Hijackthis fil

Der er meget snavs i den log.

Download og gem disse scanner på skrivebordet:

Hent denne scanner.
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
(men lad være med at scanne endnu).

-----

Ewido: http://www.ewido.net/en/download/
Klik på Download now. Installer og kør Ewido. Opdater straks efter installationen programmet, (men lad være med at scanne endnu).

----------

Genstart i fejlsikret tilstand. Du skal klikke på f8 tasten under genstarten (ca. lige når der er talt ram), og så vælge fejlsikret tilstand. Er du i tvivl, så klik bare på f8 flere gange. Kør nu en fuld scanning med Ewido. Når den er færdig trykker du save report.

-----

Kør nu en fuld scanning med Ewido. Når den er færdig trykker du save report og gemmer rapporten.

-----

Dobbeltklik på drweb-cureit.exe, den vil køre en expressscan, det siger du ja til.
Når den skriver Done nederst til venstre, skal du klikke på Options->Change settings.
Skift til fanebladet Scan, fjern fluebenet ved Heuristic analysis.
Skift til fanebladet Actions, her skal alle punkter under Malware sættes til Rename.
Klik så på det eller de drev du vil have scannet, der kommer en rød prik for at vise det/de er valgt.

Klik så på den grønne pil ovre til højre på siden, så starter scanningen.
Første gang Dr.Web finder noget, klik "Yes to All", så fjerner den hvad den finder.
Klik så på Start->Søg, find filen drweb32w.log kopier det nederste af teksten herind, startende med:
Scan statistics.
-----

Begge rapporter kopier du herind sammen med en ny hijackthis taget efter du har kørt de 2 scannere

Hej igen,

her nyt hijackthis fil:

Logfile of HijackThis v1.99.1
Scan saved at 11:24:48, on 15-01-2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ccsrvc.exe
C:\PROGRA~1\CARBON~1\shellker.exe
C:\Progra~1\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\PROGRA~1\Compaq\COMPAQ~1\hibserv.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\Progra~1\NavNT\rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\Promon.exe
C:\Progra~1\NavNT\vptray.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Canon\MultiPASS\MPTBox.exe
C:\windows\winsysban.exe
C:\WINNT\system32\internat.exe
C:\Program Files\TEXTware\HotKey\Twalink.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Hijackthis-ny\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = ,
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.mail.tdconline.dk/
R3 - Default URLSearchHook is missing
O1 - Hosts: Botzor2005 Made By .... Greetz to good friend Coder. Based On HellBot3
O1 - Hosts: MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!
O1 - Hosts: n127.0.0.1 www.symantec.com
O3 - Toolbar: (no name) - {EA0D26BD-9029-431A-86E0-83152D67828A} - (no file)
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [vptray] C:\Progra~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PostImg] C:\Drivers\postimg.exe
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\5D.tmp
O4 - HKLM\..\Run: [csm Win Updates] csm.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINNT\system32\Isass.exe
O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban.exe
O4 - HKLM\..\RunServices: [csm Win Updates] csm.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: HotKey.lnk = C:\Program Files\TEXTware\HotKey\Twalink.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O15 - Trusted Zone: http://ie.config.asia.compaq.com
O15 - Trusted Zone: http://ie.config.eur.compaq.com
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com
O15 - Trusted Zone: http://ie.config.jp.compaq.com
O15 - Trusted Zone: http://ie.config.ecom.dec.com
O15 - Trusted Zone: http://ie.config.tandem.com
O15 - Trusted Zone: http://ie.config.asia.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.eur.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.jp.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.ecom.dec.com (HKLM)
O15 - Trusted Zone: http://ie.config.tandem.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137099188654
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8B3512EF-4FF5-4AA4-9CDE-56BB03E04B9F} (SAXFileEE ActiveX Control) - http://www.billedbutikken.dk/upload/SAXFileEE.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.photocare.dk/ImageUploader3.cab
O16 - DPF: {CA79DF4A-E7DD-4175-A88A-7B72533A4130} (Sky Software FolderView ActiveX Control 6.0) - http://www.billedbutikken.dk/upload/digiupload.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netpension.danicapension.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emea.cpqcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = emea.cpqcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = emea.cpqcorp.net
O20 - Winlogon Notify: Controls Folder - C:\WINNT\system32\kadcan.dll
O20 - Winlogon Notify: WebCheck - C:\WINNT\system32\n04s0ah7ed4.dll
O23 - Service: Carbon Copy Access Edition (CarbonCopy32) - Compaq Computer Corporation. - C:\WINNT\System32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Compaq Computer Corporation. - C:\WINNT\System32\schdsrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Progra~1\NavNT\defwatch.exe
O23 - Service: windows dll service (dll service) - Unknown owner - C:\WINNT\rund1132.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~1\hibserv.exe
O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\system32\mousebm.exe (file missing)
O23 - Service: MPService - Canon Information Systems, Inc. - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Progra~1\NavNT\rtvscan.exe
O23 - Service: Windows Remote Procedure Call Monitoring Service (rpcsvc) - Unknown owner - C:\WINNT\system32\rpcsvc.exe (file missing)
O23 - Service: Windows UPnP Service (wupnp) - Unknown owner - C:\WINNT\system32\wupnp.exe (file missing)
O23 - Service: Workstation NetLogon Service (½O.#ž‚„õØ´â) - Unknown owner - C:\WINNT\system32\mfcss32.exe (file missing)

