Stort virusproblem.

Tilføjelse:

Ved opstart i normal tilstand melder MS: Systemet er genoprettet efter en alvorlig fejl.

Jeg har også forsøgt at starte XP i sidste fungerende version (under F8 menuen). Men det hjælper ikke.

Jeg installerede opdateringer til XP for et par dage siden. Måske det har noget med sagen at gøre ?

http://www.eksperten.dk/artikler/954

Følg artiklen og kom med logfilerne ;)

Ok, jeg vender tilbage i løbet af 1½ time.

Tak.

Jeg har læst vejledningen og forstår ikke hvordag jeg skal installere og starte SAS og når PC'en går ned med det samme (dvs. ca. 1 minut efter opstart af XP).

Ny info.: Hvis jeg starter XP op uden at logge ind på nogen brugerkonti, så går PC'en også ned efter ca. 1 minut. Det virker som om det er XP der er noget galt med. Under tekniske oplysninger står der:

*** STOP: 0x0000008E (0xC0000005),0xEF313AF4,0xEEDD39EC,0x00000000)

Med mindre andre kommer med et bedre forslag prøver jeg med Windows Gen-inatallations CD til XP.

bare kom med en hijackthis log det er helt fint

Jeg har startet reparations CD. Jeg vender lige tilbage når den er færdig og jeg har forsøgt at genstarte. Der går ca. 20 min. fra nu.

Jeg har problemer med at sende HiJackThis filen men vil arbejde videre med det.

Jeg stopper dog for i dag - vender tilbage i morgen formiddag.

Det er bare iorden ;)

Jeg har nu fået PC'en op at køre uden at den slukker efter 1 min. Det var Gen-installation af Win XP der gjorde det muligt. Så vidt jag kan se er ingen data mistet.

fazli -> jeg vil nu følge din vejledning og er straks tilbage med yderligere information.

Det er bare iorden, du bestemmer tempoet ;)

Dr.Web har spurgt om den skal rename nogle filer. det har jeg sagt ja til. Det var c:\downloads\GoldMinerSetup-dm[1].exe og c:\downloads\mauiWoweeSetup-dm[1].exe.

DrWeb skanningen tager lang tid ... den er kun nået igennem 1/3.

Tak for din tålmodighed :-)

Bare lad Dr. Web gøre det den forslår ;)

Og det er jo mit "job" at hjælpe dig til en ren computer ;)

Dr.Web: 70% færdig

Så er SAS startet med skanning.

ok

Da SAS er færdig klikker jeg OK og så kommer "SAS - Detect and remove Harmful software". Der er en række "items" og jeg kan vælge mellem knapperne "Trust/allow items", "Manage allowed items", "Report False Positive.." eller "Explain detected items"

Hvad skal jeg vælge her ?

Pga. skærmopløsningen i Safemode kunne jeg ikke se "næste ->" knappen. Se derfor bort fra ovenstående spørgsmål.

iorden ;)

Hermed SUPERAtniSpyware Scan Log:

SUPERAntiSpyware Scan Log
Generated 09/17/2006 at 01:41 PM

Core Rules Database Version : 0
Trace Rules Database Version: 0

Memory threats detected  : 0
Registry threats detected : 4
File threats detected    : 16

Adware.AlfaCleaner
    C:\WINDOWS\warnhp.html

Trojan.SpySheriff
    c:\secure32.html

Trojan.SpyFalcon
    C:\WINDOWS\system32\oleext.dll

Trojan.Malware
    HKCR\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}
    HKCR\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}#IT
    HKCR\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}#Bin
    HKCR\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}#NoE

Adware.Tracking Cookie
    C:\Documents and Settings\Emma\Cookies\emma@ad.cibleclick[2].txt
    C:\Documents and Settings\Emma\Cookies\emma@ad.msn.co[1].txt
    C:\Documents and Settings\Emma\Cookies\emma@adbrite[1].txt
    C:\Documents and Settings\Emma\Cookies\emma@adfair[2].txt
    C:\Documents and Settings\Emma\Cookies\emma@ads.arto[1].txt
    C:\Documents and Settings\Emma\Cookies\emma@atwola[1].txt
    C:\Documents and Settings\Emma\Cookies\emma@indextools[2].txt
    C:\Documents and Settings\Emma\Cookies\emma@popularscreensavers[2].txt
    C:\Documents and Settings\Emma\Cookies\emma@stat.www[1].txt
    C:\Documents and Settings\Emma\Cookies\emma@toplist[2].txt
    C:\Documents and Settings\Emma\Cookies\emma@track.adform[1].txt
    C:\Documents and Settings\Emma\Cookies\emma@xiti[1].txt
    C:\Documents and Settings\Emma\Cookies\emma@yadro[2].txt

Jeg kan se der er en del Cookies under brugeren "Emma". Har hendes brug/accept af cookies noget med sikkerhed at gøre ?

