Pozzolan Skrevet 18. september 2006 Del Skrevet 18. september 2006 (endret) Kan du poste en logg fra sikkermodus? Har bare lyst til å se om det er noe av ormen som kjører da. Prøv også å følge denne guiden. Endret 18. september 2006 av stealthy Lenke til kommentar
Lord-of-the-End-Times Skrevet 18. september 2006 Forfatter Del Skrevet 18. september 2006 Men er det riktig at begge de greiene du sier skal slettes med hijackthis eller er det en skrivefeil? Lenke til kommentar
Pozzolan Skrevet 18. september 2006 Del Skrevet 18. september 2006 (endret) Kan du spesifisere hva du mener med de greiene? Ser ut som at spredningen av ormen har stoppet Da siden som hostet filen ser ut til å være tatt ned. Endret 18. september 2006 av stealthy Lenke til kommentar
Lord-of-the-End-Times Skrevet 18. september 2006 Forfatter Del Skrevet 18. september 2006 1. Last ned killbox (google it) 2. Last ned CCleaner (google it) 3. Søå av System Restore 4. Start maskinen i sikkermodus 5. Kjør en rens med CCleaner. Husk på å fjerne haken for "Only delete files in windows temp folders older than 48 hours i Options - Advanced 6. Slett disse med hijackthis C:\WINDOWS\system32\hfp.exe C:\WINDOWS\TEMP\JHFB9B.EXE (Se om du finner flere filer i denne mappen) C:\Documents and Settings\thwa0409\ (Ikke gjør dette hvis thwa0409 er brukernavnet ditt) Slett da bare disse: C:\Documents and Settings\thwa0409\Xinstall.exe C:\Programfiler\Fellesfiler\{D8EE11B6-0510-1044-0704-05111420002f}\Update.exe C:\Documents and Settings\thwa0409\Skrivebord\I nstall_Messenger_nous.exe C:\DOCUME~1\thwa0409\LOKALE~1\Temp\IXP000.TMP\bootstrap.exe C:\Programfiler\ToolBar888\ C:\Programfiler\winupdates\ C:\WINDOWS\system32\pgrfnw.dll 7. Så sletter du disse med hijackthis. R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.84.254:3128 (bare hvis du ikke vet hva det er) R3 - URLSearchHook: (no name) - - (no file) O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Programfiler\ToolBar888\MyToolBar.dll O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Programfiler\ToolBar888\MyToolBar.dll O4 - HKLM\..\Run: [winupdates] C:\Programfiler\winupdates\winupdates.exe /auto O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\thwa0409\Xinstall.exe O4 - HKLM\..\Run: [PVModule] C:\PROGRA~2\PRINTV~1\pvmodule.exe O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/pro...133352D2D2D.exe O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://82.147.37.147/activex/AxisCamControl.cab O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktank...ownloadCtrl.cab Kjenner du til C:\Programfiler\Fellesfiler\EzTools ? Hvis ikke slette alle oppføringene med det. O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\pgrfnw.dll O23 - Service: hfP Service (hfprog) - Unknown owner - C:\WINDOWS\system32\hfp.exe O23 - Service: MySQL - Unknown owner - C:\Programfiler\MySQL\MySQL.exe (file missing) 8. Ta online virus scan. Eventuelt Ewido i sikkermodus. 9. Post en blodfersk hijackthis logg fra vanlig windowsmodus. Husk at jeg ikke garanterer at det blir fikset. 6890342[/snapback] Du sier at jeg skal slette begge de to codeboksene med hijackthis. Er det riktig eller skal jeg ikke bruke killbox på den første? Lenke til kommentar
Pozzolan Skrevet 18. september 2006 Del Skrevet 18. september 2006 Opps Selfølgelig skal du bruke Killbox på det første. Dumme meg... Lenke til kommentar
Lord-of-the-End-Times Skrevet 18. september 2006 Forfatter Del Skrevet 18. september 2006 Hehe. Da skal jeg prøve på nytt Brb Lenke til kommentar
