jgni (Novice)
24 May 2006 - 21:57. There are 8 comments and 1 solution.

Does this HijackThis log look suspicious?

Logfile of HijackThis v1.99.1
Scan saved at 21:55:25, on 24-05-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINXP\System32\smss.exe
D:\WINXP\system32\winlogon.exe
D:\WINXP\system32\services.exe
D:\WINXP\system32\lsass.exe
D:\WINXP\system32\Ati2evxx.exe
D:\WINXP\system32\svchost.exe
D:\WINXP\System32\svchost.exe
D:\WINXP\system32\LEXBCES.EXE
D:\WINXP\system32\spoolsv.exe
D:\WINXP\system32\LEXPPS.EXE
D:\WINXP\system32\rundll32.exe
D:\WINXP\Explorer.EXE
D:\Programmer\Network Associates\VirusScan\avsynmgr.exe
C:\Programmer\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
D:\WINXP\system32\svchost.exe
D:\Programmer\Network Associates\VirusScan\VsStat.exe
D:\Programmer\Network Associates\VirusScan\Vshwin32.exe
D:\Programmer\Fælles filer\Network Associates\McShield\mcshield.exe
D:\Programmer\Network Associates\VirusScan\Avconsol.exe
D:\Programmer\Network Associates\VirusScan\Webscanx.exe
D:\WINXP\System32\svchost.exe
D:\Programmer\Internet Explorer\iexplore.exe
D:\Documents and Settings\Heinrich\Skrivebord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ungmor.dk/
O20 - Winlogon Notify: Control Panel - D:\WINXP\system32\g4400ehmeh4a0.dll
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINXP\system32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - D:\Programmer\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINXP\T2xzZW4\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINXP\system32\LEXBCES.EXE
O23 - Service: McShield - Unknown owner - D:\Programmer\Fælles filer\Network Associates\McShield\mcshield.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Programmer\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
fromsej (Trainee)
24 May 2006 - 22:58 #1
Yes, very much so.
Have you already fixed anything with HijackThis yourself?
jgni (Novice)
25 May 2006 - 15:18 #2
Yes. But what needs to be done now?
fromsej (Trainee)
26 May 2006 - 10:10 #3
Run HijackThis again; this time click Config->Backups, then select the lines one at a time and click Restore, doing this for every line.
Then post a fresh HijackThis log.
jgni (Novice)
30 May 2006 - 17:07 #4
Here is the new one:

Logfile of HijackThis v1.99.1
Scan saved at 16:59:16, on 30-05-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINXP\System32\smss.exe
D:\WINXP\system32\winlogon.exe
D:\WINXP\system32\services.exe
D:\WINXP\system32\lsass.exe
D:\WINXP\system32\Ati2evxx.exe
D:\WINXP\system32\svchost.exe
D:\WINXP\System32\svchost.exe
D:\WINXP\system32\LEXBCES.EXE
D:\WINXP\system32\spoolsv.exe
D:\WINXP\system32\LEXPPS.EXE
D:\WINXP\Explorer.EXE
C:\Programmer\QuickTime\qttask.exe
D:\Programmer\Network Associates\VirusScan\avsynmgr.exe
D:\WINXP\system32\svchost.exe
D:\Programmer\Network Associates\VirusScan\VsStat.exe
D:\Programmer\Network Associates\VirusScan\Vshwin32.exe
D:\Programmer\Fælles filer\Network Associates\McShield\mcshield.exe
D:\Programmer\Network Associates\VirusScan\Webscanx.exe
D:\Programmer\Network Associates\VirusScan\Avconsol.exe
D:\WINXP\System32\svchost.exe
D:\WINXP\system32\rundll32.exe
D:\Documents and Settings\Heinrich\Skrivebord\McAfee Antivirus og VPN\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ungmor.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {C67010EC-A829-D88E-0871-FE3AF42525B5} - D:\WINXP\system32\vcgnknf.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [newname] C:\\newname22.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard22.exe
O4 - HKLM\..\Run: [AceGain LiveUpdate] E:\Programmer\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "D:\Programmer\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [WheelMouse] c:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [iKeyWorks] c:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Programmer\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINXP\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NeroCheck] D:\WINXP\System32\NeroCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmer\iTouch\iTouch.exe
O4 - HKCU\..\Run: [Eov] D:\Documents and Settings\Heinrich\Dokumenter\W?nSxS\r?ndll.exe
O4 - HKCU\..\Run: [Dolo] "D:\WINXP\system32\DOBE~1\rundll32.exe" -vt yazr
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Programmer\Microsoft Office\Office\OSA9.EXE
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: App Management - D:\WINXP\system32\r08s0al7edq.dll
O20 - Winlogon Notify: Hints - D:\WINXP\system32\l24qlch51f4.dll (file missing)
O20 - Winlogon Notify: Installer - D:\WINXP\system32\jtrm0791e.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINXP\system32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - D:\Programmer\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINXP\T2xzZW4\command.exe (file missing)
O23 - Service: Crypkey License - Kenonic Controls Ltd. - D:\WINXP\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINXP\system32\LEXBCES.EXE
O23 - Service: McShield - Unknown owner - D:\Programmer\Fælles filer\Network Associates\McShield\mcshield.exe
O23 - Service: Network Monitor - Unknown owner - D:\Programmer\Network Monitor\netmon.exe (file missing)
fromsej (Trainee)
30 May 2006 - 17:23 #5
-- Get Ewido from here (14-day trial of the Plus version):
http://www.spywarefri.dk/downloads1/ewido-setup.exe
Install and update the program. Do not scan yet.

-- Get Brute Force Uninstaller and unpack it into its own folder (c:\BFU):
http://www.merijn.org/files/bfu.zip

-- Right-click the following link and choose "Save as" to download Alcan Remover. Save it in the same folder you saved Brute Force Uninstaller in (c:\BFU):
http://metallica.geekstogo.com/alcanshorty.bfu

Get Look2Me-Destroyer from here:
http://www.atribune.org/ccount/click.php?id=7
...and save the tool on your Desktop.

Close all open program windows, including Internet Explorer.

Double-click Look2Me-Destroyer and tick "Run this program as a task". You will get a message that Look2Me-Destroyer will close and reopen after 10 seconds; click OK.

When Look2Me-Destroyer reopens, click "Scan for L2M"; your icons will disappear; click "Remove L2M". Click OK when you get the message "Done scanning".

You will now get the message "Done removing infected files!". The program will shut down your computer; click OK.

If your firewall tries to block Look2Me-Destroyer's access to the internet, allow the program access.

If you get a runtime error 339, download MSWINSCK.OCX from here:
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
...and place it in the folder C:\Windows\System32.

-- Restart in Safe Mode; if you do not know how, look here:
http://www.ctrlaltdel.dk/forum/forum_posts.asp?TID=23&PN=1

-- Click "My Computer" and navigate to the c:\BFU folder. Double-click BFU.exe; this opens "The Brute Force Uninstaller". To the right of the top input field, click the yellow folder icon ("Open script file") and navigate to the alcanshorty.bfu you downloaded earlier:
c:\bfu\alcanshorty.bfu

Then click "execute" and let the program do its work. When the script has finished, click OK and then EXIT.

-- Run a full scan with Ewido and allow the program to fix what it finds. The program produces a small log, which you should paste here.

Restart normally, find the file C:\Look2Me-Destroyer.txt and paste its contents here, together with a fresh HijackThis log and the log from Ewido.
jgni (Novice)
30 May 2006 - 21:23 #6
Here is the Look2Me log:

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 30-05-2006 18:29:07

Infected! D:\WINXP\system32\r08s0al7edq.dll
Infected! D:\WINXP\system32\l24qlch51f4.dll
Infected! D:\WINXP\system32\jtrm0791e.dll
Infected! D:\WINXP\system32\kgrberos.dll
Infected! D:\WINXP\system32\fpj0031me.dll
Infected! D:\WINXP\system32\i2nmlc511f.dll
Infected! D:\WINXP\system32\r08s0al7edq.dll
Infected! D:\WINXP\system32\g4400ehmeh4a0.dll
Infected! D:\WINXP\system32\j24olch31f4.dll
Infected! D:\WINXP\system32\g8lm0i31e8.dll
Infected! D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP345\A0052659.dll
Infected! D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP346\A0052682.dll
Infected! D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP347\A0052695.dll
Infected! D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP348\A0052705.dll
Infected! D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP337\A0051730.dll
Infected! D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP337\A0051764.dll
Infected! D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP337\A0052029.dll
Infected! D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP338\A0052071.dll
Infected! D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP338\A0052088.dll
Infected! D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP338\A0052095.dll
Infected! D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP338\A0052099.dll
Infected! D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP338\A0052104.dll
Infected! D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP339\A0052115.dll
Infected! D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP339\A0052120.dll
Infected! D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP339\A0052122.dll
Infected! D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP344\A0052601.dll
Infected! D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP344\A0052609.dll
Infected! D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP344\A0052619.dll

Attempting to delete infected files...

Attempting to delete: D:\WINXP\system32\r08s0al7edq.dll
D:\WINXP\system32\r08s0al7edq.dll Deleted successfully!

Attempting to delete: D:\WINXP\system32\kgrberos.dll
D:\WINXP\system32\kgrberos.dll Deleted successfully!

Attempting to delete: D:\WINXP\system32\fpj0031me.dll
D:\WINXP\system32\fpj0031me.dll Deleted successfully!

Attempting to delete: D:\WINXP\system32\i2nmlc511f.dll
D:\WINXP\system32\i2nmlc511f.dll Deleted successfully!

Attempting to delete: D:\WINXP\system32\r08s0al7edq.dll
D:\WINXP\system32\r08s0al7edq.dll Deleted successfully!

Attempting to delete: D:\WINXP\system32\g4400ehmeh4a0.dll
D:\WINXP\system32\g4400ehmeh4a0.dll Deleted successfully!

Attempting to delete: D:\WINXP\system32\j24olch31f4.dll
D:\WINXP\system32\j24olch31f4.dll Deleted successfully!

Attempting to delete: D:\WINXP\system32\g8lm0i31e8.dll
D:\WINXP\system32\g8lm0i31e8.dll Deleted successfully!

Attempting to delete: D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP345\A0052659.dll
D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP345\A0052659.dll Deleted successfully!

Attempting to delete: D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP346\A0052682.dll
D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP346\A0052682.dll Deleted successfully!

Attempting to delete: D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP347\A0052695.dll
D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP347\A0052695.dll Deleted successfully!

Attempting to delete: D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP348\A0052705.dll
D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP348\A0052705.dll Deleted successfully!

Attempting to delete: D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP337\A0051730.dll
D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP337\A0051730.dll Deleted successfully!

Attempting to delete: D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP337\A0051764.dll
D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP337\A0051764.dll Deleted successfully!

Attempting to delete: D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP337\A0052029.dll
D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP337\A0052029.dll Deleted successfully!

Attempting to delete: D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP338\A0052071.dll
D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP338\A0052071.dll Deleted successfully!

Attempting to delete: D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP338\A0052088.dll
D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP338\A0052088.dll Deleted successfully!

Attempting to delete: D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP338\A0052095.dll
D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP338\A0052095.dll Deleted successfully!

Attempting to delete: D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP338\A0052099.dll
D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP338\A0052099.dll Deleted successfully!

Attempting to delete: D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP338\A0052104.dll
D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP338\A0052104.dll Deleted successfully!

Attempting to delete: D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP339\A0052115.dll
D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP339\A0052115.dll Deleted successfully!

Attempting to delete: D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP339\A0052120.dll
D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP339\A0052120.dll Deleted successfully!

Attempting to delete: D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP339\A0052122.dll
D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP339\A0052122.dll Deleted successfully!

Attempting to delete: D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP344\A0052601.dll
D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP344\A0052601.dll Deleted successfully!

Attempting to delete: D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP344\A0052609.dll
D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP344\A0052609.dll Deleted successfully!

Attempting to delete: D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP344\A0052619.dll
D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP344\A0052619.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Hints
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{59AF7A13-D222-4037-9D89-9F40290248FE}"
HKCR\Clsid\{59AF7A13-D222-4037-9D89-9F40290248FE}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{10FB653E-07B4-47C4-B450-E4C14B5EE004}"
HKCR\Clsid\{10FB653E-07B4-47C4-B450-E4C14B5EE004}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{BBE6F8BB-061C-426F-80E0-AE218A1CEADA}"
HKCR\Clsid\{BBE6F8BB-061C-426F-80E0-AE218A1CEADA}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administratorer - Succeeded



Ewido:

---------------------------------------------------------
ewido anti-malware - Scanningsrapport
---------------------------------------------------------

+ Oprettet den:            21:09:24, 30-05-2006
+ Rapport-Checksum:        4D2B33F6

+ Scanningsresultat:
    C:\WINDOWS\drsmartload46a.exe -> Downloader.Adload.bq : Renset med backup
    C:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP339\A0052111.exe -> Downloader.VB.ada : Renset med backup
    C:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP339\A0052112.exe -> Hijacker.VB.no : Renset med backup
    C:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP339\A0052113.exe -> Backdoor.VB.ary : Renset med backup
    C:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP347\A0052692.exe -> Hijacker.VB.ly : Renset med backup
    C:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP347\A0052693.exe -> Hijacker.VB.ly : Renset med backup
    C:\drsmartload45a.exe -> Downloader.Adload.bo : Renset med backup
    D:\WINXP\system32\vcgnknf.dll -> Adware.PurityScan : Renset med backup
    D:\Documents and Settings\Heinrich\Lokale indstillinger\Temp\Cookies\heinrich@burstnet[2].txt -> TrackingCookie.Burstnet : Renset med backup
    D:\Documents and Settings\Heinrich\Lokale indstillinger\Temp\Cookies\heinrich@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Renset med backup
    D:\Documents and Settings\Heinrich\Lokale indstillinger\Temp\Cookies\heinrich@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Renset med backup
    D:\Documents and Settings\Heinrich\Lokale indstillinger\Temp\Cookies\heinrich@doubleclick[1].txt -> TrackingCookie.Doubleclick : Renset med backup
    D:\Documents and Settings\Heinrich\Lokale indstillinger\Temp\Cookies\heinrich@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Renset med backup
    D:\Documents and Settings\Heinrich\Lokale indstillinger\Temp\Cookies\heinrich@adtech[2].txt -> TrackingCookie.Adtech : Renset med backup
    D:\Documents and Settings\Heinrich\Lokale indstillinger\Temp\Cookies\heinrich@overture[2].txt -> TrackingCookie.Overture : Renset med backup
    D:\Documents and Settings\Heinrich\Lokale indstillinger\Temp\Cookies\heinrich@mediaplex[1].txt -> TrackingCookie.Mediaplex : Renset med backup
    D:\Documents and Settings\Heinrich\Lokale indstillinger\Temp\Cookies\heinrich@advertising[1].txt -> TrackingCookie.Advertising : Renset med backup
    D:\Documents and Settings\Heinrich\Lokale indstillinger\Temp\Cookies\heinrich@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Renset med backup
    D:\Documents and Settings\Heinrich\Lokale indstillinger\Temp\Cookies\heinrich@atdmt[2].txt -> TrackingCookie.Atdmt : Renset med backup
    D:\Documents and Settings\Heinrich\Lokale indstillinger\Temp\Cookies\heinrich@questionmarket[1].txt -> TrackingCookie.Questionmarket : Renset med backup
    D:\Documents and Settings\Heinrich\Lokale indstillinger\Temp\Cookies\heinrich@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Renset med backup
    D:\Documents and Settings\Heinrich\Lokale indstillinger\Temp\Cookies\heinrich@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Renset med backup
    D:\Documents and Settings\Heinrich\Lokale indstillinger\Temp\Cookies\heinrich@casalemedia[1].txt -> TrackingCookie.Casalemedia : Renset med backup
    D:\Documents and Settings\Heinrich\Lokale indstillinger\Temp\Cookies\heinrich@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Renset med backup
    D:\Documents and Settings\Heinrich\Lokale indstillinger\Temp\Cookies\heinrich@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Renset med backup
    D:\Documents and Settings\Heinrich\Lokale indstillinger\Temp\temp.fr5C0E -> Adware.Look2Me : Renset med backup
    D:\Documents and Settings\Heinrich\Lokale indstillinger\Temp\temp.fr32E7 -> Adware.Look2Me : Renset med backup
    D:\Documents and Settings\Heinrich\Lokale indstillinger\Temp\temp.frE4F5 -> Adware.WebHancer : Renset med backup
    D:\Documents and Settings\Heinrich\Lokale indstillinger\Temp\temp.fr9095 -> Adware.CommAd : Renset med backup
    D:\Documents and Settings\Heinrich\Lokale indstillinger\Temp\temp.frAB2F -> Adware.CommAd : Renset med backup
    D:\Documents and Settings\Heinrich\Lokale indstillinger\Temp\temp.fr9E7C -> Adware.WebHancer : Renset med backup
    D:\Documents and Settings\Heinrich\Lokale indstillinger\Temp\temp.fr2E2B -> Adware.Look2Me : Renset med backup
    D:\Documents and Settings\Heinrich\Lokale indstillinger\Temp\temp.fr6991 -> Adware.WebHancer : Renset med backup
    D:\Documents and Settings\Heinrich\Dokumenter\WіnSxS\rυndll.exe -> Trojan.ValueaAd : Renset med backup
    D:\Documents and Settings\Heinrich\Cookies\heinrich@ilead.itrack[2].txt -> TrackingCookie.Itrack : Renset med backup
    D:\Documents and Settings\Heinrich\Cookies\heinrich@com[1].txt -> TrackingCookie.Com : Renset med backup
    D:\Documents and Settings\Heinrich\Cookies\heinrich@burstnet[2].txt -> TrackingCookie.Burstnet : Renset med backup
    D:\Documents and Settings\Heinrich\Cookies\heinrich@cz3.clickzs[2].txt -> TrackingCookie.Clickzs : Renset med backup
    D:\Documents and Settings\Heinrich\Cookies\heinrich@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Renset med backup
    D:\Programmer\whInstall -> Adware.Webhancer : Renset med backup
    D:\Programmer\whInstall\license.txt -> Adware.Webhancer : Renset med backup
    D:\Programmer\whInstall\readme.txt -> Adware.Webhancer : Renset med backup
    D:\Programmer\whInstall\whAgent.ini -> Adware.Webhancer : Renset med backup
    D:\Programmer\webHancer\Programs\whinstaller.exe -> Adware.WebHancer : Renset med backup
    D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP348\A0052734.dll -> Adware.Look2Me : Renset med backup
    D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP348\A0052735.dll -> Adware.Look2Me : Fejl under renselse
    D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP348\A0052736.dll -> Adware.Look2Me : Renset med backup
    D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP348\A0052737.dll -> Adware.Look2Me : Renset med backup
    D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP348\A0052738.dll -> Adware.Look2Me : Renset med backup
    D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP348\A0052739.dll -> Adware.Look2Me : Renset med backup
    D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP337\A0051725.exe -> Adware.WebHancer : Renset med backup
    D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP337\A0051726.dll -> Adware.WebHancer : Renset med backup
    D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP337\A0051727.exe -> Adware.WebHancer : Renset med backup
    D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP337\A0051729.DLL -> Adware.WebHancer : Renset med backup
    D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP338\A0052079.exe -> Adware.WebHancer : Renset med backup
    D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP338\A0052080.dll -> Adware.WebHancer : Renset med backup
    D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP338\A0052087.dll -> Adware.WebHancer : Renset med backup
    D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP338\A0052089.DLL -> Adware.CommAd : Renset med backup
    D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP338\A0052090.EXE -> Adware.CommAd : Renset med backup
    D:\System Volume Information\_restore{BA2490AA-8F35-461B-AFC8-8BDCB32E2178}\RP339\A0052127.DLL -> Adware.Look2Me : Renset med backup


::Rapport slut

And the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 21:18:31, on 30-05-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINXP\System32\smss.exe
D:\WINXP\system32\winlogon.exe
D:\WINXP\system32\services.exe
D:\WINXP\system32\lsass.exe
D:\WINXP\system32\Ati2evxx.exe
D:\WINXP\system32\svchost.exe
D:\WINXP\System32\svchost.exe
D:\WINXP\system32\LEXBCES.EXE
D:\WINXP\system32\spoolsv.exe
D:\WINXP\system32\LEXPPS.EXE
D:\WINXP\Explorer.EXE
C:\Programmer\QuickTime\qttask.exe
D:\Programmer\Lexmark X1100 Series\lxbkbmgr.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
D:\Programmer\Lexmark X1100 Series\lxbkbmon.exe
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
D:\Programmer\Java\j2re1.4.2_04\bin\jusched.exe
C:\Programmer\iTouch\iTouch.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
D:\Programmer\Network Associates\VirusScan\avsynmgr.exe
D:\WINXP\system32\crypserv.exe
c:\Programmer\spyware\security suite\ewidoctrl.exe
c:\Programmer\spyware\security suite\ewidoguard.exe
D:\Programmer\Network Associates\VirusScan\VsStat.exe
D:\Programmer\Network Associates\VirusScan\Vshwin32.exe
D:\WINXP\system32\svchost.exe
D:\Programmer\Network Associates\VirusScan\Avconsol.exe
D:\Programmer\Network Associates\VirusScan\Webscanx.exe
D:\Programmer\Fælles filer\Network Associates\McShield\mcshield.exe
D:\WINXP\system32\wuauclt.exe
D:\WINXP\System32\svchost.exe
D:\Documents and Settings\Heinrich\Skrivebord\McAfee Antivirus og VPN\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ungmor.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {C67010EC-A829-D88E-0871-FE3AF42525B5} - D:\WINXP\system32\vcgnknf.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [AceGain LiveUpdate] E:\Programmer\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "D:\Programmer\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [WheelMouse] c:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [iKeyWorks] c:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Programmer\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINXP\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NeroCheck] D:\WINXP\System32\NeroCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmer\iTouch\iTouch.exe
O4 - HKCU\..\Run: [Eov] D:\Documents and Settings\Heinrich\Dokumenter\W?nSxS\r?ndll.exe
O4 - HKCU\..\Run: [Dolo] "D:\WINXP\system32\DOBE~1\rundll32.exe" -vt yazr
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Programmer\Microsoft Office\Office\OSA9.EXE
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINXP\system32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - D:\Programmer\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - D:\WINXP\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - c:\Programmer\spyware\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - c:\Programmer\spyware\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINXP\system32\LEXBCES.EXE
O23 - Service: McShield - Unknown owner - D:\Programmer\Fælles filer\Network Associates\McShield\mcshield.exe
fromsej (Trainee)
30 May 2006 - 22:03 #7
That took care of the worst of it, but there is still more.

Download this scanner and save it on the desktop. Do not run it yet.
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Read this guide carefully.
http://fromsej.dk/Vejledninger/html/drweb.html
---------------------------------------
Run HijackThis, scan, tick the lines listed here, close all windows except HijackThis, click "Fix checked", restart in Safe Mode (press <F8> during startup) and delete the folders and files listed further down.

R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {C67010EC-A829-D88E-0871-FE3AF42525B5} - D:\WINXP\system32\vcgnknf.dll (file missing)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Eov] D:\Documents and Settings\Heinrich\Dokumenter\W?nSxS\r?ndll.exe
O4 - HKCU\..\Run: [Dolo] "D:\WINXP\system32\DOBE~1\rundll32.exe" -vt yazr

---------------------------------------
Deleting \folders\ and files:
Open Explorer and click Tools=>Folder Options=>View.
Untick "Hide protected operating system files".
Untick "Hide extensions for known file types".
Select "Show hidden files and folders".
Use Start->Search.
Click "Change search behavior for files and folders"
Select "Advanced" and click OK.
Click "All files and folders"
Click "More advanced options"
Tick the top three.
-------------------
Folders:
D:\Documents and Settings\Heinrich\Dokumenter\W?nSxS\r?ndll.exe
D:\WINXP\system32\DOBE~1\
-------------------
Files:
<None>
---------------------------------------
Double-click drweb-cureit.exe; it will run an express scan, which you accept.
When it says Done at the bottom left, click Options->Change settings.
Switch to the Scan tab and untick Heuristic analysis.
Switch to the Actions tab; here all items under Malware must be set to Rename.
Then click the drive or drives you want scanned; a red dot appears to show they are selected.

Then click the green arrow over on the right of the page to start the scan.
The first time Dr.Web finds something, click "Yes to All", and it removes what it finds.
Then click Start->Search, find the file CureIt.log and paste the bottom part of the text here, starting with:
Scan statistics.
---------------------------------------
Restart normally and post a fresh HijackThis log.
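As an added example (not part of this thread, and not code from HijackThis or any of the tools the posters used), the following Python script applies to HijackThis lines the kinds of checks the helper applied by eye: entries whose file is missing, Run entries pointing at a drive root or at a copy of a system binary outside system32, paths containing characters HijackThis could not render or non-ASCII look-alike letters (the W?nSxS\r?ndll.exe entry that Ewido reported as WіnSxS\rυndll.exe), and Winlogon Notify DLLs with random-looking names like the ones Look2Me-Destroyer deleted. The heuristics and thresholds are my own assumptions, not rules from HijackThis; the sample log consists of lines copied from the thread plus one constructed line that carries the Cyrillic and Greek letters shown in the Ewido report.

```python
import re
import unicodedata

# Constructed sample: HijackThis v1.99.1 lines copied from the thread above, plus
# two benign lines (QuickTime, LexBce) for contrast and a second copy of the Eov
# line rewritten with the Cyrillic/Greek letters the Ewido report showed in that
# path. HijackThis printed characters outside the ANSI code page as '?', which is
# why the log shows 'W?nSxS\r?ndll.exe' where Ewido shows 'WіnSxS\rυndll.exe'.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {C67010EC-A829-D88E-0871-FE3AF42525B5} - D:\WINXP\system32\vcgnknf.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [newname] C:\\newname22.exe
O4 - HKCU\..\Run: [Eov] D:\Documents and Settings\Heinrich\Dokumenter\W?nSxS\r?ndll.exe
O4 - HKCU\..\Run: [Eov] D:\Documents and Settings\Heinrich\Dokumenter\WіnSxS\rυndll.exe
O4 - HKCU\..\Run: [Dolo] "D:\WINXP\system32\DOBE~1\rundll32.exe" -vt yazr
O20 - Winlogon Notify: App Management - D:\WINXP\system32\r08s0al7edq.dll
O20 - Winlogon Notify: Hints - D:\WINXP\system32\l24qlch51f4.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINXP\T2xzZW4\command.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINXP\system32\LEXBCES.EXE
"""

# First drive-letter path up to its .exe/.dll extension; command-line arguments
# and the "(file missing)" marker follow the extension and are left out.
PATH_RE = re.compile(r'([A-Za-z]:\\.*?\.(?:exe|dll))', re.IGNORECASE)
# Exactly <drive>:\<windir>\system32\<file>, where the real system binaries live.
SYSTEM32_RE = re.compile(r'^[A-Za-z]:\\[^\\]+\\system32\\[^\\]+$', re.IGNORECASE)
DRIVE_ROOT_RE = re.compile(r'^[A-Za-z]:\\+[^\\]+$')
# Names worth impersonating; a copy outside system32 is the masquerade seen above.
SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "explorer.exe", "winlogon.exe"}


def extract_path(line: str):
    """Return the executable/DLL path named by a HijackThis line, or None."""
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def looks_random(filename: str) -> bool:
    """Heuristic (my assumption) for Look2Me-style names such as r08s0al7edq.dll:
    a long stem with letters and digits mixed. Applied only to Winlogon Notify
    entries, where legitimate DLLs have readable names."""
    stem = filename.rsplit(".", 1)[0]
    digits = sum(c.isdigit() for c in stem)
    letters = sum(c.isalpha() for c in stem)
    return len(stem) >= 8 and digits >= 2 and letters >= 2


def analyse_line(line: str) -> list:
    """Return the reasons this line deserves a closer look ([] if none)."""
    reasons = []
    if "(file missing)" in line:
        reasons.append("autostart entry points at a file that no longer exists")
    path = extract_path(line)
    if path is None:
        return reasons
    filename = path.rsplit("\\", 1)[-1]
    odd = [c for c in path if ord(c) > 127]
    if odd:
        names = ", ".join(unicodedata.name(c, "U+%04X" % ord(c)) for c in odd)
        reasons.append(f"non-ASCII characters in path ({names})")
    if "?" in path:
        reasons.append("'?' in path: a character HijackThis could not render, "
                       "and not legal in a Windows filename")
    if filename.lower() in SYSTEM_BINARIES and not SYSTEM32_RE.match(path):
        reasons.append(f"{filename} outside system32 (system binary name reused)")
    if DRIVE_ROOT_RE.match(path):
        reasons.append("executable dropped directly in the drive root")
    if line.startswith("O20") and looks_random(filename):
        reasons.append("Winlogon Notify DLL with a random-looking name")
    return reasons


def triage(log_text: str) -> list:
    """Return (line, reasons) for every flagged line, in log order."""
    flagged = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = analyse_line(line)
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

The output is triage input for a human, not a verdict: the random-name rule is deliberately restricted to O20 entries because legitimate O4 entries on this very machine (hpztsb04.exe, for instance) would trip it, and a missing file is often just a stale uninstall. On the sample above the script flags eight of the ten lines and leaves the QuickTime and LexBce entries alone, which matches the set of lines the helper chose to fix.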
jgni (Novice)
26 September 2006 - 21:32 #8
Closing...
fromsej (Trainee)
26 September 2006 - 21:57 #9
You're welcome, it was such a pleasure to spend time helping.

F O O L !