Hijackthis - Hjælp please

Den er grim, den der. Der er Aurora, VX2, og andet "godt". Var det min maskine blev den formateret. Jeg kan godt lave en rensnings procedure til dig, men jeg vil klart anbefale en format.

Hvis du trods alt vil gøre forsøget, så hent disse værktøjer:

CWShredder her http://www.trendmicro.com/cwshredder/

Hent Spysweeper prøveversion her: http://www.spywarefri.dk/downloads1.htm
Installer og opdater det (check for definition update)

Derefter, tryk på Options.

sæt prik i- sweep all folders on selected drive (s)

fjern flueben ved-don´t sweep systemrestore folder.

sæt flueben ved- sweep for Rootkits

Luk programmet

Genstart til fejlsikret tilstand (Tryk f8 flere gange under opstart).

Start Spysweeper. Så popper der en boks op fra Spysweeper, der trykker du på NO

Kør så et Sweep. Når scanningen er færdig, tryk på- next-select all-next-finish. Luk programmet.

Kør CWShredder, klik FIX, og når den er færdig klik EXIT.

Genstart til normaltilstand.

Hent Ewido herfra (14 dages version af plus-versionen - herefter bliver den "neddroslet" til gratis-versionen):

http://www.spywarefri.dk/downloads1/ewido-setup.exe

Installer og kør Ewido - opdater programmet (men lad være med at scanne).

Hent Ad-aware her:

http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10045910.html

... og Adwares VX2 plugin her:

http://www.lavasoft.de/software/addons/vx2cleaner.shtml

Installer Adaware (under installationen bliver du spurgt om du vil opdatere og køre en fuld scanning - fjern alle tre flueben), og installer herefter VX2 plugin ved at dobbeltklikke på vx2cleaner_inst.exe (brug alle standard indstillinger)

Kør Adaware og opdater programmet med de nyeste opdateringer. Klik på Add-ons i den venstre kolonne. Vælg VX2 Cleaner V2.0 og klik på "Run Tool". Klik på OK - hvis programmet finder noget, så klik på "Clean". Når rensningen er overstået, så skal du klikke på "Close" og lukket programmet.

Genstart din computer og kør Adaware igen. Denne gang skal du klikke på "Start" og vælge "Perform smart system scan" - klik herefter på "Next". Når scanningen er gennemført, klik på "Next" - vælg alt hvad programmet finder (højreklik på en linie og vælg "Select all objects". Klik "Next", og klik "OK".

Du bliver spurgt om at køre Adaware ved genstart - klik "OK" og luk Adaware. Genstart din computer.

For at få et sidste sikkerhedscheck... kør en fuld scanning med Ewido - husk at opdatere programmet først. Når programmet er færdig med at scanne skal du klikke på "Save Report" (husk hvor du gemmer rapporten).

Genstart din computer og læg en frisk HijackThis log herind, sammen med rapporten fra Ewido. Så ser vi hvordan det ser ud.

Hej igen,

Okay det var en størren omgang. tak for din hjælp ;-)

Her er de to rapporter:

---------------------------------------------------------
ewido security suite - Scanningsrapport
---------------------------------------------------------

+ Oprettet den:            16:35:19, 19-11-2005
+ Rapport-Checksum:        8FD7C683