Hvad med Hijackthis log?

"Jeg kan se der er en del Cookies under brugeren "Emma". Har hendes brug/accept af cookies noget med sikkerhed at gøre ?"

En lille smule men der er noget meget større som skal fixes først ;)

DrWeb.CSV ser således ud:

"bikini.exe;C:\WINDOWS\System32;Trojan.LowZones.174;Deleted.;"
"6b5d4608.exe;C:\WINDOWS\System32;Trojan.DownLoader.based;Deleted.;"
"intell321.exe;C:\WINDOWS\System32;Trojan.Fakealert;Deleted.;"
"idersrvc.sys;C:\WINDOWS\System32;Trojan.PWS.GoldSpy;Deleted.;"
"awcqywdq.exe;C:\;Trojan.Click.1050;Deleted.;"
"ej.exe;C:\;Trojan.LowZones.174;Deleted.;"
"tpjtsip.exe;C:\;Trojan.DownLoader.based;Deleted.;"
"6b5d4608.exe;C:\Documents and Settings\Emma\Lokale indstillinger\Application Data;Trojan.DownLoader.based;Deleted.;"
"BlackBox.class-7fe6e43c-74a705dd.class;C:\Documents and Settings\Jan Pietraszek\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file;Exploit.ByteVerify;Deleted.;"
"Dummy.class-649054b4-671fbb9f.class;C:\Documents and Settings\Jan Pietraszek\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file;Trojan.NoCheat.240;Deleted.;"
"Dummy.class-d529bee-77cbce63.class;C:\Documents and Settings\Jan Pietraszek\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file;Trojan.NoCheat.240;Deleted.;"
"VerifierBug.class-4b2a5f44-539e909c.class;C:\Documents and Settings\Jan Pietraszek\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file;Exploit.ByteVerify;Deleted.;"
"VerifierBug.class-57911cca-48709933.class;C:\Documents and Settings\Jan Pietraszek\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file;Exploit.ByteVerify;Deleted.;"
"6b5d4608.exe;C:\Documents and Settings\Jan Pietraszek\Lokale indstillinger\Application Data;Trojan.DownLoader.based;Deleted.;"
"6b5d4608.exe;C:\Documents and Settings\Lotte Pietraszek\Lokale indstillinger\Application Data;Trojan.DownLoader.based;Deleted.;"
"6b5d4608.exe;C:\Documents and Settings\O\Lokale indstillinger\Application Data;Trojan.DownLoader.based;Deleted.;"
"GoldMinerSetup-dm[1].exe;C:\Downloads;Adware.TryMedia;Renamed.;"
"MauiWoweeSetup-dm[1].exe;C:\Downloads;Adware.TryMedia;Renamed.;"
"A0000012.exe;C:\System Volume Information\_restore{8B8967CB-CFD7-4068-A2A2-720D4D4CCD9E}\RP0;Trojan.DownLoader.based;Deleted.;"
"A0000032.dll;C:\System Volume Information\_restore{8B8967CB-CFD7-4068-A2A2-720D4D4CCD9E}\RP1;Trojan.Fakealert;Deleted.;"
"A0000045.exe;C:\System Volume Information\_restore{8B8967CB-CFD7-4068-A2A2-720D4D4CCD9E}\RP1;Trojan.Fakealert;Deleted.;"
"A0000210.exe;C:\System Volume Information\_restore{8B8967CB-CFD7-4068-A2A2-720D4D4CCD9E}\RP1;Trojan.DownLoader.based;Deleted.;"
"A0000228.exe;C:\System Volume Information\_restore{8B8967CB-CFD7-4068-A2A2-720D4D4CCD9E}\RP2;Trojan.DownLoader.based;Deleted.;"
"A0000232.exe;C:\System Volume Information\_restore{8B8967CB-CFD7-4068-A2A2-720D4D4CCD9E}\RP2;Trojan.LowZones.174;Deleted.;"
"A0000233.exe;C:\System Volume Information\_restore{8B8967CB-CFD7-4068-A2A2-720D4D4CCD9E}\RP2;Trojan.DownLoader.based;Deleted.;"
"A0000234.exe;C:\System Volume Information\_restore{8B8967CB-CFD7-4068-A2A2-720D4D4CCD9E}\RP2;Trojan.Fakealert;Deleted.;"
"A0000235.sys;C:\System Volume Information\_restore{8B8967CB-CFD7-4068-A2A2-720D4D4CCD9E}\RP2;Trojan.PWS.GoldSpy;Deleted.;"
"A0000236.exe;C:\System Volume Information\_restore{8B8967CB-CFD7-4068-A2A2-720D4D4CCD9E}\RP2;Trojan.Click.1050;Deleted.;"
"A0000237.exe;C:\System Volume Information\_restore{8B8967CB-CFD7-4068-A2A2-720D4D4CCD9E}\RP2;Trojan.LowZones.174;Deleted.;"
"A0000238.exe;C:\System Volume Information\_restore{8B8967CB-CFD7-4068-A2A2-720D4D4CCD9E}\RP2;Trojan.DownLoader.based;Deleted.;"
"A0000239.exe;C:\System Volume Information\_restore{8B8967CB-CFD7-4068-A2A2-720D4D4CCD9E}\RP2;Trojan.DownLoader.based;Deleted.;"
"A0000240.exe;C:\System Volume Information\_restore{8B8967CB-CFD7-4068-A2A2-720D4D4CCD9E}\RP2;Trojan.DownLoader.based;Deleted.;"
"A0000241.exe;C:\System Volume Information\_restore{8B8967CB-CFD7-4068-A2A2-720D4D4CCD9E}\RP2;Trojan.DownLoader.based;Deleted.;"
"A0000242.exe;C:\System Volume Information\_restore{8B8967CB-CFD7-4068-A2A2-720D4D4CCD9E}\RP2;Trojan.DownLoader.based;Deleted.;"
"A0000243.exe;C:\System Volume Information\_restore{8B8967CB-CFD7-4068-A2A2-720D4D4CCD9E}\RP2;Adware.TryMedia;Renamed.;"
"A0000244.exe;C:\System Volume Information\_restore{8B8967CB-CFD7-4068-A2A2-720D4D4CCD9E}\RP2;Adware.TryMedia;Renamed.;"
"uninstDsk.exe;C:\WINDOWS;Trojan.Fakealert;Deleted.;"
"oleext.dll;C:\WINDOWS\SYSTEM32;Trojan.Fakealert;Will be cured after reboot.;"
"wininet.dll;C:\WINDOWS\SYSTEM32;Trojan.DownLoader.2636;Will be cured after reboot.;"
"wininet.dll.mwt;C:\WINDOWS\SYSTEM32;Trojan.DownLoader.2636;Cured.;"
"{AD52024E-6C77-4883-8E79-1C457B0A9D8E}.exe;C:\WINDOWS\SYSTEM32;Trojan.DownLoader.10747;Deleted.;"
"{B1B61571-9392-4EF5-A3E7-AF82D6980842}.exe;C:\WINDOWS\SYSTEM32;Trojan.Raze;Deleted.;"

