Først og fremmest - når du lægger et svar, så skal du bruge “Kommenter” i bunden af denne tråd, ellers laver du en ny tråd og det bliver vanskeligt at følge forløbet.

Der er jo lidt at gå i gang med

1. Du skal nu i gang med at fixe. Først deaktiver systemgendannelse (http://www.spywarefri.dk/virusscannere.htm#alle).

2. For at kunne se alle filer:

Åbn en mappe, klik på Funktioner=>Mappeindstillinger=>Vis.
Fjern flueben ved “Skjul beskyttede operativsystemfiler”.
Fjern flueben ved “Skjul filtypenavne for kendte filtyper”.
Sæt prik i “Vis skjulte filer og mapper”.

3. Dernæst genstart i Fejlsikret tilstand (ved at taste F8 under opstart).

4. Kør HijackThis, scan og sæt et flueben ud for følgende linier - luk øvrige programvinduer - klik “Fix checked”:

R1 - HKCU/Software/Microsoft/Internet Explorer/Main,SearchURL = http://ie.marketdart.com
R1 - HKLM/Software/Microsoft/Internet Explorer/Search,(Default) = about:blank
O4 - HKLM/../Run: [QuickTime Task] “C:/Program Files/QuickTime/qttask.exe” -atboottime
O4 - HKLM/../Run: [Winhost] C:/WINNT/winh.exe
O4 - HKLM/../Run: [TkBellExe] “C:/Program Files/Common Files/Real/Update_OB/realsched.exe” -osboot
O4 - HKLM/../Run: [win32.exe] C:/WINNT/win32.exe
O4 - HKCU/../Run: [System Update] C:/WINNT/System/webcheck.exe
O4 - HKCU/../Run: [Esau] C:/Documents and Settings/Administrator/Application Data/etps.exe
O4 - HKCU/../Run: [WNSC] C:/WINNT/System32/wnsintsv.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:/Program Files/Microsoft Office/Office/OSA9.EXE
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:/winnt/win.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/01e33d3d4dd7156bd920/netzip/RdxIE601.cab
O19 - User stylesheet: C:/WINNT/win32.bmp

5. Find og slet

C:/WINNT/winh.exe
C:/WINNT/win32.exe
C:/WINNT/System/webcheck.exe
C:/Documents and Settings/Administrator/Application Data/etps.exe
C:/WINNT/System32/wnsintsv.exe
c:/winnt/win.exe

6. Genstart din computer i Normal tilstand, kør HijackThis, scan og læg en frisk log herind.

Her er en ny log efter brug af hijackthis i fejlsikret tilstand og sletning af filer i winnt.

Jeg har forresten Windows 2000. Så jeg regner ikke med at step 1 i din vejledning gør sig gældende.

Jeg har desuden fundet en fil c:/WINNT/System/wovpost.exe
Er det spyware eller lignende?

Tusind tak for hjælpen indtil videre.

Her er den nye log

Logfile of HijackThis v1.97.7
Scan saved at 16:22:45, on 02-05-2004
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:/WINNT/System32/smss.exe
C:/WINNT/system32/winlogon.exe
C:/WINNT/system32/services.exe
C:/WINNT/system32/lsass.exe
C:/WINNT/system32/svchost.exe
C:/WINNT/system32/spoolsv.exe
C:/Program Files/Common Files/Symantec Shared/ccEvtMgr.exe
C:/WINNT/System32/Ati2evxx.exe
C:/WINNT/System32/svchost.exe
C:/Program Files/Norton AntiVirus/navapsvc.exe
C:/Program Files/Norton SystemWorks/Norton Utilities/NPROTECT.EXE
C:/WINNT/system32/regsvc.exe
C:/WINNT/system32/MSTask.exe
C:/Program Files/Norton SystemWorks/Norton Speed Disk/nopdb.exe
C:/WINNT/system32/stisvc.exe
C:/WINNT/System32/WBEM/WinMgmt.exe
C:/WINNT/Explorer.exe
C:/WINNT/System32/mspmspsv.exe
C:/WINNT/system32/services.exe
C:/WINNT/System32/Atiptaxx.exe
C:/Program Files/Common Files/Symantec Shared/SymTray.exe
C:/Program Files/Common Files/Symantec Shared/ccApp.exe
C:/Program Files/Hewlett-Packard/HP Share-to-Web/hpgs2wnd.exe
C:/WINNT/loadqm.exe
C:/WINNT/System32/internat.exe
C:/Program Files/MSN Messenger/MsnMsgr.Exe
C:/Program Files/Common Files/Microsoft Shared/Works Shared/wkcalrem.exe
C:/Program Files/Hewlett-Packard/Digital Imaging/bin/hpobnz08.exe
C:/Program Files/Hewlett-Packard/HP Share-to-Web/hpgs2wnf.exe
C:/Program Files/Hewlett-Packard/Digital Imaging/bin/hposol08.exe
C:/Program Files/Norton SystemWorks/Norton Utilities/SYSDOC32.EXE
C:/Program Files/Hijack This/hijackthis.exe