+ Scanningsresultat:
    HKU\S-1-5-21-3675102018-2720323857-2207708166-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{52FE5233-367C-4EFB-BDD7-0BE4D212C107} -> Spyware.Begin2Search : Renset med backup
    HKU\S-1-5-21-3675102018-2720323857-2207708166-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{52FE5233-367C-4EFB-BDD7-0BE4D212C107} -> Spyware.Begin2Search : Renset med backup
    C:\A-Privat\Jarl\SW\ (PC) - Adobe Acrobat Reader 7.0 Crack.zip/(PC) - Adobe Acrobat Reader 7.0 Crack [ppa-10001].exe -> Dialer.Generic : Renset med backup
    C:\A-Privat\Jarl\SW\Adobe Acrobat Reader 7.0 Crack.exe -> Spyware.Beginto.a : Renset med backup
    C:\A-Privat\Jarl\SW\Adobe Acrobat Reader 7.0 Crack.rar/adobe acrobat reader 7.0_crack.exe -> Spyware.Beginto.a : Renset med backup
    C:\Documents and Settings\Jarl Christensen\Cookies\jarl christensen@com[2].txt -> Spyware.Cookie.Com : Renset med backup
    C:\Documents and Settings\Jarl Christensen\Cookies\jarl christensen@ilead.itrack[2].txt -> Spyware.Cookie.Itrack : Renset med backup
    C:\Documents and Settings\Jarl Christensen\Cookies\jarl christensen@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Renset med backup
    C:\Documents and Settings\Jarl Christensen\Lokale indstillinger\Temp\Cookies\jarl christensen@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Renset med backup
    C:\Documents and Settings\Jarl Christensen\Lokale indstillinger\Temp\Cookies\jarl christensen@com[2].txt -> Spyware.Cookie.Com : Renset med backup
    C:\Documents and Settings\Line Rosengaard\Cookies\line rosengaard@cs.sexcounter[2].txt -> Spyware.Cookie.Sexcounter : Renset med backup
    C:\Documents and Settings\Line Rosengaard\Cookies\line rosengaard@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Renset med backup
    C:\Documents and Settings\Line Rosengaard\Cookies\line rosengaard@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Renset med backup
    C:\Documents and Settings\N2C\Cookies\n2c@com[1].txt -> Spyware.Cookie.Com : Renset med backup
    C:\Documents and Settings\N2C\Cookies\n2c@cs.sexcounter[2].txt -> Spyware.Cookie.Sexcounter : Renset med backup
    C:\Documents and Settings\N2C\Cookies\n2c@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Renset med backup
    C:\Documents and Settings\N2C\Cookies\n2c@ehg-nokiafin.hitbox[2].txt -> Spyware.Cookie.Hitbox : Renset med backup
    C:\Documents and Settings\N2C\Cookies\n2c@ehg-sgi.hitbox[1].txt -> Spyware.Cookie.Hitbox : Renset med backup
    C:\Documents and Settings\N2C\Cookies\n2c@ehg-sonyeu.hitbox[2].txt -> Spyware.Cookie.Hitbox : Renset med backup
    C:\Documents and Settings\N2C\Cookies\n2c@hitbox[1].txt -> Spyware.Cookie.Hitbox : Renset med backup
    C:\Documents and Settings\N2C\Cookies\n2c@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Renset med backup
    C:\Documents and Settings\N2C\Cookies\n2c@phg.hitbox[2].txt -> Spyware.Cookie.Hitbox : Renset med backup
    C:\Documents and Settings\N2C\Cookies\n2c@track.commissionpartner[2].txt -> Spyware.Cookie.Commissionpartner : Renset med backup
    C:\Documents and Settings\N2C\Lokale indstillinger\Temporary Internet Files\Content.IE5\OP4D6VCH\aurora[1].exe -> Adware.BetterInternet : Renset med backup
    C:\Documents and Settings\N2C\Lokale indstillinger\Temporary Internet Files\Content.IE5\OP4D6VCH\aurora[2].exe -> Trojan.Spybi : Renset med backup
    C:\Documents and Settings\N2C\Lokale indstillinger\Temporary Internet Files\Content.IE5\SPIB4LAN\input[1].htm.mwt -> Not-A-Virus.Exploit.HTML.DragDrop : Renset med backup
    C:\Documents and Settings\Push it!\Cookies\push it!@com[2].txt -> Spyware.Cookie.Com : Renset med backup
    C:\Documents and Settings\Push it!\Cookies\push it!@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Renset med backup
    C:\Documents and Settings\Push it!\Cookies\push it!@ehg-nokiafin.hitbox[1].txt -> Spyware.Cookie.Hitbox : Renset med backup
    C:\Documents and Settings\Push it!\Cookies\push it!@hitbox[1].txt -> Spyware.Cookie.Hitbox : Renset med backup
    C:\Documents and Settings\Push it!\Cookies\push it!@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Renset med backup
    C:\Documents and Settings\Push it!\Lokale indstillinger\Temp\Rar$EX00.791\crack.exe -> TrojanDownloader.Small.bws : Renset med backup
    C:\Documents and Settings\Push it!\Lokale indstillinger\Temporary Internet Files\Content.IE5\6XIG94A8\kl[1].txt -> TrojanDropper.Agent.abo : Renset med backup
    C:\Documents and Settings\Push it!\Lokale indstillinger\Temporary Internet Files\Content.IE5\7247V501\tool3[1].txt -> TrojanDownloader.Small.bwr : Renset med backup
    C:\Documents and Settings\Push it!\Lokale indstillinger\Temporary Internet Files\Content.IE5\H2XBZEC6\latest[1].exe -> Trojan.Crypt.l : Renset med backup
    C:\Documents and Settings\Push it!\Lokale indstillinger\Temporary Internet Files\Content.IE5\LJ2KNZLQ\paytime[1].txt -> Spyware.Hijacker.Generic : Renset med backup
    C:\Documents and Settings\Push it!\Lokale indstillinger\Temporary Internet Files\Content.IE5\LRJRPH0E\PDF-XChange_SDK_End_User_Files_v1[1].01.zip/crack.exe -> TrojanDownloader.Small.bws : Renset med backup
    C:\Program Files\SpySheriff\heur002.dll -> Adware.SpySheriff : Renset med backup
    C:\Program Files\SpySheriff\IESecurity.dll -> Spyware.SpywareNo : Renset med backup
    C:\Program Files\SpySheriff\ProcMon.dll -> Adware.SpySheriff : Renset med backup
    C:\Program Files\SpySheriff\Uninstall.exe -> Adware.SpySheriff : Renset med backup
    C:\WINDOWS\kl.exe -> TrojanDropper.Agent.abo : Renset med backup
    C:\WINDOWS\system32\guard.tmp -> Spyware.Look2Me : Renset med backup
    C:\WINDOWS\system32\sysvcs.exe -> Trojan.Crypt.l : Renset med backup
    C:\WINDOWS\Temp\adobe acrobat reader 7.0_crack.exe -> Spyware.Beginto.a : Renset med backup
    C:\WINDOWS\Temp\Cookies\jarl christensen@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Renset med backup
    C:\WINDOWS\Temp\Cookies\jarl christensen@atdmt[1].txt -> Spyware.Cookie.Atdmt : Renset med backup
    C:\WINDOWS\Temp\Cookies\jarl christensen@server.iad.liveperson[2].txt -> Spyware.Cookie.Liveperson : Renset med backup
    C:\WINDOWS\Temp\Cookies\jarl christensen@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Renset med backup
    C:\WINDOWS\tool3.exe -> TrojanDownloader.Small.bwr : Renset med backup


::Rapport slut

----------------------

Logfile of HijackThis v1.99.1
Scan saved at 16:39:14, on 19-11-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmer\Java\jre1.5.0_05\bin\jusched.exe
C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programmer\NavNT\vptray.exe
C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\Programmer\Picasa2\PicasaMediaDetector.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
C:\Programmer\NavNT\defwatch.exe
C:\Programmer\Webroot\Shredder\spshredder.exe
C:\Programmer\ewido\security suite\ewidoctrl.exe
C:\Programmer\ewido\security suite\ewidoguard.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\NavNT\rtvscan.exe
C:\WINDOWS\system32\slserv.exe
C:\Programmer\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE
C:\Programmer\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Programmer\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jarl Christensen\Skrivebord\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programmer\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Programmer\NavNT\vptray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programmer\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programmer\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Programmer\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [pdfSaver3] "C:\Programmer\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
O4 - HKCU\..\Run: [Spam Shredder] C:\Programmer\Webroot\Shredder\spshredder.exe -tray
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {89A312AE-8D21-42B1-848B-FD8E27F9A2A9} (PrimeInk for Web Applications Signing Component) - https://webreg.dk/web.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\lvn2095oe.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmFybCBDaHJpc3RlbnNlbg\command.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Programmer\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmer\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Programmer\NavNT\rtvscan.exe
O23 - Service: SmartLinkService (SLService) -  - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Programmer\Webroot\Spy Sweeper\WRSSSDK.exe

Det ser jo meget bedre ud. Det sidste er forhåbentligt kun oprydning.

Gå i Start/Kør, skriv: cmd

I det sorte DOS vindue skriver du: sc delete cmdService

og taster <enter>


Kør en scanning med HijackThis, så du kan se alle filer. Luk alle vinduer, sæt flueben udfor disse filer, og klik fix checked.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\lvn2095oe.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmFybCBDaHJpc3RlbnNlbg\command.exe (file missing)



Slet mapper og filer i fejlsikret tilstand. (nogle er måske væk)

Mapper:

C:\WINDOWS\SmFybCBDaHJpc3RlbnNlbg

filer:

C:\windows\timessquare.exe
c:\secure32.html

Genstart, og så vil jeg foreslå at du kører disse to onlinescannere:

http://www.pandasoftware.com/products/activescan.htm

http://housecall.trendmicro.com/

Hent så lige dette oprydnings program. Installer programmet, kør det, og klik "Cleanup"
http://www.greyknight17.com/spy/CleanUp.exe

Kom så lige med en frisk log, og fortæl hvordan det kører.

forevernewbie:
Kan jeg ikke få dig til at kigge på en log i dette spørgsmål:
http://exp.dk/spm/665772

Ok. Kigger på den.

