fluse (Beginner)
21 October 2006 - 14:46. There are 14 comments and 1 solution

Help with HijackThis log

Hi, I have an annoying little hijacker that keeps hijacking my start page. I've run various spyware programs (Spybot, Ad-Aware, online scanners from spywarefri, etc.) and simply can't get rid of it. :(

Anyway, if anyone would bother to take a look at this log, that would be super!

-----------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 14:42:56, on 21-10-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Sygate\SPF\smc.exe
C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Symantec AntiVirus\Rtvscan.exe
C:\Programmer\aiepk2_popupkiller\aiepk2.exe
C:\Programmer\Winamp\winampa.exe
C:\Programmer\D-Tools\daemon.exe
C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\PROGRA~1\FLLESF~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmer\Art Plus\Wallpaper5\wallpaper.exe
C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\FLLESF~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programmer\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\WINDOWS\system32\devldr32.exe
C:\Programmer\W?nSxS\r?gsvr32.exe
C:\Programmer\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Trend Micro\Tmas\tmas.exe
C:\Documents and Settings\User\Skrivebord\hijackthis.exe

O1 - Hosts: 172.16.65.250 aplic
O1 - Hosts: 172.16.128.200 aplic-virum
O1 - Hosts: 172.16.128.201 aplic-virum1
O1 - Hosts: 172.16.128.71 PC-SCEM
O1 - Hosts: 172.16.128.40 Concorde
O1 - Hosts: 172.16.128.50 virum2
O1 - Hosts: 172.16.128.54 Virum1
O1 - Hosts: 172.16.128.53 BKfax1
O1 - Hosts: 172.16.128.55 Virum_admin
O1 - Hosts: 172.16.128.101 Vakselo
O1 - Hosts: 172.16.128.74 Esbjerg_1
O1 - Hosts: 172.16.128.2 Virum-1
O1 - Hosts: 172.16.128.5 Virum_data
O1 - Hosts: 172.16.128.19 virum_cl1
O1 - Hosts: 172.16.128.18 virum_cl2 BK_NDS-TREE
O1 - Hosts: 172.16.128.99 virum_sql
O1 - Hosts: 172.16.200.73 CadVirum Vircl_ca04_server
O1 - Hosts: 172.16.200.72 SagerVirum Vircl_SA04_server
O1 - Hosts: 172.16.200.71 UsersVirum Vircl_us04_server
O1 - Hosts: 195.249.206.4 bk_web www.birch-krogboe.dk
O4 - HKLM\..\Run: [aiepk] C:\Programmer\aiepk2_popupkiller\aiepk2.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WinampAgent] C:\Programmer\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Programmer\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Art Plus Wallpaper Calendar] "C:\Programmer\Art Plus\Wallpaper5\wallpaper.exe" /a
O4 - HKCU\..\Run: [PcSync] C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Programmer\Trend Micro\Tmas\Tmas.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.geograf.com/viewer/mgaxctrl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmer\Fælles filer\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmer\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmer\Fælles filer\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (Omega 1.6693) (Q) (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmer\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programmer\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmer\Symantec AntiVirus\Rtvscan.exe

-----------------------------------------------------------------
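As an added example (not part of this thread, and not code from HijackThis), here is a small Python script that parses lines in the HijackThis format shown above and flags the two things a reader should notice in this log: a path containing "?" (HijackThis prints "?" for a character it cannot render, and "?" is not a legal character in a Windows file name, so "W?nSxS\r?gsvr32.exe" is a lookalike of WinSxS\regsvr32.exe, whereas an ordinary accented name such as "Fælles filer" comes through intact), and a core Windows process name started from somewhere other than the Windows directories. The sample lines are constructed; the O20 line is made up to show the shape of a Winlogon Notify entry and is not taken from the log above, and the script assumes Windows is installed on C:\WINDOWS as in this log.

```python
import re

# Constructed sample in HijackThis v1.99 line format (not the thread's own log).
# The W?nSxS entry mirrors the one in the log above; the O20 line is made up to
# show the shape of a Winlogon Notify entry and is not taken from the log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [r?gsvr32] C:\Programmer\W?nSxS\r?gsvr32.exe
O4 - HKCU\..\Run: [csrss] "C:\WINDOWS\system32\WNSXS~1\csrss.exe" -vt yazb
O20 - Winlogon Notify: pmkhh - C:\WINDOWS\system32\pmkhh.dll
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programmer\Sygate\SPF\smc.exe
"""

# Core Windows processes that legitimately run only from the Windows directories.
# Assumes Windows is installed on C:\WINDOWS, as in the log above.
SYSTEM_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                    "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# First Windows path ending in an executable or library extension, quoted or not.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|cpl|scr|sys)', re.IGNORECASE)


def extract_path(body):
    """Return the first executable path found in the entry body, or None."""
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def analyze_line(line):
    """Return the reasons (possibly none) why one HJT line deserves review."""
    reasons = []
    m = ENTRY_RE.match(line.strip())
    if not m:
        return reasons
    section, body = m.groups()
    path = extract_path(body)
    if path:
        # "?" is not a legal character in a Windows file name. HijackThis prints it
        # for a character it cannot render, so "W?nSxS" is a lookalike of WinSxS,
        # while an accented but legitimate name such as "Fælles filer" stays intact.
        if "?" in path:
            reasons.append("lookalike character in path: " + path)
        directory, _, name = path.lower().rpartition("\\")
        if name in SYSTEM_PROCESSES and directory not in SYSTEM_DIRS:
            reasons.append(f"system process name {name} outside the Windows directories")
    if section == "O20":
        # A Winlogon Notify DLL is loaded by winlogon.exe at every logon, before
        # the user's own startup items run; always verify what the module is.
        reasons.append("Winlogon Notify DLL loaded at logon")
    return reasons


def analyze(log_text):
    """Return [(line, reasons)] for every line of an HJT log that was flagged."""
    findings = []
    for line in log_text.splitlines():
        reasons = analyze_line(line)
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in analyze(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Run it on a saved HijackThis log by passing the file contents to `analyze()`. The checks are deliberately narrow: they do not decide what is malware, they only pull out the lines whose paths cannot be what they pretend to be, which is the same judgement a helper makes by eye when reading a log like the one above.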
fromsej (Trainee)
21 October 2006 - 16:07 #1
Download ComboFix and save it to your desktop:
http://download.bleepingcomputer.com/sUBs/combofix.exe

-- Then run combofix.exe and follow the instructions.
You should not click on the window while the tool is running, as it can cause your computer to freeze.
When ComboFix is finished, and after it has rebooted, a log file should open: combofix.txt
Please post the contents of this file here.
fluse (Beginner)
21 October 2006 - 17:16 #2
User - 06-10-21 16:49:16,21    Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\User\Skrivebord"

((((((((((((((((((((((((((((((((((((((((((((  Other Deletions  )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\issearch.exe
C:\Programmer\Fælles filer\Yazzle1122OinAdmin.exe
C:\Programmer\Fælles filer\Yazzle1122OinUninstaller.exe
C:\Programmer\Fælles filer\Yazzle1162OinAdmin.exe
C:\Programmer\Fælles filer\Yazzle1162OinUninstaller.exe
C:\Programmer\Safety Bar
C:\WINDOWS\system32\components
C:\Programmer\Fælles filer\{480DAEBC-095E-1030-1112-03120402002d}
C:\WINDOWS\system32\ixt1.dll

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~    Purity    ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Programmer\WNSXS~1
C:\QooBox\Purity\Programmer\WNSXS~1\r?gsvr32.exe
C:\QooBox\Purity\WINDOWS\system32\WNSXS~1
C:\QooBox\Purity\WINDOWS\system32\WNSXS~1\csrss.exe
C:\QooBox\Purity\WINDOWS\system32\WNSXS~1\W?nSxS


(((((((((((((((((((((((((((((((  Files Created from 2006-09-21 to 2006-10-21  ))))))))))))))))))))))))))))))))))


2006-10-20    23:21    83,168    --a------    C:\WINDOWS\system32\S32EVNT1.DLL
2006-10-20    23:21    82,832    --a------    C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-10-20    21:44    67,604    --a------    C:\WINDOWS\system32\ugikcntb.exe
2006-10-20    21:44    369,084    ---hs----    C:\WINDOWS\system32\hhkmp.bak1
2006-10-20    21:43    688,180    ---hs----    C:\WINDOWS\system32\pmkhh.dll
2006-10-20    21:32    131,072    --a------    C:\WINDOWS\system32\axnnbpt.dll
2006-10-20    21:31    18,432    --a------    C:\WINDOWS\system32\winccf32.dll


((((((((((((((((((((((((((((((((((((((((((((((((  Find3M Report  )))))))))))))))))))))))))))))))))))))))))))))))))))))   


2006-10-21 16:51    --------    d--------    C:\Programmer\Fælles filer
2006-10-21 14:40    --------    d--------    C:\Programmer\Adware Away
2006-10-21 13:48    --------    d--------    C:\Programmer\Symantec AntiVirus
2006-10-21 12:59    --------    d--------    C:\Programmer\Trend Micro
2006-10-20 23:23    --------    d--------    C:\Programmer\Fælles filer\Symantec Shared
2006-10-20 23:22    --------    d--------    C:\Programmer\Symantec
2006-10-20 23:05    --------    d--------    C:\Programmer\Notes
2006-10-20 22:16    --------    d--------    C:\Programmer\Adobe
2006-10-20 22:15    --------    d--------    C:\Documents and Settings\User\Application Data\Leadertech
2006-10-20 21:59    --------    d--------    C:\Programmer\AutoCAD 2007
2006-10-20 21:51    --------    d--------    C:\Programmer\Fælles filer\Autodesk Shared
2006-10-20 21:51    --------    d--------    C:\Programmer\AnswerWorks 4.0
2006-10-20 21:41    --------    d--------    C:\Documents and Settings\User\Application Data\Autodesk
2006-10-10 12:02    --------    d--------    C:\Documents and Settings\User\Application Data\AdobeAUM
2006-10-07 14:45    --------    d--------    C:\Documents and Settings\User\Application Data\Adobe
2006-10-07 14:38    --------    d--h-----    C:\Programmer\InstallShield Installation Information
2006-10-07 14:38    --------    d--------    C:\Programmer\Nokia
2006-10-04 19:12    --------    d--------    C:\Programmer\eMule
2006-09-25 17:59    --------    d--------    C:\Programmer\High-Logic
2006-09-24 15:32    --------    d--------    C:\Programmer\Fælles filer\Adobe
2006-09-13 07:06    1084416    --a------    C:\WINDOWS\system32\msxml3.dll
2006-09-10 21:28    --------    d--------    C:\Documents and Settings\User\Application Data\Nokia Multimedia Player
2006-09-10 21:20    --------    d--------    C:\Programmer\Fælles filer\PCSuite
2006-09-10 21:19    --------    d--------    C:\Programmer\Fælles filer\Nokia
2006-09-03 10:26    --------    d--------    C:\Programmer\MSN Messenger
2006-08-25 17:51    617472    --a------    C:\WINDOWS\system32\comctl32.dll
2006-08-24 11:18    --------    d--------    C:\Programmer\User
2006-08-21 14:27    16896    --a------    C:\WINDOWS\system32\fltlib.dll
2006-08-21 11:14    23040    --a------    C:\WINDOWS\system32\fltmc.exe
2006-08-21 11:14    128896    ---------    C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-16 13:59    100352    --a------    C:\WINDOWS\system32\6to4svc.dll
2006-07-29 19:32    48936    --a------    C:\WINDOWS\system32\sirenacm.dll
2006-07-27 15:26    679424    --a------    C:\WINDOWS\system32\inetcomm.dll
2006-07-21 10:27    72704    --a------    C:\WINDOWS\system32\hlink.dll


((((((((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Art Plus Wallpaper Calendar"="\"C:\\Programmer\\Art Plus\\Wallpaper5\\wallpaper.exe\" /a"
"PcSync"="C:\\Programmer\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce\CTStartup]
"CTStartup"="\"C:\\Programmer\\Creative\\Splash Screen\\CTEaxSpl.EXE\" /play"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"aiepk"="C:\\Programmer\\aiepk2_popupkiller\\aiepk2.exe"
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"WinampAgent"="C:\\Programmer\\Winamp\\winampa.exe"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"DAEMON Tools-1033"="\"C:\\Programmer\\D-Tools\\daemon.exe\"  -lang 1033"
"PCSuiteTrayApplication"="C:\\Programmer\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -onlytray"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpybotSnD"="\"C:\\Programmer\\Spybot - Search & Destroy\\SpybotSD.exe\" /autocheck"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Min aktuelle startside"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,24,03,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
  00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}"="Trend Micro Anti-Spyware Shell Extension"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"{480DAEBC-095E-1030-1112-03120402002d}"="\"C:\\Programmer\\Fælles filer\\{480DAEBC-095E-1030-1112-03120402002d}\\Update.exe\" mc-110-12-0000272"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"notepad.exe"="msmsgs.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^User^Menuen Start^Programmer^Start^Fjernsupport.lnk]
"path"="C:\\WINDOWS\\system32\\config\\systemprofile\\Menuen Start\\Programmer\\Fjernsupport.lnk"
"backup"="C:\\WINDOWS\\pss\\Fjernsupport.lnkStartup"
"location"="Startup"
"command"="C:\\WINDOWS\\system32\\rcimlby.exe -LaunchRA"
"item"="Fjernsupport"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bmqgbhwl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="r?gsvr32"
"hkey"="HKCU"
"command"="C:\\Programmer\\W?nSxS\\r?gsvr32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"command"="\"C:\\Programmer\\Fælles filer\\Symantec Shared\\ccApp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RunDll32 cmicnfg"
"hkey"="HKLM"
"command"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DataLayer"
"hkey"="HKLM"
"command"="C:\\Programmer\\Fælles filer\\PCSuite\\DataLayer\\DataLayer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpcmpmgr"
"hkey"="HKLM"
"command"="\"C:\\Programmer\\HP\\hpcoretech\\hpcmpmgr.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd"
"hkey"="HKLM"
"command"="\"C:\\Programmer\\HP\\HP Software Update\\HPWuSchd.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ADGJDet"
"hkey"="HKLM"
"command"="C:\\Programmer\\Creative\\SBLive\\PROGRAM\\ADGJDet.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\La_View Mouse]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="F1Driver"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\User\\AGKNOR~1\\F1Driver.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rout]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="csrss"
"hkey"="HKCU"
"command"="\"C:\\WINDOWS\\system32\\WNSXS~1\\csrss.exe\" -vt yazb"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Programmer\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="VPTray"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhh
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winccf32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]   
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-21 16:57:58.78
C:\ComboFix.txt ... 06-10-21 16:57
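The "Reg Loading Points" section above is where ComboFix earned its keep: the HijackThis 1.99.1 log posted earlier shows no entry for Policies\Explorer\Run and no Winlogon Notify entries, yet the registry dump has a Run entry under HKCU policies, a "notepad.exe" value under HKLM policies that actually starts msmsgs.exe, and two Winlogon Notify packages (pmkhh, winccf32). As an added example, not part of this thread and not ComboFix's own code, the Python below parses a dump in this .reg-like format and pulls out exactly those three kinds of loading point. The sample dump is constructed from the keys shown above; it was not read from a live machine.

```python
import re

# Constructed sample in the ComboFix "Reg Loading Points" style (a .reg-like
# dump). Keys and values are modelled on the log above; nothing here was read
# from a live machine.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"{480DAEBC-095E-1030-1112-03120402002d}"="\"C:\\Programmer\\Fælles filer\\{480DAEBC-095E-1030-1112-03120402002d}\\Update.exe\" mc-110-12-0000272"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"notepad.exe"="msmsgs.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhh
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winccf32
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
BARE_KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\")
STRING_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def unescape(value):
    # .reg files write a quote as \" and a backslash as \\
    return value.replace('\\"', '"').replace("\\\\", "\\")


def parse_dump(text):
    """Yield (key, name, value); a key line without values yields (key, None, None)."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m or BARE_KEY_RE.match(line):
            current = m.group(1) if m else line
            yield current, None, None
            continue
        m = STRING_VALUE_RE.match(line)
        if m and current:
            yield current, m.group(1), unescape(m.group(2))
        # dword:/hex: values and their continuation lines carry no command: skipped


def command_basename(command):
    """Lower-case file name of the executable a Run-style command starts."""
    exe = command.strip()
    if exe.startswith('"'):
        exe = exe[1:].split('"', 1)[0]
    else:
        parts = exe.split()
        exe = parts[0] if parts else ""
    return exe.rsplit("\\", 1)[-1].lower()


def audit(text):
    """Return (key, name, reason) for every loading point that needs a closer look."""
    findings = []
    for key, name, value in parse_dump(text):
        k = key.lower()
        if name is None:
            # Winlogon Notify packages are DLLs that winlogon.exe loads at logon.
            if "\\winlogon\\notify\\" in k:
                findings.append((key, None, "Winlogon Notify package"))
            continue
        if k.endswith("\\policies\\explorer\\run"):
            # Group Policy run list: the HJT 1.99.1 log above did not show it at all.
            findings.append((key, name, "Group Policy Run entry"))
        # A value named like an executable that launches a different executable
        # is a disguise: "notepad.exe" in the dump above actually starts msmsgs.exe.
        actual = command_basename(value)
        if name.lower().endswith(".exe") and actual != name.lower():
            findings.append((key, name, f"value name does not match command ({actual})"))
    return findings


if __name__ == "__main__":
    for key, name, reason in audit(SAMPLE_DUMP):
        print(f"{reason}: {key}" + (f" -> {name}" if name else ""))
```

The same parser works on a .reg export of those keys, which is the quickest way to re-check a machine after the cleanup tools have run: if `audit()` still returns a policies Run entry or a Winlogon Notify package that no installed product accounts for, the removal is not finished.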
fromsej (Trainee)
21 October 2006 - 17:21 #3
Hmm, that gave a hint, but I was expecting something else as well.
Well, things don't always go as expected. :-)

-- Download S!Ri's SmitfraudFix.zip and extract it to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
The program extracts itself into a folder called SmitfraudFix.

-- Download Ewido from here (14-day version of the plus edition)
http://www.spywarefri.dk/downloads1/ewido-setup.exe
Install and update the program, but wait before scanning.

-- Restart in Safe Mode; if you don't know how, look here:
http://www.ctrlaltdel.dk/forum/forum_posts.asp?TID=23&PN=1

-- Open the SmitfraudFix folder you got on the Desktop, double-click SmitfraudFix.cmd and press 2 - answer yes to clean (y=yes). Let the program carry out a cleaning. It will also check whether the system file wininet.dll is infected. If it is, you will be asked for permission to replace it with another one. Here you should choose "Yes" by pressing "y".

The program may need to restart along the way. Afterwards a list with the results of the cleaning will appear. Copy this list into the thread.

-- Run a full scan with Ewido and allow the program to fix the things it finds. The program makes a small log, which you should copy here.

-- Reboot and post a fresh HijackThis log here, together with the log from Ewido and the log from SmitfraudFix (C:\rapport.txt).

NB: The file "process.exe" included in this tool is identified by certain antivirus programs as "RiskTool". There is nothing to it, though!
fluse (Beginner)
21 October 2006 - 19:38 #4
Logfile of HijackThis v1.99.1
Scan saved at 19:33:50, on 21-10-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Sygate\SPF\smc.exe
C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Symantec AntiVirus\DefWatch.exe
C:\Programmer\ewido\security suite\ewidoctrl.exe
C:\Programmer\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\aiepk2_popupkiller\aiepk2.exe
C:\WINDOWS\system32\devldr32.exe
C:\Programmer\Winamp\winampa.exe
C:\Programmer\D-Tools\daemon.exe
C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programmer\Art Plus\Wallpaper5\wallpaper.exe
C:\PROGRA~1\FLLESF~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\FLLESF~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programmer\Trend Micro\Tmas\Tmas.exe
C:\Programmer\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Programmer\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\User\Skrivebord\hijackthis.exe

O1 - Hosts: 172.16.65.250 aplic
O1 - Hosts: 172.16.128.200 aplic-virum
O1 - Hosts: 172.16.128.201 aplic-virum1
O1 - Hosts: 172.16.128.71 PC-SCEM
O1 - Hosts: 172.16.128.40 Concorde
O1 - Hosts: 172.16.128.50 virum2
O1 - Hosts: 172.16.128.54 Virum1
O1 - Hosts: 172.16.128.53 BKfax1
O1 - Hosts: 172.16.128.55 Virum_admin
O1 - Hosts: 172.16.128.101 Vakselo
O1 - Hosts: 172.16.128.74 Esbjerg_1
O1 - Hosts: 172.16.128.2 Virum-1
O1 - Hosts: 172.16.128.5 Virum_data
O1 - Hosts: 172.16.128.19 virum_cl1
O1 - Hosts: 172.16.128.18 virum_cl2 BK_NDS-TREE
O1 - Hosts: 172.16.128.99 virum_sql
O1 - Hosts: 172.16.200.73 CadVirum Vircl_ca04_server
O1 - Hosts: 172.16.200.72 SagerVirum Vircl_SA04_server
O1 - Hosts: 172.16.200.71 UsersVirum Vircl_us04_server
O1 - Hosts: 195.249.206.4 bk_web www.birch-krogboe.dk
O4 - HKLM\..\Run: [aiepk] C:\Programmer\aiepk2_popupkiller\aiepk2.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WinampAgent] C:\Programmer\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Art Plus Wallpaper Calendar] "C:\Programmer\Art Plus\Wallpaper5\wallpaper.exe" /a
O4 - HKCU\..\Run: [PcSync] C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Programmer\Trend Micro\Tmas\Tmas.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.geograf.com/viewer/mgaxctrl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmer\Fælles filer\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmer\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmer\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmer\Fælles filer\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (Omega 1.6693) (Q) (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmer\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programmer\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmer\Symantec AntiVirus\Rtvscan.exe
fluse (Beginner)
21 October 2006 - 19:39 #5
SmitFraudFix v2.112

Scan done at 17:59:34,78, 21-10-2006
Run from C:\Documents and Settings\User\Skrivebord\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\casino.ico Deleted
C:\WINDOWS\system32\games.ico Deleted
C:\WINDOWS\system32\mobile.ico Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\perfcii.ini Deleted
C:\WINDOWS\system32\pharm2.ico Deleted
C:\WINDOWS\system32\scanner.ico Deleted
C:\DOCUME~1\User\FORETR~1\Antivirus Test Online.url Deleted
C:\DOCUME~1\ALLUSE~1\MENUEN~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\MENUEN~1\Security Troubleshooting.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
fluse (Beginner)
21 October 2006 - 19:39 #6
---------------------------------------------------------
ewido anti-malware - Scanningsrapport
---------------------------------------------------------

+ Oprettet den:            19:23:26, 21-10-2006
+ Rapport-Checksum:        4021DDE6

+ Scanningsresultat:
    HKU\S-1-5-21-1004336348-688789844-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{052B12F7-86FA-4921-8482-26C42316B522} -> Adware.Generic : Renset med backup
    HKU\S-1-5-21-1004336348-688789844-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A43385F0-7113-496D-96D7-B9B550E3FCCA} -> Adware.Isearch : Renset med backup
    C:\Documents and Settings\User\Cookies\user@adtech[2].txt -> TrackingCookie.Adtech : Renset med backup
    C:\Documents and Settings\User\Cookies\user@as1.falkag[1].txt -> TrackingCookie.Falkag : Renset med backup
    C:\Documents and Settings\User\Cookies\user@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Renset med backup
    C:\Documents and Settings\User\Cookies\user@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Renset med backup
    C:\WINDOWS\Downloaded Program Files\UWA6PK_0001_N73M1204NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.f : Renset med backup
    C:\WINDOWS\system32\LogFiles\P5031400.so -> Dropper.Small.zj : Renset med backup
    C:\WINDOWS\system32\SpOrder.dll -> Adware.WinAntiVirus : Renset med backup
    C:\WINDOWS\system32\urroxtl.dll_tobedeleted -> Not-A-Virus.Hoax.Win32.Renos.ds : Renset med backup


::Rapport slut
fromsej (Trainee)
21 October 2006 - 21:32 #7
Hmm, there are still indications of Vundo in the log; we'll try one more tool.
But it has helped.

Download this fix to the root directory of your computer (usually c:\):
http://www.atribune.org/ccount/click.php?id=4

Double-click VundoFix.exe to run it. Click the "Scan for Vundo" button. When the program has finished scanning, click the "Remove Vundo" button.

You will then be asked whether you are sure you want to remove the files. Click "Yes" here. Your desktop will then go blank, and the fix will attempt to remove Vundo. When it is done, the tool will ask for permission to restart the computer. You should accept that.

Then restart the computer and make a new log with HJT, which you post here. Also post the contents of this file here: C:\vundofix.txt

Note: It is possible that VundoFix, on the first scan, finds a file it cannot remove right away. VundoFix will then restart and continue after the restart. If this happens, just follow the instructions above after the restart (starting with "Click the Scan for Vundo button").
fluse (Beginner)
21 October 2006 - 22:31 #8
Logfile of HijackThis v1.99.1
Scan saved at 22:31:04, on 21-10-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Symantec AntiVirus\DefWatch.exe
C:\Programmer\ewido\security suite\ewidoctrl.exe
C:\Programmer\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Symantec AntiVirus\Rtvscan.exe
C:\Programmer\aiepk2_popupkiller\aiepk2.exe
C:\Programmer\Winamp\winampa.exe
C:\Programmer\D-Tools\daemon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\FLLESF~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmer\Art Plus\Wallpaper5\wallpaper.exe
C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\FLLESF~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmer\Trend Micro\Tmas\Tmas.exe
C:\Programmer\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Programmer\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Skrivebord\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
O1 - Hosts: 172.16.65.250 aplic
O1 - Hosts: 172.16.128.200 aplic-virum
O1 - Hosts: 172.16.128.201 aplic-virum1
O1 - Hosts: 172.16.128.71 PC-SCEM
O1 - Hosts: 172.16.128.40 Concorde
O1 - Hosts: 172.16.128.50 virum2
O1 - Hosts: 172.16.128.54 Virum1
O1 - Hosts: 172.16.128.53 BKfax1
O1 - Hosts: 172.16.128.55 Virum_admin
O1 - Hosts: 172.16.128.101 Vakselo
O1 - Hosts: 172.16.128.74 Esbjerg_1
O1 - Hosts: 172.16.128.2 Virum-1
O1 - Hosts: 172.16.128.5 Virum_data
O1 - Hosts: 172.16.128.19 virum_cl1
O1 - Hosts: 172.16.128.18 virum_cl2 BK_NDS-TREE
O1 - Hosts: 172.16.128.99 virum_sql
O1 - Hosts: 172.16.200.73 CadVirum Vircl_ca04_server
O1 - Hosts: 172.16.200.72 SagerVirum Vircl_SA04_server
O1 - Hosts: 172.16.200.71 UsersVirum Vircl_us04_server
O1 - Hosts: 195.249.206.4 bk_web www.birch-krogboe.dk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {100ED552-5806-413C-A015-0A27D744ACB4} - C:\WINDOWS\system32\pmkhh.dll (file missing)
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\qvcwkshr.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {B0108DE8-6479-17F0-7163-1874E3DA79C7} - C:\WINDOWS\system32\axnnbpt.dll
O4 - HKLM\..\Run: [aiepk] C:\Programmer\aiepk2_popupkiller\aiepk2.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WinampAgent] C:\Programmer\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Art Plus Wallpaper Calendar] "C:\Programmer\Art Plus\Wallpaper5\wallpaper.exe" /a
O4 - HKCU\..\Run: [PcSync] C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Programmer\Trend Micro\Tmas\Tmas.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.geograf.com/viewer/mgaxctrl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winccf32 - winccf32.dll (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmer\Fælles filer\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmer\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmer\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmer\Fælles filer\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (Omega 1.6693) (Q) (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmer\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programmer\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmer\Symantec AntiVirus\Rtvscan.exe
fluse (Beginner)
21 October 2006 - 22:31 #9
VundoFix V6.2.6

Checking Java version...

Sun Java not detected
Scan started at 21:44:25 21-10-2006

Listing files found while scanning....

C:\WINDOWS\system32\pmkhh.dll
C:\WINDOWS\system32\hhkmp.ini
C:\WINDOWS\system32\hhkmp.bak1
C:\WINDOWS\system32\hhkmp.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\pmkhh.dll
C:\WINDOWS\system32\pmkhh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hhkmp.ini
C:\WINDOWS\system32\hhkmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\hhkmp.bak1
C:\WINDOWS\system32\hhkmp.bak1 Has been deleted!

Performing Repairs to the registry.
Done!
fromsej (Intern)
22 October 2006 - 11:42 #10
Bingo.*S*

Get Avenger here:
http://swandog46.geekstogo.com/avenger.zip

Unpack the Avenger program and double-click avenger.exe

Select "Input Script Manually" and click the magnifying glass - a small window will pop up, where you paste the ENTIRE contents between the dashed lines:

-------------------------------
Files to delete:
C:\WINDOWS\system32\axnnbpt.dll
C:\WINDOWS\system32\hhkmp.tmp
-------------------------------

Click the traffic light in Avenger. The program will prompt you to restart the computer immediately, which you should do. The program will shut down your computer, delete the files and start the computer again.

After the restart, a Notepad window will pop up with a log of Avenger's actions. Please post it in your next reply.

Run HijackThis, choose "Do a system scan only", tick the lines listed here, close all windows except HijackThis, and click "Fix checked".

O2 - BHO: (no name) - {100ED552-5806-413C-A015-0A27D744ACB4} - C:\WINDOWS\system32\pmkhh.dll (file missing)
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\qvcwkshr.dll (file missing)
O2 - BHO: (no name) - {B0108DE8-6479-17F0-7163-1874E3DA79C7} - C:\WINDOWS\system32\axnnbpt.dll
O20 - Winlogon Notify: winccf32 - winccf32.dll (file missing)

Restart the computer and make a new log with HijackThis, which you post here together with the log from Avenger.
fluse (Beginner)
22 October 2006 - 12:29 #11
Logfile of HijackThis v1.99.1
Scan saved at 12:28:23, on 22-10-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Symantec AntiVirus\DefWatch.exe
C:\Programmer\ewido\security suite\ewidoctrl.exe
C:\Programmer\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Symantec AntiVirus\Rtvscan.exe
C:\Programmer\aiepk2_popupkiller\aiepk2.exe
C:\Programmer\Winamp\winampa.exe
C:\WINDOWS\system32\devldr32.exe
C:\Programmer\D-Tools\daemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programmer\Art Plus\Wallpaper5\wallpaper.exe
C:\PROGRA~1\FLLESF~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\FLLESF~1\Nokia\MPAPI\MPAPI3s.exe
C:\Documents and Settings\User\Skrivebord\hijackthis.exe
C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmer\Trend Micro\Tmas\Tmas.exe
C:\Programmer\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
O1 - Hosts: 172.16.65.250 aplic
O1 - Hosts: 172.16.128.200 aplic-virum
O1 - Hosts: 172.16.128.201 aplic-virum1
O1 - Hosts: 172.16.128.71 PC-SCEM
O1 - Hosts: 172.16.128.40 Concorde
O1 - Hosts: 172.16.128.50 virum2
O1 - Hosts: 172.16.128.54 Virum1
O1 - Hosts: 172.16.128.53 BKfax1
O1 - Hosts: 172.16.128.55 Virum_admin
O1 - Hosts: 172.16.128.101 Vakselo
O1 - Hosts: 172.16.128.74 Esbjerg_1
O1 - Hosts: 172.16.128.2 Virum-1
O1 - Hosts: 172.16.128.5 Virum_data
O1 - Hosts: 172.16.128.19 virum_cl1
O1 - Hosts: 172.16.128.18 virum_cl2 BK_NDS-TREE
O1 - Hosts: 172.16.128.99 virum_sql
O1 - Hosts: 172.16.200.73 CadVirum Vircl_ca04_server
O1 - Hosts: 172.16.200.72 SagerVirum Vircl_SA04_server
O1 - Hosts: 172.16.200.71 UsersVirum Vircl_us04_server
O1 - Hosts: 195.249.206.4 bk_web www.birch-krogboe.dk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [aiepk] C:\Programmer\aiepk2_popupkiller\aiepk2.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WinampAgent] C:\Programmer\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Art Plus Wallpaper Calendar] "C:\Programmer\Art Plus\Wallpaper5\wallpaper.exe" /a
O4 - HKCU\..\Run: [PcSync] C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Programmer\Trend Micro\Tmas\Tmas.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.geograf.com/viewer/mgaxctrl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmer\Fælles filer\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmer\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmer\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmer\Fælles filer\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (Omega 1.6693) (Q) (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmer\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programmer\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmer\Symantec AntiVirus\Rtvscan.exe
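An added example, not code from this thread or from HijackThis, VundoFix or Avenger: a small Python script that does mechanically what fromsej did by eye between the logs in #8 and #11. It parses the "Xn - ..." finding lines, flags the two patterns that were fixed here (an unnamed BHO loaded from system32, and O2/O20 entries marked "(file missing)"), and lists which entries disappeared between the two logs. The two log excerpts embedded in the script are copied from this thread, trimmed to the O2/O20 lines; the heuristics are my own summary of the fix list, not the tool's rules, and the reversed-stem helper only reflects the pmkhh.dll / hhkmp.ini pairing visible in the VundoFix output in #9.

```python
# Added example for this thread (not code from the thread or any tool it mentions):
# parse two HijackThis logs, list what disappeared between them, and flag the entry
# types that were fixed by hand above (unnamed BHOs dropped into system32, and
# O2/O20 entries marked "(file missing)").
import re
from dataclasses import dataclass

# A HijackThis finding: section code (R0, O1, O2, O20, O23, ...) + " - " + body.
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
SYSTEM32 = re.compile(r"^[A-Za-z]:\\windows\\system32\\", re.IGNORECASE)

# Constructed samples: the O2/O20 lines copied from the logs in #8 (before) and #11 (after).
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {100ED552-5806-413C-A015-0A27D744ACB4} - C:\WINDOWS\system32\pmkhh.dll (file missing)
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\qvcwkshr.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {B0108DE8-6479-17F0-7163-1874E3DA79C7} - C:\WINDOWS\system32\axnnbpt.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: winccf32 - winccf32.dll (file missing)
"""
AFTER_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
"""


@dataclass(frozen=True)
class Entry:
    section: str
    body: str

    @property
    def file_missing(self) -> bool:
        # HijackThis appends this marker when the registered file is not on disk.
        return self.body.endswith("(file missing)")

    @property
    def target(self) -> str:
        """The file the entry points at: the last ' - ' field, marker stripped."""
        last = self.body.rsplit(" - ", 1)[-1]
        return last.removesuffix(" (file missing)").strip()


def parse_hjt(text: str) -> list[Entry]:
    """Keep only the 'Xn - ...' finding lines; header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def suspicious_reasons(entry: Entry) -> list[str]:
    """Heuristics matching what was fixed in this thread; empty list means 'leave it'."""
    reasons = []
    if entry.section in ("O2", "O20") and entry.file_missing:
        reasons.append("autostart component whose file is gone (dead registration)")
    if (entry.section == "O2" and entry.body.startswith("BHO: (no name)")
            and SYSTEM32.match(entry.target)):
        reasons.append("unnamed BHO loaded from system32 (Vundo-style dropped DLL)")
    return reasons


def removed_entries(before: list[Entry], after: list[Entry]) -> list[Entry]:
    """Entries in the earlier log that are absent from the later one, order kept."""
    later = set(after)
    return [e for e in before if e not in later]


def companion_stem(dll_name: str) -> str:
    """Reverse the DLL stem: the VundoFix output in #9 paired pmkhh.dll with hhkmp.ini/.bak1/.tmp."""
    return dll_name.rsplit(".", 1)[0][::-1]


def audit(before_text: str, after_text: str) -> dict:
    """Flag entries in the first log and report which of them survived into the second."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    flagged = {e.target: suspicious_reasons(e) for e in before if suspicious_reasons(e)}
    gone = [e.target for e in removed_entries(before, after)]
    # Flagged but still present after the fix: what a helper would ask about next.
    still_there = [t for t in flagged if t not in gone]
    return {"flagged": flagged, "removed": gone, "still_present": still_there}


if __name__ == "__main__":
    result = audit(BEFORE_LOG, AFTER_LOG)
    for target, reasons in result["flagged"].items():
        print(f"{target}: {'; '.join(reasons)}")
    print("removed between logs:", result["removed"])
    print("flagged but still present:", result["still_present"])
```

Run against the two excerpts, the four flagged targets are exactly the four lines fromsej listed for "Fix checked", and none of them survives into the later log; SDHelper.dll is an unnamed BHO too but is not in system32, so it stays unflagged, which is the same judgement the helper made.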
fluse (Beginner)
22 October 2006 - 12:29 #12
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\hlagqkdd

*******************

Script file located at: \??\C:\WINDOWS\system32\exirrarj.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\axnnbpt.dll deleted successfully.


File C:\WINDOWS\system32\hhkmp.tmp not found!
Deletion of file C:\WINDOWS\system32\hhkmp.tmp failed!

Could not process line:
C:\WINDOWS\system32\hhkmp.tmp
Status: 0xc0000034


Completed script processing.

*******************

Finished!  Terminate.
fromsej (Intern)
22 October 2006 - 12:52 #13
Your log is clean now, we don't need to see any more.
You should disable System Restore, restart, and re-enable it.
http://spywarefri.dk/virusscannere.htm#alle - System Restore.

To keep it clean, you can have a look at our package for that purpose.
http://www.spywarefri.dk/manualer/sikkerhedspakke.htm
As a minimum I recommend SpywareGuard, SpywareBlaster, IE-SPYAD and IE Privacy Keeper.
You can find a couple of articles on safe surfing here:
http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=14414
http://fromsej.dk/html/avoid.html
Regards:
Fromsej/Team Spywarefri.
fluse (Beginner)
22 October 2006 - 15:59 #14
That's just great! Thanks a lot
fromsej (Intern)
22 October 2006 - 16:57 #15
You're welcome, thanks for the points. :-)