Trojan horse Swizzor.8.

Jeg vil foreslå at du starter med denne vejledning http://www.eksperten.dk/artikler/954 og så ser det ud til at du har en cracked download-accelerator  - stoler du på den?  ;)

Du bør ændre navnet på HijackThis.exe til fx. nogetandet.exe næste gang du kører den, fordi nogen programmer kan 'gemme' sig for HijackThis.exe.

For øvrigt bør du lige tjekke om din java er up-to-date http://java.com/en/download/installed.jsp - tryk på 'verify'

okay indtil videre tak. skrive såsnart jeg har lavet ændringerne.

Hej igen.

Har gjort som anviste plus fuldt den guide der var linket til.

Her sender jeg loggene ind fra guiden.

Superantispyware log:

SUPERAntiSpyware Scan Log
Generated 01/12/2007 at 06:22 PM

Application Version : 3.3.1020

Core Rules Database Version : 3163
Trace Rules Database Version: 1175

Scan type      : Complete Scan
Total Scan Time : 00:08:18

Memory items scanned      : 187
Memory threats detected  : 0
Registry items scanned    : 4854
Registry threats detected : 17
File items scanned        : 2426
File threats detected    : 16

Adware.Lop-Gen
    [blah dale] C:\DOCUME~1\ADMIN\APPLIC~1\CDROMC~1\AUDIO BUILD.EXE
    C:\DOCUME~1\ADMIN\APPLIC~1\CDROMC~1\AUDIO BUILD.EXE
    C:\DOCUMENTS AND SETTINGS\ADMIN\APPLICATION DATA\CDROM CITY\AUDIO BUILD.EXE
    C:\DOCUMENTS AND SETTINGS\ADMIN\APPLICATION DATA\CDROM CITY\ELSEMEALFLAG.EXE
    C:\DOCUMENTS AND SETTINGS\ADMIN\LOKALE INDSTILLINGER\TEMP\BISD.EXE
    C:\WINDOWS\Prefetch\AUDIO BUILD.EXE-292307F5.pf

Adware.MyGlobalSearchBar
    HKLM\Software\Classes\CLSID\{37B85A21-692B-4205-9CAD-2626E4993404}
    HKCR\CLSID\{37B85A21-692B-4205-9CAD-2626E4993404}
    HKCR\CLSID\{37B85A21-692B-4205-9CAD-2626E4993404}
    HKCR\CLSID\{37B85A21-692B-4205-9CAD-2626E4993404}\InprocServer32
    HKCR\CLSID\{37B85A21-692B-4205-9CAD-2626E4993404}\InprocServer32#ThreadingModel
    HKCR\CLSID\{37B85A21-692B-4205-9CAD-2626E4993404}\Programmable
    HKCR\CLSID\{37B85A21-692B-4205-9CAD-2626E4993404}\TypeLib
    C:\Programmer\MyGlobalSearch\bar\2.bin\MGSBAR.DLL
    HKLM\Software\Classes\CLSID\{37B85A29-692B-4205-9CAD-2626E4993404}
    HKCR\CLSID\{37B85A29-692B-4205-9CAD-2626E4993404}
    HKCR\CLSID\{37B85A29-692B-4205-9CAD-2626E4993404}
    HKCR\CLSID\{37B85A29-692B-4205-9CAD-2626E4993404}\InprocServer32
    HKCR\CLSID\{37B85A29-692B-4205-9CAD-2626E4993404}\InprocServer32#ThreadingModel
    HKCR\CLSID\{37B85A29-692B-4205-9CAD-2626E4993404}\Programmable
    HKCR\CLSID\{37B85A29-692B-4205-9CAD-2626E4993404}\TypeLib

Adware.Tracking Cookie
    C:\Documents and Settings\admin\Cookies\admin@adtech[2].txt
    C:\Documents and Settings\CA\Cookies\ca@ads.beamfile[1].txt
    C:\Documents and Settings\CA\Cookies\ca@atwola[1].txt
    C:\Documents and Settings\CA\Cookies\ca@cts.metricsdirect[1].txt
    C:\Documents and Settings\CA\Cookies\ca@e2.emediate[2].txt
    C:\Documents and Settings\CA\Cookies\ca@indextools[2].txt
    C:\Documents and Settings\CA\Cookies\ca@macromedia[1].txt
    C:\Documents and Settings\CA\Cookies\ca@media.licenseacquisition[1].txt
    C:\Documents and Settings\CA\Cookies\ca@track.adform[1].txt
    C:\Documents and Settings\CA\Cookies\ca@yourmedia[1].txt

