HijackThis - hjælp til HijackThis

Der er nu kun en enkelt entry, som er illegal -- men det kan jo også være slemt nok :-)

-- Hent Ewido herfra (14 dages version af plus-versionen)
http://www.spywarefri.dk/downloads1/ewido-setup.exe
Installer og opdater programmet. Vent med at scanne.

-- Kør Hijackthis, vælg "Do a system scan only", sæt flueben ved linierne listet her, luk alle vinduer undtaget Hijackthis, klik på fix checked.
O4 - HKCU\..\Run: [msngta32] msngta32.exe

-- Genstart i fejlsikret, hvis du ikke ved hvordan så kig her:
http://www.ctrlaltdel.dk/forum/forum_posts.asp?TID=23&PN=1

-- Du skal nu til at slette. Som indledning hertil skal du have slået "Udvidet filvisning" til:
Åbn en mappe, klik på Funktioner=>Mappeindstillinger=>Vis.
Fjern flueben ved "Skjul beskyttede operativsystemfiler".
Fjern flueben ved "Skjul filtypenavne for kendte filtyper".
Sæt prik i "Vis skjulte filer og mapper".

-- Slet herefter følgende (hvis du kan finde dem):
Søg efter denne fil, og slet den, hvis du finder den:
msngta32.exe

-- Kør en fuld scanning med Ewido, og lad den slette det, den finder. Programmet laver en lille log, som du skal kopiere herind i dit næste svar.

-- Genstart til normal tilstand, lav en ny HJT-log, som du sender herind til check.

Logfile of HijackThis v1.99.1
Scan saved at 13:33:10, on 17-06-2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Sygate\SPF\smc.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
D:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
D:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
D:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Google\Gmail Notifier\gnotify.exe
D:\Program Files\Winamp\winampa.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\System32\rundll32.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\NetMeter\NetMeter.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
D:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
D:\Program Files\ewido\security suite\SecuritySuite.exe
D:\WINDOWS\System32\RTLCPL.EXE
D:\WINDOWS\ALCFDRTM.EXE
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\Administrator\Desktop\Programmer\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.111.9.49:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - D:\WINDOWS\System32\xxyvstr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] D:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Google Desktop Search] "D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SmcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nTrayFw] D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [WinDLL (wchshield.exe)] rundll32.exe D:\WINDOWS\System32\wchshield.exe,start
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] D:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [D:\Program Files\NetMeter\NetMeter.exe] D:\Program Files\NetMeter\NetMeter.exe
O4 - HKCU\..\RunServices: [msngta32] msngta32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/haphazard/raptisoftgameloader.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150469926685
O20 - AppInit_DLLs: D:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: xxyvstr - D:\WINDOWS\SYSTEM32\xxyvstr.dll
O23 - Service: app_filter - Unknown owner - D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - D:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Program Files\Sygate\SPF\smc.exe

__________________________________________________________________________________

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on:            13:31:20, 17-06-2006
+ Report-Checksum:        A92B2B56

+ Scan result:

    :mozilla.8:D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2f20hlmi.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
    :mozilla.22:D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rbc0d5og.Standard bruger\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
    :mozilla.23:D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rbc0d5og.Standard bruger\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
    :mozilla.25:D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rbc0d5og.Standard bruger\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
    D:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
    D:\Documents and Settings\Administrator\Cookies\administrator@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup
    D:\Documents and Settings\Administrator\Cookies\administrator@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    D:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    D:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Y5RM2LPW\drsmartload278a[1].exe -> Downloader.Adload.bo : Cleaned with backup
    D:\Documents and Settings\Administrator\mrexe.exe -> Downloader.Adload.bo : Cleaned with backup
    D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KXINYJKH\udp-update[1].exe -> Proxy.Ranky.cq : Cleaned with backup
    D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UF4ZKPSL\cl-94-69-81[1].exe -> Proxy.Ranky.cq : Cleaned with backup
    D:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WK46B7CL\drsmartload278a[1].exe -> Downloader.Adload.bo : Cleaned with backup
    D:\WINDOWS\system32\jioarfam.exe -> Backdoor.Rbot.adf : Cleaned with backup
    D:\WINDOWS\system32\mrexe.exe -> Downloader.Adload.bo : Cleaned with backup
    D:\WINDOWS\system32\svghostd.exe -> Backdoor.Rbot.adf : Cleaned with backup
    D:\WINDOWS\system32\wchshield.exe -> Backdoor.Cloner : Cleaned with backup


