Mystisk Internet Explorer vender hele tiden tilbage.

Jeg skal bede dig om at hente 2 programmer.
Dem bruger vi som værktøj til at komme nærmere en løsning på dit problem.

Først spybot : http://www.spywarefri.dk/vaerktoj.htm#spybot
direkte link : http://download.com.com/3000-2144-10122137.html?part=104443&subj=dlpage&tag=button

Installer og kør Spybot, opdater online, scan, alle filer den har fundet, der er røde skal markeres, tryk så på afhjælp valgte problemer, derefter genstarter du

Derefter hijackthis : http://danborg.org/spy/HJT/hijackthis.exe
Den udpakker du til en mappe for sig selv, og kører Hijackthis, scan, save log og kopier logfilen herind, så kigger vi på den.

Har kørt Spybot til hudløshed. Prøver at kører hijackthis.

Logfile of HijackThis v1.98.0
Scan saved at 19:58:17, on 02-08-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AccessManager\Client\AMBroker.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\PJ Technologies\GOVsrv\GOVsrv.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\VeriSign\NAVI\naviagent.exe
C:\Program Files\Ghost75\ngserver.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ghost75\bin\dbserv.exe
C:\Program Files\Ghost75\bin\rteng7.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\tp4mon.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ConnectUtilities\QCWLICON.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\CONNEC~1\QCTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\WindUpdates\WinUpdt.exe
C:\WINDOWS\System32\pmzgjm.exe
C:\Program Files\WindowsSA\omniscient.exe
C:\Program Files\TEXTware\HotKey\TWALINK.EXE
C:\Program Files\WindUpdates\WinKA.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ICA Client\Wfcrun32.exe
C:\PROGRA~1\ICACLI~1\WFICA32.EXE
D:\Install\Spywarefri\HijackThis\hijackthis.exe
C:\Program Files\Common Files\Real\Update_OB\realevent.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.royalscandinavia.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.30.34:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = intranet.royalscandinavia.com;<local>
R3 - URLSearchHook: VeriSign Inc. i-Nav IDN SearchHook - {CE000994-A58C-4441-8938-744CD72AB27F} - C:\Program Files\VeriSign\i-Nav\i-nav_4_1_4.dll
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: VeriSign Inc. i-Nav IDN Resolver - {CE000992-A58C-4441-8938-744CD72AB27F} - C:\Program Files\VeriSign\i-Nav\i-nav_4_1_4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [InstNOW] C:\MILAN\kix32.exe C:\MILAN\InstNOW.scr
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE V-Gear TalkCam 1.1
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [bmufkcvxxmof] C:\WINDOWS\System32\pmzgjm.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotKey.lnk = C:\Program Files\TEXTware\HotKey\TWALINK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: i-Nav Help - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)
O9 - Extra 'Tools' menuitem: i-Nav Help - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)
O9 - Extra button: (no name) - {CE000996-A58C-4441-8938-744CD72AB27F} - C:\Program Files\VeriSign\i-Nav\i-nav_4_1_4.dll
O9 - Extra 'Tools' menuitem: i-Nav Options - {CE000996-A58C-4441-8938-744CD72AB27F} - C:\Program Files\VeriSign\i-Nav\i-nav_4_1_4.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://intranet.royalscandinavia.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\gqvrccjq.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?zX=ie&p=64276fb9efc3565fee97b287d3b2a64de55b67e90e1783d691843786455d914c50f6d13edd6d8d887becaac6a09aa805fc5355c30eed521e15dd92da31dc:3c1049dbc81820f00dc048e710a78631
O16 - DPF: {3D2CB570-D425-11D5-ABD0-00008369C46F} (CSMenu Class) - https://business.bgbank.dk/html/activex/BG/Menu.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab
O16 - DPF: {F6A56D95-A3A3-11D2-AC26-400000058481} (Danske e-Sec) - https://business.bgbank.dk/html/activex/danskesikker/BG/DanskeSikker.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = RS.local
O17 - HKLM\Software\..\Telephony: DomainName = RS.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = RS.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = RS.local

Der var masser af snavs i den log :O)

Jeg kigger den lige igennem...

Tak.

Først opretter du en mappe kun til hijackthis og lægger programmet derover. Så har vi nemlig styr på backup filerne.
Kommer du til at slette noget forkert, kan vi altid komme tilbage og lave en restore. Derfor skal Hijack have sin egen mappe.

