CIO Tech Eksperten IT-JOB IT-Kurser Events Podcast Søg

Log ind eller opret profil

Du kan også logge ind via nedenstående tjenester

dufaux Nybegynder

28. november 2008 - 11:32 Der er 16 kommentarer

Antivirus 2009

Jeg blev i går inficeret med denne djævel, men tror dog, ved hjælp af en masse gode indlæg herinde, at jeg har fået bugt med den. Jeg har bl.a. lige kørt SUPERAntispyware. Jeg kunne dog godt bruge et klogt hovede, der kunne kigge min log fil igennem...

På forhånd mange tak og hvor er det stort, der er nogen der har viden og overskud til at hjælpe os uvidende og nødlidte!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:26:38, on 28-11-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Programmer\Fælles filer\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.61.130.01
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar2.dll
O2 - BHO: (no name) - {d6e14769-7523-4351-8cff-ff823c27f3b1} - C:\WINDOWS\system32\kagohaku.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programmer\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmer\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CPQHotKeys] hotkeysvc.exe
O4 - HKLM\..\Run: [CTHelper] cthelper.exe
O4 - HKLM\..\Run: [PcSync] PCsync.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FÆLLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmer\Fælles filer\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [duveketeta] Rundll32.exe "C:\WINDOWS\system32\yetubiyi.dll",s
O4 - HKLM\..\RunServices: [CPQHotKeys] hotkeysvc.exe
O4 - HKLM\..\RunServices: [CTHelper] cthelper.exe
O4 - HKLM\..\RunServices: [PcSync] PCsync.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CPQHotKeys] hotkeysvc.exe
O4 - HKCU\..\Run: [CTHelper] cthelper.exe
O4 - HKCU\..\Run: [PcSync] PCsync.exe
O4 - HKCU\..\Run: [EPSON Stylus DX8400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEE.EXE /FU "C:\WINDOWS\TEMP\E_SBB.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunServices: [CPQHotKeys] hotkeysvc.exe
O4 - HKCU\..\RunServices: [CTHelper] cthelper.exe
O4 - HKCU\..\RunServices: [PcSync] PCsync.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\Run: [duveketeta] Rundll32.exe "C:\WINDOWS\system32\yetubiyi.dll",s (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\Programmer\PartyGaming\PartyGammon\RunBackGammon.exe
O9 - Extra 'Tools' menuitem: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\Programmer\PartyGaming\PartyGammon\RunBackGammon.exe
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Programmer\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Programmer\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Programmer\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Programmer\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {07D09E9E-C667-45DD-B035-217BC2A61A3B} (ActiveX sikkerhedssoftware Control) - https://www.djs-netbank.dk/package/sdc/external/activex/ActiveXSikkerhedssoftware-prod-1.20.cab
O16 - DPF: {1D381386-B2F7-4A83-AE20-B9796A68397C} (proXSign Class) - https://www.borgerblanketter.dk/bb/proXSign1.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28177.cab
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040105/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/tdccsp-0506.exe
O16 - DPF: {D3426292-3750-4D80-9D0F-2816F61A6D15} (SpeedTest Control) - http://81.19.245.211/speedtest/SpeedTest_2.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4409/mcfscan.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28177.cab
O16 - DPF: {F9408298-9658-482C-8B02-93F09A80225F} - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-0104.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{91859C05-DF0C-4104-85A3-532636FF9FAA}: NameServer = 62.61.130.1,62.61.131.1
O20 - AppInit_DLLs: C:\WINDOWS\system32\yepogofa.dll c:\windows\system32\lebapide.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programmer\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmer\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Programmer\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: Spyware Doctor Service (sdCoreService) - Unknown owner - C:\Programmer\Spyware Doctor\swdsvc.exe (file missing)

--
End of file - 10431 bytes

Synes godt om

Computer Hjælp (Gratis) Mester

28. november 2008 - 11:35 #1

Joooo - der er (stadig) en del mistænkelige elementer... ->

Hent og instalér CCleaner http://www.ccleaner.com/ + http://www.spywarefri.dk/manualer/ccleaner-manual.htm
Under installationen får du tilbudt [Yahoo Toolbar]. Du kan sige ja eller *NEJ* til den.
Lad programmet foretage en oprydning...

--------

Hent Malwarebytes Anti-Malware herfra:
http://www.besttechie.net/tools/mbam-setup.exe
Eller herfra ->
http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

Installer programmet - når det er gjort skal du lade programmet opdatere sig. Herefter åbner et vindue, hvor du skal flytte prikken til "Kør et fuldstændigt systemscan" - klik på Skan Knappen - lad programmet arbejde. Når det er færdig (det tager lidt tid afhængig af hvor meget du har på computeren).
Derefter - Tryk på "Vis resultater" knappen efter scanningen - og herefter tryk på "Fjern det valgte" - nu åbnes log'en og du skal gemme den et sted, hvor du kan finde den igen.
Kopier indholdet herind sammen med en frisk log fra HiJackThis...

Synes godt om

dufaux Nybegynder

28. november 2008 - 13:15 #2

Hej igen og tusind tak for dit hurtige svar.

Hermed sender jeg log fra scanningen samt en frisk log fra HijackThis:

Malwarebytes' Anti-Malware 1.30
Database version: 1430
Windows 5.1.2600 Service Pack 3

28-11-2008 13:06:22
mbam-log-2008-11-28 (13-05-39).txt

Skan type: Fuldstændig skanning (C:\|D:\|E:\|)
Objekter skannet: 158183
Tid tilbagelagt: 30 minute(s), 7 second(s)

Inficerede Hukommelses Processer: 0
Inficerede Hukommelses Moduler: 0
Inficerede Registeringsdatabase Nøgler: 6
Inficerede Registeringsdatabase Værdier: 1
Inficerede Registeringsdatabase Filer: 1
Inficerede Mapper: 0
Inficerede Filer: 9

Inficerede Hukommelses Processer:
(Ingen mistænkelige filer fundet)

Inficerede Hukommelses Moduler:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Nøgler:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d6e14769-7523-4351-8cff-ff823c27f3b1} (Trojan.BHO.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{d6e14769-7523-4351-8cff-ff823c27f3b1} (Trojan.BHO.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{037c7b8a-151a-49e6-baed-cc05fcb50328} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{037c7b8a-151a-49e6-baed-cc05fcb50328} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-0000-0000-0000-000020040000} (Trojan.Dialer) -> No action taken.