::Report End

Det var en begrænset success, og så igen. For nu blev én af de slemme infektioner synlige. Den behandler vi således:

-- Hent "SuperAntiSpyware free" herfra:
http://www.spywarefri.dk/downloads1.htm
Installer, og opdater scannereren.

-- Download dette fix til dit skrivebord:
http://www.atribune.org/ccount/click.php?id=4

-- Dobbeltklik på VundoFix.exe for at køre det. Sæt flueben ud for "Run VundoFix as a task". Du vil få en besked om at Vundofix vil lukke og genåbne indenfor ca. et minut. Klik på OK.

-- Når Vundofix genåbner, skal du klikke på "Scan for Vundo"-knappen.

-- Når den er færdig med at scanne, skal du klikke på "Remove Vundo"-knappen.

-- Du vil så blive spurgt om du er sikker på, at du vil fjerne filerne. Her skal du klikke på "Yes". Herefter bliver dit skrivebord blankt, og fixet vil forsøge at fjerne Vundo. Når den er færdig, vil værktøjet have lov til at lukke computeren ned. Det skal du acceptere.

-- Genstart i fejlsikret tilstand.
Lidt hjælp til at komme i fejlsikret tilstand:
http://www.spywareinfo.dk/#/htm/fejlsikret_tilstand.htm

-- Start Superantispyware-scannereren, klik "Scan your computer", sæt flueben i dine drev, ovre til venstre i vinduet. Ovre til højre i vinduet, sætter du prik i "Perform Complete Scan". Klik "næste", nu scanner den. Når den er færdig, så markerer du det den finder, og lader scannereren fjerne det.

-- Genstart til normal tilstand (scannereren tilbyder måske at gøre det).

-- Åbn scannereren igen, og klik "preferences"-> "stastics/logs". Marker loggen, og klik "View log". Kopier loggen her ind i tråden, sammen med en ny HijackThis log og logfilen fra Vundofixet (C:\vundofix.txt).

Må hellere lige sige at jeg sætter stor pris på hjælpen :-)

SUPERAntiSpyware Scan Log
Generated 06/18/2006 at 02:44 PM

Core Rules Database Version : 2982
Trace Rules Database Version: 1075

Memory threats detected  : 0
Registry threats detected : 0
File threats detected    : 10

Adware.Tracking Cookie
    D:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
    D:\Documents and Settings\Administrator\Cookies\administrator@adtech[2].txt
    D:\Documents and Settings\Administrator\Cookies\administrator@winantivirus[1].txt
    D:\Documents and Settings\Administrator\Cookies\administrator@dk.winantivirus[2].txt
    D:\Documents and Settings\Administrator\Cookies\administrator@stats1.reliablestats[2].txt
    D:\Documents and Settings\Administrator\Cookies\administrator@microsofteup.112.2o7[1].txt
    D:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt
    D:\Documents and Settings\Administrator\Cookies\administrator@track.adform[2].txt
    D:\Documents and Settings\Administrator\Cookies\administrator@indexstats[1].txt

Trojan.SIPlugins
    D:\Documents and Settings\Administrator\Desktop\Programmer\backups\backup-20060615-140654-992.dll