Lord-of-the-End-Times Skrevet 18. september 2006 Forfatter Del Skrevet 18. september 2006 (endret) Dette er etter den nye turen innom sikkerhetsmodus: Logfile of HijackThis v1.99.1 Scan saved at 00:26:44, on 19.09.2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Programfiler\Intel\Wireless\Bin\EvtEng.exe C:\Programfiler\Intel\Wireless\Bin\S24EvMon.exe C:\Programfiler\Intel\Wireless\Bin\WLKeeper.exe C:\WINDOWS\system32\spoolsv.exe C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Programfiler\Dell\NICCONFIGSVC\NICCONFIGSVC.exe C:\Programfiler\Trend Micro\OfficeScan Client\ntrtscan.exe C:\Programfiler\Trend Micro\OfficeScan Client\OfcPfwSvc.exe C:\Programfiler\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\svchost.exe C:\Programfiler\Intel\Wireless\Bin\ZcfgSvc.exe C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe C:\Programfiler\Trend Micro\OfficeScan Client\tmlisten.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\TEMP\XM9D3A.EXE C:\WINDOWS\Explorer.EXE C:\Programfiler\Apoint\Apoint.exe C:\Programfiler\Apoint\Apntex.exe C:\WINDOWS\system32\hkcmd.exe C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe C:\Programfiler\Intel\Wireless\Bin\ifrmewrk.exe C:\Programfiler\Dell\QuickSet\quickset.exe C:\Programfiler\filer\CyberLink\PowerDVD\DVDLauncher.exe C:\Programfiler\Fellesfiler\Sonic\Update Manager\sgtray.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Programfiler\Trend Micro\OfficeScan Client\pccntmon.exe C:\Programfiler\QuickTime\qttask.exe C:\Programfiler\DAEMON Tools\daemon.exe C:\Programfiler\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Programfiler\MSN Messenger\msnmsgr.exe C:\programfiler\steam\steam.exe C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe C:\WINDOWS\system32\wuauclt.exe C:\Programfiler\iPod\bin\iPodService.exe C:\Programfiler\Trend Micro\OfficeScan Client\pccntupd.exe C:\WINDOWS\system32\svchost.exe C:\Programfiler\WinRAR\WinRAR.exe C:\DOCUME~1\thwa0409\LOKALE~1\Temp\Rar$EX00.640\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.root.no/forum R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.84.254:3128 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Programfiler\Deskbar\deskbar.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programfiler\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [Apoint] C:\Programfiler\Apoint\Apoint.exe O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [intelWireless] C:\Programfiler\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [Dell QuickSet] C:\Programfiler\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Programfiler\filer\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [updateManager] "C:\Programfiler\Fellesfiler\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programfiler\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe O4 - HKLM\..\Run: [starSkin] C:\PROGRAMFILER\ROCKET DIVISION SOFTWARE\STARSKIN\STARSKIN.EXE -H O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programfiler\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [steam] "c:\programfiler\steam\steam.exe" -silent O4 - HKCU\..\Run: [skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Bluetooth Manager.lnk = ? O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kompelien.spaces.msn.com//PhotoUpload/MsnPUpld.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = opplandvgs.local O17 - HKLM\Software\..\Telephony: DomainName = opplandvgs.local O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = opplandvgs.local O18 - Protocol: ezstor - {6344A3A0-96A7-11D4-88CC-000000000000} - C:\WINDOWS\system32\viewers\ezspp.dll O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: IntelWireless - C:\Programfiler\Intel\Wireless\Bin\LgNotify.dll O20 - Winlogon Notify: Shell Extentions - C:\WINDOWS\system32\mxhtmled.dll O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\jtrm0791e.dll (file missing) O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: EvtEng - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\EvtEng.exe O23 - Service: hfP Service (hfprog) - Unknown owner - C:\WINDOWS\system32\hfp.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Imapi Helper - Alex Feinman - C:\Programfiler\Alex Feinman\ISO Recorder\ImapiHelper.