Deleted user
14 July 2006 - 20:31
There are 15 comments and 1 solution

Problems with spyware

I have some spyware problems that won't go away.
I've tried many programs without success.
I've attached a log file from HijackThis.

Hope someone can help.

Logfile of HijackThis v1.99.1
Scan saved at 20:27:29, on 14-07-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Programmer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Programmer\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Fælles filer\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programmer\HP\hpcoretech\hpcmpmgr.exe
C:\Programmer\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\Programmer\SlySoft\AnyDVD\AnyDVD.exe
C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Spyware Doctor\swdoctor.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Logitech\SetPoint\KEM.exe
C:\Programmer\SetWeb\SetWeb.exe
C:\Programmer\Logitech\SetPoint\KHALMNPR.EXE
C:\Documents and Settings\Käthe og Uffe\Skrivebord\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: (no name) - {B41B464C-29D5-6D17-B2CC-3ACBC2C4ADB8} - (no file)
R3 - URLSearchHook: (no name) - {29C2D3CE-AD4B-C888-26AD-DBAF0F937262} - (no file)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {87D98AA8-3555-4B85-A31C-D4FF35F6641A} - C:\WINDOWS\system32\confmspd.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Genvej til egenskabsside for High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmer\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Programmer\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\PPE.EXE
O4 - HKLM\..\Run: [ParisM] WhatsNewBot.exe
O4 - HKLM\..\Run: [MSTCPDLL] StartCpl.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [I downloaded pirated Software from P2P and now I post my Hijack log] C:\WINDOWS\system32\warez.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKLM\..\Run: [iesetupdll] br0ken.exe
O4 - HKLM\..\Run: [FLKPT] TRPT.exe
O4 - HKLM\..\Run: [AnyDVD] "C:\Programmer\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [jemcj.exe] C:\WINDOWS\system32\jemcj.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [scanSYS] typeconf.exe
O4 - HKCU\..\Run: [StartCpl] Bogobot.exe
O4 - HKCU\..\Run: [XTermInit] ___.exe
O4 - HKCU\..\Run: [media64] TorontoMail.exe
O4 - HKCU\..\Run: [sysmon12] newbreed.exe
O4 - HKCU\..\Run: [ActionScr] Uint32.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programmer\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmer\Logitech\SetPoint\KEM.exe
O4 - Global Startup: SetWeb.lnk = C:\Programmer\SetWeb\SetWeb.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Programmer\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152645085734
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CC1A3ED-19B2-463D-BC4A-58CB61EBFA36}: NameServer = 85.255.115.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{860B76F8-8EA8-4EB2-AC77-22C294DD4F11}: NameServer = 85.255.115.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CAF8B05-E934-4246-ABFF-FCF9AC7307F9}: NameServer = 85.255.115.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DF69FCF-E67E-44FC-A9FF-87BA8429E376}: NameServer = 85.255.115.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F5CB7CE-E9D4-4682-A9AE-ADA95C0FB3F2}: NameServer = 85.255.115.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0F025D4-DEBD-4390-95C9-08850D618F50}: NameServer = 85.255.115.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{F603E70B-3F5D-48E3-967F-80C3CC707A67}: NameServer = 85.255.115.38
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.38 85.255.112.103
O17 - HKLM\System\CS1\Services\Tcpip\..\{1CC1A3ED-19B2-463D-BC4A-58CB61EBFA36}: NameServer = 85.255.115.38
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.38 85.255.112.103
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
O23 - Service: Pinnacle Systems tvtv Spooler (EpgSpooler) - Unknown owner - c:\progra~1\pinnacle\mediac~1\epgspo~2.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Programmer\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmer\Fælles filer\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe
johnstigers, Senior master
14 July 2006 - 20:58 #1
It looks as if you're running both Norton AND AVG???

If you ask me which one to remove, I'd say Norton.
fromsej, Trainee
14 July 2006 - 21:46 #2
Whether you ask me or not, I also say OUT with Norton.
But it just looks like the usual leftovers: the program can't remove anything, it can't block anything, and for heaven's sake they can't make an uninstaller that works either!!!

Download and run these:
ftp://ftp.symantec.com/public/english_us_canada/linked_files/tsgen/SymNRT.exe
Then download this file, double-click it and say yes to adding the values to the registry:
ftp://ftp.symantec.com/public/english_us_canada/linked_files/tsgen/SYMMSICLEANUP.reg
After a restart, all of Norton should be gone.

Now on to the cleanup:
1. Download FixWareout from one of these links:

http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

2. Save the file to your Desktop and double-click it. Click Next -> Install and check that "Run fixit" is ticked - then click Finish. The fix will now start, and you just need to follow the instructions. You will be asked to restart your computer - please do so. The restart will take a little longer than usual...

3. When your system restarts, keep following the instructions given on screen. When the fix is finished, a log (report.txt) will open, which you should save and post here in your next post.

4. Then run HijackThis - click "Do a system scan only" and tick the following lines - close all other program windows - click "Fix checked":

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: (no name) - {B41B464C-29D5-6D17-B2CC-3ACBC2C4ADB8} - (no file)
R3 - URLSearchHook: (no name) - {29C2D3CE-AD4B-C888-26AD-DBAF0F937262} - (no file)
O2 - BHO: (no name) - {87D98AA8-3555-4B85-A31C-D4FF35F6641A} - C:\WINDOWS\system32\confmspd.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [MSTCPDLL] StartCpl.exe
O4 - HKLM\..\Run: [I downloaded pirated Software from P2P and now I post my Hijack log] C:\WINDOWS\system32\warez.exe
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKLM\..\Run: [iesetupdll] br0ken.exe
O4 - HKLM\..\Run: [FLKPT] TRPT.exe
O4 - HKLM\..\Run: [jemcj.exe] C:\WINDOWS\system32\jemcj.exe
O4 - HKCU\..\Run: [scanSYS] typeconf.exe
O4 - HKCU\..\Run: [StartCpl] Bogobot.exe
O4 - HKCU\..\Run: [XTermInit] ___.exe
O4 - HKCU\..\Run: [media64] TorontoMail.exe
O4 - HKCU\..\Run: [sysmon12] newbreed.exe
O4 - HKCU\..\Run: [ActionScr] Uint32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CC1A3ED-19B2-463D-BC4A-58CB61EBFA36}: NameServer = 85.255.115.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{860B76F8-8EA8-4EB2-AC77-22C294DD4F11}: NameServer = 85.255.115.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CAF8B05-E934-4246-ABFF-FCF9AC7307F9}: NameServer = 85.255.115.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DF69FCF-E67E-44FC-A9FF-87BA8429E376}: NameServer = 85.255.115.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F5CB7CE-E9D4-4682-A9AE-ADA95C0FB3F2}: NameServer = 85.255.115.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0F025D4-DEBD-4390-95C9-08850D618F50}: NameServer = 85.255.115.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{F603E70B-3F5D-48E3-967F-80C3CC707A67}: NameServer = 85.255.115.38
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.38 85.255.112.103
O17 - HKLM\System\CS1\Services\Tcpip\..\{1CC1A3ED-19B2-463D-BC4A-58CB61EBFA36}: NameServer = 85.255.115.38
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.38 85.255.112.103

5. Close HJT and click OK to continue. Restart your computer and paste the contents of C:\fixwareout\report.txt here along with a fresh HijackThis log.
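The O17 and O4 lines singled out in step 4 share traits that can be checked mechanically: every Tcpip interface key carries the same public NameServer, several Run values are bare filenames or borrow a core process name (smss.exe) while loading from C:\WINDOWS\system rather than System32, and the R3/O2 hooks have no name or no file. The triage script below is an added example, not part of the original post and not code from HijackThis or Fixwareout. Its sample lines are copied from the log above; ALLOWED_DNS (a home router at 192.168.1.1) is an assumption standing in for the resolvers the machine is actually supposed to use.

```python
"""Triage a HijackThis v1.99 log for the patterns seen in the thread above:
O17 NameServer entries pointing every adapter at the same outside resolver,
O4 Run values that are bare filenames or that borrow a core system process
name from the wrong directory, and R3/O2 hooks with no name or no file.

Added example; not part of the original post and not HijackThis/Fixwareout
code. ALLOWED_DNS is an assumption: fill it with the resolvers your ISP or
router really hands out."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines copied verbatim from the log above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {B41B464C-29D5-6D17-B2CC-3ACBC2C4ADB8} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {87D98AA8-3555-4B85-A31C-D4FF35F6641A} - C:\WINDOWS\system32\confmspd.dll
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ParisM] WhatsNewBot.exe
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKLM\..\Run: [iesetupdll] br0ken.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CC1A3ED-19B2-463D-BC4A-58CB61EBFA36}: NameServer = 85.255.115.38
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.38 85.255.112.103
"""

# Assumption: the resolvers this machine is supposed to use (e.g. the home router).
ALLOWED_DNS = {"192.168.1.1"}

# Core Windows processes that malware likes to name itself after; one of these
# loading from anywhere but %SystemRoot%\System32 is suspect.
SYSTEM_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                    "lsass.exe", "svchost.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Findings:
    rogue_dns: dict[str, list[str]] = field(default_factory=dict)                 # server -> keys using it
    run_entries: list[tuple[str, str, list[str]]] = field(default_factory=list)   # (hive, name, reasons)
    nameless_hooks: list[str] = field(default_factory=list)


def executable_of(cmd: str) -> str:
    """Strip arguments from an O4 command line and return just the program path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    idx = cmd.lower().find(".exe")
    return cmd[: idx + 4] if idx != -1 else cmd.split(" ", 1)[0]


def check_run_entry(name: str, cmd: str) -> list[str]:
    """Heuristics for one O4 Run value. Legit entries (SOUNDMAN.EXE, ALCWZRD.EXE)
    also trip the bare-filename rule, so treat hits as candidates, not verdicts."""
    exe = executable_of(cmd)
    directory, _, base = exe.rpartition("\\")
    reasons = []
    if name.startswith("."):
        reasons.append("value name starts with a dot")
    if not directory:
        reasons.append("bare filename, resolved through PATH / App Paths")
    elif base.lower() in SYSTEM_PROCESSES and not directory.lower().endswith("\\system32"):
        reasons.append(f"{base} loaded from {directory} instead of System32")
    return reasons


def triage(log: str, allowed_dns: set[str] = ALLOWED_DNS) -> Findings:
    f = Findings()
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("O17 - "):
            key, _, servers = line[len("O17 - "):].partition(": NameServer = ")
            for server in servers.split():
                if server not in allowed_dns:
                    f.rogue_dns.setdefault(server, []).append(key)
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            if m and (reasons := check_run_entry(m["name"], m["cmd"])):
                f.run_entries.append((m["hive"], m["name"], reasons))
        elif line.startswith(("R3 - URLSearchHook: (no name)", "O2 - BHO: (no name)")):
            f.nameless_hooks.append(line)
    return f


def report(f: Findings) -> list[str]:
    """One line per finding; the same public resolver on several adapters is the DNS-hijack tell."""
    out = []
    for server, keys in f.rogue_dns.items():
        scope = "private" if ipaddress.ip_address(server).is_private else "public"
        out.append(f"DNS: {server} ({scope}) configured on {len(keys)} Tcpip key(s)")
    for hive, name, reasons in f.run_entries:
        out.append(f"Run {hive}\\[{name}]: " + "; ".join(reasons))
    for line in f.nameless_hooks:
        out.append("Nameless hook: " + line)
    return out


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

Run it against a full log saved from HijackThis and compare the output against the lines a helper asks you to fix; anything the heuristics flag that is not on the list (SOUNDMAN.EXE and friends are bare filenames too) still needs a look at the file itself before it is removed.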
Deleted user
14 July 2006 - 23:41 #3
Here is the report:

Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\snimd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\nlcalik
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\obemd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BDC9CE6E19A8-2C59-C0D4-1930-20592ADA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8CBDCBBD5E5F-2F09-D244-3B91-DA4525D7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B6F4B1FE1B90-49D9-AD94-1E0C-E1B5ED43{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6E3695809893-704B-6564-3531-D530CE13{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4610B87765FB-DF88-1A94-9FC2-B961D07B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A6C5AD5E9B10-71BB-C3B4-B086-78E37509{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DE4B56DB3374-0828-30B4-62D2-D6455D12{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9549B36675CE-20CB-FE14-4F7A-C7EEA0BE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2A2B453381A4-709A-7ED4-0A6C-6A740EF7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2285483348C9-63F9-84D4-6F21-161153E9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E2645D8E5FC1-D9A9-5FE4-1DF8-3D6280AA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}23474490D8D6-A0BA-B4E4-85D7-0E255122{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F813D12CFADC-35C9-63E4-2B97-B2059952{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}715F5010759A-39A9-6E84-7A57-9FF839F4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2B715A0F24D6-226B-8C84-BDD7-3DE45093{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E223D3DDABF6-1199-D334-571A-0D4871EE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}452D498E9FFA-6BC9-6C24-DDDF-7A2D36E2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AF578386FD68-757B-61C4-72CB-4796FCBB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}59F2D8A35352-3208-5524-CC1B-6066995E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}38E2B10CFA0A-55E8-9AC4-5AAF-E278B08E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}91A05064AEE3-68DB-B9D4-201E-B5E8C048{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}24D322461522-6D2B-C584-125F-BC94A950{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B48B225366E4-4368-2534-CB8D-62718823{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B5703D1C0DB5-400A-B784-BED8-D8876131{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E3903E5C7569-A2F8-4EF4-240B-1E224C9A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CE7098EDA733-0F2A-6834-4ADD-FE8D04FA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6BD7B9278B25-4568-99F4-88FF-49C92963{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3E9599423264-9A9A-2004-E9B6-4B472ECC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}56D135397C7B-2F69-7A34-579D-DA675E12{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C1713BFA0FEF-84B8-B8E4-BA8E-C989495B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}75091D855ECF-EA7B-60C4-B34A-3DB79DB9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0D73724D14B4-5019-6AF4-591A-50F8E7B6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}138C1E68C60D-989B-67E4-C392-52A40EAD{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AED9305E4ACF-93CB-DE84-5E06-B8D74053{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}355565C4314C-40FA-24A4-BF0D-D9461F2F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5289CF23CFA7-7C1B-D5C4-5914-3D619975{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AEDA8A29A307-A139-3B44-6C17-5CC58507{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F277401C47A4-EB08-AE14-C46F-D687FE69{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B93E5450B46E-61B9-DD14-6950-9C4776BB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D91A40427F9F-0939-BCC4-FB5E-CE4BA001{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2537625EC9F9-7DAB-C534-1970-5A8606FF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AF24D8B11B48-9169-9F24-E0E5-88887C04{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}54A872B4DFBE-0A28-92A4-6EDE-7AC26668{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4C12743CB10F-BA08-73F4-21DA-79F60B72{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3080820C5833-210B-7884-E91F-82574D34{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8E78F09A56A5-A8EB-E3E4-B4CA-B5B48E88{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6EE77974C875-1FEB-2054-1034-FBBB79A5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EDAAF02AA8E8-1D1B-DB94-E29D-8A1C9C72{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F6B984165982-DE29-22F4-F599-E2F4A84B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}32A4CA2D16D2-6D89-BE84-34AB-109A5874{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AAA647CEB0E8-F0B8-CFE4-1FF7-554DE130{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A0B60237F8D3-625A-0E64-E1ED-C4025595{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}46D0B72FB330-95F8-C394-489E-812528C2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}43EAA75D3174-88B8-8664-1831-D4D883F8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B98E552DB3B5-33F9-FCD4-F010-C91E933A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}27CB40EEED6D-C8A9-1F94-6307-DA6CFC90{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1C9EE1E45A9E-7C6B-1C74-877F-DC98DE45{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}33B4E688D6C9-14B9-ECE4-68F6-20D082AE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}27F714639F2E-858B-C304-867D-354E63CC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}62BEE9E7A953-CDB8-A6F4-BF4F-29AAF79A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4B2DBBD3C844-2FF8-3184-F215-A7CBB1C1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}91EDCAF019FE-1D08-0504-E09C-FF65A034{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}ADCCF8052B1F-C6BB-5E94-4585-63140F23{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F2740E07ABAB-F4EA-6F84-12B7-2A4E08EC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8B9CD2D00632-3B98-1BD4-2BBD-3DD9784C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FB157774D8CF-67A9-C834-C29F-A3A6C397{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}98D192CDFF47-8A7B-E904-99C3-5CD811B9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1F9F3904BE5C-C258-E274-F2BF-62B2070D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1357A91AE78E-2689-B0B4-BFA5-A98E43BA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}971369268CEB-4C68-C4D4-93FE-2A6E9117{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}453F3A4FFD71-4259-1B94-3044-93EFF6DC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DF7D7AA47253-469A-F534-2B7A-27F55BD7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}430FBDAD4303-EDF8-24F4-9DAB-58DCFABE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BB162C39D01A-43F9-B154-2140-99067E21{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1FB895BEA08B-BD2B-9724-5F23-D34A8A58{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8A56EBF3F37A-AEBB-8814-6761-E3042FBC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5D17E07C884A-415B-8EF4-C8D2-68B0F99C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F08C705B7E09-4118-3024-46F2-ED672A48{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6C270F66BD95-ED68-5D14-08D4-4D117617{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AD910D3B29A3-2848-F6B4-489A-D013FB12{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}816A57DC9B9E-388B-1B74-93AD-16B03F45{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E015DDB6EE85-13D8-2784-5B0B-40063151{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C04256013718-7EEB-2364-236C-68DAC83A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CC7825FC1B62-FF79-C954-9696-A7581987{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}880A1C632FB4-E00A-4EB4-A015-4B3D8D05{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}582606187AC5-255B-56D4-471B-ADCD5DD3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}360E86FBD040-1C39-BD44-3A13-C3D38FA1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7C0D8BB85B86-3028-D874-2CF0-C4E4D0B2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}62FD5CB1A0D3-9DCA-03C4-33E0-9D9C3A61{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6257D90B166E-1C68-D344-F2EE-3AC8613B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9C197661F798-D8B8-5904-DFFE-DDC7CDEF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5A6E55DBE849-F189-9744-DF4B-9C403884{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1F4CE638BF05-B0D8-7C44-7275-2E1DF2A7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4F2B0C4C15A3-299B-C0E4-3F0B-B265FA8B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F2550CA91CFD-B2AA-FB04-FF17-8D266A39{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BEB2953695B1-3ECB-9264-DDE8-AEFDB282{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8AB9C92559C1-B0B9-2BB4-725E-052D0F19{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5295B99473BD-E0E9-F2C4-D1E9-AA708D7C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1207231D8948-2E8B-C774-2D23-E643566E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}39FD834AABB8-0B3B-38A4-3824-BC8F44C5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6AF667F0748F-21B9-1F54-2FF0-664C4BC1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AB8143B7B40C-B79A-18F4-FD2E-59C8C250{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CE47F78FEE45-04FA-0954-7B75-1D1F78AD{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C638AAA960C3-B779-E994-A84F-43FA5998{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A4165A402684-5DC8-4344-59A1-6C8C01DD{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5EDA7D2D5703-403B-9724-E92E-D4572F53{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4FF6E148D36B-02EB-04B4-7B1B-F1FCBD89{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}63CAB5D7AEF4-980B-2504-BDB9-0B504FA7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CE64E08E5CE8-EF98-4E94-52BF-DB6C1DC4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E367D02E1425-878B-4454-0E21-82B4F3D1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}15DC8222909C-4AB8-A464-0E52-C2D83334{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E8FC4FEC0935-6F49-DAF4-8D60-669C4A8D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2FEC4ACE133B-0F18-54C4-FF1F-A2362B54{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DE4F0B0DF2DB-7AD8-8A04-15EB-38F0C587{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EF267E5CDD4F-2EFB-A734-2605-EC3833F6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F96C138D8434-C1E9-AAB4-561C-6E0A62A5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F1D48C34A2E6-CBF9-9104-CB51-3BD46CDE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}56AF33A690BA-B99B-7164-92CB-922D2D0D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B03C96C9B14B-8BD8-8964-A31D-16AD516B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1F6A8BA3D132-53D8-89C4-0332-7776F60F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D9CF3AACA7BC-EDD9-FE44-4C3A-88BB95C3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B8383397C4AB-2D7A-3E44-0EDE-6EB7A4FB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}98E97AF39CC6-F9F9-4DF4-3735-83817E8A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1B412DF43B51-89D9-A514-54A8-CEF75676{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1A66535FF584-BC1B-B9D4-08C0-C88A4A30{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B2A5AACEA021-1728-A7D4-76C9-B372CADE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}34CBE0422660-C46B-7D44-E6C5-67EAFC1E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}64E374311770-9A59-A2E4-4652-8C391FFB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}484728A141FB-723A-8964-B3D4-AB658EF4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EA6460ACC9EF-8C88-DCF4-11CE-B02FB76E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4B8A749F68F5-B159-D224-B230-30037253{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\xutmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1E3323B114D4-F79B-6AD4-1CED-6592C7E9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FC99464EC24B-E6AA-98F4-2364-73C50382{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9AE59503BA3A-260B-2614-5CBA-6A9DEFF2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}50B0A3D2FB9B-A6BA-76A4-2B66-09C4FA99{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9E29167F786E-1D18-A844-EE07-C0C1A774{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}29973E18E8C2-AD29-41F4-8DE8-FA7B39BF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3B09325E08FC-19C9-8564-B706-95056C13{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}67B3EB98DDF1-AABA-E184-7224-7246D1C7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6B0556625F0E-9B3A-FEF4-AF9E-478B40F4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}09719BD082D7-798B-44E4-D1CA-C5BBB206{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1A993AF8BDA2-784B-E524-325F-8F68C935{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AFD7BDD8171C-D5F8-8284-4795-2F0A2486{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2DD9EFC74467-446B-6294-97C3-3EB0A459{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4FFD005D4FBF-E329-4464-EE50-84AD72B2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E3EB8538DF24-742B-D1B4-F2B7-D24F22F4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E2274A4C69DD-3D6A-4BC4-96AC-759F1E40{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E79E83B3C715-3DC8-CA74-13F9-61C1039F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}10BBDA6FBE70-1D4B-BF74-60DB-2418184E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E397CE618577-E0C8-6484-800C-FFB99FF5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A7BAC62A73BA-4579-C7C4-BDB1-7583FDC3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}56CEE762098C-DDE9-A694-FF38-0673D2FC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}170DB70B673E-4B78-E0B4-8240-8F285986{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7B1EFC6E8090-599B-5E34-1B24-78D64C02{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5CDB2F8692C2-3B99-CC24-A02E-B9A47C3C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0612906F58E9-4C59-5484-0CC6-F6FBAB95{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B7C48A3D3F65-1D39-B174-70D6-A2A277A6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}222758B4B83B-5E6A-5A54-191C-4DFC8ECC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\golmedi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\nlcalik
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
...

Random Runs removed from HKLM
"dmebo.exe"=-
"dmtux.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\DMINSE~1.REN
* csr.exe  C:\WINDOWS\System32\CSCII.EXE

»»»»» Misc files
* thequicklink  C:\WINDOWS\System32\{06856~1.DLL

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSCII.EXE      51.234 2006-07-04     
C:\WINDOWS\SYSTEM32\DMTUX.EXE      44.071 2004-08-27
Other suspects
Directory of C:\WINDOWS\system32
{068563FB-1A25-4B69-8A25-4D0D49ACB295}.dll
{59BABF6F-6CC0-4845-95C4-9E85F6092160}.exe
{C3C74A9B-E20A-42CC-99B3-2C2968F2BDC5}.exe
{CF2D3760-83FF-496A-9EDD-C890267EEC65}.exe
{5FF99BFF-C008-4846-8C0E-775816EC793E}.exe
{E4818142-BD06-47FB-B4D1-07EBF6ADBB01}.exe
{F9301C16-9F31-47AC-8CD3-517C3B38E97E}.exe
{04E1F957-CA69-4CB4-A6D3-DD96C4A4722E}.exe
{4F22F42D-7B2F-4B1D-B247-42FD8358BE3E}.exe
{2B27DA48-05EE-4644-923E-FBF4D500DFF4}.exe
{954A0BE3-3C79-4926-B644-76447CFE9DD2}.exe
{FB93B7AF-8ED8-4F14-92DA-2C8E81E37992}.exe
{477A1C0C-70EE-448A-81D1-E687F76192E9}.exe
{99AF4C90-66B2-4A67-AB6A-B9BF2D3A0B05}.exe
{E1CFAE76-5C6E-44D7-B64C-0662240EBC43}.exe
{03A4A88C-0C80-4D9B-B1CB-485FF53566A1}.exe
{793C6A3A-F92C-438C-9A76-FC8D477751BF}.exe
{C4879DD3-DBB2-4DB1-89B3-23600D2DC9B8}.exe
{CE80E4A2-7B21-48F6-AE4F-BABA70E0472F}.exe
{32F04136-5854-49E5-BB6C-F1B2508FCCDA}.exe
{430A56FF-C90E-4050-80D1-EF910FACDE19}.exe
{1C1BBC7A-512F-4813-8FF2-448C3DBBD2B4}.exe
{B48A4F2E-995F-4F22-92ED-289561489B6F}.exe
{86662CA7-EDE6-4A29-82A0-EBFD4B278A45}.exe
{40C78888-5E0E-42F9-9619-84B11B8D42FA}.exe
{F2F1649D-D0FB-4A42-AF04-C4134C565553}.exe
{35047D8B-60E5-48ED-BC39-FCA4E5039DEA}.exe
{DAE04A25-293C-4E76-B989-D06C86E1C831}.exe
{6B7E8F05-A195-4FA6-9105-4B41D42737D0}.exe
{9BD97BD3-A43B-4C06-B7AE-FCE558D19057}.exe
{B594989C-E8AB-4E8B-8B48-FEF0AFB3171C}.exe
{21E576AD-D975-43A7-96F2-B7C793531D65}.exe
{CCE274B4-6B9E-4002-A9A9-4623249959E3}.exe
{36929C94-FF88-4F99-8654-52B8729B7DB6}.exe
{AF40D8EF-DDA4-4386-A2F0-337ADE8907EC}.exe
{A9C422E1-B042-4FE4-8F2A-9657C5E3093E}.exe
{1316788D-8DEB-487B-A004-5BD0C1D3075B}.exe
{32881726-D8BC-4352-8634-4E663522B84B}.exe
{059A49CB-F521-485C-B2D6-225164223D42}.exe
{840C8E5B-E102-4D9B-BD86-3EEA46050A19}.exe
{E80B872E-FAA5-4CA9-8E55-A0AFC01B2E83}.exe
{E5996606-B1CC-4255-8023-25353A8D2F95}.exe
{BBCF6974-BC27-4C16-B757-86DF683875FA}.exe
{2E63D2A7-FDDD-42C6-9CB6-AFF9E894D254}.exe
{EE1784D0-A175-433D-9911-6FBADD3D322E}.exe
{39054ED3-7DDB-48C8-B622-6D42F0A517B2}.exe
{4F938FF9-75A7-48E6-9A93-A9570105F517}.exe
{2599502B-79B2-4E36-9C53-CDAFC21D318F}.exe
{221552E0-7D58-4E4B-AB0A-6D8D09447432}.exe
{AA0826D3-8FD1-4EF5-9A9D-1CF5E8D5462E}.exe
{9E351161-12F6-4D48-9F36-9C8433845822}.exe
{7FE047A6-C6A0-4DE7-A907-4A183354B2A2}.exe
{EB0AEE7C-A7F4-41EF-BC02-EC57663B9459}.exe
{21D5546D-2D26-4B03-8280-4733BD65B4ED}.exe
{90573E87-680B-4B3C-BB17-01B9E5DA5C6A}.exe
{B70D169B-2CF9-49A1-88FD-BF56778B0164}.exe
{31EC035D-1353-4656-B407-3989085963E6}.exe
{34DE5B1E-C0E1-49DA-9D94-09B1EF1B4F6B}.exe
{7D5254AD-19B3-442D-90F2-F5E5DBBCDBC8}.exe

----------------------------------------------------------------------
And HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 23:23:37, on 14-07-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Programmer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Fælles filer\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programmer\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\Programmer\SlySoft\AnyDVD\AnyDVD.exe
C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Spyware Doctor\swdoctor.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmer\Logitech\SetPoint\KEM.exe
C:\Programmer\SetWeb\SetWeb.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Käthe og Uffe\Skrivebord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{CB1D2FB9-376B-4521-860C-3253F9EDB3C8}.dll (file missing)
O4 - HKLM\..\Run: [Genvej til egenskabsside for High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmer\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Programmer\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\PPE.EXE
O4 - HKLM\..\Run: [ParisM] WhatsNewBot.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [AnyDVD] "C:\Programmer\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ogwgd.exe] C:\WINDOWS\system32\ogwgd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programmer\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmer\Logitech\SetPoint\KEM.exe
O4 - Global Startup: SetWeb.lnk = C:\Programmer\SetWeb\SetWeb.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Programmer\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152645085734
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CC1A3ED-19B2-463D-BC4A-58CB61EBFA36}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{860B76F8-8EA8-4EB2-AC77-22C294DD4F11}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CAF8B05-E934-4246-ABFF-FCF9AC7307F9}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DF69FCF-E67E-44FC-A9FF-87BA8429E376}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F5CB7CE-E9D4-4682-A9AE-ADA95C0FB3F2}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0F025D4-DEBD-4390-95C9-08850D618F50}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{F603E70B-3F5D-48E3-967F-80C3CC707A67}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.38 85.255.112.103
O17 - HKLM\System\CS1\Services\Tcpip\..\{1CC1A3ED-19B2-463D-BC4A-58CB61EBFA36}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.38 85.255.112.103
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Pinnacle Systems tvtv Spooler (EpgSpooler) - Unknown owner - c:\progra~1\pinnacle\mediac~1\epgspo~2.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmer\Fælles filer\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe
fromsej (Intern)
15 July 2006 - 10:14 #4
Open Explorer (Stifinder), click Tools => Folder Options => View.
Uncheck "Hide protected operating system files".
Uncheck "Hide extensions for known file types".
Select "Show hidden files and folders".
Use Start -> Search.
Click "Change search options for files and folders".
Select "Advanced" and click OK.
Click "All files and folders".
Click "More advanced options".
Tick the top three.
Then search for WhatsNewBot.exe; when you have found it, write down the full path. It is probably called C:\windows\system32\WhatsNewBot.exe
Either way, you must add that line to what Avenger is to delete: put it right below "Files to delete:", and Avenger will take that one as well.
If you don't find the file, just continue with the guide.

-- Download Avenger here:
http://swandog46.geekstogo.com/avenger.zip

-- Unpack the Avenger program and double-click avenger.exe

-- Select "Input Script Manually" and click the magnifying glass - a small window will pop up, into which you copy the whole contents between the dashed lines:

-----------------------------
Files to delete:
C:\WINDOWS\SYSTEM32\CSCII.EXE     
C:\WINDOWS\SYSTEM32\DMTUX.EXE
C:\WINDOWS\system32\ogwgd.exe
C:\WINDOWS\system32\nvsvcd.exe
C:\WINDOWS\SYSTEM32\{068563FB-1A25-4B69-8A25-4D0D49ACB295}.dll
C:\WINDOWS\SYSTEM32\{59BABF6F-6CC0-4845-95C4-9E85F6092160}.exe
C:\WINDOWS\SYSTEM32\{C3C74A9B-E20A-42CC-99B3-2C2968F2BDC5}.exe
C:\WINDOWS\SYSTEM32\{CF2D3760-83FF-496A-9EDD-C890267EEC65}.exe
C:\WINDOWS\SYSTEM32\{5FF99BFF-C008-4846-8C0E-775816EC793E}.exe
C:\WINDOWS\SYSTEM32\{E4818142-BD06-47FB-B4D1-07EBF6ADBB01}.exe
C:\WINDOWS\SYSTEM32\{F9301C16-9F31-47AC-8CD3-517C3B38E97E}.exe
C:\WINDOWS\SYSTEM32\{04E1F957-CA69-4CB4-A6D3-DD96C4A4722E}.exe
C:\WINDOWS\SYSTEM32\{4F22F42D-7B2F-4B1D-B247-42FD8358BE3E}.exe
C:\WINDOWS\SYSTEM32\{2B27DA48-05EE-4644-923E-FBF4D500DFF4}.exe
C:\WINDOWS\SYSTEM32\{954A0BE3-3C79-4926-B644-76447CFE9DD2}.exe
C:\WINDOWS\SYSTEM32\{FB93B7AF-8ED8-4F14-92DA-2C8E81E37992}.exe
C:\WINDOWS\SYSTEM32\{477A1C0C-70EE-448A-81D1-E687F76192E9}.exe
C:\WINDOWS\SYSTEM32\{99AF4C90-66B2-4A67-AB6A-B9BF2D3A0B05}.exe
C:\WINDOWS\SYSTEM32\{E1CFAE76-5C6E-44D7-B64C-0662240EBC43}.exe
C:\WINDOWS\SYSTEM32\{03A4A88C-0C80-4D9B-B1CB-485FF53566A1}.exe
C:\WINDOWS\SYSTEM32\{793C6A3A-F92C-438C-9A76-FC8D477751BF}.exe
C:\WINDOWS\SYSTEM32\{C4879DD3-DBB2-4DB1-89B3-23600D2DC9B8}.exe
C:\WINDOWS\SYSTEM32\{CE80E4A2-7B21-48F6-AE4F-BABA70E0472F}.exe
C:\WINDOWS\SYSTEM32\{32F04136-5854-49E5-BB6C-F1B2508FCCDA}.exe
C:\WINDOWS\SYSTEM32\{430A56FF-C90E-4050-80D1-EF910FACDE19}.exe
C:\WINDOWS\SYSTEM32\{1C1BBC7A-512F-4813-8FF2-448C3DBBD2B4}.exe
C:\WINDOWS\SYSTEM32\{B48A4F2E-995F-4F22-92ED-289561489B6F}.exe
C:\WINDOWS\SYSTEM32\{86662CA7-EDE6-4A29-82A0-EBFD4B278A45}.exe
C:\WINDOWS\SYSTEM32\{40C78888-5E0E-42F9-9619-84B11B8D42FA}.exe
C:\WINDOWS\SYSTEM32\{F2F1649D-D0FB-4A42-AF04-C4134C565553}.exe
C:\WINDOWS\SYSTEM32\{35047D8B-60E5-48ED-BC39-FCA4E5039DEA}.exe
C:\WINDOWS\SYSTEM32\{DAE04A25-293C-4E76-B989-D06C86E1C831}.exe
C:\WINDOWS\SYSTEM32\{6B7E8F05-A195-4FA6-9105-4B41D42737D0}.exe
C:\WINDOWS\SYSTEM32\{9BD97BD3-A43B-4C06-B7AE-FCE558D19057}.exe
C:\WINDOWS\SYSTEM32\{B594989C-E8AB-4E8B-8B48-FEF0AFB3171C}.exe
C:\WINDOWS\SYSTEM32\{21E576AD-D975-43A7-96F2-B7C793531D65}.exe
C:\WINDOWS\SYSTEM32\{CCE274B4-6B9E-4002-A9A9-4623249959E3}.exe
C:\WINDOWS\SYSTEM32\{36929C94-FF88-4F99-8654-52B8729B7DB6}.exe
C:\WINDOWS\SYSTEM32\{AF40D8EF-DDA4-4386-A2F0-337ADE8907EC}.exe
C:\WINDOWS\SYSTEM32\{A9C422E1-B042-4FE4-8F2A-9657C5E3093E}.exe
C:\WINDOWS\SYSTEM32\{1316788D-8DEB-487B-A004-5BD0C1D3075B}.exe
C:\WINDOWS\SYSTEM32\{32881726-D8BC-4352-8634-4E663522B84B}.exe
C:\WINDOWS\SYSTEM32\{059A49CB-F521-485C-B2D6-225164223D42}.exe
C:\WINDOWS\SYSTEM32\{840C8E5B-E102-4D9B-BD86-3EEA46050A19}.exe
C:\WINDOWS\SYSTEM32\{E80B872E-FAA5-4CA9-8E55-A0AFC01B2E83}.exe
C:\WINDOWS\SYSTEM32\{E5996606-B1CC-4255-8023-25353A8D2F95}.exe
C:\WINDOWS\SYSTEM32\{BBCF6974-BC27-4C16-B757-86DF683875FA}.exe
C:\WINDOWS\SYSTEM32\{2E63D2A7-FDDD-42C6-9CB6-AFF9E894D254}.exe
C:\WINDOWS\SYSTEM32\{EE1784D0-A175-433D-9911-6FBADD3D322E}.exe
C:\WINDOWS\SYSTEM32\{39054ED3-7DDB-48C8-B622-6D42F0A517B2}.exe
C:\WINDOWS\SYSTEM32\{4F938FF9-75A7-48E6-9A93-A9570105F517}.exe
C:\WINDOWS\SYSTEM32\{2599502B-79B2-4E36-9C53-CDAFC21D318F}.exe
C:\WINDOWS\SYSTEM32\{221552E0-7D58-4E4B-AB0A-6D8D09447432}.exe
C:\WINDOWS\SYSTEM32\{AA0826D3-8FD1-4EF5-9A9D-1CF5E8D5462E}.exe
C:\WINDOWS\SYSTEM32\{9E351161-12F6-4D48-9F36-9C8433845822}.exe
C:\WINDOWS\SYSTEM32\{7FE047A6-C6A0-4DE7-A907-4A183354B2A2}.exe
C:\WINDOWS\SYSTEM32\{EB0AEE7C-A7F4-41EF-BC02-EC57663B9459}.exe
C:\WINDOWS\SYSTEM32\{21D5546D-2D26-4B03-8280-4733BD65B4ED}.exe
C:\WINDOWS\SYSTEM32\{90573E87-680B-4B3C-BB17-01B9E5DA5C6A}.exe
C:\WINDOWS\SYSTEM32\{B70D169B-2CF9-49A1-88FD-BF56778B0164}.exe
C:\WINDOWS\SYSTEM32\{31EC035D-1353-4656-B407-3989085963E6}.exe
C:\WINDOWS\SYSTEM32\{34DE5B1E-C0E1-49DA-9D94-09B1EF1B4F6B}.exe
C:\WINDOWS\SYSTEM32\{7D5254AD-19B3-442D-90F2-F5E5DBBCDBC8}.exe
-----------------------------

-- Click the traffic light in Avenger. The program will prompt you to restart the computer immediately, which you should do. The program will shut down your computer, delete the files and start the computer again.

-- After the restart a Notepad window will pop up with a log of Avenger's actions. Please paste it into your next reply.

-- Run HijackThis, choose "Do a system scan only", tick the lines listed here, close all windows except HijackThis, and click "Fix checked".

O4 - HKLM\..\Run: [ParisM] WhatsNewBot.exe
O4 - HKLM\..\Run: [ogwgd.exe] C:\WINDOWS\system32\ogwgd.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CC1A3ED-19B2-463D-BC4A-58CB61EBFA36}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{860B76F8-8EA8-4EB2-AC77-22C294DD4F11}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CAF8B05-E934-4246-ABFF-FCF9AC7307F9}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DF69FCF-E67E-44FC-A9FF-87BA8429E376}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F5CB7CE-E9D4-4682-A9AE-ADA95C0FB3F2}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0F025D4-DEBD-4390-95C9-08850D618F50}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{F603E70B-3F5D-48E3-967F-80C3CC707A67}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.38 85.255.112.103
O17 - HKLM\System\CS1\Services\Tcpip\..\{1CC1A3ED-19B2-463D-BC4A-58CB61EBFA36}: NameServer = 85.255.115.38,85.255.112.103
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe

Restart the computer and make a new log with HijackThis, which you post here together with the log from Avenger.
Deleted user
16 July 2006 - 10:57 #5
Hi, sorry for the wait, but there's a job in the way...
I tried to run Avenger, but every time it came back and said that it
was a valid script file... with error code 1813

So I tried deleting the files manually, and that went fine too.
I have then run a new Fixwareout and HijackThis, which I attach here:

Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
...

Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\DMINSE~1.REN
* csr.exe  C:\WINDOWS\System32\CSLKE.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSLKE.EXE      51.228 2006-07-14     
C:\WINDOWS\SYSTEM32\DMZGE.EXE      61.971 2004-08-27
Other suspects
Directory of C:\WINDOWS\system32

-----------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:21:37, on 16-07-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Programmer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Fælles filer\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programmer\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\Programmer\SlySoft\AnyDVD\AnyDVD.exe
C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Spyware Doctor\swdoctor.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmer\Logitech\SetPoint\KEM.exe
C:\Programmer\SetWeb\SetWeb.exe
C:\Programmer\Logitech\SetPoint\KHALMNPR.EXE
C:\Documents and Settings\Käthe og Uffe\Skrivebord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Genvej til egenskabsside for High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmer\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Programmer\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\PPE.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [AnyDVD] "C:\Programmer\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [jgkrf.exe] C:\WINDOWS\system32\jgkrf.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programmer\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmer\Logitech\SetPoint\KEM.exe
O4 - Global Startup: SetWeb.lnk = C:\Programmer\SetWeb\SetWeb.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Programmer\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152645085734
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CC1A3ED-19B2-463D-BC4A-58CB61EBFA36}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{860B76F8-8EA8-4EB2-AC77-22C294DD4F11}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CAF8B05-E934-4246-ABFF-FCF9AC7307F9}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DF69FCF-E67E-44FC-A9FF-87BA8429E376}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F5CB7CE-E9D4-4682-A9AE-ADA95C0FB3F2}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0F025D4-DEBD-4390-95C9-08850D618F50}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{F603E70B-3F5D-48E3-967F-80C3CC707A67}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.38 85.255.112.103
O17 - HKLM\System\CS1\Services\Tcpip\..\{1CC1A3ED-19B2-463D-BC4A-58CB61EBFA36}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.38 85.255.112.103
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Pinnacle Systems tvtv Spooler (EpgSpooler) - Unknown owner - c:\progra~1\pinnacle\mediac~1\epgspo~2.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmer\Fælles filer\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
fromsej (Intern)
16 July 2006 - 15:50 #6
Download Killbox to the desktop:
http://www.thespykiller.co.uk/files/killbox.exe

Start Killbox, put a check in "replace on reboot", and select "Use dummy".
Press "unregister dll before deleting".

Copy in the lines below, one at a time:

C:\WINDOWS\SYSTEM32\CSLKE.EXE     
C:\WINDOWS\SYSTEM32\DMZGE.EXE
C:\WINDOWS\system32\jgkrf.exe

Click the button with the red cross after each file. You will be asked whether you want to restart; say no until you have copied the last one, then restart.

Then run HijackThis again and fix (if they are there):
O4 - HKLM\..\Run: [jgkrf.exe] C:\WINDOWS\system32\jgkrf.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CC1A3ED-19B2-463D-BC4A-58CB61EBFA36}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{860B76F8-8EA8-4EB2-AC77-22C294DD4F11}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CAF8B05-E934-4246-ABFF-FCF9AC7307F9}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DF69FCF-E67E-44FC-A9FF-87BA8429E376}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F5CB7CE-E9D4-4682-A9AE-ADA95C0FB3F2}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0F025D4-DEBD-4390-95C9-08850D618F50}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{F603E70B-3F5D-48E3-967F-80C3CC707A67}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.38 85.255.112.103
O17 - HKLM\System\CS1\Services\Tcpip\..\{1CC1A3ED-19B2-463D-BC4A-58CB61EBFA36}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.38 85.255.112.103


Restart, and come back with a log from both Fixwareout and HijackThis.
Deleted user
17 July 2006 - 10:38 #7
Here are a couple of fresh ones:
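As an added example (not code from this thread, from HijackThis or from Fixwareout), here is a small Python script that applies the same triage the fix lists in #4 and #6 are based on to a HijackThis log: O17 NameServer entries pointing at resolvers other than the ones you configured, O4 Run entries launching a five-letter .exe straight from system32, and O23 services with an unknown owner in system32 that still need verifying. The expected-resolver address and the sample log lines are constructed placeholders.

```python
"""Triage a HijackThis v1.99 log for the indicators this thread acts on.

Added example: not code from the thread, from HijackThis or from Fixwareout.
The rules mirror what the helper fixed: O17 NameServer entries that point at
resolvers the owner never configured (the DNS hijack), O4 Run entries that
start a five-random-letter .exe from system32, and O23 services with an
unknown owner living in system32 (to be verified, e.g. at VirusTotal).
"""
import re
from dataclasses import dataclass

# Resolvers the owner actually expects. Constructed placeholder: replace with
# the router/ISP addresses from the machine's own network settings.
EXPECTED_RESOLVERS = {"192.168.1.1"}

O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d., ]+)$")
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)', re.IGNORECASE)
RANDOM_SYSTEM32_EXE = re.compile(r"^c:\\windows\\system32\\[a-z]{5}\.exe$")
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Finding:
    rule: str
    line: str
    detail: str


def check_o17(line, expected=EXPECTED_RESOLVERS):
    """Flag an O17 line whose NameServer list contains an unexpected resolver."""
    m = O17_RE.match(line)
    if not m:
        return None
    # HijackThis prints the list either comma- or space-separated.
    servers = [s for s in re.split(r"[ ,]+", m.group("servers")) if s]
    rogue = [s for s in servers if s not in expected]
    if not rogue:
        return None
    return Finding("dns-hijack", line, "unexpected resolver(s): " + ", ".join(rogue))


def check_o4(line):
    """Flag an O4 Run entry that launches a five-letter .exe straight from system32."""
    m = O4_RE.match(line)
    if not m:
        return None
    exe = EXE_RE.match(m.group("cmd"))
    if not exe:
        return None
    path = exe.group("path").lower()
    if RANDOM_SYSTEM32_EXE.match(path):
        return Finding("random-run-exe", line, "random-looking autorun: " + path)
    return None


def check_o23(line):
    """Flag an O23 service with no vendor information whose binary sits in system32."""
    m = O23_RE.match(line)
    if not m:
        return None
    path = m.group("path").lower()
    if m.group("owner") == "Unknown owner" and path.startswith(SYSTEM32):
        return Finding("unknown-owner-service", line, "verify service binary: " + path)
    return None


def triage(log_text):
    """Run every rule over each log line and collect the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for check in (check_o17, check_o4, check_o23):
            hit = check(line)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample: a handful of lines in the shape of the thread's logs.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ogwgd.exe] C:\WINDOWS\system32\ogwgd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CC1A3ED-19B2-463D-BC4A-58CB61EBFA36}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.38 85.255.112.103
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}")
```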

Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
...

Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\DMINSE~1.REN

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
Other suspects
Directory of C:\WINDOWS\system32

-------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 23:23:23, on 16-07-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Programmer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Fælles filer\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programmer\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\Programmer\SlySoft\AnyDVD\AnyDVD.exe
C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Spyware Doctor\swdoctor.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmer\Logitech\SetPoint\KEM.exe
C:\Programmer\SetWeb\SetWeb.exe
C:\Programmer\Logitech\SetPoint\KHALMNPR.EXE
C:\Documents and Settings\Käthe og Uffe\Skrivebord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Genvej til egenskabsside for High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmer\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Programmer\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\PPE.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [AnyDVD] "C:\Programmer\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [dqxao.exe] C:\WINDOWS\system32\dqxao.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programmer\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmer\Logitech\SetPoint\KEM.exe
O4 - Global Startup: SetWeb.lnk = C:\Programmer\SetWeb\SetWeb.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Programmer\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152645085734
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CC1A3ED-19B2-463D-BC4A-58CB61EBFA36}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{860B76F8-8EA8-4EB2-AC77-22C294DD4F11}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CAF8B05-E934-4246-ABFF-FCF9AC7307F9}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DF69FCF-E67E-44FC-A9FF-87BA8429E376}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F5CB7CE-E9D4-4682-A9AE-ADA95C0FB3F2}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0F025D4-DEBD-4390-95C9-08850D618F50}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{F603E70B-3F5D-48E3-967F-80C3CC707A67}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.38 85.255.112.103
O17 - HKLM\System\CS1\Services\Tcpip\..\{1CC1A3ED-19B2-463D-BC4A-58CB61EBFA36}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.38 85.255.112.103
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Pinnacle Systems tvtv Spooler (EpgSpooler) - Unknown owner - c:\progra~1\pinnacle\mediac~1\epgspo~2.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmer\Fælles filer\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
fromsej Praktikant
17 July 2006 - 18:48 #8
Well, damn.
You need to find and delete these:
C:\WINDOWS\SYSTEM32\DMINSE~1.REN
C:\WINDOWS\system32\dqxao.exe
Press <Ctrl><Alt><Delete>, switch to the Processes tab, find dqxao.exe, right-click it and choose End Process; a warning appears, just click Yes, and then you should be able to delete the file.

Then fix these with HijackThis; remember that all other windows must be closed.
O4 - HKLM\..\Run: [dqxao.exe] C:\WINDOWS\system32\dqxao.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CC1A3ED-19B2-463D-BC4A-58CB61EBFA36}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{860B76F8-8EA8-4EB2-AC77-22C294DD4F11}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CAF8B05-E934-4246-ABFF-FCF9AC7307F9}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DF69FCF-E67E-44FC-A9FF-87BA8429E376}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F5CB7CE-E9D4-4682-A9AE-ADA95C0FB3F2}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0F025D4-DEBD-4390-95C9-08850D618F50}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{F603E70B-3F5D-48E3-967F-80C3CC707A67}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.38 85.255.112.103
O17 - HKLM\System\CS1\Services\Tcpip\..\{1CC1A3ED-19B2-463D-BC4A-58CB61EBFA36}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.38 85.255.112.103
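A defender's triage of the kind fromsej does by hand above, as an added example that is not from the thread or from HijackThis itself: it flags O17 NameServer entries that point at resolvers outside the expected set, O4 Run values that are named after a bare executable in system32, and lists which entries disappeared between a "before" and an "after" log. The resolver allow-list, the known-good Run names and the two log excerpts are constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, Set

# Public resolvers this machine is expected to use (constructed placeholder);
# private router addresses pass without being listed.
EXPECTED_RESOLVERS = [ipaddress.ip_network("192.0.2.53/32")]
# Run values that legitimately use the bare file name as value name
# (minimal constructed allow-list; build it from a known-good baseline).
KNOWN_GOOD_RUN = {"ctfmon.exe"}
SECTION_RE = re.compile(r"^([RFO]\d+) - ")
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def parse_entries(log: str) -> Dict[str, List[str]]:
    """Group HijackThis lines by section prefix (R0, O4, O17, ...)."""
    groups: Dict[str, List[str]] = {}
    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            groups.setdefault(m.group(1), []).append(line)
    return groups


def rogue_nameservers(o17_lines: List[str]) -> List[str]:
    """O17 entries naming a resolver that is neither private nor expected."""
    hits = []
    for line in o17_lines:
        m = O17_RE.match(line)
        if not m:
            continue
        # The list is comma- or space-separated depending on the key.
        for addr in re.split(r"[,\s]+", m.group("servers").strip()):
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                continue
            if not ip.is_private and not any(ip in n for n in EXPECTED_RESOLVERS):
                hits.append(line)
                break
    return hits


def suspicious_run_entries(o4_lines: List[str]) -> List[str]:
    """O4 Run entries whose value name is just the file name of an executable
    under system32 and that are not on the allow-list."""
    hits = []
    for line in o4_lines:
        m = O4_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd").strip().strip('"')
        exe = cmd.split("\\")[-1].split(" ")[0].lower()
        if ("\\system32\\" in cmd.lower() and m.group("name").lower() == exe
                and exe not in KNOWN_GOOD_RUN):
            hits.append(line)
    return hits


def removed_entries(before: str, after: str) -> Set[str]:
    """Entries present in an earlier log but gone from a later one."""
    def flat(groups: Dict[str, List[str]]) -> Set[str]:
        return {l for lines in groups.values() for l in lines}
    return flat(parse_entries(before)) - flat(parse_entries(after))


# Constructed excerpts in the shape of the logs posted above: the same entries,
# trimmed to the lines these checks look at, before and after the fix.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [dqxao.exe] C:\WINDOWS\system32\dqxao.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CC1A3ED-19B2-463D-BC4A-58CB61EBFA36}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.38 85.255.112.103
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    groups = parse_entries(LOG_BEFORE)
    print("rogue O17:", *rogue_nameservers(groups.get("O17", [])), sep="\n  ")
    print("suspicious O4:", *suspicious_run_entries(groups.get("O4", [])), sep="\n  ")
    print("removed after fix:", *sorted(removed_entries(LOG_BEFORE, LOG_AFTER)), sep="\n  ")
```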
fromsej Praktikant
17 July 2006 - 18:49 #9
Reboot and post two fresh logs.
Deleted user
18 July 2006 - 10:23 #10
Here are the 2 new ones. I managed to delete the files.

Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
...

Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
Other suspects
Directory of C:\WINDOWS\system32

--------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 23:17:56, on 17-07-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Programmer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Fælles filer\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programmer\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\Programmer\SlySoft\AnyDVD\AnyDVD.exe
C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Spyware Doctor\swdoctor.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmer\Logitech\SetPoint\KEM.exe
C:\Programmer\SetWeb\SetWeb.exe
C:\Programmer\Logitech\SetPoint\KHALMNPR.EXE
C:\Documents and Settings\Käthe og Uffe\Skrivebord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Genvej til egenskabsside for High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmer\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Programmer\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\PPE.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [AnyDVD] "C:\Programmer\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ctwhv.exe] C:\WINDOWS\system32\ctwhv.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programmer\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmer\Logitech\SetPoint\KEM.exe
O4 - Global Startup: SetWeb.lnk = C:\Programmer\SetWeb\SetWeb.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Programmer\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152645085734
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CC1A3ED-19B2-463D-BC4A-58CB61EBFA36}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{860B76F8-8EA8-4EB2-AC77-22C294DD4F11}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CAF8B05-E934-4246-ABFF-FCF9AC7307F9}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DF69FCF-E67E-44FC-A9FF-87BA8429E376}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F5CB7CE-E9D4-4682-A9AE-ADA95C0FB3F2}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0F025D4-DEBD-4390-95C9-08850D618F50}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{F603E70B-3F5D-48E3-967F-80C3CC707A67}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.38 85.255.112.103
O17 - HKLM\System\CS1\Services\Tcpip\..\{1CC1A3ED-19B2-463D-BC4A-58CB61EBFA36}: NameServer = 85.255.115.38,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.38 85.255.112.103
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Pinnacle Systems tvtv Spooler (EpgSpooler) - Unknown owner - c:\progra~1\pinnacle\mediac~1\epgspo~2.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmer\Fælles filer\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
fromsej Praktikant
18 July 2006 - 17:03 #11
I hate that infection; it has apparently dug itself in well this time.

Download this scanner.
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Save it in C:\drweb so you can keep track of it.

Download the Spysweeper trial version here: http://www.spywarefri.dk/downloads1.htm
Install and update it (check for definition update)

Then click Options.

select - sweep all folders on selected drive(s)

untick - don't sweep system restore folder.

tick - sweep for Rootkits

Close the program.


Then shut down the computer and leave it off for about 30 seconds. Then boot into Safe Mode (press F8 several times during startup). Use the arrow keys to select Safe Mode and press <Enter>


Start Spysweeper. A box will pop up from Spysweeper; click NO there

Then run a Sweep. When the scan is finished, click next - select all - next - finish. Close the program.

Reboot into Safe Mode once more.
Double-click drweb-cureit.exe; it will run an express scan, say yes to that.
When it says Done at the bottom left, click Options->Change settings.
Switch to the Scan tab and untick Heuristic analysis.
Switch to the Actions tab; here all items under Malware must be set to Rename.
Then click the drive(s) you want scanned; a red dot appears to show that it/they are selected.

Then click the green arrow on the right of the page, and the scan starts.
The first time Dr.Web finds something, click "Yes to All" and it removes what it finds.
Then click Start->Search, find the file drweb32w.log and copy the bottom part of the text in here, starting with:
Scan statistics.
When the scan is finished, go to File - click Save Report list.
There will then be a file called "drweb.csv" on the desktop.
Close the program.

Reboot normally, double-click drweb.csv and copy the text from it in here.

We also need to see a fresh HijackThis log.
Deleted user
20 July 2006 - 09:31 #12
I'll get back to you tomorrow, as I'm occupied until then.
Deleted user
21 July 2006 - 16:19 #13
Hi again,

I have followed your instructions and run the various programs.
I can't find the report from dr.web, but I have attached a new HijackThis log.
Judging by it, it seems to have helped.

Logfile of HijackThis v1.99.1
Scan saved at 12:57:37, on 21-07-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Programmer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Fælles filer\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programmer\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programmer\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Programmer\SlySoft\AnyDVD\AnyDVD.exe
C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmer\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Spyware Doctor\swdoctor.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmer\Logitech\SetPoint\KEM.exe
C:\Programmer\SetWeb\SetWeb.exe
C:\Programmer\Logitech\SetPoint\KHALMNPR.EXE
C:\Programmer\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Käthe og Uffe\Skrivebord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Genvej til egenskabsside for High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Programmer\Fælles filer\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmer\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmer\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\PPE.EXE
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [AnyDVD] "C:\Programmer\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Programmer\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programmer\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmer\Logitech\SetPoint\KEM.exe
O4 - Global Startup: SetWeb.lnk = C:\Programmer\SetWeb\SetWeb.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Programmer\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152645085734
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Pinnacle Systems tvtv Spooler (EpgSpooler) - Unknown owner - c:\progra~1\pinnacle\mediac~1\epgspo~2.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmer\Fælles filer\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Programmer\Webroot\Spy Sweeper\SpySweeper.exe
fromsej Praktikant
21 July 2006 - 16:59 #14
That helped a lot. *S*
Fix this one and the log is clean; we don't need to see any more.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
If it shows up again, just leave it; it is not critical in any way.

You should disable System Restore, reboot and re-enable it, and set file viewing back to normal.
http://spywarefri.dk/virusscannere.htm#alle - System Restore.
Open a folder, click Tools > Folder Options > View.
Tick "Hide protected operating system files".
Tick "Hide extensions for known file types".
Select "Do not show hidden files and folders".

To keep it clean you can have a look at our package for that purpose.
http://www.spywarefri.dk/manualer/sikkerhedspakke.htm
As a minimum I recommend Spywareblaster, IE-Spyad and IE Privacy Keeper.
If you uninstall SpySweeper when the trial period is over, you should supplement with Spywareguard.
A couple of articles on safe surfing can be found here:
http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=14414
http://fromsej.dk/html/avoid.html
Regards:
Fromsej/Team Spywarefri.
Deleted user
21 July 2006 - 17:52 #15
Super! Thanks for that.
fromsej Praktikant
21 July 2006 - 18:25 #16
You're welcome, thanks for the points. :-)