Hjælp til Hijackthis log

Jooo - der er jo lidt af hvert *S*

Download dette fix til rodbiblioteket på din computer (som regel c:\):
http://www.atribune.org/ccount/click.php?id=4

Dobbeltklik på VundoFix.exe for at køre det. Klik på "Scan for Vundo"-knappen. Når programmet er færdig med at scanne, skal du klikke på "Remove Vundo"-knappen

Du vil så blive spurgt om du er sikker på, at du vil fjerne filerne. Her skal du klikke på "Yes". Herefter bliver dit skrivebord blankt, og fixet vil forsøge at fjerne Vundo. Når den er færdig, vil værktøjet have lov til at genstarte computeren. Det skal du acceptere.

Genstart herefter computeren, og lav en ny log med HJT, som du lægger herind. Læg også indholdet af denne fil herind: C:\vundofix.txt

Bemærk: Det er muligt at Vundofix ved første scanning finder en fil, som den ikke kan fjerne i første omgang. Så vil Vundofixet genstarte, og fortsætte efter genstarten. HVis dette sker, skal du bare følge instruktionerne ovenfor efter genstarten (startende med "Klik på Scan for Vundo-knappen")

Ok here goes :

VundoFix V6.3.19

Checking Java version...

Sun Java not detected
Scan started at 22:29:26 17-04-2007

Listing files found while scanning....

C:\WINDOWS\system32\awtst.dll
C:\WINDOWS\system32\lciakrxi.dll
C:\WINDOWS\system32\rmxqihsl.dll
C:\WINDOWS\system32\tstwa.bak1
C:\WINDOWS\system32\tstwa.bak2
C:\WINDOWS\system32\tstwa.ini
C:\WINDOWS\system32\yurgsyxp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtst.dll
C:\WINDOWS\system32\awtst.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\lciakrxi.dll
C:\WINDOWS\system32\lciakrxi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rmxqihsl.dll
C:\WINDOWS\system32\rmxqihsl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tstwa.bak1
C:\WINDOWS\system32\tstwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\tstwa.bak2
C:\WINDOWS\system32\tstwa.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\tstwa.ini
C:\WINDOWS\system32\tstwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\yurgsyxp.dll
C:\WINDOWS\system32\yurgsyxp.dll Has been deleted!

Performing Repairs to the registry.
Done!


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 22:43:43, on 17-04-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programmer\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Programmer\Unlocker\UnlockerAssistant.exe
C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmer\QuickTime\qttask.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programmer\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\Programmer\3M\PDNotes\PDNotes.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\Programmer\PC Connectivity Solution\ServiceLayer.exe
C:\Programmer\Fælles filer\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\Mozilla Firefox\firefox.exe
E:\Nyttige ting\Beskyttelse og oprydning\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3E71DC86-4A5C-4C71-A185-EBE9AC2EB607} - C:\WINDOWS\system32\iifgdde.dll
O2 - BHO: (no name) - {50378F58-2A63-47F3-9F9E-7226E6238BFD} - C:\WINDOWS\system32\awtst.dll (file missing)
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [Soltek] C:\WINDOWS\system32\autorun.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmer\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programmer\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Programmer\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [HP Software Update] C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programmer\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmer\Fælles filer\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [PcSync] C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-it® Digital Notes.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_11\bin\ssv.dll
O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (Adobe Form Control) - http://www.diaform.dk/menu/config/version5/Codebase/FormCtl.CAB
O16 - DPF: {1469FF24-47F6-11D2-8805-006008C537E3} (Adobe Mail Control) - http://www.diaform.dk/menu/config/version5/codebase/ffmail.cab
O16 - DPF: {1D381386-B2F7-4A83-AE20-B9796A68397C} (proXSign Class) - https://www.borgerblanketter.dk/bb/proXSign1.cab
O16 - DPF: {1E69721D-9104-11D3-82D3-D06650C10000} (DafoloControl Class) - http://www.diaform.dk/menu/config/version5/codebase/Dafolo.cab
O16 - DPF: {224F7DEA-B7C1-11D3-AB40-00902712A5C9} (PLSAddin Class) - http://www.diaform.dk/menu/config/version5/codebase/plsspeller.cab
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://light.gabs.dk/imageuploader/ImageUploader3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CDDCFBB3-4D93-11D2-B1A9-00A0C9B742BE} (Adobe Script Object) - http://www.diaform.dk/menu/config/version5/codebase/scriptobject.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp07.photoprintit.de/microsite/10023/defaults/activex/ImageUploader3.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (Adobe Soft Font Installer) - http://www.diaform.dk/menu/config/version5/codebase/fontinstaller.cab
O16 - DPF: {F4F6546F-FBA9-11D1-8AFB-080009ECFDC5} (Adobe ListBox Control) - http://www.diaform.dk/menu/config/version5/codebase/listbox.cab
O20 - Winlogon Notify: iifgdde - C:\WINDOWS\SYSTEM32\iifgdde.dll
O20 - Winlogon Notify: mlljj - C:\WINDOWS\system32\mlljj.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Programmer\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmer\Fælles filer\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmer\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 8788 bytes