og her er filen fra drweb:

Scan statistics
-----------------------------------------------------------------------------
Objects scanned: 71067
Infected objects found: 9
Objects with modifications found: 0
Suspicious objects found: 0
Adware programs found: 1
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 0
Objects cured: 0
Objects deleted: 9
Objects renamed: 1
Objects moved: 0
Objects ignored: 0
Scan speed: 194 Kb/s
Scan time: 02:30:10
-----------------------------------------------------------------------------

Filen fra ewido kunne jeg ikke finde i fejlsikret tilstand.

Der popper stadig reklamer op.

... der er nemlig stadig "masser" af snavs i loggen; disse sakses i anden omgang - af <arlet> ... normal procedure med flere omgang af HiJackThis Log ...

Ja, vi er slet ikke færdige endnu..

Hent L2mfix.exe fra et af disse steder:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Gem filen på dit Skrivebord og dobbeltklik på l2mfix.exe. Klik på Install knappen og følg instruktionerne. Åben herefter den nye mappe der er dannet på dit Skrivebord (l2mfix). Dobbeltklik på l2mfix.bat og vælg option 1 (Run Find log) ved at taste "1" og "Enter". Din computer bliver nu scannet - efter et par minutter åbnes en tekstfil i Notesblok. Kopier indholdet herind.

NB: Du må ikke køre option 2 eller andre af filerne i l2mfix mappen, før du er blevet bedt om det.

Her er tekstfilen fra l2mfix:

L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\gpl4l33q1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WebCheck]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\n04s0ah7ed4.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{66F8B33C-1A48-84A3-B0A0-C50C72D9C727}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Unbind"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{34EC3EDE-0279-4358-80AC-9F6B6D314DFE}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{34EC3EDE-0279-4358-80AC-9F6B6D314DFE}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{34EC3EDE-0279-4358-80AC-9F6B6D314DFE}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{34EC3EDE-0279-4358-80AC-9F6B6D314DFE}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{34EC3EDE-0279-4358-80AC-9F6B6D314DFE}\InprocServer32]
@="C:\\WINNT\\system32\\kedsf.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
One or more CON code pages invalid for given keyboard code

C:\WINNT\SYSTEM32\
  atmtd.dll      Wed Dec 21 2005  11:16:04a  A....        687,592  671.48 K
  gpj4l3~1.dll  Mon Jan 16 2006  11:45:40a  ..S.R        235,781  230.25 K
  gpl4l3~1.dll  Sun Jan 15 2006  10:40:26p  ..S.R        234,272  228.78 K
  kedsf.dll      Mon Jan 16 2006  8:09:48p  .....        234,272  228.78 K
  kt8ql7~1.dll  Sat Jan 14 2006  11:45:18a  ..S.R        235,839  230.31 K
  m4nqle~1.dll  Sun Jan 15 2006  9:07:22p  ..S.R        235,826  230.30 K
  sj2res.dll    Sun Jan 15 2006  9:07:30p  ..S.R        234,272  228.78 K

7 items found:  7 files (5 H/S), 0 directories.
  Total of file sizes:  2,097,854 bytes      2.00 M
Locate .tmp files:

C:\WINNT\SYSTEM32\
  17.tmp        Fri Oct 21 2005  10:32:00a  A....              0    0.00 K
  19.tmp        Sun Oct 30 2005  7:18:24p  A....              0    0.00 K
  3d.tmp        Tue Dec 27 2005  8:07:22a  A....              0    0.00 K
  3f.tmp        Tue Dec 27 2005  9:20:54p  A....              0    0.00 K
  42.tmp        Thu Dec 29 2005  8:16:20a  A....              0    0.00 K
  4e.tmp        Mon Jan 16 2006  11:54:20a  A....        150,528  147.00 K
  59.tmp        Wed Jan 11 2006  11:51:20a  A....          2,529    2.47 K
  5a.tmp        Thu Jan 12 2006  9:30:40p  A....          2,529    2.47 K
  5b.tmp        Thu Jan 12 2006  9:41:52p  A....          2,529    2.47 K
  5c.tmp        Fri Jan 13 2006  11:32:54a  A....          2,529    2.47 K
  5d.tmp        Sat Jan 14 2006  9:04:30p  A....        150,528  147.00 K
  5e.tmp        Sat Jan 14 2006  10:02:46p  A....        150,528  147.00 K
  68.tmp        Sat Jan 14 2006  10:17:06p  A....              0    0.00 K
  guard.tmp      Mon Jan 16 2006  8:32:48p  ..S.R        234,272  228.78 K

14 items found:  14 files (1 H/S), 0 directories.
  Total of file sizes:  695,972 bytes    679.66 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is ACF5-7AF2

Directory of C:\WINNT\System32

16-01-2006  20:32              234.272 guard.tmp
16-01-2006  12:01                8.773 .exe
16-01-2006  11:45              235.781 gpj4l31q1.dll
15-01-2006  22:40              234.272 gpl4l33q1.dll
15-01-2006  21:07              234.272 sj2res.dll
15-01-2006  21:07              235.826 m4nqle551h.dll
14-01-2006  11:45              235.839 kt8ql7l51.dll
12-01-2006  21:56      <DIR>          dllcache
11-07-2004  20:14              11.591 bssdi.dat
17-06-2004  03:29              11.388 fifnn.dat
              9 File(s)      1.442.014 bytes
              1 Dir(s)  4.333.416.448 bytes free

Luk alle programmer - du vil om lidt blive bedt om at genstarte din computer.

Fra mappen l2mfix skal du køre l2mfix.bat igen - denne gang skal du vælge option 2 (Run Fix). Så vil du blive bedt om et password. Her skriver du (efterfulgt af <Enter>)
bye

Dit skrivebord og ikoner vil forsvinde en tid så. L2Mfix vil fortsætte med at scanne din computer, vil den være klar til en genstart. Tryk en taste for at genstarte. Efter genstarten, vil Notepad åbnes med en ny log. Kopiér indholdet af denne log ind i denne tråd, sammen med en ny Hijackthis-log.

Loggen åbnede ikke op automatisk, men jeg fandt denne i mappen:

L2mfix 010406
Creating Account.
The command completed successfully.


Adding Administrative privleges.
The command completed successfully.

Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX  ... successful
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
    zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)
updating: backregs/notibac.reg (152 bytes security) (deflated 86%)

Her nyt Hijackthis-log:

Logfile of HijackThis v1.99.1
Scan saved at 22:38:38, on 16-01-2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ccsrvc.exe
C:\PROGRA~1\CARBON~1\shellker.exe
C:\Progra~1\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\PROGRA~1\Compaq\COMPAQ~1\hibserv.exe
C:\WINNT\system32\rundll32.exe
C:\Progra~1\NavNT\rtvscan.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\Promon.exe
C:\Progra~1\NavNT\vptray.exe
C:\WINNT\system32\ntvdm.exe
C:\windows\winsysban.exe
C:\WINNT\system32\internat.exe
C:\Program Files\TEXTware\HotKey\Twalink.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Hijackthis-ny\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.dk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = ,
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.mail.tdconline.dk/
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {EA0D26BD-9029-431A-86E0-83152D67828A} - (no file)
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [vptray] C:\Progra~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PostImg] C:\Drivers\postimg.exe
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\4E.tmp
O4 - HKLM\..\Run: [csm Win Updates] csm.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINNT\system32\Isass.exe
O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban.exe
O4 - HKLM\..\RunServices: [csm Win Updates] csm.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: HotKey.lnk = C:\Program Files\TEXTware\HotKey\Twalink.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O15 - Trusted Zone: http://ie.config.asia.compaq.com
O15 - Trusted Zone: http://ie.config.eur.compaq.com
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com
O15 - Trusted Zone: http://ie.config.jp.compaq.com
O15 - Trusted Zone: http://ie.config.ecom.dec.com
O15 - Trusted Zone: http://ie.config.tandem.com
O15 - Trusted Zone: http://ie.config.asia.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.eur.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.jp.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.ecom.dec.com (HKLM)
O15 - Trusted Zone: http://ie.config.tandem.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137099188654
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8B3512EF-4FF5-4AA4-9CDE-56BB03E04B9F} (SAXFileEE ActiveX Control) - http://www.billedbutikken.dk/upload/SAXFileEE.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.photocare.dk/ImageUploader3.cab
O16 - DPF: {CA79DF4A-E7DD-4175-A88A-7B72533A4130} (Sky Software FolderView ActiveX Control 6.0) - http://www.billedbutikken.dk/upload/digiupload.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netpension.danicapension.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emea.cpqcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = emea.cpqcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = emea.cpqcorp.net
O20 - Winlogon Notify: BITS - C:\WINNT\system32\gpj4l31q1.dll
O20 - Winlogon Notify: WebCheck - C:\WINNT\system32\n04s0ah7ed4.dll (file missing)
O23 - Service: Carbon Copy Access Edition (CarbonCopy32) - Compaq Computer Corporation. - C:\WINNT\System32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Compaq Computer Corporation. - C:\WINNT\System32\schdsrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Progra~1\NavNT\defwatch.exe
O23 - Service: windows dll service (dll service) - Unknown owner - C:\WINNT\rund1132.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~1\hibserv.exe
O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\system32\mousebm.exe (file missing)
O23 - Service: MPService - Canon Information Systems, Inc. - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Progra~1\NavNT\rtvscan.exe
O23 - Service: Windows Remote Procedure Call Monitoring Service (rpcsvc) - Unknown owner - C:\WINNT\system32\rpcsvc.exe
O23 - Service: Windows UPnP Service (wupnp) - Unknown owner - C:\WINNT\system32\wupnp.exe (file missing)
O23 - Service: Workstation NetLogon Service (½O.#ž‚„õØ´â) - Unknown owner - C:\WINNT\system32\mfcss32.exe (file missing)

Hent KillBox her:
http://www.bleepingcomputer.com/files/spyware/KillBox.zip

Brugsanvisning kan du finde her:
http://www.fbeej.dk/KillBox2_manual.htm

Kør KillBox, sæt prik i "Delete on reboot". Kopier nedenstående linier ind i tekstfeltet på Killbox og klik herefter på den røde knap med det hvide kryds. Programmet vil spørge om du vil genstarte - svar NEJ undtagen når du når til den sidste linie - der skal du svare JA, og din computer vil genstarte
C:\WINNT\system32\4E.tmp
C:\windows\winsysban.exe
C:\WINNT\system32\gpj4l31q1.dll

Hent Spysweeper prøveversion her: http://www.spywarefri.dk/downloads1.htm
Installer og opdater det (check for definition update)
Derefter, tryk på Options.
sæt prik i- sweep all folders on selected drive (s)
fjern flueben ved-don´t sweep systemrestore folder.
sæt flueben ved- sweep for Rootkits

Luk programmet.

Så lukker du computeren, og lader den være i ca. 30 sekunder. Så starter du op i fejlsikret tilstand (Tryk f8 flere gange under opstart). Vælg med piletasterne fejlsikret tilstand og tast <enter>


Start Spysweeper. Så popper der en boks op fra Spysweeper, der trykker du på NO

Kør så en Sweep. Når scanningen er færdig, tryk på- next-select all-next-finish. Luk programmet.

Kør en scanning med HijackThis, så du kan se alle filer. Luk alle vinduer, sæt flueben ved denne linie, og klik fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = ,
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R3 - Default URLSearchHook is missing

O3 - Toolbar: (no name) - {EA0D26BD-9029-431A-86E0-83152D67828A} - (no file)

O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\4E.tmp
O4 - HKLM\..\Run: [csm Win Updates] csm.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINNT\system32\Isass.exe
O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban.exe
O4 - HKLM\..\RunServices: [csm Win Updates] csm.exe

O20 - Winlogon Notify: BITS - C:\WINNT\system32\gpj4l31q1.dll
O20 - Winlogon Notify: WebCheck - C:\WINNT\system32\n04s0ah7ed4.dll (file missing)

O23 - Service: windows dll service (dll service) - Unknown owner - C:\WINNT\rund1132.exe (file missing)
O23 - Service: Workstation NetLogon Service (½O.#ž‚„õØ´â) - Unknown owner - C:\WINNT\system32\mfcss32.exe (file missing)

Genstart til normaltilstand, og tag en online scan her (Complete scan) http://housecall.trendmicro.com/
og med X Cleaner her
http://www.spywarefri.dk/onlinevark.htm

Kom med en frisk HijackThis log.