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Programfiler\Dell\NICCONFIGSVC\NICCONFIGSVC.exe O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\ntrtscan.exe O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\OfcPfwSvc.exe O23 - Service: RegSrvc - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\tmlisten.exe O23 - Service: WLANKEEPER - Intel® Corporation - C:\Programfiler\Intel\Wireless\Bin\WLKeeper.exe Denne her er fra under sikkerhetsmodus: Logfile of HijackThis v1.99.1 Scan saved at 00:17:25, on 19.09.2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Programfiler\Intel\Wireless\Bin\ZcfgSvc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\rundll32.exe C:\Programfiler\WinRAR\WinRAR.exe C:\DOCUME~1\thwa0409\LOKALE~1\Temp\Rar$EX00.719\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.root.no/forum R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.84.254:3128 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Programfiler\Deskbar\deskbar.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programfiler\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [Apoint] C:\Programfiler\Apoint\Apoint.exe O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [intelWireless] C:\Programfiler\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [Dell QuickSet] C:\Programfiler\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Programfiler\filer\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [updateManager] "C:\Programfiler\Fellesfiler\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programfiler\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe O4 - HKLM\..\Run: [starSkin] C:\PROGRAMFILER\ROCKET DIVISION SOFTWARE\STARSKIN\STARSKIN.EXE -H O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programfiler\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [steam] "c:\programfiler\steam\steam.exe" -silent O4 - HKCU\..\Run: [skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Bluetooth Manager.lnk = ? O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kompelien.spaces.msn.com//PhotoUpload/MsnPUpld.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = opplandvgs.local O17 - HKLM\Software\..\Telephony: DomainName = opplandvgs.local O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = opplandvgs.local O18 - Protocol: ezstor - {6344A3A0-96A7-11D4-88CC-000000000000} - C:\WINDOWS\system32\viewers\ezspp.dll O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: IntelWireless - C:\Programfiler\Intel\Wireless\Bin\LgNotify.dll O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\jtrm0791e.dll (file missing) O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\mxhtmled.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: EvtEng - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\EvtEng.exe O23 - Service: hfP Service (hfprog) - Unknown owner - C:\WINDOWS\system32\hfp.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Imapi Helper - Alex Feinman - C:\Programfiler\Alex Feinman\ISO Recorder\ImapiHelper.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Programfiler\Dell\NICCONFIGSVC\NICCONFIGSVC.exe O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\ntrtscan.exe O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\OfcPfwSvc.exe O23 - Service: RegSrvc - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\tmlisten.exe O23 - Service: WLANKEEPER - Intel® Corporation - C:\Programfiler\Intel\Wireless\Bin\WLKeeper.exe Alle problemer ser ut til å være løst untatt ett. Og det er det at det dukker opp reklame som tabs i browseren heletiden, men jeg har ikke merket noe mer trøbbel med msn. Endret 18. september 2006 av Lord-of-the-End-Times Lenke til kommentar
Pozzolan Skrevet 18. september 2006 Del Skrevet 18. september 2006 Er det flere filer i C:\WINDOWS\TEMP\ ? Det ser ut som om det blir generert en ny fil der hele tiden. Mappen kan godt være tom (Den er det hos meg) Ellers så bør du slette: R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Programfiler\Deskbar\deskbar.dll med hijackthis og C:\Programfiler\Deskbar\ med killbox. Gjøres i sikkermodus. Vi får se hva som skjer etter at du har gjort dette. Post gjerne enda en logg etter at du har gjort dette. Jeg skal til sengs nå men skal se på det når jeg står opp. Lenke til kommentar