Hijackthis loggen er den på vej eller?

Ja, den kommer som nr. 3 om 30sek. Følger pænt din gode vejledning ;-)

HiJackThisLog :

Logfile of HijackThis v1.99.1
Scan saved at 14:26:50, on 17-09-2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\acs.exe
C:\Programmer\VeriSign\NAVI\naviagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programmer\Dell\Media Experience\PCMService.exe
C:\Programmer\Java\j2re1.4.2_04\bin\jusched.exe
C:\Programmer\QuickTime\qttask.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\FÆLLES~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmer\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\SMC\SMCWPCI-G 54Mbps Wireless PCI adapter\Monitor.exe
C:\Programmer\Microsoft Office\Office\1030\OLFSNT40.EXE
C:\Programmer\SpywareGuard\sgmain.exe
C:\Programmer\SpywareGuard\sgbhp.exe
C:\dummy\S\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.megetlet.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: i-Nav IDN SearchHook - {CE000994-A58C-4441-8938-744CD72AB27F} - C:\Programmer\VeriSign\i-Nav\i-nav_4_2_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: LastWinDet Class - {1201333E-BAD9-481C-BCF5-6904498CF85B} - C:\Programmer\UnH Solutions\IE Privacy Keeper\IEPKbho.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programmer\SpywareGuard\dlprotect.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: i-Nav IDN Resolver - {CE000992-A58C-4441-8938-744CD72AB27F} - C:\Programmer\VeriSign\i-Nav\i-nav_4_2_1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Programmer\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RIS2PostReboot] C:\Programmer\LEGO MINDSTORMS\RIS 2.0\LaunchRIS2.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [SysTray] c:\Program Files\ryads.exe
O4 - HKLM\..\Run: [f6d8662.exe] C:\WINDOWS\System32\f6d8662.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] C:\Programmer\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [IE Privacy Keeper] "C:\Programmer\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" -stcleanup
O4 - HKCU\..\Run: [6b5d4608.exe] C:\Documents and Settings\Jan Pietraszek\Lokale indstillinger\Application Data\6b5d4608.exe
O4 - HKCU\..\Run: [f6d8662.exe] C:\Documents and Settings\Jan Pietraszek\Lokale indstillinger\Application Data\f6d8662.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: SpywareGuard.lnk = C:\Programmer\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SMCWPCI-G 54Mbps Wireless PCI adapter.lnk = C:\Programmer\SMC\SMCWPCI-G 54Mbps Wireless PCI adapter\Monitor.exe
O4 - Global Startup: Symantec WinFax Starter Port.lnk = C:\Programmer\Microsoft Office\Office\1030\OLFSNT40.EXE
O8 - Extra context menu item: Download all by Net Transport - C:\Programmer\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Programmer\Xi\NetTransport 2\NTAddLink.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: i-Nav Hjælp - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)
O9 - Extra 'Tools' menuitem: i-Nav Hjælp - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)
O9 - Extra button: (no name) - {CE000996-A58C-4441-8938-744CD72AB27F} - C:\Programmer\VeriSign\i-Nav\i-nav_4_2_1.dll
O9 - Extra 'Tools' menuitem: i-Nav Indstillinger - {CE000996-A58C-4441-8938-744CD72AB27F} - C:\Programmer\VeriSign\i-Nav\i-nav_4_2_1.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140759886500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142102253953
O16 - DPF: {83229950-AD1D-4B94-8304-F56E95AFACF7} (CSurgientTerminal Object) - http://labview.ni.demoservers.com/proxy/srdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{788CBC5F-FDC3-4D4D-BC1E-110107154DFE}: NameServer = 85.255.116.164,85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B04C899-3F53-4303-9A3A-D541AD3B53A2}: NameServer = 85.255.116.164,85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE37CBE2-B57A-4E9F-A0FC-1CF847890D79}: NameServer = 85.255.116.164,85.255.112.112
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.164 85.255.112.112
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.116.164 85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.164 85.255.112.112
O20 - Winlogon Notify: ideusr50 - ideusr50.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\SYSTEM32\acs.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: VeriSign Updater (navi) - VeriSign, Inc. - C:\Programmer\VeriSign\NAVI\naviagent.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programmer\Sygate\SPF\smc.exe