Hej forevernewbie,

Det var en større mundfuld. Tusinde tak for din hjælp. Den sætter jeg virkelig pris på. Hvis jeg er 'clean', så må du have en god weekend ;-)

--------

Logfile of HijackThis v1.99.1
Scan saved at 21:22:24, on 19-11-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Programmer\NavNT\defwatch.exe
C:\Programmer\ewido\security suite\ewidoctrl.exe
C:\Programmer\ewido\security suite\ewidoguard.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\NavNT\rtvscan.exe
C:\WINDOWS\system32\slserv.exe
C:\Programmer\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmer\Java\jre1.5.0_05\bin\jusched.exe
C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programmer\NavNT\vptray.exe
C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\Programmer\Picasa2\PicasaMediaDetector.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
C:\Programmer\Webroot\Shredder\spshredder.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmer\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\Jarl Christensen\Skrivebord\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programmer\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Programmer\NavNT\vptray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programmer\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programmer\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Programmer\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [pdfSaver3] "C:\Programmer\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
O4 - HKCU\..\Run: [Spam Shredder] C:\Programmer\Webroot\Shredder\spshredder.exe -tray
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {89A312AE-8D21-42B1-848B-FD8E27F9A2A9} (PrimeInk for Web Applications Signing Component) - https://webreg.dk/web.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Programmer\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmer\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Programmer\NavNT\rtvscan.exe
O23 - Service: SmartLinkService (SLService) -  - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Programmer\Webroot\Spy Sweeper\WRSSSDK.exe

Der er desværre lidt tilbage endnu, men det kan være beskyttelsen i dine spywarescannere som "holder" på det, så dem må du lige lukke ned imens vi snupper det sidste.

Lad os så lige lave et (forhåbentlig) sidste tjek.


Hent L2mfix.exe fra et af disse steder:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Gem filen på dit Skrivebord og dobbeltklik på l2mfix.exe. Klik på Install knappen og følg instruktionerne. Åben herefter den nye mappe der er dannet på dit Skrivebord (l2mfix). Dobbeltklik på l2mfix.bat og vælg option 1 (Run Find log) ved at taste "1" og "Enter". Din computer bliver nu scannet - efter et par minutter åbnes en tekstfil i Notesblok. Kopier indholdet herind.

NB: Du må ikke køre option 2 eller andre af filerne i l2mfix mappen, før du er blevet bedt om det.


Hent og dobbeltklik på smitRem.exe

http://noahdfear.geekstogo.com/click%20counter/click.php?id=1

Programmet pakker sig ud til mappen smitRem.

Genstart i fejlsikret.

Åbn mappen smitRem, og dobbeltklik på RunThis.bat (Følg vejledningen i vinduet.)


Klik på Start->Kontrolpanel->Skærm->Skrivebord->Tilpas Skrivebordet->Web fjern flueben i Security Info og View my Active desktop as a web page (Fortæl lige hvis de hedder noget andet).



Kør HijackThis, og fix disse linier:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html


Genstart og kom med en frisk Hijackthislog. Find smitfiles.txt via Start/Søg. Kopier også denne log ind.

Hermed.Jeg foretager de næste skridt nu.

