Pyware på computer

... du bør nok ikke skrive logfilen med hvid tekst på hvid bund ????

Det går også laaaaaangsom med at vende tilbage til dine tidl. spm. -> http://www.eksperten.dk/list.phtml?sort=&order=DESC&status_1=on&status_2=on&spm_creator=0123&spm_part=&spm_answer=&find=&engine=exp ???

(Det HAR du vist fået at vide før *S*)

Logfile of HijackThis v1.99.1
Scan saved at 23:00:32, on 12-08-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Programmer\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Programmer\Internet Explorer\iexplore.exe
C:\Documents and Settings\henrik lai jensen\Dokumenter\hijack\alternativ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://signon.stofanet.dk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Leveret af Henrik jensen
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Huskesedel.txt
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://193.138.215.254/cgi-bin/SysCamInst.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://domecam.uridium.ch/kxhcm10.ocx
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174835246786
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://80.198.229.250/activex/AMC.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (Bl_camera Control) - http://193.138.213.169/cgi-bin/bl_camera.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.opentopia.com/support/activex/AxisCamControl.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://80.160.169.182/activex/AMC.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winxwp32 - winxwp32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

-- Hent Combofix fra et af disse links, og gem den på dit skrivebord:
http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

-- Kør så combofix.exe, som du hentede tidligere, og følg anvisningerne.
Du bør ikke klikke på vinduet imens værktøjet kører, idet det kan få din computer til at fryse.
Når combofix er færdig, og efter det har genstartet, skulle der gerne åbnes en logfil: combofix.txt
Indholdet af denne fil må du gerne lægge herind.

Yes!

ComboFix 07-08-09.3 - "henrik lai jensen" 2007-08-12 23:41:45.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1030.18.154 [GMT 2:00]
* Created a new restore point

Rootkit driver xpdt is present. ... attempting disinfection
xpdt ...... driver unloaded successfully.

(((((((((((((((((((((((((((((((((((((((  Other Deletions  )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\HENRIK~1\APPLIC~1\..\err.log
C:\WINDOWS\system32\xpdt.sys


(((((((((((((((((((((((((((((((((((((((  Drivers/Services  )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NTIO256
-------\ntio256


(((((((((((((((((((((((((  Files Created from 2007-07-12 to 2007-08-12  )))))))))))))))))))))))))))))))


2007-08-12 23:36    51,200    --a------    C:\WINDOWS\nircmd.exe


((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-07 23:49    ---------    d--------    C:\Programmer\SUPERAntiSpyware
2007-07-28 00:07    783224    --a------    C:\WINDOWS\system32\aswBoot.exe
2007-07-28 00:02    94416    --a------    C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-28 00:02    92848    --a------    C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-28 00:00    23152    --a------    C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 23:59    42912    --a------    C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 23:58    26624    --a------    C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 23:57    95608    --a------    C:\WINDOWS\system32\AVASTSS.scr
2007-07-27 14:04    1852    --a------    C:\WINDOWS\system32\d3d9caps.dat
2007-07-15 01:19    2322688    --a------    C:\WINDOWS\system32\TUKernel.exe
2007-07-14 00:21    ---------    d--------    C:\Programmer\Google
2007-07-11 21:31    69784    --a------    C:\WINDOWS\system32\perfc006.dat
2007-07-11 21:31    409696    --a------    C:\WINDOWS\system32\perfh006.dat
2007-07-08 21:53    1740    --a------    C:\WINDOWS\system32\d3d8caps.dat
2007-07-07 13:51    ---------    d--------    C:\DOCUME~1\HENRIK~1\APPLIC~1\Google
2007-07-05 22:27    ---------    d--------    C:\Programmer\X-Cleaner
2007-07-01 22:04    ---------    d--------    C:\Programmer\Banner Maker Pro for Flash
2007-06-28 21:35    455238    --a------    C:\uninstall.exe
2007-06-28 21:35    2125824    --a------    C:\Antenna.exe
2007-06-27 20:44    ---------    d--------    C:\Programmer\Via-net ApS
2007-06-26 22:03    ---------    d--------    C:\DOCUME~1\HENRIK~1\APPLIC~1\KompoZer
2007-06-26 21:41    ---------    d--------    C:\Programmer\Nvu
2007-06-26 20:57    ---------    d--------    C:\DOCUME~1\HENRIK~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-25 21:54    ---------    d--h-----    C:\Programmer\InstallShield Installation Information
2007-06-25 21:54    ---------    d--------    C:\Programmer\Xara
2007-06-25 21:13    ---------    d--------    C:\Programmer\Banner Maker Pro 6
2007-06-24 03:01    ---------    d--------    C:\Programmer\MSXML 4.0
2007-06-20 21:30    ---------    d--------    C:\DOCUME~1\HENRIK~1\APPLIC~1\LGSync
2007-06-20 21:27    ---------    d--------    C:\Programmer\LG Electronics
2007-06-20 21:25    ---------    d--------    C:\Programmer\LGE GSM PC Sync
2007-06-17 15:36    1956    --a------    C:\WINDOWS\system32\tmp.reg
2007-06-17 00:01    ---------    d--------    C:\Programmer\Selteco
2007-06-16 23:55    ---------    d--------    C:\DOCUME~1\HENRIK~1\APPLIC~1\Likno
2007-06-13 22:12    ---------    d--------    C:\Programmer\Web Button Menu Maker
2007-06-13 21:54    ---------    d--------    C:\Programmer\LiknoWebButtonMakerFree
2007-06-07 06:23    1040384    --a------    C:\WINDOWS\system32\libeay32.dll
2007-06-07 06:22    196608    --a------    C:\WINDOWS\system32\ssleay32.dll
2007-06-02 14:55    1536    --a------    C:\cwainda.exe
2007-05-16 17:14    86528    --a--c---    C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 17:14    85504    --a--c---    C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 17:14    683520    --a--c---    C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 17:14    683520    --a------    C:\WINDOWS\system32\inetcomm.dll
2007-05-16 17:14    510976    --a--c---    C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 17:14    1314816    --a--c---    C:\WINDOWS\system32\dllcache\msoe.dll
    ---------        C:\Programmer\Fælles filer\Wise Installation Wizard
    ---------        C:\Programmer\Fælles filer\System
    ---------        C:\Programmer\Fælles filer\NSV
    ---------        C:\Programmer\Fælles filer\InstallShield
    ---------        C:\Programmer\Fælles filer


