Notifikationer

Markér alle som læst Log ud

lonerangr Nybegynder

19. juni 2006 - 13:32 Der er 12 kommentarer og
1 løsning

HiJack igen igen

Jeg har fået endnu en kammerats PC til behandling. Den var særdeles inficeret, og stort set uden beskyttelse.

Jeg har kørt Dr.Web og Superantispyware, og er nu kommet frem til følgende logfil. Jeg er overhovedet ikke sikker på at den nu er ren.

En der gider tage et lille kik ?

Logfile of HijackThis v1.99.1
Scan saved at 13:22:42, on 19-06-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\ATI Multimedia\main\launchpd.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\ATI Multimedia\MAIN\ATISched.EXE
C:\Programmer\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Programmer\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Programmer\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Programmer\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmer\Grisoft\AVG Free\avgcc.exe
C:\Programmer\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\Niels\Skrivebord\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\cwkcf.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\winsock\csrss.exe,nsqgqug.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SQL Services] C:\WINDOWS\system32\\sqhost.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard25.exe
O4 - HKLM\..\Run: [defender] C:\\defender26.exe
O4 - HKLM\..\Run: [newname] C:\\newname25.exe
O4 - HKLM\..\Run: [lfwpfn] C:\WINDOWS\System32\lnsxgp.exe reg_run
O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Programmer\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Scheduler] C:\Programmer\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [PowerBar] "C:\Programmer\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [OM_Monitor] C:\Programmer\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [Run Service Vxdrun] vxddirectx32.exe
O4 - HKCU\..\Run: [updateMgr] C:\Programmer\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0 -reboot 1
O4 - HKCU\..\Run: [umuk] C:\PROGRA~1\FLLESF~1\umuk\umukm.exe
O4 - HKCU\..\Run: [hceqh] C:\WINDOWS\System32\lnsxgp.exe reg_run
O4 - HKCU\..\Run: [Ddmp] C:\Programmer\?icrosoft.NET\w?auclt.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunServices: [Run Service Vxdrun] vxddirectx32.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmer\WinZip\WZQKPICK.EXE
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Programmer\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.media-motor.net/cabs/alien.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Programmer\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: DirectX Graphics (dxdmain) - Unknown owner - C:\WINDOWS\System32\dxdmain.exe (file missing)
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Programmer\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Windows TCP/IP Socket Driver (winsck) - Unknown owner - C:\WINDOWS\winsock\csrss.exe (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Programmer\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

Synes godt om

sorensen_123 Nybegynder

19. juni 2006 - 13:34 #1

Kigger på det..Du skulle tage at gå ind på www.spywarefri.dk -> online værktøjer og så den der xcleaner, den fjerner meget..

Synes godt om

ejvindh Ekspert

19. juni 2006 - 13:40 #2

-- Hent "Brute Force Uninstaller" ned på dit skrivebord. (højreklik på linket, og vælg "Gem som" eller "Gem link som")
http://www.merijn.org/files/bfu.zip

Pak filen ud til denne mappe:
c:\BFU

-- Hent herefter qoofix.bat, og gem den også i c:\BFU-mappen
http://downloads.subratam.org/Lon/qooFix.bat
Dobbeltklik på qooFix.bat, luk alle vinduer. Vælg Option 1 (Qoolfix autofix), og følg anvisningerne
(det kan godt gå op mod 5 minutter).

-- Når computeren har genstartet må du gerne lave en frisk log med Hijackthis, som du lægger herind.

Synes godt om

sorensen_123 Nybegynder

19. juni 2006 - 13:45 #3

De her ting skal fjernes:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
Jeg tror også at det her er noget:
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\cwkcf.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\winsock\csrss.exe,nsqgqug.exe
O4 - HKLM\..\Run: [lfwpfn] C:\WINDOWS\System32\lnsxgp.exe reg_run
O4 - HKCU\..\Run: [umuk] C:\PROGRA~1\FLLESF~1\umuk\umukm.exe
O4 - HKCU\..\Run: [hceqh] C:\WINDOWS\System32\lnsxgp.exe reg_run
O4 - HKCU\..\RunServices: [Run Service Vxdrun] vxddirectx32.exe
Så fjern dem
Gå ind i start--kør-- skriv Services.msc
Hvis du finder noget med vxddirectx32.exe eller Vxdrun eller cmdService
, så deaktiver dem.