R1 - HKCU/Software/Microsoft/Windows/CurrentVersion/Internet Settings,ProxyOverride = 127.0.0.1
F1 - win.ini: run=C:/WINNT/system32/services/services.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:/Program Files/Adobe/Acrobat 5.0/Reader/ActiveX/AcroIEHelper.ocx
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:/Program Files/Popup Manager/PopupMgr_1.0.1.5.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:/PROGRA~1/FLASHGET/jccatch.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:/program files/google/googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:/Program Files/Norton AntiVirus/NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:/Program Files/Norton AntiVirus/NavShExt.dll
O3 - Toolbar: &Radio; - {8E718888-423F-11D2-876E-00A0C9082467} - C:/WINNT/System32/msdxm.ocx
O3 - Toolbar: &Google; - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:/program files/google/googletoolbar1.dll
O4 - HKLM/../Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM/../Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM/../Run: [SymTray - Norton SystemWorks] C:/Program Files/Common Files/Symantec Shared/SymTray.exe “Norton SystemWorks”
O4 - HKLM/../Run: [ccApp] “C:/Program Files/Common Files/Symantec Shared/ccApp.exe”
O4 - HKLM/../Run: [ccRegVfy] “C:/Program Files/Common Files/Symantec Shared/ccRegVfy.exe”
O4 - HKLM/../Run: [Advanced Tools Check] C:/PROGRA~1/NORTON~2/AdvTools/ADVCHK.EXE
O4 - HKLM/../Run: [Share-to-Web Namespace Daemon] C:/Program Files/Hewlett-Packard/HP Share-to-Web/hpgs2wnd.exe
O4 - HKLM/../Run: [LoadQM] loadqm.exe
O4 - HKCU/../Run: [internat.exe] internat.exe
O4 - HKCU/../Run: [MsnMsgr] “C:/Program Files/MSN Messenger/MsnMsgr.Exe” /background
O4 - Startup: Norton System Doctor.lnk = C:/Program Files/Norton SystemWorks/Norton Utilities/SYSDOC32.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:/Program Files/Common Files/Microsoft Shared/Works Shared/wkcalrem.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:/Program Files/Hewlett-Packard/Digital Imaging/bin/hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = C:/Program Files/Hewlett-Packard/Digital Imaging/bin/hposol08.exe
O8 - Extra context menu item: &Google; Search - res://C:/Program Files/Google/GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links; - res://C:/Program Files/Google/GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed; Snapshot of Page - res://C:/Program Files/Google/GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:/Program Files/FlashGet/jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:/Program Files/FlashGet/jc_link.htm
O8 - Extra context menu item: Si&milar; Pages - res://C:/Program Files/Google/GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:/Program Files/Google/GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ICQ (HKLM)
O9 - Extra ‘Tools’ menuitem: ICQ (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra ‘Tools’ menuitem: &FlashGet; (HKLM)
O12 - Plugin for .spop: C:/Program Files/Internet Explorer/Plugins/NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey®) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O16 - DPF: {F6A56D95-A3A3-11D2-AC26-400000058481} (Danske e-Sec) - https://netbank.danskebank.dk/netbank/activex/DanskeSikker.cab

Jeg ved ikke hvordan jeg bar mig ad med at overse denne, men den skal også fixes (beklager):

F1 - win.ini: run=C:/WINNT/system32/services/services.exe

Find og slet mappen: C:/WINNT/system32/services

Genstart og læg en frisk log herind

Ok. Hehe. Det er mig der er super taknemmelig for hjælpen

Logfile of HijackThis v1.97.7
Scan saved at 17:26:48, on 02-05-2004
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:/WINNT/System32/smss.exe
C:/WINNT/system32/winlogon.exe
C:/WINNT/system32/services.exe
C:/WINNT/system32/lsass.exe
C:/WINNT/system32/svchost.exe
C:/WINNT/system32/spoolsv.exe
C:/Program Files/Common Files/Symantec Shared/ccEvtMgr.exe
C:/WINNT/System32/Ati2evxx.exe
C:/WINNT/System32/svchost.exe
C:/Program Files/Norton AntiVirus/navapsvc.exe
C:/Program Files/Norton SystemWorks/Norton Utilities/NPROTECT.EXE
C:/WINNT/system32/regsvc.exe
C:/WINNT/system32/MSTask.exe
C:/Program Files/Norton SystemWorks/Norton Speed Disk/nopdb.exe
C:/WINNT/system32/stisvc.exe
C:/WINNT/System32/WBEM/WinMgmt.exe
C:/WINNT/System32/mspmspsv.exe
C:/WINNT/Explorer.exe
C:/WINNT/System32/Atiptaxx.exe
C:/Program Files/Common Files/Symantec Shared/SymTray.exe
C:/Program Files/Common Files/Symantec Shared/ccApp.exe
C:/Program Files/Hewlett-Packard/HP Share-to-Web/hpgs2wnd.exe
C:/WINNT/loadqm.exe
C:/WINNT/System32/internat.exe
C:/Program Files/MSN Messenger/MsnMsgr.Exe
C:/Program Files/Common Files/Microsoft Shared/Works Shared/wkcalrem.exe
C:/Program Files/Hewlett-Packard/HP Share-to-Web/hpgs2wnf.exe
C:/Program Files/Hewlett-Packard/Digital Imaging/bin/hpobnz08.exe
C:/Program Files/Hewlett-Packard/Digital Imaging/bin/hposol08.exe
C:/Program Files/Norton SystemWorks/Norton Utilities/SYSDOC32.EXE
C:/Program Files/Hijack This/hijackthis.exe