Lord-of-the-End-Times Skrevet 18. september 2006 Forfatter Del Skrevet 18. september 2006 Jeg må til sengs nå jeg også. Men jeg gjør det i morgen tidlig. Så håper du følger med, jeg setter veldig stor pris på innsatsen du gjør iallefall Lenke til kommentar
FuzzFuet Skrevet 19. september 2006 Del Skrevet 19. september 2006 Jepp, samme her håper jeg blir kvitt det Så jeg kan logge på MSN nå, siden spredningen har stoppet som du sier? Lenke til kommentar
Lord-of-the-End-Times Skrevet 19. september 2006 Forfatter Del Skrevet 19. september 2006 Det er iallefall fjernet på meg tror jeg. Jeg har ikke hatt mer problemer med at det spres lenger. Skal fjerne de andre filene nå Lenke til kommentar
Lord-of-the-End-Times Skrevet 19. september 2006 Forfatter Del Skrevet 19. september 2006 (endret) Nå har jeg gjordt som du sa og her er den nye loggen: Logfile of HijackThis v1.99.1 Scan saved at 08:44:34, on 19.09.2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Programfiler\Intel\Wireless\Bin\EvtEng.exe C:\Programfiler\Intel\Wireless\Bin\S24EvMon.exe C:\Programfiler\Intel\Wireless\Bin\WLKeeper.exe C:\WINDOWS\system32\spoolsv.exe C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Programfiler\Dell\NICCONFIGSVC\NICCONFIGSVC.exe C:\Programfiler\Trend Micro\OfficeScan Client\ntrtscan.exe C:\Programfiler\Trend Micro\OfficeScan Client\OfcPfwSvc.exe C:\Programfiler\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\svchost.exe C:\Programfiler\Intel\Wireless\Bin\ZcfgSvc.exe C:\Programfiler\Trend Micro\OfficeScan Client\tmlisten.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\TEMP\ZN401B.EXE C:\WINDOWS\system32\fxssvc.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe C:\Programfiler\Apoint\Apoint.exe C:\WINDOWS\system32\hkcmd.exe C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe C:\Programfiler\Intel\Wireless\Bin\ifrmewrk.exe C:\Programfiler\Dell\QuickSet\quickset.exe C:\Programfiler\filer\CyberLink\PowerDVD\DVDLauncher.exe C:\Programfiler\Fellesfiler\Sonic\Update Manager\sgtray.exe C:\Programfiler\Apoint\Apntex.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Programfiler\Trend Micro\OfficeScan Client\pccntmon.exe C:\Programfiler\QuickTime\qttask.exe C:\Programfiler\DAEMON Tools\daemon.exe C:\Programfiler\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Programfiler\MSN Messenger\msnmsgr.exe C:\programfiler\steam\steam.exe C:\Programfiler\Skype\Phone\Skype.exe C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe C:\WINDOWS\system32\userinit.exe C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe C:\Programfiler\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe C:\DOCUME~1\thwa0409\LOKALE~1\Temp\Rar$EX00.375\HijackThis.exe C:\WINDOWS\system32\wuauclt.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.root.no/forum R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.84.254:3128 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programfiler\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [Apoint] C:\Programfiler\Apoint\Apoint.exe O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [intelWireless] C:\Programfiler\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [Dell QuickSet] C:\Programfiler\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Programfiler\filer\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [updateManager] "C:\Programfiler\Fellesfiler\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programfiler\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe O4 - HKLM\..\Run: [starSkin] C:\PROGRAMFILER\ROCKET DIVISION SOFTWARE\STARSKIN\STARSKIN.EXE -H O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programfiler\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [steam] "c:\programfiler\steam\steam.exe" -silent O4 - HKCU\..\Run: [skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Bluetooth Manager.lnk = ? O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kompelien.spaces.msn.com//PhotoUpload/MsnPUpld.