madworld (Beginner)
28 November 2006 - 18:03. There are 2 comments

Logs from MSN virus

FROM DR. WEB

dxcbho.dll    c:\programmer\deluxecommunications    Adware.Surfside   
dxclib303562752.dll    c:\windows\system32    Adware.Surfside   
dfndrff_e8.#xe    C:\    Adware.DollarRevenue    Renamed.
dfndrff_e9.#xe    C:\    Adware.DollarRevenue    Renamed.
kybrdff_e8.#xe    C:\    Adware.DollarRevenue    Renamed.
kybrdff_e9.#xe    C:\    Adware.DollarRevenue    Renamed.
nwnmff_e8.#xe    C:\    Adware.DollarRevenue    Renamed.
daA.tmp    C:\Documents and Settings\Frederik\Lokale indstillinger\Temp    Adware.Surfside    Renamed.
ErrorSafeFreeInstall_dk[1].exe    C:\Documents and Settings\Frederik\Lokale indstillinger\Temporary Internet Files\Content.IE5\GLQB8PQN    Trojan.DownLoader.10963    Deleted.
setup.exe    C:\Documents and Settings\Peter Bülow\Lokale indstillinger\Temp\NI.UWA6PK_0001_N91M2107    Trojan.Fakealert    Deleted.
ErrorSafeFreeInstall_dk[1].exe    C:\Documents and Settings\Peter Bülow\Lokale indstillinger\Temporary Internet Files\Content.IE5\A3KV1URY    Trojan.DownLoader.10963    Deleted.
DxcBho.dll    C:\Programmer\DeluxeCommunications    Adware.Surfside    Will be renamed after reboot.
DxcCore.dll    C:\Programmer\DeluxeCommunications    Adware.Surfside    Will be renamed after reboot.
A0021908.#xe    C:\System Volume Information\_restore{8951D6C3-1F86-4BB7-8013-138D3FF5A799}\RP230    Adware.DollarRevenue    Renamed.
A0021909.#xe    C:\System Volume Information\_restore{8951D6C3-1F86-4BB7-8013-138D3FF5A799}\RP230    Adware.DollarRevenue    Renamed.
A0021915.#xe    C:\System Volume Information\_restore{8951D6C3-1F86-4BB7-8013-138D3FF5A799}\RP230    Adware.DollarRevenue    Renamed.
A0021916.#xe    C:\System Volume Information\_restore{8951D6C3-1F86-4BB7-8013-138D3FF5A799}\RP230    Adware.DollarRevenue    Renamed.
A0021918.#xe    C:\System Volume Information\_restore{8951D6C3-1F86-4BB7-8013-138D3FF5A799}\RP230    Adware.DollarRevenue    Renamed.
A0021930.ocx    C:\System Volume Information\_restore{8951D6C3-1F86-4BB7-8013-138D3FF5A799}\RP230    Trojan.Isbar.439    Deleted.
A0023595.dll    C:\System Volume Information\_restore{8951D6C3-1F86-4BB7-8013-138D3FF5A799}\RP241    Adware.PrintView    Renamed.
A0034378.exe    C:\System Volume Information\_restore{8951D6C3-1F86-4BB7-8013-138D3FF5A799}\RP257    Trojan.DownLoader.6550    Deleted.
A0035523.exe    C:\System Volume Information\_restore{8951D6C3-1F86-4BB7-8013-138D3FF5A799}\RP261    Trojan.DownLoader.10963    Deleted.
A0035574.dll    C:\System Volume Information\_restore{8951D6C3-1F86-4BB7-8013-138D3FF5A799}\RP262    Adware.Surfside    Renamed.
A0035575.dll    C:\System Volume Information\_restore{8951D6C3-1F86-4BB7-8013-138D3FF5A799}\RP262    Adware.Surfside    Renamed.
dxclib303562752.dll    C:\WINDOWS\system32    Adware.Surfside    Will be renamed after reboot.



From HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 17:29:52, on 28-11-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\AntiVir PersonalEdition Classic\sched.exe
C:\Programmer\AntiVir PersonalEdition Classic\avguard.exe
C:\Programmer\ewido\security suite\ewidoctrl.exe
C:\Programmer\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\iTunes\iTunesHelper.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\Programmer\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programmer\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\sistray.exe
C:\Programmer\MediaKey\OSD.EXE
C:\Programmer\MediaKey\Versato.exe
C:\Documents and Settings\Frederik\Lokale indstillinger\Temporary Internet Files\Content.IE5\GHIJKLMN\hijackthis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dk.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.dk/0SEDADK/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\Windows Live Toolbar\msntb.dll
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~2\PRINTV~1\PRINTH~1.DLL (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [BearShare] "C:\Programmer\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [avgnt] "C:\Programmer\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WinampAgent] C:\Programmer\Winamp\winampa.exe
O4 - HKLM\..\Run: [PVModule] C:\Program Files\PrintView\pvmodule.exe
O4 - HKLM\..\Run: [uerscw] C:\Programmer\Error Safe Free\uerscw.exe -c
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: MediaKey.lnk = C:\Programmer\MediaKey\MagicRun.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Programmer\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Åbn på ny baggrundsfane - res://C:\Programmer\Windows Live Toolbar\Components\da-dk\msntabres.dll.mui/229?1d77b23e21824416aa914b6576f600c6
O8 - Extra context menu item: Åbn på ny forgrundsfane - res://C:\Programmer\Windows Live Toolbar\Components\da-dk\msntabres.dll.mui/230?1d77b23e21824416aa914b6576f600c6
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\gzdef.dll (file missing)
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\dlserver.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmer\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programmer\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmer\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe


From SUPERAntiSpyware


SUPERAntiSpyware Scan Log
Generated 11/28/2006 at 04:36 PM

Application Version : 3.3.1020

Core Rules Database Version : 3137
Trace Rules Database Version: 1154

Scan type      : Complete Scan
Total Scan Time : 00:04:58

Memory items scanned      : 365
Memory threats detected  : 3
Registry items scanned    : 4225
Registry threats detected : 17
File items scanned        : 1414
File threats detected    : 23

Adware.DeluxeCommunications
    C:\WINDOWS\SYSTEM32\DXCLIB303562752.DLL
    C:\WINDOWS\SYSTEM32\DXCLIB303562752.DLL
    C:\PROGRAMMER\DELUXECOMMUNICATIONS\DXCBHO.DLL
    C:\PROGRAMMER\DELUXECOMMUNICATIONS\DXCBHO.DLL
    C:\PROGRAMMER\DELUXECOMMUNICATIONS\DXCCORE.DLL
    C:\PROGRAMMER\DELUXECOMMUNICATIONS\DXCCORE.DLL
    HKLM\Software\Classes\CLSID\{A8BD6820-6ED7-423E-9558-2D1486B0FEEA}
    HKCR\CLSID\{A8BD6820-6ED7-423E-9558-2D1486B0FEEA}
    HKCR\CLSID\{A8BD6820-6ED7-423E-9558-2D1486B0FEEA}\InprocServer32
    HKCR\CLSID\{A8BD6820-6ED7-423E-9558-2D1486B0FEEA}\InprocServer32#ThreadingModel
    HKU\S-1-5-21-1957994488-1580818891-839522115-1005\Software\Microsoft\Internet Explorer\URLSearchHooks#{A8BD6820-6ED7-423E-9558-2D1486B0FEEA}
    HKLM\Software\Microsoft\Internet Explorer\URLSearchHooks#{A8BD6820-6ED7-423E-9558-2D1486B0FEEA}
    HKCR\CLSID\{A8BD6820-6ED7-423E-9558-2D1486B0FEEA}
    HKU\S-1-5-21-1957994488-1580818891-839522115-1005\Software\DeluxeCommunications
    HKLM\Software\DeluxeCommunications
    HKLM\Software\DeluxeCommunications\Internet Explorer
    HKLM\Software\DeluxeCommunications\Internet Explorer#PInfo
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DeluxeCommunications
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DeluxeCommunications#DisplayName
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DeluxeCommunications#UninstallString
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run#DeluxeCommunications [ C:\Programmer\DeluxeCommunications\Dxc.exe ]
    HKU\S-1-5-21-1957994488-1580818891-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Run#DeluxeCommunications [ C:\Programmer\DeluxeCommunications\Dxc.exe ]
    C:\Programmer\DeluxeCommunications\Dxc.exe
    C:\Programmer\DeluxeCommunications
    C:\WINDOWS\Prefetch\DXC.EXE-1A399A1F.pf

Adware.Tracking Cookie
    C:\Documents and Settings\Frederik\Cookies\frederik@new-pcp[1].txt
    C:\Documents and Settings\Frederik\Cookies\frederik@dxcdirect[2].txt
    C:\Documents and Settings\Frederik\Cookies\frederik@tradedoubler[2].txt
    C:\Documents and Settings\Frederik\Cookies\frederik@cgi-bin[1].txt
    C:\Documents and Settings\Frederik\Cookies\frederik@track.adform[1].txt
    C:\Documents and Settings\Frederik\Cookies\frederik@yourmedia[1].txt
    C:\Documents and Settings\Frederik\Cookies\frederik@adserver.banneradministration[2].txt
    C:\Documents and Settings\Frederik\Cookies\frederik@msnportal.112.2o7[1].txt
    C:\Documents and Settings\Frederik\Cookies\frederik@cpvfeed[2].txt
    C:\Documents and Settings\Frederik\Cookies\frederik@doubleclick[1].txt
    C:\Documents and Settings\Frederik\Cookies\frederik@pacificpoker[1].txt
    C:\Documents and Settings\Frederik\Cookies\frederik@atdmt[2].txt
    C:\Documents and Settings\Frederik\Cookies\frederik@www.pacificpoker[1].txt
    C:\Documents and Settings\Frederik\Cookies\frederik@stats1.reliablestats[2].txt
    C:\Documents and Settings\Frederik\Cookies\frederik@adtech[2].txt
    C:\Documents and Settings\Frederik\Cookies\frederik@mediaplex[1].txt
    C:\Documents and Settings\Frederik\Cookies\frederik@partypoker[1].txt

Browser Hijacker.Internet Explorer Settings Hijack
    HKU\S-1-5-21-1957994488-1580818891-839522115-1005\Software\Microsoft\Internet Explorer\Search\SearchAssistant Explorer\Main#Default_Search_URL [ http://searchbar.findthewebsiteyouneed.com ]

A thousand thanks in advance for the help, now that this has been annoying me for ages :)
levich (Beginner)
28 November 2006 - 19:19 #1
One moment, I'll take a look at it.
levich (Beginner)
28 November 2006 - 19:24 #2
Read all the steps before you do anything.

(1)
Download http://www.spywarefri.dk/downloads1/ewido-setup.exe (Ewido).
Install the program and update it, but wait before scanning.

Download: http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Double-click SmitfraudFix.zip, after which the program extracts itself to the folder smitRem.

(2)
Restart the computer in Safe Mode (press F8 as Windows starts up), and fix the following lines with HijackThis:
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~2\PRINTV~1\PRINTH~1.DLL (file missing)
O4 - HKLM\..\Run: [PVModule] C:\Program Files\PrintView\pvmodule.exe
O4 - HKLM\..\Run: [uerscw] C:\Programmer\Error Safe Free\uerscw.exe -c
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\gzdef.dll (file missing)
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\dlserver.dll (file missing)

(3)
Scan with Ewido, fix the items it finds and save the log, e.g. on the desktop.

(4)
Open the smitfraudfix folder, double-click smitfraudfix.cmd, choose option #2, and answer yes (=y) to cleaning infected files.
If you are asked to replace the file wininet.dll with another one, answer yes (=y).
If you are asked to restart the computer, restart it in Normal Mode.

(5)
If you have just restarted in Normal Mode, restart again in Safe Mode; otherwise not.
Open "My Computer"; in the menu, click Tools -> Folder Options -> View.
Remove the check marks at "Hide protected operating system files" and at "Hide extensions for known file types", and select "Show hidden files and folders". Remember to press the "Apply to All Folders" button instead of "OK".

Search for and delete the following file(s):
dxclib303562752.dll
C:\WINDOWS\system32\gzdef.dll
C:\WINDOWS\system32\dlserver.dll
... and the following folder(s):
C:\PROGRA~2\PRINTV~1\
C:\Program Files\PrintView\
C:\Programmer\Error Safe Free\

(6)
Start -> Run -> type "cleanmgr" -> delete Temporary Internet Files, the Recycle Bin and temporary files. Repeat for all your drives.

(7)
Restart the computer normally. Make a new log with HijackThis and post it here together with the log from Ewido.
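One way to automate the triage that the reply above does by hand, as an added Python example that is not from the thread or from any tool named in it: it reads a constructed subset of the HijackThis log posted in the question and flags entries whose target file is gone, AppInit_DLLs injections, and lines that match file or product names from the Dr.Web and SUPERAntiSpyware results. The indicator list and the flagging rules are this example's own assumptions; on the sample it recovers exactly the seven lines the reply tells the user to fix.

```python
import re

# Constructed subset of the HijackThis log posted in this thread.
HIJACKTHIS_LOG = r"""
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~2\PRINTV~1\PRINTH~1.DLL (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Programmer\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [PVModule] C:\Program Files\PrintView\pvmodule.exe
O4 - HKLM\..\Run: [uerscw] C:\Programmer\Error Safe Free\uerscw.exe -c
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\gzdef.dll (file missing)
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\dlserver.dll (file missing)
"""

# File names and detection/product names taken from the Dr.Web and
# SUPERAntiSpyware results in the thread (assumed indicator list).
AV_INDICATORS = ("dxclib303562752.dll", "dxcbho.dll", "dxccore.dll",
                 "deluxecommunications", "printview", "errorsafe")
# HijackThis marks registry entries whose target file no longer exists.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

def normalize(text):
    """Lower-case and strip whitespace so 'Error Safe Free' matches 'errorsafe'."""
    return re.sub(r"\s+", "", text.lower())

def triage_line(line):
    """Return the reasons one HijackThis line deserves attention (empty if none)."""
    reasons = []
    if any(marker in line for marker in ORPHAN_MARKERS):
        reasons.append("orphaned entry: registry points at a file that is gone")
    m = re.match(r"O20 - AppInit_DLLs:\s*(\S.*)", line)
    if m:  # a DLL listed here is loaded into every process that links user32.dll
        reasons.append("AppInit_DLLs injection: " + m.group(1))
    hits = [ind for ind in AV_INDICATORS if ind in normalize(line)]
    if hits:
        reasons.append("matches AV detection: " + ", ".join(hits))
    return reasons

def triage(log_text):
    """Return (line, reasons) for every suspicious line, in log order."""
    lines = (raw.strip() for raw in log_text.splitlines())
    return [(l, triage_line(l)) for l in lines if l and triage_line(l)]

if __name__ == "__main__":
    for line, reasons in triage(HIJACKTHIS_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```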