win32/winshow.AK eller win32.trojan.downloader

Generelt - følg guiden herfra -> http://www.eksperten.dk/artikler/755

(Ikke nødvendigvis mig der følger op...)

Velkommen til Eksperten.dk iøvrigt...
http://expfaq.1go.dk/

Tak skal du have :-)

Så har jeg gjort som skrevet - det er altsammen nedenfor - hvad gør jeg nu ?


Scan statistics
-----------------------------------------------------------------------------
Objects scanned: 122690
Infected objects found: 17
Objects with modifications found: 0
Suspicious objects found: 0
Adware programs found: 0
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 1
Hacktool programs found: 0
Objects cured: 0
Objects deleted: 17
Objects renamed: 1
Objects moved: 0
Objects ignored: 0
Scan speed: 1497 Kb/s
Scan time: 00:44:43

---------------------------------------------------------
ewido anti-malware - Scanningsrapport
---------------------------------------------------------

+ Oprettet den:            14:19:55, 27-02-2006
+ Rapport-Checksum:        6D0F0FD9

+ Scanningsresultat:
    C:\WINDOWS\system32\per.#xe -> Downloader.Delf.aeu : Renset med backup
    C:\WINDOWS\_default.pif:zhstm -> Downloader.Agent.td : Renset med backup


::Rapport slut

Logfile of HijackThis v1.99.1
Scan saved at 14:26:32, on 27-02-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\ewido anti-malware\ewidoctrl.exe
C:\Programmer\CA\eTrust Antivirus\InoRpc.exe
C:\Programmer\CA\eTrust Antivirus\InoRT.exe
C:\Programmer\CA\eTrust Antivirus\InoTask.exe
C:\Programmer\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Programmer\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ESB.exe
C:\WINDOWS\System32\4mtcsb.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Programmer\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Programmer\BearShare\BearShare.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Programmer\Microsoft ActiveSync\wcescomm.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmer\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Programmer\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Documents and Settings\Aros Shipping\Lokale indstillinger\Temporary Internet Files\Content.IE5\LOCBT5KH\hijackthis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nfunw.dll/sp.html#77035%
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jubii.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nfunw.dll/sp.html#77035%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nfunw.dll/sp.html#77035%
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nfunw.dll/sp.html#77035%
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nfunw.dll/sp.html#77035%
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - Default URLSearchHook is missing
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programmer\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\01.02.4000.1001\da\msntb.dll (file missing)
O4 - HKLM\..\Run: [ESB] C:\WINDOWS\System32\ESB.exe
O4 - HKLM\..\Run: [4mtcsb] C:\WINDOWS\System32\4mtcsb.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Programmer\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Programmer\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [BearShare] "C:\Programmer\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [7.tmp] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [8.tmp] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\8.tmp.exe
O4 - HKLM\..\Run: [crcx.exe] C:\WINDOWS\system32\crcx.exe
O4 - HKLM\..\Run: [7.tmp.exe] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [5.tmp] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\5.tmp.exe
O4 - HKLM\..\Run: [5.tmp.exe] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\5.tmp.exe
O4 - HKLM\..\Run: [B.tmp] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\B.tmp.exe
O4 - HKLM\..\Run: [B.tmp.exe] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\B.tmp.exe
O4 - HKLM\..\Run: [E.tmp] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\E.tmp.exe
O4 - HKLM\..\Run: [E.tmp.exe] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\E.tmp.exe
O4 - HKLM\..\Run: [11.tmp] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\11.tmp.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\per.exe internat.dll,LoadKeyboardProfile
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AWMON] "C:\Programmer\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmer\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Programmer\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Opret Foretrukken på den mobile enhed... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\dan.htm
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase3401.cab
O16 - DPF: {89A312AE-8D21-42B1-848B-FD8E27F9A2A9} (PrimeInk for Web Applications Signing Component) - https://webreg.dk/web.dll
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.hornsrev.dk/live/AxisCamControl.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1D0B77C-622C-4DBE-B89F-918997C9B432}: NameServer = 194.239.134.83,193.162.153.164
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Programmer\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Programmer\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Programmer\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Programmer\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Programmer\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Programmer\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Programmer\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) -  - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Programmer\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Programmer\Virtual CD v4 SDK\system\vcssecs.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Skal jeg lave et nyt spørgsmål eller er der nogen der læser her ??