Okay det lyder helt fint.. Når den kommer vil jeg prøve at mikse en renselse sammen hurtigt så du ikke behøver at vente.. der er nemlig ret meget som skal renses

Fornemt - jeg følger trop.

Det må jeg nok sige, Nogle slemme infektioner du har fået der ..

Hent haxfix, og gem den på skrivebordet:
http://users.telenet.be/marcvn/tools/haxfix.exe

Dobbeltklik på haxfix.exe og installér haxfix (standard installations-stien er c:\programmer\haxfix eller c:\program files\haxfix). Når installationen er færdig, skal du sikre dig, at der er flueben i "Launch HaxFix". Klik på "Finish"

Et rødt dos-vindue vil åbne, med følgende muligheder:
1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix

Vælg option 2 ved at taste 2, og trykke Enter. Hvis der findes en infektion, vil du få besked på at lukke alle åbne vinduer. Gør dette (undtaget haxfix-vinduet selv). Tast Enter. Computeren vil nu genstarte. Efter genstarten vil en logfil åbne  (c:\haxfix.txt). Indholdet af denne log, må du gerne lægge herind, sammen med en ny HijackThis log.


Hent Smitfraudfix:
http://www.bleepingcomputer.com/resources/link243.html
Udpak det og Åbn mappen SmitfraudFix som du fik på Skrivebordet, og dobbeltklik på SmitfraudFix.cmd og tast 2 - svar ja til at rense (y=yes). Lad programmet gennemføre en rensning. Det vil også checke om systemfilen wininet.dll er inficeret. Hvis den er det, vil du blive bedt om tilladelse til at erstatte den med en anden. Her skal du vælge "Yes", ved at taste "y".

Programmet bliver muligvis nødt til at genstarte undervejs. Herefter vil der dukke en liste med resultaterne af rensningen op . Kopiér denne liste ind i tråden.

Hent Fixwareout:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Gem filen på dit Skrivebord og dobbeltklik på den. Klik Next -> Install og check, at der er et flueben i "Run fixit" - klik herefter på Finish. Fixet vil nu starte, og du skal blot følge instruktionerne. Du vil blive bedt om at genstarte din computer - gør venligst det. Genstarten vil tage lidt længere tid end normalt
Når dit skrivebord er loadet skal du Kopiere indholdet af C:\fixwareout\report.txt ind i dit spørgsmål sammen med en frisk HijackThis log.