Efter genstarten meldte AVG antispyware med det samme, at den havdefundet en redialer eller sådan noget lignende, og Avast meldte fundet af en Trojaner

Øjjj - der blev ædt en del; lige efter bogen *S*. Havde bare forventet lidt mere; det tar' vi så manuelt ->

2. Runde

Kør en scanning med Hijackthis,
Du får herunder nogle filer, som du skal fixe. Det, du skal gøre, er at sætte et flueben ud for disse filer. Når du har gjort det, så lukker du alle andre vinduer ned. Det er meget vigtigt at det eneste vindue, som er åbent er HijackThis vinduet. Husk også at lukke dette vindue, når du har markeret filerne. Nu må du fixe. Klik på Fix checked.

Det er disse, som skal fixes:

O2 - BHO: (no name) - {3E71DC86-4A5C-4C71-A185-EBE9AC2EB607} - C:\WINDOWS\system32\iifgdde.dll
O2 - BHO: (no name) - {50378F58-2A63-47F3-9F9E-7226E6238BFD} - C:\WINDOWS\system32\awtst.dll (file missing)
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmer\Fælles filer\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe"
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O20 - Winlogon Notify: iifgdde - C:\WINDOWS\SYSTEM32\iifgdde.dll
O20 - Winlogon Notify: mlljj - C:\WINDOWS\system32\mlljj.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Programmer\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmer\Fælles filer\Ahead\Lib\NMIndexingService.exe

For at kunne se alle filer og mapper, så følg denne vejledning:
http://www.spywareinfo.dk/tip-og-tricks/mappeindstillinger.htm

Genstart i fejlsikret tilstand http://www.spywareinfo.dk/#/htm/fejlsikret_tilstand.htm

Søg og slet de markerede filer/mapper hvis de stadig findes. Ellers fortsætter du bare vejledningen. De kan være røget i fixet.

C:\WINDOWS\system32\iifgdde.dll
C:\WINDOWS\system32\awtst.dll
C:\WINDOWS\system32\mlljj.dll
C:\WINDOWS\system32\rpcc.dll

Genstart, kør en ny scanning med hijackthis, og kopier en frisk log herind til tjek.

------------------------------------------------------------------------

Jeg kunne ikke finde nogen af de 4 filer!! Men det virker til at der stadig er noget galt.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 17:46:27, on 18-04-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programmer\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Unlocker\UnlockerAssistant.exe
C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmer\3M\PDNotes\PDNotes.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\Programmer\PC Connectivity Solution\ServiceLayer.exe
C:\Programmer\Mozilla Firefox\firefox.exe
C:\Programmer\Fælles filer\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
E:\Nyttige ting\Beskyttelse og oprydning\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [Soltek] C:\WINDOWS\system32\autorun.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmer\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programmer\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Programmer\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [HP Software Update] C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programmer\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [PcSync] C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-it® Digital Notes.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_11\bin\ssv.dll
O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (Adobe Form Control) - http://www.diaform.dk/menu/config/version5/Codebase/FormCtl.CAB
O16 - DPF: {1469FF24-47F6-11D2-8805-006008C537E3} (Adobe Mail Control) - http://www.diaform.dk/menu/config/version5/codebase/ffmail.cab
O16 - DPF: {1D381386-B2F7-4A83-AE20-B9796A68397C} (proXSign Class) - https://www.borgerblanketter.dk/bb/proXSign1.cab
O16 - DPF: {1E69721D-9104-11D3-82D3-D06650C10000} (DafoloControl Class) - http://www.diaform.dk/menu/config/version5/codebase/Dafolo.cab
O16 - DPF: {224F7DEA-B7C1-11D3-AB40-00902712A5C9} (PLSAddin Class) - http://www.diaform.dk/menu/config/version5/codebase/plsspeller.cab
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://light.gabs.dk/imageuploader/ImageUploader3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CDDCFBB3-4D93-11D2-B1A9-00A0C9B742BE} (Adobe Script Object) - http://www.diaform.dk/menu/config/version5/codebase/scriptobject.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp07.photoprintit.de/microsite/10023/defaults/activex/ImageUploader3.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (Adobe Soft Font Installer) - http://www.diaform.dk/menu/config/version5/codebase/fontinstaller.cab
O16 - DPF: {F4F6546F-FBA9-11D1-8AFB-080009ECFDC5} (Adobe ListBox Control) - http://www.diaform.dk/menu/config/version5/codebase/listbox.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmer\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7545 bytes

... inden jeg evt. tager det næste skyts igang...
"...at der stadig er noget galt..." - hvordan det ?