her ny HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 22:50:42, on 17-01-2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ccsrvc.exe
C:\PROGRA~1\CARBON~1\shellker.exe
C:\Progra~1\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\PROGRA~1\Compaq\COMPAQ~1\hibserv.exe
C:\WINNT\Explorer.EXE
C:\Progra~1\NavNT\rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\system32\Promon.exe
C:\Progra~1\NavNT\vptray.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\system32\internat.exe
C:\Program Files\TEXTware\HotKey\Twalink.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Hijackthis-ny\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.dk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.mail.tdconline.dk/
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [vptray] C:\Progra~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PostImg] C:\Drivers\postimg.exe
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: HotKey.lnk = C:\Program Files\TEXTware\HotKey\Twalink.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O15 - Trusted Zone: http://ie.config.asia.compaq.com
O15 - Trusted Zone: http://ie.config.eur.compaq.com
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com
O15 - Trusted Zone: http://ie.config.jp.compaq.com
O15 - Trusted Zone: http://ie.config.ecom.dec.com
O15 - Trusted Zone: http://ie.config.tandem.com
O15 - Trusted Zone: http://ie.config.asia.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.eur.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.jp.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.ecom.dec.com (HKLM)
O15 - Trusted Zone: http://ie.config.tandem.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137099188654
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8B3512EF-4FF5-4AA4-9CDE-56BB03E04B9F} (SAXFileEE ActiveX Control) - http://www.billedbutikken.dk/upload/SAXFileEE.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.photocare.dk/ImageUploader3.cab
O16 - DPF: {CA79DF4A-E7DD-4175-A88A-7B72533A4130} (Sky Software FolderView ActiveX Control 6.0) - http://www.billedbutikken.dk/upload/digiupload.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netpension.danicapension.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emea.cpqcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = emea.cpqcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = emea.cpqcorp.net
O23 - Service: Carbon Copy Access Edition (CarbonCopy32) - Compaq Computer Corporation. - C:\WINNT\System32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Compaq Computer Corporation. - C:\WINNT\System32\schdsrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Progra~1\NavNT\defwatch.exe
O23 - Service: windows dll service (dll service) - Unknown owner - C:\WINNT\rund1132.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~1\hibserv.exe
O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\system32\mousebm.exe (file missing)
O23 - Service: MPService - Canon Information Systems, Inc. - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Progra~1\NavNT\rtvscan.exe
O23 - Service: Windows Remote Procedure Call Monitoring Service (rpcsvc) - Unknown owner - C:\WINNT\system32\rpcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Windows UPnP Service (wupnp) - Unknown owner - C:\WINNT\system32\wupnp.exe (file missing)
O23 - Service: Workstation NetLogon Service (½O.#ž‚„õØ´â) - Unknown owner - C:\WINNT\system32\mfcss32.exe (file missing)

Er dette nogle du selv har lagt i trusted zone:
O15 - Trusted Zone: http://ie.config.asia.compaq.com
O15 - Trusted Zone: http://ie.config.eur.compaq.com
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com
O15 - Trusted Zone: http://ie.config.jp.compaq.com
O15 - Trusted Zone: http://ie.config.ecom.dec.com
O15 - Trusted Zone: http://ie.config.tandem.com
O15 - Trusted Zone: http://ie.config.asia.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.eur.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.jp.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.ecom.dec.com (HKLM)
O15 - Trusted Zone: http://ie.config.tandem.com (HKLM)

??????
-----

Klik på Start->Kør skriv Services.msc og klik OK.
Find Tjenesten >> O23 - Service: Workstation NetLogon Service (½O.#ž‚„õØ´â) << stop den, højreklik på den og vælg Starttype Deaktiveret.
Gør det samme med denne: windows dll service (dll service)
og det samme med: Windows Remote Procedure Call Monitoring Service (rpcsvc)

Fix disse i hijackthis
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

O23 - Service: windows dll service (dll service) - Unknown owner - C:\WINNT\rund1132.exe (file missing)
O23 - Service: Windows Remote Procedure Call Monitoring Service (rpcsvc) - Unknown owner - C:\WINNT\system32\rpcsvc.exe
O23 - Service: Windows UPnP Service (wupnp) - Unknown owner - C:\WINNT\system32\wupnp.exe (file missing)
O23 - Service: Workstation NetLogon Service (½O.#ž‚„õØ´â) - Unknown owner - C:\WINNT\system32\mfcss32.exe (file missing)

Find og slet disse:
C:\WINNT\rund1132.exe
C:\WINNT\system32\rpcsvc.exe
C:\WINNT\system32\wupnp.exe
C:\WINNT\system32\mfcss32.exe

genstart og ny hijackthis log

De sidste to filer i WINNT kunne den ikke finde.