Synes godt om

ejvindh Ekspert

19. juni 2006 - 13:58 #4

Hov, vi er kommet til at lægge 2 forskellige forslag til rensningen. Når du responderer, så skriv lige hvilken procedure du har fulgt :-)

sorensen_123: Alle de entries du har listet skal fixes (undtaget den sidste R0). Men som du kan se, er jeg ikke overbevist om, at man kan gøre det med din metode :-)

Synes godt om

arlet Juniormester

19. juni 2006 - 14:00 #5

Samtidig mangler sorensen 123 en masse andre linjer, der skal fixes, så jeg holder også på ejvindh´s metode..

Synes godt om

lonerangr Nybegynder

19. juni 2006 - 16:41 #6

Jeg har forsøgt mig med ejvindh's løsning, og får nu flg. logfil.

Logfile of HijackThis v1.99.1
Scan saved at 16:39:33, on 19-06-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmer\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Programmer\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\ATI Multimedia\main\launchpd.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\ATI Multimedia\MAIN\ATISched.EXE
C:\Programmer\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Programmer\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Programmer\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Niels\Skrivebord\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SQL Services] C:\WINDOWS\system32\\sqhost.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard25.exe
O4 - HKLM\..\Run: [defender] C:\\defender26.exe
O4 - HKLM\..\Run: [newname] C:\\newname25.exe
O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Programmer\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Scheduler] C:\Programmer\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [PowerBar] "C:\Programmer\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [OM_Monitor] C:\Programmer\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [Run Service Vxdrun] vxddirectx32.exe
O4 - HKCU\..\Run: [umuk] C:\PROGRA~1\FLLESF~1\umuk\umukm.exe
O4 - HKCU\..\Run: [Ddmp] C:\Programmer\?icrosoft.NET\w?auclt.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunServices: [Run Service Vxdrun] vxddirectx32.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmer\WinZip\WZQKPICK.EXE
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Programmer\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.media-motor.net/cabs/alien.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Programmer\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: DirectX Graphics (dxdmain) - Unknown owner - C:\WINDOWS\System32\dxdmain.exe (file missing)
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Programmer\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Windows TCP/IP Socket Driver (winsck) - Unknown owner -

C:\WINDOWS\winsock\csrss.exe (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Programmer\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

Synes godt om

lonerangr Nybegynder

19. juni 2006 - 16:48 #7

Og lige endnu en, efter at have fjernet de sidste rester

Logfile of HijackThis v1.99.1
Scan saved at 16:46:40, on 19-06-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmer\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Programmer\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\ATI Multimedia\main\launchpd.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\ATI Multimedia\MAIN\ATISched.EXE
C:\Programmer\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Programmer\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Programmer\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Niels\Skrivebord\hijackthis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programmer\Internet Explorer\iexplore.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SQL Services] C:\WINDOWS\system32\\sqhost.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard25.exe
O4 - HKLM\..\Run: [defender] C:\\defender26.exe
O4 - HKLM\..\Run: [newname] C:\\newname25.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Programmer\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Scheduler] C:\Programmer\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [PowerBar] "C:\Programmer\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [OM_Monitor] C:\Programmer\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [Run Service Vxdrun] vxddirectx32.exe
O4 - HKCU\..\Run: [Ddmp] C:\Programmer\?icrosoft.NET\w?auclt.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmer\WinZip\WZQKPICK.EXE
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Programmer\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.media-motor.net/cabs/alien.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Programmer\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: DirectX Graphics (dxdmain) - Unknown owner - C:\WINDOWS\System32\dxdmain.exe (file missing)
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Programmer\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Windows TCP/IP Socket Driver (winsck) - Unknown owner - C:\WINDOWS\winsock\csrss.exe (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Programmer\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

Synes godt om

ejvindh Ekspert

19. juni 2006 - 17:00 #8

Det hjalp på den. Nu får du lige et allround-fix mere, så tager vi de sidste rester bagefter :-)

-- Hent Ewido herfra (14 dages version af plus-versionen)
http://www.spywarefri.dk/downloads1/ewido-setup.exe
Installer og opdater programmet. Vent med at scanne.

