staunfeldt Beginner
27 December 2005 - 10:16 There are 8 comments and 1 solution

Hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 10:09:59, on 27-12-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\NetIBA\netiba.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\Qk0\command.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\tcpip32.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Staunfeldt\Desktop\hjt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
F2 - REG:system.ini: Shell=explorer.exe                                                                                                    "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [GreenHorseTickerBar] C:\Program Files\Tickerbar\TickerBar.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: NetIBA - Consumer Protection Tool.lnk = C:\Program Files\NetIBA\netiba.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Dell\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Dell\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dll
O16 - DPF: {0D136D67-D293-4626-8C93-D12CF78E4590} (tcConference Setup) - http://67.19.231.218/v4/tc4.cab
O16 - DPF: {3D2CB570-D425-11D5-ABD0-00008369C46F} (CSMenu Class) - https://netbank.danskebank.dk/html/activex/DB/Menu.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by110fd.bay110.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\lvp4097qe.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll
O20 - Winlogon Notify: ssldr - C:\WINDOWS\SYSTEM32\ssldr32.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Qk0\command.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\system32\S24EvMon.exe
arlet Junior Master
27 December 2005 - 10:18 #1
Download CWShredder from here: http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe
Run CWShredder, update CWShredder. Close CWShredder. Then you must physically disconnect your internet connection (pull the plug) and disable ALL security programs.

Restart the computer in safe mode. (You need to press the F8 key during the restart (roughly just when the RAM has been counted), and then choose safe mode. If you are in doubt, just press F8 several times.)

Open CWShredder, click Fix, and it will scan and fix what it finds. When it is done, press Next, and afterwards Exit.

Restart normally and post a new HijackThis log
staunfeldt Beginner
27 December 2005 - 10:32 #2
ok

Logfile of HijackThis v1.99.1
Scan saved at 10:30:45, on 27-12-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Tickerbar\TickerBar.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\NetIBA\netiba.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\Qk0\command.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\tcpip32.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Staunfeldt\Desktop\hjt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
F2 - REG:system.ini: Shell=explorer.exe                                                                                                    "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [GreenHorseTickerBar] C:\Program Files\Tickerbar\TickerBar.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: NetIBA - Consumer Protection Tool.lnk = C:\Program Files\NetIBA\netiba.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Dell\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Dell\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dll
O16 - DPF: {0D136D67-D293-4626-8C93-D12CF78E4590} (tcConference Setup) - http://67.19.231.218/v4/tc4.cab
O16 - DPF: {3D2CB570-D425-11D5-ABD0-00008369C46F} (CSMenu Class) - https://netbank.danskebank.dk/html/activex/DB/Menu.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by110fd.bay110.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\l42s0ef7eh2.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll
O20 - Winlogon Notify: ssldr - C:\WINDOWS\SYSTEM32\ssldr32.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Qk0\command.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\system32\S24EvMon.exe
arlet Junior Master
27 December 2005 - 10:58 #3
You have the newest variant of the VX2 infection.

Download L2mfix.exe from one of these places:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your Desktop and double-click l2mfix.exe. Click the Install button and follow the instructions. Then open the new folder that has been created on your Desktop (l2mfix). Double-click l2mfix.bat and choose option 1 (Run Find log) by typing "1" and "Enter". Your computer will now be scanned - after a couple of minutes a text file opens in Notepad. Copy the contents in here.

NB: You must not run option 2 or any of the other files in the l2mfix folder before you have been asked to.
staunfeldt Beginner
27 December 2005 - 11:40 #4
L2MFIX find log 121605
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\enl4l13q1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Sebring]
"Logoff"="SebringUserLogoff"
"Logon"="SebringUserLogon"
"Impersonate"=dword:00000000
"Dllname"="C:\\WINDOWS\\system32\\LgNotify.dll"
"Asynchronous"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssldr]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DLLName"="ssldr32.dll"
"Logon"="StartProcessAtWinLogon"
"Logoff"="StopProcessAtWinLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{DBFCF295-408E-362E-7B9F-F358DD4EDE17}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{A5110426-177D-4e08-AB3F-785F10B4439C}"="Mine telefoner"
@=""
"{6af09ec9-b429-11d4-a1fb-0090960218cb}"="My Bluetooth Places"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Webmapper"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{5a61f7a0-cde1-11cf-9113-00aa00425c62}"="IIS Shell Extension"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{D6A5ABA1-9966-479A-9B17-0090D1483367}"=""
"{546CC2D3-030A-45CC-99AC-EC1B53208DEC}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D6A5ABA1-9966-479A-9B17-0090D1483367}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{D6A5ABA1-9966-479A-9B17-0090D1483367}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D6A5ABA1-9966-479A-9B17-0090D1483367}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D6A5ABA1-9966-479A-9B17-0090D1483367}\InprocServer32]
@="C:\\WINDOWS\\system32\\sxscrap.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{546CC2D3-030A-45CC-99AC-EC1B53208DEC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{546CC2D3-030A-45CC-99AC-EC1B53208DEC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{546CC2D3-030A-45CC-99AC-EC1B53208DEC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{546CC2D3-030A-45CC-99AC-EC1B53208DEC}\InprocServer32]
@="C:\\WINDOWS\\system32\\WR0MLRES.DLL"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
  browseui.dll  Thu 24 Nov 2005  2.06.34  A....      1.022.464  998,50 K
  cdfview.dll    Fri 21 Oct 2005  4.39.26  A....        151.040  147,50 K
  child.dll      Tue 27 Dec 2005  9.30.22  A....        14.336    14,00 K
  danim.dll      Sat  5 Nov 2005  4.16.24  A....      1.054.208    1,00 M
  dxtrans.dll    Fri 21 Oct 2005  4.39.28  A....        205.312  200,50 K
  enl4l1~1.dll  Tue 27 Dec 2005  10.28.26  ..S.R        235.298  229,78 K
  esent.dll      Thu 20 Oct 2005  23.20.04  A....      1.082.368    1,03 M
  extmgr.dll    Fri 21 Oct 2005  4.39.28  A....        55.808    54,50 K
  gdi32.dll      Thu  6 Oct 2005  4.09.36  A....        280.064  273,50 K
  hrn805~1.dll  Tue 27 Dec 2005  11.28.32  ..S.R        236.153  230,62 K
  iepeers.dll    Fri 21 Oct 2005  4.39.28  A....        251.392  245,50 K
  inseng.dll    Fri 21 Oct 2005  4.39.28  A....        96.256    94,00 K
  mhtime.dll    Tue 27 Dec 2005  9.59.54  ..S.R        234.739  229,23 K
  mshtml.dll    Thu 24 Nov 2005  2.06.34  A....      3.015.680    2,88 M
  mshtmled.dll  Fri 21 Oct 2005  4.39.30  A....        448.512  438,00 K
  msrating.dll  Fri 21 Oct 2005  4.39.30  A....        146.432  143,00 K
  mstime.dll    Fri 21 Oct 2005  4.39.30  A....        530.944  518,50 K
  pngfilt.dll    Fri 21 Oct 2005  4.39.30  A....        39.424    38,50 K
  shdocvw.dll    Thu  1 Dec 2005  4.59.30  A....      1.492.480    1,42 M
  shlwapi.dll    Fri 21 Oct 2005  4.39.30  A....        473.600  462,50 K
  spmsg.dll      Thu 13 Oct 2005  0.12.26  .....        14.048    13,72 K
  ssldr32.dll    Tue 27 Dec 2005  9.30.20  A....        10.240    10,00 K
  urlmon.dll    Sat  5 Nov 2005  4.16.28  A....        609.280  595,00 K
  wininet.dll    Fri 21 Oct 2005  4.39.30  A....        658.432  643,00 K
  wr0mlres.dll  Tue 27 Dec 2005  11.28.32  ..S.R        235.298  229,78 K

25 items found:  25 files (4 H/S), 0 directories.
  Total of file sizes:  12.593.808 bytes    12,01 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
  atmtdd~1.tmp  Tue 27 Dec 2005  11.28.46  A....              0    0,00 K

1 item found:  1 file, 0 directories.
  Total of file sizes:  0 bytes      0,00 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 0CCB-CFA8

Directory of C:\WINDOWS\System32

27-12-2005  11:28          235.298 WR0MLRES.DLL
27-12-2005  11:28          236.153 hrn8055ue.dll
27-12-2005  10:28          235.298 enl4l13q1.dll
27-12-2005  09:59          234.739 mhtime.dll
16-12-2005  18:29    <DIR>          dllcache
02-10-2004  14:24    <DIR>          Microsoft
05-04-2001  15:43            94.208 msstkprp.dll
              5 File(s)      1.035.696 bytes
              2 Dir(s)  10.596.921.344 bytes free
arlet Junior Master
27 December 2005 - 11:57 #5
Close all programs - you will shortly be asked to restart your computer.

From the l2mfix folder, run l2mfix.bat again - this time you must choose option 2 (Run Fix). You will then be asked for a password. Here you type (followed by <Enter>)
bye

Your desktop and icons will then disappear for a while. L2Mfix will continue scanning your computer, and then it will be ready for a restart. Press a key to restart. After the restart, Notepad will open with a new log. Copy the contents of this log into this thread, together with a new HijackThis log.
staunfeldt Beginner
27 December 2005 - 12:24 #6
L2mfix Beta 121605
Creating Account.
The account already exists.

More help is available by typing NET HELPMSG 2224.

Adding Administrative privleges.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX  ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 940 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1036 'winlogon.exe'
Killing PID 1036 'winlogon.exe'
Killing PID 1036 'winlogon.exe'
Killing PID 1036 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 708 'explorer.exe'
Killing PID 708 'explorer.exe'
Killing PID 708 'explorer.exe'
Killing PID 708 'explorer.exe'
Killing PID 708 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 456 'rundll32.exe'
Killing PID 972 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators  ... successful
Granting SeDebugPrivilege to Administrateurs  ... failed (GetAccountSid(Administrateurs)=1332
Granting SeDebugPrivilege to Administrat÷rer  ... failed (GetAccountSid(Administrat÷rer)=1332
Granting SeDebugPrivilege to Administradores  ... failed (GetAccountSid(Administradores)=1332
Granting SeDebugPrivilege to Amministratore  ... failed (GetAccountSid(Amministratore)=1332
Granting SeDebugPrivilege to Administratoren  ... failed (GetAccountSid(Administratoren)=1332

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
moving: C:\WINDOWS\system32\enl4l13q1.dll 
Successfully Moved: C:\WINDOWS\system32\enl4l13q1.dll
moving: C:\WINDOWS\system32\hrn8055ue.dll 
Successfully Moved: C:\WINDOWS\system32\hrn8055ue.dll
moving: C:\WINDOWS\system32\mhtime.dll 
Successfully Moved: C:\WINDOWS\system32\mhtime.dll
moving: C:\WINDOWS\system32\WR0MLRES.DLL 
Successfully Moved: C:\WINDOWS\system32\WR0MLRES.DLL




Restoring Windows Update Certificates.:

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 940 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1040 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 316 'explorer.exe'
Killing PID 316 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 520 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators  ... successful
Granting SeDebugPrivilege to Administrateurs  ... failed (GetAccountSid(Administrateurs)=1332
Granting SeDebugPrivilege to Administrat÷rer  ... failed (GetAccountSid(Administrat÷rer)=1332
Granting SeDebugPrivilege to Administradores  ... failed (GetAccountSid(Administradores)=1332
Granting SeDebugPrivilege to Amministratore  ... failed (GetAccountSid(Amministratore)=1332
Granting SeDebugPrivilege to Administratoren  ... failed (GetAccountSid(Administratoren)=1332

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
File not found - C:\WINDOWS\system32\enl4l13q1.dll
File not found - C:\WINDOWS\system32\hrn8055ue.dll
File not found - C:\WINDOWS\system32\mhtime.dll
File not found - C:\WINDOWS\system32\WR0MLRES.DLL
moving: C:\WINDOWS\system32\enl4l13q1.dll 
Successfully Moved: C:\WINDOWS\system32\enl4l13q1.dll
moving: C:\WINDOWS\system32\hrn8055ue.dll 
Successfully Moved: C:\WINDOWS\system32\hrn8055ue.dll
moving: C:\WINDOWS\system32\mhtime.dll 
Successfully Moved: C:\WINDOWS\system32\mhtime.dll
moving: C:\WINDOWS\system32\WR0MLRES.DLL 
Successfully Moved: C:\WINDOWS\system32\WR0MLRES.DLL




Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\enl4l13q1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Sebring]
"Logoff"="SebringUserLogoff"
"Logon"="SebringUserLogon"
"Impersonate"=dword:00000000
"Dllname"="C:\\WINDOWS\\system32\\LgNotify.dll"
"Asynchronous"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssldr]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DLLName"="ssldr32.dll"
"Logon"="StartProcessAtWinLogon"
"Logoff"="StopProcessAtWinLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\enl4l13q1.dll
C:\WINDOWS\system32\hrn8055ue.dll
C:\WINDOWS\system32\mhtime.dll
C:\WINDOWS\system32\WR0MLRES.DLL

Registry Entries that were Deleted:
Please verify that the listing looks ok. 
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D6A5ABA1-9966-479A-9B17-0090D1483367}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{D6A5ABA1-9966-479A-9B17-0090D1483367}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D6A5ABA1-9966-479A-9B17-0090D1483367}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D6A5ABA1-9966-479A-9B17-0090D1483367}\InprocServer32]
@="C:\\WINDOWS\\system32\\sxscrap.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{546CC2D3-030A-45CC-99AC-EC1B53208DEC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{546CC2D3-030A-45CC-99AC-EC1B53208DEC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{546CC2D3-030A-45CC-99AC-EC1B53208DEC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{546CC2D3-030A-45CC-99AC-EC1B53208DEC}\InprocServer32]
@="C:\\WINDOWS\\system32\\WR0MLRES.DLL"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
  adding: dlls/enl4l13q1.dll (148 bytes security) (deflated 5%)
  adding: dlls/hrn8055ue.dll (148 bytes security) (deflated 5%)
  adding: dlls/mhtime.dll (148 bytes security) (deflated 5%)
  adding: dlls/WR0MLRES.DLL (148 bytes security) (deflated 5%)
  adding: backregs/546CC2D3-030A-45CC-99AC-EC1B53208DEC.reg (212 bytes security) (deflated 70%)
  adding: backregs/D6A5ABA1-9966-479A-9B17-0090D1483367.reg (212 bytes security) (deflated 69%)
  adding: backregs/notibac.reg (164 bytes security) (deflated 88%)
  adding: backregs/shell.reg (164 bytes security) (deflated 62%)



Logfile of HijackThis v1.99.1
Scan saved at 12:23:17, on 27-12-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\NetIBA\netiba.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\Qk0\command.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Staunfeldt\Desktop\hjt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
F2 - REG:system.ini: Shell=explorer.exe                                                                                                    "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: NetIBA - Consumer Protection Tool.lnk = C:\Program Files\NetIBA\netiba.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Dell\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Dell\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dll
O16 - DPF: {0D136D67-D293-4626-8C93-D12CF78E4590} (tcConference Setup) - http://67.19.231.218/v4/tc4.cab
O16 - DPF: {3D2CB570-D425-11D5-ABD0-00008369C46F} (CSMenu Class) - https://netbank.danskebank.dk/html/activex/DB/Menu.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by110fd.bay110.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\enl4l13q1.dll (file missing)
O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll
O20 - Winlogon Notify: ssldr - C:\WINDOWS\SYSTEM32\ssldr32.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Qk0\command.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\system32\S24EvMon.exe
arlet (Juniormester)
27 December 2005 - 12:32 #7
Download and save these scanners to the desktop:

Mwav: http://www.spywareinfo.dk/download/mwav.exe
(but do not scan yet).

-----

Ewido: http://www.ewido.net/en/download/
Click Download now. Install and run Ewido. Update the program immediately after installation (but do not scan yet).

You are now going to start fixing:

Run HijackThis, scan, tick the lines listed here, close all windows except HijackThis, click Fix checked, then close HijackThis again.
Double-check that everything is included.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

F2 - REG:system.ini: Shell=explorer.exe                                                                                                    "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"

O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\enl4l13q1.dll (file missing)
O20 - Winlogon Notify: ssldr - C:\WINDOWS\SYSTEM32\ssldr32.dll

--------------------------------------------------------------------

Open any folder, click Tools => Folder Options => View.
Untick "Hide protected operating system files".
Untick "Hide extensions for known file types".
Select "Show hidden files and folders".

------------------------------

Download this bat file and run it:
http://www.spywareinfo.dk/download/cleantempxp2k.bat
It deletes everything in your temp folder.

------------------------------

Restart the computer in safe mode. (Press the F8 key during the restart, roughly right after the RAM has been counted, and then choose safe mode. If in doubt, just press F8 several times.)
Find and delete these manually:

C:\WINDOWS\system32\enl4l13q1.dll
C:\WINDOWS\SYSTEM32\ssldr32.dll

Now run a full scan with Ewido. When it has finished, click Save report and save the report.

-----

Click the mwav.exe you downloaded; the program unpacks itself and starts.
Tick the following:
Memory, Startup folders, drive, Registry, System folders and Services.
Select the following:
All local drives and Scan all files. Click Scan clean. When the scanner has finished scanning, copy the contents of the "Virus Log Information" window in here (select it and press Ctrl-C).

-----

Copy both reports in here together with a new HijackThis log taken after you have run the 2 scanners.
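A follow-up check for the procedure in this post, as an added example that is not part of the original thread: it compares the lines chosen for fixing against a later HijackThis log, lists entries whose target file is gone, and pulls out anything appended to the system.ini Shell value. The sample text is a constructed excerpt of lines from the logs on this page (the later scan is the one saved at 19:34:10), and the function names are hypothetical.

```python
import re

# A HijackThis entry line looks like "O20 - Winlogon Notify: ...".
# Header lines and the running-process list do not match this pattern.
ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")


def parse_entries(log_text):
    """Return (section, text) for every entry line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def normalize(section, text):
    """Key for comparing entries across scans: ignores the '(file missing)'
    suffix, whitespace padding and case differences in paths."""
    text = re.sub(r"\s*\(file missing\)$", "", text)
    text = re.sub(r"\s+", " ", text)
    return (section, text.casefold())


def still_present(fix_list, later_log):
    """Entries from the fix list that still show up in the later scan."""
    later = {normalize(s, t) for s, t in parse_entries(later_log)}
    return [(s, t) for s, t in parse_entries(fix_list) if normalize(s, t) in later]


def orphaned(log_text):
    """Entries whose registration survives although the file is gone."""
    return [(s, t) for s, t in parse_entries(log_text) if t.endswith("(file missing)")]


def shell_extras(log_text):
    """Programs in the F2 Shell= value other than explorer.exe.
    The value may be padded with spaces so the extra path is pushed out of view."""
    extras = []
    for section, text in parse_entries(log_text):
        m = re.match(r"REG:system\.ini: Shell=(.*)$", text, re.I)
        if section == "F2" and m:
            parts = [p.strip('"') for p in re.findall(r'"[^"]+"|\S+', m.group(1))]
            extras += [p for p in parts if p.casefold() != "explorer.exe"]
    return extras


# Constructed excerpt: four of the lines listed for fixing in this post.
FIX_LIST = r'''
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
F2 - REG:system.ini: Shell=explorer.exe                    "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\enl4l13q1.dll (file missing)
O20 - Winlogon Notify: ssldr - C:\WINDOWS\SYSTEM32\ssldr32.dll
'''

# Constructed excerpt: a few lines from the scan saved at 19:34:10.
LATER_LOG = r'''
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Qk0\command.exe (file missing)
'''

if __name__ == "__main__":
    print("still present after fix:", still_present(FIX_LIST, LATER_LOG))
    print("registered but file missing:", orphaned(LATER_LOG))
    print("extra programs in Shell value:", shell_extras(FIX_LIST))
```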
staunfeldt (Nybegynder)
27 December 2005 - 19:34 #8
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on:            15:42:52, 27-12-2005
+ Report-Checksum:        A292A36B

+ Scan result:

    [848] C:\WINDOWS\system32\child.dll -> Downloader.Small.bug : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Cookies\staunfeldt@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Desktop\l2mfix\backup.zip/dlls/enl4l13q1.dll -> Spyware.Look2Me : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Desktop\l2mfix\backup.zip/dlls/hrn8055ue.dll -> Spyware.Look2Me : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Desktop\l2mfix\backup.zip/dlls/mhtime.dll -> Spyware.Look2Me : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Desktop\l2mfix\backup.zip/dlls/WR0MLRES.DLL -> Spyware.Look2Me : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Desktop\l2mfix\dlls\enl4l13q1.dll -> Spyware.Look2Me : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Desktop\l2mfix\dlls\hrn8055ue.dll -> Spyware.Look2Me : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Desktop\l2mfix\dlls\mhtime.dll -> Spyware.Look2Me : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Desktop\l2mfix\dlls\WR0MLRES.DLL -> Spyware.Look2Me : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Local Settings\Temp\a.exe -> Downloader.Harnig.ax : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Local Settings\Temp\Cookies\staunfeldt@adtech[1].txt -> Spyware.Cookie.Adtech : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Local Settings\Temporary Internet Files\Content.IE5\8H6V4XMN\tool5[1].txt -> Trojan.Small : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Local Settings\Temporary Internet Files\Content.IE5\FBX2OR9B\AppWrap[1].exe -> Spyware.AdURL : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Local Settings\Temporary Internet Files\Content.IE5\FBX2OR9B\AppWrap[2].exe -> Spyware.AdURL : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Local Settings\Temporary Internet Files\Content.IE5\FBX2OR9B\AppWrap[3].exe -> Spyware.AdURL : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Local Settings\Temporary Internet Files\Content.IE5\FBX2OR9B\drsmartload[1].exe -> Downloader.Adload.l : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Local Settings\Temporary Internet Files\Content.IE5\FBX2OR9B\tool1[1].txt -> Trojan.Small : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Local Settings\Temporary Internet Files\Content.IE5\FDJ7UODW\kl[1].txt -> Trojan.Agent.bu : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Local Settings\Temporary Internet Files\Content.IE5\GF57YEB1\AppWrap[1].exe -> Spyware.AdURL : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Local Settings\Temporary Internet Files\Content.IE5\GF57YEB1\AppWrap[2].exe -> Spyware.AdURL : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Local Settings\Temporary Internet Files\Content.IE5\GF57YEB1\Installer[1].exe -> Spyware.Look2Me : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Local Settings\Temporary Internet Files\Content.IE5\GF57YEB1\MTE3NDI6ODoxNg[1].exe -> Downloader.Small.buy : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Local Settings\Temporary Internet Files\Content.IE5\I9U90VGF\country[1].htm -> Trojan.Small : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Local Settings\Temporary Internet Files\Content.IE5\IN6BCDIB\adtech2006a[1].exe -> Hijacker.VB.kc : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Local Settings\Temporary Internet Files\Content.IE5\IN6BCDIB\mm[1].js -> Spyware.Chitika : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Local Settings\Temporary Internet Files\Content.IE5\IN6BCDIB\tool2[1].txt -> Not-A-Virus.Hoax.Win32.Renos.aj : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Local Settings\Temporary Internet Files\Content.IE5\KZ4L078H\loaderadv588[1].exe -> Downloader.Harnig.ax : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Local Settings\Temporary Internet Files\Content.IE5\LVL7HQ3H\AppWrap[1].exe -> Spyware.Zestyfind : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Local Settings\Temporary Internet Files\Content.IE5\LVL7HQ3H\AppWrap[2].exe -> Spyware.Zestyfind : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Local Settings\Temporary Internet Files\Content.IE5\LVL7HQ3H\child[1].exe -> Dropper.Small.ahg : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Local Settings\Temporary Internet Files\Content.IE5\LVL7HQ3H\mng[1].exe -> Proxy.Agent.hs : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Local Settings\Temporary Internet Files\Content.IE5\LVL7HQ3H\stub_113_4_0_4_0[1].exe -> Downloader.TSUpdate.o : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Local Settings\Temporary Internet Files\Content.IE5\LVL7HQ3H\tool3[1].txt -> Downloader.Small.bwr : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Local Settings\Temporary Internet Files\Content.IE5\M2CPKX1Q\ms1[1].txt -> Downloader.Tiny.al : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Local Settings\Temporary Internet Files\Content.IE5\P8AITAR5\hosts[1].txt -> Trojan.Qhost.el : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Local Settings\Temporary Internet Files\Content.IE5\P8AITAR5\paradise[1].raw -> Proxy.Lager.f : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Local Settings\Temporary Internet Files\Content.IE5\WJQBO1G9\tool4[1].txt -> Trojan.Small : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Local Settings\Temporary Internet Files\Content.IE5\WJQBO1G9\toolbar[1].txt -> Downloader.Adload.j : Cleaned with backup
    C:\Documents and Settings\Staunfeldt\Local Settings\Temporary Internet Files\Content.IE5\YZS3GZCR\timessquare[1].exe -> Hijacker.StartPage.aw : Cleaned with backup
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll -> Trojan.Agent.bu : Cleaned with backup
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe -> Trojan.Agent.bu : Cleaned with backup
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll -> Trojan.Agent.bu : Cleaned with backup
    C:\Program Files\Common Files\okuf\okufa.exe -> Downloader.TSUpdate.l : Cleaned with backup
    C:\Program Files\Common Files\okuf\okufd\okufc.dll -> Downloader.Small : Cleaned with backup
    C:\Program Files\Common Files\okuf\okufl.exe -> Downloader.TSUpdate.p : Cleaned with backup
    C:\Program Files\Common Files\okuf\okufm.exe -> Downloader.TSUpdate.n : Cleaned with backup
    C:\Program Files\Common Files\okuf\okufp.exe -> Downloader.TSUpdate.f : Cleaned with backup
    C:\WINDOWS\adtech2006a.exe -> Hijacker.VB.kc : Cleaned with backup
    C:\WINDOWS\icont.exe -> Spyware.AdURL : Cleaned with backup
    C:\WINDOWS\iconu.exe -> Spyware.Zestyfind : Cleaned with backup
    C:\WINDOWS\kl.exe -> Trojan.Agent.bu : Cleaned with backup
    C:\WINDOWS\Qk0\asappsrv.dll -> Spyware.CommAd : Cleaned with backup
    C:\WINDOWS\Qk0\command.exe -> Adware.CommAd : Cleaned with backup
    C:\WINDOWS\system32\child.dll -> Downloader.Small.bug : Cleaned with backup
    C:\WINDOWS\system32\paradise.raw -> Proxy.Lager.f : Cleaned with backup
    C:\WINDOWS\system32\ssldr32.dll -> Proxy.Agent.hs : Cleaned with backup
    C:\WINDOWS\tcpip32.exe -> Downloader.Small.fg : Cleaned with backup
    C:\WINDOWS\Temp\Cookies\staunfeldt@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\WINDOWS\Temp\Cookies\staunfeldt@as1.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
    C:\WINDOWS\timessquare.exe -> Hijacker.StartPage.aw : Cleaned with backup
    C:\WINDOWS\tool2.exe -> Not-A-Virus.Hoax.Win32.Renos.aj : Cleaned with backup
    C:\WINDOWS\tool3.exe -> Downloader.Small.bwr : Cleaned with backup
    C:\WINDOWS\toolbar.exe -> Downloader.Adload.j : Cleaned with backup


::Report End


File C:\WINDOWS\pkg02.exe infected by "Trojan-Downloader.Win32.Small.fg" Virus. Action Taken: File Deleted.
File C:\WINDOWS\system32\__delete_on_reboot__child.dll infected by "Trojan-Downloader.Win32.Small.bug" Virus. Action Taken: File to be deleted on reboot.
File C:\Documents and Settings\Staunfeldt\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-5c9ed667-56f6f702.zip infected by "Exploit.Java.ByteVerify" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\Staunfeldt\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0502b.jar-4cc14802-6bb2d717.zip infected by "Trojan-Downloader.Java.OpenConnection.ae" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\Staunfeldt\Local Settings\Temporary Internet Files\Content.IE5\IN6BCDIB\installer[1].exe tagged as not-a-virus:AdWare.Win32.CommAd.a. No Action Taken.



Logfile of HijackThis v1.99.1
Scan saved at 19:34:10, on 27-12-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\NetIBA\netiba.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Staunfeldt\Desktop\hjt.exe

O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: NetIBA - Consumer Protection Tool.lnk = C:\Program Files\NetIBA\netiba.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Dell\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Dell\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dll
O16 - DPF: {0D136D67-D293-4626-8C93-D12CF78E4590} (tcConference Setup) - http://67.19.231.218/v4/tc4.cab
O16 - DPF: {3D2CB570-D425-11D5-ABD0-00008369C46F} (CSMenu Class) - https://netbank.danskebank.dk/html/activex/DB/Menu.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by110fd.bay110.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Qk0\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\system32\S24EvMon.exe
arlet (Juniormester)
27 December 2005 - 19:49 #9
Then your log is clean.

After a round like this it is always a good idea to clean up your System Restore files.
Disable System Restore ( http://www.arlet.dk/systemgendannelsen.htm ) - restart your computer - enable System Restore.

General cleanup: http://www.arlet.dk/oprydning.htm

To protect you against junk I have put together a security package,
which you can see here: www.arlet.dk/pakke.htm