Første vigtige punkt er at slå systemgendannelsen fra. For Xp er det:
Højreklik på Denne Computer på skrivebordet, vælg Egenskaber og fanebladet Systemgendannelse og sæt flueben i Deaktiver systemgendannelse. Klik ok og genstart.
For ME er det: Højreklik Denne Computer, vælg Egenskaber - Ydeevne - Filsystem - Fejlfinding.
Sæt flueben i Deaktiver Systemgendannelse.
Klik OK og genstart computeren.
Ellers genskabes alt hvad vi fjerner.

Derefter skal du åbne hijackthis.
Du skal vinge disse filer af, jeg har beskrevet nedenunder.
Når du har gjort det så lukker du alle andre vinduer ned.
Klik på Fix checkede.

R3 - URLSearchHook: VeriSign Inc. i-Nav IDN SearchHook - {CE000994-A58C-4441-8938-744CD72AB27F} - C:\Program Files\VeriSign\i-Nav\i-nav_4_1_4.dll
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: VeriSign Inc. i-Nav IDN Resolver - {CE000992-A58C-4441-8938-744CD72AB27F} - C:\Program Files\VeriSign\i-Nav\i-nav_4_1_4.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" –osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" –atboottime
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [bmufkcvxxmof] C:\WINDOWS\System32\pmzgjm.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O9 - Extra button: i-Nav Help - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)
O9 - Extra 'Tools' menuitem: i-Nav Help - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)
O9 - Extra button: (no name) - {CE000996-A58C-4441-8938-744CD72AB27F} - C:\Program Files\VeriSign\i-Nav\i-nav_4_1_4.dll
O9 - Extra 'Tools' menuitem: i-Nav Options - {CE000996-A58C-4441-8938-744CD72AB27F} - C:\Program Files\VeriSign\i-Nav\i-nav_4_1_4.dll
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\gqvrccjq.exe

Vi skal kunne se dine skjulte filer for at finde snavs, der skal slettes manuelt. Det er en del af processen.
Åbn en tilfældig mappe, klik på Funktioner=>Mappeindstillinger=>Vis.
Fjern flueben ved "Skjul beskyttede operativsystemfiler".
Fjern flueben ved "Skjul filtypenavne for kendte filtyper".
Sæt prik i "Vis skjulte filer og mapper".

Disse programmer skal slettes i fejlsikret tilstand. Du genstarter og trykker F8 når Windows starter op.

Søg efter disse filer:
C:\Windows\System32\wsaupdater.exe>>>>slet filen
C:\WINDOWS\twaintec.dll>>>>slet filen
C:\Program Files\WindUpdates\WinKA.exe>>>>slet filen
C:\Program Files\WindUpdates\WinUpdt.exe>>>>slet mappen  WindUpdates
C:\WINDOWS\System32\pmzgjm.exe>>>>slet filen
C:\Program Files\WindowsSA\omniscient.exe>>>>slet mappen WindowsSA

Derefter genstarter du og sender en ny log ind til check

Jo og så skal du forresten fjerne Verisign i kontrolpanel -> tilføj/fjern programmer.
Der er fyldt med spyware...

skal det også være i fejlsikret tilstand ?

Ikke nødvendigvis....

Her den nye logfil.

Logfile of HijackThis v1.98.0
Scan saved at 21:00:50, on 02-08-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AccessManager\Client\AMBroker.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\PJ Technologies\GOVsrv\GOVsrv.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\VeriSign\NAVI\naviagent.exe
C:\Program Files\Ghost75\ngserver.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ghost75\bin\dbserv.exe
C:\Program Files\Ghost75\bin\rteng7.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\tp4mon.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\CONNEC~1\QCTray.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\TEXTware\HotKey\TWALINK.EXE
C:\4\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.royalscandinavia.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.30.34:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = intranet.royalscandinavia.com;<local>
O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [InstNOW] C:\MILAN\kix32.exe C:\MILAN\InstNOW.scr
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE V-Gear TalkCam 1.1
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [sfeatxkhm] C:\WINDOWS\System32\pmzgjm.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotKey.lnk = C:\Program Files\TEXTware\HotKey\TWALINK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://intranet.royalscandinavia.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?zX=ie&p=64276fb9efc3565fee97b287d3b2a64de55b67e90e1783d691843786455d914c50f6d13edd6d8d887becaac6a09aa805fc5355c30eed521e15dd92da31dc:3c1049dbc81820f00dc048e710a78631
O16 - DPF: {3D2CB570-D425-11D5-ABD0-00008369C46F} (CSMenu Class) - https://business.bgbank.dk/html/activex/BG/Menu.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab
O16 - DPF: {F6A56D95-A3A3-11D2-AC26-400000058481} (Danske e-Sec) - https://business.bgbank.dk/html/activex/danskesikker/BG/DanskeSikker.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = RS.local
O17 - HKLM\Software\..\Telephony: DomainName = RS.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = RS.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = RS.local