Åbn Hijackthis og sæt et flueben ved disse linier:

R3 - URLSearchHook: i-Nav IDN SearchHook - {CE000994-A58C-4441-8938-744CD72AB27F} - C:\Programmer\VeriSign\i-Nav\i-nav_4_2_1.dll
O4 - HKLM\..\Run: [f6d8662.exe] C:\WINDOWS\System32\f6d8662.exe
O4 - HKCU\..\Run: [6b5d4608.exe] C:\Documents and Settings\Jan Pietraszek\Lokale indstillinger\Application Data\6b5d4608.exe
O4 - HKCU\..\Run: [f6d8662.exe] C:\Documents and Settings\Jan Pietraszek\Lokale indstillinger\Application Data\f6d8662.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{788CBC5F-FDC3-4D4D-BC1E-110107154DFE}: NameServer = 85.255.116.164,85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B04C899-3F53-4303-9A3A-D541AD3B53A2}: NameServer = 85.255.116.164,85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE37CBE2-B57A-4E9F-A0FC-1CF847890D79}: NameServer = 85.255.116.164,85.255.112.112
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.164 85.255.112.112
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.116.164 85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.164 85.255.112.112
O20 - Winlogon Notify: ideusr50 - ideusr50.dll (file missing)

Luk alle vinduer og browsere undtagen HijackThis og klik Fix checked

Genstart

Find og slet disse mapper/filer:
C:\WINDOWS\System32\f6d8662.exe < Filen
C:\Documents and Settings\Jan Pietraszek\Lokale indstillinger\Application Data\6b5d4608.exe < Filen
C:\Documents and Settings\Jan Pietraszek\Lokale indstillinger\Application Data\f6d8662.exe < Filen

Genstart og kom med følgende logfiler:
Hijackthis
Loggen fra HaxFix kan findes her: (c:\haxfix.txt)
Loggen fra smitfraudfix kan findes her: (c:\rapport.txt)
Loggen fra Fixwareout kan findes her: (C:\fixwareout\report.txt)

Det var det jeg kunne mikse sammen på 10 minutter :)

Bliver udført med det samme.

Jeg får fejl fra HaxFix. Fejl: The setup files are corrupted. Please obtain a new copy of the program.

Nyt HaxFix link:
http://download.bleepingcomputer.com/marckie/haxfix.exe

Prøv så i fejlsikret tilstand. hvis du stadig for fejl så fortsæt med resten af instrukserne

Jeg prøvede en gang til og denne gang meldte den ikke fejl.

HaxFix:

HAXFIX logfile - by Marckie
--------------
version 4.17
17-09-2006  14:59:02,71

--- Auto Haxdoorfix ---


searching for files:

no infections found


--- Goldunfix ---


searching for files:

searching for notifykeys:
ideusr50

searching for services:
idersrvc


deleting service idersrvc
[SWSC] DeleteService SUCCESS


.....rebooting the computer..... 


searching for notifykeys

notifykey ideusr50 not found


searching for services

service idersrvc not found


searching for safeboot services

not needed 


searching for files

ideusr50.dll exists 
deleting ideusr50.dll
ideusr50.dll has been deleted

idersrvc.sys exists 
deleting idersrvc.sys
idersrvc.sys has been deleted


checking for other files

ksl48.bin exists 
deleting ksl48.bin
ksl48.bin has been deleted


checking for a3d files

no a3d files found


Finished

HiJackThis:

Logfile of HijackThis v1.99.1
Scan saved at 15:05:11, on 17-09-2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\acs.exe
C:\Programmer\VeriSign\NAVI\naviagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe
C:\Programmer\Dell\Media Experience\PCMService.exe
C:\Programmer\Java\j2re1.4.2_04\bin\jusched.exe
C:\Programmer\QuickTime\qttask.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\PROGRA~1\FÆLLES~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Programmer\Valve\Steam\Steam.exe
C:\Programmer\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmer\SMC\SMCWPCI-G 54Mbps Wireless PCI adapter\Monitor.exe
C:\Programmer\Microsoft Office\Office\1030\OLFSNT40.EXE
C:\Programmer\SpywareGuard\sgmain.exe
C:\Programmer\SpywareGuard\sgbhp.exe
C:\dummy\S\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.megetlet.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: i-Nav IDN SearchHook - {CE000994-A58C-4441-8938-744CD72AB27F} - C:\Programmer\VeriSign\i-Nav\i-nav_4_2_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: LastWinDet Class - {1201333E-BAD9-481C-BCF5-6904498CF85B} - C:\Programmer\UnH Solutions\IE Privacy Keeper\IEPKbho.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programmer\SpywareGuard\dlprotect.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: i-Nav IDN Resolver - {CE000992-A58C-4441-8938-744CD72AB27F} - C:\Programmer\VeriSign\i-Nav\i-nav_4_2_1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Programmer\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RIS2PostReboot] C:\Programmer\LEGO MINDSTORMS\RIS 2.0\LaunchRIS2.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [SysTray] c:\Program Files\ryads.exe
O4 - HKLM\..\Run: [f6d8662.exe] C:\WINDOWS\System32\f6d8662.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] C:\Programmer\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [IE Privacy Keeper] "C:\Programmer\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" -stcleanup
O4 - HKCU\..\Run: [6b5d4608.exe] C:\Documents and Settings\Jan Pietraszek\Lokale indstillinger\Application Data\6b5d4608.exe
O4 - HKCU\..\Run: [f6d8662.exe] C:\Documents and Settings\Jan Pietraszek\Lokale indstillinger\Application Data\f6d8662.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: SpywareGuard.lnk = C:\Programmer\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SMCWPCI-G 54Mbps Wireless PCI adapter.lnk = C:\Programmer\SMC\SMCWPCI-G 54Mbps Wireless PCI adapter\Monitor.exe
O4 - Global Startup: Symantec WinFax Starter Port.lnk = C:\Programmer\Microsoft Office\Office\1030\OLFSNT40.EXE
O8 - Extra context menu item: Download all by Net Transport - C:\Programmer\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Programmer\Xi\NetTransport 2\NTAddLink.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: i-Nav Hjælp - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)
O9 - Extra 'Tools' menuitem: i-Nav Hjælp - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)
O9 - Extra button: (no name) - {CE000996-A58C-4441-8938-744CD72AB27F} - C:\Programmer\VeriSign\i-Nav\i-nav_4_2_1.dll
O9 - Extra 'Tools' menuitem: i-Nav Indstillinger - {CE000996-A58C-4441-8938-744CD72AB27F} - C:\Programmer\VeriSign\i-Nav\i-nav_4_2_1.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140759886500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142102253953
O16 - DPF: {83229950-AD1D-4B94-8304-F56E95AFACF7} (CSurgientTerminal Object) - http://labview.ni.demoservers.com/proxy/srdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{788CBC5F-FDC3-4D4D-BC1E-110107154DFE}: NameServer = 85.255.116.164,85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B04C899-3F53-4303-9A3A-D541AD3B53A2}: NameServer = 85.255.116.164,85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE37CBE2-B57A-4E9F-A0FC-1CF847890D79}: NameServer = 85.255.116.164,85.255.112.112
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.164 85.255.112.112
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.116.164 85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.164 85.255.112.112
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\SYSTEM32\acs.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: VeriSign Updater (navi) - VeriSign, Inc. - C:\Programmer\VeriSign\NAVI\naviagent.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programmer\Sygate\SPF\smc.exe

Og så arbejder jeg lige videre med de andre ting.

Smitfraudfix:

SmitFraudFix v2.90

Scan done at 15:12:07,68, 17-09-2006
Run from C:\dummy\S\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\toolbar.exe Deleted
C:\Documents and Settings\LocalService\Application Data\AlfaCleaner Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Rapport fra FixWareOut:


Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ypszr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\daolnwodi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\onisacputes
...

Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

HiJackThis:

Logfile of HijackThis v1.99.1
Scan saved at 15:27:22, on 17-09-2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\acs.exe
C:\Programmer\VeriSign\NAVI\naviagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe
C:\Programmer\Dell\Media Experience\PCMService.exe
C:\Programmer\Java\j2re1.4.2_04\bin\jusched.exe
C:\Programmer\QuickTime\qttask.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\FÆLLES~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmer\Valve\Steam\Steam.exe
C:\Programmer\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmer\SMC\SMCWPCI-G 54Mbps Wireless PCI adapter\Monitor.exe
C:\Programmer\Microsoft Office\Office\1030\OLFSNT40.EXE
C:\Programmer\SpywareGuard\sgmain.exe
C:\Programmer\SpywareGuard\sgbhp.exe
C:\dummy\S\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: i-Nav IDN SearchHook - {CE000994-A58C-4441-8938-744CD72AB27F} - C:\Programmer\VeriSign\i-Nav\i-nav_4_2_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: LastWinDet Class - {1201333E-BAD9-481C-BCF5-6904498CF85B} - C:\Programmer\UnH Solutions\IE Privacy Keeper\IEPKbho.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programmer\SpywareGuard\dlprotect.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: i-Nav IDN Resolver - {CE000992-A58C-4441-8938-744CD72AB27F} - C:\Programmer\VeriSign\i-Nav\i-nav_4_2_1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Programmer\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RIS2PostReboot] C:\Programmer\LEGO MINDSTORMS\RIS 2.0\LaunchRIS2.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [f6d8662.exe] C:\WINDOWS\System32\f6d8662.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] C:\Programmer\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [IE Privacy Keeper] "C:\Programmer\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" -stcleanup
O4 - HKCU\..\Run: [6b5d4608.exe] C:\Documents and Settings\Jan Pietraszek\Lokale indstillinger\Application Data\6b5d4608.exe
O4 - HKCU\..\Run: [f6d8662.exe] C:\Documents and Settings\Jan Pietraszek\Lokale indstillinger\Application Data\f6d8662.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: SpywareGuard.lnk = C:\Programmer\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SMCWPCI-G 54Mbps Wireless PCI adapter.lnk = C:\Programmer\SMC\SMCWPCI-G 54Mbps Wireless PCI adapter\Monitor.exe
O4 - Global Startup: Symantec WinFax Starter Port.lnk = C:\Programmer\Microsoft Office\Office\1030\OLFSNT40.EXE
O8 - Extra context menu item: Download all by Net Transport - C:\Programmer\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Programmer\Xi\NetTransport 2\NTAddLink.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: i-Nav Hjælp - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)
O9 - Extra 'Tools' menuitem: i-Nav Hjælp - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)
O9 - Extra button: (no name) - {CE000996-A58C-4441-8938-744CD72AB27F} - C:\Programmer\VeriSign\i-Nav\i-nav_4_2_1.dll
O9 - Extra 'Tools' menuitem: i-Nav Indstillinger - {CE000996-A58C-4441-8938-744CD72AB27F} - C:\Programmer\VeriSign\i-Nav\i-nav_4_2_1.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140759886500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142102253953
O16 - DPF: {83229950-AD1D-4B94-8304-F56E95AFACF7} (CSurgientTerminal Object) - http://labview.ni.demoservers.com/proxy/srdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{788CBC5F-FDC3-4D4D-BC1E-110107154DFE}: NameServer = 85.255.116.164,85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B04C899-3F53-4303-9A3A-D541AD3B53A2}: NameServer = 85.255.116.164,85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE37CBE2-B57A-4E9F-A0FC-1CF847890D79}: NameServer = 85.255.116.164,85.255.112.112
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.164 85.255.112.112
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.116.164 85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.164 85.255.112.112
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\SYSTEM32\acs.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: VeriSign Updater (navi) - VeriSign, Inc. - C:\Programmer\VeriSign\NAVI\naviagent.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programmer\Sygate\SPF\smc.exe

