Hjælp til Hijackthis log

ser på det

Download Ewido (Trial version) (Installer programmer så det kan opdatere sig selv, men vent med at scanne til jeg siger til)
http://shop.element5.com/product.html?productid=531168

Genstart i Fejlsikret tilstand ved at taste F8 under opstart.

Kør HijackThis, scan og sæt et flueben ud for disse linjer - luk øvrige programvinduer. Dobbelt tjeck alt kom med!. Klik herefter "Fix checked" i hijackthis:

O2 - BHO: (no name) - {8F3732C0-B397-1AAD-7FCB-CA532B5A1FE6} - D:\DOCUME~1\YAKUBO~1\APPLIC~1\Castnurb\Barb Move.exe (file missing)
O4 - HKCU\..\Run: [cashbird] D:\DOCUME~1\YAKUBO~1\APPLIC~1\EXITPL~1\ActiveSeek.exe

Gå herefter i Start -> Programmer -> Tilbehør -> Systemværktøjer -> Diskoprydning og slet temp-filer, temporary internet files og papirkurv.

Scan med Ewido nu!

Genstart windows normalt op nu.

Hent denne fil http://cexx.org/lspfix.zip

Kør LSPfix, sæt flueben i "I know what I am doing" klik på finish, genstart din computer... og send mig en frisk hijackthislog til tjek

Hej Kalp. Jeg er ret sikker på at det er en rest af en lop-infektion. Du bør derfor også checke at der ikke ligger nogle jobs i %windir%\Tasks\

Hvis der gør det, skal de også væk -- ellers kommer hele infektionen tilbage i løbet af et par dage. Se fx. denne tråd:
http://www.eksperten.dk/spm/648045

:-)

Hej ejvindh. Jeg kigger lige på dit link også.
Her er så min seneste Hijackthis efter at have gået gennem alle procedurerne.

Logfile of HijackThis v1.99.1
Scan saved at 12:30:07, on 15-09-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\brss01a.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\AGRSMMSG.exe
D:\Program Files\Synaptics\SynTP\SynTPLpr.exe
D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
D:\PROGRA~1\mcafee.com\agent\mcagent.exe
D:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
D:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
d:\progra~1\mcafee.com\vso\mcvsescn.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Skype\Phone\Skype.exe
D:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
d:\progra~1\mcafee.com\vso\mcvsftsn.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
D:\WINDOWS\Cpqdiag\Cpqdfwag.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
d:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
D:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Bonjour\mDNSResponder.exe
d:\PROGRA~1\mcafee.com\vso\mcshield.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Spil\LucasArts\Rebellion\Saves\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - D:\Program Files\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - d:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] D:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] D:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] D:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [MCAgentExe] d:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] D:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "d:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "d:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPFExe] D:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] D:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download all by Net Transport - D:\Program Files\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - D:\Program Files\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O10 - Unknown file in Winsock LSP: d:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1110115000311
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-gb/1,0,0,20/mcgdmgr.cab
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - D:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - D:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - D:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - d:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - D:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - d:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - D:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Hmm, er ikke helt sikker på at jeg fatter alt det der - men prøvede at hente den dersens fl.bat. Efter at have kørt den, kom der en notepad op, men den indeholdt ikke noget tekst.

Jeg skal gerne give flere point, efter behov.

Prøv det her så:
Kopier teksten mellem de stiplede linier ind i et notepad-vindue. Gem filen som visjob.bat, hvor du sikrer dig, at der under Filtype står "Alle filer"

-----------------------------------
if exist c:\findlop.txt del c:\findlop.txt
set savepath=%CD%
c:
cd %USERPROFILE%
cd ..

FOR /F "tokens=*" %%G IN ('dir/b ^"*.^"') DO dir ^"%%G\Application Data\^" >> c:\findlop.txt
FOR /F "tokens=*" %%G IN ('dir/b /ah ^"*.^"') DO dir /ah ^"%%G\Application Data\^" >> c:\findlop.txt

dir %Windir%\tasks /a h >> findlop.txt
notepad findlop.txt

cd %savepath%
-----------------------------------
Dobbeltklik på filen og læg den tekst, der kommer frem herved ind i tråden.

Vent, der var en fejl. Sådan her istedet:

Kopier teksten mellem de stiplede linier ind i et notepad-vindue. Gem filen som visjob.bat, hvor du sikrer dig, at der under Filtype står "Alle filer"

-----------------------------------
if exist c:\findlop.txt del c:\findlop.txt
set savepath=%CD%
c:
cd %USERPROFILE%
cd ..

