Søg
Avatar billede lassegj Nybegynder
22. oktober 2008 - 22:50 Der er 8 kommentarer og
1 løsning

W32 worm og andet godt - Hijackthis

Hej

Jeg har fået noget snavs på min computer, som jeg ikke kan komme af med. Jeg er på udveksling i Canada, og vi er påkrævet at have installeret McAfee. Den kommer ofte op med en meddelse om virus, identificeret som "W32/Autorun.worm.bl" - info om den her: http://vil.nai.com/vil/content/v_152632.htm. Som dog ikke har hjulpet mig til at fjerne den. Har et screenshot med hvad McaFee skriver, men ved ikke lige hvor jeg kan uploade det?

Kørte først Hijackthis - her er første logfil.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:25:54, on 22-10-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Intel\Wireless\Bin\EvtEng.exe
C:\Programmer\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmer\Launch Manager\LaunchAp.exe
C:\Programmer\Launch Manager\HotkeyApp.exe
C:\Programmer\Launch Manager\OSDCtrl.exe
C:\Programmer\Launch Manager\Wbutton.exe
C:\acer\Empowering Technology\ePower\epm-dm.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Programmer\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\CHRIST~1\POST-I~1\PostItt.exe
C:\Programmer\McAfee\Common Framework\udaterui.exe
C:\Programmer\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\VM303_STI.EXE
C:\Programmer\iTunes\iTunesHelper.exe
C:\Programmer\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Logitech\SetPoint\SetPoint.exe
C:\Programmer\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Programmer\Fælles filer\Logishrd\KHAL2\KHALMNPR.EXE
C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Programmer\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Programmer\Bonjour\mDNSResponder.exe
C:\Programmer\Cisco Systems\VPN Client\cvpnd.exe
C:\Programmer\McAfee\Common Framework\FrameworkService.exe
C:\Programmer\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Programmer\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\McAfee\Common Framework\naPrdMgr.exe
C:\Programmer\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Programmer\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
d:\dokume~1\passwo~1\passkeep.exe
C:\Documents and Settings\Lasse Grosen\Skrivebord\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/ig?hl=da
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: TBSB02156 - {23CD4E85-4DC7-4EF0-89FD-E5A23405408D} - C:\Programmer\IEToolbar\Forbrugerliv XtraSaver\XtraSaverLive.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Programmer\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Forbrugerliv XtraSaver - {AA01D2E3-6C81-4266-AA54-A912697110E2} - C:\Programmer\IEToolbar\Forbrugerliv XtraSaver\XtraSaverLive.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LaunchAp] "C:\Programmer\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [LManager] "C:\Programmer\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Programmer\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Programmer\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Programmer\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [EPM-DM] c:\acer\Empowering Technology\ePower\epm-dm.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Post-Itt Mærkater 98] C:\PROGRA~1\CHRIST~1\POST-I~1\PostItt.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programmer\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Programmer\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmer\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Programmer\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Programmer\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {07D09E9E-C667-45DD-B035-217BC2A61A3B} (ActiveX sikkerhedssoftware Control) - https://www.portalbank.dk/package/sdc/external/activex/ActiveXSikkerhedssoftware-prod-1.20.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200408621891
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200411837031
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://mppv2flash3.valueactive.com/NordicBet/FlashAX.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {DAF94F73-2AA6-44D8-A562-A28831820D34} (Pixum EasyUploadX Control) - http://www.pixum.de/int/EasyUpload/ImgUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3186C142-03EB-4369-A316-CBCE849ED542}: NameServer = 85.255.112.102;85.255.112.168
O17 - HKLM\System\CCS\Services\Tcpip\..\{A73FD3B2-611E-406D-B764-B9CFF5CEA9D8}: NameServer = 85.255.112.102;85.255.112.168
O17 - HKLM\System\CS1\Services\Tcpip\..\{3186C142-03EB-4369-A316-CBCE849ED542}: NameServer = 85.255.112.102;85.255.112.168
O17 - HKLM\System\CS2\Services\Tcpip\..\{3186C142-03EB-4369-A316-CBCE849ED542}: NameServer = 85.255.112.102;85.255.112.168
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FÆLLES~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Programmer\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Programmer\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programmer\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmer\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Programmer\Fælles filer\Logitech\Bluetooth\LBTServ.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Programmer\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Programmer\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Programmer\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programmer\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Programmer\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 12979 bytes