(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Programmer\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-28 00:03]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-27 14:00]

C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\
Huskesedel.txt [2007-07-19 06:00:18]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programmer\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programmer\SUPERAntiSpyware\SASWINLO.DLL 2007-08-07 23:48 294912 C:\Programmer\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winxwp32]
winxwp32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menuen Start^Programmer^Start^Adobe Reader Hurtigstart.lnk]
path=C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\Adobe Reader Hurtigstart.lnk
backup=C:\WINDOWS\pss\Adobe Reader Hurtigstart.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menuen Start^Programmer^Start^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^henrik lai jensen^Menuen Start^Programmer^Start^huskesedel.txt]
path=C:\Documents and Settings\henrik lai jensen\Menuen Start\Programmer\Start\huskesedel.txt
backup=C:\WINDOWS\pss\huskesedel.txtStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApachInc]
rundll32.exe "C:\WINDOWS\system32\xgievutk.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriveCleaner 2006 Free]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ipmon]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\novsvida.exe]
C:\Documents and Settings\All Users\Application Data\novsvida.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Programmer\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\setup]
rundll32.exe "C:\WINDOWS\system32\myeolxwp.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundService]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\X-Cleaner Deluxe]
"C:\PROGRA~1\X-CLEA~1\XCleaner_full.exe" -turbo -autostart -NOREBOOT

R1 SASDIFSV;SASDIFSV;\??\C:\Programmer\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Programmer\SUPERAntiSpyware\SASKUTIL.sys
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe -k netsvcs
R3 3dfxvs;3dfxvs;C:\WINDOWS\system32\DRIVERS\3dfxvsm.sys
S3 SASENUM;SASENUM;\??\C:\Programmer\SUPERAntiSpyware\SASENUM.SYS
S3 TSP;TSP;\??\C:\WINDOWS\system32\drivers\klif.sys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp


Contents of the 'Scheduled Tasks' folder
2007-08-10 15:33:04 C:\WINDOWS\Tasks\1-Click Maintenance.job
2007-05-15 19:59:40 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Programmer\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-12 23:48:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Aavmker4]


Completion time: 2007-08-12 23:51:23 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-12 23:50

    --- E O F ---

Registreringsdatabase oprydning ->
RegCleaner http://www.ccleaner.com/ + http://www.spywarefri.dk/manualer/ccleaner-manual.htm (Specielt punktet [Problemer]...)
Under installationen får du tilbudt [Yahoo Toolbar]. Du kan sige ja eller NEJ til den.


Og fortæl hvordan PC'en arbejder nu ???

Den kører upåklagelig.
Tusind tak for hjælpen.
Smid et svar.

Ping...

(Det var et [svar]..)

Du er velkommen en anden gang...

Åbn en mappe, klik på Funktioner >Mappeindstillinger >Vis.
Sæt flueben ved "Skjul beskyttede operativsystemfiler".
Sæt prik i "Vis ikke skjulte filer og mapper".

Du bør rense temp med denne fil, det tager kun få sek.
http://www.spywareinfo.dk/download/cleantempxp2k.bat

Efter sådan en tur er det altid en god ide og rydde op i systemgendannelsesfilerne.
Deaktiver systemgendannelse -> http://www.spywareinfo.dk/#/tip-og-tricks/deaktiver_systemgendannelse.htm
Genstart din computer - aktiver systemgendannelse. Dette gøres samme sted, hvor du deaktiverede, denne gang skal du blot aktivere.
Det vil også være en god idé manuelt at oprette et nyt punkt, som du kan navngive, og vende tilbage til, hvis du skulle få problemer af nogen art.

Et par artikler om sikker surfing finder du her:
http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=14414

Safe Surfing...

tak for hjælpen.