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\system32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"
"StartShell"="NavStartShellEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access     NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access     NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read            BUILTIN\Brugere
(ID-IO) ALLOW  Read            BUILTIN\Brugere
(ID-NI) ALLOW  Full access     BUILTIN\Administratorer
(ID-IO) ALLOW  Full access     BUILTIN\Administratorer
(ID-NI) ALLOW  Full access     NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access     NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access     CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{1C0FCC46-5156-FD9F-8932-20DE78531471}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Egenskabsark for multimediefiler"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM-scannerstyring"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Sikkerhedsside"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Egenskabsside for OLE-dokumentfil"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Gr‘nsefladeudvidelse til deling"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Kontrolpanel-udvidelse til sk‘rmkort"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Kontrolpanel-udvidelse til sk‘rm"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Kontrolpanel-udvidelse til sk‘rmpanorering"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security-side"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Kompatibilitetsside"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Udvidelsen Diskcopy"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Gr‘nsefladeudvidelser til Microsoft Windows-netv‘rksobjekter"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM-sk‘rmstyring"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM-printerstyring"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Gr‘nsefladeudvidelser til filkomprimering"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Gr‘nsefladeudvidelse til webudskrift"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Kontekstmenu til kryptering"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Rejsetaske"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal-ikon"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC-profil"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Sikkerhedsside"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Gr‘nsefladeudvidelse til deling"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO-filtype"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto signeringsfiltype"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Netv‘rksforbindelser"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Netv‘rksforbindelser"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scannere og kameraer"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scannere og kameraer"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scannere og kameraer"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scannere og kameraer"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scannere og kameraer"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell-udvidelser til Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft-dataforbindelse"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Planlagte opgaver"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Proceslinje og menuen Start"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="S›g"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Hj‘lp og support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Hj‘lp og support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="K›r..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internettet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administration"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="V‘rkt›jslinje til Microsoft Internet"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Webs›gning"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adresse"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Redigeringsboks til adresse"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft URL-oversigtstjeneste"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Oversigt"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="Velkomstbillede til Internet Explorer 4-suiten"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internettet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX-cachemappe"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Programstyring"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Opt‘lling af installerede programmer"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="Udpakning af miniaturer til GDI+-filer"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Dokumentinfo om miniaturehandler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="Udpakning af HTML-miniaturer"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Guiden Webudgivelse"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Bestil billedudskrift over World Wide Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Objekt til guiden Webudgivelse"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Guiden F† et Passport"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Brugerkonti"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Mappen Offlinefiler"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="Efter &personer..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{2F603045-309F-11CF-9774-0020AFD0CFF6}"="Synaptics Control Panel"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"="{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
"{D66DC78C-4F61-447F-942B-3FB6980118CF}"="{D66DC78C-4F61-447F-942B-3FB6980118CF}"
"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}"="SnagIt"
"{CF74B903-3389-469c-B3B6-0204D204FCBD}"="SnagIt Shell Extension"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Kanalfil"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Genvej til kanal"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{A26694EF-8A7C-4705-9D73-E61E2BAA4026}"=""
"{F9F10821-BEA0-453F-9B19-E8D970DF5D8B}"=""
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
"{AC260338-4574-4158-ABFB-F4D2C11F7DB1}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A26694EF-8A7C-4705-9D73-E61E2BAA4026}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{A26694EF-8A7C-4705-9D73-E61E2BAA4026}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A26694EF-8A7C-4705-9D73-E61E2BAA4026}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A26694EF-8A7C-4705-9D73-E61E2BAA4026}\InprocServer32]
@="C:\\WINDOWS\\system32\\ijagehlp.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
  browseui.dll  Sat  3 Sep 2005  1.05.16  A....      1.019.904  996,00 K
  cdfview.dll    Sat  3 Sep 2005  1.05.16  A....        151.552  148,00 K
  cdosys.dll    Sat 10 Sep 2005  2.55.14  A....      2.067.968    1,97 M
  danim.dll      Sat  3 Sep 2005  1.05.16  A....      1.055.744    1,00 M
  dxtrans.dll    Sat  3 Sep 2005  1.05.16  A....        205.312  200,50 K
  extmgr.dll    Sat  3 Sep 2005  1.05.16  .....        55.808    54,50 K
  gdi32.dll      Thu  6 Oct 2005  4.18.32  A....        280.064  273,50 K
  gwfspi~1.dll  Mon 29 Aug 2005  12.27.06  A....        23.304    22,76 K
  iepeers.dll    Sat  3 Sep 2005  1.05.16  A....        251.392  245,50 K
  inseng.dll    Sat  3 Sep 2005  1.05.16  A....        96.768    94,50 K
  legitc~1.dll  Mon 29 Aug 2005  12.27.12  A....        520.968  508,76 K
  linkinfo.dll  Thu  1 Sep 2005  2.43.26  A....        19.968    19,50 K
  msctl32.dll    Sat 19 Nov 2005  8.33.02  A....        37.888    37,00 K
  mshtml.dll    Tue  4 Oct 2005  16.27.36  A....      3.013.120    2,87 M
  mshtmled.dll  Sat  3 Sep 2005  1.05.18  A....        448.512  438,00 K
  msrating.dll  Sat  3 Sep 2005  1.05.18  A....        146.432  143,00 K
  mstime.dll    Sat  3 Sep 2005  1.05.18  A....        530.432  518,00 K
  netman.dll    Mon 22 Aug 2005  19.35.38  A....        197.632  193,00 K
  pngfilt.dll    Sat  3 Sep 2005  1.05.18  A....        39.424    38,50 K
  quartz.dll    Tue 30 Aug 2005  4.55.56  A....      1.291.264    1,23 M
  shdocvw.dll    Sat  3 Sep 2005  1.05.18  A....      1.483.776    1,41 M
  shell32.dll    Fri 23 Sep 2005  4.07.22  A....      8.462.336    8,07 M
  shlwapi.dll    Sat  3 Sep 2005  1.05.18  A....        473.600  462,50 K
  umpnpmgr.dll  Tue 23 Aug 2005  4.39.58  A....        124.416  121,50 K
  urlmon.dll    Sat  3 Sep 2005  1.05.18  A....        605.696  591,50 K
  wininet.dll    Sat  3 Sep 2005  1.05.18  A....        659.968  644,50 K
  winsrv.dll    Thu  1 Sep 2005  2.43.26  A....        291.840  285,00 K
  wrlogo~1.dll  Wed 16 Nov 2005  14.38.16  A....        492.544  481,00 K
  wrlzma.dll    Wed 16 Nov 2005  14.38.12  A....        17.920    17,50 K
  zlbw.dll      Sat 19 Nov 2005  8.33.48  A....        46.592    45,50 K