Derefter kørte jeg Malwarebytes (da jeg kunne se fra andre indlæg at det var næste trin), og loggen derfra er her:




Malwarebytes' Anti-Malware 1.29
Database version: 1306
Windows 5.1.2600 Service Pack 3

22-10-2008 17:41:28
mbam-log-2008-10-22 (17-41-28).txt

Skan type: Fuldstændig skanning (C:\|D:\|)
Objekter skannet: 126283
Tid tilbagelagt: 1 hour(s), 10 minute(s), 6 second(s)

Inficerede Hukommelses Processer: 0
Inficerede Hukommelses Moduler: 0
Inficerede Registeringsdatabase Nøgler: 23
Inficerede Registeringsdatabase Værdier: 2
Inficerede Registeringsdatabase Filer: 11
Inficerede Mapper: 3
Inficerede Filer: 45

Inficerede Hukommelses Processer:
(Ingen mistænkelige filer fundet)

Inficerede Hukommelses Moduler:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Nøgler:
HKEY_CLASSES_ROOT\Interface\{4897bba6-48d9-468c-8efa-846275d7701b} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ca3eb689-8f09-4026-aa10-b9534c691ce0} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{4509d3cc-b642-4745-b030-645b79522c6d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{82eb9649-bb21-4d71-a521-0f1595058df6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0e9737a6-cbd9-4c8c-8e84-841075f270d8} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{9adbfc71-2898-4669-8fe9-65b1f0e0b5ee} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5f9726a6-6bd9-498c-8e40-849d75ed70ae} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{502c56b6-aea4-421b-8b84-4aa5be7893ba} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c12bc181-650c-4920-8f04-feb4eb6f3b2f} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{fc3693f8-9571-471a-bd1b-3e5beaf2b7ea} (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{14bb309a-c77b-4d5b-82d7-15dcb81fe9f1} (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1d5c3aae-aab0-4dc3-bac2-bac608e7435f} (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3fbb739a-fd7b-455b-8224-15cfb85ee98e} (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{585c4bae-f3b0-44c3-baf8-bace08db4373} (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{66bbd29a-127b-4e5b-828c-15c1b822e979} (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7d5cfeae-25b0-48c3-baef-baca08524367} (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e67d5bc7-7129-493e-9281-f47bdaface4f} (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{23cd4e85-4dc7-4ef0-89fd-e5a23405408d} (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{23cd4e85-4dc7-4ef0-89fd-e5a23405408d} (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{57cadc46-58ff-4105-b733-5a9f3fc9783c} (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{aa01d2e3-6c81-4266-aa54-a912697110e2} (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Pornovid (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\URLSearchHook.ToolbarURLSearchHook (Adware.DosPopToolbar) -> Quarantined and deleted successfully.

Inficerede Registeringsdatabase Værdier:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{aa01d2e3-6c81-4266-aa54-a912697110e2} (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{aa01d2e3-6c81-4266-aa54-a912697110e2} (Adware.DosPopToolbar) -> Quarantined and deleted successfully.

Inficerede Registeringsdatabase Filer:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger.H) -> Data: kdffp.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3186c142-03eb-4369-a316-cbce849ed542}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.102;85.255.112.168 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3186c142-03eb-4369-a316-cbce849ed542}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.102;85.255.112.168 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a73fd3b2-611e-406d-b764-b9cff5cea9d8}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.102;85.255.112.168 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3186c142-03eb-4369-a316-cbce849ed542}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.102;85.255.112.168 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3186c142-03eb-4369-a316-cbce849ed542}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.102;85.255.112.168 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{a73fd3b2-611e-406d-b764-b9cff5cea9d8}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.102;85.255.112.168 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3186c142-03eb-4369-a316-cbce849ed542}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.102;85.255.112.168 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{a73fd3b2-611e-406d-b764-b9cff5cea9d8}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.102;85.255.112.168 -> Quarantined and deleted successfully.

Inficerede Mapper:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Programmer\IEToolbar (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
C:\Programmer\IEToolbar\Forbrugerliv XtraSaver (Adware.DosPopToolbar) -> Quarantined and deleted successfully.