RegBase oprydning kan anbefales ->
RegCleaner http://www.ccleaner.com/ + http://www.spywarefri.dk/manualer/ccleaner-manual.htm (Specielt punktet [Problemer]...)

Fraklik Yahoo Toolbar under instalationen !!!
Fraklik Yahoo Toolbar under instalationen !!!
Fraklik Yahoo Toolbar under instalationen !!!

Af og til åbner den et nyt vindue når jeg er på nettet, og den gjorde det også lige før.  Der kommer ikke noget specifikt i vindues, bare en besked "IE kan ikke finde adressen" eller sådan noget lignende. Lige for 2 sek. siden åbnede den et vindue i denne adr. http://www.thespywareremoversite.com/

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 18:41:35, on 18-04-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programmer\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Unlocker\UnlockerAssistant.exe
C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmer\3M\PDNotes\PDNotes.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\Programmer\PC Connectivity Solution\ServiceLayer.exe
C:\Programmer\Mozilla Firefox\firefox.exe
C:\Programmer\Fælles filer\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\System32\svchost.exe
E:\Nyttige ting\Beskyttelse og oprydning\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [Soltek] C:\WINDOWS\system32\autorun.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmer\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programmer\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Programmer\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [HP Software Update] C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programmer\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [PcSync] C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-it® Digital Notes.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_11\bin\ssv.dll
O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (Adobe Form Control) - http://www.diaform.dk/menu/config/version5/Codebase/FormCtl.CAB
O16 - DPF: {1469FF24-47F6-11D2-8805-006008C537E3} (Adobe Mail Control) - http://www.diaform.dk/menu/config/version5/codebase/ffmail.cab
O16 - DPF: {1D381386-B2F7-4A83-AE20-B9796A68397C} (proXSign Class) - https://www.borgerblanketter.dk/bb/proXSign1.cab
O16 - DPF: {1E69721D-9104-11D3-82D3-D06650C10000} (DafoloControl Class) - http://www.diaform.dk/menu/config/version5/codebase/Dafolo.cab
O16 - DPF: {224F7DEA-B7C1-11D3-AB40-00902712A5C9} (PLSAddin Class) - http://www.diaform.dk/menu/config/version5/codebase/plsspeller.cab
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://light.gabs.dk/imageuploader/ImageUploader3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CDDCFBB3-4D93-11D2-B1A9-00A0C9B742BE} (Adobe Script Object) - http://www.diaform.dk/menu/config/version5/codebase/scriptobject.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp07.photoprintit.de/microsite/10023/defaults/activex/ImageUploader3.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (Adobe Soft Font Installer) - http://www.diaform.dk/menu/config/version5/codebase/fontinstaller.cab
O16 - DPF: {F4F6546F-FBA9-11D1-8AFB-080009ECFDC5} (Adobe ListBox Control) - http://www.diaform.dk/menu/config/version5/codebase/listbox.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmer\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7512 bytes

...og nu åbnede et vindue med denne adr. :  http://www.broadcaster.com/video/index.php?show=trated&bcsrtkr=a85d2&utm_campaign=Traffic&utm_source=Adon_for&utm_medium=popunder

Gennemfør de resterende (AVG, rootchk) procedurer herfra ->
http://www.spywarefri.dk/forum/links/hjtanv.htm

********************************* ROOTCHK-(13-04-07)-LOG, by ejvindh
18-04-2007 22:07:27,37

Driver Ntio256 (visible) is present. A rootkit scan is recommended.

********************************* ROOTCHK-LOG-end


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at:    22:00:35 18-04-2007

+ Scan result:   



C:\System Volume Information\_restore{F4608D63-28DC-4BD3-A464-DB7D23C88575}\RP504\A0120125.exe -> Dropper.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4608D63-28DC-4BD3-A464-DB7D23C88575}\RP505\A0120168.exe -> Hijacker.Agent.is : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4608D63-28DC-4BD3-A464-DB7D23C88575}\RP506\A0124133.exe -> Hijacker.Agent.is : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4608D63-28DC-4BD3-A464-DB7D23C88575}\RP506\A0128163.exe -> Hijacker.Agent.is : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4608D63-28DC-4BD3-A464-DB7D23C88575}\RP504\A0120129.exe -> Not-A-Virus.Downloader.Win32.WinFixer.m : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/rpcc.dll -> Proxy.Dlena.ce : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4608D63-28DC-4BD3-A464-DB7D23C88575}\RP506\A0130168.dll -> Proxy.Dlena.ce : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F4608D63-28DC-4BD3-A464-DB7D23C88575}\RP506\A0130177.dll -> Proxy.Dlena.ce : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WinOpts -> Proxy.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drivers\core.sys -> Rootkit.Agent.eq : Cleaned with backup (quarantined).