Ikke alle linier i Hijackthis var der (kun den første og sidste), og det ser ud til at de stadig er der efter fix og reboot.

Her ny Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 22:31:27, on 18-01-2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ccsrvc.exe
C:\PROGRA~1\CARBON~1\shellker.exe
C:\Progra~1\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\PROGRA~1\Compaq\COMPAQ~1\hibserv.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\Progra~1\NavNT\rtvscan.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Promon.exe
C:\Progra~1\NavNT\vptray.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Canon\MultiPASS\MPTBox.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\system32\internat.exe
C:\Program Files\TEXTware\HotKey\Twalink.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Hijackthis-ny\hijackthis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.dk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.mail.tdconline.dk/
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [vptray] C:\Progra~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PostImg] C:\Drivers\postimg.exe
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: HotKey.lnk = C:\Program Files\TEXTware\HotKey\Twalink.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O15 - Trusted Zone: http://ie.config.asia.compaq.com
O15 - Trusted Zone: http://ie.config.eur.compaq.com
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com
O15 - Trusted Zone: http://ie.config.jp.compaq.com
O15 - Trusted Zone: http://ie.config.ecom.dec.com
O15 - Trusted Zone: http://ie.config.tandem.com
O15 - Trusted Zone: http://ie.config.asia.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.eur.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.jp.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.ecom.dec.com (HKLM)
O15 - Trusted Zone: http://ie.config.tandem.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137099188654
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8B3512EF-4FF5-4AA4-9CDE-56BB03E04B9F} (SAXFileEE ActiveX Control) - http://www.billedbutikken.dk/upload/SAXFileEE.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.photocare.dk/ImageUploader3.cab
O16 - DPF: {CA79DF4A-E7DD-4175-A88A-7B72533A4130} (Sky Software FolderView ActiveX Control 6.0) - http://www.billedbutikken.dk/upload/digiupload.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netpension.danicapension.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emea.cpqcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = emea.cpqcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = emea.cpqcorp.net
O23 - Service: Carbon Copy Access Edition (CarbonCopy32) - Compaq Computer Corporation. - C:\WINNT\System32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Compaq Computer Corporation. - C:\WINNT\System32\schdsrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Progra~1\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~1\hibserv.exe
O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\system32\mousebm.exe (file missing)
O23 - Service: MPService - Canon Information Systems, Inc. - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Progra~1\NavNT\rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Windows UPnP Service (wupnp) - Unknown owner - C:\WINNT\system32\wupnp.exe (file missing)

Er dette nogle du selv har lagt i trusted zone:
O15 - Trusted Zone: http://ie.config.asia.compaq.com
O15 - Trusted Zone: http://ie.config.eur.compaq.com
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com
O15 - Trusted Zone: http://ie.config.jp.compaq.com
O15 - Trusted Zone: http://ie.config.ecom.dec.com
O15 - Trusted Zone: http://ie.config.tandem.com
O15 - Trusted Zone: http://ie.config.asia.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.eur.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.jp.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.ecom.dec.com (HKLM)
O15 - Trusted Zone: http://ie.config.tandem.com (HKLM)

Jeg har selv lagt dem ind tidligere, men bruger dem ikke mere. Så jeg kan vel godt slette dem?

Ja, slet du dem bare..

Du skal lige en tur i Regedit.
Klik på Start->Kør skriv regedit og klik OK.
Du får et vindue lidt ligesom stifinder.
Klik dig frem til:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Tjek om der ligger en nøgle/tekst der hedder "HOMEOldSP", gør der det slet den.
Derefter klikker du på "denne computer" i regedit vinduet, klik så på rediger-Søg skriv Homeoldsp tryk <Enter> slet det hvis den finder noget, tryk så <F3> slet, <F3> slet, indtil du får at vide at søgningen er afsluttet.
Gør bagefter det samme med søgeordet About:blank

derefter fixer du denne:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

genstart og ny hijackthis log

Ny log:

Logfile of HijackThis v1.99.1
Scan saved at 21:07:37, on 19-01-2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ccsrvc.exe
C:\PROGRA~1\CARBON~1\shellker.exe
C:\Progra~1\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\PROGRA~1\Compaq\COMPAQ~1\hibserv.exe
C:\WINNT\Explorer.EXE
C:\Progra~1\NavNT\rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\system32\Promon.exe
C:\Progra~1\NavNT\vptray.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\system32\internat.exe
C:\Program Files\TEXTware\HotKey\Twalink.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Hijackthis-ny\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.dk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.mail.tdconline.dk/
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [vptray] C:\Progra~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PostImg] C:\Drivers\postimg.exe
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: HotKey.lnk = C:\Program Files\TEXTware\HotKey\Twalink.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137099188654
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8B3512EF-4FF5-4AA4-9CDE-56BB03E04B9F} (SAXFileEE ActiveX Control) - http://www.billedbutikken.dk/upload/SAXFileEE.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.photocare.dk/ImageUploader3.cab
O16 - DPF: {CA79DF4A-E7DD-4175-A88A-7B72533A4130} (Sky Software FolderView ActiveX Control 6.0) - http://www.billedbutikken.dk/upload/digiupload.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netpension.danicapension.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emea.cpqcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = emea.cpqcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = emea.cpqcorp.net
O23 - Service: Carbon Copy Access Edition (CarbonCopy32) - Compaq Computer Corporation. - C:\WINNT\System32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Compaq Computer Corporation. - C:\WINNT\System32\schdsrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Progra~1\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~1\hibserv.exe
O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\system32\mousebm.exe (file missing)
O23 - Service: MPService - Canon Information Systems, Inc. - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Progra~1\NavNT\rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Windows UPnP Service (wupnp) - Unknown owner - C:\WINNT\system32\wupnp.exe (file missing)

Fix lige denne i hijackthis:
O23 - Service: Windows UPnP Service (wupnp) - Unknown owner - C:\WINNT\system32\wupnp.exe (file missing)


Hent CWSHredder herfra: http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe
Kør CWShredder, opdater CWSHredder. Luk CWSHredder. Så skal du afbryde din internetforbindelse fysisk(stikket ud), deaktiver ALLE sikkerhedsprogrammer.

Genstart computeren i fejlsikret tilstand(Du skal klikke på f8 tasten under genstarten (ca. lige når der er talt ram), og så vælge fejlsikret tilstand. Er du i tvivl, så klik bare på f8 flere gange.)

Åbn CWSHredder, klik på Fix, så scanner denog fixer det den finder .Når den er færdig, så trykker du på Next, og bagefter på Exit..

Så skal du aktiver alle dine sikkerhedsprogrammer igen..

Genstart normalt og ny hijackthis log

ny log:

Logfile of HijackThis v1.99.1
Scan saved at 12:22:09, on 22-01-2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ccsrvc.exe
C:\Progra~1\NavNT\defwatch.exe
C:\PROGRA~1\CARBON~1\shellker.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\PROGRA~1\Compaq\COMPAQ~1\hibserv.exe
C:\WINNT\Explorer.EXE
C:\Progra~1\NavNT\rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Progra~1\NavNT\vptray.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\system32\internat.exe
C:\Program Files\TEXTware\HotKey\Twalink.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Hijackthis-ny\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.dk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.mail.tdconline.dk/
O4 - HKLM\..\Run: [vptray] C:\Progra~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PostImg] C:\Drivers\postimg.exe
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: HotKey.lnk = C:\Program Files\TEXTware\HotKey\Twalink.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137099188654
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8B3512EF-4FF5-4AA4-9CDE-56BB03E04B9F} (SAXFileEE ActiveX Control) - http://www.billedbutikken.dk/upload/SAXFileEE.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.photocare.dk/ImageUploader3.cab
O16 - DPF: {CA79DF4A-E7DD-4175-A88A-7B72533A4130} (Sky Software FolderView ActiveX Control 6.0) - http://www.billedbutikken.dk/upload/digiupload.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netpension.danicapension.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emea.cpqcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = emea.cpqcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = emea.cpqcorp.net
O23 - Service: Carbon Copy Access Edition (CarbonCopy32) - Compaq Computer Corporation. - C:\WINNT\System32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Compaq Computer Corporation. - C:\WINNT\System32\schdsrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Progra~1\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~1\hibserv.exe
O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\system32\mousebm.exe (file missing)
O23 - Service: MPService - Canon Information Systems, Inc. - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Progra~1\NavNT\rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Windows UPnP Service (wupnp) - Unknown owner - C:\WINNT\system32\wupnp.exe (file missing)

genstart i fejlsikret og fix disse:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

O23 - Service: Windows UPnP Service (wupnp) - Unknown owner - C:\WINNT\system32\wupnp.exe (file missing)

genstart normalt og ny hijackthis log

det ser ikke ud til at den sidste kan fixes

ny log:

Logfile of HijackThis v1.99.1
Scan saved at 13:16:19, on 22-01-2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ccsrvc.exe
C:\PROGRA~1\CARBON~1\shellker.exe
C:\Progra~1\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\PROGRA~1\Compaq\COMPAQ~1\hibserv.exe
C:\WINNT\Explorer.EXE
C:\Progra~1\NavNT\rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Progra~1\NavNT\vptray.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\system32\internat.exe
C:\WINNT\system32\mspmspsv.exe
C:\Program Files\TEXTware\HotKey\Twalink.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Hijackthis-ny\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.dk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.mail.tdconline.dk/
O4 - HKLM\..\Run: [vptray] C:\Progra~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PostImg] C:\Drivers\postimg.exe
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: HotKey.lnk = C:\Program Files\TEXTware\HotKey\Twalink.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137099188654
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8B3512EF-4FF5-4AA4-9CDE-56BB03E04B9F} (SAXFileEE ActiveX Control) - http://www.billedbutikken.dk/upload/SAXFileEE.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.photocare.dk/ImageUploader3.cab
O16 - DPF: {CA79DF4A-E7DD-4175-A88A-7B72533A4130} (Sky Software FolderView ActiveX Control 6.0) - http://www.billedbutikken.dk/upload/digiupload.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netpension.danicapension.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emea.cpqcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = emea.cpqcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = emea.cpqcorp.net
O23 - Service: Carbon Copy Access Edition (CarbonCopy32) - Compaq Computer Corporation. - C:\WINNT\System32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Compaq Computer Corporation. - C:\WINNT\System32\schdsrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Progra~1\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~1\hibserv.exe
O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\system32\mousebm.exe (file missing)
O23 - Service: MPService - Canon Information Systems, Inc. - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Progra~1\NavNT\rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Windows UPnP Service (wupnp) - Unknown owner - C:\WINNT\system32\wupnp.exe (file missing)

Klik på Start->Kør skriv Services.msc og klik OK.
Find Tjenesten >> O23 - Service: Windows UPnP Service (wupnp) << stop den, højreklik på den og vælg Starttype Deaktiveret.

fix denne i hijackthis:
O23 - Service: Windows UPnP Service (wupnp) - Unknown owner - C:\WINNT\system32\wupnp.exe (file missing)

genstart og ny hijackthis log

ny log:

Logfile of HijackThis v1.99.1
Scan saved at 21:21:05, on 22-01-2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ccsrvc.exe
C:\PROGRA~1\CARBON~1\shellker.exe
C:\Progra~1\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\PROGRA~1\Compaq\COMPAQ~1\hibserv.exe
C:\WINNT\Explorer.EXE
C:\Progra~1\NavNT\rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Progra~1\NavNT\vptray.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\system32\internat.exe
C:\Program Files\TEXTware\HotKey\Twalink.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Hijackthis-ny\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.dk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.mail.tdconline.dk/
O4 - HKLM\..\Run: [vptray] C:\Progra~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PostImg] C:\Drivers\postimg.exe
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: HotKey.lnk = C:\Program Files\TEXTware\HotKey\Twalink.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137099188654
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8B3512EF-4FF5-4AA4-9CDE-56BB03E04B9F} (SAXFileEE ActiveX Control) - http://www.billedbutikken.dk/upload/SAXFileEE.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.photocare.dk/ImageUploader3.cab
O16 - DPF: {CA79DF4A-E7DD-4175-A88A-7B72533A4130} (Sky Software FolderView ActiveX Control 6.0) - http://www.billedbutikken.dk/upload/digiupload.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netpension.danicapension.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emea.cpqcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = emea.cpqcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = emea.cpqcorp.net
O23 - Service: Carbon Copy Access Edition (CarbonCopy32) - Compaq Computer Corporation. - C:\WINNT\System32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Compaq Computer Corporation. - C:\WINNT\System32\schdsrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Progra~1\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~1\hibserv.exe
O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\system32\mousebm.exe (file missing)
O23 - Service: MPService - Canon Information Systems, Inc. - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Progra~1\NavNT\rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Så er din log ren.

Efter sådan en tur er det altid en god ide og rydde op i dine systemgendannelses filerne.
Deaktiver systemgendannelse ( http://www.arlet.dk/systemgendannelsen.htm ) - genstart din computer - aktiver systemgendannelse.

Generel oprydning: http://www.arlet.dk/oprydning.htm

For at beskytte dig mod snavs har jeg lavet en sikkerhedspakke,
som du kan se her : www.arlet.dk/pakke.htm