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = opplandvgs.local O17 - HKLM\Software\..\Telephony: DomainName = opplandvgs.local O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = opplandvgs.local O18 - Protocol: ezstor - {6344A3A0-96A7-11D4-88CC-000000000000} - C:\WINDOWS\system32\viewers\ezspp.dll O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: IntelWireless - C:\Programfiler\Intel\Wireless\Bin\LgNotify.dll O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\lvjo0913e.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: EvtEng - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\EvtEng.exe O23 - Service: hfP Service (hfprog) - Unknown owner - C:\WINDOWS\system32\hfp.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Imapi Helper - Alex Feinman - C:\Programfiler\Alex Feinman\ISO Recorder\ImapiHelper.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Programfiler\Dell\NICCONFIGSVC\NICCONFIGSVC.exe O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\ntrtscan.exe O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\OfcPfwSvc.exe O23 - Service: RegSrvc - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\tmlisten.exe O23 - Service: WLANKEEPER - Intel® Corporation - C:\Programfiler\Intel\Wireless\Bin\WLKeeper.exe Det ser faktisk ut til å virke nå, hvis ikke så prøver jeg å fjerne den TEMP fila. Endret 19. september 2006 av Lord-of-the-End-Times Lenke til kommentar
Pozzolan Skrevet 19. september 2006 Del Skrevet 19. september 2006 Det er nok bare Temp filen som er igjen. Kan du se om du finner flere filer i mappen C:\WINDOWS\TEMP\ ? Eller så ser det mye bedre ut! Lenke til kommentar
Lord-of-the-End-Times Skrevet 19. september 2006 Forfatter Del Skrevet 19. september 2006 Jeg skal gjøre det etterpå. Jeg time akkuratt nå og har ikke opplevd noen problemer. Skal jeg fjerne hele C:\WINDOWS\TEMP i killbox? Tusen takk for all hjelpen. Jeg kjenner flere som har problemet så nå vet jeg sånn ca hvordan jeg skal fikse det så nå kan jeg hjelpe de, Lenke til kommentar
Pozzolan Skrevet 19. september 2006 Del Skrevet 19. september 2006 Kan du ikke først navigere til C:\WINDOWS\TEMP og se om det er flere filer i mappen? Lenke til kommentar
Lord-of-the-End-Times Skrevet 19. september 2006 Forfatter Del Skrevet 19. september 2006 Her er screenshot etter at jeg åpna mappa. Lenke til kommentar
Pozzolan Skrevet 19. september 2006 Del Skrevet 19. september 2006 (endret) Prøv å slette alle filene/mappene du ser der med Killbox. Slå av alle andre programmer når du gjør det. Prøv også å avslutte prosessen i taskmanager før du prøver å slette ZN401B.EXE. Edit: Gjerne prøv dette i sikkermodus Endret 19. september 2006 av stealthy Lenke til kommentar
Lord-of-the-End-Times Skrevet 19. september 2006 Forfatter Del Skrevet 19. september 2006 (endret) Har pause om 30 min. Skal gjøre det da. Skal det gjøres i sikkerhetsmodus btw? Endret 19. september 2006 av Lord-of-the-End-Times Lenke til kommentar
Pozzolan Skrevet 19. september 2006 Del Skrevet 19. september 2006 Jupp i sikkermodus. Ikke slett selve mappen, bare innholdet. Slå på visning av skjulte filer for å se om det er noe anet som gjemmer seg der. Etter det jeg har lest kan man trygt slette alle filene i C:\WINDOWS\TEMP\ Kommer tilbake etter at skolen er ferdig. Begynner klokken 12.00 i dag Lenke til kommentar
Lord-of-the-End-Times Skrevet 19. september 2006 Forfatter Del Skrevet 19. september 2006 (endret) Når jeg fjerner den fila så kommer den opp igjen tilbake etterpå, men da har den et annet navn. Når jeg prøver å slette den i prossesser så får jeg beskjed og at jeg ikke har tilgang til å slette den. Endret 19. september 2006 av Lord-of-the-End-Times Lenke til kommentar
Anbefalte innlegg
Opprett en konto eller logg inn for å kommentere
Du må være et medlem for å kunne skrive en kommentar
Opprett konto
Det er enkelt å melde seg inn for å starte en ny konto!
Start en kontoLogg inn
Har du allerede en konto? Logg inn her.
Logg inn nå