::Report end


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 22:07:07, on 18-04-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programmer\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Programmer\Unlocker\UnlockerAssistant.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmer\3M\PDNotes\PDNotes.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\Programmer\PC Connectivity Solution\ServiceLayer.exe
C:\Programmer\Fælles filer\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
E:\Nyttige ting\Beskyttelse og oprydning\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [Soltek] C:\WINDOWS\system32\autorun.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmer\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programmer\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Programmer\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [HP Software Update] C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programmer\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [PcSync] C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-it® Digital Notes.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_11\bin\ssv.dll
O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (Adobe Form Control) - http://www.diaform.dk/menu/config/version5/Codebase/FormCtl.CAB
O16 - DPF: {1469FF24-47F6-11D2-8805-006008C537E3} (Adobe Mail Control) - http://www.diaform.dk/menu/config/version5/codebase/ffmail.cab
O16 - DPF: {1D381386-B2F7-4A83-AE20-B9796A68397C} (proXSign Class) - https://www.borgerblanketter.dk/bb/proXSign1.cab
O16 - DPF: {1E69721D-9104-11D3-82D3-D06650C10000} (DafoloControl Class) - http://www.diaform.dk/menu/config/version5/codebase/Dafolo.cab
O16 - DPF: {224F7DEA-B7C1-11D3-AB40-00902712A5C9} (PLSAddin Class) - http://www.diaform.dk/menu/config/version5/codebase/plsspeller.cab
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://light.gabs.dk/imageuploader/ImageUploader3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CDDCFBB3-4D93-11D2-B1A9-00A0C9B742BE} (Adobe Script Object) - http://www.diaform.dk/menu/config/version5/codebase/scriptobject.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp07.photoprintit.de/microsite/10023/defaults/activex/ImageUploader3.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (Adobe Soft Font Installer) - http://www.diaform.dk/menu/config/version5/codebase/fontinstaller.cab
O16 - DPF: {F4F6546F-FBA9-11D1-8AFB-080009ECFDC5} (Adobe ListBox Control) - http://www.diaform.dk/menu/config/version5/codebase/listbox.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmer\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7559 bytes

Hmm  det havde da været rart med en melding på min sidste log her...........

(Sorry - næsten glemt... StandBy)

Yes please :)

(Har 'pinget' en "rootkit" ekspert...)

dr1_larry har bedt mig tage over her. Jeg vil foreslå at du følger den vejledning jeg lagde til dig her: http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=37339#282048

Tak, jeg går igang med det samme.

Den får du her :

GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-04-21 15:05:31
Windows 5.1.2600 Service Pack 2


---- User code sections - GMER 1.0.12 ----

.text  C:\WINDOWS\explorer.exe[1468] SHELL32.dll!SHFileOperationW                                7CA6FD0A 5 Bytes  JMP 100010DE C:\Programmer\Unlocker\UnlockerHook.dll

---- Devices - GMER 1.0.12 ----

Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ                                                  FFB28778
Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL                                        FFB47778
Device  \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ                                                  FFB28778
Device  \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL                                        FFB47778
Device  \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL                          FF93E420
Device  \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL                          FF93E420
Device  \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_INTERNAL_DEVICE_CONTROL                FF93E420
Device  \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_INTERNAL_DEVICE_CONTROL                FF93E420
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_INTERNAL_DEVICE_CONTROL                FF93E420
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_INTERNAL_DEVICE_CONTROL                FF93E420
Device  \Driver\Cdrom \Device\CdRom2 IRP_MJ_READ                                                  FFB28778
Device  \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CONTROL                                        FFB47778
Device  \Driver\Cdrom \Device\CdRom3 IRP_MJ_READ                                                  FFB28778
Device  \Driver\Cdrom \Device\CdRom3 IRP_MJ_DEVICE_CONTROL                                        FFB47778
Device  \Driver\axvodka \Device\Scsi\axvodka1 IRP_MJ_INTERNAL_DEVICE_CONTROL                      FFAF75B8
Device  \Driver\axvodka \Device\Scsi\axvodka1Port2Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL  FFAF75B8

---- EOF - GMER 1.0.12 ----

-- Hent Avenger her:
http://swandog46.geekstogo.com/avenger.zip

-- Hent VirtumundoBeGone, gem det på skrivebordet:
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

-- Luk alle kørende programmer, også Internetvinduer, dobbeltklik på VirtumundoBeGone.exe på skrivebordet, læs intro-informationen, klik så på Continue, klik på Start.
Når den spørger om du vil fortsætte, klik på Yes for at køre fixet.
Klik så på Save log.

-- Det sker sommetider at fixet afslutter med "BSOD"(blå skærm og frosset PC) så skal du bare genstarte på Resetknappen.

-- Der kommer en tekstfil på dit skrivebord der hedder VBG.TXT åbn den og kopier teksten herind.

