theolavur (Beginner)
19 September 2005 - 19:46 There are 15 comments and 2 solutions

Downloader.Trojan, how do I remove it??

I have got a virus called downloader.trojan. Norton finds it but does not remove it properly. I have tried disabling System Restore and scanning in safe mode. It finds the virus and removes it, but after a while the same virus is back again... What do I do?? :S
Hope you can help!!

The Olavur
johnstigers (Senior Master)
19 September 2005 - 19:49 #1
Download HijackThis: http://www.spywarefri.dk/downloads1/hijackthis.exe and post the log from it in here.
You will find a guide to the program here: http://www.spywarefri.dk/hijackthis.man.htm

I will check the log once it has been posted here.
theolavur (Beginner)
19 September 2005 - 20:04 #2
Logfile of HijackThis v1.99.1
Scan saved at 20:01:04, on 19-09-2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\logonui.exe
E:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
E:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe
E:\Programmer\Fælles filer\Symantec Shared\SPBBC\SPBBCSvc.exe
E:\WINDOWS\Explorer.EXE
E:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Programmer\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
E:\Programmer\D-Tools\daemon.exe
E:\Programmer\MSN Apps\Updater\01.02.0002.1001\da\msnappau.exe
E:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
E:\Programmer\Fælles filer\Symantec Shared\Security Center\UsrPrmpt.exe
E:\Nokia\Nokia PC Suite 6\Launch Application 2.exe
E:\PROGRA~1\FLLESF~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\Program Files\Nrbijc\Qmnl.exe
E:\Programmer\Java\jre1.5.0_04\bin\jusched.exe
E:\Program Files\Media Gateway\MediaGateway.exe
E:\DOCUME~1\DAGURH~1\LOKALE~1\Temp\bundle_cdt1006.exe
E:\Nokia\Nokia PC Suite 6\PcSync2.exe
E:\Programmer\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
e:\windows\system32\hyyrwgh.exe
E:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
E:\Programmer\Logitech\MouseWare\system\em_exec.exe
E:\PROGRA~1\FLLESF~1\Nokia\MPAPI\MPAPI3s.exe
E:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
E:\Programmer\Norton AntiVirus\navapsvc.exe
E:\PROGRA~1\FLLESF~1\PCSuite\Services\SERVIC~1.EXE
E:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
E:\Programmer\Norton AntiVirus\IWP\NPFMntor.exe
E:\Programmer\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\system32\pctspk.exe
E:\WINDOWS\System32\svchost.exe
E:\Programmer\Fælles filer\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Documents and Settings\Dagur Halfdanarson\Skrivebord\hijackthis\hijackthis.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Documents and Settings\Dagur Halfdanarson\Skrivebord\hijackthis\hijackthis.exe
E:\Documents and Settings\Dagur Halfdanarson\Skrivebord\hijackthis\hijackthis.exe
E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.tdconline.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.tdconline.dk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe E:\WINDOWS\Nail.exe
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4A2C1059-2E8E-46F9-9FFA-DFCF42F7E6A9} - E:\WINDOWS\System32\nvrszhcd.dll
O2 - BHO: (no name) - {54772855-A4A8-9A30-93E1-32C640D8EE28} - E:\WINDOWS\cdmagent\tjbxhnhfes.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - E:\Programmer\MSN Apps\ST\01.02.0002.1001\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Programmer\MSN Apps\MSN Toolbar\01.02.0002.1001\da\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Programmer\MSN Apps\MSN Toolbar\01.02.0002.1001\da\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] E:\Programmer\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Microsoft UMA Update] MSuma32.exe
O4 - HKLM\..\Run: [MS Autoloader 32] MSAuto32.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "E:\Programmer\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [msnappau] "E:\Programmer\MSN Apps\Updater\01.02.0002.1001\da\msnappau.exe"
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "E:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] E:\Programmer\Fælles filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PCSuiteTrayApplication] E:\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] E:\PROGRA~1\FLLESF~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [qJ83rRs2] E:\WINDOWS\nmilq.exe
O4 - HKLM\..\Run: [mtlospi9] E:\WINDOWS\System32\mtlospi9.exe
O4 - HKLM\..\Run: [bO²ùð#×y-¯Œ] E:\WINDOWS\nmilq.exe
O4 - HKLM\..\Run: [bO²ùõö/‚E%)ßfÏNb½¾E:\Programmer\ISTsvc\istsvc.exe] E:\WINDOWS\nmilq.exe
O4 - HKLM\..\Run: [Tkmwwj] C:\Program Files\Nrbijc\Qmnl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Programmer\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Media Gateway] E:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [SAHBundle] E:\DOCUME~1\DAGURH~1\LOKALE~1\Temp\bundle_cdt1006.exe run
O4 - HKLM\..\Run: [fkpaltx] e:\windows\system32\hyyrwgh.exe r
O4 - HKLM\..\RunServices: [Microsoft UMA Update] MSuma32.exe
O4 - HKLM\..\RunServices: [MS Autoloader 32] MSAuto32.exe
O4 - HKCU\..\Run: [PcSync] E:\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = E:\Programmer\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Programmer\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programmer\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programmer\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {00000000-7777-0704-0B53-2C8830E9FAEC} - http://de-url.de/cab/axload.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c9.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/movie.ocx
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -
O16 - DPF: {B7E76C25-791F-432E-BDB7-748D01A93FC2} (VacPro.int_ver30) - http://advnt01.com/dialer/int_ver30.CAB
O16 - DPF: {CDCBE0F1-D13A-4F86-A963-3A272D3ABA7E} (VacPro.internazionale_ver15) - http://advnt01.com/dialer/internazionale_ver15.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {F0BC061F-DAF9-4533-8011-53BCB4C10307} (Installations Assistent) - http://install.power-url.de/InstallationsAssistent.ocx
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Programmer\Fælles filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - E:\Programmer\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - E:\Programmer\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - E:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - E:\Programmer\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\FLLESF~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - E:\Programmer\Fælles filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - E:\WINDOWS\svcproc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Programmer\Fælles filer\Symantec Shared\CCPD-LC\symlcsvc.exe

Here U go!
majsmarken (Beginner)
19 September 2005 - 20:18 #3
<theolavur>: Welcome to Eksperten.dk, by the way...

This is what happens when you have not run Windows Update - and presumably do not have the firewall turned on either?
Read an article here:
"Unprotected PCs last 20 minutes":
http://forum.mib-eu.dk/forum_posts.asp?TID=44

And there are _many_ virus/spyware elements in your machine...

<john_stigers> will surely come back with a cleaning procedure ...
theolavur (Beginner)
19 September 2005 - 20:23 #4
Thanks! I think I have neglected it a bit...!
It also runs pretty badly!! I'm sitting at the laptop now...!
And no, the firewall isn't on...
majsmarken (Beginner)
19 September 2005 - 20:28 #5
... well - it is a 'textbook' example of how things can go ...

Just check whether "the laptop" HAS run Windows Update - preferably Service Pack 2. And has the firewall enabled...
Or does it also need to go through a HijackThis log + procedure afterwards - hehe?
theolavur (Beginner)
19 September 2005 - 20:39 #6
It has.. It's doing fine! :P
And it has a firewall.. Running ZoneAlarm 24-7...
ejvindh (Expert)
19 September 2005 - 20:43 #7
Yes, this one is a difficult log. If I were John, I would start with the standard fix that was made to fix Nail, epolvy and dsr in one go. You can see this fix used here:
http://www.eksperten.dk/spm/649340

But John is the one handling the log, so he naturally decides the best procedure (too many cooks spoil the broth ;-))
johnstigers (Senior Master)
19 September 2005 - 20:53 #8
hmmm...
I don't get why I start on this when I can't finish it...
ejvindh, you are very welcome to take over :)
theolavur (Beginner)
19 September 2005 - 21:09 #9
Isn't this task worth a bit more than 30?? Should I raise it a bit??
ejvindh (Expert)
20 September 2005 - 08:00 #10
John: All good :-)

Theolavur: There are many different things in this log, so for now we will try to take most of them in one general sweep. Then we will do a more specialised cleaning afterwards.

1. Download Ewido from here (14-day version of the plus version - after that it is "throttled down" to the free version):

http://shop.element5.com/product.html?productid=531168&affiliateid=200010704 (click on demo download)

Install and run Ewido - update the program (but do not scan).

2. Download Adaware here:

http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10045910.html

... and Adaware's VX2 plugin here:

http://www.lavasoft.de/software/addons/vx2cleaner.shtml

Install Adaware (during installation you will be asked whether you want to update and run a full scan - remove all three check marks), and then install the VX2 plugin by double-clicking vx2cleaner_inst.exe (use all default settings)

3. Run Adaware and update the program with the latest updates. Click Add-ons in the left column. Select VX2 Cleaner V2.0 and click "Run Tool". Click OK - if the program finds anything, click "Clean". When the cleaning is finished, click "Close" and close the program.

4. Restart your computer and run Adaware again. This time click "Start" and select "Perform smart system scan" - then click "Next". When the scan has completed, click "Next" - select everything the program finds (right-click a line and select "Select all objects"). Click "Next", and click "OK".

You will be asked to run Adaware at restart - click "OK" and close Adaware. Restart your computer.

5. To get a final safety check... run a full scan with Ewido - remember to update the program first. When the program has finished scanning, click "Save Report" (remember where you save the report).

6. Restart your computer and post a fresh HijackThis log in here, together with the report from Ewido.
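
Added example, not part of the thread and not written by any of its participants: a short Python triage pass over HijackThis result lines such as those in the log posted in #2, picking out a few kinds of entry for closer review. The heuristics and function names are assumptions of this example and mark entries to look at, not verdicts; the sample lines are copied from that log.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class Entry(NamedTuple):
    code: str  # HijackThis section code, e.g. "O4"
    body: str  # text after "CODE - "


# "O4 - HKLM\..\Run: [name] command" -> code "O4", body "HKLM\..\Run: ..."
LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Body of an O4 registry autorun: hive, Run/RunServices key, [value name], command
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[(.*?)\] (.+)$")
SHELL_RE = re.compile(r"shell=(.*)$", re.IGNORECASE)


def parse(line: str) -> Optional[Entry]:
    """Return an Entry for a result line, None for headers and process paths."""
    m = LINE_RE.match(line.strip())
    return Entry(m.group(1), m.group(2)) if m else None


def reasons(e: Entry) -> List[str]:
    """Heuristic review reasons (assumptions of this example, not verdicts)."""
    out: List[str] = []
    if e.code == "F2":
        m = SHELL_RE.search(e.body)
        # The Winlogon shell is normally Explorer.exe alone; anything
        # appended to it is started at every logon as well.
        if m and m.group(1).strip().lower() != "explorer.exe":
            out.append("shell value starts more than Explorer.exe")
    elif e.code == "O2":
        if "(no name)" in e.body:
            out.append("BHO has no name")
        if e.body.endswith("(file missing)"):
            out.append("BHO file is missing")
    elif e.code == "O4":
        m = RUN_RE.match(e.body)
        if m:
            name, command = m.group(3), m.group(4)
            # Only the value name is checked: localized folder names
            # (e.g. "Fælles filer") make non-ASCII paths normal.
            if not name.isascii():
                out.append("autorun value name has non-ASCII characters")
            if "\\temp\\" in command.lower():
                out.append("autorun target runs from a Temp directory")
    elif e.code == "O23":
        if "unknown owner" in e.body.lower():
            out.append("service reports 'Unknown owner'")
    return out


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every result line with at least one reason."""
    hits = []
    for line in log_text.splitlines():
        entry = parse(line)
        if entry:
            why = reasons(entry)
            if why:
                hits.append((line.strip(), why))
    return hits


# Lines copied from the HijackThis log posted in #2 of this thread.
SAMPLE_LOG = r"""
Running processes:
E:\WINDOWS\Explorer.EXE
F2 - REG:system.ini: Shell=Explorer.exe E:\WINDOWS\Nail.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Programmer\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {54772855-A4A8-9A30-93E1-32C640D8EE28} - E:\WINDOWS\cdmagent\tjbxhnhfes.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "E:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [bO²ùð#×y-¯Œ] E:\WINDOWS\nmilq.exe
O4 - HKLM\..\Run: [SAHBundle] E:\DOCUME~1\DAGURH~1\LOKALE~1\Temp\bundle_cdt1006.exe run
O23 - Service: SAVScan - Symantec Corporation - E:\Programmer\Norton AntiVirus\SAVScan.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - E:\WINDOWS\svcproc.exe
"""

if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG):
        print("; ".join(why))
        print("    " + line)
```
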
theolavur (Beginner)
20 September 2005 - 08:10 #11
Okay, I will do that. But I can't get to it until tomorrow. But I'll post it in here tomorrow.
theolavur (Beginner)
21 September 2005 - 23:06 #12
Here is the HijackThis report:

Logfile of HijackThis v1.99.1
Scan saved at 23:02:34, on 21-09-2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
E:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe
E:\Programmer\Fælles filer\Symantec Shared\SPBBC\SPBBCSvc.exe
E:\WINDOWS\Explorer.EXE
E:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
E:\Programmer\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
E:\Programmer\D-Tools\daemon.exe
E:\Programmer\MSN Apps\Updater\01.02.0002.1001\da\msnappau.exe
E:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
E:\Programmer\Fælles filer\Symantec Shared\Security Center\UsrPrmpt.exe
E:\Nokia\Nokia PC Suite 6\Launch Application 2.exe
E:\Programmer\Java\jre1.5.0_04\bin\jusched.exe
E:\Nokia\Nokia PC Suite 6\PcSync2.exe
E:\Programmer\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
E:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
E:\Programmer\Logitech\MouseWare\system\em_exec.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\FLLESF~1\PCSuite\DATALA~1\DATALA~1.EXE
E:\PROGRA~1\FLLESF~1\Nokia\MPAPI\MPAPI3s.exe
E:\PROGRA~1\FLLESF~1\PCSuite\Services\SERVIC~1.EXE
E:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
E:\Programmer\ewido\security suite\ewidoctrl.exe
E:\Programmer\ewido\security suite\ewidoguard.exe
E:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
E:\Programmer\Norton AntiVirus\IWP\NPFMntor.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\system32\pctspk.exe
E:\Programmer\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
E:\WINDOWS\System32\svchost.exe
E:\Programmer\Fælles filer\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\Programmer\Norton AntiVirus\navapsvc.exe
E:\WINDOWS\System32\wuauclt.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Drivere\Ajax\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.tdconline.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.tdconline.dk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4A2C1059-2E8E-46F9-9FFA-DFCF42F7E6A9} - E:\WINDOWS\System32\nvrszhcd.dll
O2 - BHO: (no name) - {54772855-A4A8-9A30-93E1-32C640D8EE28} - E:\WINDOWS\cdmagent\tjbxhnhfes.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - E:\Programmer\MSN Apps\ST\01.02.0002.1001\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Programmer\MSN Apps\MSN Toolbar\01.02.0002.1001\da\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Programmer\MSN Apps\MSN Toolbar\01.02.0002.1001\da\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] E:\Programmer\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Microsoft UMA Update] MSuma32.exe
O4 - HKLM\..\Run: [MS Autoloader 32] MSAuto32.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "E:\Programmer\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [msnappau] "E:\Programmer\MSN Apps\Updater\01.02.0002.1001\da\msnappau.exe"
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "E:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] E:\Programmer\Fælles filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PCSuiteTrayApplication] E:\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] E:\PROGRA~1\FLLESF~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [qJ83rRs2] E:\WINDOWS\nmilq.exe
O4 - HKLM\..\Run: [mtlospi9] E:\WINDOWS\System32\mtlospi9.exe
O4 - HKLM\..\Run: [bO²ùð#×y-¯Œ] E:\WINDOWS\nmilq.exe
O4 - HKLM\..\Run: [bO²ùõö/‚E%)ßfÏNb½¾E:\Programmer\ISTsvc\istsvc.exe] E:\WINDOWS\nmilq.exe
O4 - HKLM\..\Run: [Tkmwwj] C:\Program Files\Nrbijc\Qmnl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Programmer\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\RunServices: [Microsoft UMA Update] MSuma32.exe
O4 - HKLM\..\RunServices: [MS Autoloader 32] MSAuto32.exe
O4 - HKCU\..\Run: [PcSync] E:\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = E:\Programmer\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Programmer\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programmer\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programmer\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c9.cab
O16 - DPF: {B7E76C25-791F-432E-BDB7-748D01A93FC2} (VacPro.int_ver30) - http://advnt01.com/dialer/int_ver30.CAB
O16 - DPF: {CDCBE0F1-D13A-4F86-A963-3A272D3ABA7E} (VacPro.internazionale_ver15) - http://advnt01.com/dialer/internazionale_ver15.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {F0BC061F-DAF9-4533-8011-53BCB4C10307} (Installations Assistent) - http://install.power-url.de/InstallationsAssistent.ocx
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Programmer\Fælles filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - E:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\Programmer\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - E:\Programmer\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - E:\Programmer\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - E:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - E:\Programmer\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\FLLESF~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - E:\Programmer\Fælles filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Programmer\Fælles filer\Symantec Shared\CCPD-LC\symlcsvc.exe


And the Ewido report:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on:            22:57:16, 21-09-2005
+ Report-Checksum:        490BB041

+ Scan result:

    HKLM\SOFTWARE\Classes\.s3d -> Spyware.BrilliantDigital : Cleaned with backup
    HKLM\SOFTWARE\Classes\MediaAccX.Installer -> Spyware.WinAd : Cleaned with backup
    HKLM\SOFTWARE\Classes\MediaAccX.Installer\CLSID -> Spyware.WinAd : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
    HKLM\SOFTWARE\PerfectNav -> Spyware.KeenValue : Cleaned with backup
    HKLM\SOFTWARE\PerfectNav\BHO -> Spyware.KeenValue : Cleaned with backup
    HKLM\SOFTWARE\PerfectNav\BHO\HomePage -> Spyware.KeenValue : Cleaned with backup
    HKLM\SOFTWARE\PerfectNav\BHO\RedirectURLS -> Spyware.KeenValue : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1053 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1068 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1074 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_2 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_3 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4\Seqn_2630 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4\Seqn_2631 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4\Seqn_2632 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0\Seqn_2290 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0\Seqn_4492 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0\Seqn_4496 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0\Seqn_4543 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_4 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_0 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_0\Seqn_1053 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_0\Seqn_1068 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_0\Seqn_1074 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_2 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_3 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_4 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_0 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_0\Seqn_1053 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_0\Seqn_1068 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_0\Seqn_1074 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_2 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_3 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4\Seqn_2630 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4\Seqn_2631 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_1116 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_1524 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_1553 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_1641 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_1 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_2 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_3 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_3\Seqn_1785 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_4 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Services -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Services\Queue -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-1454471165-854245398-1343024091-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Services\Status -> Spyware.Cydoor : Cleaned with backup
    C:\program files\altnet\download manager\altnetuninstall.exe -> Spyware.Altnet : Cleaned with backup
    C:\program files\altnet\download manager\asm.exe -> Spyware.Altnet : Cleaned with backup
    C:\program files\altnet\download manager\asmend.exe -> Spyware.Altnet : Cleaned with backup
    C:\program files\altnet\download manager\asmps.dll -> Spyware.Altnet : Cleaned with backup
    C:\program files\altnet\Points Manager\Points Manager.exe -> Spyware.Altnet : Cleaned with backup
    C:\program files\altnet\Points Manager\setup.cab/PMuninstall.bde -> Spyware.Altnet : Cleaned with backup
    E:\Documents and Settings\Dagur Halfdanarson\Cookies\dagur halfdanarson@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
    E:\Documents and Settings\Dagur Halfdanarson\Cookies\dagur halfdanarson@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    E:\Documents and Settings\Dagur Halfdanarson\Cookies\dagur halfdanarson@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
    E:\Documents and Settings\Dagur Halfdanarson\Lokale indstillinger\Temp\180sainstaller.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
    E:\Documents and Settings\Dagur Halfdanarson\Lokale indstillinger\Temp\180sainstaller.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
    E:\Documents and Settings\Dagur Halfdanarson\Lokale indstillinger\Temp\D2748\aurora.exe -> Adware.BetterInternet : Cleaned with backup
    E:\Documents and Settings\Dagur Halfdanarson\Lokale indstillinger\Temp\DelAFE.tmp -> TrojanDownloader.Small.asf : Cleaned with backup
    E:\Documents and Settings\Dagur Halfdanarson\Lokale indstillinger\Temp\nstB09.EXE -> Spyware.SmartPops : Cleaned with backup
    E:\Documents and Settings\Dagur Halfdanarson\Lokale indstillinger\Temp\resC23.tmp -> Spyware.180Solutions : Cleaned with backup
    E:\Documents and Settings\Dagur Halfdanarson\Lokale indstillinger\Temp\ysb.dll -> Spyware.YourSiteBar : Cleaned with backup
    E:\Documents and Settings\Dagur Halfdanarson\Lokale indstillinger\Temporary Internet Files\Content.IE5\53VLBXFC\ibar[1].js -> TrojanDownloader.IstBar.ad : Cleaned with backup
    E:\Documents and Settings\Dagur Halfdanarson\Lokale indstillinger\Temporary Internet Files\Content.IE5\TPRUTXX7\ysb[1].dll -> Spyware.YourSiteBar : Cleaned with backup
    E:\Program Files\Altnet\Download Manager\asm.exe -> Spyware.Altnet : Cleaned with backup
    E:\Program Files\Altnet\Download Manager\asmps.dll -> Spyware.Altnet : Cleaned with backup
    E:\Program Files\Internet Optimizer\optimize.exe -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
    E:\Program Files\Internet Optimizer\update\rogue.exe -> Trojan.Small.cy : Cleaned with backup
    E:\Program Files\Media Gateway\MediaGateway.exe -> Spyware.WinAD : Cleaned with backup
    E:\Programmer\filesubmit\shrek2catttm.zip\NNEZTA388.exe -> Spyware.NewDotNet : Cleaned with backup
    E:\Programmer\Kazaa\TopSearch.dll -> Spyware.Altnet : Cleaned with backup
    E:\Programmer\MyWay\myBar\2.bin\MYBAR.DLL -> Spyware.MyWay : Cleaned with backup
    E:\temp\bundle_cdt1006.exe -> Adware.Saha : Cleaned with backup
    E:\WINDOWS\Downloaded Program Files\clientax.dll -> Spyware.180Solutions : Cleaned with backup
    E:\WINDOWS\Downloaded Program Files\internazionale_ver15.ocx -> Dialer.Generic : Cleaned with backup
    E:\WINDOWS\Downloaded Program Files\int_ver30.ocx -> Dialer.Generic : Cleaned with backup
    E:\WINDOWS\Downloaded Program Files\lsp_.dll -> Adware.SAHA : Cleaned with backup
    E:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll -> Spyware.WinAD : Cleaned with backup
    E:\WINDOWS\Downloaded Program Files\movie.ocx -> TrojanDownloader.Agent.ex : Cleaned with backup
    E:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
    E:\WINDOWS\Downloaded Program Files\SAHAgent_.exe -> Adware.SAHA : Cleaned with backup
    E:\WINDOWS\iLookup -> Adware.eZula : Cleaned with backup
    E:\WINDOWS\iLookup\TTIL.exe -> Adware.eZula : Cleaned with backup
    E:\WINDOWS\NDNuninstall6_30.exe -> Spyware.NewDotNet : Cleaned with backup
    E:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet : Cleaned with backup
    E:\WINDOWS\SSK3_B5.exe -> TrojanDropper.Small.qn : Cleaned with backup
    E:\WINDOWS\ucmoreiex.exe/UCMTSAIE.DLL -> Spyware.UCmore : Cleaned with backup
    E:\WINDOWS\ucmoreiex.exe/IUCMORE.DLL -> Spyware.UCmore : Cleaned with backup


::Report End
ejvindh Expert
22 September 2005 - 08:22 #13
You certainly have a lot of different infections on this computer. Some of them went in the first fix, but quite a few still remain. Majsmarken has mentioned one reason why it has gone so badly (missing updates). Another reason may well be that you use P2P networks. The P2P clients CAN in themselves be free of junk, but the programs shared this way often have something "extra" added -- namely viruses and spyware. On top of that, you have chosen one of the most spyware-infested clients -- Kazaa. I strongly recommend that you uninstall it. I have therefore incorporated that into the following procedure.

Download this file and unpack it to a folder on the desktop:
http://downloads.subratam.org/kazaabegone.zip

Download and save this scanner on the desktop. Do not run it yet.
http://www.spywareinfo.dk/download/mwav.exe

Go to Control Panel - Add/Remove Programs and see whether you are allowed to uninstall the following programs:
Kazaa
Altnet
Internet Optimizer
Media Gateway
Myway (or Mysearch)

If Kazaa cannot be uninstalled this way, double-click Kazaabegone.exe, which you downloaded earlier. Select "Search and destroy all installed components" and click OK. Close the program.

Run Hijackthis, scan, tick the lines listed here, close all windows except Hijackthis, and click fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {4A2C1059-2E8E-46F9-9FFA-DFCF42F7E6A9} - E:\WINDOWS\System32\nvrszhcd.dll
O2 - BHO: (no name) - {54772855-A4A8-9A30-93E1-32C640D8EE28} - E:\WINDOWS\cdmagent\tjbxhnhfes.dll (file missing)
O4 - HKLM\..\Run: [Microsoft UMA Update] MSuma32.exe
O4 - HKLM\..\Run: [MS Autoloader 32] MSAuto32.exe
O4 - HKLM\..\Run: [qJ83rRs2] E:\WINDOWS\nmilq.exe
O4 - HKLM\..\Run: [mtlospi9] E:\WINDOWS\System32\mtlospi9.exe
O4 - HKLM\..\Run: [bO²ùð#×y-¯Œ] E:\WINDOWS\nmilq.exe
O4 - HKLM\..\Run: [bO²ùõö/‚E%)ßfÏNb½¾E:\Programmer\ISTsvc\istsvc.exe] E:\WINDOWS\nmilq.exe
O4 - HKLM\..\Run: [Tkmwwj] C:\Program Files\Nrbijc\Qmnl.exe
O4 - HKLM\..\RunServices: [Microsoft UMA Update] MSuma32.exe
O4 - HKLM\..\RunServices: [MS Autoloader 32] MSAuto32.exe
O16 - DPF: {B7E76C25-791F-432E-BDB7-748D01A93FC2} (VacPro.int_ver30) - http://advnt01.com/dialer/int_ver30.CAB
O16 - DPF: {CDCBE0F1-D13A-4F86-A963-3A272D3ABA7E} (VacPro.internazionale_ver15) - http://advnt01.com/dialer/internazionale_ver15.CAB
O16 - DPF: {F0BC061F-DAF9-4533-8011-53BCB4C10307} (Installations Assistent) - http://install.power-url.de/InstallationsAssistent.ocx

Deleting files and folders:
Open a folder, click Tools=>Folder Options=>View.
Untick "Hide protected operating system files".
Untick "Hide extensions for known file types".
Select "Show hidden files and folders".

Restart in safe mode (press <F8> during startup) and delete the folders and files listed below (some of them may already have been deleted by Hijackthis).
-------------------
Folders:
E:\WINDOWS\cdmagent\
E:\Programmer\ISTsvc\
C:\Program Files\Nrbijc\
E:\Programmer\Kazaa\
C:\program files\altnet\
E:\Program Files\Internet Optimizer\
E:\Program Files\Media Gateway\
E:\Programmer\MyWay\
-------------------
Files:
E:\WINDOWS\System32\nvrszhcd.dll
E:\WINDOWS\nmilq.exe
E:\WINDOWS\System32\mtlospi9.exe

Search for these 2 files and delete them (they are probably in e:\windows\System32)
MSuma32.exe
MSAuto32.exe
---------------------------------------
Run a new full scan with Ewido. The program produces a small log, which you should copy into your next reply.

Click mwav.exe, which you downloaded; the program unpacks itself and starts.
Tick the following:
Memory, Startup folders, drive, Registry, System folders and Services.
Select the following:
All local drives and Scan all files

Click scan clean. It can take a long time (a few hours), but it is also very effective.
Restart in normal mode and make a new HJT log, which you post here for checking.
theolavur Beginner
25 September 2005 - 00:19 #14
Did as you said. But I could not find all the things even though I searched and looked...
But here is a new HJT log..
And an Ewido log..

Logfile of HijackThis v1.99.1
Scan saved at 00:17:37, on 25-09-2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
E:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe
E:\Programmer\Fælles filer\Symantec Shared\SPBBC\SPBBCSvc.exe
E:\WINDOWS\Explorer.EXE
E:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Programmer\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
E:\Programmer\D-Tools\daemon.exe
E:\Programmer\MSN Apps\Updater\01.02.0002.1001\da\msnappau.exe
E:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
E:\Programmer\Fælles filer\Symantec Shared\Security Center\UsrPrmpt.exe
E:\Nokia\Nokia PC Suite 6\Launch Application 2.exe
E:\Programmer\Java\jre1.5.0_04\bin\jusched.exe
E:\Nokia\Nokia PC Suite 6\PcSync2.exe
E:\Programmer\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
E:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
E:\Programmer\Logitech\MouseWare\system\em_exec.exe
E:\PROGRA~1\FLLESF~1\PCSuite\DATALA~1\DATALA~1.EXE
E:\PROGRA~1\FLLESF~1\Nokia\MPAPI\MPAPI3s.exe
E:\Programmer\ewido\security suite\ewidoctrl.exe
E:\PROGRA~1\FLLESF~1\PCSuite\Services\SERVIC~1.EXE
E:\Programmer\ewido\security suite\ewidoguard.exe
E:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
E:\Programmer\Norton AntiVirus\navapsvc.exe
E:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
E:\Programmer\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
E:\Programmer\Norton AntiVirus\IWP\NPFMntor.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\system32\pctspk.exe
E:\WINDOWS\System32\svchost.exe
E:\Programmer\Fælles filer\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\Programmer\Internet Explorer\iexplore.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Documents and Settings\Dagur Halfdanarson\Skrivebord\hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.tdconline.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.tdconline.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - E:\Programmer\MSN Apps\ST\01.02.0002.1001\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Programmer\MSN Apps\MSN Toolbar\01.02.0002.1001\da\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Programmer\MSN Apps\MSN Toolbar\01.02.0002.1001\da\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] E:\Programmer\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "E:\Programmer\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [msnappau] "E:\Programmer\MSN Apps\Updater\01.02.0002.1001\da\msnappau.exe"
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "E:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] E:\Programmer\Fælles filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PCSuiteTrayApplication] E:\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] E:\PROGRA~1\FLLESF~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Programmer\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [PcSync] E:\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = E:\Programmer\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Programmer\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programmer\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programmer\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c9.cab
O16 - DPF: {CDCBE0F1-D13A-4F86-A963-3A272D3ABA7E} (VacPro.internazionale_ver15) - http://advnt01.com/dialer/internazionale_ver15.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Programmer\Fælles filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - E:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\Programmer\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - E:\Programmer\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - E:\Programmer\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - E:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - E:\Programmer\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\FLLESF~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - E:\Programmer\Fælles filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Programmer\Fælles filer\Symantec Shared\CCPD-LC\symlcsvc.exe


Ewido:

---------------------------------------------------------
ewido security suite - Scanningsrapport
---------------------------------------------------------

+ Oprettet den:            18:30:57, 24-09-2005
+ Rapport-Checksum:        4DC84AEF

+ Scanningsresultat:
    E:\Documents and Settings\Dagur Halfdanarson\Cookies\dagur halfdanarson@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Renset med backup
    E:\Documents and Settings\Dagur Halfdanarson\Cookies\dagur halfdanarson@adtech[1].txt -> Spyware.Cookie.Adtech : Renset med backup
    E:\WINDOWS\rjsahis.exe -> Adware.BetterInternet : Renset med backup


::Rapport slut
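
A follow-up HijackThis log can be compared mechanically against the fix list from post #13 to see which fixed entries are still registered. The sketch below is an added example, not part of the thread or of HijackThis; the function names and the choice of identity key (CLSID for O2/O3/O9/O16 entries, hive plus value name for O4 entries) are assumptions, and the sample lines are excerpts copied from the two posts.

```python
import re

# Excerpt of the fix list from post #13 (lines copied from this thread).
FIX_LIST = r"""
O2 - BHO: (no name) - {4A2C1059-2E8E-46F9-9FFA-DFCF42F7E6A9} - E:\WINDOWS\System32\nvrszhcd.dll
O4 - HKLM\..\Run: [qJ83rRs2] E:\WINDOWS\nmilq.exe
O4 - HKLM\..\Run: [Tkmwwj] C:\Program Files\Nrbijc\Qmnl.exe
O4 - HKLM\..\RunServices: [MS Autoloader 32] MSAuto32.exe
O16 - DPF: {B7E76C25-791F-432E-BDB7-748D01A93FC2} (VacPro.int_ver30) - http://advnt01.com/dialer/int_ver30.CAB
O16 - DPF: {CDCBE0F1-D13A-4F86-A963-3A272D3ABA7E} (VacPro.internazionale_ver15) - http://advnt01.com/dialer/internazionale_ver15.CAB
"""

# Excerpt of the follow-up log from post #14 (lines copied from this thread).
FOLLOW_UP = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [PcSync] E:\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c9.cab
O16 - DPF: {CDCBE0F1-D13A-4F86-A963-3A272D3ABA7E} (VacPro.internazionale_ver15) - http://advnt01.com/dialer/internazionale_ver15.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")      # e.g. "O4 - ...", "R1 - ..."
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
AUTORUN = re.compile(r"^(.*?): \[(.*?)\]")          # "HKLM\..\Run: [value name]"


def entry_key(line):
    """Return a stable identity for a HijackThis entry, or None for other lines.

    Assumption of this example: the CLSID identifies O2/O3/O9/O16 entries and
    hive + value name identifies O4 entries, so an entry still matches when
    its file path or download URL has changed between two logs.
    """
    m = ENTRY.match(line.strip())
    if not m:
        return None  # log header, process list or blank line
    section, rest = m.groups()
    clsid = CLSID.search(rest)
    if section in ("O2", "O3", "O9", "O16") and clsid:
        return (section, clsid.group(0).upper())
    if section == "O4":
        run = AUTORUN.match(rest)
        if run:
            return (section, run.group(1).lower(), run.group(2))
    # Fallback: whitespace-normalised, case-insensitive text of the entry.
    return (section, " ".join(rest.split()).lower())


def index(log_text):
    """Map entry identity -> first log line carrying it."""
    entries = {}
    for line in log_text.splitlines():
        key = entry_key(line)
        if key is not None:
            entries.setdefault(key, line.strip())
    return entries


def still_present(fix_list, follow_up):
    """Entries from the fix list that are still registered in the follow-up log."""
    fixed, after = index(fix_list), index(follow_up)
    return [after[key] for key in fixed if key in after]


if __name__ == "__main__":
    for line in still_present(FIX_LIST, FOLLOW_UP):
        print("still present:", line)
```

On these excerpts the function returns the O16 entry with CLSID {CDCBE0F1-D13A-4F86-A963-3A272D3ABA7E}, which appears both in the fix list and in the follow-up log.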
ejvindh Expert
25 September 2005 - 09:20 #15
It is not unusual that you cannot find all the things. Sometimes HJT manages to delete the files itself.

Your log is clean. I must admit that at one point I doubted it would be possible. Here is a parting salute, which I recommend you take a thorough look at, since in the long run it is better to prevent than to cure...

To finish the job completely:
It can be a good idea to clean up the System Restore files. Disable System Restore (http://www.spywarefri.dk/virusscannere.htm#alle) - restart your computer - enable System Restore.
It can also be a good idea to hide your system files and folders again, so that you do not delete an important file by mistake. You do that in the same place where you set it to show all files; this time you just choose: Do not show hidden files and folders.

You can also clear the browser cache (if you use Internet Explorer)
1. Click Tools - Internet Options
2. Under Temporary files, click Delete cookies
3. Under Temporary files, click Delete files - tick Delete all offline content
4. Under History, click Clear history
5. Click OK.
Empty your recycle bin.
---------------------------

To prevent a repeat, I recommend installing a few small programs that prevent spyware from getting in in the first place. As a minimum I recommend installing Spywareguard, Spywareblaster and IE-spyad. You can find links to all the programs from here:
http://www.spywarefri.dk/manualer/sikkerhedspakke.htm

All computers should be protected by a firewall. A link and guide to a good, free firewall can be found here:
http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=9706

It can also be a good idea to make sure all Windows updates are installed. I also recommend (now that the computer has been cleaned of junk) installing Service Pack 2, as it makes the computer much more secure. Admittedly there have been some problems with it, but the link below has some tips on how to avoid most of them:
http://windowsupdate.microsoft.com/
Avoid problems with SP2: http://www.hcma.dk/tips&tricks.htm#sp1mm
(Before you install SP2 you can make do with just following steps 1-4. If problems arise, you can get help from the links given afterwards)

If you do not want SP2, then at least install SP1 and all subsequent security fixes.
SP1 & SP2 can, if needed, be found as standalone files here:
http://intern.sdu.dk/it-service/tjenester/ftphotel/ftpindhold/
If only SP1 is installed, this collection of security fixes should also be installed (remember to choose the language matching your operating system):
http://www.microsoft.com/downloads/details.aspx?FamilyId=D531BF00-D7BE-48E3-ABCC-961602BD72C2&displaylang=da

A few tips on safe surfing:
http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=14414
theolavur Beginner
25 September 2005 - 12:40 #16
A thousand thanks!
It sounds good that it is well again, I can also easily feel a difference!!!
But I will certainly go through everything you have said!

Regards, TheOlavur
ejvindh Expert
25 September 2005 - 13:12 #17
That sounds lovely. Thanks for the points :-)