Inficerede Filer:
C:\WINDOWS\system32\kdffp.exe (Rootkit.DNSChanger.H) -> Delete on reboot.
C:\Programmer\IEToolbar\Forbrugerliv XtraSaver\tbhelper.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Programmer\IEToolbar\Forbrugerliv XtraSaver\XtraSaverLive.dll (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
C:\Programmer\IEToolbar\Forbrugerliv XtraSaver\basis.xml (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
C:\Programmer\IEToolbar\Forbrugerliv XtraSaver\version.txt (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
C:\Programmer\IEToolbar\Forbrugerliv XtraSaver\traffic_yellow.v.9.gif (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
C:\Programmer\IEToolbar\Forbrugerliv XtraSaver\traffic_yellow.v.8.gif (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
C:\Programmer\IEToolbar\Forbrugerliv XtraSaver\traffic_yellow.v.4.gif (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
C:\Programmer\IEToolbar\Forbrugerliv XtraSaver\tool_suggest.gif (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
C:\Programmer\IEToolbar\Forbrugerliv XtraSaver\forbrugerliv_logo_black.gif (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
C:\Programmer\IEToolbar\Forbrugerliv XtraSaver\helpbutton_green.bmp (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
C:\Programmer\IEToolbar\Forbrugerliv XtraSaver\traffic_yellow.bmp (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
C:\Programmer\IEToolbar\Forbrugerliv XtraSaver\traffic_red.bmp (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
C:\Programmer\IEToolbar\Forbrugerliv XtraSaver\tbs_include_script_019111.js (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
C:\Programmer\IEToolbar\Forbrugerliv XtraSaver\traffic_yellow.gif (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
C:\Programmer\IEToolbar\Forbrugerliv XtraSaver\traffic_green_bg.gif (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
C:\Programmer\IEToolbar\Forbrugerliv XtraSaver\XtraSaverIcon.bmp (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
C:\Programmer\IEToolbar\Forbrugerliv XtraSaver\icons.bmp_64.bmp (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
C:\Programmer\IEToolbar\Forbrugerliv XtraSaver\icons.bmp_16.bmp (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
C:\Programmer\IEToolbar\Forbrugerliv XtraSaver\update.exe (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
C:\Programmer\IEToolbar\Forbrugerliv XtraSaver\tbs_include_script_025923.js (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
C:\Programmer\IEToolbar\Forbrugerliv XtraSaver\tbs_include_script_023197.js (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
C:\Programmer\IEToolbar\Forbrugerliv XtraSaver\tbs_include_script_006056.js (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
C:\Programmer\IEToolbar\Forbrugerliv XtraSaver\script.js (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
C:\Programmer\IEToolbar\Forbrugerliv XtraSaver\siteActiv_plugin.dll (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
C:\Programmer\IEToolbar\Forbrugerliv XtraSaver\siteActivation_URLs.txt (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
C:\Programmer\IEToolbar\Forbrugerliv XtraSaver\info.txt (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
C:\Programmer\IEToolbar\Forbrugerliv XtraSaver\fblLogo16x16.bmp (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
C:\Programmer\IEToolbar\Forbrugerliv XtraSaver\uninstall.exe (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
C:\Programmer\IEToolbar\Forbrugerliv XtraSaver\icons.bmp (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
C:\Programmer\IEToolbar\Forbrugerliv XtraSaver\XtraSaverLive.crc (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
C:\Programmer\IEToolbar\Forbrugerliv XtraSaver\XtraSaverLive.inf (Adware.DosPopToolbar) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-67.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-C11.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-09B.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-7A5.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-0D7.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-637.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-CC7.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-263.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-FFB.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-53D.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-539.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-41F.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.