-- Pak Avenger-programmet ud og dobbeltklik på avenger.exe

-- Sæt en prik i "Input Script Manually" og klik på Luppen - nu dukker der et lille vindue op, hvor du skal kopiere indholdet mellem de stiplede linier ind:

-----------------------------
Files to delete:
C:\WINDOWS\system32\iifgdde.dll
C:\WINDOWS\system32\mlljj.dll
C:\WINDOWS\system32\rpcc.dll

drivers to unload:
Ntio256
-----------------------------

-- Klik på Trafiklyset i Avenger. Programmet vil opfordre dig til at genstarte computeren straks, hvilket du skal gøre. Programmet vil lukke din computer, slette filerne og starte computeren igen.

-- Efter genstarten vil der dukke et notepad-vindue op, med en log for Avengers handlinger. Den må du gerne lægge ind i dit næste svar.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\hprwrwbk

*******************

Script file located at: \??\C:\Documents and Settings\wavinsvn.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\iifgdde.dll not found!
Deletion of file C:\WINDOWS\system32\iifgdde.dll failed!

Could not process line:
C:\WINDOWS\system32\iifgdde.dll
Status: 0xc0000034



File C:\WINDOWS\system32\mlljj.dll not found!
Deletion of file C:\WINDOWS\system32\mlljj.dll failed!

Could not process line:
C:\WINDOWS\system32\mlljj.dll
Status: 0xc0000034



File C:\WINDOWS\system32\rpcc.dll not found!
Deletion of file C:\WINDOWS\system32\rpcc.dll failed!

Could not process line:
C:\WINDOWS\system32\rpcc.dll
Status: 0xc0000034



Registry key \Registry\Machine\System\CurrentControlSet\Services\Ntio256 not found!
Unload of driver Ntio256 failed!

Could not process line:
Ntio256
Status: 0xc0000034


Completed script processing.

*******************

Finished!  Terminate.


[04/21/2007, 20:58:55] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\rasmus\Skrivebord\VirtumundoBeGone.exe" )
[04/21/2007, 20:59:01] - Detected System Information:
[04/21/2007, 20:59:01] -  Windows Version: 5.1.2600, Service Pack 2
[04/21/2007, 20:59:01] -  Current Username: rasmus (Admin)
[04/21/2007, 20:59:01] -  Windows is in NORMAL mode.
[04/21/2007, 20:59:01] - Searching for Browser Helper Objects:
[04/21/2007, 20:59:01] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/21/2007, 20:59:01] -  BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/21/2007, 20:59:01] - Finished Searching Browser Helper Objects
[04/21/2007, 20:59:01] - Finishing up...
[04/21/2007, 20:59:01] - Nothing found! Exiting...

Der var ikke meget gevinst der. Prøv lige at køre en tur med Combofix:

-- Hent Combofix fra et af disse links, og gem den på dit skrivebord:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

--  Kør så combofix.exe, som du hentede tidligere, og følg anvisningerne.
Du bør ikke klikke på vinduet imens værktøjet kører, idet det kan få din computer til at fryse.
Når combofix er færdig, og efter det har genstartet, skulle der gerne åbnes en logfil: combofix.txt
Indholdet af denne fil må du gerne lægge herind.

-- Hvordan kører computeren i øvrigt?

"rasmus" - 07-04-22  8:16:15    Service Pack 2 
ComboFix 07-04-21.2V - Running from: C:\Documents and Settings\rasmus\Skrivebord\


((((((((((((((((((((((((((((((((((((((((((((((((((  V Log  )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\nrmvgkps.dll


* * *  POST RUN FILES/FOLDERS  * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((  Files Created from 2007-03-22 to 2007-04-22  ))))))))))))))))))))))))))))))))))