Inficerede Registeringsdatabase Værdier:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\duveketeta (Trojan.Agent) -> No action taken.

Inficerede Registeringsdatabase Filer:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.

Inficerede Mapper:
(Ingen mistænkelige filer fundet)

Inficerede Filer:
C:\WINDOWS\SYSTEM32\yulugezu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\uzeguluy.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\pabewisa.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\asiwebap.ini2 (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\kagohaku.dll (Trojan.BHO.H) -> No action taken.
C:\System Volume Information\_restore{6048404E-B36D-4950-851C-FF5C772B95CD}\RP1396\A0130658.CPL (Rogue.XPantivirus) -> No action taken.
C:\WINDOWS\SYSTEM32\yetubiyi.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\SYSTEM32\~.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Administrator\Skrivebord\lsass.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:15:07, on 28-11-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Programmer\Fælles filer\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.61.130.01
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar2.dll
O2 - BHO: (no name) - {d6e14769-7523-4351-8cff-ff823c27f3b1} - C:\WINDOWS\system32\kagohaku.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programmer\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmer\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CPQHotKeys] hotkeysvc.exe
O4 - HKLM\..\Run: [CTHelper] cthelper.exe
O4 - HKLM\..\Run: [PcSync] PCsync.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FÆLLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmer\Fælles filer\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [duveketeta] Rundll32.exe "C:\WINDOWS\system32\yetubiyi.dll",s
O4 - HKLM\..\RunServices: [CPQHotKeys] hotkeysvc.exe
O4 - HKLM\..\RunServices: [CTHelper] cthelper.exe
O4 - HKLM\..\RunServices: [PcSync] PCsync.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CPQHotKeys] hotkeysvc.exe
O4 - HKCU\..\Run: [CTHelper] cthelper.exe
O4 - HKCU\..\Run: [PcSync] PCsync.exe
O4 - HKCU\..\Run: [EPSON Stylus DX8400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEE.EXE /FU "C:\WINDOWS\TEMP\E_SBB.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunServices: [CPQHotKeys] hotkeysvc.exe
O4 - HKCU\..\RunServices: [CTHelper] cthelper.exe
O4 - HKCU\..\RunServices: [PcSync] PCsync.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\Run: [duveketeta] Rundll32.exe "C:\WINDOWS\system32\yetubiyi.dll",s (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\Programmer\PartyGaming\PartyGammon\RunBackGammon.exe
O9 - Extra 'Tools' menuitem: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\Programmer\PartyGaming\PartyGammon\RunBackGammon.exe
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Programmer\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Programmer\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Programmer\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Programmer\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {07D09E9E-C667-45DD-B035-217BC2A61A3B} (ActiveX sikkerhedssoftware Control) - https://www.djs-netbank.dk/package/sdc/external/activex/ActiveXSikkerhedssoftware-prod-1.20.cab
O16 - DPF: {1D381386-B2F7-4A83-AE20-B9796A68397C} (proXSign Class) - https://www.borgerblanketter.dk/bb/proXSign1.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28177.cab
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040105/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/tdccsp-0506.exe
O16 - DPF: {D3426292-3750-4D80-9D0F-2816F61A6D15} (SpeedTest Control) - http://81.19.245.211/speedtest/SpeedTest_2.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4409/mcfscan.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28177.cab
O16 - DPF: {F9408298-9658-482C-8B02-93F09A80225F} - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-0104.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{91859C05-DF0C-4104-85A3-532636FF9FAA}: NameServer = 62.61.130.1,62.61.131.1
O20 - AppInit_DLLs: C:\WINDOWS\system32\yepogofa.dll c:\windows\system32\lebapide.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programmer\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmer\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Programmer\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: Spyware Doctor Service (sdCoreService) - Unknown owner - C:\Programmer\Spyware Doctor\swdsvc.exe (file missing)

--
End of file - 10446 bytes

Synes godt om

Computer Hjælp (Gratis) Mester

28. november 2008 - 13:55 #3

Om igen med [Malwarebytes' Anti-Malware]

" -> No action taken." ???

Citat: Tryk på "Vis resultater" knappen efter scanningen - og herefter tryk på "Fjern det valgte" - ...

Synes godt om

f-arn Guru

28. november 2008 - 13:55 #4

Scan med mbam igen og husk "Fjern det valgte"

Synes godt om

Computer Hjælp (Gratis) Mester

28. november 2008 - 13:56 #5

... incl NY log fra HiJackThis ...

Synes godt om

dufaux Nybegynder

29. november 2008 - 11:29 #6

hej igen

hermed log fra Malewarebytes og HijackThis

Malwarebytes' Anti-Malware 1.30
Database version: 1430
Windows 5.1.2600 Service Pack 3

29-11-2008 01:04:01
mbam-log-2008-11-29 (01-04-01).txt

Skan type: Fuldstændig skanning (C:\|D:\|E:\|)
Objekter skannet: 159091
Tid tilbagelagt: 36 minute(s), 19 second(s)

Inficerede Hukommelses Processer: 0
Inficerede Hukommelses Moduler: 2
Inficerede Registeringsdatabase Nøgler: 3
Inficerede Registeringsdatabase Værdier: 5
Inficerede Registeringsdatabase Filer: 2
Inficerede Mapper: 0
Inficerede Filer: 5

Inficerede Hukommelses Processer:
(Ingen mistænkelige filer fundet)

Inficerede Hukommelses Moduler:
C:\WINDOWS\SYSTEM32\jewipaje.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\SYSTEM32\bikehizi.dll (Trojan.BHO) -> Delete on reboot.

Inficerede Registeringsdatabase Nøgler:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Inficerede Registeringsdatabase Værdier:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\31281644 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm321b25d8 (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\duveketeta (Trojan.Agent) -> Quarantined and deleted successfully.

Inficerede Registeringsdatabase Filer:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\bikehizi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: system32\bikehizi.dll -> Quarantined and deleted successfully.