Du skal lige på den igen....

Fix disse i fejlsikret tilstand:
O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll (file missing)
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [sfeatxkhm] C:\WINDOWS\System32\pmzgjm.exe

Søg og slet stadig i fejlsikret:
C:\Program Files\VeriSign\NAVI\naviagent.exe>>>>slet mappen VeriSign
C:\Program Files\WindUpdates\WinUpdt.exe>>>>slet mappen WindUpdates
Kig efter om den også ligger i C:\programmer\
C:\WINDOWS\System32\pmzgjm.exe>>>>>slet filen pmzgjm.exe

Genstart og ny log

C:\Program Files\WindUpdates\WinUpdt.exe>>>>slet mappen WindUpdates => fandtes ikke
C:\WINDOWS\System32\pmzgjm.exe>>>>>slet filen pmzgjm.exe => fandtes ikke

Logfile of HijackThis v1.98.0
Scan saved at 21:26:38, on 02-08-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AccessManager\Client\AMBroker.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\PJ Technologies\GOVsrv\GOVsrv.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Ghost75\ngserver.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ghost75\bin\dbserv.exe
C:\Program Files\Ghost75\bin\rteng7.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\tp4mon.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\CONNEC~1\QCTray.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\4\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.royalscandinavia.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.30.34:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = intranet.royalscandinavia.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [InstNOW] C:\MILAN\kix32.exe C:\MILAN\InstNOW.scr
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE V-Gear TalkCam 1.1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotKey.lnk = C:\Program Files\TEXTware\HotKey\TWALINK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://intranet.royalscandinavia.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?zX=ie&p=64276fb9efc3565fee97b287d3b2a64de55b67e90e1783d691843786455d914c50f6d13edd6d8d887becaac6a09aa805fc5355c30eed521e15dd92da31dc:3c1049dbc81820f00dc048e710a78631
O16 - DPF: {3D2CB570-D425-11D5-ABD0-00008369C46F} (CSMenu Class) - https://business.bgbank.dk/html/activex/BG/Menu.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab
O16 - DPF: {F6A56D95-A3A3-11D2-AC26-400000058481} (Danske e-Sec) - https://business.bgbank.dk/html/activex/danskesikker/BG/DanskeSikker.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = RS.local
O17 - HKLM\Software\..\Telephony: DomainName = RS.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = RS.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = RS.local

Så er din log ren og du kan godt slå systemgendannelsen til igen.
http://www.eksperten.dk/artikler/144
http://www.eksperten.dk/artikler/254
Her er lidt læsning om sikker surfing på nettet.

Thanks!

Det var så lidt.
Tak for point :O)

Kan du svarer mig på en sidste ting ?

Nu har jeg prøvet at kører Spybot og den finder følgende :

VX2/f 3 entries
DSO Exploit 5 entries
Statblaster.All files7 2 entries

Hvordan kan det være når min pc er "ren" ?

DSO exploit et en fejl i Spybot.
Den bliver rettet ved næste opdatering.
Se her:
http://home8.inet.tele.dk/fbj/spybot_melder_om_dso_exploit.htm

Hent spysweeper her og scan med den:
http://www.spysweeper.com/spyware-remover-download.html

Hent og opdater Ad-Aware: http://www.spywarefri.dk/vaerktoj.htm#adaware
Kør programmet.

Så kører du spybot igen. Se om der kommer mere....

Din log var ren, nogle gange kan der godt ligge noget og gemme sig. Det finder de andre programmer.
Det står det også noget om i artiklerne :O)

Ok! Tak for svaret.