-- Hent Brute Force Uninstaller, og pak det ud til sin egen mappe (c:\BFU):
http://www.merijn.org/files/bfu.zip

-- Højreklik på følgende link, og vælg "Gem som" for at downloade Alcan Remover. Gem det i samme mappe som du gemte Brute Force Uninstaller i (c:\BFU):
http://metallica.geekstogo.com/alcanshorty.bfu

-- Genstart i fejlsikret, hvis du ikke ved hvordan så kig her:
http://www.ctrlaltdel.dk/forum/forum_posts.asp?TID=23&PN=1

-- Klik på "Min computer", og naviger frem til c:\BFU mappen. Dobbeltklik på BFU.exe. Så åbnes "The Brute Force Uninstaller". Til højre for det øverste indtastningsfelt, skal du nu klikke på det gule mappe-ikon ("Open script file"), og navigere frem til alcanshorty.bfu, som du hentede tidligere:
c:\bfu\alcanshorty.bfu

Klik herefter på "execute", og lad programmet gøre sit arbejde. Når scriptet er færdig, klikker du på OK, og derefter på EXIT.

-- Kør en fuld scanning med Ewido, og tillad programmet at fixe de ting, som det finder. Programmet laver en lille log, som du skal kopiere herind.

-- Genstart og læg en frisk Hijackthislog herind, sammen med loggen fra Ewido.

Synes godt om

sorensen_123 Nybegynder

19. juni 2006 - 17:01 #9

Der er sku stadig noget lort som malware osv:

O4 - HKLM\..\Run: [keyboard] C:\\keyboard25.exe (se http://fileinfo.prevx.com/adware/qq307c22049989-KEYB16980441/KEYBOARD25.EXE.html)
O4 - HKLM\..\Run: [defender] C:\\defender26.exe (http://fileinfo.prevx.com/spyware/qq278d23208249-DEFE17783796/DEFENDER26.EXE.html)
O4 - HKLM\..\Run: [newname] C:\\newname25.exe (se http://fileinfo.prevx.com/spyware/qq396722049947-NEWN16980434/NEWNAME25.EXE.html)
O15 - Trusted Zone: *.media-motor.net (se http://www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=ADW%5FMOTOR%2EA)
O15 - Trusted Zone: *.mmohsix.com

Tror lige det var det..

Synes godt om

lonerangr Nybegynder

19. juni 2006 - 18:44 #10

Jeg har i mellmtiden kørt dr.web og superantispyware endnu en gang med flg. logfil.
Jeg henter lige de sidste, og kører dem også.

Logfile of HijackThis v1.99.1
Scan saved at 18:39:26, on 19-06-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmer\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Programmer\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\ATI Multimedia\main\launchpd.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\ATI Multimedia\MAIN\ATISched.EXE
C:\Programmer\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Programmer\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Programmer\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Niels\Skrivebord\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SQL Services] C:\WINDOWS\system32\\sqhost.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard25.exe
O4 - HKLM\..\Run: [defender] C:\\defender26.exe
O4 - HKLM\..\Run: [newname] C:\\newname25.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Programmer\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Scheduler] C:\Programmer\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [PowerBar] "C:\Programmer\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [OM_Monitor] C:\Programmer\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [Run Service Vxdrun] vxddirectx32.exe
O4 - HKCU\..\Run: [Ddmp] C:\Programmer\?icrosoft.NET\w?auclt.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmer\WinZip\WZQKPICK.EXE
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Programmer\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.media-motor.net/cabs/alien.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Programmer\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: DirectX Graphics (dxdmain) - Unknown owner - C:\WINDOWS\System32\dxdmain.exe (file missing)
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Programmer\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Windows TCP/IP Socket Driver (winsck) - Unknown owner - C:\WINDOWS\winsock\csrss.exe (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Programmer\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

Synes godt om

ejvindh Ekspert

19. juni 2006 - 19:20 #11

Ok, Dr.Web og SAS er også gode scannere at have kørt. Det var en ret "beskidt" computer. Jeg afventer lige at du har kørt det fix, som jeg nævnte (og som bl.a. også skulle fixe et par af dem som sorensen_123 nævner). :-)

Synes godt om

lonerangr Nybegynder

19. juni 2006 - 19:48 #12

Diverse logs

v1.00.9
Windows XP SP2 (WinNT 5.01.2600 SP2)
Script started at 18:51:18, on 19-06-2006

