Tjek af HJT

Jeg ser på det - et øjeblik.

Jeg ser på den...

ÆV - <levich> kom 'først' *S* ...

Hmm, det er ikke noget at se - jeg foreslår en scanning med AVG Anti-Spyware, da det lyder som om du har spyware.

Læs alle punkterne inden du gør noget.
Gem evt. denne vejledning som en tekstfil på skrivebordet vha. Notepad.

(1)
Hent AVG Anti-Spyware her: http://www.grisoft.com/doc/downloads-products/us/crp/0?prd=triasw
Installer programmer og opdater det, men vent med at scanne.

(2)
Hent AFT-cleaner her: http://www.geekstogo.com/forum/index.php?autocom=downloads&showfile=21
Start programmet og vælg "select all" og derefter "empty all".
Hvis du har Firefox skal du først vælge det i menuen og derefter "select all" og "empty all".

(3)
Start AVG Anti-Spyware, vælg fanebladet "scanner" og klik på "complete system scan".
Bagefter klik "apply all actions", "save report", "save report as" og gem logfil, f.eks. på skrivebordet.

(4)
Genstart computeren normalt, og send loggen fra AVG Anti-Spyware herind.

karise_larry -> Jeg er begyndt at være lidt mere aktiv på eksperten.dk, men nok kun en kortere periode. Jeg kan kun sige, at det er en fornøjelse at "arbejde sammen med dig", hvis man kan kalde det det :-)

Kobler mig lige på, det kunne være Smitfraud eller Vundo.

Your Are Wellcome !

Jeg kunne så ikke vælge Bagefter klik "apply all actions", "save report", "save report as" og gem logfil, f.eks. på skrivebordet..

Men den fandt disse filer som den rensede:

- Trojan horse Agent. JNI
- Trojan horse Agent. JNI

Dog kom disse filer over i "Virus Vault"

- Trojan horse Agent. JNI
- Trojan horde Delf.DOQ
- Trojan horse Agent. JNI

For mig virker det som "almindelige" spyware, hvilket så gerne skulle være væk nu.
Er popup-meddelelsen væk?

Det skal jeg ikke kunne sige dig, da det ikke er hele tiden den popper up, det sker lidt tilfældigt, så kan ikke sige om det har hjulpet endnu

hvad med de filer, som den ikke kunne rense?

Se side 32-33 i manualen her:
http://free3.grisoft.cz/filedir/doc/AVG_Anti-Spyware/User_manual/avg_asw_uma_en_75_8.pdf

Under quarentine kan du først vælge "select all" derefter "remove finally", men du kan også lade dem være under quarentine indtil du er sikker på, at filerne ikke indeholder noget vigtigt.

Af ren nysgerrighed.

Hent Combofix, og gem den på dit skrivebord:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

-- Kør så combofix.exe, og følg anvisningerne.
Du bør ikke klikke på vinduet imens værktøjet kører, idet det kan få din computer til at fryse.
Når combofix er færdig, og efter det har genstartet, skulle der gerne åbnes en logfil: combofix.txt
Indholdet af denne fil må du gerne lægge herind.

ComboFix 08-03-04.2 - Administrator 2008-03-04 17:07:13.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1030.18.1521 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Skrivebord\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((  Files Created from 2008-02-04 to 2008-03-04  )))))))))))))))))))))))))))))))
.

2008-03-03 17:16 . 2008-03-04 14:30    <DIR>    d--------    C:\WINDOWS\system32\drivers\Avg
2008-03-03 17:16 . 2008-03-03 17:16    <DIR>    d--------    C:\Programmer\AVG
2008-03-03 17:16 . 2008-03-03 17:16    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\avg8
2008-03-03 17:16 . 2008-03-03 17:16    96,520    --a------    C:\WINDOWS\system32\drivers\avgldx86.sys
2008-03-03 17:16 . 2008-03-03 17:16    74,376    --a------    C:\WINDOWS\system32\drivers\avgtdix.sys
2008-03-03 17:16 . 2008-03-03 17:16    12,424    --a------    C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-03-03 17:16 . 2008-03-03 17:16    10,520    --a------    C:\WINDOWS\system32\avgrsstx.dll
2008-02-19 18:30 . 2008-02-19 18:30    <DIR>    d--------    C:\Programmer\TVAnts
2008-02-19 18:28 . 2008-02-19 18:28    360,832    --a------    C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-02-19 18:24 . 2008-02-19 18:24    <DIR>    d--------    C:\WINDOWS\system32\PPLive
2008-02-19 18:24 . 2008-02-19 18:24    <DIR>    d--------    C:\Documents and Settings\Administrator\Application Data\PPLive
2008-02-19 18:23 . 2008-02-19 18:33    <DIR>    d--------    C:\Programmer\PPLive
2008-02-16 03:30 . 2008-02-16 03:30    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-02-09 14:52 . 2008-02-09 14:52    <DIR>    d--------    C:\Documents and Settings\Administrator\Application Data\InstallShield Installation Information
2008-02-09 14:42 . 2008-02-09 14:42    <DIR>    d--------    C:\Programmer\Unreal Tournament 3
2008-02-09 14:41 . 2008-02-09 14:41    <DIR>    d--------    C:\WINDOWS\system32\AGEIA
2008-02-09 14:41 . 2008-02-09 14:41    <DIR>    d--------    C:\Programmer\AGEIA Technologies
2008-02-09 01:12 . 2008-02-09 01:12    <DIR>    d--------    C:\WINDOWS\Sun
2008-02-09 01:11 . 2008-02-09 01:11    <DIR>    d--------    C:\Programmer\Fælles filer\Java
2008-02-06 18:29 . 2008-02-06 18:29    244    --ah-----    C:\sqmnoopt16.sqm
2008-02-06 18:29 . 2008-02-06 18:29    232    --ah-----    C:\sqmdata16.sqm
2008-02-05 15:53 . 2008-02-05 15:53    244    --ah-----    C:\sqmnoopt15.sqm
2008-02-05 15:53 . 2008-02-05 15:53    232    --ah-----    C:\sqmdata15.sqm
2008-02-04 21:36 . 2008-02-04 21:36    244    --ah-----    C:\sqmnoopt14.sqm
2008-02-04 21:36 . 2008-02-04 21:36    232    --ah-----    C:\sqmdata14.sqm
2008-02-04 12:33 . 2008-02-04 12:33    244    --ah-----    C:\sqmnoopt13.sqm
2008-02-04 12:33 . 2008-02-04 12:33    232    --ah-----    C:\sqmdata13.sqm

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 13:29    ---------    d-----w    C:\Programmer\Steam
2008-02-19 17:28    360,832    ----a-w    C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-02-19 17:23    ---------    d-----w    C:\Programmer\MSN Messenger
2008-02-19 16:41    ---------    d-----w    C:\Programmer\Winamp
2008-02-19 14:28    ---------    d-----w    C:\Documents and Settings\Administrator\Application Data\Azureus
2008-02-11 00:19    ---------    d-----w    C:\Programmer\World of Warcraft
2008-02-09 13:41    ---------    d-----w    C:\Programmer\Fælles filer\Wise Installation Wizard
2008-02-09 00:12    ---------    d-----w    C:\Programmer\Java
2008-01-30 22:34    ---------    d-----w    C:\Documents and Settings\Administrator\Application Data\teamspeak2
2008-01-30 22:07    ---------    d--h--w    C:\Programmer\InstallShield Installation Information
2008-01-30 22:07    ---------    d-----w    C:\Programmer\Java Web Start
2008-01-18 17:14    ---------    d-----w    C:\Programmer\Azureus
2008-01-10 16:01    ---------    d-----w    C:\Programmer\SystemRequirementsLab
2007-12-16 00:44    22,328    ----a-w    C:\Documents and Settings\Administrator\Application Data\PnkBstrK.sys
2007-12-07 00:47    667,648    ----a-w    C:\WINDOWS\system32\wininet.dll
2007-12-04 18:41    550,912    ------w    C:\WINDOWS\system32\oleaut32.dll
.

------- Sigcheck -------

64af914216535bc450f85253462d6f24  C:\WINDOWS\system32\drivers\tcpip.sys
-c----w          360,576 2007-01-23 12:10:49  C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
-c--a-w          360,832 2008-02-19 17:28:17  C:\WINDOWS\system32\dllcache\TCPIP.SYS
----a-w          360,832 2008-02-19 17:28:17  C:\WINDOWS\system32\drivers\TCPIP.SYS
.
(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-26 12:53 15360]
"Creative Detector"="C:\Programmer\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 17:23 102400]
"MsnMsgr"="C:\Programmer\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:55 5674352]
"Steam"="c:\programmer\steam\steam.exe" [2007-11-30 13:52 1266936]
"DAEMON Tools"="C:\Programmer\DAEMON Tools\daemon.exe" [2007-04-03 23:29 165784]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programmer\Fælles filer\Nero\Lib\NMBgMonitor.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-02-23 04:25 7774208]
"nwiz"="nwiz.exe" [2007-02-23 04:25 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-02-23 04:25 81920]
"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 10:21 16270848 C:\WINDOWS\RTHDCPL.exe]
"CTDVDDET"="C:\Programmer\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 00:00 45056]
"RCSystem"="C:\Programmer\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 17:25 49152]
"AudioDrvEmulator"="C:\Programmer\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 17:25 49152]
"VolPanel"="C:\Programmer\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-07-11 10:34 122880]
"CTHelper"="CTHELPER.EXE" [2005-08-08 07:10 16384 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2005-08-08 07:10 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00 90112]
"WinampAgent"="C:\Programmer\Winamp\winampa.exe" [2007-05-14 23:22 35328]
"GrooveMonitor"="C:\Programmer\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 23:47 31016]
"NBKeyScan"="C:\Programmer\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-03-03 17:16 1171712]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-26 12:53 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Programmer\Fælles filer\Nero\Lib\NeroCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmer\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programmer\\Steam\\Steam.exe"=
"C:\\Programmer\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Programmer\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"C:\\Programmer\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"C:\\Programmer\\Steam\\steamapps\\pungrotten_micheal\\counter-strike\\hl.exe"=
"C:\\Programmer\\Ubisoft\\Gearbox Software\\BrothersInArmsEiB\\System\\EiB.exe"=
"C:\\Programmer\\mIRC\\mirc.exe"=
"C:\\Programmer\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Programmer\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Programmer\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Programmer\\Azureus\\Azureus.exe"=
"C:\\Programmer\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"C:\\Programmer\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"C:\\Programmer\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Programmer\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Programmer\\Diablo II\\Diablo II.exe"=
"C:\\Programmer\\SopCast\\adv\\SopAdver.exe"=
"C:\\Programmer\\SopCast\\SopCast.exe"=
"C:\\Programmer\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Programmer\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"C:\\Programmer\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"C:\\Programmer\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"C:\\Programmer\\PPLive\\PPLive.exe"=
"C:\\Programmer\\TVAnts\\Tvants.exe"=
"C:\\Programmer\\Messenger\\msmsgs.exe"=
"C:\\Programmer\\AVG\\AVG8\\avgupd.exe"=
"C:\\Programmer\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-03-03 17:16]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-03-03 17:16]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-03-03 17:16]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-03-03 17:16]
R2 NMSAccessU;NMSAccessU;C:\Programmer\CDBurnerXP\NMSAccessU.exe [2007-05-04 08:27]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2005-08-08 06:54]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-04 17:09:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-04 17:10:09
.
2008-02-23 15:56:46    --- E O F --- 

Andre programmer jeg skal køre, nu jeg er igang? :)

her er ny HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:43:25, on 04-03-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programmer\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Programmer\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Programmer\Winamp\winampa.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Programmer\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Creative\MediaSource\Detector\CTDetect.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Programmer\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\programmer\steam\steam.exe
C:\Programmer\DAEMON Tools\daemon.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\Programmer\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\VentriloMIX\TeamSpeakRC2 2.0.32.60.exe
C:\Programmer\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Skrivebord\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmer\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Programmer\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [RCSystem] "C:\Programmer\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Programmer\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Programmer\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [VolPanel] "C:\Programmer\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Programmer\Winamp\winampa.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programmer\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Programmer\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Programmer\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "c:\programmer\steam\steam.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Programmer\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmer\Fælles filer\Nero\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Programmer\PPLive\PPLive.exe
O9 - Extra 'Tools' menuitem: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Programmer\PPLive\PPLive.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programmer\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: NMSAccessU - Unknown owner - C:\Programmer\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7440 bytes

Afinstaller Azureus i Tilføj/Fjern programmer.
Drop fildeling >> http://spywarefri.dk/forum/topic.asp?TOPIC_ID=40284

Start Hijackthis igen, klik på Do a system Scan only, sæt flueben ved disse to linier:
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
Luk alle andre vinduer, klik på Fix checked, når den er færdig, genstart.
Kom med en frisk Hijackthislog, så vi kan se om det er væk.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:06:20, on 05-03-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programmer\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Programmer\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Programmer\Winamp\winampa.exe
C:\Programmer\Microsoft Office\Office12\GrooveMonitor.exe
C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Creative\MediaSource\Detector\CTDetect.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
C:\programmer\steam\steam.exe
C:\Programmer\DAEMON Tools\daemon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Programmer\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Documents and Settings\Administrator\Skrivebord\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmer\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Programmer\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [RCSystem] "C:\Programmer\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Programmer\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Programmer\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [VolPanel] "C:\Programmer\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Programmer\Winamp\winampa.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programmer\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Programmer\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Programmer\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "c:\programmer\steam\steam.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Programmer\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmer\Fælles filer\Nero\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Programmer\PPLive\PPLive.exe
O9 - Extra 'Tools' menuitem: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Programmer\PPLive\PPLive.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programmer\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: NMSAccessU - Unknown owner - C:\Programmer\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7293 bytes
-------------

Det skal lige siges, at når jeg starter pc'en op, så popper AVG op med virus error til: Trojan horde Delf.DOQ

Hijackthisloggen er ren.
fortæller AVG, hvor den finder den trojan?