Genstartede derefter og tog en ny Hijacklog:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:46:59, on 22-10-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Intel\Wireless\Bin\EvtEng.exe
C:\Programmer\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmer\Launch Manager\LaunchAp.exe
C:\Programmer\Launch Manager\HotkeyApp.exe
C:\Programmer\Launch Manager\OSDCtrl.exe
C:\Programmer\Launch Manager\Wbutton.exe
C:\acer\Empowering Technology\ePower\epm-dm.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Programmer\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\CHRIST~1\POST-I~1\PostItt.exe
C:\Programmer\McAfee\Common Framework\udaterui.exe
C:\Programmer\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\VM303_STI.EXE
C:\Programmer\iTunes\iTunesHelper.exe
C:\Programmer\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Logitech\SetPoint\SetPoint.exe
C:\Programmer\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Programmer\Fælles filer\Logishrd\KHAL2\KHALMNPR.EXE
C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Programmer\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Programmer\Bonjour\mDNSResponder.exe
C:\Programmer\Cisco Systems\VPN Client\cvpnd.exe
C:\Programmer\McAfee\Common Framework\FrameworkService.exe
C:\Programmer\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Programmer\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programmer\McAfee\Common Framework\McTray.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Lasse Grosen\Skrivebord\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/ig?hl=da
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Programmer\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LaunchAp] "C:\Programmer\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [LManager] "C:\Programmer\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Programmer\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Programmer\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Programmer\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [EPM-DM] c:\acer\Empowering Technology\ePower\epm-dm.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Post-Itt Mærkater 98] C:\PROGRA~1\CHRIST~1\POST-I~1\PostItt.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programmer\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Programmer\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdffp.exe] C:\WINDOWS\system32\kdffp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmer\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Programmer\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Programmer\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {07D09E9E-C667-45DD-B035-217BC2A61A3B} (ActiveX sikkerhedssoftware Control) - https://www.portalbank.dk/package/sdc/external/activex/ActiveXSikkerhedssoftware-prod-1.20.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200408621891
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200411837031
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://mppv2flash3.valueactive.com/NordicBet/FlashAX.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {DAF94F73-2AA6-44D8-A562-A28831820D34} (Pixum EasyUploadX Control) - http://www.pixum.de/int/EasyUpload/ImgUploader.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FÆLLES~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Programmer\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Programmer\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programmer\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmer\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Programmer\Fælles filer\Logitech\Bluetooth\LBTServ.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Programmer\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Programmer\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Programmer\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programmer\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Programmer\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 11985 bytes



Jeg håber virkelig nogle kan hjælpe. Sidder som sagt i Canada, og har ikke mulighed for at reinstallere hele skidtet...


Grosen
Avatar billede levich Nybegynder
22. oktober 2008 - 22:52 #1
Øjeblik, så ser jeg på det.
Avatar billede levich Nybegynder
22. oktober 2008 - 22:58 #2
Hej Lasse. Det ser ud til at du næsten har fået fjernet det hele, så for at ordne den sidste ting, så har jeg lavet en lille vejledning til dig.

(1)
Hent AFT-cleaner her: http://www.geekstogo.com/forum/index.php?autocom=downloads&showfile=21
Start programmet og vælg "select all" og derefter "empty all".
Hvis du har Firefox skal du først vælge det i menuen og derefter "select all" og "empty all".

(2)
Genstart computeren i fejlsikret tilstand (tryk F8 når Windows starter op) og Fix følgende linjer med HijackThis:
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdffp.exe] C:\WINDOWS\system32\kdffp.exe

(3)
Åbn "denne computer", i menuen skal du klikke på Funktioner -> Mappeindstillinger -> Vis.
Fjern flueben ved "Skjul beskyttede operativsystemfiler" og ved "Skjul filtypenavne for kendte filtyper", sæt prik i "Vis skjulte filer og mapper". Husk at trykke på knappen "Anvend på alle mapper" i stedet for "ok".

søg efter og slet følgende fil(er):
C:\WINDOWS\system32\kdffp.exe

(4)
Genstart computeren normalt. Lav en ny log med HijackThis og send den herind.
Avatar billede lassegj Nybegynder
22. oktober 2008 - 23:26 #3
Tak for den hurtige respons. Jeg kunne ikke finde filen C:\WINDOWS\system32\kdffp.exe. Slettede jeg den ikke med Hijackthis??

