asterix4real Beginner
10 May 2005 - 18:47 There are 9 comments

Popups that shouldn't be there

Our desktop computer has gotten a lot of nasty popups... with xxx material... not so good for our daughter... but what do I do? I have run various virus/spyware/adware programs, but it doesn't seem to work. HELP...

I have made the log file below

Logfile of HijackThis v1.99.1
Scan saved at 6:40:27 PM, on 5/10/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~2\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\WINNT\System32\msole32.exe
C:\WINNT\popuper.exe
C:\WINNT\System32\intmonp.exe
C:\WINNT\System32\shnlog.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\SPAMfighter\SFAgent.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINNT\System32\intmon.exe
C:\WINNT\LogWatNT.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Whatever\LOCALS~1\Temp\~AceTemp\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavigate.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dr.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavigate.com/search.php?qq=%1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.qfind.net/search.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavigate.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.jubii.dk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = users.cybercity.dk/~dsl72313
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINNT\System32\hp6832.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~2\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [MSN Messenger] C:\WINNT\System32\msmsgs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~2\DAP\dapextie.htm
O8 - Extra context menu item: Send Image to Photo Library - file://C:\Documents and Settings\Whatever\Application Data\MGI\PhotoSuite4\Temp\MGI00000.html
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~2\DAP\DAP.EXE
O9 - Extra button: TvGuide - {E6850551-1B82-47cd-BBF3-8E7D6099F9B3} - www.tvguide.dk (file missing)
O9 - Extra 'Tools' menuitem: TvGuide.dk - {E6850551-1B82-47cd-BBF3-8E7D6099F9B3} - www.tvguide.dk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {CB48E885-6992-47A0-8BEF-14F65F76AFA6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {CB48E885-6992-47A0-8BEF-14F65F76AFA6} - (no file) (HKCU)
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://207.234.185.217/ABoxInst_int2.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/112a6bfa1db2675e6006/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://scanner.virus112.com/cabs/cssweb.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{018A96F2-A900-41D8-9338-1B6715F67BF8}: NameServer = 212.242.40.3,212.242.40.51
O17 - HKLM\System\CCS\Services\Tcpip\..\{684FA207-2F7B-4B0D-9C80-1DE5B9EF26FE}: NameServer = 212.242.40.3,212.242.40.51
O17 - HKLM\System\CS1\Services\Tcpip\..\{018A96F2-A900-41D8-9338-1B6715F67BF8}: NameServer = 212.242.40.3,212.242.40.51
O17 - HKLM\System\CS2\Services\Tcpip\..\{018A96F2-A900-41D8-9338-1B6715F67BF8}: NameServer = 212.242.40.3,212.242.40.51
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\javaeh32.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINNT\LogWatNT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
arlet Junior Master
10 May 2005 - 19:52 #1
checking it now
arlet Junior Master
10 May 2005 - 19:55 #2
Removes all entries in the zone:
Download DelDomains.inf
http://www.mvps.org/winhelp2002/DelDomains.inf

Download and save this scanner on the desktop. (We will use it later)
http://www.spywareinfo.dk/download/mwav.exe

Now you need to get started with the fixing:

Run HijackThis, scan, tick the lines listed here, close all windows except HijackThis, click Fix checked, then close HijackThis again.
Double-check so that everything is included.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavigate.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dr.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavigate.com/search.php?qq=%1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.qfind.net/search.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavigate.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.jubii.dk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe

O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINNT\System32\hp6832.tmp

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot

O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~2\DAP\dapextie.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~2\DAP\DAP.EXE

O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)

O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://207.234.185.217/ABoxInst_int2.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/112a6bfa1db2675e6006/netzip/RdxIE601.cab


--------------------------------------------------------------------

Open any folder, click Tools => Folder Options => View.
Untick "Hide protected operating system files".
Untick "Hide extensions for known file types".
Select "Show hidden files and folders".

--------------------------------------------------------------------

Find and delete manually in safe mode (F8 at startup):


C:\Program Files\Common Files\Real\Update_OB\realsched.exe

----------------------------------------------------------

Click on the mwav.exe you downloaded; the program unpacks itself and starts.
Tick the following:
Memory, Startup folders, drive, Registry, System folders and Services.
Select the following:
All local drives and Scan all files
And then you press Scan Clean
It takes a little over an hour to scan


----------------------------------------------------------

After that, restart and post a new log here, so we can see whether we have got it completely clean.
asterix4real Beginner
11 May 2005 - 10:03 #3
Here is the new log, but it doesn't look like it is completely clean yet...

Logfile of HijackThis v1.99.1
Scan saved at 10:02:37 AM, on 5/11/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\popuper.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\shnlog.exe
C:\WINNT\System32\intmonp.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\SPAMfighter\SFAgent.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\intmon.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINNT\LogWatNT.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinAce\WinAce.exe
C:\DOCUME~1\Whatever\LOCALS~1\Temp\~AceTemp\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavigate.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dr.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavigate.com/search.php?qq=%1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.qfind.net/search.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavigate.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.jubii.dk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = users.cybercity.dk/~dsl72313
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINNT\System32\hp35D0.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~2\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~2\DAP\dapextie.htm
O8 - Extra context menu item: Send Image to Photo Library - file://C:\Documents and Settings\Whatever\Application Data\MGI\PhotoSuite4\Temp\MGI00000.html
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~2\DAP\DAP.EXE
O9 - Extra button: TvGuide - {E6850551-1B82-47cd-BBF3-8E7D6099F9B3} - www.tvguide.dk (file missing)
O9 - Extra 'Tools' menuitem: TvGuide.dk - {E6850551-1B82-47cd-BBF3-8E7D6099F9B3} - www.tvguide.dk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {CB48E885-6992-47A0-8BEF-14F65F76AFA6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {CB48E885-6992-47A0-8BEF-14F65F76AFA6} - (no file) (HKCU)
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://207.234.185.217/ABoxInst_int2.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/112a6bfa1db2675e6006/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://scanner.virus112.com/cabs/cssweb.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{018A96F2-A900-41D8-9338-1B6715F67BF8}: NameServer = 212.242.40.3,212.242.40.51
O17 - HKLM\System\CCS\Services\Tcpip\..\{684FA207-2F7B-4B0D-9C80-1DE5B9EF26FE}: NameServer = 212.242.40.3,212.242.40.51
O17 - HKLM\System\CS1\Services\Tcpip\..\{018A96F2-A900-41D8-9338-1B6715F67BF8}: NameServer = 212.242.40.3,212.242.40.51
O17 - HKLM\System\CS2\Services\Tcpip\..\{018A96F2-A900-41D8-9338-1B6715F67BF8}: NameServer = 212.242.40.3,212.242.40.51
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\javaeh32.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINNT\LogWatNT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
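The check this thread performs by eye (fix the listed lines, restart, post a new log) can be done mechanically. The following is an added example, not part of the thread or of HijackThis: it compares a fix list with a follow-up log and matches entries by identity (registry value, BHO CLSID, Run name), so an entry re-created with a new file name shows up as changed rather than removed. The sample lines are excerpted from posts #2 and #3; all function names are hypothetical.

```python
import re

# Section code, " - ", then the entry body.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(.*?\[[^\]]+\])\s*(.*)$")


def split_entry(code, body):
    """Split an entry body into (identity, value) so renamed payloads still match."""
    if code[0] == "R" and " = " in body:      # registry value = data
        key, value = body.split(" = ", 1)
        return key, value
    if code[0] == "F" and "=" in body:        # ini/registry setting=data
        key, value = body.split("=", 1)
        return key.strip(), value.strip()
    if code == "O2":                          # BHO: identity is the CLSID
        m = CLSID_RE.search(body)
        if m:
            return m.group(0).upper(), body[m.end():].lstrip(" -")
    if code == "O4":                          # autorun: identity is hive + [name]
        m = RUN_RE.match(body)
        if m:
            return m.group(1), m.group(2)
    return body, ""                           # other sections: the whole line


def parse_log(text):
    """Return {(code, identity): value} for every entry line in a HijackThis log."""
    entries = {}
    for raw in text.splitlines():
        m = ENTRY_RE.match(" ".join(raw.split()))  # normalise whitespace
        if m:
            key, value = split_entry(m.group(1), m.group(2))
            entries[(m.group(1), key)] = value
    return entries


def verify_fix(fix_list, followup_log):
    """Classify each fix-list entry by what the follow-up log shows for it."""
    after = parse_log(followup_log)
    report = {"removed": [], "persisting": [], "changed": []}
    for ident, value in parse_log(fix_list).items():
        if ident not in after:
            report["removed"].append(ident)
        elif after[ident] == value:
            report["persisting"].append(ident)
        else:
            report["changed"].append((ident, value, after[ident]))
    return report


# Sample input: lines excerpted from the fix list in post #2.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINNT\System32\hp6832.tmp
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O15 - Trusted Zone: *.awmdabest.com
"""

# Sample input: lines excerpted from the follow-up log in post #3.
FOLLOWUP_LOG = r"""
Logfile of HijackThis v1.99.1
C:\WINNT\popuper.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
F2 - REG:system.ini: Shell=
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINNT\System32\hp35D0.tmp
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe
O15 - Trusted Zone: *.awmdabest.com
"""

if __name__ == "__main__":
    result = verify_fix(FIX_LIST, FOLLOWUP_LOG)
    for status in ("removed", "persisting", "changed"):
        print(status.upper())
        for item in result[status]:
            print("  ", item)
```

An entry reported as changed means the same registry value or CLSID is present again with different data, which points to something still running that rewrites it.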
majsmarken Beginner
11 May 2005 - 10:13 #4
Can't they learn it soon - same old record:

You have not updated your Windows XP to Service Pack 2 (SP2).
[1Klik.dk: Unprotected PCs last 20 minutes]:
http://1klik.dk/news_1klik/nyhed_32992.html

That is not so good, because then you are not protected against many of the viruses that whizz around the net looking for unpatched machines.

You can get SP2 here as a 'standalone' file (~280Mb):
http://intern.sdu.dk/it-service/tjenester/ftphotel/ftpindhold/
Download/copy it to a suitable medium.
Disconnect from the 'dangerous' internet (physically pull the plug OUT).
Install the SP2 package.
When that has gone well and after a restart or two - only THEN connect the internet again and go to Start -> Programs -> Windows Update and let your machine scan for the latest updates. Install the ones that are recommended to you.

Good Luck... but not until the machine has been declared 'clean' ...

(Well - if you don't get this done, we'll probably see each other again soon... in the virus category?)

----

PS: Also remember this one - http://www.eksperten.dk/spm/616551
arlet Junior Master
11 May 2005 - 18:20 #5
Download DelDomains.inf
http://www.mvps.org/winhelp2002/DelDomains.inf
and run the program

-----------------------

Download and save this scanner on the desktop. (We will use it later)
http://www.spywareinfo.dk/download/mwav.exe

Now you need to get started with the fixing:

Run HijackThis, scan, tick the lines listed here, close all windows except HijackThis, click Fix checked, then close HijackThis again.
Double-check so that everything is included.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavigate.com/search.php?qq=%1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.qfind.net/search.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavigate.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: Shell=

O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINNT\System32\hp35D0.tmp

O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~2\DAP\dapextie.htm

O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~2\DAP\DAP.EXE

O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)

O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://207.234.185.217/ABoxInst_int2.exe

O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\javaeh32.exe (file missing)


--------------------------------------------------------------------

Click Start -> Run, type Regedit, click OK.
You get a window a bit like Explorer; navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\javaeh32.exe
Right-click it and delete it, if it exists.
Then navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_javaeh32.exe
Right-click it and delete it, if it exists.
If you are not allowed to delete it, click it once so that it is selected, choose Edit, choose Permissions and take full control of the key; then you can delete it.


----------------------------------------------------------

Click on the mwav.exe you downloaded; the program unpacks itself and starts.
Tick the following:
Memory, Startup folders, drive, Registry, System folders and Services.
Select the following:
All local drives and Scan all files
And then you press Scan Clean
It takes a little over an hour to scan


----------------------------------------------------------

After that, restart and post a new log here, so we can see whether we have got it completely clean.
majsmarken Beginner
20 May 2005 - 15:49 #6
???
Also remember this one: http://www.eksperten.dk/spm/616551
asterix4real Beginner
20 May 2005 - 17:16 #7
Logfile of HijackThis v1.99.1
Scan saved at 5:15:41 PM, on 5/20/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\popuper.exe
C:\WINNT\System32\shnlog.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINNT\System32\intmonp.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\SPAMfighter\SFAgent.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\intmon.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINNT\LogWatNT.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Whatever\LOCALS~1\Temp\~AceTemp\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsearches.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = users.cybercity.dk/~dsl72313
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINNT\System32\hpB7A2.tmp (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~2\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: TvGuide - {E6850551-1B82-47cd-BBF3-8E7D6099F9B3} - www.tvguide.dk (file missing)
O9 - Extra 'Tools' menuitem: TvGuide.dk - {E6850551-1B82-47cd-BBF3-8E7D6099F9B3} - www.tvguide.dk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://scanner.virus112.com/cabs/cssweb.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{684FA207-2F7B-4B0D-9C80-1DE5B9EF26FE}: NameServer = 212.242.40.3,212.242.40.51
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\javaeh32.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINNT\LogWatNT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
arlet Junior Master
20 May 2005 - 17:27 #8
Get this scanner:
You can download Ewido here: http://www.ewido.net/en/download/
Click Download now. Install and run Ewido. Update the program immediately after installation (but do not scan yet).
Restart in safe mode. You need to press the F8 key during the restart (roughly just when the RAM has been counted), and then choose safe mode. If in doubt, just press F8 several times. Now run a full scan with Ewido. The program creates a small log, which you should copy in here together with a HijackThis log taken after you have run Ewido
asterix4real Beginner
21 May 2005 - 00:21 #9
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on:            12:18:22 AM, 5/21/2005
+ Report-Checksum:        60EBB610

+ Date of database:        5/20/2005
+ Version of scan engine:    v3.0

+ Duration:                92 min
+ Scanned Files:            109484
+ Speed:                19.64 Files/Second
+ Infected files:            76
+ Removed files:            74
+ Files put in quarantine:        74
+ Files that could not be opened:    0
+ Files that could not be cleaned:    2

+ Binder:        Yes
+ Crypter:        Yes
+ Archives:        Yes

+ Scanned items:
    C:\
    D:\

+ Scan result:
    C:\Documents and Settings\Whatever\Cookies\whatever@advertising[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
    C:\Documents and Settings\Whatever\Cookies\whatever@servedby.advertising[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
    C:\WINDOWS\TEMP\gdg314\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg3143\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg3150\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg3242\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg3245\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg3342\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg355\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg4003\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg4064\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg40E1\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg41F3\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg42A3\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg42F4\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg5094\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg52D3\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg5300\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg5342\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg53A3\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg53B0\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg6011\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg60A5\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg6160\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg6343\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg6394\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg7064\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg7074\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg70B1\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg70F4\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg7125\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg71B4\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg7382\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg8071\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg8135\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg8244\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg82F0\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg9113\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg91B1\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg92A4\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdg9314\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdgA0A0\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdgA0F1\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdgA111\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdgA1D3\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdgA240\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdgA271\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdgA344\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdgB084\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdgB092\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdgB0F2\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdgB113\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdgB170\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdgB200\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdgB2B0\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdgB2C0\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdgB3\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdgB325\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdgB3A5\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdgB3A6\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdgB3B5\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdgC063\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdgC245\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdgC343\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdgD302\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdgE071\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdgE173\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdgE1B2\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdgE335\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\gdgF343\index.htm.mwt -> Backdoor.DSSdoor.a -> Cleaned with backup
    C:\WINDOWS\TEMP\__unin__.exe -> Spyware.BrillianDigital -> Cleaned with backup
    C:\WINNT\Downloaded Program Files\cssweb.dll -> Spyware.CSSWeb.a -> Cleaned with backup
    C:\WINNT\popuper.exe -> Trojan.Puper.h -> Cleaned with backup
    C:\WINNT\system32\hp1DCB.tmp -> Trojan.Puper.g -> Cleaned with backup
    C:\WINNT\system32\hp43D1.tmp -> Trojan.Puper.g -> Cleaned with backup
    C:\WINNT\system32\shnlog.exe -> Spyware.Hijacker.Generic -> Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 12:21:21 AM, on 5/21/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinAce\WinAce.exe
C:\DOCUME~1\Whatever\LOCALS~1\Temp\~AceTemp\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsearches.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = users.cybercity.dk/~dsl72313
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINNT\System32\hpB7A2.tmp (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~2\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: TvGuide - {E6850551-1B82-47cd-BBF3-8E7D6099F9B3} - www.tvguide.dk (file missing)
O9 - Extra 'Tools' menuitem: TvGuide.dk - {E6850551-1B82-47cd-BBF3-8E7D6099F9B3} - www.tvguide.dk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://scanner.virus112.com/cabs/cssweb.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{684FA207-2F7B-4B0D-9C80-1DE5B9EF26FE}: NameServer = 212.242.40.3,212.242.40.51
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\javaeh32.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINNT\LogWatNT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe