wormsk8 (Beginner)
25 August 2006 - 15:32  There are 8 comments and 2 solutions

Check hijack log

Hi out there, I'd be really happy if someone would go through my HijackThis log and see whether there is anything in it that shouldn't be there.

Thanks in advance.
wormsk8 (Beginner)
25 August 2006 - 15:32 #1
Logfile of HijackThis v1.99.1
Scan saved at 15:31:08, on 25-08-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\qttask.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmer\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programmer\Winamp\winampa.exe
C:\Programmer\DAEMON Tools\daemon.exe
C:\programmer\zango\zango.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
C:\programmer\steam\steam.exe
C:\Programmer\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Programmer\TEXTware\HotKey\TWALINK.EXE
C:\Programmer\iFinger\iFinger.exe
C:\Programmer\AntiVir PersonalEdition Classic\sched.exe
C:\Programmer\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Winamp\winamp.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Kasper W. Andersson\Skrivebord\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C5E315789FA575760EA83FA5EF80752B94E3D8775C7B462A3DCE - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\programmer\zango\zangohook.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [p2pnetworking] xz.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmer\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NI.UERSK_0001_N68M2202] "C:\Documents and Settings\Kasper W. Andersson\Skrivebord\ErrorSafeFreeInstall_dk.exe" -nag
O4 - HKLM\..\Run: [WinampAgent] C:\Programmer\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmer\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [styleerrormagslocks] C:\Documents and Settings\All Users\Application Data\Extra ante style error\else stupid.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [zango] "c:\programmer\zango\zango.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "c:\programmer\steam\steam.exe" -silent
O4 - HKCU\..\Run: [zfzf] C:\PROGRA~1\FLLESF~1\zfzf\zfzfm.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmer\Fælles filer\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [CURB FOUR] C:\DOCUME~1\KASPER~1.AND\APPLIC~1\INTERT~1\OWNSBIASISO.exe
O4 - Startup: BitTorrent.lnk = C:\Programmer\BitTorrent\bittorrent.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotKey.lnk = C:\Programmer\TEXTware\HotKey\TWALINK.EXE
O4 - Global Startup: iFinger.lnk = C:\Programmer\iFinger\iFinger.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144262533185
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\fppu0379e.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmer\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programmer\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
ejvindh (Expert)
25 August 2006 - 19:55 #2
It isn't clean. I'm looking through it now :-)
ejvindh (Expert)
25 August 2006 - 20:08 #3
There are several different infections, hence these somewhat lengthy instructions.

-- Download "SuperAntiSpyware free" from here:
http://www.spywarefri.dk/downloads1.htm
Install and update the scanner. But hold off on scanning.

A full guide to SuperAntiSpyware can be found here:
http://www.spywarefri.dk/manualer/superantispyware-manual.htm

-- Download Brute Force Uninstaller and unpack it into its own folder (c:\BFU):
http://www.merijn.org/files/bfu.zip

-- Right-click the following link and choose "Save as" to download Alcan Remover. Save it in the same folder you saved Brute Force Uninstaller in (c:\BFU):
http://metallica.geekstogo.com/MediaGateway.BFU

-- Click "My Computer" and navigate to the c:\BFU folder. Double-click BFU.exe. This opens "The Brute Force Uninstaller". To the right of the top input field, click the yellow folder icon ("Open script file") and navigate to alcanshorty.bfu, which you downloaded earlier:
c:\bfu\MediaGateway.BFU

Then click "execute" and let the program do its work (if BFU reports finished right away, something went wrong, and you are welcome to say so here in the thread). When the script has finished, click OK and then EXIT.

-- Go to Control Panel - Add/Remove Programs and see whether you are allowed to uninstall the following programs:
ErrorSafe
Messenger+

-- Download NoLop.exe and save it to the desktop:
http://www.spywareedge.net/nolop/NoLop.exe

Run the program. Press the "Search and Destroy" button. If it finds anything, you will be asked to press the Reboot button. Do so. After the restart, NoLop.exe will have created a log file, located here: C:\NoLop.txt
Copy the contents of this file in here.

-- Run HijackThis, choose "Do a system scan only", tick the lines listed here, close all windows except HijackThis, and click "Fix checked" (some of them have probably already disappeared by this point).

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/dk/
O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C5E315789FA575760EA83FA5EF80752B94E3D8775C7B462A3DCE - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\programmer\zango\zangohook.dll
O4 - HKLM\..\Run: [p2pnetworking] xz.exe
O4 - HKLM\..\Run: [NI.UERSK_0001_N68M2202] "C:\Documents and Settings\Kasper W. Andersson\Skrivebord\ErrorSafeFreeInstall_dk.exe" -nag
O4 - HKLM\..\Run: [styleerrormagslocks] C:\Documents and Settings\All Users\Application Data\Extra ante style error\else stupid.exe
O4 - HKLM\..\Run: [zango] "c:\programmer\zango\zango.exe"
O4 - HKCU\..\Run: [zfzf] C:\PROGRA~1\FLLESF~1\zfzf\zfzfm.exe
O4 - HKCU\..\Run: [CURB FOUR] C:\DOCUME~1\KASPER~1.AND\APPLIC~1\INTERT~1\OWNSBIASISO.exe
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\fppu0379e.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

-- Restart in Safe Mode; if you don't know how, look here:
http://www.ctrlaltdel.dk/forum/forum_posts.asp?TID=23&PN=1

-- Start SuperAntiSpyware, click "Scan your computer", and tick your drives on the left side of the window. On the right side of the window, select "Perform Complete Scan". Click "Next" and it scans. When it is finished, mark what it finds and let the scanner remove it.

-- Restart in normal mode. Open the SuperAntiSpyware scanner again and click "Preferences" -> "Statistics/Logs". Select the log and click "View log". Copy the log into the thread here, together with a new HijackThis log and the contents of C:\NoLop.txt.
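The judgement ejvindh applies by eye above (which O4, O2, O20 and R0 lines to tick for "Fix checked") can be written down as rules. The script below is an added example, not part of this thread and not code from HijackThis or any of the tools linked above. It parses a constructed excerpt in the same line format as the log posted in #1 and flags entries using the patterns behind the lines listed for fixing: an autorun with no directory (resolved by PATH search at logon), an autorun living under the user profile, a Winlogon Notify entry with no loadable DLL, a start page on a host outside an assumed allowlist, and BHO or autorun names matching adware named in this thread (`zango`, `bearshare`, `errorsafe`). The `TRUSTED_HOSTS` allowlist, the `KNOWN_BAD_TOKENS` list and the `fix`/`info` severities are my assumptions; `SAMPLE_LOG` is constructed from the formats above, not the full log.

```python
"""Rule-based triage of HijackThis v1.99-style log lines (added example)."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed excerpt in HijackThis line format; not the complete log from the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/dk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Zango Search Assistant Helper - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\programmer\zango\zangohook.dll
O4 - HKLM\..\Run: [p2pnetworking] xz.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmer\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [styleerrormagslocks] C:\Documents and Settings\All Users\Application Data\Extra ante style error\else stupid.exe
O4 - HKCU\..\Run: [CURB FOUR] C:\DOCUME~1\KASPER~1.AND\APPLIC~1\INTERT~1\OWNSBIASISO.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\fppu0379e.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{[^}]*\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
IEMAIN_RE = re.compile(
    r"^HK(?:LM|CU)\\Software\\Microsoft\\Internet Explorer\\Main,(?P<key>[^=]+) = (?P<url>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# User-writable profile locations, including the 8.3 short names HijackThis prints.
PROFILE_DIR_RE = re.compile(r"documents and settings|docume~1|application data|applic~1", re.I)

# Assumptions: hosts considered acceptable for a home/search page, and name fragments
# of the adware identified in this thread.
TRUSTED_HOSTS = ("microsoft.com", "msn.com", "google.com")
KNOWN_BAD_TOKENS = ("zango", "bearshare", "errorsafe", "180solutions")


@dataclass
class Finding:
    section: str
    severity: str  # "fix" = recommend ticking the line, "info" = review by hand
    reason: str
    line: str


def run_target(cmd: str) -> str:
    """Return the executable part of an O4 command: the quoted path, or text up to '.exe'."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe\b", cmd, re.I)
    return cmd[: m.end()] if m else cmd


def triage(log_text: str) -> list[Finding]:
    """Apply the reviewer's rules to every R*/O* line and collect findings."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        low = line.lower()
        bad = next((t for t in KNOWN_BAD_TOKENS if t in low), None)

        if sec in ("R0", "R1") and (im := IEMAIN_RE.match(body)):
            host = urlsplit(im.group("url").strip()).hostname or ""
            if not any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS):
                findings.append(Finding(sec, "fix",
                    f"{im.group('key').strip()} points at non-allowlisted host {host}", line))
        elif sec == "O2" and (bm := BHO_RE.match(body)):
            if bad:
                findings.append(Finding(sec, "fix", f"BHO matches known adware name '{bad}'", line))
        elif sec == "O4" and (rm := RUN_RE.match(body)):
            target = run_target(rm.group("cmd"))
            if "\\" not in target and not target.startswith("%"):
                findings.append(Finding(sec, "fix",
                    "autorun without a directory: resolved by PATH search at logon", line))
            elif PROFILE_DIR_RE.search(target):
                findings.append(Finding(sec, "fix",
                    "autorun from a user-writable profile directory", line))
            elif bad:
                findings.append(Finding(sec, "fix", f"autorun matches known adware name '{bad}'", line))
        elif sec == "O20" and (nm := NOTIFY_RE.match(body)):
            path = nm.group("path")
            if "(file missing)" in path or not path.lower().endswith(".dll"):
                findings.append(Finding(sec, "fix", "Winlogon Notify entry with no loadable DLL", line))
        elif sec == "O23" and (sm := SERVICE_RE.match(body)):
            if "(file missing)" in sm.group("path"):
                findings.append(Finding(sec, "info",
                    "orphaned service (binary missing): usually an uninstall leftover, check the vendor before fixing", line))
    return findings


def fix_lines(findings: list[Finding]) -> list[str]:
    """The lines a reviewer would tick in HijackThis."""
    return [f.line for f in findings if f.severity == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.line}")
```

Run as-is it prints seven `fix` findings (the bearshare start page, the Zango BHO, the three suspicious O4 autoruns and both O20 entries) and one `info` line for the ATI Smart service, while `avgnt` and `ctfmon` pass. The O23 "(file missing)" case is deliberately kept at `info`: as with "ATI Smart" in this log, an orphaned service entry is normally an uninstall leftover rather than an infection, and ejvindh did not list it. The rules rank lines for a human; legitimate software does sometimes autorun from Application Data, so a `fix` finding is a prompt to check the vendor and path, not a verdict.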
wormsk8 (Beginner)
27 August 2006 - 13:00 #4
SUPERAntiSpyware Scan Log
Generated 08/27/2006 at 12:33 PM

Core Rules Database Version : 3062
Trace Rules Database Version: 1107

Memory threats detected  : 0
Registry threats detected : 18
File threats detected    : 87

Adware.Tracking Cookie
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@cts.metricsdirect[2].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@tradedoubler[1].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@banners.searchingbooth[1].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@pro-market[1].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@serving-sys[1].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w[15].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@winfixer[2].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@indexstats[1].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@banner.monacogoldcasino[1].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w[12].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@microsoftwga.112.2o7[1].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@bs.serving-sys[2].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@media.fastclick[1].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@ads.beamfile[2].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w[3].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@adopt.hbmediapro[2].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@www.amaena[2].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@fastclick[2].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w[13].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@http.edge.vru4[1].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@ilead.itrack[1].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@mediaplex[1].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@ad1.emediate[2].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@msninvite.112.2o7[1].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@track.adform[2].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@revenue[1].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@optimost[1].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@2o7[2].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@ads1.revenue[1].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@offeroptimizer[1].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@amaena[1].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@ads.monster[2].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@partypoker[1].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@stats1.clicktracks[2].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@doubleclick[2].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@questionmarket[1].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@banner.cdpoker[1].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@banner.32vegas[2].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@atdmt[2].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@partygaming.122.2o7[1].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@server.iad.liveperson[2].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@zedo[1].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@ads.spele[2].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@as-eu.falkag[2].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@microsofteup.112.2o7[1].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w[14].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@adultfriendfinder[2].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@stats.drivecleaner[2].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@adtech[2].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@ad.yieldmanager[2].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@stats1.reliablestats[1].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@advertising[2].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@media.top-banners[2].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w[6].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@ads.zwoops[1].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@www.winfixer[2].txt
    C:\Documents and Settings\Kasper W. Andersson\Cookies\kasper w. andersson@flixbanner.bearshare[2].txt

Adware.180solutions/ZangoSearch
    C:\Programmer\Zango\zango.exe
    C:\Programmer\Zango\zangoau.dat
    C:\Programmer\Zango\zangohook.dll
    C:\Programmer\Zango\zango_gdf.dat
    C:\Programmer\Zango\zango_kyf.dat
    C:\Programmer\Zango
    C:\Documents and Settings\All Users\Menuen Start\Programmer\Zango\Open Library.url
    C:\Documents and Settings\All Users\Menuen Start\Programmer\Zango\Uninstall Zango Instructions.lnk
    C:\Documents and Settings\All Users\Menuen Start\Programmer\Zango\Zango Customer Support.url
    C:\Documents and Settings\All Users\Menuen Start\Programmer\Zango
    C:\WINDOWS\Prefetch\ZANGO.EXE-26086242.pf

Trojan.NetMon/DNSChange
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc

Trojan.cmdService
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE#NextInstance
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Service
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Legacy
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ConfigFlags
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Class
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ClassGUID
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#DeviceDesc

BearShare File Sharing Client
    C:\Programmer\BearShare\BearShare.exe
    C:\Documents and Settings\All Users\Menuen Start\Programmer\BearShare.lnk
    C:\WINDOWS\Prefetch\BEARSHARE.EXE-1F7FB804.pf

Adware.Lop
    C:\NoLopBackups\Duygsvek.exe.02.infected
    C:\NoLopBackups\Else Stupid.exe.012.infected
    C:\NoLopBackups\Ownsbiasiso.exe.03.infected
    C:\NoLopBackups\Store4drive.exe.04.infected
    C:\NoLopBackups\Typerectsafebat.exe.05.infected
    C:\RECYCLER\S-1-5-21-1417001333-1592454029-682003330-1004\Dc34.exe

Adware.180solutions/Search Assistant
    C:\RECYCLER\S-1-5-21-1417001333-1592454029-682003330-1004\Dc2.dll

Adware.Adservs
    C:\WINDOWS\S2FzcGVyIFdvcm0gQW5kZXJzc29u\asappsrv.dll

Trojan.Unknown Origin
    C:\WINDOWS\S2FzcGVyIFdvcm0gQW5kZXJzc29u\mZIWw3pVKIxSwAX0kqc4trLWwZ6R.vbs

Worm.Alcra Variant
    C:\WINDOWS\system32\cmd.com
    C:\WINDOWS\system32\ping.com
    C:\WINDOWS\system32\regedit.com
    C:\WINDOWS\system32\tasklist.com
    C:\WINDOWS\system32\tracert.com

Adware.NicTech Networks
    C:\WINDOWS\system32\en6ml1j11.dll
    C:\WINDOWS\system32\ktnul7591.dll
wormsk8 (Beginner)
27 August 2006 - 13:00 #5
NoLop! Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\Kasper W. Andersson\Skrivebord
[27-08-2006]
[11:51:56]

---Infection Files Found/Removed---
C:\Documents and Settings\Kasper W. Andersson\Application Data\Intertest\Store4Drive.exe
C:\Documents and Settings\Kasper W. Andersson\Application Data\Intertest\Typerectsafebat.exe
C:\Documents and Settings\All Users\Application Data\Extra ante style error\else stupid.exe
C:\Documents and Settings\Kasper W. Andersson\Application Data\Intertest\duygsvek.exe
C:\WINDOWS\tasks\A99CF3B4902F6C9C.job

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---

C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Antivir Personaledition Classic
C:\Documents and Settings\All Users\Application Data\Ati Mmc
C:\Documents and Settings\All Users\Application Data\Macrovision
C:\Documents and Settings\All Users\Application Data\Messenger Plus!
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Quicktime
C:\Documents and Settings\All Users\Application Data\Sony Ericsson
C:\Documents and Settings\All Users\Application Data\Tarma Installer
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Kasper W. Andersson\Application Data\.bittornado
C:\Documents and Settings\Kasper W. Andersson\Application Data\.bittorrent
C:\Documents and Settings\Kasper W. Andersson\Application Data\Adobe
C:\Documents and Settings\Kasper W. Andersson\Application Data\Adobeum
C:\Documents and Settings\Kasper W. Andersson\Application Data\Ahead
C:\Documents and Settings\Kasper W. Andersson\Application Data\Coalerrormp3  -- EMPTY Directory
C:\Documents and Settings\Kasper W. Andersson\Application Data\Help  -- EMPTY Directory
C:\Documents and Settings\Kasper W. Andersson\Application Data\Identities
C:\Documents and Settings\Kasper W. Andersson\Application Data\Macromedia
C:\Documents and Settings\Kasper W. Andersson\Application Data\Microsoft
C:\Documents and Settings\Kasper W. Andersson\Application Data\Mozilla
C:\Documents and Settings\Kasper W. Andersson\Application Data\Mozillacontrol
C:\Documents and Settings\Kasper W. Andersson\Application Data\Nikon
C:\Documents and Settings\Kasper W. Andersson\Application Data\Real
C:\Documents and Settings\Kasper W. Andersson\Application Data\Sun
C:\Documents and Settings\Kasper W. Andersson\Application Data\Superantispyware.com
C:\Documents and Settings\Kasper W. Andersson\Application Data\Talkback
C:\Documents and Settings\Kasper W. Andersson\Application Data\Thunderbird
C:\Documents and Settings\Kasper W. Andersson\Application Data\Utorrent
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Netmon
C:\Documents and Settings\Networkservice\Application Data\Microsoft
wormsk8 (Beginner)
27 August 2006 - 13:01 #6
Logfile of HijackThis v1.99.1
Scan saved at 13:01:28, on 27-08-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\qttask.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmer\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programmer\Winamp\winampa.exe
C:\Programmer\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\programmer\steam\steam.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmer\TEXTware\HotKey\TWALINK.EXE
C:\Programmer\iFinger\iFinger.exe
C:\Programmer\AntiVir PersonalEdition Classic\sched.exe
C:\Programmer\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Kasper W. Andersson\Skrivebord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmer\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WinampAgent] C:\Programmer\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmer\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\programmer\steam\steam.exe" -silent
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmer\Fælles filer\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: BitTorrent.lnk = C:\Programmer\BitTorrent\bittorrent.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotKey.lnk = C:\Programmer\TEXTware\HotKey\TWALINK.EXE
O4 - Global Startup: iFinger.lnk = C:\Programmer\iFinger\iFinger.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144262533185
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\fppu0379e.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmer\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programmer\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
wormsk8 (Beginner)
27 August 2006 - 13:01 #7
Thanks for the help so far!
ejvindh (Expert)
27 August 2006 - 14:50 #8
That helped. Try fixing this line with HijackThis:

O20 - Winlogon Notify: Run - C:\WINDOWS\system32\fppu0379e.dll (file missing)

Restart the computer and check that the line has disappeared. If it has, there is no more junk in your logs. Has it helped the computer?

To finish the job completely:
It can be a good idea to clean up the System Restore files. Disable System Restore (http://www.spywarefri.dk/virusscannere.htm#alle) - restart your computer - enable System Restore.
And it can also be a good idea to hide your system files and folders again, so you don't delete an important file by mistake. You do that in the same place where you set it to show all files; this time just choose: Do not show hidden files and folders.

It can also be a good idea to clean out your temporary files. That can be done quickly and easily with this file
www.spywareinfo.dk/download/cleantempxp2k.bat
---------------------------

To prevent a recurrence, I would recommend installing a few small programs that stop spyware from getting in in the first place. You'll find links and good advice here:
http://www.spywarefri.dk/manualer/sikkerhedspakke.htm

I would also suggest reading this article on how to avoid getting infected in the future:
http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=14414
wormsk8 (Beginner)
27 August 2006 - 16:00 #9
Thanks a lot, is there some way I can give you more points?
ejvindh (Expert)
27 August 2006 - 19:18 #10
You're welcome. And the point allocation is perfectly fine, so don't worry about it :-)