Til sidst skriver du følgende:
"
Genstart og kom med følgende logfiler:
Hijackthis
Loggen fra HaxFix kan findes her: (c:\haxfix.txt)
Loggen fra smitfraudfix kan findes her: (c:\rapport.txt)
Loggen fra Fixwareout kan findes her: (C:\fixwareout\report.txt)
"
skal jeg køre programmerne igen for at generere disse filer ?

Disse filer eksisterer ikke:

C:\WINDOWS\System32\f6d8662.exe < Filen
C:\Documents and Settings\Jan Pietraszek\Lokale indstillinger\Application Data\6b5d4608.exe < Filen
C:\Documents and Settings\Jan Pietraszek\Lokale indstillinger\Application Data\f6d8662.exe < Filen

Der er en mappe der hedder C:\Documents and Settings\Jan Pietraszek\Application Data\*.* men her er filen ikke

Du skulle ikke køre programmerne igen men det er ligemeget..

Jeg vil dog lige sige at programmerne har gjort et fantastisk godt arbejde lad os lige nappe det sidste med Hijackthis ;)

Genstart i fejlsikret tilstand (F8 under opstart)

Åbn Hijackthis og sæt et flueben ved disse linier:

R3 - URLSearchHook: i-Nav IDN SearchHook - {CE000994-A58C-4441-8938-744CD72AB27F} - C:\Programmer\VeriSign\i-Nav\i-nav_4_2_1.dll
O4 - HKLM\..\Run: [f6d8662.exe] C:\WINDOWS\System32\f6d8662.exe
O4 - HKCU\..\Run: [6b5d4608.exe] C:\Documents and Settings\Jan Pietraszek\Lokale indstillinger\Application Data\6b5d4608.exe
O4 - HKCU\..\Run: [f6d8662.exe] C:\Documents and Settings\Jan Pietraszek\Lokale indstillinger\Application Data\f6d8662.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{788CBC5F-FDC3-4D4D-BC1E-110107154DFE}: NameServer = 85.255.116.164,85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B04C899-3F53-4303-9A3A-D541AD3B53A2}: NameServer = 85.255.116.164,85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE37CBE2-B57A-4E9F-A0FC-1CF847890D79}: NameServer = 85.255.116.164,85.255.112.112
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.164 85.255.112.112
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.116.164 85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.164 85.255.112.112
O20 - Winlogon Notify: ideusr50 - ideusr50.dll (file missing)

Luk alle vinduer og browsere undtagen HijackThis og klik på "Fix checked"

Genstart og kom med en ny Hijackthislog ;)

Nå ... ok ... jeg var ved at generere nye logfiler. Det dropper jeg og gør som du skriver herover.

Ja :)

Husk at sætte flueben ved de linier jeg har sagt du skal gøre ;)

Selvfølgelig ....

R3 eksisterer ikke
De 3 stk. O4 eksisterer ikke
Der eksisterer slet ingen O17
O20 eksister ikke - det gjorde den heller ikke i sidste HiJackThis-Log

Ny HiJackThis kommer om lidt.

