Receiving strange emails + start page in IE
ripley
Posts: 30

Hi!

I've suddenly started receiving a number of strange emails with odd characters, and I can't change the start page in IE - it keeps loading a search-engine page I don't recognise.
I've used Ad-Aware and SpyBot, which also found a bit of everything that has now been removed, but the problems above aren't solved.
I hope you can help me :o)

Regards, Anna :o)

ripley
Posts: 30

Hi again!

Just dropping a HijackThis log here:

Logfile of HijackThis v1.97.7
Scan saved at 17:10:14, on 16-05-2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:/WINNT/System32/smss.exe
C:/WINNT/system32/winlogon.exe
C:/WINNT/system32/services.exe
C:/WINNT/system32/lsass.exe
C:/WINNT/system32/svchost.exe
C:/WINNT/System32/svchost.exe
C:/WINNT/system32/spoolsv.exe
C:/Programmer/NavNT/defwatch.exe
C:/Programmer/NavNT/rtvscan.exe
C:/WINNT/System32/nvsvc32.exe
C:/WINNT/system32/regsvc.exe
C:/WINNT/system32/MSTask.exe
C:/Programmer/SSH Communications Security/SSH Sentinel/sshipm.exe
C:/Programmer/SSH Communications Security/SSH Sentinel/sshmonitor.exe
C:/WINNT/system32/stisvc.exe
C:/WINNT/SYSTEM32/THOTKEY.EXE
C:/Programmer/TOSHIBA/TME3/Tmesbs3.exe
C:/Programmer/TOSHIBA/TME3/Tmesrv3.exe
C:/WINNT/System32/WBEM/WinMgmt.exe
C:/WINNT/System32/mspmspsv.exe
C:/WINNT/system32/svchost.exe
C:/WINNT/System32/MsgSys.EXE
C:/WINNT/Explorer.EXE
C:/WINNT/System32/TPWRTRAY.EXE
C:/WINNT/System32/TFNF5.exe
C:/Programmer/TOSHIBA/Wireless Hotkey/TosHKCW.exe
C:/Programmer/NavNT/vptray.exe
C:/Programmer/QuickTime/qttask.exe
C:/Programmer/Hewlett-Packard/PhotoSmart/Photo Imaging/Hpi_JetSend.exe
C:/Programmer/Hewlett-Packard/PhotoSmart/Photo Imaging/Hpi_Monitor.exe
C:/Programmer/Fælles filer/Real/Update_OB/realsched.exe
C:/PROGRA~1/FragPlus/cdrom mags.exe
C:/WINNT/dl.exe
C:/WINNT/winupd.exe
C:/Programmer/Microsoft Office/Office/OSA.EXE
C:/Programmer/Microsoft Office/Office/MSOFFICE.EXE
C:/Programmer/SSH Communications Security/SSH Sentinel/sshtray.exe
C:/Programmer/SSH Communications Security/SSH Sentinel/Accession/ssh_accession.exe
C:/WINNT/System32/SCardSvr.exe
C:/WINNT/System32/wuauclt.exe
C:/PROGRA~1/WinZip/winzip32.exe
C:/Anna/hiJackThis/HijackThis.exe

R1 - HKCU/Software/Microsoft/Internet Explorer/Main,Search Bar = res://C:/WINNT/System32/jhfljlc.dll/sp.html (obfuscated)
R1 - HKCU/Software/Microsoft/Internet Explorer/Main,Search Page = res://C:/WINNT/System32/jhfljlc.dll/sp.html (obfuscated)
R1 - HKCU/Software/Microsoft/Internet Explorer/Search,SearchAssistant = res://C:/WINNT/System32/jhfljlc.dll/sp.html (obfuscated)
R1 - HKLM/Software/Microsoft/Internet Explorer/Main,Search Bar = res://C:/WINNT/System32/jhfljlc.dll/sp.html (obfuscated)
R1 - HKLM/Software/Microsoft/Internet Explorer/Main,Search Page = res://C:/WINNT/System32/jhfljlc.dll/sp.html (obfuscated)
R0 - HKLM/Software/Microsoft/Internet Explorer/Search,SearchAssistant = res://C:/WINNT/System32/jhfljlc.dll/sp.html (obfuscated)
R1 - HKCU/Software/Microsoft/Internet Explorer/Main,HomeOldSP = about:blank
R0 - HKCU/Software/Microsoft/Internet Explorer/Toolbar,LinksFolderName = Hyperlinks
O1 - Hosts: 193.166.100.251 mail
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:/Programmer/Adobe/Acrobat 5.0/Reader/ActiveX/AcroIEHelper.ocx
O2 - BHO: (no name) - {83534DFC-02B8-4D60-86D0-830E8F4F1ACF} - C:/WINNT/System32/jhfljlc.dll
O3 - Toolbar: &Radio; - {8E718888-423F-11D2-876E-00A0C9082467} - C:/WINNT/System32/msdxm.ocx
O4 - HKLM/../Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM/../Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM/../Run: [000StTHK] 000StTHK.exe
O4 - HKLM/../Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM/../Run: [TMESRV.EXE] C:/Programmer/TOSHIBA/TME3/TMESRV3.EXE /Logon
O4 - HKLM/../Run: [TMESBS.EXE] C:/Programmer/TOSHIBA/TME3/TMESBS3.EXE /logon
O4 - HKLM/../Run: [TFNF5] TFNF5.exe
O4 - HKLM/../Run: [TosHKCW.exe] C:/Programmer/TOSHIBA/Wireless Hotkey/TosHKCW.exe
O4 - HKLM/../Run: [vptray] C:/Programmer/NavNT/vptray.exe
O4 - HKLM/../Run: [QuickTime Task] "C:/Programmer/QuickTime/qttask.exe" -atboottime
O4 - HKLM/../Run: [SetupType] Portable
O4 - HKLM/../Run: [HPIJetSend] C:/Programmer/Hewlett-Packard/PhotoSmart/Photo Imaging/Hpi_JetSend.exe
O4 - HKLM/../Run: [CXMon] "C:/Programmer/Hewlett-Packard/PhotoSmart/Photo Imaging/Hpi_Monitor.exe"
O4 - HKLM/../Run: [windows auto update] msblast.exe
O4 - HKLM/../Run: [TkBellExe] "C:/Programmer/Fælles filer/Real/Update_OB/realsched.exe" -osboot
O4 - HKLM/../Run: [Dale Skip] C:/PROGRA~1/FragPlus/cdrom mags.exe
O4 - HKLM/../Run: [Dial32] C:/WINNT/dl.exe
O4 - HKLM/../Run: [Upgrade Service] C:/WINNT/winupd.exe
O4 - Global Startup: Microsoft Office-start.lnk = C:/Programmer/Microsoft Office/Office/OSA.EXE
O4 - Global Startup: Microsoft Office Programlinje.lnk = C:/Programmer/Microsoft Office/Office/MSOFFICE.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = ?
O4 - Global Startup: SSH Sentinel Agent.lnk = C:/Programmer/SSH Communications Security/SSH Sentinel/sshtray.exe
O4 - Global Startup: SSH Accession.lnk = C:/Programmer/SSH Communications Security/SSH Sentinel/Accession/ssh_accession.exe
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0556834E-F56C-4545-8FAD-4F0ED25999BE} (Jackie Control) - http://www.6jackpot.com/dialup/jackie.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/23ae25885320f837f420/netzip/RdxIE601.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37539.5235416667
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Editor
Posts: 17644

Hi ripley, and welcome to Spywarefri.dk

I need a couple of guinea pigs for a new fix, so I'll refer you to this link:

http://home8.inet.tele.dk/fbj/CWSfix.htm

Just come back as soon as you run into problems. I should perhaps say that you have several problems, so you need to come back in any case.

Have fun :)

Signature

Good advice about security....

ripley
Posts: 30

Hi again!

I've now run through the whole fix and have the following:

Fresh HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 21:54:59, on 16-05-2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:/WINNT/System32/smss.exe
C:/WINNT/system32/winlogon.exe
C:/WINNT/system32/services.exe
C:/WINNT/system32/lsass.exe
C:/WINNT/system32/svchost.exe
C:/WINNT/System32/svchost.exe
C:/WINNT/system32/spoolsv.exe
C:/Programmer/NavNT/defwatch.exe
C:/Programmer/NavNT/rtvscan.exe
C:/WINNT/System32/nvsvc32.exe
C:/WINNT/system32/regsvc.exe
C:/WINNT/system32/MSTask.exe
C:/Programmer/SSH Communications Security/SSH Sentinel/sshipm.exe
C:/Programmer/SSH Communications Security/SSH Sentinel/sshmonitor.exe
C:/WINNT/system32/stisvc.exe
C:/WINNT/SYSTEM32/THOTKEY.EXE
C:/Programmer/TOSHIBA/TME3/Tmesbs3.exe
C:/Programmer/TOSHIBA/TME3/Tmesrv3.exe
C:/WINNT/System32/WBEM/WinMgmt.exe
C:/WINNT/System32/mspmspsv.exe
C:/WINNT/system32/svchost.exe
C:/WINNT/Explorer.EXE
C:/WINNT/System32/MsgSys.EXE
C:/WINNT/System32/TPWRTRAY.EXE
C:/WINNT/System32/TFNF5.exe
C:/Programmer/TOSHIBA/Wireless Hotkey/TosHKCW.exe
C:/Programmer/NavNT/vptray.exe
C:/Programmer/QuickTime/qttask.exe
C:/Programmer/Hewlett-Packard/PhotoSmart/Photo Imaging/Hpi_JetSend.exe
C:/Programmer/Hewlett-Packard/PhotoSmart/Photo Imaging/Hpi_Monitor.exe
C:/Programmer/Fælles filer/Real/Update_OB/realsched.exe
C:/PROGRA~1/FragPlus/cdrom mags.exe
C:/WINNT/winupd.exe
C:/Programmer/Microsoft Office/Office/OSA.EXE
C:/Programmer/Microsoft Office/Office/MSOFFICE.EXE
C:/Programmer/SSH Communications Security/SSH Sentinel/sshtray.exe
C:/Programmer/SSH Communications Security/SSH Sentinel/Accession/ssh_accession.exe
C:/WINNT/System32/SCardSvr.exe
C:/Anna/hiJackThis/HijackThis.exe

R1 - HKCU/Software/Microsoft/Internet Explorer/Main,HomeOldSP = about:blank
R0 - HKCU/Software/Microsoft/Internet Explorer/Toolbar,LinksFolderName = Hyperlinks
O1 - Hosts: 193.166.100.251 mail
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:/Programmer/Adobe/Acrobat 5.0/Reader/ActiveX/AcroIEHelper.ocx
O3 - Toolbar: &Radio; - {8E718888-423F-11D2-876E-00A0C9082467} - C:/WINNT/System32/msdxm.ocx
O4 - HKLM/../Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM/../Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM/../Run: [000StTHK] 000StTHK.exe
O4 - HKLM/../Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM/../Run: [TMESRV.EXE] C:/Programmer/TOSHIBA/TME3/TMESRV3.EXE /Logon
O4 - HKLM/../Run: [TMESBS.EXE] C:/Programmer/TOSHIBA/TME3/TMESBS3.EXE /logon
O4 - HKLM/../Run: [TFNF5] TFNF5.exe
O4 - HKLM/../Run: [TosHKCW.exe] C:/Programmer/TOSHIBA/Wireless Hotkey/TosHKCW.exe
O4 - HKLM/../Run: [vptray] C:/Programmer/NavNT/vptray.exe
O4 - HKLM/../Run: [QuickTime Task] "C:/Programmer/QuickTime/qttask.exe" -atboottime
O4 - HKLM/../Run: [SetupType] Portable
O4 - HKLM/../Run: [HPIJetSend] C:/Programmer/Hewlett-Packard/PhotoSmart/Photo Imaging/Hpi_JetSend.exe
O4 - HKLM/../Run: [CXMon] "C:/Programmer/Hewlett-Packard/PhotoSmart/Photo Imaging/Hpi_Monitor.exe"
O4 - HKLM/../Run: [windows auto update] msblast.exe
O4 - HKLM/../Run: [TkBellExe] "C:/Programmer/Fælles filer/Real/Update_OB/realsched.exe" -osboot
O4 - HKLM/../Run: [Dale Skip] C:/PROGRA~1/FragPlus/cdrom mags.exe
O4 - HKLM/../Run: [Upgrade Service] C:/WINNT/winupd.exe
O4 - Global Startup: Microsoft Office-start.lnk = C:/Programmer/Microsoft Office/Office/OSA.EXE
O4 - Global Startup: Microsoft Office Programlinje.lnk = C:/Programmer/Microsoft Office/Office/MSOFFICE.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = ?
O4 - Global Startup: SSH Sentinel Agent.lnk = C:/Programmer/SSH Communications Security/SSH Sentinel/sshtray.exe
O4 - Global Startup: SSH Accession.lnk = C:/Programmer/SSH Communications Security/SSH Sentinel/Accession/ssh_accession.exe
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0556834E-F56C-4545-8FAD-4F0ED25999BE} (Jackie Control) - http://www.6jackpot.com/dialup/jackie.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/23ae25885320f837f420/netzip/RdxIE601.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37539.5235416667
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

********************************************************************

And a fresh output.txt from dllFix:

********************************************************************

--===**'FIND-ALL' VERSION 3, 5/11**===--

Sun May 16 22:00:02 2004--Results:

System Info:

Microsoft Windows 2000 [version 5.00.2195]
C: "LOKAL DISK" (0860:11EF) - FS:FAT clusters:16k
Total: 19 985 874 944 [19G] - Free: 16 141 025 280 [15G]


Locked or 'Suspect' file(s) found...
* result//?/C:/WINNT/System32/HLPL.DLL


REGEDIT4

[HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Browser Helper Objects]

[HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Browser Helper Objects/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

REGEDIT4

[HKEY_CLASSES_ROOT/PROTOCOLS/Filter]

[HKEY_CLASSES_ROOT/PROTOCOLS/Filter/Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT/PROTOCOLS/Filter/deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT/PROTOCOLS/Filter/gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT/PROTOCOLS/Filter/lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT/PROTOCOLS/Filter/text/webviewhtml]
@="MIME-filter til WebView"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Windows:
(NI)  ALLOW Read       BUILTIN/Brugere
(IO)  ALLOW Read       BUILTIN/Brugere
(NI)  ALLOW Read       BUILTIN/Superbrugere
(IO)  ALLOW Read       BUILTIN/Superbrugere
(NI)  ALLOW Full access BUILTIN/Administratorer
(IO)  ALLOW Full access BUILTIN/Administratorer
(NI)  ALLOW Full access NT AUTHORITY/SYSTEM
(IO)  ALLOW Full access NT AUTHORITY/SYSTEM
(NI)  ALLOW Full access BUILTIN/Administratorer
(IO)  ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Windows:
Read       BUILTIN/Brugere
Read       BUILTIN/Superbrugere
Full access   BUILTIN/Administratorer
Full access   NT AUTHORITY/SYSTEM


Hope that means something to you!
My start page in IE is now a different one - one I do know ??!!

My start page settings in the browser are completely ignored :o(

Editor
Posts: 17644

Did you run Start.bat - option 2, sub-option 1 - and enter the name "HLPL.DLL"? It doesn't look like it worked.

First you need to get rid of the "boss file" - the one that controls the others :)

Download TheKillBox - http://home8.inet.tele.dk/fbj/TheKillBox.exe

Run the program and copy this text into the text field - C:/WINNT/System32/HLPL.DLL - and click "Find and Kill this file". If that doesn't work, repeat the procedure, but instead of "Find and kill.." click the green arrow (bottom left), choose "Add file" and click "Delete on reboot". You can find the instructions here:

http://home8.inet.tele.dk/fbj/TheKillBoxBrugsanvisning.htm

Once the file is deleted - and hopefully it will be - scan with Ad-Aware and CWShredder.

Now download and run this tool:

http://securityresponse.symantec.com/avcenter/FixBlast.exe

Post a new log here when you're ready.


ripley
Posts: 30

Hi again!

I should just say that the start page thing is fine now.
I was a bit silly and opened a browser that was a shortcut to the page I do know :o/

As for TheKillBox, I've downloaded the program, but it won't run. I get an error message saying that a single file is missing or isn't registered, so the program can't run.

Are there other places one can download it from?

Administrator
Posts: 55091

Which file does it report the error on?
Missingfiles: http://danborg.org/spyware/Spyblaster_Guard/missingfilesetup.exe
Vbrun: http://danborg.org/spyware/Spyblaster_Guard/vbrun60sp5.exe
Try downloading those two and see if that doesn't help.

Signature

Member of "Alliance of Security Analysis Professionals" - All information, as always, "only at gunpoint"

Did you also cry over the fairy tale about the blacksmith's cat when you were little?
http://www.spywarefri.dk/medarbejderne/

Nierne bomaye - You'll never walk alone
Whoever can, is obliged

ripley
Posts: 30

Brilliant - now I could run TheKillBox.

I've now followed all the steps you described - so here is a fresh log:

Logfile of HijackThis v1.97.7
Scan saved at 21:30:37, on 17-05-2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:/WINNT/System32/smss.exe
C:/WINNT/system32/winlogon.exe
C:/WINNT/system32/services.exe
C:/WINNT/system32/lsass.exe
C:/WINNT/system32/svchost.exe
C:/WINNT/System32/svchost.exe
C:/WINNT/system32/spoolsv.exe
C:/Programmer/NavNT/defwatch.exe
C:/Programmer/NavNT/rtvscan.exe
C:/WINNT/System32/nvsvc32.exe
C:/WINNT/system32/regsvc.exe
C:/WINNT/system32/MSTask.exe
C:/Programmer/SSH Communications Security/SSH Sentinel/sshipm.exe
C:/Programmer/SSH Communications Security/SSH Sentinel/sshmonitor.exe
C:/WINNT/system32/stisvc.exe
C:/WINNT/SYSTEM32/THOTKEY.EXE
C:/Programmer/TOSHIBA/TME3/Tmesbs3.exe
C:/Programmer/TOSHIBA/TME3/Tmesrv3.exe
C:/WINNT/System32/WBEM/WinMgmt.exe
C:/WINNT/System32/mspmspsv.exe
C:/WINNT/system32/svchost.exe
C:/WINNT/Explorer.EXE
C:/WINNT/System32/MsgSys.EXE
C:/WINNT/System32/TPWRTRAY.EXE
C:/WINNT/System32/TFNF5.exe
C:/Programmer/TOSHIBA/Wireless Hotkey/TosHKCW.exe
C:/Programmer/NavNT/vptray.exe
C:/Programmer/QuickTime/qttask.exe
C:/Programmer/Hewlett-Packard/PhotoSmart/Photo Imaging/Hpi_JetSend.exe
C:/Programmer/Hewlett-Packard/PhotoSmart/Photo Imaging/Hpi_Monitor.exe
C:/Programmer/Fælles filer/Real/Update_OB/realsched.exe
C:/PROGRA~1/FragPlus/cdrom mags.exe
C:/WINNT/winupd.exe
C:/Programmer/Microsoft Office/Office/OSA.EXE
C:/Programmer/Microsoft Office/Office/MSOFFICE.EXE
C:/Programmer/SSH Communications Security/SSH Sentinel/sshtray.exe
C:/Programmer/SSH Communications Security/SSH Sentinel/Accession/ssh_accession.exe
C:/WINNT/System32/SCardSvr.exe
C:/WINNT/System32/wuauclt.exe
C:/Anna/hiJackThis/HijackThis.exe

R0 - HKCU/Software/Microsoft/Internet Explorer/Main,Start Page = http://www.borsen.dk/
R1 - HKCU/Software/Microsoft/Internet Explorer/Main,HomeOldSP = about:blank
R0 - HKCU/Software/Microsoft/Internet Explorer/Toolbar,LinksFolderName = Hyperlinks
O1 - Hosts: 193.166.100.251 mail
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:/Programmer/Adobe/Acrobat 5.0/Reader/ActiveX/AcroIEHelper.ocx
O3 - Toolbar: &Radio; - {8E718888-423F-11D2-876E-00A0C9082467} - C:/WINNT/System32/msdxm.ocx
O4 - HKLM/../Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM/../Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM/../Run: [000StTHK] 000StTHK.exe
O4 - HKLM/../Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM/../Run: [TMESRV.EXE] C:/Programmer/TOSHIBA/TME3/TMESRV3.EXE /Logon
O4 - HKLM/../Run: [TMESBS.EXE] C:/Programmer/TOSHIBA/TME3/TMESBS3.EXE /logon
O4 - HKLM/../Run: [TFNF5] TFNF5.exe
O4 - HKLM/../Run: [TosHKCW.exe] C:/Programmer/TOSHIBA/Wireless Hotkey/TosHKCW.exe
O4 - HKLM/../Run: [vptray] C:/Programmer/NavNT/vptray.exe
O4 - HKLM/../Run: [QuickTime Task] "C:/Programmer/QuickTime/qttask.exe" -atboottime
O4 - HKLM/../Run: [SetupType] Portable
O4 - HKLM/../Run: [HPIJetSend] C:/Programmer/Hewlett-Packard/PhotoSmart/Photo Imaging/Hpi_JetSend.exe
O4 - HKLM/../Run: [CXMon] "C:/Programmer/Hewlett-Packard/PhotoSmart/Photo Imaging/Hpi_Monitor.exe"
O4 - HKLM/../Run: [windows auto update] msblast.exe
O4 - HKLM/../Run: [TkBellExe] "C:/Programmer/Fælles filer/Real/Update_OB/realsched.exe" -osboot
O4 - HKLM/../Run: [Dale Skip] C:/PROGRA~1/FragPlus/cdrom mags.exe
O4 - HKLM/../Run: [Upgrade Service] C:/WINNT/winupd.exe
O4 - Global Startup: Microsoft Office-start.lnk = C:/Programmer/Microsoft Office/Office/OSA.EXE
O4 - Global Startup: Microsoft Office Programlinje.lnk = C:/Programmer/Microsoft Office/Office/MSOFFICE.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = ?
O4 - Global Startup: SSH Sentinel Agent.lnk = C:/Programmer/SSH Communications Security/SSH Sentinel/sshtray.exe
O4 - Global Startup: SSH Accession.lnk = C:/Programmer/SSH Communications Security/SSH Sentinel/Accession/ssh_accession.exe
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0556834E-F56C-4545-8FAD-4F0ED25999BE} (Jackie Control) - http://www.6jackpot.com/dialup/jackie.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/23ae25885320f837f420/netzip/RdxIE601.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37539.5235416667
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Editor
Posts: 17644

I assume you've run FixBlast.exe (and it didn't work). Download Stinger and run it:

http://vil.nai.com/vil/stinger/

Post a fresh HijackThis log here when you've done that.


ripley
Posts: 30

Hi again!

I had forgotten to run FixBlast. That's done now.
I've also downloaded and run Stinger.

So here is a new log file:

******************************************************************

Logfile of HijackThis v1.97.7
Scan saved at 22:14:10, on 17-05-2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:/WINNT/System32/smss.exe
C:/WINNT/system32/winlogon.exe
C:/WINNT/system32/services.exe
C:/WINNT/system32/lsass.exe
C:/WINNT/system32/svchost.exe
C:/WINNT/System32/svchost.exe
C:/WINNT/system32/spoolsv.exe
C:/Programmer/NavNT/defwatch.exe
C:/Programmer/NavNT/rtvscan.exe
C:/WINNT/System32/nvsvc32.exe
C:/WINNT/system32/regsvc.exe
C:/WINNT/system32/MSTask.exe
C:/Programmer/SSH Communications Security/SSH Sentinel/sshipm.exe
C:/Programmer/SSH Communications Security/SSH Sentinel/sshmonitor.exe
C:/WINNT/system32/stisvc.exe
C:/WINNT/SYSTEM32/THOTKEY.EXE
C:/Programmer/TOSHIBA/TME3/Tmesbs3.exe
C:/Programmer/TOSHIBA/TME3/Tmesrv3.exe
C:/WINNT/System32/WBEM/WinMgmt.exe
C:/WINNT/System32/mspmspsv.exe
C:/WINNT/system32/svchost.exe
C:/WINNT/Explorer.EXE
C:/WINNT/System32/MsgSys.EXE
C:/WINNT/System32/TPWRTRAY.EXE
C:/WINNT/System32/TFNF5.exe
C:/Programmer/TOSHIBA/Wireless Hotkey/TosHKCW.exe
C:/Programmer/NavNT/vptray.exe
C:/Programmer/QuickTime/qttask.exe
C:/Programmer/Hewlett-Packard/PhotoSmart/Photo Imaging/Hpi_JetSend.exe
C:/Programmer/Hewlett-Packard/PhotoSmart/Photo Imaging/Hpi_Monitor.exe
C:/Programmer/Fælles filer/Real/Update_OB/realsched.exe
C:/PROGRA~1/FragPlus/cdrom mags.exe
C:/WINNT/winupd.exe
C:/Programmer/Internet Explorer/IEXPLORE.EXE
C:/Programmer/Microsoft Office/Office/OSA.EXE
C:/Programmer/SSH Communications Security/SSH Sentinel/sshtray.exe
C:/Programmer/SSH Communications Security/SSH Sentinel/Accession/ssh_accession.exe
C:/WINNT/System32/SCardSvr.exe
C:/WINNT/System32/wuauclt.exe
C:/Anna/hiJackThis/HijackThis.exe

R0 - HKCU/Software/Microsoft/Internet Explorer/Main,Start Page = http://www.borsen.dk/
R1 - HKCU/Software/Microsoft/Internet Explorer/Main,HomeOldSP = about:blank
R0 - HKCU/Software/Microsoft/Internet Explorer/Toolbar,LinksFolderName = Hyperlinks
O1 - Hosts: 193.166.100.251 mail
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:/Programmer/Adobe/Acrobat 5.0/Reader/ActiveX/AcroIEHelper.ocx
O3 - Toolbar: &Radio; - {8E718888-423F-11D2-876E-00A0C9082467} - C:/WINNT/System32/msdxm.ocx
O4 - HKLM/../Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM/../Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM/../Run: [000StTHK] 000StTHK.exe
O4 - HKLM/../Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM/../Run: [TMESRV.EXE] C:/Programmer/TOSHIBA/TME3/TMESRV3.EXE /Logon
O4 - HKLM/../Run: [TMESBS.EXE] C:/Programmer/TOSHIBA/TME3/TMESBS3.EXE /logon
O4 - HKLM/../Run: [TFNF5] TFNF5.exe
O4 - HKLM/../Run: [TosHKCW.exe] C:/Programmer/TOSHIBA/Wireless Hotkey/TosHKCW.exe
O4 - HKLM/../Run: [vptray] C:/Programmer/NavNT/vptray.exe
O4 - HKLM/../Run: [QuickTime Task] "C:/Programmer/QuickTime/qttask.exe" -atboottime
O4 - HKLM/../Run: [SetupType] Portable
O4 - HKLM/../Run: [HPIJetSend] C:/Programmer/Hewlett-Packard/PhotoSmart/Photo Imaging/Hpi_JetSend.exe
O4 - HKLM/../Run: [CXMon] "C:/Programmer/Hewlett-Packard/PhotoSmart/Photo Imaging/Hpi_Monitor.exe"
O4 - HKLM/../Run: [TkBellExe] "C:/Programmer/Fælles filer/Real/Update_OB/realsched.exe" -osboot
O4 - HKLM/../Run: [Dale Skip] C:/PROGRA~1/FragPlus/cdrom mags.exe
O4 - HKLM/../Run: [Upgrade Service] C:/WINNT/winupd.exe
O4 - Global Startup: Microsoft Office-start.lnk = C:/Programmer/Microsoft Office/Office/OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = ?
O4 - Global Startup: SSH Sentinel Agent.lnk = C:/Programmer/SSH Communications Security/SSH Sentinel/sshtray.exe
O4 - Global Startup: SSH Accession.lnk = C:/Programmer/SSH Communications Security/SSH Sentinel/Accession/ssh_accession.exe
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0556834E-F56C-4545-8FAD-4F0ED25999BE} (Jackie Control) - http://www.6jackpot.com/dialup/jackie.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/23ae25885320f837f420/netzip/RdxIE601.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37539.5235416667
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM/System/CCS/Services/Tcpip/../{34A29A29-1C91-4FB1-A30D-8941AA68ECE6}: NameServer = 193.162.153.164 194.239.134.83

Editor
Posts: 17644

Fine - your Blaster infection is gone.

1. Now you need to get on with the fixing.

2. To be able to see all files:

Open a folder, click Tools => Folder Options => View.
Uncheck "Hide protected operating system files".
Uncheck "Hide file extensions for known file types".
Select "Show hidden files and folders".

3. Then restart in Safe Mode (by pressing F8 during startup).

4. Run HijackThis, scan and tick the following lines - close all other program windows - click "Fix checked":

R1 - HKCU/Software/Microsoft/Internet Explorer/Main,HomeOldSP = about:blank
O4 - HKLM/../Run: [Dale Skip] C:/PROGRA~1/FragPlus/cdrom mags.exe
O4 - HKLM/../Run: [Upgrade Service] C:/WINNT/winupd.exe
O16 - DPF: {0556834E-F56C-4545-8FAD-4F0ED25999BE} (Jackie Control) - http://www.6jackpot.com/dialup/jackie.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/23ae25885320f837f420/netzip/RdxIE601.cab

5. Find and delete

C:/(Programmer or Program Files)/FragPlus <<-- the whole folder
C:/WINNT/winupd.exe

Restart in Normal mode, run HijackThis, scan and post a fresh log here.


ripley
Posts: 30

So that should all be done - and here is a fresh log:

Logfile of HijackThis v1.97.7
Scan saved at 21:03:34, on 18-05-2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:/WINNT/System32/smss.exe
C:/WINNT/system32/winlogon.exe
C:/WINNT/system32/services.exe
C:/WINNT/system32/lsass.exe
C:/WINNT/system32/svchost.exe
C:/WINNT/System32/svchost.exe
C:/WINNT/system32/spoolsv.exe
C:/Programmer/NavNT/defwatch.exe
C:/Programmer/NavNT/rtvscan.exe
C:/WINNT/System32/nvsvc32.exe
C:/WINNT/system32/regsvc.exe
C:/WINNT/system32/MSTask.exe
C:/Programmer/SSH Communications Security/SSH Sentinel/sshipm.exe
C:/Programmer/SSH Communications Security/SSH Sentinel/sshmonitor.exe
C:/WINNT/system32/stisvc.exe
C:/WINNT/SYSTEM32/THOTKEY.EXE
C:/Programmer/TOSHIBA/TME3/Tmesbs3.exe
C:/Programmer/TOSHIBA/TME3/Tmesrv3.exe
C:/WINNT/System32/WBEM/WinMgmt.exe
C:/WINNT/System32/mspmspsv.exe
C:/WINNT/system32/svchost.exe
C:/WINNT/System32/MsgSys.EXE
C:/WINNT/Explorer.EXE
C:/WINNT/System32/TPWRTRAY.EXE
C:/WINNT/System32/TFNF5.exe
C:/Programmer/TOSHIBA/Wireless Hotkey/TosHKCW.exe
C:/Programmer/NavNT/vptray.exe
C:/Programmer/QuickTime/qttask.exe
C:/Programmer/Hewlett-Packard/PhotoSmart/Photo Imaging/Hpi_JetSend.exe
C:/Programmer/Hewlett-Packard/PhotoSmart/Photo Imaging/Hpi_Monitor.exe
C:/Programmer/Fælles filer/Real/Update_OB/realsched.exe
C:/Programmer/Microsoft Office/Office/OSA.EXE
C:/Programmer/SSH Communications Security/SSH Sentinel/sshtray.exe
C:/Programmer/SSH Communications Security/SSH Sentinel/Accession/ssh_accession.exe
C:/Programmer/SpywareGuard/sgmain.exe
C:/Programmer/SpywareGuard/sgbhp.exe
C:/WINNT/System32/SCardSvr.exe
C:/WINNT/System32/wuauclt.exe
C:/Anna/hiJackThis/HijackThis.exe

R0 - HKCU/Software/Microsoft/Internet Explorer/Main,Start Page = http://www.borsen.dk/
R0 - HKCU/Software/Microsoft/Internet Explorer/Toolbar,LinksFolderName = Hyperlinks
O1 - Hosts: 193.166.100.251 mail
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:/Programmer/Adobe/Acrobat 5.0/Reader/ActiveX/AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:/Programmer/SpywareGuard/dlprotect.dll
O3 - Toolbar: &Radio; - {8E718888-423F-11D2-876E-00A0C9082467} - C:/WINNT/System32/msdxm.ocx
O4 - HKLM/../Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM/../Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM/../Run: [000StTHK] 000StTHK.exe
O4 - HKLM/../Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM/../Run: [TMESRV.EXE] C:/Programmer/TOSHIBA/TME3/TMESRV3.EXE /Logon
O4 - HKLM/../Run: [TMESBS.EXE] C:/Programmer/TOSHIBA/TME3/TMESBS3.EXE /logon
O4 - HKLM/../Run: [TFNF5] TFNF5.exe
O4 - HKLM/../Run: [TosHKCW.exe] C:/Programmer/TOSHIBA/Wireless Hotkey/TosHKCW.exe
O4 - HKLM/../Run: [vptray] C:/Programmer/NavNT/vptray.exe
O4 - HKLM/../Run: [QuickTime Task] "C:/Programmer/QuickTime/qttask.exe" -atboottime
O4 - HKLM/../Run: [SetupType] Portable
O4 - HKLM/../Run: [HPIJetSend] C:/Programmer/Hewlett-Packard/PhotoSmart/Photo Imaging/Hpi_JetSend.exe
O4 - HKLM/../Run: [CXMon] "C:/Programmer/Hewlett-Packard/PhotoSmart/Photo Imaging/Hpi_Monitor.exe"
O4 - HKLM/../Run: [TkBellExe] "C:/Programmer/Fælles filer/Real/Update_OB/realsched.exe" -osboot
O4 - Startup: SpywareGuard.lnk = C:/Programmer/SpywareGuard/sgmain.exe
O4 - Global Startup: Microsoft Office-start.lnk = C:/Programmer/Microsoft Office/Office/OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = ?
O4 - Global Startup: SSH Sentinel Agent.lnk = C:/Programmer/SSH Communications Security/SSH Sentinel/sshtray.exe
O4 - Global Startup: SSH Accession.lnk = C:/Programmer/SSH Communications Security/SSH Sentinel/Accession/ssh_accession.exe
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37539.5235416667
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[:p]

Editor
Posts: 25535

Hi ripley

There is just a little bit more that needs fixing:


O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0) -

You can also usefully fix these. They don't disappear, only from Run, where they just sit and eat your resources:
O4 - HKLM/../Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM/../Run: [QuickTime Task] "C:/Programmer/QuickTime/qttask.exe" -atboottime
O4 - HKLM/../Run: [TkBellExe] "C:/Programmer/Fælles filer/Real/Update_OB/realsched.exe" -osboot
O4 - Global Startup: Microsoft Office-start.lnk = C:/Programmer/Microsoft Office/Office/OSA.EXE

Restart, and then hopefully one last log for a check.

Editor
Posts: 25535

I've just got one question for you. Did you put this in your hosts file yourself:
O1 - Hosts: 193.166.100.251 mail ??
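The fix procedure in this thread amounts to reading a HijackThis log, deciding which R/O entries are hijacks, posting a fresh log after each round, and checking that the bad entries are gone (and, as in the question just above, confirming any hosts override with the user). The script below is an added example, not code from the forum or from HijackThis, that does that comparison mechanically: it parses the R*/O* entries of two logs, reports what the fix removed and what appeared since, and flags entries matching the indicators the helpers acted on here (a res:// search page, an unnamed BHO loaded from System32, a Run entry launching an .exe dropped directly into the Windows directory, msblast.exe, an ActiveX download from a bare IP address or a dialler path, and any hosts entry). The two sample logs are constructed from a few lines of the thread's first and last logs; the rule names and the `parse_log`, `diff_logs` and `flag_entries` functions are my own.

```python
import re

# Constructed sample logs (not real captures): a handful of lines in the shape of
# the thread's first (16-05-2004) and final (18-05-2004) HijackThis logs.
BEFORE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\dl.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\jhfljlc.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 193.166.100.251 mail
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {83534DFC-02B8-4D60-86D0-830E8F4F1ACF} - C:\WINNT\System32\jhfljlc.dll
O4 - HKLM\..\Run: [vptray] C:\Programmer\NavNT\vptray.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [Dial32] C:\WINNT\dl.exe
O4 - HKLM\..\Run: [Upgrade Service] C:\WINNT\winupd.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0556834E-F56C-4545-8FAD-4F0ED25999BE} (Jackie Control) - http://www.6jackpot.com/dialup/jackie.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/23ae25885320f837f420/netzip/RdxIE601.cab
"""

AFTER_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.borsen.dk/
O1 - Hosts: 193.166.100.251 mail
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programmer\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [vptray] C:\Programmer\NavNT\vptray.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
"""

# Every HijackThis finding starts with a section code (R0, R1, O1, O2, O4, O16 ...)
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+?)\s*$")


def parse_log(text):
    """Return the R*/O* entries of a log as (kind, body) pairs.

    Header and 'Running processes' lines carry no section code and are skipped.
    Backslashes are normalised to '/' so a log pasted into a forum (where the
    backslashes are often lost) compares equal to the raw file."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("kind"), m.group("body").replace("\\", "/")))
    return entries


def diff_logs(before_text, after_text):
    """(removed, added): entries gone since the earlier scan, and new ones."""
    before, after = set(parse_log(before_text)), set(parse_log(after_text))
    return sorted(before - after), sorted(after - before)


def _run_target(body):
    """Command part of an O4 body: 'HKLM/../Run: [Name] C:/x.exe -flag' -> 'C:/x.exe -flag'."""
    m = re.search(r"\]\s*(.+)$", body)
    return m.group(1) if m else ""


# Indicators taken from what the thread's helpers acted on. Rule names are my own.
RULES = [
    # IE search/start settings redirected into a res:// page inside a random DLL (CWS style)
    ("search-hijack", lambda k, b: k in ("R0", "R1") and ("res://" in b or "(obfuscated)" in b)),
    # a BHO with no name loaded straight out of System32 rather than a program folder
    ("unnamed-bho-in-system32", lambda k, b: k == "O2" and "(no name)" in b and "/system32/" in b.lower()),
    # a Run entry that launches an .exe dropped directly into the Windows directory
    ("run-from-windows-dir", lambda k, b: k == "O4"
        and re.search(r'^"?c:/win(nt|dows)/[^/"]+\.exe', _run_target(b), re.I) is not None),
    # the Blaster worm's persistence entry
    ("blaster", lambda k, b: k == "O4" and "msblast.exe" in _run_target(b).lower()),
    # ActiveX downloads from a bare IP address or from a dialler distribution path
    ("dpf-raw-ip", lambda k, b: k == "O16" and re.search(r"https?://\d{1,3}(\.\d{1,3}){3}", b) is not None),
    ("dpf-dialer", lambda k, b: k == "O16" and "dial" in b.lower()),
    # any hosts-file override is worth confirming with the user, as the thread does
    ("hosts-override", lambda k, b: k == "O1"),
]


def flag_entries(entries):
    """Return [(kind, body, [rule names hit])] for entries matching at least one rule."""
    findings = []
    for kind, body in entries:
        hits = [name for name, test in RULES if test(kind, body)]
        if hits:
            findings.append((kind, body, hits))
    return findings


def main():
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("Removed by the fix:")
    for kind, body in removed:
        print(f"  {kind} - {body}")
    print("Added since the first scan:")
    for kind, body in added:
        print(f"  {kind} - {body}")
    print("Still flagged in the final log:")
    for kind, body, hits in flag_entries(parse_log(AFTER_LOG)):
        print(f"  {kind} - {body}   <- {', '.join(hits)}")


if __name__ == "__main__":
    main()
```

On the sample data the diff lists the eight entries the fix removed (the res:// search hijack, the jhfljlc.dll BHO, the msblast/dl.exe/winupd.exe Run keys, the dialler and raw-IP ActiveX downloads and the old HomeOldSP value) and the two that appeared (the restored start page and the SpywareGuard BHO), and the only thing still flagged in the final log is the hosts entry, which is exactly the item the helper asks the user about. To use it on real logs, read the two files into strings instead of the constants; the rules are deliberately narrow indicators rather than a general malware classifier.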

Editor
Posts: 25535

And I actually forgot one important thing. You only have SP3 installed; you should get updated to SP4, then you might also have been spared your Blaster. I would strongly advise you to download and install SP4 for Windows together with all critical updates here:
http://v4.windowsupdate.microsoft.com/da/default.asp