Inficerede Mapper:
(Ingen mistænkelige filer fundet)

Inficerede Filer:
C:\WINDOWS\SYSTEM32\jewipaje.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\ejapiwej.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\SYSTEM32\bikehizi.dll (Trojan.BHO) -> Delete on reboot.
C:\System Volume Information\_restore{6048404E-B36D-4950-851C-FF5C772B95CD}\RP1396\A0131073.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6048404E-B36D-4950-851C-FF5C772B95CD}\RP1396\A0131075.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:45, on 29-11-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Programmer\Fælles filer\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmer\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.61.130.01
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar2.dll
O2 - BHO: (no name) - {d6e14769-7523-4351-8cff-ff823c27f3b1} - C:\WINDOWS\system32\kagohaku.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programmer\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmer\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CPQHotKeys] hotkeysvc.exe
O4 - HKLM\..\Run: [CTHelper] cthelper.exe
O4 - HKLM\..\Run: [PcSync] PCsync.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FÆLLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmer\Fælles filer\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunServices: [CPQHotKeys] hotkeysvc.exe
O4 - HKLM\..\RunServices: [CTHelper] cthelper.exe
O4 - HKLM\..\RunServices: [PcSync] PCsync.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CPQHotKeys] hotkeysvc.exe
O4 - HKCU\..\Run: [CTHelper] cthelper.exe
O4 - HKCU\..\Run: [PcSync] PCsync.exe
O4 - HKCU\..\Run: [EPSON Stylus DX8400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEE.EXE /FU "C:\WINDOWS\TEMP\E_SBB.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunServices: [CPQHotKeys] hotkeysvc.exe
O4 - HKCU\..\RunServices: [CTHelper] cthelper.exe
O4 - HKCU\..\RunServices: [PcSync] PCsync.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\Programmer\PartyGaming\PartyGammon\RunBackGammon.exe
O9 - Extra 'Tools' menuitem: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\Programmer\PartyGaming\PartyGammon\RunBackGammon.exe
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Programmer\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Programmer\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Programmer\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Programmer\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {07D09E9E-C667-45DD-B035-217BC2A61A3B} (ActiveX sikkerhedssoftware Control) - https://www.djs-netbank.dk/package/sdc/external/activex/ActiveXSikkerhedssoftware-prod-1.20.cab
O16 - DPF: {1D381386-B2F7-4A83-AE20-B9796A68397C} (proXSign Class) - https://www.borgerblanketter.dk/bb/proXSign1.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28177.cab
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040105/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/tdccsp-0506.exe
O16 - DPF: {D3426292-3750-4D80-9D0F-2816F61A6D15} (SpeedTest Control) - http://81.19.245.211/speedtest/SpeedTest_2.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4409/mcfscan.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28177.cab
O16 - DPF: {F9408298-9658-482C-8B02-93F09A80225F} - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-0104.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{91859C05-DF0C-4104-85A3-532636FF9FAA}: NameServer = 62.61.130.1,62.61.131.1
O20 - AppInit_DLLs: c:\windows\system32\lebapide.dll c:\windows\system32\dokanisu.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programmer\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmer\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Programmer\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: Spyware Doctor Service (sdCoreService) - Unknown owner - C:\Programmer\Spyware Doctor\swdsvc.exe (file missing)

--
End of file - 10368 bytes

Håber det var bedre :o)

Synes godt om

fromsej Praktikant

29. november 2008 - 11:34 #7

Der er mindst tre orm/trojans til stede i loggen, men det klarer kariselarry, regner jeg med.
(Hint:Combofix - Hint 2:De ligger tre steder i O4)
Om der er flere ved jeg ikke på siddende r*v. ;-)

Synes godt om

dufaux Nybegynder

29. november 2008 - 11:40 #8

Det var dog Sørens, men jeg sætter min lid til Karise larry, det lader til hun er gud på dette område :o)

Jeg kører lige SUPERantispyware igen, det kan være den kan finde de sidste. Tusind tak for kigget og kommentaren :o)

duf

Synes godt om

fromsej Praktikant

29. november 2008 - 12:04 #9

Det var nok bedre at gå i gang med Combofix.

Hent Combofix, og gem den på dit skrivebord:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

-- Kør så combofix.exe, og følg anvisningerne.
Du bør ikke klikke på vinduet imens værktøjet kører, idet det kan få din computer til at fryse.
Når combofix er færdig, og efter det har genstartet, skulle der gerne åbnes en logfil: combofix.txt
Indholdet af denne fil må du gerne lægge herind.

Synes godt om

dufaux Nybegynder

29. november 2008 - 12:51 #10

Her er logfilen fra Combofix. Jeg skal en tur i byen nu, så svarer først i aften, hvis der er andet jeg kan gøre for at afhjælpe min stakkels pc :o)

ComboFix 08-11-28.03 - ulrik 2008-11-29 12:33:43.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1030.18.300 [GMT 1:00]
Kører fra: c:\documents and settings\ulrik\Skrivebord\ComboFix.exe
* Dannede nyt systemgendannelsespunkt

[COLOR=RED][B]advarsel -DENNE MASKINE HAR IKKE GENOPRETTELSESKONSOL INSTALLERET !![/B][/COLOR]
.

((((((((((((((((((((((((((((((((((((((( Andet, der er slettet )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\start.exe
c:\windows\system32\newuwiyo.dll
c:\windows\system32\open.ico
c:\windows\Web\default.htt

.
((((((((((((((((((((((((((((( Filer skabt fra 2008-10-28 til 2008-11-29 )))))))))))))))))))))))))))))))))))
.