FOR /F "tokens=*" %%G IN ('dir/b ^"*.^"') DO dir ^"%%G\Application Data\^" >> c:\findlop.txt
FOR /F "tokens=*" %%G IN ('dir/b /ah ^"*.^"') DO dir /ah ^"%%G\Application Data\^" >> c:\findlop.txt

dir %Windir%\tasks /a h >> c:\findlop.txt
notepad c:\findlop.txt

cd %savepath%
-----------------------------------
Dobbeltklik på filen og læg den tekst, der kommer frem herved ind i tråden.

Hmm, jeg får stadig popups
Efter at have lavet en batfil står der:

Volume in drive D is Stensig
Volume Serial Number is 880F-9C14

Directory of D:\WINDOWS\tasks

15-09-2005  09:43    <DIR>          .
15-09-2005  09:43    <DIR>          ..
15-09-2005  13:00              288 B30ABDC595092FF5.job
29-08-2002  22:00                65 desktop.ini
15-09-2005  09:43              494 McAfee.com Update Check (YAKUBO-Yakubo Stensig).job
15-09-2005  12:28                6 SA.DAT
              4 File(s)            853 bytes
              2 Dir(s)  4.531.470.336 bytes free

Volume in drive C is Yakubo
Volume Serial Number is C0FD-9021

Directory of C:\

Kopier teksten mellem de stiplede linier ind i et notepad-vindue. Gem filen som sletjob.bat, hvor du sikrer dig, at der under Filtype står "Alle filer"

--------------------------
%systemdrive%
cd %systemdrive%\WINDOWS\Tasks
attrib -r -s -h B30ABDC595092FF5.job
del B30ABDC595092FF5.job
--------------------------

Genstart herefter til fejlsikret tilstand. Dobbeltklik på sletjob.bat. Et sort dos-vindue vil kort åbnes og lukkes. Genstart herefter til normal tilstand.

Angående visjob.bat og fl.bat, så er problemet, at du kører på D-drevet. Det havde jeg lige overset. Så du skal lige lave en ny visjob.bat:

Kopier teksten mellem de stiplede linier ind i et notepad-vindue. Gem filen som visjob.bat, hvor du sikrer dig, at der under Filtype står "Alle filer"

-----------------------------------
if exist c:\findlop.txt del c:\findlop.txt
set savepath=%CD%
%homedrive%
cd %USERPROFILE%
cd ..

FOR /F "tokens=*" %%G IN ('dir/b ^"*.^"') DO dir ^"%%G\Application Data\^" >> c:\findlop.txt
FOR /F "tokens=*" %%G IN ('dir/b /ah ^"*.^"') DO dir /ah ^"%%G\Application Data\^" >> c:\findlop.txt

dir %Windir%\tasks /a h >> c:\findlop.txt
notepad c:\findlop.txt

cd %savepath%
-----------------------------------
Dobbeltklik på filen og læg den tekst, der kommer frem herved ind i tråden.

Læg også en ny HJT-log, for at vi kan se, om der er kommet nyt i den siden sidst (da var den nemlig ren).

Først visjob.bat

Volume in drive D is Stensig
Volume Serial Number is 880F-9C14

Directory of D:\Documents and Settings\All Users\Application Data

15-03-2005  17:55    <DIR>          Adobe
14-09-2005  22:48    <DIR>          Apple Computer
11-09-2005  23:47    <DIR>          Blah Vc Tray Peak
21-03-2005  19:39    <DIR>          McAfee.com
06-03-2005  18:46    <DIR>          QuickTime
12-09-2005  16:07    <DIR>          Skype
17-03-2005  16:22    <DIR>          Spybot - Search & Destroy
              0 File(s)              0 bytes
              7 Dir(s)  4.530.974.720 bytes free
Volume in drive D is Stensig
Volume Serial Number is 880F-9C14