30 items found:  30 files, 0 directories.
  Total of file sizes:  24.112.144 bytes    22,99 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Disken i drev C er SYSTEM
Diskens serienummer er 0849-1329

Indhold af C:\WINDOWS\System32

20-11-2005  08:32    <DIR>          dllcache
24-10-2002  14:34    <DIR>          Microsoft
              0 fil(er)                0 byte
              2 mappe(r)  46.992.568.320 byte ledig

Jeg kan ikke tage livet af de to R1'ere?

------

Logfile of HijackThis v1.99.1
Scan saved at 09:30:32, on 20-11-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Programmer\NavNT\defwatch.exe
C:\Programmer\ewido\security suite\ewidoctrl.exe
C:\Programmer\ewido\security suite\ewidoguard.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\NavNT\rtvscan.exe
C:\WINDOWS\system32\slserv.exe
C:\Programmer\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmer\Java\jre1.5.0_05\bin\jusched.exe
C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programmer\NavNT\vptray.exe
C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\Programmer\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Microsoft AntiSpyware\gcasDtServ.exe
C:\Programmer\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
C:\Programmer\Webroot\Shredder\spshredder.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE
C:\Programmer\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Jarl Christensen\Skrivebord\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programmer\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Programmer\NavNT\vptray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programmer\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programmer\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Programmer\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [pdfSaver3] "C:\Programmer\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
O4 - HKCU\..\Run: [Spam Shredder] C:\Programmer\Webroot\Shredder\spshredder.exe -tray
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {89A312AE-8D21-42B1-848B-FD8E27F9A2A9} (PrimeInk for Web Applications Signing Component) - https://webreg.dk/web.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Programmer\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmer\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Programmer\NavNT\rtvscan.exe
O23 - Service: SmartLinkService (SLService) -  - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Programmer\Webroot\Spy Sweeper\WRSSSDK.exe

Jeg lovede heller ikke at det ville blive nemt ;)

Nå, men der kom lidt mere skidt frem i lyset. Du skal en tur i registreringsdatabasen. Du kan se her, hvordan du "manøvrerer" der http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=3441 Husk at lave backup.

Klik dig frem til denne nøgle og slet den. Dobbelttjek at det er den rigtige. Hvis den ikke vil slettes, så højreklik på den, og tag fuld kontrol.

HKEY_CLASSES_ROOT\CLSID\{A26694EF-8A7C-4705-9D73-E61E2BAA4026}


For at kunne se alle filer og mapper, gør du dette http://www.spywareinfo.dk/#/tip-og-tricks/mappeindstillinger.htm


Slet disse filer i fejlsikret:

msctl32.dll
wrlogo~1.dll (forkortet navn. Tjek med datoen: Wed 16 Nov 2005  14.38.16 )
wrlzma.dll
zlbw.dll
c:\secure32.html

Fix igen:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

Genstart til normaltilstand, og kom med en ny HijackThis log. Jeg afventer også loggen fra SmitRem.

Vær helt sikker på at dine spywarescannere ikke starter op med Windows, og evt. "beskytter" start og søge side.

Hej igen,

Har været hængt op på jobbet. Her er loggen fra SmitRem:
Arbjeder på de andre trin...

smitRem © log file
    version 2.7

    by noahdfear


Microsoft Windows XP [version 5.1.2600]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

zlbw.dll


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

winstall.exe

~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



  Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)

Okay. Jeg afventer bare din næste HijackThis log.

Har slettet: HKEY_CLASSES_ROOT\CLSID\{A26694EF-8A7C-4705-9D73-E61E2BAA4026}.

Min maskine 'går ned' / fryser i fejlsikret tilstand. Der kommer det der Microsoft fejlvindue, hvor den spørger om jeg vil sende en fejlrapport?
Det sker hver gang jeg ønsker at gå ind i stifinderen for, at finde og slette de filer du nævner.