2008-11-28 12:06 . 2008-11-28 12:06 <DIR> d-------- c:\programmer\Malwarebytes' Anti-Malware
2008-11-28 12:06 . 2008-11-28 12:06 <DIR> d-------- c:\documents and settings\ulrik\Application Data\Malwarebytes
2008-11-28 12:06 . 2008-11-28 12:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-28 12:06 . 2008-10-22 16:10 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-11-28 12:06 . 2008-10-22 16:10 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2008-11-28 11:56 . 2008-11-28 11:56 <DIR> d-------- c:\programmer\CCleaner
2008-11-28 11:34 . 2008-11-28 11:34 <DIR> d-------- C:\Contents
2008-11-28 10:58 . 2008-11-28 10:58 1,564,723 ---hs---- c:\windows\SYSTEM32\asiwebap.tmp
2008-11-28 10:51 . 2008-11-28 10:51 <DIR> d-------- c:\programmer\SUPERAntiSpyware
2008-11-28 10:51 . 2008-11-28 10:51 <DIR> d-------- c:\documents and settings\ulrik\Application Data\SUPERAntiSpyware.com
2008-11-28 10:51 . 2008-11-28 10:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-28 09:59 . 2008-11-28 09:59 <DIR> d-------- c:\programmer\Trend Micro
2008-11-28 00:17 . 2008-11-28 00:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-14 09:56 . 2006-10-22 15:06 208,896 --a------ c:\windows\SYSTEM32\NVUNINST.EXE
2008-11-14 09:54 . 2008-11-14 09:54 <DIR> d-------- c:\programmer\SystemRequirementsLab
2008-11-14 00:11 . 2008-11-14 00:11 <DIR> d--hs---- C:\FOUND.014
2008-11-12 09:41 . 2008-11-12 09:45 0 --a------ c:\documents and settings\ulrik\temp.dat
2008-11-12 08:43 . 2008-09-04 18:17 1,106,944 --------- c:\windows\SYSTEM32\dllcache\msxml3.dll
2008-11-12 08:43 . 2008-10-24 12:21 455,296 --------- c:\windows\SYSTEM32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-17 14:10 --------- d-----w c:\documents and settings\ulrik\Application Data\Printer Info Cache
2008-10-17 13:22 --------- d-----w c:\documents and settings\ulrik\Application Data\U3
2008-10-16 20:16 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2008-10-16 13:13 202,776 ----a-w c:\windows\SYSTEM32\wuweb.dll
2008-10-16 13:13 202,776 ----a-w c:\windows\SYSTEM32\dllcache\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\SYSTEM32\wuaueng.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\SYSTEM32\dllcache\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\SYSTEM32\dllcache\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\SYSTEM32\wucltui.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\SYSTEM32\dllcache\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\SYSTEM32\dllcache\cdm.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\SYSTEM32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\SYSTEM32\wuauclt.exe
2008-10-16 13:09 51,224 ----a-w c:\windows\SYSTEM32\dllcache\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\SYSTEM32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\SYSTEM32\wups.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\SYSTEM32\dllcache\wups.dll
2008-10-15 17:37 337,408 ------w c:\windows\SYSTEM32\dllcache\netapi32.dll
2008-10-03 18:12 6,066,176 ------w c:\windows\SYSTEM32\dllcache\ieframe.dll
2008-09-15 16:27 1,846,400 ----a-w c:\windows\SYSTEM32\win32k.sys
2008-09-15 16:27 1,846,400 ------w c:\windows\SYSTEM32\dllcache\win32k.sys
2008-09-10 01:15 1,307,648 ----a-w c:\windows\SYSTEM32\msxml6.dll
2008-09-10 01:15 1,307,648 ------w c:\windows\SYSTEM32\dllcache\msxml6.dll
2008-09-08 11:41 333,824 ------w c:\windows\SYSTEM32\dllcache\srv.sys
2008-09-04 17:17 1,106,944 ----a-w c:\windows\SYSTEM32\msxml3.dll
2006-11-15 17:59 20,064 ----a-w c:\documents and settings\ulrik\Application Data\GDIPFONTCACHEV1.DAT
2003-12-24 15:06 266 --sh--w c:\programmer\desktop.ini
2003-12-24 15:06 10,984 ---h--w c:\programmer\folder.htt
2005-08-09 18:59 104 --sh--r c:\windows\SYSTEM32\B52BE76F2D.sys
2007-08-07 10:27 7,674 --sha-w c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((( Start steder i reg.basen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Bemærk* tomme linier & lovlige standard linier vises ikke
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2008-04-14 18:05 8472576 --a------ c:\windows\SYSTEM32\SHELL32.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"EPSON Stylus DX8400 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICEE.EXE" [2007-04-12 182272]
"msnmsgr"="c:\programmer\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"SUPERAntiSpyware"="c:\programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-17 1805552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\programmer\Fælles filer\Real\Update_OB\realsched.exe" [2004-09-12 180269]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"ISUSPM Startup"="c:\progra~1\FÆLLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-11-16 226224]
"ISUSScheduler"="c:\programmer\Fælles filer\InstallShield\UpdateService\issch.exe" [2006-11-16 86960]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\SYSTEM32\nwiz.exe]
"PD0620 STISvc"="P0620Pin.dll" [2005-05-10 c:\windows\SYSTEM32\P0620Pin.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menuen Start\Programmer\Start\
Microsoft Office.lnk - c:\programmer\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Adobe Reader Hurtigstart.lnk - c:\programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programmer\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 c:\programmer\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmer\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enGB-downloader.exe"=
"c:\\Programmer\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enGB-downloader.exe"=
"c:\\Programmer\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enGB-downloader.exe"=
"c:\\Programmer\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enGB-downloader.exe"=
"c:\\Programmer\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enGB-downloader.exe"=
"c:\\Programmer\\World of Warcraft\\WoW-2.0.3-enGB-downloader.exe"=
"c:\\Programmer\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enGB-downloader.exe"=
"c:\\Programmer\\World of Warcraft\\WoW-1.9.4.5086-to-1.10.0.5195-enGB-downloader.exe"=
"c:\\Programmer\\World of Warcraft\\WoW-1.9.2.4996-to-1.9.3.5059-enGB-downloader.exe"=
"c:\\Programmer\\World of Warcraft\\WoW-1.9.0-enGB-downloader.exe"=
"c:\\Programmer\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enGB-patch-downloader.exe"=
"c:\\Programmer\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enGB-downloader.exe"=
"c:\\Programmer\\World of Warcraft\\WoW-1.11.2.5464-to-1.12.0.5595-enGB-downloader.exe"=
"c:\\Programmer\\World of Warcraft\\WoW-1.11.1.5462-to-1.11.2.5464-enGB-downloader.exe"=
"c:\\Programmer\\World of Warcraft\\WoW-1.10.2.5302-to-1.11.0.5428-enGB-downloader.exe"=
"c:\\Programmer\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Ulrik\\tdchasti.exe"=
"c:\\Programmer\\Messenger\\MSMSGS.EXE"=
"c:\\Programmer\\eMule\\EMULE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmer\\MSN Messenger\\msnmsgr.exe"=
"c:\\Programmer\\MSN Messenger\\livecall.exe"=
"c:\\Programmer\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet-netværkskort;c:\windows\system32\DRIVERS\AN983.sys [2003-12-24 36224]
S4 hpt3xx;hpt3xx; []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a
.
Indhold af mappen 'Planlagte Opgaver'

