virus? Andets?

Logfile of HijackThis v1.99.1
Scan saved at 18:28:18, on 16-04-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programmer\Java\jre1.5.0_03\bin\jusched.exe
C:\Programmer\AVPersonal\AVWUPSRV.EXE
C:\Programmer\ScrubXP\scrubxp.exe
C:\WINDOWS\system32\crypserv.exe
C:\Programmer\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\Programmer\Fælles filer\Command Software\dvpapi.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Analog Devices\SoundMAX\SMTray.exe
C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\AVPersonal\AVGNT.EXE
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\Programmer\LiveUpdate\LiveUpdate.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Programmer\Fælles filer\Ahead\lib\NMBgMonitor.exe
C:\Programmer\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Programmer\VoipDiscount.com\VoipDiscount\VoipDiscount.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programmer\Internet Explorer\IEXPLORE.EXE
C:\Programmer\WinAce\WinAce.exe
C:\DOCUME~1\CJ1E1C~1.CJ-\LOKALE~1\Temp\~AceTemp\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/wdgt3/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar2.dll
O2 - BHO: (no name) - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [sc] C:\Programmer\ScrubXP\scrubxp.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmer\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Smapp] C:\Programmer\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Programmer\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [STDL] C:\WINDOWS\system32\stub.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programmer\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Project1.lnk = C:\WINDOWS\system32\Stub.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/pcpitstop.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128867154500
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programmer\AVPersonal\AVWUPSRV.EXE
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Programmer\Fælles filer\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe

Kigger

http://www.cexx.org/lspfix.zip + http://www.itc.virginia.edu/desktop/central/display/versions.php3?softwareID=67&nav=title

Hent disse 2, men brug dem ikke endnu. tjekker loggen!

Hent denne scanner, den skal du bruge senere.
http://www.mwti.net/antivirus/free_utilities.asp - Virusscanner.

http://www.new.net/support/uninstall6_30.exe

Luk alle åbne vinduer undtagen hijackthis. Marker disse og klik på fix checked:

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - (no file)O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - (no file)
O2 - BHO: (no name) - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net

Hent MicroWorld AntiVirus Toolkit Utility (MWAV) som linket til øverst.
Genstart i fejlsikret tilstand (F8 i opstart). Tag en scanning med mwav.exe
Aktiver det hele i opsætningen derinde sæt (flueben/prik) alle steder, så du får scannet alt igennem. Denne scanning kan godt tage et par timer alt efter hvor meget du har liggende på din computer.

Genstart computeren - hvis du har mistet internetforbindelsen pga. du har fixet de 010 linier, gør dette:
Pak filen LSPfix ud og kør programmet, sæt flueben i "I know what I am doing" klik på finish. P.s. Du må kun bruge programmet hvis du mister forbindelsen!


Smid en ny log ind til tjek.

john_S

hvorfor slette Userinit.exe ?

userinit - userinit.exe - Process Information
Process File: userinit or userinit.exe
Process Name: Userinit Logon Application
 
Description:
Userinit.exe is a key process in the Windows operating system. On boot-up it manages the different start up sequences needed, such as establishing network connection and starting up the Windows shell. This program is important for the stable and secure running of your computer and should not be terminated.

Note: userinit.exe is also a process which is registered as the Satiloler Trojan. This Trojan allows attackers to access your computer, stealing passwords, Internet banking and personal data. It is a registered security risk and should be removed immediately.

Den kom med ved en fejl, og opdagede den ikke før du nu siger det :(

men jeg kan fortælle dig af hvis spørger ikke har gjort noget endnu kan spøger jo undlad at gøre noget hvis den er slettet kan man via backup i hijackthis forudsat den ikke er slettet gendanne den ting man har slettet forudsat hijackthis ikke er slettet

john_stigers
du kan jo lige kontakte mig på msn engang når du har tid så har jeg en gave til dig

vil gerne have et svar...  så point kan tildeles

mvh claus

ok

http://www.eksperten.dk/enyt.phtml?id=164

* Selv tage pointene i eget spørgsmål

Hvis man selv finder løsningen på sit spørgsmål, har man selvfølgelig ret til at tage pointene retur. Husk dog at løsningen så skal nævnes i spørgsmålet jf. punkt 2.10 i reglerne.

Det er ikke tilladt at tage pointene retur bare fordi der ikke er nogen der har lavet et indlæg som et "Svar". I dette tilfælde beder man blot brugeren/brugerne der har løst sit problem, om at lave et svar.

Opretter du nyt spørgsmål med point til mig?