Option Unload Explorer: Yes
Failed: DllUnregister C:\WINDOWS\DH.dll|1 (file not found)
Failed: ServiceStop Network Monitor (service not found)
Failed: ServiceStop cmdService (service not found)
Failed: ServiceDisable Network Monitor (service not found)
Failed: ServiceDisable cmdService (service not found)
Failed: ServiceDelete Network Monitor (service not found)
Failed: ServiceDelete cmdService (service not found)
Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools (key not found)
Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found)
Failed: RegDelValue HKCU\Microsoft\Windows\CurrentVersion\policies\Explorer\Run|WinUpdate.exe (key not found)
Option pause between commands: 300 ms
Option pause between commands: 50 ms
Failed: FolderDelete C:\Programmer\MsConfigs (folder not found)
Failed: FolderDelete C:\Programmer\winupdates (folder not found)
Failed: FolderDelete C:\Programmer\winupdate (folder not found)
Failed: FolderDelete C:\Programmer\winsupdater (folder not found)
Failed: FolderDelete C:\Programmer\MsUpdate (folder not found)
Failed: FolderDelete C:\Programmer\MsMovies (folder not found)
Failed: FolderDelete C:\Programmer\wmplayer (folder not found)
Failed: FolderDelete C:\Programmer\outlook (folder not found)
Failed: FileDelete C:\Programmer\Common Files\Windows\mc-*-*.exe (operation failed)
Failed: FileDelete C:\Programmer\Common Files\Download\mc-*-*.exe (operation failed)
Failed: FileDelete C:\DOCUME~1\Niels\LOKALE~1\Temp\~DF6513.tmp (operation failed)
Failed: FolderDelete C:\Programmer\Maxifiles (folder not found)
Failed: FolderDelete C:\Programmer\DNS (folder not found)
Failed: FolderDelete C:\Programmer\EQAdvice (folder not found)
Failed: FolderDelete C:\Programmer\FCAdvice (folder not found)
Failed: FolderDelete C:\Programmer\Common Files\FreeProd1 (folder not found)
Failed: FolderDelete C:\Programmer\Common Files\FreeProd2 (folder not found)
Failed: FolderDelete C:\Programmer\Common Files\InetGet (folder not found)
Failed: FolderDelete C:\Programmer\Common Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Programmer\InetGet2 (folder not found)
Failed: FolderDelete C:\Programmer\Common Files\VCClient (folder not found)
Failed: FolderDelete C:\Programmer\Network Monitor (folder not found)
Failed: FolderDelete C:\WINDOWS\inet20001 (folder not found)
Failed: FolderDelete C:\Programmer\Update06 (folder not found)
Failed: FolderDelete C:\Programmer\Update03 (folder not found)
Failed: FolderDelete C:\Programmer\Update04 (folder not found)
Failed: FolderDelete C:\Programmer\Update08 (folder not found)
Failed: FolderDelete C:\Programmer\W-Update (folder not found)
Failed: FolderDelete C:\Programmer\Yazzle Sudoku (folder not found)
Failed: FolderDelete C:\Programmer\Cas (folder not found)
Failed: FolderDelete C:\Programmer\CasStub (folder not found)
Failed: FolderDelete C:\Programmer\Cas2Stub (folder not found)
Failed: FolderDelete C:\Programmer\ipwins (folder not found)
Failed: FolderDelete C:\Programmer\PECarlin (folder not found)
Failed: FolderDelete C:\Programmer\AXVenore (folder not found)
Failed: FolderDelete C:\Programmer\SDVita (folder not found)
Failed: FileMove C:\WINDOWS\win*-*.exe|C:\bintheredunthat (source file not found)
Script completed.

------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 19:40:34, 19-06-2006
+ Report-Checksum: 53EA9420

+ Scan result:

HKU\S-1-5-21-1060284298-813497703-1343024091-1003\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
C:\Documents and Settings\Niels\Cookies\niels@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
C:\Documents and Settings\Niels\Cookies\niels@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Niels\Cookies\niels@bfast[2].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\Niels\Cookies\niels@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Niels\Cookies\niels@com[1].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Niels\Cookies\niels@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\warebundl0.#xe -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SoftwareDistribution\Download\3181ff0986f6247624154a79edaf56178a465479/mrt.exe -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\WINDOWS\SoftwareDistribution\Download\3181ff0986f6247624154a79edaf56178a465479/mrt.exe -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\WINDOWS\system32\Ghost[5].cpl -> Worm.Randon.aa : Cleaned with backup
C:\WINDOWS\system32\MRT.exe -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\WINDOWS\xdisk.exe/mediam.exe -> Trojan.LowZones.cq : Cleaned with backup

::Report End

file of HijackThis v1.99.1
Scan saved at 19:45:49, on 19-06-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\ATI Multimedia\main\launchpd.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\ATI Multimedia\MAIN\ATISched.EXE
C:\Programmer\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Programmer\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmer\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Programmer\ewido\security suite\ewidoctrl.exe
C:\Programmer\ewido\security suite\ewidoguard.exe
C:\Programmer\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Programmer\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Documents and Settings\Niels\Skrivebord\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SQL Services] C:\WINDOWS\system32\\sqhost.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Programmer\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Scheduler] C:\Programmer\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [PowerBar] "C:\Programmer\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [OM_Monitor] C:\Programmer\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [Run Service Vxdrun] vxddirectx32.exe
O4 - HKCU\..\Run: [Ddmp] C:\Programmer\?icrosoft.NET\w?auclt.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmer\WinZip\WZQKPICK.EXE
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Programmer\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.media-motor.net/cabs/alien.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Programmer\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: DirectX Graphics (dxdmain) - Unknown owner - C:\WINDOWS\System32\dxdmain.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmer\ewido\security suite\ewidoguard.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Programmer\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Windows TCP/IP Socket Driver (winsck) - Unknown owner - C:\WINDOWS\winsock\csrss.exe (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Programmer\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

Jeg kan ikke komme vider i denne omgang, så jeg håber den er rimeligt kørende. Hvis der stadig er snavs, må det vente til jeg kan få PC'en i en længere periode næste gang.

Tak for hjælpen. Points var alt for små, men jeg glemte at rette dem til før første indlæg. Flere er på vej om nødvendigt.

Synes godt om

ejvindh Ekspert

19. juni 2006 - 20:49 #13

Helt ren er den nu ikke, men med lidt held, er det sidste blot oprydning:

-- Gå ind i kontrolpanel-tilføj/fjern programmer, og se om du kan få lov til at afinstallere følgende programmer:
PurityScan

-- Klik på Start-kør. Skriv: Services.msc, og klik på OK.
Find følgende services, højreklik på dem og vælg egenskaber. Under starttype vælger du deaktiveret. Klik også på Stop:
DirectX Graphics
Hardware Clock Driver
Windows TCP/IP Socket Driver

-- Kør Hijackthis, vælg "Do a system scan only", sæt flueben ved linierne listet her, luk alle vinduer undtaget Hijackthis, klik på fix checked (nogle af dem er muligvis allerede fjernet).
O4 - HKLM\..\Run: [SQL Services] C:\WINDOWS\system32\\sqhost.exe
O4 - HKCU\..\Run: [Run Service Vxdrun] vxddirectx32.exe
O4 - HKCU\..\Run: [Ddmp] C:\Programmer\?icrosoft.NET\w?auclt.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O23 - Service: DirectX Graphics (dxdmain) - Unknown owner - C:\WINDOWS\System32\dxdmain.exe (file missing)
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: Windows TCP/IP Socket Driver (winsck) - Unknown owner - C:\WINDOWS\winsock\csrss.exe (file missing)

-- Genstart i fejlsikret, hvis du ikke ved hvordan så kig her:
http://www.ctrlaltdel.dk/forum/forum_posts.asp?TID=23&PN=1

-- Du skal nu til at slette. Som indledning hertil skal du have slået "Udvidet filvisning" til:
Åbn en mappe, klik på Funktioner=>Mappeindstillinger=>Vis.
Fjern flueben ved "Skjul beskyttede operativsystemfiler".
Fjern flueben ved "Skjul filtypenavne for kendte filtyper".
Sæt prik i "Vis skjulte filer og mapper".

-- Slet herefter følgende (hvis du kan finde dem):
Mapper:
C:\Programmer\?icrosoft.NET\
C:\WINDOWS\winsock\

Filer:
C:\WINDOWS\System32\dxdmain.exe
C:\WINDOWS\system32\sqhost.exe
C:\WINDOWS\System32\hwclock.exe

Søg efter denne fil, og slet den, hvis du finder den:
vxddirectx32.exe

-- Genstart til normal tilstand, lav en ny HJT-log, som du sender herind til check.