2008-11-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmer\Apple Software Update\SoftwareUpdate.exe []
.
- - - - TOMME GENVEJE FJERNET - - - -

BHO-{d6e14769-7523-4351-8cff-ff823c27f3b1} - c:\windows\system32\kagohaku.dll
HKCU-Run-CPQHotKeys - hotkeysvc.exe
HKCU-Run-CTHelper - cthelper.exe
HKCU-Run-PcSync - PCsync.exe
HKCU-RunServices-CPQHotKeys - hotkeysvc.exe
HKCU-RunServices-CTHelper - cthelper.exe
HKCU-RunServices-PcSync - PCsync.exe
HKLM-Run-CPQHotKeys - hotkeysvc.exe
HKLM-Run-CTHelper - cthelper.exe
HKLM-Run-PcSync - PCsync.exe
HKLM-RunServices-CPQHotKeys - hotkeysvc.exe
HKLM-RunServices-CTHelper - cthelper.exe
HKLM-RunServices-PcSync - PCsync.exe

.
------- Yderligere scanning -------
.
uStart Page = hxxp://www.google.dk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar =
uInternet Settings,ProxyServer = 62.61.130.01
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - c:\programmer\PartyGaming\PartyGammon\RunBackGammon.exe
IE: {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - c:\programmer\PartyGaming\PartyCasino\RunCasino.exe
IE: {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - c:\programmer\PartyGaming\PartyBingo\RunBingo.exe
IE: {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - c:\programmer\PartyGaming\PartyGammon\RunBackGammon.exe -
IE: {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - c:\programmer\PartyGaming\PartyCasino\RunCasino.exe -
IE: {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - c:\programmer\PartyGaming\PartyBingo\RunBingo.exe -
TCP: {91859C05-DF0C-4104-85A3-532636FF9FAA} = 62.61.130.1,62.61.131.1

O16 -: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
c:\windows\Downloaded Program Files\Internet Explorer Classes for Java.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\Rawflow.ocx - O16 -: {029FDBA6-3547-11D7-AA4C-0050BF051A00}
hxxp://downol.dr.dk/download/netradio/Rawflow.cab

c:\windows\Downloaded Program Files\EBJSecurity_2.dll - c:\windows\Downloaded Program Files\ActiveXSikkerhedssoftware.ocx
c:\windows\Downloaded Program Files\EBJSecurity_3.dll
O16 -: {07D09E9E-C667-45DD-B035-217BC2A61A3B}
hxxps://www.djs-netbank.dk/package/sdc/external/activex/ActiveXSikkerhedssoftware-prod-1.20.cab
c:\windows\Downloaded Program Files\comp.inf

c:\windows\Downloaded Program Files\nproXSign1.dll - O16 -: {1D381386-B2F7-4A83-AE20-B9796A68397C}
hxxps://www.borgerblanketter.dk/bb/proXSign1.cab
c:\windows\Downloaded Program Files\proXSign1.inf

c:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
c:\windows\Downloaded Program Files\SysReqLab3.osd

O16 -: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} - hxxps://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe

O16 -: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} - hxxps://udstedelse.certifikat.tdc.dk/csp/authenticode/tdccsp-0506.exe

c:\windows\Downloaded Program Files\SpeedTestProj1.ocx - O16 -: {D3426292-3750-4D80-9D0F-2816F61A6D15}
hxxp://81.19.245.211/speedtest/SpeedTest_2.cab

O16 -: {F9408298-9658-482C-8B02-93F09A80225F} - hxxps://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-0104.exe
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-29 12:45:32
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanner skjulte processer ...

scanner skjulte autostarter ...

scanner skjulte filer ...

scanning gennemført med succes
skjulte filer: 0

**************************************************************************
.
--------------------- DLLs startet under kørende Processer ---------------------

- - - - - - - > 'winlogon.exe'(396)
c:\programmer\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Andre kørende processer ------------------------
.
c:\programmer\LAVASOFT\AD-AWARE\AAWSERVICE.EXE
c:\windows\SYSTEM32\NVSVC32.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\system32\WgaTray.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\programmer\internet explorer\iexplore.exe
.
**************************************************************************
.
Gennemført tid: 2008-11-29 12:49:23 - maskinen blev genstartet
ComboFix-quarantined-files.txt 2008-11-29 11:49:20

Pre-Kørsel: 28.179.955.712 byte ledig
Post-Kørsel: 28,211,150,848 byte ledig

230 --- E O F --- 2008-11-13 09:24:15

Synes godt om

Computer Hjælp (Gratis) Mester

29. november 2008 - 17:53 #11

Lige en hurtig -> Sådan går det let når man 'leger' med P2P programmer -> *SUK*
c:\\Programmer\\eMule\\EMULE.EXE"
c:\\Programmer\\LimeWire\\LimeWire.exe"

Afinstaller

* eMule
* Limewire

Grrrrr... Det er jo lige meget hvor meget folk har på af sikkerhed/opdateringer. Hvis de først begynder at 'lege' med P2P programmer - eller retterer relutater derfra - så er det lige vidt !!!
http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=40284
http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=47308

via
[Start][Indstilninger][Kontrolpanel][Tilføj/fjern programmer]

Genstart for at fuldføre afinstalationen...