Hent denne scanner.
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Genstart i fejlsikret(tryk <F8> ved opstart).
Dobbeltklik på drweb-cureit.exe, klik på Start - i den boks der popper op, den vil køre en expressscan, det siger du OK til.
Første gang Dr.Web finder noget, klik "Yes to All", så fjerner den hvad den finder.
Når den skriver Done nederst til venstre, skal du klikke på Options->Change settings.
Tryk på fanebladet Scan, fjern fluebenet ved Heuristic analysis.
Skift til fanebladet Actions, her skal alle punkter under Malware sættes til Rename.
Tryk på - Anvend. Luk Actions - fanebladet ved at trykke på det firkantede kryds i øverste højre hjørne.
Tryk på Scan - fanen. Flyt så prikken i Express Scan ned til Complete Scan,tyk så på den grønne pil til pil til højre så starter scanningen.
Første gang Dr.Web finder noget, klik "Yes to All", så fjerner den hvad den finder.
Når scanningen er færdig, gå op i file &#8211; Tryk på- Save Report list. Gem filen på skrivebordet.

Genstart normalt, dobbeltklik på drweb.csv og kopier teksten fra den herind.

mirc.chm\ctcp_events.htm    C:\Programmer\mIRC\mirc.chm    IRC.Generic.32   
mirc.chm    C:\Programmer\mIRC    Archive contains infected objects   
mirc.exe    C:\Programmer\mIRC    Program.mIRC.621    Renamed.
NetTools.dll    C:\Programmer\PPLive    Adware.Winad.origin    Renamed.
A0019871.exe    C:\System Volume Information\_restore{70774B51-A96B-483E-BB36-DE5CC109C2B1}\RP252    Adware.SaveNow    Renamed.
A0020977.exe    C:\System Volume Information\_restore{70774B51-A96B-483E-BB36-DE5CC109C2B1}\RP255    Program.mIRC.621    Renamed.
A0020978.dll    C:\System Volume Information\_restore{70774B51-A96B-483E-BB36-DE5CC109C2B1}\RP255    Adware.Winad.origin    Renamed.


AVG poppede lige op med: PUP infection - Potentially harmfull program HackTool.AB
Fundet i: c:\system Volume Information\_restore{70774B51-A96B-483E-BB36-DE5CC109C2B1}\RP242\A001954.exe

mens den som den altid finder når jeg starter op, bliver fundet i: c:\system Volume Information\_restore{70774B51-A96B-483E-BB36-DE5CC109C2B1}\RP252\A0019870.exe

Det er en fornøjelse at vinde et væddemål. ;-)
(Jeg væddede med mig selv om at den lå i Systemgendannelse)

Din log er ren. Hvis dine problemer er væk, så er det tid til lidt oprydning. Hent denne lille fil og gem den i roden af dit C-drev (C:\SWF_oprydning.exe):

http://www.ctrlaltdel.dk/SWF_oprydning.exe

Dobbeltklik på SWF_oprydning.exe og følg vejledningen som programmet giver (de programmer vi har bedt dig om at hente, vil blive fjernet). Når programmet er færdigt med at rydde op vil Notesblok åbne en log så du kan se, hvad der er blevet fjernet.

Genstart din computer for at afslutte oprydningen....

Når det er gjort skal du rydde op i systemgendannelses filerne. Deaktiver systemgendannelse (http://www.ctrlaltdel.dk/forum/forum_posts.asp?TID=4&PN=1) - vent et par minutter - aktiver systemgendannelse. Gå herefter i Start -> Programmer -> Tilbehør -> Systemværktøjer -> Systemgendannelse og lav et systemgendannelsespunkt, så du har det at vende tilbage til, hvis noget går galt.

Du får et par gode råd om sikker surfing med på vejen:

http://www.spywarefri.dk/manualer/sikkerhedspakke.htm

God fornøjelse

Der er ikke poppet noget om endnu, så smid du lige et svar fromsej!

Det kommer her. :-)

Håber det er i orden at du deler med Levich, da han jo gjorde forarbejdet :)

Det er fint med mig. :-)
Tak for point.