R1 - HKCU/Software/Microsoft/Windows/CurrentVersion/Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:/Program Files/Adobe/Acrobat 5.0/Reader/ActiveX/AcroIEHelper.ocx
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:/Program Files/Popup Manager/PopupMgr_1.0.1.5.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:/PROGRA~1/FLASHGET/jccatch.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:/program files/google/googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:/Program Files/Norton AntiVirus/NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:/Program Files/Norton AntiVirus/NavShExt.dll
O3 - Toolbar: &Radio; - {8E718888-423F-11D2-876E-00A0C9082467} - C:/WINNT/System32/msdxm.ocx
O3 - Toolbar: &Google; - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:/program files/google/googletoolbar1.dll
O4 - HKLM/../Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM/../Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM/../Run: [SymTray - Norton SystemWorks] C:/Program Files/Common Files/Symantec Shared/SymTray.exe “Norton SystemWorks”
O4 - HKLM/../Run: [ccApp] “C:/Program Files/Common Files/Symantec Shared/ccApp.exe”
O4 - HKLM/../Run: [ccRegVfy] “C:/Program Files/Common Files/Symantec Shared/ccRegVfy.exe”
O4 - HKLM/../Run: [Advanced Tools Check] C:/PROGRA~1/NORTON~2/AdvTools/ADVCHK.EXE
O4 - HKLM/../Run: [Share-to-Web Namespace Daemon] C:/Program Files/Hewlett-Packard/HP Share-to-Web/hpgs2wnd.exe
O4 - HKLM/../Run: [LoadQM] loadqm.exe
O4 - HKCU/../Run: [internat.exe] internat.exe
O4 - HKCU/../Run: [MsnMsgr] “C:/Program Files/MSN Messenger/MsnMsgr.Exe” /background
O4 - Startup: Norton System Doctor.lnk = C:/Program Files/Norton SystemWorks/Norton Utilities/SYSDOC32.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:/Program Files/Common Files/Microsoft Shared/Works Shared/wkcalrem.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:/Program Files/Hewlett-Packard/Digital Imaging/bin/hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = C:/Program Files/Hewlett-Packard/Digital Imaging/bin/hposol08.exe
O8 - Extra context menu item: &Google; Search - res://C:/Program Files/Google/GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links; - res://C:/Program Files/Google/GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed; Snapshot of Page - res://C:/Program Files/Google/GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:/Program Files/FlashGet/jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:/Program Files/FlashGet/jc_link.htm
O8 - Extra context menu item: Si&milar; Pages - res://C:/Program Files/Google/GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:/Program Files/Google/GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ICQ (HKLM)
O9 - Extra ‘Tools’ menuitem: ICQ (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra ‘Tools’ menuitem: &FlashGet; (HKLM)
O12 - Plugin for .spop: C:/Program Files/Internet Explorer/Plugins/NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey®) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O16 - DPF: {F6A56D95-A3A3-11D2-AC26-400000058481} (Danske e-Sec) - https://netbank.danskebank.dk/netbank/activex/DanskeSikker.cab

Det var bedre - din log er ren

Du skal lige have et par gode råd om sikker surfing med på vejen:

http://www.spywarefri.dk/pakken.htm

Det bedste råd jeg kan give dig er dog at opdatere din WIN2000 - man er nået til SP4.

God fornøjelse

Tusind tak for hjælpen.
Så er jeg ellers igang med at installere anti spyware programmer. Rigtig fed service i har gang i. Har også fået lyst til at donere en smule til jer.
Håber det kommer til at gå jer godt fremover.
Hilsener

Hej staaloeknudsen

Velbekommen. Vi er glade for at vi kunne hjælpe dig. Og det er virkelig godt at du henter de prg. der, de beskytter dig mægtig godt.
Jeg vil da også på vegne af hele TeamSpywarefri takke for at du vil være med til at støtte vores arbejde her i forum. Tak for det. [:D]

Jeg låser tråden igen, og har du brug for os en anden gang, så opretter du bare et nyt spørgsmål.