Jeg læser her :)

Det er noget af en samling møg du har fået. Vi tager det lige over nogle gange.


Hent About:Buster her, og pak den ud til skrivebordet http://www.malwarebytes.org/AboutBuster.zip Du skal ikke køre programet endnu.


Hent og dobbeltklik på smitRem.exe

http://noahdfear.geekstogo.com/click%20counter/click.php?id=1

Programmet pakker sig ud til mappen smitRem.


Hent Ewido, hvis du ikke har den i forvejen:

http://www.spywarefri.dk/downloads1/ewido-setup.exe

Installer og kør Ewido - Opdater straks efter installationen programmet (men lad være med at scanne endnu).


Genstart i fejlsikret, hvis du ikke ved hvordan så kig her:

http://fromsej.dk/html/xpfejl.html


Scan med About:buster. Den laver en log, som jeg gerne vil se.


Åbn mappen smitRem, og dobbeltklik på RunThis.bat (Følg vejledningen i vinduet.)

Kør en fuld scanning med Ewido. Programmet laver en lille log, som du skal kopiere herind.

Genstart og kom med en frisk Hijackthislog, samt loggen fra Ewido. Find smitfiles.txt via Start/Søg. Kopier også denne log ind, samt loggen fra About:buster.

Har gjort som instrueret - alt sammen nedenfor. Hvad gør jeg nu ?




AboutBuster 6.0
Scan started on [27-02-2006] at [15:57:21]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
Removed Stream! C:\WINDOWS\KB823182.log:vpuxvt
Removed Stream! C:\WINDOWS\KB828028.log:gqfqro
Removed Stream! C:\WINDOWS\KB833987.log:qrqvtq
Removed Stream! C:\WINDOWS\KB837001.log:jsjbnb
Removed Stream! C:\WINDOWS\KB890859.log:xbcbi
-------------------------------------------------------------
Removed File! : C:\WINDOWS\axmis.log
Removed File! : C:\WINDOWS\buxiw.log
Removed File! : C:\WINDOWS\cixpi.log
Removed File! : C:\WINDOWS\dexlm.log
Removed File! : C:\WINDOWS\dhbja.log
Removed File! : C:\WINDOWS\evvzv.log
Removed File! : C:\WINDOWS\gokfg.txt
Removed File! : C:\WINDOWS\hbsxa.txt
Removed File! : C:\WINDOWS\ifbjl.dat
Removed File! : C:\WINDOWS\iltxc.txt
Removed File! : C:\WINDOWS\jigdw.txt
Removed File! : C:\WINDOWS\mknmr.log
Removed File! : C:\WINDOWS\nwnzn.log
Removed File! : C:\WINDOWS\rgaio.log
Removed File! : C:\WINDOWS\rgmwm.log
Removed File! : C:\WINDOWS\rivsd.dat
Removed File! : C:\WINDOWS\xwbgu.log
Removed File! : C:\WINDOWS\ybboo.dat
Removed File! : C:\WINDOWS\system32\bcmhl.dat
Removed File! : C:\WINDOWS\system32\chdal.dat
Removed File! : C:\WINDOWS\system32\ckgla.dat
Removed File! : C:\WINDOWS\system32\evvik.dat
Removed File! : C:\WINDOWS\system32\feifb.log
Removed File! : C:\WINDOWS\system32\fjxzm.log
Removed File! : C:\WINDOWS\system32\fmbjq.log
Removed File! : C:\WINDOWS\system32\fydmg.dat
Removed File! : C:\WINDOWS\system32\jpbbv.log
Removed File! : C:\WINDOWS\system32\jzbcg.txt
Removed File! : C:\WINDOWS\system32\kiwuh.dat
Removed File! : C:\WINDOWS\system32\ogawi.dat
Removed File! : C:\WINDOWS\system32\pebxe.log
Removed File! : C:\WINDOWS\system32\poybg.log
Removed File! : C:\WINDOWS\system32\qagwc.dat
Removed File! : C:\WINDOWS\system32\qsuqz.dat
Removed File! : C:\WINDOWS\system32\sfmum.txt
Removed File! : C:\WINDOWS\system32\sgqye.log
Removed File! : C:\WINDOWS\system32\squrx.txt
Removed File! : C:\WINDOWS\system32\tyeui.log
Removed File! : C:\WINDOWS\system32\vnhuk.dat
Removed File! : C:\WINDOWS\system32\waall.txt
Removed File! : C:\WINDOWS\system32\xbzyb.dat
Removed File! : C:\WINDOWS\system32\xdqwn.log
Removed File! : C:\WINDOWS\system32\ydesb.dat
Removed File! : C:\WINDOWS\system32\yxyrk.txt
Removed File! : C:\WINDOWS\system32\zkpmt.txt
-------------------------------------------------------------
Removed Temp Files
Internet Explorer Settings Reset!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 15:59:24