Directory of D:\Documents and Settings\Yakubo Stensig\Application Data

16-08-2005  16:57    <DIR>          Adobe
01-09-2005  15:33    <DIR>          AdobeAUM
15-03-2005  17:58    <DIR>          AdobeUM
26-04-2005  15:57    <DIR>          Ahead
15-09-2005  10:35    <DIR>          Apple Computer
14-09-2005  11:42    <DIR>          Castnurb
21-04-2005  16:32    <DIR>          Cryptomathic
11-09-2005  23:47    <DIR>          Exit Play
10-05-2005  15:41    <DIR>          GlobalSCAPE
23-08-2005  21:03    <DIR>          Google
22-03-2005  20:25    <DIR>          Help
05-03-2005  17:57    <DIR>          Identities
12-09-2005  13:56    <DIR>          Lavasoft
06-03-2005  11:51    <DIR>          Macromedia
21-03-2005  19:46    <DIR>          McAfee.com Personal Firewall
08-03-2005  11:38    <DIR>          Mozilla
12-09-2005  00:00    <DIR>          NetPumper
09-05-2005  17:35    <DIR>          Opera
07-03-2005  20:15    <DIR>          Real
15-09-2005  14:03    <DIR>          Skype
05-03-2005  18:25    <DIR>          Sun
18-04-2005  00:36    <DIR>          vlc
03-09-2005  00:05    <DIR>          Yahoo!
06-03-2005  13:14    <DIR>          Yahoo! Messenger
              0 File(s)              0 bytes
              24 Dir(s)  4.530.974.720 bytes free
Volume in drive D is Stensig
Volume Serial Number is 880F-9C14

Directory of D:\Documents and Settings\Default User\Application Data

05-03-2005  18:37    <DIR>          .
05-03-2005  18:37    <DIR>          ..
05-03-2005  18:37                62 desktop.ini
              1 File(s)            62 bytes
              2 Dir(s)  4.530.974.720 bytes free
Volume in drive D is Stensig
Volume Serial Number is 880F-9C14

Directory of D:\Documents and Settings\LocalService\Application Data

Volume in drive D is Stensig
Volume Serial Number is 880F-9C14

Directory of D:\Documents and Settings\NetworkService\Application Data

Volume in drive D is Stensig
Volume Serial Number is 880F-9C14

Directory of D:\WINDOWS\tasks

15-09-2005  13:54    <DIR>          .
15-09-2005  13:54    <DIR>          ..
29-08-2002  22:00                65 desktop.ini
15-09-2005  13:54              494 McAfee.com Update Check (YAKUBO-Yakubo Stensig).job
15-09-2005  14:01                6 SA.DAT
              3 File(s)            565 bytes

Directory of D:\Documents and Settings

Dernæst Hijacklog:

Logfile of HijackThis v1.99.1
Scan saved at 14:07:19, on 15-09-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\brss01a.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\AGRSMMSG.exe
D:\Program Files\Synaptics\SynTP\SynTPLpr.exe
D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
D:\PROGRA~1\mcafee.com\agent\mcagent.exe
D:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
d:\progra~1\mcafee.com\vso\mcvsescn.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Skype\Phone\Skype.exe
d:\progra~1\intern~1\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
D:\WINDOWS\Cpqdiag\Cpqdfwag.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
D:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
d:\progra~1\mcafee.com\vso\mcvsftsn.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\WINDOWS\system32\NOTEPAD.EXE
D:\WINDOWS\system32\cmd.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Spil\LucasArts\Rebellion\Saves\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - D:\Program Files\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - d:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] D:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] D:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] D:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [MCAgentExe] d:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] D:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "d:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "d:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPFExe] D:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] D:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [cashbird] D:\DOCUME~1\YAKUBO~1\APPLIC~1\EXITPL~1\ActiveSeek.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download all by Net Transport - D:\Program Files\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - D:\Program Files\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O10 - Unknown file in Winsock LSP: d:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1110115000311
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-gb/1,0,0,20/mcgdmgr.cab
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - D:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - D:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - D:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - d:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - D:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - d:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - D:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Har lidt på fornemmelsen at det muligvis er denne her der startede hele misæren:

12-09-2005  00:00    <DIR>          NetPumper

Hmmm. Infektionen er tilsyneladende desameret nu. Nogle af de mapper, som er listet hernedenfor indeholder resterne af den, men jeg må indrømme, at jeg er faktisk lidt i tvivl om hvilke:

Directory of D:\Documents and Settings\All Users\Application Data
11-09-2005 23:47 <DIR> Blah Vc Tray Peak

Directory of D:\Documents and Settings\Yakubo Stensig\Application Data
14-09-2005 11:42 <DIR> Castnurb
11-09-2005 23:47 <DIR> Exit Play
12-09-2005 00:00 <DIR> NetPumper

Jeg synes derfor du skal tage et scan med Dr. Web. Den plejer at være god til at finde Lop-rester og slette dem:
Hent dette program
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Dobbeltklik på drweb-cureit.exe, den vil køre en expressscan, det siger du ja til.
Når den skriver Done nederst til venstre, skal du klikke på det eller de drev du vil have scannet, der kommer en rød prik for at vise det/de valgte.
Klik så på den grønne fodgænger ovre til højre på siden, så starter scanningen.
Klik så på Start->Søg, find filen drweb32w.log kopier det nederste af teksten herind, startende med:
Scan statistics.