______________________________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 14:50:35, on 18-06-2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\savedump.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Sygate\SPF\smc.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
D:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
D:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
D:\Program Files\Google\Gmail Notifier\gnotify.exe
D:\Program Files\Winamp\winampa.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\NetMeter\NetMeter.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
D:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
D:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\System32\wuauclt.exe
D:\WINDOWS\System32\notepad.exe
D:\Documents and Settings\Administrator\Desktop\Programmer\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.111.9.49:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {632FFBAF-98BE-4D88-87D3-FE190999A029} - D:\WINDOWS\System32\jkhhh.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] D:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Google Desktop Search] "D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SmcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nTrayFw] D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] D:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [D:\Program Files\NetMeter\NetMeter.exe] D:\Program Files\NetMeter\NetMeter.exe
O4 - HKCU\..\RunServices: [msngta32] msngta32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/haphazard/raptisoftgameloader.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150469926685
O20 - AppInit_DLLs: D:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: app_filter - Unknown owner - D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - D:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Program Files\Sygate\SPF\smc.exe

____________________________________________________________________

VundoFix V4.2.84

Checking Java version...

Java version is 1.5.0.4

Scan started at 14:23:54 18-06-2006

Listing files found while scanning....


D:\WINDOWS\system32\hhhkj.bak1
D:\WINDOWS\system32\hhhkj.ini
D:\WINDOWS\system32\jkhhh.dll
Attempting to delete D:\WINDOWS\system32\hhhkj.bak1
D:\WINDOWS\system32\hhhkj.bak1 Has been deleted!

Attempting to delete D:\WINDOWS\system32\hhhkj.ini
D:\WINDOWS\system32\hhhkj.ini Has been deleted!

Attempting to delete D:\WINDOWS\system32\jkhhh.dll
D:\WINDOWS\system32\jkhhh.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V4.2.84

Checking Java version...

Java version is 1.5.0.4

Scan started at 14:27:02 18-06-2006

Listing files found while scanning....


No infected files were found.

Det hjalp lidt, men der er stadig noget tilbage:

-- Hent Avenger her:
http://swandog46.geekstogo.com/avenger.zip

-- Pak Avenger-programmet ud og dobbeltklik på avenger.exe

-- Sæt en prik i "Input Script Manually" og klik på Luppen - nu dukker der et lille vindue op, hvor du skal kopiere indholdet mellem de stiplede linier ind:

-----------------------------
Files to delete:
c:\windows\system32\msngta32.exe
-----------------------------

-- Klik på Trafiklyset i Avenger. Programmet vil opfordre dig til at genstarte computeren straks, hvilket du skal gøre. Programmet vil lukke din computer, slette filerne og starte computeren igen.

-- Efter genstarten vil der dukke et notepad-vindue op, med en log for Avengers handlinger. Den må du gerne lægge ind i dit næste svar.

-- Kør Hijackthis, vælg "Do a system scan only", sæt flueben ved linierne listet her, luk alle vinduer undtaget Hijackthis, klik på fix checked.

O2 - BHO: (no name) - {632FFBAF-98BE-4D88-87D3-FE190999A029} - D:\WINDOWS\System32\jkhhh.dll (file missing)
O4 - HKCU\..\RunServices: [msngta32] msngta32.exe

-- Genstart computeren, og lav en ny log med Hijackthis, som du lægger herind sammen med loggen fra Avenger

-- Download også Gmer-rootkit scanner, og pak den ud til skrivebordet:
http://www.gmer.net/gmer.zip

Kør programmet, klik på fanebladet "Rootkit", og klik på "Scan". Når scanningen er færdig, skal du klikke på "Copy". Så dukker et vindue op, som fortæller at resultatet af rootkit-scanningen er blevet lagt ind i udklipsholderen. Du kan herefter gå ind i denne tråd, og kopiere indholdet herind, ved at stille dig i indtastningsfeltet, og trykke ctrl-v.

Det er denne infektion, der er tilbage:
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39437

Nå jeg trykker på trafiklyset i Avenger for jeg de følgende fejl:
Error: Selected file does not appear to be a valid script
Press OK to log error and continue

Nå jeg trykker på trafiklyset i Avenger for jeg de følgende fejl:
Error: Selected file does not appear to be a valid script
Press OK to log error and continue or cancel to abort
Error code: 1813

Ved ikke hvor mange der kender den. Men www.hijackthis.de skal du bare indtaste din log, og så finder den selv ud af hvad der er snavs :)

tak for tippet sorensen_123.