---------------------------------------------------------
ewido anti-malware - Scanningsrapport
---------------------------------------------------------

+ Oprettet den:            16:26:44, 27-02-2006
+ Rapport-Checksum:        5D5B9862

+ Scanningsresultat:
    Ingen inficerede filer fundet!


::Rapport slut


smitRem © log file
    version 2.8

    by noahdfear


Microsoft Windows XP [version 5.1.2600]

Running from
C:\Documents and Settings\Aros Shipping\Skrivebord\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{A2C8F6B1-7C2A-3D1C-A3C6-A1FDA113B43F}"="Security Update"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{A2C8F6B1-7C2A-3D1C-A3C6-A1FDA113B43F}\InProcServer32]
@="C:\WINDOWS\system32\wbeconm.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

logfiles


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 156 'explorer.exe'
Killing PID 156 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :)


Logfile of HijackThis v1.99.1
Scan saved at 16:32:33, on 27-02-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\ewido anti-malware\ewidoctrl.exe
C:\Programmer\CA\eTrust Antivirus\InoRpc.exe
C:\Programmer\CA\eTrust Antivirus\InoRT.exe
C:\Programmer\CA\eTrust Antivirus\InoTask.exe
C:\Programmer\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Programmer\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ESB.exe
C:\WINDOWS\System32\4mtcsb.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Programmer\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Programmer\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmer\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Programmer\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Documents and Settings\Aros Shipping\Skrivebord\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nfunw.dll/sp.html#77035%
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jubii.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nfunw.dll/sp.html#77035%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nfunw.dll/sp.html#77035%
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nfunw.dll/sp.html#77035%
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nfunw.dll/sp.html#77035%
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - Default URLSearchHook is missing
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programmer\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\01.02.4000.1001\da\msntb.dll (file missing)
O4 - HKLM\..\Run: [ESB] C:\WINDOWS\System32\ESB.exe
O4 - HKLM\..\Run: [4mtcsb] C:\WINDOWS\System32\4mtcsb.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Programmer\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Programmer\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [BearShare] "C:\Programmer\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [7.tmp] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [8.tmp] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\8.tmp.exe
O4 - HKLM\..\Run: [crcx.exe] C:\WINDOWS\system32\crcx.exe
O4 - HKLM\..\Run: [7.tmp.exe] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [5.tmp] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\5.tmp.exe
O4 - HKLM\..\Run: [5.tmp.exe] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\5.tmp.exe
O4 - HKLM\..\Run: [B.tmp] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\B.tmp.exe
O4 - HKLM\..\Run: [B.tmp.exe] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\B.tmp.exe
O4 - HKLM\..\Run: [E.tmp] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\E.tmp.exe
O4 - HKLM\..\Run: [E.tmp.exe] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\E.tmp.exe
O4 - HKLM\..\Run: [11.tmp] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\11.tmp.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\per.exe internat.dll,LoadKeyboardProfile
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AWMON] "C:\Programmer\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmer\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Programmer\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Opret Foretrukken på den mobile enhed... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\dan.htm
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase3401.cab
O16 - DPF: {89A312AE-8D21-42B1-848B-FD8E27F9A2A9} (PrimeInk for Web Applications Signing Component) - https://webreg.dk/web.dll
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.hornsrev.dk/live/AxisCamControl.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1D0B77C-622C-4DBE-B89F-918997C9B432}: NameServer = 194.239.134.83,193.162.153.164
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Programmer\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Programmer\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Programmer\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Programmer\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Programmer\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Programmer\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Programmer\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) -  - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Programmer\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Programmer\Virtual CD v4 SDK\system\vcssecs.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Vi skal lige køre lidt flere scanninger:


Hent denne scanner mwav.exe, den skal du bruge senere.

http://www.spywareinfo.dk/download/mwav.exe

Sæt flueben i følgende:
Memory, Startup folders, drive, Registry, System folders og Services.
Sæt prik i følgende:
All local drives og Scan all files.