---------------------------------------

Synes godt om

fromsej Praktikant

30. november 2008 - 09:13 #12

Hent Ccleaner her:(Hvis du ikke allerede har kørt den)
http://www.filehippo.com/download_ccleaner/
Installer Ccleaner, husk at fjerne fluebenet udfor installation af Yahoo toolbar.
Start programmet, fjern fluebenet i cookies.
Klik på kør Cleaner og lad den fjerne hvad den finder.
Klik så på Register ovre i venstre side (den blå terning), klik på Skan efter problemer, når den er færdig, klik på Udbedre valgte problemer, lav evt. en backup af registreringsdatabasen, klik så på udbedre alle valgte problemer.
Klik på OK, klik på Luk når den er færdig.
Genstart.
---------------------------------------
Åbn et Notesblokvindue, kopiér indholdet mellem de bølgede linier ind i dokumentet, og gem indholdet i samme mappe, som Combofix ligger med navnet CFScript.txt. Når du gemmer, skal du sikre, at der under "filtyper" står "alle filer".

~~~~~~~~~~~~~~~~~~~~~~~~~~

Killall::
Snapshot::
File::
c:\windows\SYSTEM32\asiwebap.tmp
C:\Windows\System32\hotkeysvc.exe
C:\Windows\System32\PCsync.exe
C:\Windows\System32\cthelper.exe
Folder::
c:\Programmer\eMule
c:\Programmer\LimeWire

~~~~~~~~~~~~~~~~~~~~~~~~~~
Tag så fat i den nye fil med musen, og før den hen over Combofix-filen, hvorefter du "giver slip" med musen.
http://www.fromsej.saknet.dk/billeder/cfscript.gif
Så skulle Combofix gerne give sig til at arbejde. Muligvis vil den kræve en genstart, hvilket du skal tillade. Du bør ikke klikke på vinduet imens værktøjet kører, idet det kan få din computer til at fryse.
---------------------------------------
Vi skal se en frisk hijackthislog, samt den nye combofixlog.

Synes godt om

dufaux Nybegynder

30. november 2008 - 10:59 #13

Jeg er helt bevist om p2p programmerne og havde helt glemt jeg havde dem. Det er begge ca. ver.1.0 versioner da de er flere år gamle. De er nu afinstalleret.

Til FromSej: Jeg har kørt en Ccleaner, men gør det gerne igen...

Ny HijackThis log følger:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:41, on 30-11-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Programmer\Fælles filer\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.61.130.01
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar2.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programmer\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmer\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FÆLLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmer\Fælles filer\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus DX8400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEE.EXE /FU "C:\WINDOWS\TEMP\E_SBB.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\Programmer\PartyGaming\PartyGammon\RunBackGammon.exe
O9 - Extra 'Tools' menuitem: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\Programmer\PartyGaming\PartyGammon\RunBackGammon.exe
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Programmer\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Programmer\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Programmer\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Programmer\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {07D09E9E-C667-45DD-B035-217BC2A61A3B} (ActiveX sikkerhedssoftware Control) - https://www.djs-netbank.dk/package/sdc/external/activex/ActiveXSikkerhedssoftware-prod-1.20.cab
O16 - DPF: {1D381386-B2F7-4A83-AE20-B9796A68397C} (proXSign Class) - https://www.borgerblanketter.dk/bb/proXSign1.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28177.cab
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040105/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/tdccsp-0506.exe
O16 - DPF: {D3426292-3750-4D80-9D0F-2816F61A6D15} (SpeedTest Control) - http://81.19.245.211/speedtest/SpeedTest_2.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4409/mcfscan.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28177.cab
O16 - DPF: {F9408298-9658-482C-8B02-93F09A80225F} - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-0104.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{91859C05-DF0C-4104-85A3-532636FF9FAA}: NameServer = 62.61.130.1,62.61.131.1
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programmer\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmer\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Programmer\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: Spyware Doctor Service (sdCoreService) - Unknown owner - C:\Programmer\Spyware Doctor\swdsvc.exe (file missing)

--
End of file - 9329 bytes

Synes godt om

fromsej Praktikant

30. november 2008 - 12:00 #14

Har du kørt Combofix efter min vejledning?
Dette indlæg - 30/11-2008 09:13:40

Synes godt om

dufaux Nybegynder

30. november 2008 - 12:55 #15

Fromsej: Så har jeg gjort som du skrev. Hermed log fil fra Combofik og ny HijackThis log...

ComboFix 08-11-29.03 - ulrik 2008-11-30 12:32:33.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1030.18.289 [GMT 1:00]
Kører fra: c:\documents and settings\ulrik\Skrivebord\combofix\ComboFix.exe
Kommandoer benyttet :: c:\documents and settings\ulrik\Skrivebord\combofix\CFScript.txt..txt
* Dannede nyt systemgendannelsespunkt

[COLOR=RED][B]advarsel -DENNE MASKINE HAR IKKE GENOPRETTELSESKONSOL INSTALLERET !![/B][/COLOR]

FILE ::
c:\windows\SYSTEM32\asiwebap.tmp
c:\windows\System32\cthelper.exe
c:\windows\System32\hotkeysvc.exe
c:\windows\System32\PCsync.exe
.

((((((((((((((((((((((((((((((((((((((( Andet, der er slettet )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\SYSTEM32\asiwebap.tmp

.
((((((((((((((((((((((((((((( Filer skabt fra 2008-10-28 til 2008-11-30 )))))))))))))))))))))))))))))))))))
.

