hjælp - har fået virus!

Download "Malwarebytes' Anti-Malware" her: http://www.malwarebytes.org/mbam.php
Installer programmet, start det, lav "fuld systemscanning" under fanebladet "skanner".
Bagefter klik på "vis resultater", tryk på "Fjern det valgte" og send loggen herind.

Hent http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis.
Kør HijackThis, klik på scan, kopier loggens tekst og smidt den herind. mere kommer.

http://www.ccleaner.com/ inden hijack. http://www.geekstogo.com/forum/index.php?autocom=downloads&showfile=21. inden hijack

Start programmet og vælg "select all" og derefter "empty all".
Hvis du har Firefox skal du først vælge det i menuen og derefter "select all" og "empty all".  forklaring til aftcleaner.

reinelt (Kun for at hjælpe :))
Anbefal at bruge denne guide til Ccleaner http://www.spywarefri.dk/manualer/ccleaner-manual.htm - så kan folk selv bestemmme hvad de vil have slettet, for det er ikke nødvendigt at slette alt :)

stigers: tak for info. jeg er klar over det, men i de tilfælde jeg oplever aner folk ikke hvad de savner.

jeg kender godt guiden, men tak alligevel John S. HEr er et pr. logfiler;

Malwarebytes' Anti-Malware 1.28
Database version: 1134
Windows 5.1.2600 Service Pack 3

22-09-2008 11:12:46
mbam-log-2008-09-22 (11-12-46).txt

Skan type: Fuldstændig skanning (C:\|)
Objekter skannet: 136582
Tid tilbagelagt: 21 minute(s), 53 second(s)

Inficerede Hukommelses Processer: 0
Inficerede Hukommelses Moduler: 0
Inficerede Registeringsdatabase Nøgler: 0
Inficerede Registeringsdatabase Værdier: 0
Inficerede Registeringsdatabase Filer: 0
Inficerede Mapper: 0
Inficerede Filer: 0

Inficerede Hukommelses Processer:
(Ingen mistænkelige filer fundet)

Inficerede Hukommelses Moduler:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Nøgler:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Værdier:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Filer:
(Ingen mistænkelige filer fundet)

Inficerede Mapper:
(Ingen mistænkelige filer fundet)

Inficerede Filer:
(Ingen mistænkelige filer fundet)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:17, on 22-09-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Java\jre1.6.0_06\bin\jusched.exe
C:\Programmer\F-Secure\Common\FSM32.EXE
C:\Programmer\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Programmer\Creative\Shared Files\CAMTRAY.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Windows Live\Messenger\MsnMsgr.Exe
C:\Programmer\Picasa2\PicasaMediaDetector.exe
C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmer\Bonjour\mDNSResponder.exe
C:\Programmer\F-Secure\Anti-Virus\fsgk32st.exe
C:\Programmer\F-Secure\Common\FSMA32.EXE
C:\Programmer\F-Secure\Anti-Virus\FSGK32.EXE
C:\Programmer\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programmer\F-Secure\Common\FCH32.EXE
C:\Programmer\iPod\bin\iPodService.exe
C:\Programmer\F-Secure\Anti-Virus\fssm32.exe
C:\Programmer\F-Secure\Common\FAMEH32.EXE
C:\Programmer\F-Secure\Anti-Virus\fsqh.exe
C:\Programmer\F-Secure\FSAUA\program\fsaua.exe
C:\Programmer\F-Secure\Common\FNRB32.EXE
C:\Programmer\F-Secure\FWES\Program\fsdfwd.exe
C:\Programmer\F-Secure\Common\FIH32.EXE
C:\Programmer\F-Secure\FSGUI\fsguidll.exe
C:\Programmer\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Programmer\Trend Micro\HijackThis\HijackThis.exe
C:\Programmer\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Hjælp til tilmelding til Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programmer\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programmer\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Programmer\Creative\Shared Files\CAMTRAY.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Programmer\Picasa2\PicasaMediaDetector.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://GLOBAL.ACER.COM/
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qp2.cvusyd.dk/qp2.cab
O16 - DPF: {25C29129-E95F-4564-BFE3-000000006400} (KvikVideo 6.4) - http://www.123hjemmeside.dk/builder/pages/KvikVideo-6-4-0-0.CAB
O16 - DPF: {4445EA6A-9008-40D5-9160-035FDE5214C4} (MultiUpload Class) - http://www.123hjemmeside.dk/builder/pages/Mpu-dk-1-0-0-8.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1211199343314
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1211543173328
O16 - DPF: {8C379EAB-FB26-4B71-BB5C-05B4C96E4851} (Hjemmeside.KvikFoto) - http://www.123hjemmeside.dk/builder/pages/KvikFoto-1-0-6.CAB
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Programmer\Bonjour\mDNSResponder.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Programmer\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Programmer\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Programmer\F-Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programmer\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programmer\F-Secure\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmer\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programmer\iPod\bin\iPodService.exe

--
End of file - 7606 bytes

Den poperup i msn som et link hvad viser linket?
jeg kan ikke se noget i hijack, men john er mere erfaren end jeg.
fin malwarelog.

Jeg kan ikke helt huske hvad linket henviser til, men den tog ihvertfald kontrol over pceren. Der stod også i malware at der var 3 backdoor programmer, kan det muligvis være dem? Hvilke virus programmer ud over f.secure ville du anbefale, således at der kan undgås ligende tilfælde??

du skal kun have et virusprogram, men der er flere gratis programmer bl. avg,avast,antivir
men det er en smag sag, hvad man foretrækker. malwarebytes. ccleaner bruges så ofte man har lyst,
men lad os lige se om john har nogen bemærkningermed hijack.

hmmm....

Kør lige denne gennem - gør præcist som der står:

Hent dette program: http://www.ctrlaltdel.dk/SWF_hent.exe og gem det på skrivebordet. Herefter dobbeltklikker du på det (SWF_hent.exe). Du skal måske tillade programmet at hente filer fra nettet!

Programmet henter nødvendige rense-programmer. Når programmerne er hentet, vil der være en mappe på skrivebordet med navnet "Spywarefri". Heri ligger programmerne sammen med en kort vejledning - hvis vejledningen ikke åbner automatisk så dobbeltklik på "SWF_vejledning.html".

Venligst følg vejledningen og kopier logfilerne herind i forum.

Der er stadig snavs i loggen, men det er bedst hvis man fixer det udenom Hijackthis!

Malwarebytes' Anti-Malware 1.28
Database version: 1198
Windows 5.1.2600 Service Pack 3

23-09-2008 14:58:04
mbam-log-2008-09-23 (14-58-04).txt

Skan type: Fuldstændig skanning (C:\|)
Objekter skannet: 133501
Tid tilbagelagt: 23 minute(s), 34 second(s)

Inficerede Hukommelses Processer: 0
Inficerede Hukommelses Moduler: 0
Inficerede Registeringsdatabase Nøgler: 0
Inficerede Registeringsdatabase Værdier: 0
Inficerede Registeringsdatabase Filer: 0
Inficerede Mapper: 0
Inficerede Filer: 1

Inficerede Hukommelses Processer:
(Ingen mistænkelige filer fundet)

Inficerede Hukommelses Moduler:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Nøgler:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Værdier:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Filer:
(Ingen mistænkelige filer fundet)

Inficerede Mapper:
(Ingen mistænkelige filer fundet)

Inficerede Filer:
C:\WINDOWS\system32\drivers\ftelxnj.0ys (Trojan.FakeAlert) -> Quarantined and deleted successfully.

ComboFix 08-09-20.05 - Steen  Allan Nielsen 2008-09-23 14:59:22.1 - FAT32x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1030.18.615 [GMT 2:00]
Running from: C:\Documents and Settings\Steen  Allan Nielsen\Skrivebord\Spywarefri\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((  Files Created from 2008-08-23 to 2008-09-23  )))))))))))))))))))))))))))))))
.

2008-12-15 19:06 . 2008-12-15 19:06    <DIR>    d--------    C:\Documents and Settings\Steen  Allan Nielsen\Application Data\Malwarebytes
2008-12-15 18:07 . 2008-12-15 18:07    <DIR>    d--------    C:\Documents and Settings\Steen  Allan Nielsen\Application Data\AVS4YOU
2008-12-15 17:44 . 2007-02-27 19:36    974,848    --a------    C:\WINDOWS\system32\mfc70.dll
2008-12-15 17:44 . 2007-02-27 19:36    487,424    --a------    C:\WINDOWS\system32\msvcp70.dll
2008-12-15 17:44 . 2007-02-27 19:36    344,064    --a------    C:\WINDOWS\system32\msvcr70.dll
2008-12-15 17:44 . 2007-02-27 19:36    24,576    --a------    C:\WINDOWS\system32\msxml3a.dll
2008-09-22 17:18 . 2008-09-22 17:18    268    --ah-----    C:\sqmdata08.sqm
2008-09-22 17:18 . 2008-09-22 17:18    244    --ah-----    C:\sqmnoopt08.sqm
2008-09-14 16:43 . 2008-09-14 16:43    <DIR>    d--------    C:\Documents and Settings\LocalService\Skrivebord
2008-08-24 10:15 . 2008-08-24 10:15    <DIR>    d--hs----    C:\FOUND.003

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 19:00    ---------    d-----w    C:\Programmer\sixteen tons entertainment
2008-12-15 17:06    ---------    d-----w    C:\Programmer\Malwarebytes' Anti-Malware
2008-12-15 17:06    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-15 16:07    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-12-15 15:44    ---------    d-----w    C:\Programmer\Fælles filer\AVSMedia
2008-12-15 15:44    ---------    d-----w    C:\Programmer\AVS4YOU
2008-09-09 22:04    38,528    ----a-w    C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-09 22:03    17,200    ----a-w    C:\WINDOWS\system32\drivers\mbam.sys
2008-08-15 14:12    ---------    d-----w    C:\Documents and Settings\Steen  Allan Nielsen\Application Data\SmartFTP
2008-08-15 14:11    ---------    d-----w    C:\Programmer\SmartFTP Client 3.0 Setup Files
2008-08-15 14:11    ---------    d-----w    C:\Programmer\SmartFTP Client
2008-08-14 16:42    ---------    d-----w    C:\Programmer\GameSpy Arcade
2008-08-14 16:36    ---------    d-----w    C:\Programmer\EA GAMES
2008-08-05 22:19    107,888    ----a-w    C:\WINDOWS\system32\CmdLineExt.dll
2008-07-30 10:25    151,771    ----a-w    C:\WINDOWS\HAM Uninstaller.exe
2008-07-28 18:47    ---------    d-----w    C:\Documents and Settings\Steen  Allan Nielsen\Application Data\Creative
2008-07-28 18:43    ---------    d-----w    C:\Programmer\ArcSoft
2008-07-28 18:41    ---------    d-----w    C:\Programmer\Creative
2008-07-27 15:57    ---------    d-----w    C:\Programmer\123Video
2008-07-21 10:03    60,416    ----a-w    C:\WINDOWS\ALCFDRTM.EXE
2008-07-18 20:10    94,920    ----a-w    C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-18 20:10    94,920    ----a-w    C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10    53,448    ----a-w    C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10    53,448    ----a-w    C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-18 20:10    45,768    ----a-w    C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10    36,552    ----a-w    C:\WINDOWS\system32\wups.dll
2008-07-18 20:10    36,552    ----a-w    C:\WINDOWS\system32\dllcache\wups.dll
2008-07-18 20:09    563,912    ----a-w    C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09    563,912    ----a-w    C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-18 20:09    325,832    ----a-w    C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09    325,832    ----a-w    C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-18 20:09    205,000    ----a-w    C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09    205,000    ----a-w    C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-18 20:09    1,811,656    ----a-w    C:\WINDOWS\system32\wuaueng.dll
2008-07-18 20:09    1,811,656    ----a-w    C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-18 20:07    270,880    ----a-w    C:\WINDOWS\system32\mucltui.dll
2008-07-18 20:07    210,976    ----a-w    C:\WINDOWS\system32\muweb.dll
2008-07-07 20:29    253,952    ----a-w    C:\WINDOWS\system32\es.dll
2008-07-07 20:29    253,952    ------w    C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:44    74,240    ----a-w    C:\WINDOWS\system32\mscms.dll
2008-06-24 16:44    74,240    ------w    C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 08:33    3,592,192    ------w    C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20    13,824    ------w    C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-23 09:19    70,656    ------w    C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:19    625,664    ------w    C:\WINDOWS\system32\dllcache\iexplore.exe
.

(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="C:\Programmer\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Picasa Media Detector"="C:\Programmer\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Programmer\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"F-Secure Manager"="C:\Programmer\F-Secure\Common\FSM32.EXE" [2007-08-27 182952]
"F-Secure TNB"="C:\Programmer\F-Secure\FSGUI\TNBUtil.exe" [2007-08-27 895600]
"QuickTime Task"="C:\Programmer\QuickTime\qttask.exe" [2008-03-28 413696]
"iTunesHelper"="C:\Programmer\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"Creative WebCam Tray"="C:\Programmer\Creative\Shared Files\CAMTRAY.EXE" [2004-07-30 245760]
"SoundMan"="SOUNDMAN.EXE" [2004-06-17 C:\WINDOWS\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2004-06-17 C:\WINDOWS\ALCWZRD.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.vp31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmer\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programmer\\Bonjour\\mDNSResponder.exe"=
"C:\\Programmer\\iTunes\\iTunes.exe"=
"C:\\Programmer\\Windows Live\\Messenger\\MsnMsgr.Exe"=
"C:\\Programmer\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Programmer\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Programmer\\GameSpy Arcade\\Aphex.exe"=
"C:\\Programmer\\SmartFTP Client\\SmartFTP.exe"=
"C:\\WINDOWS\\System32\\dpvsetup.exe"=