Hent CWShredder her http://www.trendmicro.com/cwshredder/ Du skal ikke køre den endnu.


Start op i fejlsikret igen.


Kør CWShredder, klik fix, og når den er færdig, klik exit.


Kør MWAV.exe som du også hentede. Klik scan/clean.


Når den er færdig, så klikker du i vinduet "Virus log information". Tryk så Ctrl+A, så er det markeret. Tryk så Ctrl+C, så er det kopieret til udklipsholder. Sæt det ind i et stykke notesblok.


Genstart til normal tilstand, og kom med en frisk HijackThis log, og loggen du kopierede fra MWAV.exe.

Uha da da - har denne putter i det hele taget kunne køre noget som helst ?

Hvad har du dog haft 'gang i' *S* ?

Mon det ikke skulle være [BearShare] der har startet det hele - sammen med [SpySheriff] + 20-30 andre 'snavs' elementer i din LOG ...

Bare følg guiden fra <forevernewbie>. Det bliver nok af flere omgange...

Bliver helt bange - troede kun det var 1 virus. Hvordan kan det ske når jeg kører med licenserede antivirusprogrammer.

Ok - så er det gjort logfiles nedenfor.




Logfile of HijackThis v1.99.1
Scan saved at 19:30:04, on 27-02-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\ewido anti-malware\ewidoctrl.exe
C:\Programmer\CA\eTrust Antivirus\InoRpc.exe
C:\Programmer\CA\eTrust Antivirus\InoRT.exe
C:\Programmer\CA\eTrust Antivirus\InoTask.exe
C:\Programmer\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Programmer\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ESB.exe
C:\WINDOWS\System32\4mtcsb.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Programmer\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Programmer\BearShare\BearShare.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Programmer\Microsoft ActiveSync\wcescomm.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmer\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Programmer\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Documents and Settings\Aros Shipping\Skrivebord\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nfunw.dll/sp.html#77035%
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jubii.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nfunw.dll/sp.html#77035%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nfunw.dll/sp.html#77035%
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nfunw.dll/sp.html#77035%
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nfunw.dll/sp.html#77035%
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - Default URLSearchHook is missing
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programmer\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\01.02.4000.1001\da\msntb.dll (file missing)
O4 - HKLM\..\Run: [ESB] C:\WINDOWS\System32\ESB.exe
O4 - HKLM\..\Run: [4mtcsb] C:\WINDOWS\System32\4mtcsb.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Programmer\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Programmer\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [BearShare] "C:\Programmer\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [8.tmp] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\8.tmp.exe
O4 - HKLM\..\Run: [7.tmp.exe] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [5.tmp.exe] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\5.tmp.exe
O4 - HKLM\..\Run: [B.tmp.exe] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\B.tmp.exe
O4 - HKLM\..\Run: [E.tmp.exe] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\E.tmp.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\per.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [7.tmp] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [crcx.exe] C:\WINDOWS\system32\crcx.exe
O4 - HKLM\..\Run: [5.tmp] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\5.tmp.exe
O4 - HKLM\..\Run: [B.tmp] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\B.tmp.exe
O4 - HKLM\..\Run: [E.tmp] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\E.tmp.exe
O4 - HKLM\..\Run: [11.tmp] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\11.tmp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AWMON] "C:\Programmer\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmer\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Programmer\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Opret Foretrukken på den mobile enhed... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\dan.htm
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase3401.cab
O16 - DPF: {89A312AE-8D21-42B1-848B-FD8E27F9A2A9} (PrimeInk for Web Applications Signing Component) - https://webreg.dk/web.dll
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.hornsrev.dk/live/AxisCamControl.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1D0B77C-622C-4DBE-B89F-918997C9B432}: NameServer = 194.239.134.83,193.162.153.164
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Programmer\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Programmer\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Programmer\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Programmer\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Programmer\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Programmer\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Programmer\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) -  - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Programmer\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Programmer\Virtual CD v4 SDK\system\vcssecs.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE



File C:\WINDOWS\RESTORE.INS tagged as not-a-virus:NetTool.Win32.PsKill. No Action Taken.
File C:\Programmer\BearShare\Installer\BSInstall5.2.1.2.exe tagged as not-a-virus:AdWare.Win32.SaveNow.bo. No Action Taken.
File C:\WINDOWS\RESTORE.INS tagged as not-a-virus:NetTool.Win32.PsKill. No Action Taken.
File C:\WINDOWS\system\RESTORE.INS tagged as not-a-virus:NetTool.Win32.PsKill. No Action Taken.