Her er ny log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:25:07, on 22-10-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Intel\Wireless\Bin\EvtEng.exe
C:\Programmer\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Programmer\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Programmer\Bonjour\mDNSResponder.exe
C:\Programmer\Cisco Systems\VPN Client\cvpnd.exe
C:\Programmer\McAfee\Common Framework\FrameworkService.exe
C:\Programmer\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Programmer\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmer\Launch Manager\LaunchAp.exe
C:\Programmer\Launch Manager\HotkeyApp.exe
C:\Programmer\Launch Manager\OSDCtrl.exe
C:\Programmer\Launch Manager\Wbutton.exe
C:\acer\Empowering Technology\ePower\epm-dm.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Programmer\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\CHRIST~1\POST-I~1\PostItt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\McAfee\Common Framework\udaterui.exe
C:\Programmer\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\VM303_STI.EXE
C:\Programmer\iTunes\iTunesHelper.exe
C:\Programmer\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\McAfee\Common Framework\McTray.exe
C:\Programmer\Logitech\SetPoint\SetPoint.exe
C:\Programmer\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\Programmer\Fælles filer\Logishrd\KHAL2\KHALMNPR.EXE
C:\Documents and Settings\Lasse Grosen\Skrivebord\HiJackThis.exe
C:\Programmer\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/ig?hl=da
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Programmer\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LaunchAp] "C:\Programmer\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [LManager] "C:\Programmer\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Programmer\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Programmer\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Programmer\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [EPM-DM] c:\acer\Empowering Technology\ePower\epm-dm.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Post-Itt Mærkater 98] C:\PROGRA~1\CHRIST~1\POST-I~1\PostItt.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programmer\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Programmer\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmer\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Programmer\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Programmer\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {07D09E9E-C667-45DD-B035-217BC2A61A3B} (ActiveX sikkerhedssoftware Control) - https://www.portalbank.dk/package/sdc/external/activex/ActiveXSikkerhedssoftware-prod-1.20.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200408621891
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200411837031
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://mppv2flash3.valueactive.com/NordicBet/FlashAX.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {DAF94F73-2AA6-44D8-A562-A28831820D34} (Pixum EasyUploadX Control) - http://www.pixum.de/int/EasyUpload/ImgUploader.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FÆLLES~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Programmer\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Programmer\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programmer\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmer\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Programmer\Fælles filer\Logitech\Bluetooth\LBTServ.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Programmer\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Programmer\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Programmer\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programmer\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Programmer\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 11914 bytes
Avatar billede lassegj Nybegynder
22. oktober 2008 - 23:31 #4
Med AFT-cleaner kunne jeg sagtens slette alt fra Internet Explorer. Når jeg valgte Firefox, som jeg egentlig primært bruger fik jeg beskeden: "No files were removed".

Et problem er dog ikke gået væk: Når jeg går i denne computer (hvor jeg har et C: og D: drev, og vil ind på mit D:-drev får jeg beskeden: "resycled\boot.com er ikke et gyldigt Win-32-program" og får ikke adgang - kan kun vælge "ok". Jeg kan dog godt komme til mit D:-drev hvis jeg gør det via en genvej til en mappe på drevet, bare ikke når det er direkte til roden. Er det også snavs?

Grosen
Avatar billede levich Nybegynder
23. oktober 2008 - 00:06 #5
Hmm, beskeden "resycled\boot.com er ikke et gyldigt Win-32-program" skyldes helt klart en virus: http://www.precisesecurity.com/blogs/2008/09/20/resycledbootcom/.

Jeg har to forsigtige forslag til, hvordan vi får den fjernet. Jeg regner med, at det er en såkaldt rootkit, som du har fået ind på computeren. Forslag (2) og (3) er beregnet til at fjerne rootkits.

(1)
Det letteste er at scanne med Malwarebytes' Anti-Malware igen, men hvor du har startet Windows i fejlsikret tilstand og husker at scanne alle interne og eksterne harddiske.

(2)
Hent programmet blacklight her: http://www.f-secure.com/security_center/ (se link nederst på siden). Start programmet og scan.

(3)
Hent programmet Unhackme her: http://greatis.com/unhackme/ (gratis evalueringskopi). Start programmet og scan.
Avatar billede fromsej Praktikant
23. oktober 2008 - 08:50 #6
Levich >> Det er Wareout der er årsagen, den er jeg ikke sikker på kan pelses uden specielværktøjet.
NameServer = 85.255.112.102;85.255.112.168 - 85.255.112.0 - 85.255.127.255 UkrTeleGroup Ltd.
---------------------
Under dette fix vil computeren blive genstartet, og du bør derfor printe vejledningen ud, for at have den ved din side under hele fixet. Fixet skal bruge adgang til internettet, så det skal du sikre dig, at der er.

Hent FixWareout fra et af disse links:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Gem filen på dit Skrivebord og dobbeltklik på den. Klik Next -> Install og check, at der er et flueben i "Run fixit" - klik herefter på Finish. Fixet vil nu starte, og du skal blot følge instruktionerne. Du vil blive bedt om at genstarte din computer - gør venligst det.
Genstarten vil tage lidt længere tid end normalt...