Er det for risikabelt at slette filerne, uden at være i fejlsikret tilstand?

Drop stifinder, og slet bare filerne i normaltilstand, hvis du kan. De ligger allesammen i system32.

Jeg kan ikke slette WRLogonNtf.dll...

... og en Logfile:

-----

Logfile of HijackThis v1.99.1
Scan saved at 21:36:10, on 21-11-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Programmer\NavNT\defwatch.exe
C:\Programmer\ewido\security suite\ewidoctrl.exe
C:\Programmer\ewido\security suite\ewidoguard.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\NavNT\rtvscan.exe
C:\WINDOWS\system32\slserv.exe
C:\Programmer\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmer\Java\jre1.5.0_05\bin\jusched.exe
C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programmer\NavNT\vptray.exe
C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\Programmer\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Microsoft AntiSpyware\gcasDtServ.exe
C:\Programmer\Webroot\Spy Sweeper\SpySweeper.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
C:\Programmer\Webroot\Shredder\spshredder.exe
C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE
C:\Programmer\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Jarl Christensen\Skrivebord\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programmer\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Programmer\NavNT\vptray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programmer\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programmer\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Programmer\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [pdfSaver3] "C:\Programmer\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
O4 - HKCU\..\Run: [Spam Shredder] C:\Programmer\Webroot\Shredder\spshredder.exe -tray
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {89A312AE-8D21-42B1-848B-FD8E27F9A2A9} (PrimeInk for Web Applications Signing Component) - https://webreg.dk/web.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Programmer\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmer\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Programmer\NavNT\rtvscan.exe
O23 - Service: SmartLinkService (SLService) -  - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Programmer\Webroot\Spy Sweeper\WRSSSDK.exe

Den skal slet ikke slettes, finder jeg lige ud af. Heller ikke wrlzma.dll
. De er begge en del af Spysweeper. Det er en fejl fra min side. Beklager. De var begge vist som mistænkelige, og af nyere dato. Derfor fejlen. zlbw.dll
blev slettet af SmitRem fixet, så det er kun c:\secure32.html du mangler at slette.

Okay. Jeg fik vist taget livet af wrlzma.dll. Skal jeg gøre noget der?

Det er lidt mærkeligt. Jeg kan ikke findec c:\secure32.html?

Hmm, den infektion gemmer sig godt. Prøv lige at hente silentruners her http://www.silentrunners.org/Silent%20Runners.vbs Dobbeltklik scriptet, og vent til den siger loggen er færdig, og læg loggen her ind.

Okay. Kan simpelthen ikke nå at se hvor filen gemmes???

Øhh, forstået hvordan ? Scriptet eller loggen ? Loggen skulle lægge sig ved siden af scriptet, og hedder "startup programs". Scriptet hedder "silent runners". Kan du bruge stifinder i normaltilstand ?

Det er log filen, jeg ikke kan lokalisere. Der laves en logfil automatisk, og den lægges et eller andet sted på c: drevet?

Ja jeg kunne bruge stifinderen i normaltilstand, så filerne er slettet.

Prøv at søge på den med stifinder. Den hedder startup programs.

Hej igen,

Her er den ;-)

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Programmer\Messenger\msmsgs.exe" /background" [MS]
"pdfSaver3" = ""C:\Programmer\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"" ["Tracker Software Products Ltd."]
"Spam Shredder" = "C:\Programmer\Webroot\Shredder\spshredder.exe -tray" ["Webroot Software Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"SunJavaUpdateSched" = "C:\Programmer\Java\jre1.5.0_05\bin\jusched.exe" ["Sun Microsystems, Inc."]
"Microsoft Works Update Detection" = "C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe" ["Microsoft® Corporation"]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"vptray" = "C:\Programmer\NavNT\vptray.exe" ["Symantec Corporation"]
"SynTPLpr" = "C:\Programmer\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Programmer\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"pdfSaver3" = (empty string)
"Picasa Media Detector" = "C:\Programmer\Picasa2\PicasaMediaDetector.exe" [null data]
"gcasServ" = ""C:\Programmer\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"QuickTime Task" = ""C:\Programmer\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"SpySweeper" = ""C:\Programmer\Webroot\Spy Sweeper\SpySweeper.exe" /startintray" ["Webroot Software, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Kontrolpanel-udvidelse til skærmpanorering"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal-ikon"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Fælles filer\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\WinRAR\rarext.dll" [null data]
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}" = "{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Microsoft Office\Visio11\VISSHE.DLL" [null data]
"{D66DC78C-4F61-447F-942B-3FB6980118CF}" = "{D66DC78C-4F61-447F-942B-3FB6980118CF}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Microsoft Office\Visio11\VISSHE.DLL" [null data]
"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" = "SnagIt"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\TechSmith\SnagIt 7\SnagItIEAddin.dll" ["TechSmith Corporation"]
"{CF74B903-3389-469c-B3B6-0204D204FCBD}" = "SnagIt Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\TechSmith\SnagIt 7\SnagItShellExt.dll" ["TechSmith Corporation"]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Microsoft AntiSpyware\shellextension.dll" [MS]
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "SsiEfr.e" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" [null data]
INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Fælles filer\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\ewido\security suite\context.dll" ["ewido networks"]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Fælles filer\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\TechSmith\SnagIt 7\SnagItShellExt.dll" ["TechSmith Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\ewido\security suite\context.dll" ["ewido networks"]
SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\TechSmith\SnagIt 7\SnagItShellExt.dll" ["TechSmith Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Fælles filer\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Startup items in "Jarl Christensen" & "All Users" startup folders:
------------------------------------------------------------------

C:\Documents and Settings\All Users\Menuen Start\Programmer\Start
"Adobe Reader Hurtigstart" -> shortcut to: "C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" = "SnagIt" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\TechSmith\SnagIt 7\SnagItIEAddin.dll" ["TechSmith Corporation"]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "c:\programmer\google\googletoolbar1.dll" ["Google Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Java\jre1.5.0_05\bin\npjpi150_05.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programmer\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
BrSplService, Brother XP spl Service, "C:\WINDOWS\System32\brsvc01a.exe" ["brother Industries Ltd"]
DefWatch, DefWatch, "C:\Programmer\NavNT\defwatch.exe" ["Symantec Corporation"]
ewido security suite control, ewido security suite control, "C:\Programmer\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Programmer\ewido\security suite\ewidoguard.exe" ["ewido networks"]
Machine Debug Manager, MDM, ""C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Norton AntiVirus Client, Norton AntiVirus Server, "C:\Programmer\NavNT\rtvscan.exe" ["Symantec Corporation"]
SmartLinkService, SLService, "slserv.exe" [" "]
Webroot Spy Sweeper Engine, svcWRSSSDK, "C:\Programmer\Webroot\Spy Sweeper\WRSSSDK.exe" ["Webroot Software, Inc."]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
PDF-XChange\Driver = "C:\WINDOWS\system32\pxc25pm.dll" ["Tracker Software"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
  use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 49 seconds, including 18 seconds for message boxes)

Der var ikke noget at komme efter, desværre. Vi må søge videre. Det bliver lidt "bøvlet", men det er nødvendigt.

Hent datfind.bat ned til skrivebordet http://virus-protect.net/datfindbat.html

Åbn et stykke tomt notesblok.

Dobbeltklik datfind.bat, som åbner en log. Kopier det øverste af loggen, samt alle filer fra NOVEMBER måned (og kun dem) over i det notesblok du selv åbnede.

Luk datfind.bat´s log, og tast <enter> En ny log åbner fra datfind.bat. Gentag ovenstående procedure.

Luk datfind.bat´s log, og tast <enter> En ny log åbner fra datfind.bat. Gentag ovenstående procedure.

Luk datfind.bat´s log, og tast <enter> En ny log åbner fra datfind.bat. Gentag ovenstående procedure.


De oplysninger du nu har samlet sammen i din notesblok, kopierer du her ind.


Så kører du en scanning med denne onlinescanner, Panda http://www.pandasoftware.com/products/activescan.htm

Den kan lave en log, hvis den finder noget. Kopier også denne log ind.

Hej forevernewbie,

Beklager det sene svar. Har været ude at rejse med arbejdet. Jeg blev nødt til at formatere maskinen i weekenden. Den fryste totalt.

Du har været en stor hjælp, og jeg har installeret de programmer du nævnte på den nu rene maskine.

Det var dog ærgeligt du måtte formatere, men skidtet er ofte destruktivt, så det bliver desværre løsningen i flere tilfælde. Men ok, så har du ihvertfald en ren maskine.

Du får lige en god beskyttelsespakke http://www.spywarefri.dk/manualer/sikkerhedspakke.htm

Kan du ikke lige 'svare', så du kan få dine fortjente points?
Tak for beskyttelsepakken...

God jul!

Vi tabte jo desværre denne kamp mod skidtet, så jeg syntes at du skal spare dine point.

Tak for den flotte karma. Den værdsætter jeg mere end point :)

Også god jul til dig.