Prøv også at lægge mærke til, hvilke mapper de inficerede filer ligger i. Hvis nogle af dem ovenfor nævnes, så slet den pågældende mappe.

Genstart herefter computeren. Hvis du stadig har problemet, skal vi have fat i et lidt mere avanceret analyse-værktøj:

Hent Silentrunners her: http://www.silentrunners.org/Silent%20Runners.vbs

Kør programmet og læg log-filen herind (den lægger sig i samme mappe som silentrunner programmet ligger i).

Rettelse (igen): Nu kan uden problemer slette alle de 4 nævnte mapper:

D:\Documents and Settings\All Users\Application Data\Blah Vc Tray Peak
D:\Documents and Settings\Yakubo Stensig\Application Data\Castnurb
D:\Documents and Settings\Yakubo Stensig\Application Data\Exit Play
D:\Documents and Settings\Yakubo Stensig\Application Data\NetPumper

For at kunne se alle mapper: Åbn en mappe, klik på Funktioner=>Mappeindstillinger=>Vis.
Fjern flueben ved "Skjul beskyttede operativsystemfiler".
Fjern flueben ved "Skjul filtypenavne for kendte filtyper".
Sæt prik i "Vis skjulte filer og mapper".

Jeg har fået slettet de 4 mapper, men længere kan jeg ikke komme.
DRweb Cureit går ned efter et stykke tid. Har genstartet men det hjalp ikke. Den nåede dog at finde noget der ganske rigtigt hed noget med lop inde i System
Restore, inden den gik ned. Men - dvs. at jeg nu mangler at scanne ca. 30 %

Hvad skal jeg gøre med

Hov...
Her er Silentrunner resultat:
"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsnMsgr" = ""D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"Skype" = ""D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
"cashbird" = "D:\DOCUME~1\YAKUBO~1\APPLIC~1\EXITPL~1\ActiveSeek.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"SynTPLpr" = "D:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "D:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"ATIPTA" = "D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"Cpqset" = "D:\Program Files\HPQ\Default Settings\cpqset.exe" [null data]
"eabconfg.cpl" = "D:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start" ["Hewlett-Packard "]
"MCAgentExe" = "d:\PROGRA~1\mcafee.com\agent\mcagent.exe" ["McAfee, Inc"]
"MCUpdateExe" = "D:\PROGRA~1\McAfee.com\Agent\mcupdate.exe" ["McAfee, Inc"]
"VSOCheckTask" = ""d:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask" ["Networks Associates Technology, Inc"]
"VirusScan Online" = ""d:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"" ["Networks Associates Technology, Inc"]
"MPFExe" = "D:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" ["McAfee Security"]
"NeroFilterCheck" = "D:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"QuickTime Task" = ""D:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{C56CB6B0-0D96-11D6-8C65-B2868B609932}\(Default) = "NTIECatcher Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\NetTransport 2\NTIEHelper.dll" ["Xi"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\System32\btneighborhood.dll" ["WIDCOMM, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\Audiodev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{1530F7EE-5128-43BD-9977-84A4B0FAD7DF}" = "PhotoToys"
  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\phototoys.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "D:\Documents and Settings\Yakubo Stensig\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "Yakubo Stensig" & "All Users" startup folders:
----------------------------------------------------------------

D:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]


Enabled Scheduled Tasks:
------------------------

"McAfee.com Update Check (YAKUBO-Yakubo Stensig)" -> launches: "D:\PROGRA~1\McAfee.com\Agent\mcupdate.exe /Schedule" ["McAfee, Inc"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "D:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 14
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BA52B914-B692-46C4-B683-905236F6F655}" = "McAfee VirusScan"
  -> {CLSID}\InProcServer32\(Default) = "d:\progra~1\mcafee.com\vso\mcvsshl.dll" ["Networks Associates Technology, Inc"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\System32\msjava.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Opslag"