2008-11-28 12:06 . 2008-11-28 12:06 <DIR> d-------- c:\programmer\Malwarebytes' Anti-Malware
2008-11-28 12:06 . 2008-11-28 12:06 <DIR> d-------- c:\documents and settings\ulrik\Application Data\Malwarebytes
2008-11-28 12:06 . 2008-11-28 12:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-28 12:06 . 2008-10-22 16:10 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-11-28 12:06 . 2008-10-22 16:10 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2008-11-28 11:56 . 2008-11-28 11:56 <DIR> d-------- c:\programmer\CCleaner
2008-11-28 11:34 . 2008-11-28 11:34 <DIR> d-------- C:\Contents
2008-11-28 10:51 . 2008-11-28 10:51 <DIR> d-------- c:\programmer\SUPERAntiSpyware
2008-11-28 10:51 . 2008-11-28 10:51 <DIR> d-------- c:\documents and settings\ulrik\Application Data\SUPERAntiSpyware.com
2008-11-28 10:51 . 2008-11-28 10:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-28 09:59 . 2008-11-28 09:59 <DIR> d-------- c:\programmer\Trend Micro
2008-11-28 00:17 . 2008-11-28 00:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-14 09:56 . 2006-10-22 15:06 208,896 --a------ c:\windows\SYSTEM32\NVUNINST.EXE
2008-11-14 09:54 . 2008-11-14 09:54 <DIR> d-------- c:\programmer\SystemRequirementsLab
2008-11-14 00:11 . 2008-11-14 00:11 <DIR> d--hs---- C:\FOUND.014
2008-11-12 09:41 . 2008-11-12 09:45 0 --a------ c:\documents and settings\ulrik\temp.dat
2008-11-12 08:43 . 2008-09-04 18:17 1,106,944 --------- c:\windows\SYSTEM32\dllcache\msxml3.dll
2008-11-12 08:43 . 2008-10-24 12:21 455,296 --------- c:\windows\SYSTEM32\dllcache\mrxsmb.sys
2008-10-24 09:15 . 2008-10-15 18:37 337,408 --------- c:\windows\SYSTEM32\dllcache\netapi32.dll
2008-10-23 09:23 . 2008-10-23 09:23 <DIR> d--hs---- C:\FOUND.013
2008-10-17 15:10 . 2008-10-17 15:10 <DIR> d-------- c:\documents and settings\ulrik\Application Data\Printer Info Cache
2008-10-17 14:22 . 2008-10-17 14:22 <DIR> d-------- c:\documents and settings\ulrik\Application Data\U3
2008-10-16 21:16 . 2008-10-16 21:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard
2008-10-15 09:23 . 2008-09-08 12:41 333,824 --------- c:\windows\SYSTEM32\dllcache\srv.sys
2008-10-15 09:22 . 2008-08-14 15:25 2,191,744 --------- c:\windows\SYSTEM32\dllcache\ntoskrnl.exe
2008-10-15 09:22 . 2008-08-14 15:25 2,147,840 --------- c:\windows\SYSTEM32\dllcache\ntkrnlmp.exe
2008-10-15 09:22 . 2008-08-14 15:25 2,068,608 --------- c:\windows\SYSTEM32\dllcache\ntkrnlpa.exe
2008-10-15 09:22 . 2008-08-14 15:25 2,026,496 --------- c:\windows\SYSTEM32\dllcache\ntkrpamp.exe
2008-10-15 09:22 . 2008-09-15 17:27 1,846,400 --------- c:\windows\SYSTEM32\dllcache\win32k.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 13:13 202,776 ----a-w c:\windows\SYSTEM32\wuweb.dll
2008-10-16 13:13 202,776 ----a-w c:\windows\SYSTEM32\dllcache\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\SYSTEM32\wuaueng.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\SYSTEM32\dllcache\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\SYSTEM32\dllcache\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\SYSTEM32\wucltui.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\SYSTEM32\dllcache\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\SYSTEM32\dllcache\cdm.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\SYSTEM32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\SYSTEM32\wuauclt.exe
2008-10-16 13:09 51,224 ----a-w c:\windows\SYSTEM32\dllcache\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\SYSTEM32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\SYSTEM32\wups.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\SYSTEM32\dllcache\wups.dll
2008-10-03 18:12 6,066,176 ------w c:\windows\SYSTEM32\dllcache\ieframe.dll
2008-09-15 16:27 1,846,400 ----a-w c:\windows\SYSTEM32\win32k.sys
2008-09-10 01:15 1,307,648 ----a-w c:\windows\SYSTEM32\msxml6.dll
2008-09-10 01:15 1,307,648 ------w c:\windows\SYSTEM32\dllcache\msxml6.dll
2008-09-04 17:17 1,106,944 ----a-w c:\windows\SYSTEM32\msxml3.dll
2008-08-27 10:27 3,593,216 ------w c:\windows\SYSTEM32\dllcache\mshtml.dll
2008-08-25 09:38 13,824 ------w c:\windows\SYSTEM32\dllcache\ieudinit.exe
2008-08-25 09:36 70,656 ------w c:\windows\SYSTEM32\dllcache\ie4uinit.exe
2008-08-23 06:56 635,848 ------w c:\windows\SYSTEM32\dllcache\iexplore.exe
2008-08-23 06:54 161,792 ------w c:\windows\SYSTEM32\dllcache\ieakui.dll
2008-08-14 14:25 2,191,744 ----a-w c:\windows\SYSTEM32\ntoskrnl.exe
2008-08-14 14:25 2,068,608 ----a-w c:\windows\SYSTEM32\ntkrnlpa.exe
2008-08-14 11:04 138,496 ------w c:\windows\SYSTEM32\dllcache\afd.sys
2006-11-15 17:59 20,064 ----a-w c:\documents and settings\ulrik\Application Data\GDIPFONTCACHEV1.DAT
2003-12-24 15:06 266 --sh--w c:\programmer\desktop.ini
2003-12-24 15:06 10,984 ---h--w c:\programmer\folder.htt
2005-08-09 18:59 104 --sh--r c:\windows\SYSTEM32\B52BE76F2D.sys
2007-08-07 10:27 7,674 --sha-w c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((( Start steder i reg.basen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Bemærk* tomme linier & lovlige standard linier vises ikke
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2008-04-14 18:05 8472576 --a------ c:\windows\SYSTEM32\SHELL32.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"EPSON Stylus DX8400 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICEE.EXE" [2007-04-12 182272]
"msnmsgr"="c:\programmer\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"SUPERAntiSpyware"="c:\programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-17 1805552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\programmer\Fælles filer\Real\Update_OB\realsched.exe" [2004-09-12 180269]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"ISUSPM Startup"="c:\progra~1\FÆLLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-11-16 226224]
"ISUSScheduler"="c:\programmer\Fælles filer\InstallShield\UpdateService\issch.exe" [2006-11-16 86960]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\SYSTEM32\nwiz.exe]
"PD0620 STISvc"="P0620Pin.dll" [2005-05-10 c:\windows\SYSTEM32\P0620Pin.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menuen Start\Programmer\Start\
Microsoft Office.lnk - c:\programmer\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Adobe Reader Hurtigstart.lnk - c:\programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programmer\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 c:\programmer\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmer\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enGB-downloader.exe"=
"c:\\Programmer\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enGB-downloader.exe"=
"c:\\Programmer\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enGB-downloader.exe"=
"c:\\Programmer\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enGB-downloader.exe"=
"c:\\Programmer\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enGB-downloader.exe"=
"c:\\Programmer\\World of Warcraft\\WoW-2.0.3-enGB-downloader.exe"=
"c:\\Programmer\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enGB-downloader.exe"=
"c:\\Programmer\\World of Warcraft\\WoW-1.9.4.5086-to-1.10.0.5195-enGB-downloader.exe"=
"c:\\Programmer\\World of Warcraft\\WoW-1.9.2.4996-to-1.9.3.5059-enGB-downloader.exe"=
"c:\\Programmer\\World of Warcraft\\WoW-1.9.0-enGB-downloader.exe"=
"c:\\Programmer\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enGB-patch-downloader.exe"=
"c:\\Programmer\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enGB-downloader.exe"=
"c:\\Programmer\\World of Warcraft\\WoW-1.11.2.5464-to-1.12.0.5595-enGB-downloader.exe"=
"c:\\Programmer\\World of Warcraft\\WoW-1.11.1.5462-to-1.11.2.5464-enGB-downloader.exe"=
"c:\\Programmer\\World of Warcraft\\WoW-1.10.2.5302-to-1.11.0.5428-enGB-downloader.exe"=
"c:\\Programmer\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Ulrik\\tdchasti.exe"=
"c:\\Programmer\\Messenger\\MSMSGS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmer\\MSN Messenger\\msnmsgr.exe"=
"c:\\Programmer\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet-netværkskort;c:\windows\system32\DRIVERS\AN983.sys [2003-12-24 36224]
S4 hpt3xx;hpt3xx; []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a
.
Indhold af mappen 'Planlagte Opgaver'