Når dit system genstarter skal du fortsat følge den vejledning, der gives på skærmen.
Når fixet er færdigt vil der åbnes en log (report.txt), som du skal gemme og lægge herind i næste post.

Genstart din computer, og kopier indholdet af C:\fixwareout\report.txt herind sammen med en frisk HijackThis log og en frisk Combofixlog.
Avatar billede lassegj Nybegynder
23. oktober 2008 - 17:27 #7
Hej

Umiddelbart ser det ud til at jeg er kommet af med det. Det var Levichs første link der hjalp mig. På sitet skrev folk hvordan man manuelt skulle fjerne 'autorun.inf' samt en mappe ved navn 'resycled' i roden af drevet. Det gjorde jeg og kørte desuden både Malwarebytes, Blacklight og Unhackme tests og de fandt ikke noget efter jeg havde fjernet den manuelt. Kan jeg ikke betragte det som at den er væk? jeg får heller ikke længere beskeden om at jeg ikke kan få adgang til drevet. Eller kan der stadig godt gemme sig snavs et sted som ingen af de programmer kan finde?

Men Levich, du skal have mange tak for hjælpen. Jeg er som sagt i Canada, og ved sgu ikke hvad jeg lige skulle have gjort uden dig hjælp.

Venlig hilsen

Grosen
Avatar billede levich Nybegynder
23. oktober 2008 - 17:36 #8
Hvis du ikke får den der besked mere, så vil jeg også tro at virussen er væk.

fromsej -> mht. til kommentar om navneserveren og Wareout, så er du kommet til at se på hijackthis-loggen fra før scanningen med Malwarebytes' Anti-Malware.
Avatar billede fromsej Praktikant
23. oktober 2008 - 18:00 #9
Tjekker du så Mbam loggen, er det snuppet en masse Wareout også.
Jeg ville bare være 100% sikker på at alt er væk, så for min skyld, kør venligst Fixwareout og kopier loggen ind.
(Point er jeg helt ligeglad med ;-) )
Avatar billede Ny bruger Nybegynder

Din løsning...

Tilladte BB-code-tags: [b]fed[/b] [i]kursiv[/i] [u]understreget[/u] Web- og emailadresser omdannes automatisk til links. Der sættes "nofollow" på alle links.

Loading billede Opret Preview
Kategori
Se alle it-kurser fra Computerworld Kurser
IT-kurser om Microsoft 365, sikkerhed, personlig vækst, udvikling, digital markedsføring, grafisk design, SAP og forretningsanalyse.
Se alle it-kurser

Flere spørgsmål fra Virus kategorien

Titel Indlæg Oprettet Seneste aktivitet
Vil skrifte antivirusprogram. Af ErikHg i Virus 22 26/11/202510:42 23/12/202514:29
Er gratis Bitdefender værd at installere ? Af Ikke-ekspert i Virus 8 31/08/202519:08 01/09/202514:18
Ukendte filer på min Pc Af jonpet i Virus 10 03/02/202514:20 04/02/202511:05
mulig ukendt virus Af jackie18 i Virus 3 18/01/202514:07 18/01/202516:39
virus popper op med jævne mellemrum Af Malm i Virus 13 18/01/202511:40 20/01/202517:53
Se alle spørgsmål i kategorien Opret spørgsmål

Log ind eller opret profil

Hov!

For at kunne deltage på Computerworld Eksperten skal du være logget ind.

Det er heldigvis nemt at oprette en bruger: Det tager to minutter og du kan vælge at bruge enten e-mail, Facebook eller Google som login.

Opret Log ind

Du kan også logge ind via nedenstående tjenester

Alle kategorier på Eksperten
Seneste spørgsmål Seneste aktivitet
27/1222:02 Låse brugt iPad op Af drstein i iOS, iPhone & iPad
27/1219:21 Hvor finder jeg en oversigt over mine spørgsmål Af KurtG i Hjælp og fejl
27/1211:31 TP-Link Wifi extender opsat som accesspoint giver 50% up- og download, Af Uvanga i Wifi
26/1213:05 Hvorfor bliver tiff-filer større ved konvertering til samme format Af KurtG i Billedbehandling
23/1221:36 Gøre Ikonerne lidt større i proceslinjen (Windows 10) Af Ikke-ekspert i Windows
White papers
Flere white papers »