Logfile of HijackThis v1.99.1
Scan saved at 16:21:22, on 18-06-2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Sygate\SPF\smc.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
D:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
D:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Google\Gmail Notifier\gnotify.exe
D:\Program Files\Winamp\winampa.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\NetMeter\NetMeter.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
D:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
D:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Administrator\Desktop\Programmer\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.111.9.49:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] D:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Google Desktop Search] "D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SmcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nTrayFw] D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] D:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [D:\Program Files\NetMeter\NetMeter.exe] D:\Program Files\NetMeter\NetMeter.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvappfilter.dll
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/haphazard/raptisoftgameloader.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150469926685
O20 - AppInit_DLLs: D:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: app_filter - Unknown owner - D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - D:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Program Files\Sygate\SPF\smc.exe


GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-06-18 16:17:58
Windows 5.1.2600


---- System - GMER 1.0.10 ----

SSDT    \??\D:\WINDOWS\System32\drivers\wpsdrvnt.sys                                ZwAllocateVirtualMemory
SSDT    \??\D:\WINDOWS\System32\drivers\wpsdrvnt.sys                                ZwCreateThread
SSDT    \??\D:\WINDOWS\System32\drivers\wpsdrvnt.sys                                ZwMapViewOfSection
SSDT    \??\D:\WINDOWS\System32\drivers\wpsdrvnt.sys                                ZwProtectVirtualMemory
SSDT    \??\D:\WINDOWS\System32\drivers\wpsdrvnt.sys                                ZwShutdownSystem
SSDT    \??\D:\WINDOWS\System32\drivers\wpsdrvnt.sys                                ZwTerminateProcess
SSDT    \??\D:\WINDOWS\System32\drivers\wpsdrvnt.sys                                ZwWriteVirtualMemory

---- Devices - GMER 1.0.10 ----

Device  \Driver\NVTCP \Device\nvTcp IRP_MJ_CREATE                                    [EFB7E220] wpsdrvnt.sys
Device  \Driver\NVTCP \Device\nvTcp IRP_MJ_CLOSEIRP_MJ_READ                          [EFB7E480] wpsdrvnt.sys
Device  \Driver\NVTCP \Device\nvTcp IRP_MJ_INTERNAL_DEVICE_CONTROL                  [EFB7E5A0] wpsdrvnt.sys
Device  \Driver\NVTCP \Device\nvTcp IRP_MJ_SHUTDOWN                                  [EFB7E5D0] wpsdrvnt.sys
Device  \Driver\prodrv06 \Device\ProDrv06 IRP_MJ_CREATE                              E19F5930
Device  \Driver\prohlp02 \Device\ProHlp02 IRP_MJ_CREATE                              E146FAF0
Device  \Driver\nvatabus \Device\0000007a IRP_MJ_SHUTDOWN                            [F7D376C1] prosync1.sys
Device  \Driver\nvatabus \Device\NvAta0 IRP_MJ_SHUTDOWN                              [F7D376C1] prosync1.sys
Device  \Driver\nvatabus \Device\0000007b IRP_MJ_SHUTDOWN                            [F7D376C1] prosync1.sys
Device  \Driver\nvatabus \Device\NvAta1 IRP_MJ_SHUTDOWN                              [F7D376C1] prosync1.sys
Device  \Driver\nvatabus \Device\0000007c IRP_MJ_SHUTDOWN                            [F7D376C1] prosync1.sys
Device  \Driver\nvatabus \Device\NvAta2 IRP_MJ_SHUTDOWN                              [F7D376C1] prosync1.sys

---- Files - GMER 1.0.10 ----

File    C:\System Volume Information\tracking.log                                   
File    C:\System Volume Information\_restore{3BFAD91B-97B3-4AFF-BD5F-CA19C5FF3C1A} 
File    C:\System Volume Information\_restore{C59EB843-4EBC-4602-8859-461369BEC2ED} 
File    D:\System Volume Information\tracking.log                                   
File    D:\System Volume Information\_restore{C59EB843-4EBC-4602-8859-461369BEC2ED} 

---- EOF - GMER 1.0.10 ----

Jeg vil gerne advare imod ukritisk brug af hijackthis.de. Dels finder den slet ikke det hele. Dels har den også nogle falske positiver (bullguard firewall vil den fx anbefale at man fixer). Dels forklarer den heller ikke særlig godt, hvordan man kommmer af med skidtet. Og det er faktisk efterhånden den sværeste del af HJT-log-analyserne.

