pjatmail Master
18 March 2006 - 13:02 There are 40 comments and 1 solution

Can only get online if I go via an unwanted popup

I can't get online by clicking the Internet Explorer icon. An error message appears and the program closes... but a little later a popup window appears - and from there I can type in the address bar and browse without hindrance. How do I get rid of this problem?
I have run Ad-Aware SE, Spybot Search & Destroy and the AVG virus scanner. All of them are up to date!
var Beginner
18 March 2006 - 13:51 #1
http://arlet.dk/ewidohjt

Follow the instructions and post the logs..
18 March 2006 - 14:49 #2
There is (still) 'dirt' left on your computer!!!
Follow the guide from here -> http://www.eksperten.dk/artikler/755
18 March 2006 - 14:49 #3
<fazli>: Sorry - I hadn't refreshed the page...
pjatmail Master
18 March 2006 - 15:33 #4
Here they should be!
---------------------------------------------------------
ewido anti-malware - Scanningsrapport
---------------------------------------------------------

+ Oprettet den:            15:19:16, 18-03-2006
+ Rapport-Checksum:        3F515DFD

+ Scanningsresultat:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CCAR -> Adware.CometCursor : Renset med backup
    [704] C:\WINDOWS\system32\sbscrap.dll -> Adware.Look2Me : Renset med backup
    C:\Documents and Settings\Johnny\Cookies\johnny@ilead.itrack[1].txt -> TrackingCookie.Itrack : Renset med backup
    C:\Documents and Settings\Johnny\Cookies\johnny@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Renset med backup
    C:\Documents and Settings\Johnny\Cookies\johnny@www.belstat[2].txt -> TrackingCookie.Belstat : Renset med backup
    C:\Documents and Settings\Johnny\Cookies\johnny@yadro[1].txt -> TrackingCookie.Yadro : Renset med backup
    C:\Documents and Settings\Region 3 Falck\Lokale indstillinger\Temp\Cookies\region 3 falck@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Renset med backup
    C:\Documents and Settings\Region 3 Falck\Lokale indstillinger\Temp\Cookies\region 3 falck@adtech[2].txt -> TrackingCookie.Adtech : Renset med backup
    C:\Documents and Settings\Region 3 Falck\Lokale indstillinger\Temp\Cookies\region 3 falck@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Renset med backup
    C:\Documents and Settings\Region 3 Falck\Lokale indstillinger\Temp\Cookies\region 3 falck@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Renset med backup
    C:\Documents and Settings\Region 3 Falck\Lokale indstillinger\Temp\Cookies\region 3 falck@sel.as-eu.falkag[2].txt -> TrackingCookie.Falkag : Renset med backup
    C:\Documents and Settings\Region 3 Falck\Lokale indstillinger\Temp\Cookies\region 3 falck@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Renset med backup
    C:\newname3.exe -> Downloader.VB.ri : Renset med backup
    C:\Programmer\Save -> Adware.SaveNow : Renset med backup
    C:\WHCC2.exe/whAgent.exe -> Adware.WebHancer : Renset med backup
    C:\WINDOWS\azesearch.bmp -> Adware.Azesearch : Renset med backup
    C:\WINDOWS\system32\dqsshlex.dll -> Adware.Look2Me : Renset med backup
    C:\WINDOWS\system32\guard.tmp -> Adware.Look2Me : Renset med backup
    C:\WINDOWS\system32\kt6sl7j71.dll -> Adware.Look2Me : Renset med backup
    C:\WINDOWS\system32\mfiseq.dll -> Adware.Look2Me : Renset med backup
    C:\WINDOWS\system32\sbscrap.dll -> Adware.Look2Me : Renset med backup
    C:\WINDOWS\Temp\Cookies\region 3 falck@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Renset med backup
    C:\WINDOWS\Temp\Cookies\region 3 falck@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Renset med backup
    C:\WINDOWS\Temp\Cookies\region 3 falck@data1.perf.overture[1].txt -> TrackingCookie.Overture : Renset med backup
    C:\WINDOWS\Temp\Cookies\region 3 falck@perf.overture[1].txt -> TrackingCookie.Overture : Renset med backup
    C:\WINDOWS\Temp\Cookies\region 3 falck@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Renset med backup
    C:\WINDOWS\Temp\Cookies\region 3 falck@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Renset med backup
    C:\WINDOWS\Temp\Cookies\region 3 falck@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Renset med backup


::Rapport slut




Logfile of HijackThis v1.99.1
Scan saved at 15:29:43, on 18-03-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\EPSON\EBAPI\eEBSVC.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmer\Fælles filer\EPSON\EBAPI\SAgent2.exe
C:\Programmer\ewido anti-malware\ewidoctrl.exe
C:\Programmer\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmer\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\mousepad3.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Region 3 Falck\Skrivebord\hjt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lfdb.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ad-w-a-r-e.com/cgi-bin/PopupV3?ID={168843F1-D193-E3D5-DDBF-38E3EDFD2757}&type=normal&mSkip=1&rnd=30458
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmer\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [keyboard] C:\\keyboard3.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad3.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\kt4ul7h91.dll
O20 - Winlogon Notify: skyx16 - C:\WINDOWS\SYSTEM32\skyx16.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Programmer\Fælles filer\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmer\Fælles filer\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmer\ewido anti-malware\ewidoguard.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
var Beginner
18 March 2006 - 18:24 #5
1. Download Look2Me-Destroyer from here:

http://www.atribune.org/ccount/click.php?id=7

...and save the tool on your Desktop.

2. Close all open program windows - including Internet Explorer.

3. Double-click Look2Me-Destroyer and tick "Run this program as a task". You will get a message that Look2Me-Destroyer will close and reopen after 10 seconds - click OK.

When Look2Me-Destroyer reopens - click "Scan for L2M" - your icons disappear - click "Remove L2M". Click OK when you get the message "Done scanning".

Now you get the message "Done removing infected files!". The program will shut down your computer - click OK. Then find the file C:\Look2Me-Destroyer.txt and copy its contents in here, together with a fresh HijackThis log.

4. If your firewall wants to block Look2Me-Destroyer's access to the net, you must allow the program access.

If you get a runtime error 339, download MSWINSCK.OCX from here:

http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

...and place it in the folder C:\Windows\System32 Directory.
pjatmail Master
18 March 2006 - 19:25 #6
I think this should be it!

Look2Me-Destroyer V1.0.11

Scanning for infected files.....
Scan started at 18-03-2006 19:13:03

Infected! C:\WINDOWS\system32\h84m0ih1e84.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\h84m0ih1e84.dll
C:\WINDOWS\system32\h84m0ih1e84.dll could not be deleted!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{1F667293-7E5B-4892-8F6C-B99ABEE7F6DC}"
HKCR\Clsid\{1F667293-7E5B-4892-8F6C-B99ABEE7F6DC}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5D5EC21F-76BD-4AA2-BD09-BCEA9A674FA2}"
HKCR\Clsid\{5D5EC21F-76BD-4AA2-BD09-BCEA9A674FA2}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{43DF9287-24BA-474F-AF2C-9D21E41E05F9}"
HKCR\Clsid\{43DF9287-24BA-474F-AF2C-9D21E41E05F9}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{8B43FE30-FD5A-42F9-99E0-AA031E5520F6}"
HKCR\Clsid\{8B43FE30-FD5A-42F9-99E0-AA031E5520F6}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{4346094F-5184-4654-84FC-9BACF1EE229F}"
HKCR\Clsid\{4346094F-5184-4654-84FC-9BACF1EE229F}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0E076C4F-8776-4A4D-8BEE-952B06709394}"
HKCR\Clsid\{0E076C4F-8776-4A4D-8BEE-952B06709394}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{CA7AE620-D443-4961-B46D-00382BDD1BA3}"
HKCR\Clsid\{CA7AE620-D443-4961-B46D-00382BDD1BA3}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administratorer - Succeeded


And the HijackThis file looks like this:

Logfile of HijackThis v1.99.1
Scan saved at 19:21:49, on 18-03-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\EPSON\EBAPI\eEBSVC.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmer\Fælles filer\EPSON\EBAPI\SAgent2.exe
C:\Programmer\ewido anti-malware\ewidoctrl.exe
C:\Programmer\ewido anti-malware\ewidoguard.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmer\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\hphmon05.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\mousepad3.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Region 3 Falck\Skrivebord\Hijackthis\hjt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lfdb.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ad-w-a-r-e.com/cgi-bin/PopupV3?ID={168843F1-D193-E3D5-DDBF-38E3EDFD2757}&type=normal&mSkip=1&rnd=30458
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmer\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [keyboard] C:\\keyboard3.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad3.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\h84m0ih1e84.dll
O20 - Winlogon Notify: skyx16 - C:\WINDOWS\SYSTEM32\skyx16.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Programmer\Fælles filer\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmer\Fælles filer\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmer\ewido anti-malware\ewidoguard.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
var Beginner
18 March 2006 - 19:28 #7
Open HijackThis and check these lines:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ad-w-a-r-e.com/cgi-bin/PopupV3?ID={168843F1-D193-E3D5-DDBF-38E3EDFD2757}&type=normal&mSkip=1&rnd=30458
O4 - HKLM\..\Run: [keyboard] C:\\keyboard3.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\kt4ul7h91.dll
O20 - Winlogon Notify: skyx16 - C:\WINDOWS\SYSTEM32\skyx16.dll

Close all windows and browsers except HijackThis and click Fix checked

Restart in safe mode (F8 during startup)

Find and delete these files/folders:

C:\\keyboard3.exe
C:\\mousepad3.exe
C:\WINDOWS\system32\kt4ul7h91.dll
C:\WINDOWS\SYSTEM32\skyx16.dll

Restart and post a new log.. :)
pjatmail Master
18 March 2006 - 19:58 #8
Here we have a new log file then.




Logfile of HijackThis v1.99.1
Scan saved at 19:54:53, on 18-03-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\EPSON\EBAPI\eEBSVC.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmer\Fælles filer\EPSON\EBAPI\SAgent2.exe
C:\Programmer\ewido anti-malware\ewidoctrl.exe
C:\Programmer\ewido anti-malware\ewidoguard.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmer\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\hphmon05.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Region 3 Falck\Skrivebord\Hijackthis\hjt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lfdb.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmer\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard3.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\enp6l17s1.dll
O20 - Winlogon Notify: skyx16 - C:\WINDOWS\SYSTEM32\skyx16.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Programmer\Fælles filer\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmer\Fælles filer\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmer\ewido anti-malware\ewidoguard.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
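One way to check whether the fixes requested in #7 held, as an added example that is not part of the original thread: it parses the O4 Run and O20 Winlogon Notify lines excerpted from the logs in #4, #6 and #8 and reports what was added, removed, re-pointed to a new file, or is still present after the fix. The function names `parse`, `diff` and `still_present` and the restriction to these two line shapes are this example's own assumptions.

```python
import re

# Excerpts from this thread: the relevant O4/O20 lines of the logs in
# #4 (15:29), #6 (19:21) and #8 (19:54), and the lines #7 asked to be fixed.
LOG_1529 = r"""
O4 - HKLM\..\Run: [keyboard] C:\\keyboard3.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad3.exe
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\kt4ul7h91.dll
O20 - Winlogon Notify: skyx16 - C:\WINDOWS\SYSTEM32\skyx16.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""
LOG_1921 = r"""
O4 - HKLM\..\Run: [keyboard] C:\\keyboard3.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad3.exe
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\h84m0ih1e84.dll
O20 - Winlogon Notify: skyx16 - C:\WINDOWS\SYSTEM32\skyx16.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""
FIX_LIST = r"""
O4 - HKLM\..\Run: [keyboard] C:\\keyboard3.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad3.exe
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\kt4ul7h91.dll
O20 - Winlogon Notify: skyx16 - C:\WINDOWS\SYSTEM32\skyx16.dll
"""
LOG_1954 = r"""
O4 - HKLM\..\Run: [keyboard] C:\\keyboard3.exe
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\enp6l17s1.dll
O20 - Winlogon Notify: skyx16 - C:\WINDOWS\SYSTEM32\skyx16.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# The two line shapes handled here (other HijackThis sections are ignored).
O4_RUN = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]+)\] (?P<target>.+)$")
O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<target>.+)$")


def parse(log):
    """Map (section, location, entry name) -> target file for O4/O20 lines."""
    entries = {}
    for raw in log.splitlines():
        line = raw.strip()
        m = O4_RUN.match(line)
        if m:
            entries[("O4", m["where"], m["name"])] = m["target"]
            continue
        m = O20.match(line)
        if m:
            entries[("O20", "Winlogon Notify", m["name"])] = m["target"]
    return entries


def diff(before, after):
    """Entries added, removed, or kept under the same name with a new target."""
    b, a = parse(before), parse(after)
    return {
        "added": {k: a[k] for k in a.keys() - b.keys()},
        "removed": {k: b[k] for k in b.keys() - a.keys()},
        "changed": {k: (b[k], a[k]) for k in a.keys() & b.keys() if a[k] != b[k]},
    }


def still_present(fix_list, after):
    """Names of entries selected for fixing that exist again in the next log."""
    after_entries = parse(after)
    return sorted(key[2] for key in parse(fix_list) if key in after_entries)


if __name__ == "__main__":
    for label, old, new in (("#4 -> #6", LOG_1529, LOG_1921),
                            ("#6 -> #8", LOG_1921, LOG_1954)):
        print(label)
        for kind, items in diff(old, new).items():
            for key, value in sorted(items.items()):
                print(f"  {kind:8} {key[0]} {key[2]}: {value}")
    print("fixed in #7 but back in #8:", still_present(FIX_LIST, LOG_1954))
```

An entry that keeps its name while its DLL path changes between two scans, as `Dynamic Directory` does here, is the case a line-by-line comparison by eye tends to miss.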
var Beginner
18 March 2006 - 20:01 #9
Download L2mfix.exe from one of these places:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file on your Desktop and double-click l2mfix.exe. Click the Install button and follow the instructions. Then open the new folder that has been created on your Desktop (l2mfix). Double-click l2mfix.bat and choose option 1 (Run Find log) by typing "1" and "Enter". Your computer will now be scanned - after a couple of minutes a text file opens in Notepad. Copy the contents in here.

NB: You must not run option 2 or any of the other files in the l2mfix folder until you have been asked to
pjatmail Master
18 March 2006 - 20:12 #10
Here it should be then
L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Dynamic Directory]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\enp6l17s1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\skyx16]
"DllName"=hex(2):73,00,6b,00,79,00,78,00,31,00,36,00,2e,00,64,00,6c,00,6c,00,\
  00,00
"Startup"="KeX32Image"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
"MaxWait"=dword:00000001
"secureUID"="[208814881958500998]"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Event"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{168843F1-D193-E3D5-DDBF-38E3EDFD2757}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Egenskabsark for multimediefiler"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM-scannerstyring"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Sikkerhedsside"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Egenskabsside for OLE-dokumentfil"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Grænsefladeudvidelse til deling"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Kontrolpanel-udvidelse til skærmkort"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Kontrolpanel-udvidelse til skærm"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Kontrolpanel-udvidelse til skærmpanorering"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security-side"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Kompatibilitetsside"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Udvidelsen Diskcopy"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Grænsefladeudvidelser til Microsoft Windows-netværksobjekter"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM-skærmstyring"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM-printerstyring"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Grænsefladeudvidelser til filkomprimering"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Grænsefladeudvidelse til webudskrift"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Kontekstmenu til kryptering"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Rejsetaske"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal-ikon"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC-profil"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Sikkerhedsside"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Grænsefladeudvidelse til deling"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO-filtype"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto signeringsfiltype"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Netværksforbindelser"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Netværksforbindelser"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scannere og kameraer"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scannere og kameraer"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scannere og kameraer"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scannere og kameraer"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scannere og kameraer"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell-udvidelser til Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft-dataforbindelse"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Planlagte opgaver"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Proceslinje og menuen Start"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Søg"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Hjælp og support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Hjælp og support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Kør..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internettet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administration"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Værktøjslinje til Microsoft Internet"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Websøgning"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adresse"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Redigeringsboks til adresse"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft URL-oversigtstjeneste"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Oversigt"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="Velkomstbillede til Internet Explorer 4-suiten"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internettet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX-cachemappe"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Programstyring"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Optælling af installerede programmer"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="Udpakning af miniaturer til GDI+-filer"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Dokumentinfo om miniaturehandler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="Udpakning af HTML-miniaturer"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Guiden Webudgivelse"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Bestil billedudskrift over World Wide Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Objekt til guiden Webudgivelse"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Guiden Få et Passport"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Brugerkonti"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Kanalfil"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Genvej til kanal"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Mappen Offlinefiler"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="Efter &personer..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}"="RecordNow! SendToExt"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Webmapper"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}"="Universal Plug and Play-enheder"
"{B8323370-FF27-11D2-97B6-204C4F4F5020}"="SmartFTP Shell Extension DLL"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{8BE13461-936F-11D1-A87D-444553540000}"="Eraser Shell Extension"
"{CA7AE620-D443-4961-B46D-00382BDD1BA3}"=""
"{775C1135-97EA-4177-B196-BC62AEED2178}"=""
"{218A4F05-CCC3-4649-91D2-26B5A5181F9D}"=""
"{F77ED13C-DEBF-4496-9A23-9FA24A0C4A47}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{CA7AE620-D443-4961-B46D-00382BDD1BA3}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CA7AE620-D443-4961-B46D-00382BDD1BA3}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CA7AE620-D443-4961-B46D-00382BDD1BA3}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CA7AE620-D443-4961-B46D-00382BDD1BA3}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{775C1135-97EA-4177-B196-BC62AEED2178}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{775C1135-97EA-4177-B196-BC62AEED2178}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{775C1135-97EA-4177-B196-BC62AEED2178}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{775C1135-97EA-4177-B196-BC62AEED2178}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{218A4F05-CCC3-4649-91D2-26B5A5181F9D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{218A4F05-CCC3-4649-91D2-26B5A5181F9D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{218A4F05-CCC3-4649-91D2-26B5A5181F9D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{218A4F05-CCC3-4649-91D2-26B5A5181F9D}\InprocServer32]
@="C:\\WINDOWS\\system32\\ukdmxfrm.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F77ED13C-DEBF-4496-9A23-9FA24A0C4A47}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F77ED13C-DEBF-4496-9A23-9FA24A0C4A47}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F77ED13C-DEBF-4496-9A23-9FA24A0C4A47}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F77ED13C-DEBF-4496-9A23-9FA24A0C4A47}\InprocServer32]
@="C:\\WINDOWS\\system32\\wsweb.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
  enp6l1~1.dll  Sat 18 Mar 2006  19.49.12  ..S.R        233.997  228,51 K
  g0lmla~1.dll  Sat 18 Mar 2006  16.54.56  ..S.R        235.526  230,00 K
  gdi32.dll      Thu 29 Dec 2005  3.56.06  A....        280.064  273,50 K
  l00ula~1.dll  Sat 18 Mar 2006  19.50.52  ..S.R        234.166  228,68 K
  legitc~1.dll  Tue 14 Feb 2006  9.20.14  .....        550.120  537,23 K
  spmsg.dll      Mon 13 Feb 2006  19.04.16  .....          9.144    8,93 K
  webclnt.dll    Wed  4 Jan 2006  4.36.24  A....        68.096    66,50 K
  wgalogon.dll  Tue 14 Feb 2006  9.20.14  .....        567.016  553,73 K
  wmp.dll        Mon 19 Dec 2005  19.30.46  A....      4.730.880    4,51 M
  wsweb.dll      Sat 18 Mar 2006  19.53.34  ..S.R        233.997  228,51 K

10 items found:  10 files (4 H/S), 0 directories.
  Total of file sizes:  7.143.006 bytes      6,81 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Disken i drev C har ikke noget navn.
Diskens serienummer er 221C-D239

Indhold af C:\WINDOWS\System32

18-03-2006  19:53          233.997 wsweb.dll
18-03-2006  19:50          234.166 l00ulad91d0.dll
18-03-2006  19:49          233.997 enp6l17s1.dll
18-03-2006  16:54          235.526 g0lmla311d.dll
18-03-2006  11:41    <DIR>          dllcache
09-09-2004  07:01    <DIR>          Microsoft
22-05-2001  01:00            22.016 borlndmm.dll
              5 fil(er)          959.702 byte
              2 mappe(r)  28.393.574.400 byte ledig
var Beginner
18 March 2006 - 20:14 #11
Close all programs - you will shortly be asked to restart your computer.

From the l2mfix folder, run l2mfix.bat again - this time choose option 2 (Run Fix). The process will then start. Your desktop and icons will disappear for a while. L2Mfix will continue scanning your computer, and when it is finished it will be ready for a restart. Press any key to restart. After the restart, Notepad will open with a new log. Copy the contents of this log into this thread together with a new HijackThis log.
pjatmail Master
18 March 2006 - 20:33 #12
L2mfix 010406
Creating Account.
Kommandoen blev udført.

Adding Administrative privleges.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX  ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 588 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of winlogon.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of explorer.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1324 'rundll32.exe'
Restoring Sedebugprivilege:

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
        0 fil(er) kopieret.
        0 fil(er) kopieret.
        0 fil(er) kopieret.
        0 fil(er) kopieret.
        0 fil(er) kopieret.
Deleting: C:\WINDOWS\system32\__delete_on_reboot__iswphbk.dll 
Deleting: C:\WINDOWS\system32\g0lmla311d.dll 
Successfully Deleted: C:\WINDOWS\system32\g0lmla311d.dll 
Deleting: C:\WINDOWS\system32\l00ulad91d0.dll 
Successfully Deleted: C:\WINDOWS\system32\l00ulad91d0.dll 
Deleting: C:\WINDOWS\system32\__delete_on_reboot__guard.tmp 
Successfully Deleted: C:\WINDOWS\system32\__delete_on_reboot__guard.tmp 
Deleting: C:\WINDOWS\system32\guard.tmp 

msg11?.dll
        0 fil(er) kopieret.



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\enp6l17s1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\skyx16]
"DllName"=hex(2):73,00,6b,00,79,00,78,00,31,00,36,00,2e,00,64,00,6c,00,6c,00,\
  00,00
"Startup"="KeX32Image"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
"MaxWait"=dword:00000001
"secureUID"="[208814881958500998]"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Event"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\__delete_on_reboot__iswphbk.dll
C:\WINDOWS\system32\g0lmla311d.dll
C:\WINDOWS\system32\l00ulad91d0.dll
C:\WINDOWS\system32\__delete_on_reboot__guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok. 
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{CA7AE620-D443-4961-B46D-00382BDD1BA3}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CA7AE620-D443-4961-B46D-00382BDD1BA3}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CA7AE620-D443-4961-B46D-00382BDD1BA3}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CA7AE620-D443-4961-B46D-00382BDD1BA3}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{775C1135-97EA-4177-B196-BC62AEED2178}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{775C1135-97EA-4177-B196-BC62AEED2178}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{775C1135-97EA-4177-B196-BC62AEED2178}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{775C1135-97EA-4177-B196-BC62AEED2178}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{218A4F05-CCC3-4649-91D2-26B5A5181F9D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{218A4F05-CCC3-4649-91D2-26B5A5181F9D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{218A4F05-CCC3-4649-91D2-26B5A5181F9D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{218A4F05-CCC3-4649-91D2-26B5A5181F9D}\InprocServer32]
@="C:\\WINDOWS\\system32\\ukdmxfrm.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F77ED13C-DEBF-4496-9A23-9FA24A0C4A47}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F77ED13C-DEBF-4496-9A23-9FA24A0C4A47}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F77ED13C-DEBF-4496-9A23-9FA24A0C4A47}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F77ED13C-DEBF-4496-9A23-9FA24A0C4A47}\InprocServer32]
@="C:\\WINDOWS\\system32\\iswphbk.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{CA7AE620-D443-4961-B46D-00382BDD1BA3}"=-
"{775C1135-97EA-4177-B196-BC62AEED2178}"=-
"{218A4F05-CCC3-4649-91D2-26B5A5181F9D}"=-
"{F77ED13C-DEBF-4496-9A23-9FA24A0C4A47}"=-
[-HKEY_CLASSES_ROOT\CLSID\{CA7AE620-D443-4961-B46D-00382BDD1BA3}]
[-HKEY_CLASSES_ROOT\CLSID\{775C1135-97EA-4177-B196-BC62AEED2178}]
[-HKEY_CLASSES_ROOT\CLSID\{218A4F05-CCC3-4649-91D2-26B5A5181F9D}]
[-HKEY_CLASSES_ROOT\CLSID\{F77ED13C-DEBF-4496-9A23-9FA24A0C4A47}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
    zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)
  adding: backregs/218A4F05-CCC3-4649-91D2-26B5A5181F9D.reg (104 bytes security) (deflated 70%)
  adding: backregs/775C1135-97EA-4177-B196-BC62AEED2178.reg (104 bytes security) (deflated 70%)
  adding: backregs/CA7AE620-D443-4961-B46D-00382BDD1BA3.reg (104 bytes security) (deflated 70%)
  adding: backregs/F77ED13C-DEBF-4496-9A23-9FA24A0C4A47.reg (104 bytes security) (deflated 70%)
  adding: backregs/notibac.reg (164 bytes security) (deflated 82%)



Logfile of HijackThis v1.99.1
Scan saved at 20:33:04, on 18-03-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\Fælles filer\EPSON\EBAPI\eEBSVC.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmer\Fælles filer\EPSON\EBAPI\SAgent2.exe
C:\Programmer\ewido anti-malware\ewidoctrl.exe
C:\Programmer\ewido anti-malware\ewidoguard.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmer\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\hphmon05.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programmer\Internet Explorer\iexplore.exe
C:\Documents and Settings\Region 3 Falck\Skrivebord\Hijackthis\hjt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lfdb.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmer\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard3.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\enp6l17s1.dll
O20 - Winlogon Notify: skyx16 - C:\WINDOWS\SYSTEM32\skyx16.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Programmer\Fælles filer\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmer\Fælles filer\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmer\ewido anti-malware\ewidoguard.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
var (Beginner)
18 March 2006 - 20:36 #13
Open HijackThis and check these lines:

O4 - HKLM\..\Run: [keyboard] C:\\keyboard3.exe
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\enp6l17s1.dll
O20 - Winlogon Notify: skyx16 - C:\WINDOWS\SYSTEM32\skyx16.dll

Close all windows and browsers except HijackThis and click Fix checked

Restart in safe mode (F8 during startup)

Find and delete these files/folders:

C:\\keyboard3.exe
C:\WINDOWS\system32\kt4ul7h91.dll
C:\WINDOWS\SYSTEM32\skyx16.dll

Restart and post a new log.. :)
pjatmail (Master)
18 March 2006 - 21:04 #14
Here is a new log..... I could not find the 3 files this time!!!!!

Logfile of HijackThis v1.99.1
Scan saved at 21:02:24, on 18-03-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\Fælles filer\EPSON\EBAPI\eEBSVC.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmer\Fælles filer\EPSON\EBAPI\SAgent2.exe
C:\Programmer\ewido anti-malware\ewidoctrl.exe
C:\Programmer\ewido anti-malware\ewidoguard.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmer\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\hphmon05.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Documents and Settings\Region 3 Falck\Skrivebord\Hijackthis\hjt.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lfdb.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmer\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\fp4q03h5e.dll
O20 - Winlogon Notify: skyx16 - C:\WINDOWS\SYSTEM32\skyx16.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Programmer\Fælles filer\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmer\Fælles filer\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmer\ewido anti-malware\ewidoguard.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
var (Beginner)
18 March 2006 - 21:13 #15
Restart into safe mode:

In safe mode:

Open a folder, click Tools=>Folder Options=>View.
Untick "Hide protected operating system files".
Untick "Hide extensions for known file types".
Select "Show hidden files and folders".

Find and delete these files/folders:

C:\\keyboard3.exe
C:\WINDOWS\system32\kt4ul7h91.dll
C:\WINDOWS\SYSTEM32\skyx16.dll

Open HijackThis and check these lines:

O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\enp6l17s1.dll
O20 - Winlogon Notify: skyx16 - C:\WINDOWS\SYSTEM32\skyx16.dll

Close all windows and browsers except HijackThis and click Fix checked

Restart and post a new HijackThis log from normal mode.. :)
pjatmail (Master)
18 March 2006 - 21:38 #16
Unfortunately I still cannot find the files you describe.......... are there other ways to find them?
pjatmail (Master)
18 March 2006 - 22:14 #17
But I am posting a new HijackThis log anyway!!!

Logfile of HijackThis v1.99.1
Scan saved at 22:12:06, on 18-03-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\EPSON\EBAPI\eEBSVC.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmer\Fælles filer\EPSON\EBAPI\SAgent2.exe
C:\Programmer\ewido anti-malware\ewidoctrl.exe
C:\Programmer\ewido anti-malware\ewidoguard.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmer\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Documents and Settings\Region 3 Falck\Skrivebord\Hijackthis\hjt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lfdb.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmer\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: skyx16 - C:\WINDOWS\SYSTEM32\skyx16.dll
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\i8600ijme8oa0.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Programmer\Fælles filer\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmer\Fælles filer\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmer\ewido anti-malware\ewidoguard.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
var (Beginner)
19 March 2006 - 11:07 #18
http://arlet.dk/ewidohjt

Follow the instructions and post the logs.. :)
pjatmail (Master)
19 March 2006 - 13:13 #19
We'll try once more :o)

Logfile of HijackThis v1.99.1
Scan saved at 13:07:53, on 19-03-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Region 3 Falck\Skrivebord\Hijackthis\hjt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lfdb.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmer\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: skyx16 - C:\WINDOWS\SYSTEM32\skyx16.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\n44s0eh7eh4.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Programmer\Fælles filer\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmer\Fælles filer\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmer\ewido anti-malware\ewidoguard.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe



---------------------------------------------------------
ewido anti-malware - Scanningsrapport
---------------------------------------------------------

+ Oprettet den:            13:07:17, 19-03-2006
+ Rapport-Checksum:        4B14E752

+ Scanningsresultat:
    [704] C:\WINDOWS\system32\iWsads.dll -> Adware.Look2Me : Renset med backup
    C:\Documents and Settings\Region 3 Falck\Lokale indstillinger\Temp\Cookies\region 3 falck@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Renset med backup
    C:\Documents and Settings\Region 3 Falck\Lokale indstillinger\Temp\Cookies\region 3 falck@adtech[1].txt -> TrackingCookie.Adtech : Renset med backup
    C:\Documents and Settings\Region 3 Falck\Lokale indstillinger\Temp\Cookies\region 3 falck@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Renset med backup
    C:\Documents and Settings\Region 3 Falck\Lokale indstillinger\Temp\Cookies\region 3 falck@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Renset med backup
    C:\Documents and Settings\Region 3 Falck\Lokale indstillinger\Temp\Cookies\region 3 falck@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Renset med backup
    C:\Documents and Settings\Region 3 Falck\Lokale indstillinger\Temp\Cookies\region 3 falck@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Renset med backup
    C:\Documents and Settings\Region 3 Falck\Lokale indstillinger\Temporary Internet Files\Content.IE5\SLQ7WL6V\AppWrap[1].exe -> Adware.AdURL : Renset med backup
    C:\WINDOWS\icont.exe -> Adware.AdURL : Renset med backup
    C:\WINDOWS\system32\dfconfig.dll -> Adware.Look2Me : Renset med backup
    C:\WINDOWS\system32\enpql1751.dll -> Adware.Look2Me : Renset med backup
    C:\WINDOWS\system32\guard.tmp -> Adware.Look2Me : Renset med backup
    C:\WINDOWS\system32\iWsads.dll -> Adware.Look2Me : Renset med backup
    C:\WINDOWS\system32\mlxoci.dll -> Adware.Look2Me : Renset med backup
    C:\WINDOWS\Temp\Cookies\region 3 falck@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Renset med backup
    C:\WINDOWS\Temp\Cookies\region 3 falck@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Renset med backup
    C:\WINDOWS\Temp\Cookies\region 3 falck@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Renset med backup
    C:\WINDOWS\Temp\Cookies\region 3 falck@data3.perf.overture[1].txt -> TrackingCookie.Overture : Renset med backup
    C:\WINDOWS\Temp\Cookies\region 3 falck@perf.overture[1].txt -> TrackingCookie.Overture : Renset med backup
    C:\WINDOWS\Temp\Cookies\region 3 falck@statcounter[1].txt -> TrackingCookie.Statcounter : Renset med backup
    C:\WINDOWS\Temp\Cookies\region 3 falck@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Renset med backup


::Rapport slut
var (Beginner)
19 March 2006 - 13:17 #20
Restart into safe mode (F8 during startup)
Open HijackThis and check these lines:

O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\enp6l17s1.dll
O20 - Winlogon Notify: skyx16 - C:\WINDOWS\SYSTEM32\skyx16.dll

Close all windows and browsers except HijackThis and click Fix checked

Restart and post a new HijackThis log from normal mode.. :) Let's see whether the two lines disappear this time.. :)
pjatmail (Master)
19 March 2006 - 13:40 #21
Hi once again.
I am doing exactly what the guide says, but when I booted into safe mode and ran HijackThis again to check off the 2 lines, the top one of those you wrote should be checked was missing.
I checked the other one, but it looks like it is still there!!!!

Logfile of HijackThis v1.99.1
Scan saved at 13:35:20, on 19-03-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\EPSON\EBAPI\eEBSVC.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmer\Fælles filer\EPSON\EBAPI\SAgent2.exe
C:\Programmer\ewido anti-malware\ewidoctrl.exe
C:\Programmer\ewido anti-malware\ewidoguard.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmer\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\hphmon05.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Region 3 Falck\Skrivebord\Hijackthis\hjt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lfdb.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmer\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\hrpq0575e.dll
O20 - Winlogon Notify: skyx16 - C:\WINDOWS\SYSTEM32\skyx16.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Programmer\Fælles filer\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmer\Fælles filer\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmer\ewido anti-malware\ewidoguard.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
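Added example, not part of the thread and not HijackThis's own code: the logs above show one O20 Winlogon Notify entry changing both its key name and its DLL name between scans, so a fix line copied from an older log no longer matches. The Python sketch below compares the O20 lines across the posted logs and checks a fix list against the log it is meant for; all function and variable names are hypothetical.

```python
import re

# O20 lines copied from five HijackThis logs posted in this thread, keyed by
# each log's "Scan saved at" stamp (the rest of each log is omitted).
LOGS = [
    ("18-03-2006 20:33:04", r"""
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\enp6l17s1.dll
O20 - Winlogon Notify: skyx16 - C:\WINDOWS\SYSTEM32\skyx16.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""),
    ("18-03-2006 21:02:24", r"""
O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\fp4q03h5e.dll
O20 - Winlogon Notify: skyx16 - C:\WINDOWS\SYSTEM32\skyx16.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""),
    ("18-03-2006 22:12:06", r"""
O20 - Winlogon Notify: skyx16 - C:\WINDOWS\SYSTEM32\skyx16.dll
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\i8600ijme8oa0.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""),
    ("19-03-2006 13:07:53", r"""
O20 - Winlogon Notify: skyx16 - C:\WINDOWS\SYSTEM32\skyx16.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\n44s0eh7eh4.dll
"""),
    ("19-03-2006 13:35:20", r"""
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\hrpq0575e.dll
O20 - Winlogon Notify: skyx16 - C:\WINDOWS\SYSTEM32\skyx16.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""),
]

# The two lines post #20 asked to tick, written after the 13:07:53 log.
FIX_LINES_POST_20 = [
    r"O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\enp6l17s1.dll",
    r"O20 - Winlogon Notify: skyx16 - C:\WINDOWS\SYSTEM32\skyx16.dll",
]

O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>.+?) - (?P<path>[A-Za-z]:\\.+)$")


def parse_o20(log_text):
    """Return [(notify key name, DLL path, full line)] for every O20 line."""
    out = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O20_RE.match(line)
        if m:
            out.append((m.group("key"), m.group("path"), line))
    return out


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rotation_report(logs):
    """Split O20 DLLs into those present in every log and those that are not."""
    per_log = [(stamp, parse_o20(text)) for stamp, text in logs]
    dll_sets = [{basename(p) for _, p, _ in entries} for _, entries in per_log]
    persistent = set.intersection(*dll_sets) if dll_sets else set()
    rotating = [(stamp, key, basename(path))
                for stamp, entries in per_log
                for key, path, _ in entries
                if basename(path) not in persistent]
    # "persistent" only means "same file name in every scan"; each such entry
    # still has to be reviewed on its own merits.
    return {"persistent": sorted(persistent), "rotating": rotating}


def stale_fix_lines(fix_lines, log_text):
    """Fix lines that do not appear (case-insensitively) in the given log."""
    present = {line.lower() for _, _, line in parse_o20(log_text)}
    return [f for f in fix_lines if f.strip().lower() not in present]


def uncovered_rotating(fix_lines, log_text, persistent):
    """Non-persistent O20 lines in the log that the fix list does not name."""
    wanted = {f.strip().lower() for f in fix_lines}
    return [line for _, path, line in parse_o20(log_text)
            if basename(path) not in persistent and line.lower() not in wanted]


if __name__ == "__main__":
    report = rotation_report(LOGS)
    print("present in every log:", report["persistent"])
    for stamp, key, dll in report["rotating"]:
        print(f"  {stamp}  {key!r:20} {dll}")
    latest = LOGS[3][1]  # the log the fix list in post #20 was written for
    print("stale fix lines:", stale_fix_lines(FIX_LINES_POST_20, latest))
    print("not covered:", uncovered_rotating(
        FIX_LINES_POST_20, latest, report["persistent"]))
```

Because the rotating entry differs in every scan, a fix list is only meaningful against a log taken in the same session in which the fix is applied.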
var (Beginner)
19 March 2006 - 13:42 #22
Navigate to
C:\WINDOWS\system32

Right-click the folder and choose "scan with Ewido", delete what it finds and post a new HijackThis log..
pjatmail (Master)
19 March 2006 - 13:48 #23
Logfile of HijackThis v1.99.1
Scan saved at 13:48:36, on 19-03-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\EPSON\EBAPI\eEBSVC.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmer\Fælles filer\EPSON\EBAPI\SAgent2.exe
C:\Programmer\ewido anti-malware\ewidoctrl.exe
C:\Programmer\ewido anti-malware\ewidoguard.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmer\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programmer\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Region 3 Falck\Skrivebord\Hijackthis\hjt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lfdb.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmer\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\hrpq0575e.dll
O20 - Winlogon Notify: skyx16 - C:\WINDOWS\SYSTEM32\skyx16.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Programmer\Fælles filer\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmer\Fælles filer\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmer\ewido anti-malware\ewidoguard.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
var (Beginner)
19 March 2006 - 13:57 #24
It irritates me that it won't go away.. so we're going to get rougher.. :)

1. Download Look2Me-Destroyer from here:

http://www.atribune.org/ccount/click.php?id=7

...and save the tool on your Desktop.

2. Close all open program windows, including Internet Explorer.

3. Double-click Look2Me-Destroyer and tick "Run this program as a task". You will get a message that Look2Me-Destroyer will close and reopen after 10 seconds - click OK.

When Look2Me-Destroyer reopens, click "Scan for L2M" - your icons will disappear - then click "Remove L2M". Click OK when you get the message "Done scanning".

Now you will get the message "Done removing infected files!". The program will shut down your computer - click OK. Now find the file C:\Look2Me-Destroyer.txt and copy its contents in here, together with a fresh HijackThis log.

4. If your firewall wants to block Look2Me-Destroyer's access to the net, you must allow the program access.

If you get a runtime error 339, download MSWINSCK.OCX from here:

http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

...and place it in the C:\Windows\System32 directory.


After that, download this scanner:
http://www.spywareinfo.dk/download/mwav.exe

Open mwav.exe, unzip it, and it unpacks itself and starts

Tick the following:
Memory, Startup folders, drive, Registry, System folders and Services.
Select the following:
All local drives and Scan all files
And then press Scan Clean
It now scans, and this can easily take a couple of hours.

When it is finished, copy the log in here
pjatmail (Master)
19 March 2006 - 14:17 #25
Look2Me-Destroyer V1.0.11

Scanning for infected files.....
Scan started at 19-03-2006 14:11:17

Infected! C:\WINDOWS\system32\hrpq0575e.dll


Logfile of HijackThis v1.99.1
Scan saved at 14:14:15, on 19-03-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\EPSON\EBAPI\eEBSVC.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmer\Fælles filer\EPSON\EBAPI\SAgent2.exe
C:\Programmer\ewido anti-malware\ewidoctrl.exe
C:\Programmer\ewido anti-malware\ewidoguard.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmer\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Region 3 Falck\Skrivebord\Hijackthis\hjt.exe
C:\WINDOWS\system32\rundll32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lfdb.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmer\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\hrpq0575e.dll
O20 - Winlogon Notify: skyx16 - C:\WINDOWS\SYSTEM32\skyx16.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Programmer\Fælles filer\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmer\Fælles filer\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmer\ewido anti-malware\ewidoguard.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
pjatmail (Master)
19 March 2006 - 14:49 #26
While I wait for the scan result, could I perhaps get an answer as to why viruses have gotten onto the machine when my AVG scanner is always kept up to date?
pjatmail (Master)
19 March 2006 - 17:25 #27
Here are the viruses that were found. Is that enough, or do you need the whole log file?
File C:\WINDOWS\secure32.html infected by "Trojan.Win32.Harnig.a" Virus. Action Taken: File Deleted.
File C:\WINDOWS\system32\guard.tmp tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\WINDOWS\system32\__delete_on_reboot__guard.tmp tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\WINDOWS\system32\__delete_on_reboot__pxrfproc.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\Documents and Settings\Johnny\Lokale indstillinger\Temp\Midlertidig mappe 1 for MSN6.EmoPackV14.zip\Extract.exe tagged as not-a-virus:AdWare.Win32.180Solutions. No Action Taken.
File C:\Documents and Settings\Johnny\Lokale indstillinger\Temporary Internet Files\Content.IE5\0H6J416Z\RaseGPL-BW-Pr infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\LFDB\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1e3b1005-17fa0b5f.zip infected by "Exploit.Java.ByteVerify" Virus. Action Taken: File Renamed.
File C:\DR140306.exe infected by "Trojan-Clicker.Win32.Small.jf" Virus. Action Taken: File Deleted.
File C:\I386\RDPSND.DLx infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\I386\RDPWSX.DLx infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Programmer\InterVideo\WCreator2\Skins\WCreator2\Right_Highlight.p? infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP150\A0035138.exe tagged as not-a-virus:AdWare.Win32.WebHancer.381. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP151\A0035154.exe tagged as not-a-virus:AdWare.Win32.WebHancer.351. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP151\A0035155.dll tagged as not-a-virus:AdWare.Win32.WebHancer.381. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP151\A0035156.dll tagged as not-a-virus:AdWare.Win32.WebHancer.381. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP151\A0035193.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037542.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037558.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037569.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037573.exe tagged as not-a-virus:AdWare.Win32.WebHancer.351. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037574.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037575.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037576.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037578.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037579.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037586.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037587.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037593.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037594.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037622.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037629.DLL tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037630.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037636.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037640.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037642.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037643.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037647.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037651.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037656.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037657.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037658.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037804.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037809.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037810.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037814.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037818.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037821.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037822.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037827.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037832.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037838.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037839.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037874.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037875.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037879.exe tagged as not-a-virus:AdWare.Win32.AdURL.c. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037880.exe tagged as not-a-virus:AdWare.Win32.AdURL.c. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037881.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037882.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037883.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037885.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037886.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037892.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037893.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037897.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037901.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{1E07E8F1-2C1A-4DE4-A086-31ABEBFD4B31}\RP180\A0037904.exe infected by "Trojan-Clicker.Win32.Small.jf" Virus. Action Taken: File Deleted.
File C:\WINDOWS\$NtServicePackUninstall$\qedwipes.x infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\WINDOWS\$NtServicePackUninstall$\rdpsnd.dlx infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\WINDOWS\$NtServicePackUninstall$\rdpwsx.dlx infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\WINDOWS\ServicePackFiles\i386\qedwipes.x infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\WINDOWS\ServicePackFiles\i386\qmgrprxy.x infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\WINDOWS\ServicePackFiles\i386\racpldlg.x infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\WINDOWS\ServicePackFiles\i386\rdpsnd.dlx infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\WINDOWS\ServicePackFiles\i386\rdpwsx.dlx infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\WINDOWS\system32\guard.tmp tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\WINDOWS\system32\__delete_on_reboot__guard.tmp tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\WINDOWS\system32\__delete_on_reboot__pxrfproc.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
pjatmail (Master)
19 March 2006 - 17:43 #28
I can just add that even though all these viruses have been found, unwanted pop-ups still appear on the screen.
var (Beginner)
20 March 2006 - 08:41 #29
Where is the HijackThis log?
var (Beginner)
20 March 2006 - 09:25 #30
First you need to download HSFix: http://www.atribune.org/downloads/HSFix.zip
After downloading, unpack it.
Then download Cleanup: http://antispyware.nextdesigns.net/showsoftware.php?id=1 Install it (but do not run it yet!).
Restart in safe mode (F8 during startup).
Now open the HSFix folder and click on hsfix.bat. The program creates a log file, which you should copy in here.
Now open HijackThis and remove these lines:

O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\hrpq0575e.dll
O20 - Winlogon Notify: skyx16 - C:\WINDOWS\SYSTEM32\skyx16.dll

Now run Cleanup, restart in normal mode, and post a new HijackThis log.. :)
pjatmail (Master)
20 March 2006 - 11:50 #31
Is that the right link?? I can't immediately find any Cleanup program.

http://antispyware.nextdesigns.net/showsoftware.php?id=1
pjatmail (Master)
20 March 2006 - 12:12 #32
1. This line was not in the HijackThis log!
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\hrpq0575e.dll
The other one has been deleted but still shows up !!!!!!!!!!?

2.
Here are the log files
Horseserver Removal Tool v1.05
      by Atri
-
-
1. Registry Fix Started
-
  Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
ps.a3d
w32tm.exe
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
-
-



Logfile of HijackThis v1.99.1
Scan saved at 12:01:33, on 20-03-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Region 3 Falck\Skrivebord\Hijackthis\hjt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lfdb.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmer\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: skyx16 - C:\WINDOWS\SYSTEM32\skyx16.dll
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\dnnm0151e.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Programmer\Fælles filer\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmer\Fælles filer\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmer\ewido anti-malware\ewidoguard.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe

PS. I am almost ready to reformat...........
pjatmail (Master)
20 March 2006 - 12:15 #33
I ended up sending a hijack log from safe mode...
here is the log from normal mode:
Logfile of HijackThis v1.99.1
Scan saved at 12:13:46, on 20-03-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\Fælles filer\EPSON\EBAPI\eEBSVC.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmer\Fælles filer\EPSON\EBAPI\SAgent2.exe
C:\Programmer\ewido anti-malware\ewidoctrl.exe
C:\Programmer\ewido anti-malware\ewidoguard.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmer\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Region 3 Falck\Skrivebord\Hijackthis\hjt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lfdb.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmer\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: skyx16 - C:\WINDOWS\SYSTEM32\skyx16.dll
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\i4jq0e15eh.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Programmer\Fælles filer\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmer\Fælles filer\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmer\ewido anti-malware\ewidoguard.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
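Added example (not part of any post in this thread): the three HijackThis logs posted so far each show a differently named O20 Winlogon Notify entry next to an unchanged skyx16 entry, which is why the line named in #30 was no longer present in #32. The Python sketch below diffs the O20 lines copied from those logs; the snapshot labels A, B and C and the function names are assumptions of this example.

```python
import re

# O20 lines copied verbatim from the thread's HijackThis logs.
# Labels are this example's own: A = log before post #26,
# B = post #32 (safe mode), C = post #33 (normal mode).
LOG_A = r"""
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\hrpq0575e.dll
O20 - Winlogon Notify: skyx16 - C:\WINDOWS\SYSTEM32\skyx16.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""
LOG_B = r"""
O20 - Winlogon Notify: skyx16 - C:\WINDOWS\SYSTEM32\skyx16.dll
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\dnnm0151e.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""
LOG_C = r"""
O20 - Winlogon Notify: skyx16 - C:\WINDOWS\SYSTEM32\skyx16.dll
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\i4jq0e15eh.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""
SNAPSHOTS = [("A", LOG_A), ("B", LOG_B), ("C", LOG_C)]

# "O20 - Winlogon Notify: <key name> - <drive>:\<path>"
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>.+?) - (?P<dll>[A-Za-z]:\\.+)$"
)


def parse_o20(log_text):
    """Return {notify key name: DLL path} for every O20 line in one log."""
    entries = {}
    for line in log_text.splitlines():
        match = O20_RE.match(line.strip())
        if match:
            entries[match.group("key")] = match.group("dll")
    return entries


def compare_snapshots(snapshots):
    """Diff O20 entries across logs taken at different times.

    Returns (stable, transient):
      stable    - (key, dll) pairs present in every snapshot
      transient - ((key, dll), label) pairs seen in exactly one snapshot
    DLL paths are compared case-insensitively, as Windows does.
    """
    parsed = [(label, parse_o20(text)) for label, text in snapshots]
    seen = {}
    for label, entries in parsed:
        for key, dll in entries.items():
            seen.setdefault((key, dll.lower()), []).append(label)
    stable = sorted(k for k, labels in seen.items()
                    if len(labels) == len(parsed))
    transient = sorted((k, labels[0]) for k, labels in seen.items()
                       if len(labels) == 1)
    return stable, transient


if __name__ == "__main__":
    stable, transient = compare_snapshots(SNAPSHOTS)
    print("Present in every log:")
    for key, dll in stable:
        print(f"  {key:18} {dll}")
    print("Seen in one log only (key and DLL name changed between scans):")
    for (key, dll), label in transient:
        print(f"  [{label}] {key:18} {dll}")
```

An entry that is present in every log is not cleared by that fact: skyx16 is unchanged across all three logs, including the one taken after the poster reports deleting it.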
ejvindh (Expert)
20 March 2006 - 13:10 #34
You have 2 serious infections in your log: an l2m infection and a Haxdoor infection. But it should be possible to fix them using the following method:

Download haxfix and save it to the desktop:
http://users.telenet.be/marcvn/tools/haxfix.exe

Double-click haxfix.exe and install haxfix (the default installation path is c:\programmer\haxfix or c:\program files\haxfix). When the installation is finished, make sure that "Launch HaxFix" is checked. Click "Finish".

Close all open windows. Run fix.bat from the haxfix tool (either via a shortcut on the desktop, or by going into the folder where you installed the tool). Choose option 3 by typing 3 and pressing Enter. The following text will then appear:

-------------
Insert the haxdoor notify subkey without the numbers,
and then press enter:
-------------

Here you should enter the following:
skyx

After that you get the option to enter more keys. Here you type (n).

The computer will then restart. After the restart, find the log file c:\haxfix.txt, which you post here together in your next reply.

============================
After that you need to run l2mfix again. But first do the following:

Go into the l2mfix folder and find the file l2mfix.bat. Right-click it and choose "Edit" ("Rediger"). A Notepad window will open. Press Ctrl-H there.

In the "Find what" ("Søg efter") field, type: Administrateurs
In the "Replace with" ("Erstat med") field, type: Administratorer

Then click Replace All ("Erstat alle"). Then close the search dialog and save the file l2mfix.bat, after which you close the Notepad window.

Then right-click second.bat (also in the l2mfix folder) and choose "Edit" ("Rediger"). A Notepad window will open. Press Ctrl-H there.

In the "Find what" ("Søg efter") field, type: Administrateurs
In the "Replace with" ("Erstat med") field, type: Administratorer

Then click Replace All ("Erstat alle"). Then close the search dialog and save the file second.bat, after which you close the Notepad window.

From the l2mfix folder, run l2mfix.bat again - this time choose option 2 (Run Fix). The process will then start. Your desktop and icons will disappear for a while. L2Mfix will continue scanning your computer, and when it is finished it will be ready for a restart. Press a key to restart. After the restart, Notepad will open with a new log. Copy the contents of this log into this thread, together with a new HijackThis log.
pjatmail (Master)
20 March 2006 - 16:43 #35
I have done that now.

HAXFIX logfile - by Marckie
--------------
20-03-2006  16:19:36,17

Manual Haxdoorfix

Adding haxdoorkeys to delete...
skyx


haxdoor key: skyx

searching for services....
services found
deleting services.....
[SWSC] DeleteService SUCCESS
[SWSC] DeleteService SUCCESS


rebooting the computer.....


haxdoor key: skyx
searching for services....
services not found

checking if files are found.....
skyx16.dll exist
skyx24.sys exist
skyx32.dll not found
skyx32.sys not found
skyx64.sys not found
skyx16.sys not found

deleting files.....

checking if files are deleted.....


checking for other files.....
klgcptini.dat exist
qz.dll exist
qz.sys exist
ps.a3d exist
set87.ini exist
qm.dll not found
qm.sys not found
qy.dll not found
qy.sys not found
stt82.ini not found
klogini.dll not found
p3.ini not found
klo5.sys not found
fux87.ini not found

deleting other files.....

checking if the files are deleted.....


Finished


-------------------------------------------

L2mfix 010406
Creating Account.
Kommandoen blev udført.

Adding Administrative privleges.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX  ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 424 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 508 'winlogon.exe'
Killing PID 508 'winlogon.exe'
Killing PID 508 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1392 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1104 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administratorer  ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
        1 fil(er) kopieret.
        1 fil(er) kopieret.
        1 fil(er) kopieret.
        1 fil(er) kopieret.
        1 fil(er) kopieret.
        1 fil(er) kopieret.
        1 fil(er) kopieret.
Deleting: C:\WINDOWS\system32\__delete_on_reboot__natcfgx.dll 
Successfully Deleted: C:\WINDOWS\system32\__delete_on_reboot__natcfgx.dll 
Deleting: C:\WINDOWS\system32\dnp8017ue.dll 
Successfully Deleted: C:\WINDOWS\system32\dnp8017ue.dll 
Deleting: C:\WINDOWS\system32\i4jq0e15eh.dll 
Successfully Deleted: C:\WINDOWS\system32\i4jq0e15eh.dll 
Deleting: C:\WINDOWS\system32\IUIresizeP6.dll 
Successfully Deleted: C:\WINDOWS\system32\IUIresizeP6.dll 
Deleting: C:\WINDOWS\system32\l2j8lc1u1f.dll 
Successfully Deleted: C:\WINDOWS\system32\l2j8lc1u1f.dll 
Deleting: C:\WINDOWS\system32\VU5DB.DLL 
Successfully Deleted: C:\WINDOWS\system32\VU5DB.DLL 
Deleting: C:\WINDOWS\system32\guard.tmp 
Successfully Deleted: C:\WINDOWS\system32\guard.tmp 

msg11?.dll
        0 fil(er) kopieret.



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\dnp8017ue.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Event"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\__delete_on_reboot__natcfgx.dll
C:\WINDOWS\system32\dnp8017ue.dll
C:\WINDOWS\system32\i4jq0e15eh.dll
C:\WINDOWS\system32\IUIresizeP6.dll
C:\WINDOWS\system32\l2j8lc1u1f.dll
C:\WINDOWS\system32\VU5DB.DLL
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok. 
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{CA7AE620-D443-4961-B46D-00382BDD1BA3}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CA7AE620-D443-4961-B46D-00382BDD1BA3}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CA7AE620-D443-4961-B46D-00382BDD1BA3}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CA7AE620-D443-4961-B46D-00382BDD1BA3}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{775C1135-97EA-4177-B196-BC62AEED2178}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{775C1135-97EA-4177-B196-BC62AEED2178}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{775C1135-97EA-4177-B196-BC62AEED2178}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{775C1135-97EA-4177-B196-BC62AEED2178}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{218A4F05-CCC3-4649-91D2-26B5A5181F9D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{218A4F05-CCC3-4649-91D2-26B5A5181F9D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{218A4F05-CCC3-4649-91D2-26B5A5181F9D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{218A4F05-CCC3-4649-91D2-26B5A5181F9D}\InprocServer32]
@="C:\\WINDOWS\\system32\\ukdmxfrm.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F77ED13C-DEBF-4496-9A23-9FA24A0C4A47}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F77ED13C-DEBF-4496-9A23-9FA24A0C4A47}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F77ED13C-DEBF-4496-9A23-9FA24A0C4A47}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F77ED13C-DEBF-4496-9A23-9FA24A0C4A47}\InprocServer32]
@="C:\\WINDOWS\\system32\\lpgif11n.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{142EC994-AD93-43E8-9316-2F5FC361B7B4}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{142EC994-AD93-43E8-9316-2F5FC361B7B4}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{142EC994-AD93-43E8-9316-2F5FC361B7B4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{142EC994-AD93-43E8-9316-2F5FC361B7B4}\InprocServer32]
@="C:\\WINDOWS\\system32\\mLpi32.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{621F451E-ED6D-4B11-A0FD-2715A55D11DB}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{621F451E-ED6D-4B11-A0FD-2715A55D11DB}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{621F451E-ED6D-4B11-A0FD-2715A55D11DB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{621F451E-ED6D-4B11-A0FD-2715A55D11DB}\InprocServer32]
@="C:\\WINDOWS\\system32\\dfconfig.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8460426F-E1ED-4EDC-B531-F03E2927652F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8460426F-E1ED-4EDC-B531-F03E2927652F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8460426F-E1ED-4EDC-B531-F03E2927652F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8460426F-E1ED-4EDC-B531-F03E2927652F}\InprocServer32]
@="C:\\WINDOWS\\system32\\mlxoci.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{42A82CC0-3088-42FC-B062-0D86602ADB5E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{42A82CC0-3088-42FC-B062-0D86602ADB5E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{42A82CC0-3088-42FC-B062-0D86602ADB5E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{42A82CC0-3088-42FC-B062-0D86602ADB5E}\InprocServer32]
@="C:\\WINDOWS\\system32\\fyamebuf.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C4050B88-7625-476B-A095-156777E729E4}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C4050B88-7625-476B-A095-156777E729E4}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C4050B88-7625-476B-A095-156777E729E4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C4050B88-7625-476B-A095-156777E729E4}\InprocServer32]
@="C:\\WINDOWS\\system32\\utrsvpia.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DB20011B-25AE-4081-9733-91A72F8BBFA2}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DB20011B-25AE-4081-9733-91A72F8BBFA2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DB20011B-25AE-4081-9733-91A72F8BBFA2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DB20011B-25AE-4081-9733-91A72F8BBFA2}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7103B000-35BC-4018-84A6-E68BDE97CAF2}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7103B000-35BC-4018-84A6-E68BDE97CAF2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7103B000-35BC-4018-84A6-E68BDE97CAF2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7103B000-35BC-4018-84A6-E68BDE97CAF2}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{913CAF08-6938-4690-8C5B-81C5FA91F696}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{913CAF08-6938-4690-8C5B-81C5FA91F696}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{913CAF08-6938-4690-8C5B-81C5FA91F696}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{913CAF08-6938-4690-8C5B-81C5FA91F696}\InprocServer32]
@="C:\\WINDOWS\\system32\\mhorc32r.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{58EBE6A6-001B-4F19-9AF9-EDE207CEB428}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{58EBE6A6-001B-4F19-9AF9-EDE207CEB428}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{58EBE6A6-001B-4F19-9AF9-EDE207CEB428}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{58EBE6A6-001B-4F19-9AF9-EDE207CEB428}\InprocServer32]
@="C:\\WINDOWS\\system32\\szxcoins.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1640E590-F218-4E8A-84F0-02772A86D8CB}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1640E590-F218-4E8A-84F0-02772A86D8CB}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1640E590-F218-4E8A-84F0-02772A86D8CB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1640E590-F218-4E8A-84F0-02772A86D8CB}\InprocServer32]
@="C:\\WINDOWS\\system32\\natcfgx.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{CA7AE620-D443-4961-B46D-00382BDD1BA3}"=-
"{775C1135-97EA-4177-B196-BC62AEED2178}"=-
"{218A4F05-CCC3-4649-91D2-26B5A5181F9D}"=-
"{F77ED13C-DEBF-4496-9A23-9FA24A0C4A47}"=-
"{142EC994-AD93-43E8-9316-2F5FC361B7B4}"=-
"{621F451E-ED6D-4B11-A0FD-2715A55D11DB}"=-
"{8460426F-E1ED-4EDC-B531-F03E2927652F}"=-
"{42A82CC0-3088-42FC-B062-0D86602ADB5E}"=-
"{C4050B88-7625-476B-A095-156777E729E4}"=-
"{DB20011B-25AE-4081-9733-91A72F8BBFA2}"=-
"{7103B000-35BC-4018-84A6-E68BDE97CAF2}"=-
"{913CAF08-6938-4690-8C5B-81C5FA91F696}"=-
"{58EBE6A6-001B-4F19-9AF9-EDE207CEB428}"=-
"{1640E590-F218-4E8A-84F0-02772A86D8CB}"=-
[-HKEY_CLASSES_ROOT\CLSID\{CA7AE620-D443-4961-B46D-00382BDD1BA3}]
[-HKEY_CLASSES_ROOT\CLSID\{775C1135-97EA-4177-B196-BC62AEED2178}]
[-HKEY_CLASSES_ROOT\CLSID\{218A4F05-CCC3-4649-91D2-26B5A5181F9D}]
[-HKEY_CLASSES_ROOT\CLSID\{F77ED13C-DEBF-4496-9A23-9FA24A0C4A47}]
[-HKEY_CLASSES_ROOT\CLSID\{142EC994-AD93-43E8-9316-2F5FC361B7B4}]
[-HKEY_CLASSES_ROOT\CLSID\{621F451E-ED6D-4B11-A0FD-2715A55D11DB}]
[-HKEY_CLASSES_ROOT\CLSID\{8460426F-E1ED-4EDC-B531-F03E2927652F}]
[-HKEY_CLASSES_ROOT\CLSID\{42A82CC0-3088-42FC-B062-0D86602ADB5E}]
[-HKEY_CLASSES_ROOT\CLSID\{C4050B88-7625-476B-A095-156777E729E4}]
[-HKEY_CLASSES_ROOT\CLSID\{DB20011B-25AE-4081-9733-91A72F8BBFA2}]
[-HKEY_CLASSES_ROOT\CLSID\{7103B000-35BC-4018-84A6-E68BDE97CAF2}]
[-HKEY_CLASSES_ROOT\CLSID\{913CAF08-6938-4690-8C5B-81C5FA91F696}]
[-HKEY_CLASSES_ROOT\CLSID\{58EBE6A6-001B-4F19-9AF9-EDE207CEB428}]
[-HKEY_CLASSES_ROOT\CLSID\{1640E590-F218-4E8A-84F0-02772A86D8CB}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
  adding: dlls/dnp8017ue.dll (164 bytes security) (deflated 5%)
  adding: dlls/guard.tmp (164 bytes security) (deflated 4%)
  adding: dlls/i4jq0e15eh.dll (164 bytes security) (deflated 5%)
  adding: dlls/IUIresizeP6.dll (164 bytes security) (deflated 5%)
  adding: dlls/l2j8lc1u1f.dll (164 bytes security) (deflated 4%)
  adding: dlls/VU5DB.DLL (164 bytes security) (deflated 4%)
  adding: dlls/__delete_on_reboot__natcfgx.dll (164 bytes security) (deflated 5%)
  adding: backregs/142EC994-AD93-43E8-9316-2F5FC361B7B4.reg (104 bytes security) (deflated 70%)
  adding: backregs/1640E590-F218-4E8A-84F0-02772A86D8CB.reg (104 bytes security) (deflated 70%)
  adding: backregs/218A4F05-CCC3-4649-91D2-26B5A5181F9D.reg (104 bytes security) (deflated 70%)
  adding: backregs/42A82CC0-3088-42FC-B062-0D86602ADB5E.reg (104 bytes security) (deflated 70%)
  adding: backregs/58EBE6A6-001B-4F19-9AF9-EDE207CEB428.reg (104 bytes security) (deflated 70%)
  adding: backregs/621F451E-ED6D-4B11-A0FD-2715A55D11DB.reg (104 bytes security) (deflated 70%)
  adding: backregs/7103B000-35BC-4018-84A6-E68BDE97CAF2.reg (104 bytes security) (deflated 70%)
  adding: backregs/775C1135-97EA-4177-B196-BC62AEED2178.reg (104 bytes security) (deflated 70%)
  adding: backregs/8460426F-E1ED-4EDC-B531-F03E2927652F.reg (104 bytes security) (deflated 70%)
  adding: backregs/913CAF08-6938-4690-8C5B-81C5FA91F696.reg (104 bytes security) (deflated 70%)
  adding: backregs/C4050B88-7625-476B-A095-156777E729E4.reg (104 bytes security) (deflated 70%)
  adding: backregs/CA7AE620-D443-4961-B46D-00382BDD1BA3.reg (104 bytes security) (deflated 70%)
  adding: backregs/DB20011B-25AE-4081-9733-91A72F8BBFA2.reg (104 bytes security) (deflated 70%)
  adding: backregs/F77ED13C-DEBF-4496-9A23-9FA24A0C4A47.reg (104 bytes security) (deflated 70%)
  adding: backregs/notibac.reg (164 bytes security) (deflated 82%)
  adding: backregs/shell.reg (164 bytes security) (deflated 72%)


----------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 16:38:22, on 20-03-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\EPSON\EBAPI\eEBSVC.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmer\Fælles filer\EPSON\EBAPI\SAgent2.exe
C:\Programmer\ewido anti-malware\ewidoctrl.exe
C:\Programmer\ewido anti-malware\ewidoguard.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmer\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\hphmon05.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Region 3 Falck\Skrivebord\Hijackthis\hjt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lfdb.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmer\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\dnp8017ue.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Programmer\Fælles filer\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmer\Fælles filer\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmer\ewido anti-malware\ewidoguard.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe

!!!!!!!!!!
ejvindh Expert
20 March 2006 - 17:19 #36
That helped it enormously. You should be rid of your popups now. Run HJT again and fix this line:
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\dnp8017ue.dll (file missing)

Restart the computer and check that the line has disappeared from the log. If it has, the log is clean :-)

To finish the job completely:
It can be a good idea to clean up the System Restore files. Disable System Restore (http://www.spywarefri.dk/virusscannere.htm#alle) - restart your computer - enable System Restore.
And it can also be a good idea to hide your system files and folders again, so you don't accidentally delete an important file. You do that in the same place where you set it to show all files; this time you just choose: Do not show hidden files and folders.

It can also be a good idea to clear out your temporary files. That can be done quickly and easily with this file
www.spywareinfo.dk/download/cleantempxp2k.bat
---------------------------

To prevent a recurrence, I would recommend that you install some small programs that prevent spyware from getting in in the first place. You will find links and good advice here:
http://www.spywarefri.dk/manualer/sikkerhedspakke.htm

I would also suggest that you read this article on how you can avoid getting infected in the future:
http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=14414
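
An added example, not part of the original post and not code from L2MFix or HijackThis: a small parser for the Winlogon\Notify export format shown in the log above, which decodes `hex(2)` DllName values and lists the entries whose DLL is not in a baseline, the same check that singles out the `MS-DOS Emulation` line. The function names and `BASELINE` are assumptions; the baseline holds only DLL names visible in this thread's log and must be adapted to the machine being reviewed.

```python
import re

# Constructed sample: three entries in the .reg export format of the log above.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"DllName"="C:\\WINDOWS\\system32\\dnp8017ue.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
'''

NOTIFY = "\\winlogon\\notify\\"

# Assumption: baseline built from DLL names that appear in this thread's log.
BASELINE = {"cryptnet.dll", "cscdll.dll", "wlnotify.dll",
            "sclgntfy.dll", "wgalogon.dll"}


def decode_value(raw):
    """Decode a .reg value: hex(2) is UTF-16LE REG_EXPAND_SZ, "..." is REG_SZ."""
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[len("hex(2):"):].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    return raw


def parse_notify(reg_text):
    """Return {notify entry name: DllName} for direct Winlogon\\Notify subkeys."""
    # A trailing backslash continues a hex value on the next line.
    text = re.sub(r"\\\r?\n\s*", "", reg_text)
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.match(r"\[(.+)\]$", line)
        if key:
            path = key.group(1)
            idx = path.lower().find(NOTIFY)
            current = path[idx + len(NOTIFY):] if idx != -1 else None
            if current and "\\" in current:   # nested key such as ...\Settings
                current = None
            continue
        if current is None:
            continue
        val = re.match(r'"([^"]+)"=(.*)$', line)
        # The value name appears as both DllName and DLLName in the log.
        if val and val.group(1).lower() == "dllname":
            entries[current] = decode_value(val.group(2))
    return entries


def suspicious(entries, baseline=BASELINE):
    """List (entry, dll) pairs whose DLL file name is not in the baseline."""
    flagged = []
    for name, dll in sorted(entries.items()):
        base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base not in baseline:
            flagged.append((name, dll))
    return flagged


if __name__ == "__main__":
    for name, dll in suspicious(parse_notify(SAMPLE)):
        print(f"review: Winlogon Notify '{name}' -> {dll}")
```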
pjatmail Master
20 March 2006 - 18:10 #37
Fantastic. It looks like it is OK now. A thousand thanks for the help. The two links to reading material I will look at as soon as possible, and in any case my son should take a closer look at it, I think.
Since it was Ejvindh's help that did it, I have to give him the far too few points I had put at stake, but Fazli - if I should open a new question to award you points for all your work, I will gladly do so.
ejvindh Expert
20 March 2006 - 20:05 #38
Glad that it helped. Regarding points, I can also create a supplementary question so that Fazli and I split the pot. It would at any rate be fair that he also gets some points, since he did the initial cleaning, which was also an important step in getting the computer clean :-)
pjatmail Master
21 March 2006 - 07:23 #39
If I understand you correctly, you want to share the 60 points you received... that is not fair, so now I am creating a new one for Fazli -- and another time when I have problems I will put more at stake :o)
Once again, thanks to both of you.
ejvindh Expert
21 March 2006 - 08:18 #40
All fine :-)
http://www.eksperten.dk/spm/696810

...but for another time, 60 points is actually quite reasonable given the difficulty of the log. 60 points is in fact the "rate" for a hard question. Another matter is that there has sometimes been a bit of inflation in it...
pjatmail Master
21 March 2006 - 12:24 #41
Yes, inflation is something we know from all of society :o)
But still - I am just happy that you are willing to spend your time on those of us who do not have the same skills. Our alternative to "eksperten" cannot be paid for with points - and then we are back to inflation again :o)