2007-04-21 21:05    <DIR>    d--------    C:\avenger
2007-04-20 10:01    <DIR>    d--------    C:\WINDOWS\system32\drivers\UMDF
2007-04-19 10:21    3,968    --a------    C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-19 10:18    35,367    --a------    C:\cc_20070419_1018.reg
2007-04-18 20:04    36,886    --a------    C:\cc_20070418_2004.reg
2007-04-17 22:43    490,520    ---hs----    C:\WINDOWS\system32\jjllm.bak1
2007-04-17 22:43    281,172    --ahs----    C:\WINDOWS\system32\mlljj.dll.vir
2007-04-17 22:29    <DIR>    d--------    C:\VundoFix Backups
2007-04-17 22:28    97,280    --a------    C:\VundoFix.exe
2007-04-16 08:17    26,714    --a------    C:\WINDOWS\system32\iifgdde.dll.vir
2007-04-16 08:11    <DIR>    d--------    C:\WINDOWS\Web Download
2007-04-11 14:00    <DIR>    d--------    C:\Programmer\iPod
2007-04-11 13:59    <DIR>    d--------    C:\Programmer\iTunes
2007-04-11 13:58    <DIR>    d--------    C:\Programmer\QuickTime
2007-04-11 13:58    <DIR>    d--------    C:\Programmer\Apple Software Update
2007-04-11 13:57    <DIR>    d--------    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-04-09 17:20    <DIR>    d--------    C:\Programmer\Nero
2007-04-09 17:20    <DIR>    d--------    C:\Programmer\F‘lles filer\Ahead
2007-04-09 17:20    <DIR>    d--------    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-04-09 15:46    <DIR>    d--------    C:\Programmer\Ahead
2007-04-09 13:35    <DIR>    d--------    C:\Programmer\MSXML 4.0
2007-04-09 10:50    <DIR>    d--------    C:\DOCUME~1\rasmus\APPLIC~1\Ahead
2007-04-09 10:09    <DIR>    d--------    C:\I386
2007-04-09 09:51    105,102    --a------    C:\cc_20070409_0951.reg
2007-04-09 09:32    <DIR>    d--------    C:\Programmer\CCleaner
2007-04-07 11:31    69,632    --a------    C:\WINDOWS\Alcmtr.exe
2007-04-07 10:16    <DIR>    d--------    C:\DOCUME~1\rasmus\APPLIC~1\GlarySoft
2007-04-07 10:10    <DIR>    d--------    C:\Programmer\Registry Repair
2007-04-06 23:06    9,715,200    --a------    C:\WINDOWS\RTLCPL.exe
2007-04-06 23:06    4,395,008    --a------    C:\WINDOWS\system32\drivers\RtkHDAud.sys
2007-04-06 23:06    2,808,832    --a------    C:\WINDOWS\alcwzrd.exe
2007-04-06 23:06    2,157,568    --a------    C:\WINDOWS\MicCal.exe
2007-04-06 23:06    16,126,464    --a------    C:\WINDOWS\RTHDCPL.exe
2007-04-06 23:06    1,822,720    --a------    C:\WINDOWS\SkyTel.exe
2007-04-06 23:06    1,191,936    --a------    C:\WINDOWS\RtlUpd.exe
2007-04-06 23:06    <DIR>    d--------    C:\WINDOWS\system32\RTCOM
2007-04-06 23:05    520,192    --a------    C:\WINDOWS\RtlExUpd.dll
2007-04-06 23:05    315,392    --a------    C:\WINDOWS\HideWin.exe
2007-04-06 23:05    <DIR>    d--------    C:\Programmer\Realtek
2007-04-04 14:35    43,176    --a------    C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-04 14:35    26,888    --a------    C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-04 14:35    23,416    --a------    C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-04 14:34    94,552    --a------    C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-04 14:34    90,112    --a------    C:\WINDOWS\system32\AVASTSS.scr
2007-04-04 14:34    85,952    --a------    C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-04 14:34    733,824    --a------    C:\WINDOWS\system32\aswBoot.exe
2007-04-04 14:34    <DIR>    d--------    C:\Programmer\Alwil Software
2007-03-24 17:59    <DIR>    d--------    C:\Programmer\Surreal
2007-03-23 14:50    35,040    --a------    C:\DOCUME~1\rasmus\APPLIC~1\GDIPFONTCACHEV1.DAT