{CCA281CA-C863-46EF-9331-5C8D4460577F}\
"ButtonText" = "@btrez.dll,-4015"
"MenuText" = "@btrez.dll,-4017"
"Script" = "D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm" [null data]

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\
"ButtonText" = "Yahoo! Messenger"
"MenuText" = "Yahoo! Messenger"
"Exec" = "D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe" ["Yahoo! Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "D:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
Bluetooth Service, btwdins, "D:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe" ["WIDCOMM, Inc."]
Bonjour-tjeneste, Bonjour Service, ""D:\Program Files\Bonjour\mDNSResponder.exe"" ["Apple Computer, Inc."]
ewido security suite control, ewido security suite control, "D:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "D:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
HTTP SSL, HTTPFilter, "D:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"D:\WINDOWS\System32\w3ssl.dll" [MS]}
McAfee Personal Firewall Service, MpfService, "D:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe" ["McAfee Corporation"]
McAfee.com McShield, McShield, "d:\PROGRA~1\mcafee.com\vso\mcshield.exe" ["Network Associates, Inc."]
McAfee.com VirusScan Online Realtime Engine, MCVSRte, "d:\PROGRA~1\mcafee.com\vso\mcvsrte.exe /Embedding" ["Networks Associates Technology, Inc"]
Remote Diagnostics Enabling Agent, DfwWebAgent, "D:\WINDOWS\Cpqdiag\Cpqdfwag.exe" ["Hewlett-Packard"]
SoundMAX Agent Service, SoundMAX Agent Service (default), "D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
Windows User Mode Driver Framework, UMWdf, "D:\WINDOWS\system32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
  use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 24 seconds, including 3 seconds for message boxes)

Der var en enkelt vi skal have fixet i SilentRunners-loggen:

Kopier indholdet mellem de stiplede linier ind i et notepad-vindue, som du gemmer som regfix.reg på skrivebordet.
--------------------------
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cashbird"=-
--------------------------

Dobbeltklik på den nye fil, og sig ja til at tilføje oplysningerne til registreringsdatabasen.

Genstart herefter computeren igen, og lav en ny silent runners log, som du lægger herind.

Får du stadig popups?

Angående de filer i system restore, så skal du ikke lade dig bekymre af dem. De er inaktive, og vi sletter dem, når vi er til bunds med det aktive skidt.

Umiddelbart virker det ikke til at jeg får flere popups.
"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsnMsgr" = ""D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"Skype" = ""D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"SynTPLpr" = "D:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "D:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"ATIPTA" = "D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"Cpqset" = "D:\Program Files\HPQ\Default Settings\cpqset.exe" [null data]
"eabconfg.cpl" = "D:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start" ["Hewlett-Packard "]
"MCAgentExe" = "d:\PROGRA~1\mcafee.com\agent\mcagent.exe" ["McAfee, Inc"]
"MCUpdateExe" = "D:\PROGRA~1\McAfee.com\Agent\mcupdate.exe" ["McAfee, Inc"]
"VSOCheckTask" = ""d:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask" ["Networks Associates Technology, Inc"]
"VirusScan Online" = ""d:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"" ["Networks Associates Technology, Inc"]
"MPFExe" = "D:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" ["McAfee Security"]
"NeroFilterCheck" = "D:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"QuickTime Task" = ""D:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{C56CB6B0-0D96-11D6-8C65-B2868B609932}\(Default) = "NTIECatcher Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\NetTransport 2\NTIEHelper.dll" ["Xi"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\System32\btneighborhood.dll" ["WIDCOMM, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\Audiodev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{1530F7EE-5128-43BD-9977-84A4B0FAD7DF}" = "PhotoToys"
  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\phototoys.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "D:\Documents and Settings\Yakubo Stensig\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "Yakubo Stensig" & "All Users" startup folders:
----------------------------------------------------------------

D:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]


Enabled Scheduled Tasks:
------------------------

"McAfee.com Update Check (YAKUBO-Yakubo Stensig)" -> launches: "D:\PROGRA~1\McAfee.com\Agent\mcupdate.exe /Schedule" ["McAfee, Inc"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "D:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 14
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BA52B914-B692-46C4-B683-905236F6F655}" = "McAfee VirusScan"
  -> {CLSID}\InProcServer32\(Default) = "d:\progra~1\mcafee.com\vso\mcvsshl.dll" ["Networks Associates Technology, Inc"]