Adware.MyWay
    HKCR\CLSID\{014DA6C9-189F-421A-88CD-07CFE51CFF10}
    HKCR\CLSID\{014DA6C9-189F-421A-88CD-07CFE51CFF10}\InprocServer32


Dr.Web log:

pqwnkihp.exe;C:\Documents and Settings\admin\Application Data\cdrom city;Adware.Kaffid;Renamed.;
ErrorSafeFreeInstall_dk[1].exe;C:\Documents and Settings\CA\Lokale indstillinger\Temporary Internet Files\Content.IE5\T0ZC9SBF;Trojan.DownLoader.10963;Deleted.;
A0007311.DLL;C:\System Volume Information\_restore{0D2ADAA5-6364-4898-BB96-FB54C55C2C75}\RP122;Adware.Msearch;Renamed.;
A0007426.DLL;C:\System Volume Information\_restore{0D2ADAA5-6364-4898-BB96-FB54C55C2C75}\RP124;Adware.Msearch;Renamed.;
A0008953.exe;C:\System Volume Information\_restore{0D2ADAA5-6364-4898-BB96-FB54C55C2C75}\RP143;Adware.Kaffid;Renamed.;
A0009826.exe;C:\System Volume Information\_restore{0D2ADAA5-6364-4898-BB96-FB54C55C2C75}\RP156;Adware.Kaffid;Renamed.;
pqwnkihp.#xe;C:\Documents and Settings\admin\Application Data\cdrom city;Adware.Kaffid;Renamed.;
A0007311.#LL;C:\System Volume Information\_restore{0D2ADAA5-6364-4898-BB96-FB54C55C2C75}\RP122;Adware.Msearch;Renamed.;
A0007426.#LL;C:\System Volume Information\_restore{0D2ADAA5-6364-4898-BB96-FB54C55C2C75}\RP124;Adware.Msearch;Renamed.;
A0008953.#xe;C:\System Volume Information\_restore{0D2ADAA5-6364-4898-BB96-FB54C55C2C75}\RP143;Adware.Kaffid;Renamed.;
A0009826.#xe;C:\System Volume Information\_restore{0D2ADAA5-6364-4898-BB96-FB54C55C2C75}\RP156;Adware.Kaffid;Renamed.;


Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 18:33:25, on 12-01-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Programmer\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programmer\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msiexec.exe
C:\Programmer\Hijack This\scanmeddennefil.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - C:\Programmer\Internet.Download.Accelerator.v5.0.5.Cracked-SSG\IDA\idaiehlp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\Programmer\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programmer\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [TV Now] C:\Programmer\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Programmer\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [pdfw] C:\Programmer\Amic Utilities\PDF Writer Pro\pdfwload.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Programmer\Internet.Download.Accelerator.v5.0.5.Cracked-SSG\IDA\ida.exe -autorun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Programmer\OpenOffice.org 2.1\program\quickstart.exe
O8 - Extra context menu item: Download ALL with IDA - C:\Programmer\Internet.Download.Accelerator.v5.0.5.Cracked-SSG\IDA\idaieall.htm
O8 - Extra context menu item: Download with IDA - C:\Programmer\Internet.Download.Accelerator.v5.0.5.Cracked-SSG\IDA\idaie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Programmer\Internet.Download.Accelerator.v5.0.5.Cracked-SSG\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Programmer\Internet.Download.Accelerator.v5.0.5.Cracked-SSG\IDA\ida.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SuperAntiSpyWare\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Programmer\HPQ\Notebook Utilities\HPWirelessMgr.exe

Den ser ren ud bortset fra de linier med C:\Programmer\Internet.Download.Accelerator.v5.0.5.Cracked-SSG\IDA\ida.exe
men den kender du vel selv og ved om du vil have den eller ej?
Er du i tvivl kan du uploade exe-filen til en onlinescanner http://virusscan.jotti.org/

Til sidst bør du rense med Ccleaner http://www.spywarefri.dk/manualer/ccleaner-manual.htm og lige fortælle om du stadig har nogen problemer.

Respons? Lægger et svar, som du bare afviser, hvis mit input ikke kunne bruges.

Tak for hjælpen. Det ser ud til og virke:) Point er selvfølgelig dine....