((((((((((((((((((((((((((((((((((((((((((((((((  Find3M Report  )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-21 21:49    24    --a------    C:\WINDOWS\system32\dvcstatebkp-{00000002-00000000-0000000e-00001102-00000002-80651102}.dat
2007-04-21 21:49    24    --a------    C:\WINDOWS\system32\dvcstate-{00000002-00000000-0000000e-00001102-00000002-80651102}.dat
2007-04-21 20:53    --------    d--------    C:\DOCUME~1\rasmus\APPLIC~1\utorrent
2007-04-20 10:03    --------    d--------    C:\Programmer\windows media connect 2
2007-04-16 12:54    --------    d--------    C:\Programmer\spywareblaster
2007-04-09 16:36    --------    d--h-----    C:\Programmer\installshield installation information
2007-04-09 13:10    --------    d--------    C:\Programmer\windows nt
2007-04-09 13:10    --------    d--------    C:\Programmer\movie maker
2007-04-09 13:10    --------    d--------    C:\Programmer\messenger
2007-04-06 19:07    --------    d--------    C:\Programmer\copystar
2007-04-04 14:29    --------    d--------    C:\Programmer\picasa2
2007-04-04 14:29    --------    d--------    C:\Programmer\pc connectivity solution
2007-03-30 17:02    --------    d--------    C:\Programmer\dc++
2007-03-25 09:03    73258    --a------    C:\WINDOWS\system32\perfc006.dat
2007-03-25 09:03    415362    --a------    C:\WINDOWS\system32\perfh006.dat
2007-03-17 15:45    292864    --a------    C:\WINDOWS\system32\winsrv.dll
2007-03-14 19:27    972336    --a------    C:\WINDOWS\unrecode.exe
2007-03-14 19:20    133168    --a------    C:\WINDOWS\system32\drivers\imagesrv.sys
2007-03-14 19:20    11568    --a------    C:\WINDOWS\system32\drivers\imagedrv.sys
2007-03-14 19:19    972336    --a------    C:\WINDOWS\unnerobackitup.exe
2007-03-14 19:19    95864    --a------    C:\WINDOWS\system32\neroco.dll
2007-03-12 13:51    972336    --a------    C:\WINDOWS\unneromediahome.exe
2007-03-08 17:38    577536    --a------    C:\WINDOWS\system32\user32.dll
2007-03-08 17:38    40960    --a------    C:\WINDOWS\system32\mf3216.dll
2007-03-08 17:38    281600    --a------    C:\WINDOWS\system32\gdi32.dll
2007-03-08 17:35    1843584    --a------    C:\WINDOWS\system32\win32k.sys
2007-03-03 15:41    --------    d--------    C:\Programmer\karolines
2007-03-03 15:40    --------    d--------    C:\Programmer\borland
2007-02-28 20:53    972336    --a------    C:\WINDOWS\unnerovision.exe
2007-02-28 15:41    972336    --a------    C:\WINDOWS\unneroshowtime.exe
2007-02-25 09:04    --------    d--------    C:\Programmer\timetool
2007-02-05 22:19    185344    --a------    C:\WINDOWS\system32\upnphost.dll
2007-02-01 06:56    823296    --a------    C:\WINDOWS\system32\divx_xx0c.dll
2007-02-01 06:56    823296    --a------    C:\WINDOWS\system32\divx_xx07.dll
2007-02-01 06:56    802816    --a------    C:\WINDOWS\system32\divx_xx11.dll
2007-02-01 06:56    639066    --a------    C:\WINDOWS\system32\divx.dll
2007-01-31 23:27    524288    --a------    C:\WINDOWS\system32\divxsm.exe
2007-01-31 01:15    118784    --a------    C:\WINDOWS\system32\divxcodecupdatechecker.exe
2007-01-30 07:03    3596288    --a------    C:\WINDOWS\system32\qt-dx331.dll
2007-01-30 07:03    200704    --a------    C:\WINDOWS\system32\ssldivx.dll
2007-01-30 07:03    129784    ---------    C:\WINDOWS\system32\pxafs.dll
2007-01-30 07:03    118520    ---------    C:\WINDOWS\system32\pxinsi64.exe
2007-01-30 07:03    116472    ---------    C:\WINDOWS\system32\pxcpyi64.exe
2007-01-30 07:03    1044480    --a------    C:\WINDOWS\system32\libdivx.dll
2007-01-30 06:56    73728    --a------    C:\WINDOWS\system32\dpl100.dll
2007-01-30 06:56    593920    --a------    C:\WINDOWS\system32\dpugui11.dll
2007-01-30 06:56    57344    --a------    C:\WINDOWS\system32\dpv11.dll
2007-01-30 06:56    53248    --a------    C:\WINDOWS\system32\dpugui10.dll
2007-01-30 06:56    344064    --a------    C:\WINDOWS\system32\dpus11.dll
2007-01-30 06:56    294912    --a------    C:\WINDOWS\system32\dpu11.dll
2007-01-30 06:56    294912    --a------    C:\WINDOWS\system32\dpu10.dll
2007-01-30 06:56    196608    --a------    C:\WINDOWS\system32\dtu100.dll