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Opslag"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\System32\msjava.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Opslag"

{CCA281CA-C863-46EF-9331-5C8D4460577F}\
"ButtonText" = "@btrez.dll,-4015"
"MenuText" = "@btrez.dll,-4017"
"Script" = "D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm" [null data]

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\
"ButtonText" = "Yahoo! Messenger"
"MenuText" = "Yahoo! Messenger"
"Exec" = "D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe" ["Yahoo! Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "D:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
Bluetooth Service, btwdins, "D:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe" ["WIDCOMM, Inc."]
Bonjour-tjeneste, Bonjour Service, ""D:\Program Files\Bonjour\mDNSResponder.exe"" ["Apple Computer, Inc."]
ewido security suite control, ewido security suite control, "D:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "D:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
HTTP SSL, HTTPFilter, "D:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"D:\WINDOWS\System32\w3ssl.dll" [MS]}
McAfee Personal Firewall Service, MpfService, "D:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe" ["McAfee Corporation"]
McAfee.com McShield, McShield, "d:\PROGRA~1\mcafee.com\vso\mcshield.exe" ["Network Associates, Inc."]
McAfee.com VirusScan Online Realtime Engine, MCVSRte, "d:\PROGRA~1\mcafee.com\vso\mcvsrte.exe /Embedding" ["Networks Associates Technology, Inc"]
Remote Diagnostics Enabling Agent, DfwWebAgent, "D:\WINDOWS\Cpqdiag\Cpqdfwag.exe" ["Hewlett-Packard"]
SoundMAX Agent Service, SoundMAX Agent Service (default), "D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
Windows User Mode Driver Framework, UMWdf, "D:\WINDOWS\system32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 87 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
  took 18 seconds.
---------- (total run time: 146 seconds)

Så er regfix kørt, og her kommer en silentrunner:

Dejligt at høre. For nu er den sidste log nemlig også ren.

Hvis du vil være helt sikker på at alt snavs er væk, kan det være en god ide at køre et scan med denne engangsvirus-scanner. Du kunne ikke få Dr. Web til at virke, så prøv evt. denne. Den kan nogle gange tage ting, der ikke ses i loggen:

Download og gem denne scanner på skrivebordet. http://www.spywareinfo.dk/download/mwav.exe
Genstart til fejlsikret tilstand. Klik på mwav.exe som du hentede, programmet pakker sig selv ud og starter.
Sæt flueben i følgende:
Memory, Startup folders, drive, Registry, System folders og Services.
Sæt prik i følgende:
All local drives og Scan all files. Klik på scan clean. Den vil selv fjerne de alvorlige ting. De mindre alvorlige ting informerer den blot om. Dem kan du evt. vælge at slette manuelt bagefter.

For at gøre arbejdet helt færdig skal du også have ryddet op i systemgendannelses filerne. Deaktiver systemgendannelse (http://www.spywarefri.dk/virusscannere.htm#alle) - genstart din computer - aktiver systemgendannelse.
Og så kan det også være en god ide at skjule dine systemfiler og -mapper igen, så du ikke ved en fejl kommer til at slette en vigtig fil. Det gør du samme sted, hvor du satte det til at vise alle filer, denne gang vælger du bare: Vis ikke skjulte filer og mapper.

Du kan også rense browser cachen (hvis du bruger IE-explorer)
1. Klik på Funktioner - Internetindstillinger
2. Under midlertidige filer, klik på Slet cookies
3. Under midlertidige filer, klik på slet filer – sæt flueben i slet alt offline indhold
4. Under Oversigten, klik på ryd oversigten
5. Klik på ok.
Tøm din papirkurv.
---------------------------
For at forhindre gentagelser, vil jeg anbefale dig at lægge nogle små programmer ind, som forhindrer spyware i at komme ind i første omgang. Som minimum vil jeg anbefale at lægge Spywareguard, Spywareblaster og IE-spyad ind. Alle programmer kan du finde links til herfra:
http://www.spywarefri.dk/vaerktoj.htm

Alle computere bør beskyttet af en firewall. Link og vejledning til en god og gratis firewall finder du her:
http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=9706

Så kom der vist styr på det. Tak for giganthjælpen ejvindh!
Hvis du vil have lidt point også kalp, så sig til. Så skal jeg nok lige lave en tråd med point.

Det er helt i orden.. jeg var ikke tilstede så det fint at ejvindh havde tid til at tage over:)

Jeg takker for point :-)