Men i øvrigt så ser det ud til at du kom til bunds i problemet alligevel. Logsene er rene. Har du også fået løst dit problem?

For at gøre arbejdet helt færdig:
Det kan være en god ide og rydde op i systemgendannelses filerne. Deaktiver systemgendannelse (http://www.spywarefri.dk/virusscannere.htm#alle) - genstart din computer - aktiver systemgendannelse.
Og så kan det også være en god ide at skjule dine systemfiler og -mapper igen, så du ikke ved en fejl kommer til at slette en vigtig fil. Det gør du samme sted, hvor du satte det til at vise alle filer, denne gang vælger du bare: Vis ikke skjulte filer og mapper.

Det kan også være en god ide at få renset ud i dine midlertidige filer. Det kan gøres på en hurtig og nem måde med denne fil
www.spywareinfo.dk/download/cleantempxp2k.bat
---------------------------

For at forhindre gentagelser, vil jeg anbefale dig at lægge nogle små programmer ind, som forhindrer spyware i at komme ind i første omgang. Du finder links og gode råd her:
http://www.spywarefri.dk/manualer/sikkerhedspakke.htm

Jeg vil også foreslå, at du læser denne artikel om hvordan du kan undgå at blive inficeret i fremtiden:
http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=14414

Grunden til jeg startede med at lave den her tråd, var fordi jeg ligepludselig mistede al lyd på min computer, og havde en mistanke om at det skyldtes virus eller andet snavs.
Jeg har stadig ikke fået lyden tilbage, men hvis der ikke er mere snavs på computeren må problemet jo ligge et andet sted.
Tak for hjælpen ejvindh.

Det var så lidt :-)

Det ville ikke være typisk opførsel for en virus at fjerne lyden. Måske en side-effekt. Prøv evt. at fjerne lydkortet fra enhedshåndteringen, genstarte computeren, og se om XP automatisk installerer lydkortet igen. Gør den ikke det, kunne det godt tyde på et defekt lydkort. Dette kan du evt. checke ved at prøve at sætte det ind i en anden computer, og se om det virker der (dette er naturligvis kun muligt, hvis lydkortet ikke er onboard på bundkortet *S*)

Hvis du har lydkort-drivere på en cd eller diskette, kan det muligvis være en fordel, hvis du kan få lov til at hente driveren ind derfra når/hvis XP geninstallerer driveren.

Ellers kan du jo sige hvilket lydkort du bruger, så vi kan finde en driver.

Men du skal nok lige teste alt det her inden:
-Er du sikker på det er lydkortet der er noget galt med, og ikke højtalerne? (Prøv at tilslutte et headset eller hovedetelefoner til udgangen!).
-Er lydkortet slået fra i bios?
-Er lydkortet slået fra i windows? Prøv at gå ind i Start->Kontrolpanel->Lyde og Lydenheder.
-Tag lydkortet ud, start computeren, sluk den, og put det i igen, og se om den så har fundet det, er der støv på kortet? Måske i udgangen? Hvis det kun er lyden der ikke virker, og en evt. mikrofon virker er det måske det! Prøv at tage et sugerør og pust ind i indgangen, eller tage en nål og forsigtigt køre rundt derinde.
-Prøv at gå ind i Start->Kontrolpanel->Tilføj Hardware og sig at du allerede har sat hardwaren i. Derefter vil der komme en liste med forskellige hardware. Ved mig er det "SoundMAX Integrated Digital Audio", derefter trykker du næste og følger vejledningen.

Tror ikke der var så meget andet..I hvertfald ikke hvad jeg kan komme på :)

Held og lykke med at få det til at virke!


Mvh. Elias Sørensen