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2007-08-27 60272]
R1 F-Secure HIPS;F-Secure HIPS;C:\Programmer\F-Secure\HIPS\fshs.sys [2007-08-27 70768]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Programmer\F-Secure\Anti-Virus\minifilter\fsgk.sys [2007-08-27 62064]
S0 lwcwkr;lwcwkr;C:\WINDOWS\system32\drivers\ftelxnj.sys [ ]
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;C:\WINDOWS\System32\PLCNDIS5.SYS [2002-09-10 17018]
S4 F-Secure Filter;F-Secure File System Filter;C:\Programmer\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2007-08-27 39792]
S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Programmer\F-Secure\Anti-Virus\Win2K\FSrec.sys [2007-08-27 25200]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R1 -: HKCU-Internet Settings,ProxyOverride = *.local

O16 -: {25C29129-E95F-4564-BFE3-000000006400} - hxxp://www.123hjemmeside.dk/builder/pages/KvikVideo-6-4-0-0.CAB
C:\WINDOWS\Downloaded Program Files\VEAX.INF

O16 -: {4445EA6A-9008-40D5-9160-035FDE5214C4} - hxxp://www.123hjemmeside.dk/builder/pages/Mpu-dk-1-0-0-8.cab
C:\WINDOWS\Downloaded Program Files\MPU-DK.INF

O16 -: {8C379EAB-FB26-4B71-BB5C-05B4C96E4851} - hxxp://www.123hjemmeside.dk/builder/pages/KvikFoto-1-0-6.CAB
C:\WINDOWS\Downloaded Program Files\KvikFoto-1-0-6.INF
C:\WINDOWS\system32\Decenc32.dll
C:\WINDOWS\system32\ijl11.dll
C:\WINDOWS\Downloaded Program Files\KvikFoto-1-0-6.ocx
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-23 15:01:07
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-23 15:01:54
ComboFix-quarantined-files.txt  2008-09-23 13:01:48

Pre-Run: 170.937.778.176 byte ledig
Post-Run: 171,109,089,280 byte ledig

145    --- E O F ---    2008-09-10 12:37:33

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:03:30, on 23-09-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmer\Java\jre1.6.0_06\bin\jusched.exe
C:\Programmer\F-Secure\Common\FSM32.EXE
C:\Programmer\iTunes\iTunesHelper.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Picasa2\PicasaMediaDetector.exe
C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmer\Bonjour\mDNSResponder.exe
C:\Programmer\F-Secure\Anti-Virus\fsgk32st.exe
C:\Programmer\F-Secure\Anti-Virus\FSGK32.EXE
C:\Programmer\F-Secure\Common\FSMA32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programmer\F-Secure\Common\FSMB32.EXE
C:\Programmer\F-Secure\Common\FCH32.EXE
C:\Programmer\iPod\bin\iPodService.exe
C:\Programmer\F-Secure\Common\FAMEH32.EXE
C:\Programmer\F-Secure\Anti-Virus\fsqh.exe
C:\Programmer\F-Secure\Common\FNRB32.EXE
C:\Programmer\F-Secure\Anti-Virus\fssm32.exe
C:\Programmer\F-Secure\FSAUA\program\fsaua.exe
C:\Programmer\F-Secure\Common\FIH32.EXE
C:\Programmer\F-Secure\FSGUI\fsguidll.exe
C:\Programmer\F-Secure\FWES\Program\fsdfwd.exe
C:\Programmer\F-Secure\Anti-Virus\fsav32.exe
C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Programmer\Java\jre1.6.0_06\bin\jucheck.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Steen  Allan Nielsen\Skrivebord\Spywarefri\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Hjælp til tilmelding til Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programmer\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programmer\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Programmer\Creative\Shared Files\CAMTRAY.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Programmer\Picasa2\PicasaMediaDetector.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://GLOBAL.ACER.COM/
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qp2.cvusyd.dk/qp2.cab
O16 - DPF: {25C29129-E95F-4564-BFE3-000000006400} (KvikVideo 6.4) - http://www.123hjemmeside.dk/builder/pages/KvikVideo-6-4-0-0.CAB
O16 - DPF: {4445EA6A-9008-40D5-9160-035FDE5214C4} (MultiUpload Class) - http://www.123hjemmeside.dk/builder/pages/Mpu-dk-1-0-0-8.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1211199343314
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1211543173328
O16 - DPF: {8C379EAB-FB26-4B71-BB5C-05B4C96E4851} (Hjemmeside.KvikFoto) - http://www.123hjemmeside.dk/builder/pages/KvikFoto-1-0-6.CAB
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Programmer\Bonjour\mDNSResponder.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Programmer\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Programmer\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Programmer\F-Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programmer\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programmer\F-Secure\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmer\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programmer\iPod\bin\iPodService.exe

--
End of file - 7202 bytes

Her er de alle samme. Og tak for hjælpen indtil videre!

velbekommen men john kikker på hijack. hvordan kører maskinen?

Der er ikke mere at komme efter :)

Tak, for hjælpen i to!

velbekommen

Anytime :)