2008-11-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmer\Apple Software Update\SoftwareUpdate.exe []
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-30 12:48:32
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanner skjulte processer ...

scanner skjulte autostarter ...

scanner skjulte filer ...

scanning gennemført med succes
skjulte filer: 0

**************************************************************************
.
--------------------- DLLs startet under kørende Processer ---------------------

- - - - - - - > 'winlogon.exe'(400)
c:\programmer\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Andre kørende processer ------------------------
.
c:\programmer\LAVASOFT\AD-AWARE\AAWSERVICE.EXE
c:\windows\SYSTEM32\NVSVC32.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\system32\WgaTray.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Gennemført tid: 2008-11-30 12:51:37 - maskinen blev genstartet
ComboFix-quarantined-files.txt 2008-11-30 11:51:34
ComboFix2.txt 2008-11-29 11:49:28

Pre-Kørsel: 30.318.362.624 byte ledig
Post-Kørsel: 30,315,085,824 byte ledig

189 --- E O F --- 2008-11-13 09:24:15

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54:43, on 30-11-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Programmer\Fælles filer\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.61.130.01
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar2.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programmer\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmer\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FÆLLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmer\Fælles filer\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus DX8400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEE.EXE /FU "C:\WINDOWS\TEMP\E_SBB.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\Programmer\PartyGaming\PartyGammon\RunBackGammon.exe
O9 - Extra 'Tools' menuitem: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\Programmer\PartyGaming\PartyGammon\RunBackGammon.exe
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Programmer\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Programmer\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Programmer\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Programmer\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {07D09E9E-C667-45DD-B035-217BC2A61A3B} (ActiveX sikkerhedssoftware Control) - https://www.djs-netbank.dk/package/sdc/external/activex/ActiveXSikkerhedssoftware-prod-1.20.cab
O16 - DPF: {1D381386-B2F7-4A83-AE20-B9796A68397C} (proXSign Class) - https://www.borgerblanketter.dk/bb/proXSign1.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28177.cab
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040105/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/tdccsp-0506.exe
O16 - DPF: {D3426292-3750-4D80-9D0F-2816F61A6D15} (SpeedTest Control) - http://81.19.245.211/speedtest/SpeedTest_2.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4409/mcfscan.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28177.cab
O16 - DPF: {F9408298-9658-482C-8B02-93F09A80225F} - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-0104.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{91859C05-DF0C-4104-85A3-532636FF9FAA}: NameServer = 62.61.130.1,62.61.131.1
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programmer\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmer\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Programmer\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: Spyware Doctor Service (sdCoreService) - Unknown owner - C:\Programmer\Spyware Doctor\swdsvc.exe (file missing)

--
End of file - 9302 bytes

Synes godt om

applezine Nybegynder

02. december 2008 - 09:03 #16

Malwarebytes burde være mere end rigeligt til at fjerne Antivirus 2009. (Gjorde jeg netop i går).

Og crapcleaner hjælper stortset intet hvis virussen er godt inde i maskinen, da det meste kommer igen når man går på nettet.

Afinstaller alt antivirus, combofix m.m ... spyware* (doctor osv).

Installer antivir, windows defender, malwarebytes og aktiver windows firewall. Genstart. Opdater antivir og malwarebytes. Genstart. Luk nettet. Kør en quick scan med malwarebytes og fjern alt den finder. Genstart. Du skulle nu gerne være clean.

Synes godt om

Ny bruger Nybegynder

Din løsning...

Tilladte BB-code-tags: [b]fed[/b] [i]kursiv[/i] [u]understreget[/u] Web- og emailadresser omdannes automatisk til links. Der sættes "nofollow" på alle links.

Følg dette spørgsmål

Opret Preview

Flere spørgsmål fra Virus kategorien

Titel	Indlæg	Oprettet	Seneste aktivitet
Anbefaling af antivirusprogram med firewall Af OnePlusFan i Virus	23	07/05/202421:02	13/05/202419:48
trusler Af gerhardpet i Virus	4	26/01/202410:02	27/01/202408:32
Kan ikke fjerne virus Af mik28 i Virus	16	09/01/202416:37	10/01/202419:59
virusscanning Af JetteD i Virus	2	10/11/202312:55	10/11/202316:36
Google ser ud til at være malware, lyder advarsel på alle vore mobiler! Af vbr i Virus	9	30/10/202312:12	15/12/202310:17

Se alle spørgsmål i kategorien Opret spørgsmål

Log ind eller opret profil

Hov!

For at kunne deltage på Computerworld Eksperten skal du være logget ind.

Det er heldigvis nemt at oprette en bruger: Det tager to minutter og du kan vælge at bruge enten e-mail, Facebook eller Google som login.

Du kan også logge ind via nedenstående tjenester

Alle kategorier på Eksperten

Seneste artiklerRSS