Dvs. der er ikke udført nogen FIX denne gang.

Det er jo kun gode nyheder ;)

HiJackThis:

Logfile of HijackThis v1.99.1
Scan saved at 16:22:25, on 17-09-2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\acs.exe
C:\Programmer\VeriSign\NAVI\naviagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe
C:\Programmer\Dell\Media Experience\PCMService.exe
C:\Programmer\Java\j2re1.4.2_04\bin\jusched.exe
C:\Programmer\QuickTime\qttask.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\FÆLLES~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmer\Valve\Steam\Steam.exe
C:\Programmer\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programmer\SMC\SMCWPCI-G 54Mbps Wireless PCI adapter\Monitor.exe
C:\Programmer\Microsoft Office\Office\1030\OLFSNT40.EXE
C:\Programmer\SpywareGuard\sgmain.exe
C:\Programmer\SpywareGuard\sgbhp.exe
C:\dummy\S\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: i-Nav IDN SearchHook - {CE000994-A58C-4441-8938-744CD72AB27F} - C:\Programmer\VeriSign\i-Nav\i-nav_4_2_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: LastWinDet Class - {1201333E-BAD9-481C-BCF5-6904498CF85B} - C:\Programmer\UnH Solutions\IE Privacy Keeper\IEPKbho.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programmer\SpywareGuard\dlprotect.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: i-Nav IDN Resolver - {CE000992-A58C-4441-8938-744CD72AB27F} - C:\Programmer\VeriSign\i-Nav\i-nav_4_2_1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Programmer\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RIS2PostReboot] C:\Programmer\LEGO MINDSTORMS\RIS 2.0\LaunchRIS2.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] C:\Programmer\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [IE Privacy Keeper] "C:\Programmer\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" -stcleanup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: SpywareGuard.lnk = C:\Programmer\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SMCWPCI-G 54Mbps Wireless PCI adapter.lnk = C:\Programmer\SMC\SMCWPCI-G 54Mbps Wireless PCI adapter\Monitor.exe
O4 - Global Startup: Symantec WinFax Starter Port.lnk = C:\Programmer\Microsoft Office\Office\1030\OLFSNT40.EXE
O8 - Extra context menu item: Download all by Net Transport - C:\Programmer\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Programmer\Xi\NetTransport 2\NTAddLink.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: i-Nav Hjælp - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)
O9 - Extra 'Tools' menuitem: i-Nav Hjælp - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)
O9 - Extra button: (no name) - {CE000996-A58C-4441-8938-744CD72AB27F} - C:\Programmer\VeriSign\i-Nav\i-nav_4_2_1.dll
O9 - Extra 'Tools' menuitem: i-Nav Indstillinger - {CE000996-A58C-4441-8938-744CD72AB27F} - C:\Programmer\VeriSign\i-Nav\i-nav_4_2_1.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140759886500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142102253953
O16 - DPF: {83229950-AD1D-4B94-8304-F56E95AFACF7} (CSurgientTerminal Object) - http://labview.ni.demoservers.com/proxy/srdp.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\SYSTEM32\acs.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: VeriSign Updater (navi) - VeriSign, Inc. - C:\Programmer\VeriSign\NAVI\naviagent.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programmer\Sygate\SPF\smc.exe

Super !!!

Hvordan kører din computer?

ØØØØHHHHH nu ville jeg ind under Kontrolpanelet i XP, men der kan PC'en ikke. Den melder "Active Desktop Recovery". Der opstod en uventet fejl. Som sikkerhedsforanstaltning er Sctive  desktop blevet slået fra midlertidigt.

Skal jeg slå active desktop fra ?

Eller skal jeg gendanne Active desktop ?

Jeg vil forslå at du skal gendanne den..

Og jeg forslår også du prøver CCleaner:
http://www.spywarefri.dk/manualer/ccleaner-manual.htm

Har du flere problemer? med hensyn til virus?

Jeg troede det var et virusproblem.

Nej, jeg har ikke flere problemer. PC'en kører fint nu. Mange tak skal du ha'.

Jeg skal også have analyseret min bærbare PC en aften næste uge. Hvis du har tid og lyst må du meget gerne nævne et tidspunkt.

Det var et slemt virus problem ;)

Du kan da bare sende mig en mail ;)

warp@bluebottle.com

;)

Jeg vil lige forslå at du skal opdatere dit windows til service pack 2 ;)

Arbejder du prof. med dette ?

Nej det er min hobby :)

For 1 år siden var jeg en virusramt men nu hjælper jeg bare folk

Ja, min overskrift passede ;-)

Stor respekt for folk som dig der vil hjælpe ander ...

Ha' en god aften.

Tak og i ligemåde :)