((((((((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}    C:\Programmer\Java\jre1.5.0_11\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Soltek"="C:\\WINDOWS\\system32\\autorun.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"zBrowser Launcher"="C:\\Programmer\\Logitech\\iTouch\\iTouch.exe"
"WINDVDPatch"="CTHELPER.EXE"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"Jet Detection"="C:\\Programmer\\Creative\\SBLive\\PROGRAM\\ADGJDet.exe"
"CTStartup"="C:\\Programmer\\Creative\\Splash Screen\\CTEaxSpl.EXE /run"
"HP Software Update"="C:\\Programmer\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb08.exe"
"UnlockerAssistant"="\"C:\\Programmer\\Unlocker\\UnlockerAssistant.exe\""
"PCSuiteTrayApplication"="C:\\Programmer\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -startup"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"!AVG Anti-Spyware"="\"C:\\Programmer\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Programmer\\Messenger\\msmsgs.exe\" /background"
"PopUpStopperFreeEdition"="\"C:\\PROGRA~1\\PANICW~1\\POP-UP~1\\PSFree.exe\""
"PcSync"="C:\\Programmer\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce\CTStartup]
"CTStartup"="\"C:\\Programmer\\Creative\\Splash Screen\\CTEaxSpl.EXE\" /play"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"="C:\\Programmer\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{3E71DC86-4A5C-4C71-A185-EBE9AC2EB607}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
  Authentication Packages    REG_MULTI_SZ      msv1_0\0\0
  Security Packages    REG_MULTI_SZ      kerberos\0msv1_0\0schannel\0wdigest\0\0
  Notification Packages    REG_MULTI_SZ      scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter    REG_MULTI_SZ      HTTPFilter\0\0
LocalService    REG_MULTI_SZ      Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService    REG_MULTI_SZ      DnsCache\0\0
DcomLaunch    REG_MULTI_SZ      DcomLaunch\0TermService\0\0
rpcss    REG_MULTI_SZ      RpcSs\0\0
imgsvc    REG_MULTI_SZ      StiSvc\0\0
termsvcs    REG_MULTI_SZ      TermService\0\0
WudfServiceGroup    REG_MULTI_SZ      WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-22 08:19:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  CTStartup = C:\Programmer\Creative\Splash Screen\CTEaxSpl.EXE /run??????h??????s?????\?w? ?w???????w???w4???????.??w4???????4???TA?s4????????>7???6~??6~????????\???\???????????U?6~??6~\???\?????????`??????C@?\???\??????s????\??????s\????>7?A??s?>7??C@?x???`|?w\?????@

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-22  8:19:25
C:\ComboFix-quarantined-files.txt ... 07-04-22 08:19





[code]
07-04-17 22:43      123972    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\nrmvgkps.dll.vir


Mappetr‘
Diskenhedens serienummer er DC7D-DE00
C:\QOOBOX
\---Quarantine
    +---C
    |  \---WINDOWS
    |      \---system32
    |              nrmvgkps.dll.vir
    |             
    \---Registry_backups
[/code]


Sådan der!!

Jeg synes den kører som den skal, og har ikke registreret nogle urelmæssigheder

Men om der stadig er nowet skjult snavs kan jeg ikke bedømme

Det ser også rigtig fornuftigt ud. Som oprydning synes jeg du skal slette et par filer:

Som indledning hertil skal du have slået "Udvidet filvisning" til:
Åbn en mappe, klik på Funktioner=>Mappeindstillinger=>Vis.
Fjern flueben ved "Skjul beskyttede operativsystemfiler".
Fjern flueben ved "Skjul filtypenavne for kendte filtyper".
Sæt prik i "Vis skjulte filer og mapper".

-- Slet herefter følgende (hvis du kan finde dem):
C:\WINDOWS\system32\jjllm.bak1
C:\WINDOWS\system32\mlljj.dll.vir
C:\WINDOWS\system32\iifgdde.dll.vir

-- Derudover synes jeg lige som et check, at du skal køre Rootchk igen, og hvis den finder noget, så lægge resultatet herind.

********************************* ROOTCHK-(13-04-07)-LOG, by ejvindh
23-04-2007 17:05:24,84

The rootkits that are detected by this tool were not found.

********************************* ROOTCHK-LOG-end

De 3 filer i system32 fik jeg også slettet, skal jeg slå det med at vise de skjulte filer til igen ?

Ja, nu ser det ud til at computeren er blevet ren.

For at gøre arbejdet helt færdig:
Det kan være en god ide og rydde op i systemgendannelses filerne. Deaktiver systemgendannelse (http://www.spywarefri.dk/virusscannere.htm#alle) - genstart din computer - aktiver systemgendannelse.
Og så kan det også være en god ide at skjule dine systemfiler og -mapper igen, så du ikke ved en fejl kommer til at slette en vigtig fil. Det gør du samme sted, hvor du satte det til at vise alle filer, denne gang vælger du bare: Vis ikke skjulte filer og mapper.

Det kan også være en god ide at få renset ud i dine midlertidige filer. Det kan gøres på en hurtig og nem måde med denne fil
www.spywareinfo.dk/download/cleantempxp2k.bat
---------------------------

For at forhindre gentagelser, vil jeg anbefale dig at lægge nogle små programmer ind, som forhindrer spyware i at komme ind i første omgang. Du finder links og gode råd her:
http://www.spywarefri.dk/manualer/sikkerhedspakke.htm

Jeg vil også foreslå, at du læser disse artikler om hvordan du kan undgå at blive inficeret i fremtiden:
http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=14414
http://www.ejvindh.net/viewtopic.php?t=37

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

dr1_larry har også hjulpet til med rensningen, så det vil være rimeligt at han også får en andel i pointene :-)

Ping...

En lille 'smule' ...

Helt enig og sådan blev det også.

Mange tak til jer begge for en super hjælp, og jeg vil naturligvis følge de råd givet her til sidst også.

Mange tak til jer begge

Du er velkommen :-)