Skal jeg afinstallere bear share ?

Skal mit ad-watch SE plus være aktivt eller skal jeg deaktiver det. Den popper op med en masse efter jeg genstartede ?

God ide at smide Bearshare langt væk. Det er der alt skidtet kommer fra.

Du må godt lige midlertidigt afinstallere Ad-Aware, så jeg kans hvilke ændringer der er sket efter kørsel af CWShredder. Adwatch "holder" nemlig på dine indstillinger. Tag så en genstart, og kør en ny HijackThis.

Vi er ved at være i mål, men det var en ordentlig omgang skidt.

Ok - bear share og Adwatch er afinstalleret.

Her er loggen:

Logfile of HijackThis v1.99.1
Scan saved at 20:53:52, on 27-02-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\ewido anti-malware\ewidoctrl.exe
C:\Programmer\CA\eTrust Antivirus\InoRpc.exe
C:\Programmer\CA\eTrust Antivirus\InoRT.exe
C:\Programmer\CA\eTrust Antivirus\InoTask.exe
C:\Programmer\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Programmer\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ESB.exe
C:\WINDOWS\System32\4mtcsb.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Programmer\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\Microsoft ActiveSync\wcescomm.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmer\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Programmer\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Aros Shipping\Skrivebord\hijackthis.exe
C:\WINDOWS\system32\HPZinw12.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nfunw.dll/sp.html#77035%
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jubii.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nfunw.dll/sp.html#77035%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nfunw.dll/sp.html#77035%
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nfunw.dll/sp.html#77035%
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nfunw.dll/sp.html#77035%
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - Default URLSearchHook is missing
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programmer\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\01.02.4000.1001\da\msntb.dll (file missing)
O4 - HKLM\..\Run: [ESB] C:\WINDOWS\System32\ESB.exe
O4 - HKLM\..\Run: [4mtcsb] C:\WINDOWS\System32\4mtcsb.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Programmer\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Programmer\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [BearShare] "C:\Programmer\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [8.tmp] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\8.tmp.exe
O4 - HKLM\..\Run: [7.tmp.exe] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [5.tmp.exe] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\5.tmp.exe
O4 - HKLM\..\Run: [B.tmp.exe] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\B.tmp.exe
O4 - HKLM\..\Run: [E.tmp.exe] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\E.tmp.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\per.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [7.tmp] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [crcx.exe] C:\WINDOWS\system32\crcx.exe
O4 - HKLM\..\Run: [5.tmp] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\5.tmp.exe
O4 - HKLM\..\Run: [B.tmp] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\B.tmp.exe
O4 - HKLM\..\Run: [E.tmp] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\E.tmp.exe
O4 - HKLM\..\Run: [11.tmp] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\11.tmp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmer\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Programmer\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Opret Foretrukken på den mobile enhed... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\dan.htm
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase3401.cab
O16 - DPF: {89A312AE-8D21-42B1-848B-FD8E27F9A2A9} (PrimeInk for Web Applications Signing Component) - https://webreg.dk/web.dll
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.hornsrev.dk/live/AxisCamControl.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1D0B77C-622C-4DBE-B89F-918997C9B432}: NameServer = 194.239.134.83,193.162.153.164
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Programmer\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Programmer\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Programmer\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Programmer\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Programmer\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Programmer\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Programmer\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) -  - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Programmer\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Programmer\Virtual CD v4 SDK\system\vcssecs.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Kør en scanning med HijackThis, så du kan se alle filer. Luk alle vinduer, sæt flueben ved disse linier, og klik fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nfunw.dll/sp.html#77035%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nfunw.dll/sp.html#77035%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nfunw.dll/sp.html#77035%
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nfunw.dll/sp.html#77035%
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nfunw.dll/sp.html#77035%
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [BearShare] "C:\Programmer\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [8.tmp] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\8.tmp.exe
O4 - HKLM\..\Run: [7.tmp.exe] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [5.tmp.exe] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\5.tmp.exe
O4 - HKLM\..\Run: [B.tmp.exe] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\B.tmp.exe
O4 - HKLM\..\Run: [E.tmp.exe] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\E.tmp.exe
O4 - HKLM\..\Run: [7.tmp] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [crcx.exe] C:\WINDOWS\system32\crcx.exe
O4 - HKLM\..\Run: [5.tmp] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\5.tmp.exe
O4 - HKLM\..\Run: [B.tmp] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\B.tmp.exe
O4 - HKLM\..\Run: [E.tmp] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\E.tmp.exe
O4 - HKLM\..\Run: [11.tmp] C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp\11.tmp.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe


-----------------------------------------------

For at kunne se alle filer og mapper, gør du dette http://www.spywareinfo.dk/#/tip-og-tricks/mappeindstillinger.htm


Så starter du op i fejlsikret tilstand, og sletter disse filer og mapper. Nogle af dem er sikkert væk. Det er normalt.

C:\WINDOWS\RESTORE.INS << slet filen
C:\winstall.exe  << slet filen
C:\WINDOWS\system32\crcx.exe  << slet filen
C:\WINDOWS\system32\nfunw.dll  << slet filen
C:\DOCUME~1\AROSSH~1\LOKALE~1\Temp  << tøm mappen for filer

C:\Programmer\BearShare  << slet mappen
C:\Program Files\SpySheriff << slet mappen

Genstart til normal tilstand, og kom med en frisk HijackThis log.

Ok - så er det gjort. Der var 2 filer jeg ikke kunne slette under temp mappen DF72A2.tmp & DFAEEF.tmp

Logfilen nedenfor:

Logfile of HijackThis v1.99.1
Scan saved at 21:52:59, on 27-02-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\ewido anti-malware\ewidoctrl.exe
C:\Programmer\CA\eTrust Antivirus\InoRpc.exe
C:\Programmer\CA\eTrust Antivirus\InoRT.exe
C:\Programmer\CA\eTrust Antivirus\InoTask.exe
C:\Programmer\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Programmer\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ESB.exe
C:\WINDOWS\System32\4mtcsb.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Programmer\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\Microsoft ActiveSync\wcescomm.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmer\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Programmer\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Aros Shipping\Skrivebord\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jubii.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programmer\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\01.02.4000.1001\da\msntb.dll (file missing)
O4 - HKLM\..\Run: [ESB] C:\WINDOWS\System32\ESB.exe
O4 - HKLM\..\Run: [4mtcsb] C:\WINDOWS\System32\4mtcsb.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Programmer\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Programmer\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\per.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmer\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Programmer\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Opret Foretrukken på den mobile enhed... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\dan.htm
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase3401.cab
O16 - DPF: {89A312AE-8D21-42B1-848B-FD8E27F9A2A9} (PrimeInk for Web Applications Signing Component) - https://webreg.dk/web.dll
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.hornsrev.dk/live/AxisCamControl.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1D0B77C-622C-4DBE-B89F-918997C9B432}: NameServer = 194.239.134.83,193.162.153.164
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Programmer\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Programmer\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Programmer\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Programmer\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Programmer\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Programmer\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Programmer\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) -  - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Programmer\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Programmer\Virtual CD v4 SDK\system\vcssecs.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Det ser godt ud. Din log er ren. De to tempfiler er ok, og er nok i brug, siden de ikke kunne slettes. De "grimme" er væk :)


Efter et virus/spyware angreb, er det altid en god ide at rydde op i systemgendannelses filerne. Deaktiver systemgendannelse (http://www.spywarefri.dk/virusscannere.htm#alle) - genstart din computer - aktiver systemgendannelse.


Afsluttende rensning af browser cachen:


1. Klik på Funktioner - Internetindstillinger.

2. Under midlertidige filer, klik på slet cookies.

3. Under midlertidige filer, klik på slet filer – sæt flueben i slet alt offline indhold.

4. Under oversigten, klik på ryd oversigten.

5. Klik på ok.

6  Tøm papirkurven.


Husk at "skjule" dine filer igen.


Link til sikring af din computer http://www.spywarefri.dk/manualer/sikkerhedspakke.htm

Mange tusinde tak for hjælpen :-) Det var virkeligt dejligt at du havde tid til at hjælpe.

Velbekomme, og god fornøjelse med din rene maskine :)

Tak for point.