Synes godt om

Ny bruger Nybegynder

Din løsning...

Tilladte BB-code-tags: [b]fed[/b] [i]kursiv[/i] [u]understreget[/u] Web- og emailadresser omdannes automatisk til links. Der sættes "nofollow" på alle links.

Følg dette spørgsmål

Opret Preview

Se alle it-kurser fra Computerworld Kurser

IT-kurser om Microsoft 365, sikkerhed, personlig vækst, udvikling, digital markedsføring, grafisk design, SAP og forretningsanalyse.

Se alle it-kurser

Flere spørgsmål fra Virus kategorien

Titel	Indlæg	Oprettet	Seneste aktivitet
Vil skrifte antivirusprogram. Af ErikHg i Virus	22	26/11/202510:42	23/12/202514:29
Er gratis Bitdefender værd at installere ? Af Ikke-ekspert i Virus	8	31/08/202519:08	01/09/202514:18
Ukendte filer på min Pc Af jonpet i Virus	10	03/02/202514:20	04/02/202511:05
mulig ukendt virus Af jackie18 i Virus	3	18/01/202514:07	18/01/202516:39
virus popper op med jævne mellemrum Af Malm i Virus	13	18/01/202511:40	20/01/202517:53

Se alle spørgsmål i kategorien Opret spørgsmål

Log ind eller opret profil

Hov!

For at kunne deltage på Computerworld Eksperten skal du være logget ind.

Det er heldigvis nemt at oprette en bruger: Det tager to minutter og du kan vælge at bruge enten e-mail, Facebook eller Google som login.

Du kan også logge ind via nedenstående tjenester

Alle kategorier på Eksperten

Seneste artiklerRSS

10/04

Test: Denne mikro-pc er langt mere slagkraftig end den ser ud

10/04

SAS Institute rykker rundt i topledelsen: Her er selskabets nye danske landechef

10/04

Dansk AI-ekspert med ildevarslende spådom: "Vi er alle sammen på vej hen imod en stor sort mur, og vi aner ikke, hvad der findes på den anden side"

10/04

Nørgaard: Jeg er skuffet over Googles Gemini - og jeg har min egen forklaring på, hvorfor det er gået galt for Google

10/04

Først blev Teams smidt på porten – nu vil Frankrig også af med Windows

10/04

Nyt job til Danmarks bedste CISO: Får ansvaret for 64.000 ansatte

10/04

Flere hundredetusinder togrejsende ramt: Stjålne persondata sat til salg efter cyberangreb

10/04

Så meget får de danske it-konsulenter i løn: Næsten alle forventer mere i lønposen ved næsten lønforhandling

10/04

Her er 10 konkrete måder at måle på, om kunstig intelligens skaber værdi for dig

10/04

Microsoft sænker prisen på tre af sine cloud-løsninger med 20 procent

10/04

Kunstig intelligens i praksis – og uden hype

Vis flere artikler

IT-JOB

Region Midtjylland

IT-specialist til regionskliniksystemerne

Qpurpose ApS

Hiring talented and senior software engineers

TV2

Product Manager for People & Talent

Unik System Design A/S

QA Engineer

Forsvarsministeriets Materiel- og Indkøbsstyrelse

Teknologirådgiver inden for Sensor Fusion, AI og Teknisk Efterretning ved Forsvarsministeriets Materiel- og Indkøbsstyrelse i Ballerup

Vis flere jobs

Seneste spørgsmål Seneste aktivitet

I dag 20:18	Hvad tænker du om denne reklame. Af swambodk i Andet design
I dag 18:46	Logge ind hos Amazon.de Af Malm i E-handel
I dag 09:46	Messinger virker ikke på Windows 10 og Windows 11 Af eksmojo i Windows
I går 17:32	Jeg kan ikke opdatere min iPad til ios 26.4.1. Af Bettina i Apps til iOS
I går 08:32	Office pakke LTSC vs Retail? Af Don G i Office & Kontorpakker

White papers

Arctic Wolf Threat Report 2026: Sådan ændrer ransomware-landskabet sig
Arctic Wolf
Samarbejde mellem AI og mennesker styrker sikkerheden
Konica Minolta
Arctic Wolf Security Operations Report 2025: Indblik i moderne sikkerhedsdrift
Arctic Wolf
Find den SOC-model, der virker i praksis
SecureDevice

Flere white papers »