Hejsa

Vi starter med denne:

—Hent denne fil, og pak den ud til en mappe på skrivebordet:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
Dobbeltklik på filen, og lad den pakke sig ud til en mappe i roden af din harddisk (typisk: c:\SDfix)

—Genstart i fejlsikret, hvis du ikke ved hvordan så kig her:
http://www.ctrlaltdel.dk/forum/forum_posts.asp?TID=23&PN=1

—Gå så ind i mappen SDFix, som du fik oprettet tidligere. Dobbeltklik på filen RunThis.bat, for at starte værktøjet. Tryk “y” for at bekræfte, at du kører værktøjet på egen risiko. Så vil værktøjet gå i gang med at fjerne trojanservicen, og lave et par reparationer af registreringsdatabasen. På et tidspunkt vil det bede dig om at trykke en taste for at genstarte computeren. Det skal du gøre, hvorefter computeren vil genstarte efter 15 sekunder.

Genstarten vil tage lidt længere end sædvanligt, idet værktøjet skal have tid til at udføre sit arbejde. Når skrivebordet dukker op, vil værktøjet skrive “Finished”. Tryk herefter en taste for at indlæse dine skrivebordsikoner igen.

Åben så SDFix-mappen, find filen Report.txt, og kopier indholdet af denne fil herind, sammen med en ny log fra Hijackthis.

Kør SDFIX. Efter den lange genstart begyndte PC at sende mails igen

Nye logs:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 22:18:08, on 14-04-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe
C:\Programmer\Fælles filer\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Programmer\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmer\IBM\Bluetooth Software\bin\btwdins.exe
C:\Programmer\Norton AntiVirus\navapsvc.exe
C:\Programmer\Norton AntiVirus\IWP\NPFMntor.exe
C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Fælles filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Programmer\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Programmer\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\acs.exe
C:\Programmer\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programmer\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Programmer\Logitech\iTouch\iTouch.exe
C:\Programmer\Analog Devices\SoundMAX\SMax4PNP.exe
c:\drivers\1yvu13ww\zoom\tpscrex.exe
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\Programmer\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\TpScrLk.exe
C:\Programmer\ThinkPad\ConnectUtilities\ACTray.exe
C:\Programmer\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmer\SPAMfighter\SFAgent.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\msiexec.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programmer\MSN Messenger\usnsvc.exe
C:\Programmer\Norton AntiVirus\OPScan.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programmer\Internet Explorer\iexplore.exe
C:\Documents and Settings\MIT NAVN\Skrivebord\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programmer\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar4.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programmer\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google; - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar4.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Programmer\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Programmer\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmer\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmer\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Programmer\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Programmer\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ccApp] “C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe”
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrLk.exe
O4 - HKLM\..\Run: [ACTray] C:\Programmer\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Programmer\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] “C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM\..\Run: [SPAMfighter Agent] “C:\Programmer\SPAMfighter\SFAgent.exe” update delay 60
O4 - HKLM\..\Run: [!AVG Anti-Spyware] “C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] “C:\Programmer\MSN Messenger\MsnMsgr.Exe” /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘LOKAL TJENESTE’)
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘NETVÆRKSTJENESTE’)
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS\S-1-5-18\..\RunOnce: [supportdir] cmd /c “rmdir /q /s “C:\WINDOWS\TEMP\{DC78AACC-D3E4-4D92-95E8-42AFD802B8DB}”” (User ‘SYSTEM’)
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’)
O4 - HKUS\.DEFAULT\..\RunOnce: [supportdir] cmd /c “rmdir /q /s “C:\WINDOWS\TEMP\{DC78AACC-D3E4-4D92-95E8-42AFD802B8DB}”” (User ‘Default user’)
O4 - Startup: Fancontrol.lnk = C:\Fancontrol\fancontrol.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Reader 8.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&ksporter; til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send til &Bluetooth; - C:\Programmer\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Opret Foretrukken på mobil enhed - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\inetrepl.dll
O9 - Extra ‘Tools’ menuitem: Opret Foretrukken på mobil enhed… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmer\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra ‘Tools’ menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmer\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Opdatér ThinkPad-programmer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Programmer\ThinkPad\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe (file missing)
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe (file missing)
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D} (TurnTool Scene) - http://www.turntool.com/ViewerInstall.exe
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144432783136
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.lenovo.com/support/access/aslibmain/content/IbmEgath.cab
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {9B785917-E16B-4A9F-8E73-9D3346E4F0BC} (DivingPlugInX Control) - http://www.suuntosports.com/mysuunto/plugin/DivePlugIn.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://kort.htk.dk/acgm/Acgm.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Programmer\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Programmer\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programmer\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmer\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmer\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Programmer\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programmer\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programmer\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmer\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FÆLLES~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmer\Fælles filer\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Programmer\ThinkVantage\SystemUpdate\UCLauncherService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

—
End of file - 14125 bytes

SDFix: Version 1.78

Run by MIT NAVN - 14-04-2007 - 22:03:35,06

Microsoft Windows XP [version 5.1.2600]

Running From: C:\sdfix\SDFix

Safe Mode:
Checking Services:

Name:
EXAMPLE
Runtime

ImagePath:
\??\C:\WINDOWS\system32\main.sys
\??\C:\WINDOWS\System32\drivers\runtime.sys

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting…

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\SYSTEM32\ACCCON~1.HTM - Deleted
C:\WINDOWS\system32\6_exception.nls - Deleted
C:\WINDOWS\system32\config.exe - Deleted
C:\WINDOWS\system32\main.sys - Deleted

Could Not Remove C:\as.txt

Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

                      Final Check:

Remaining Services:
—————————

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
“%windir%\\system32\\sessmgr.exe”=”%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019”
“C:\\Programmer\\DC++\\DCPlusPlus.exe”=“C:\\Programmer\\DC++\\DCPlusPlus.exe:*:Enabled:DC++”
“C:\\Programmer\\MySQL\\mysql\\bin\\mysqld.exe”=“C:\\Programmer\\MySQL\\mysql\\bin\\mysqld.exe:*:Enabled:mysqld”
“C:\\Programmer\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe”=“C:\\Programmer\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe:*:Enabled:Dreamweaver MX”
“C:\\WINDOWS\\system32\\inetsrv\\inetinfo.exe”=“C:\\WINDOWS\\system32\\inetsrv\\inetinfo.exe:*:Enabled:inetinfo.exe”
“C:\\Programmer\\Microsoft SQL Server\\80\\Tools\\Binn\\sqlmangr.exe”=“C:\\Programmer\\Microsoft SQL Server\\80\\Tools\\Binn\\sqlmangr.exe:*:Enabled:Service Manager”
“C:\\Programmer\\Skype\\Phone\\Skype.exe”=“C:\\Programmer\\Skype\\Phone\\Skype.exe:*:Enabled:Skype”
“C:\\Programmer\\Internet Explorer\\iexplore.exe”=“C:\\Programmer\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer”
“C:\\Programmer\\SmartFTP\\SmartFTP.exe”=“C:\\Programmer\\SmartFTP\\SmartFTP.exe:*:Enabled:SmartFTP Client”
“C:\\Programmer\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe”=“C:\\Programmer\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe:*:Enabled:ThinkVantage System Update”
“C:\\Programmer\\uTorrent\\utorrent.exe”=“C:\\Programmer\\uTorrent\\utorrent.exe:*:Enabled:µTorrent”
“C:\\Programmer\\Microsoft ActiveSync\\wcescomm.exe”=“C:\\Programmer\\Microsoft ActiveSync\\wcescomm.exe:*:Enabled:ActiveSync Connection Manager”
“C:\\Programmer\\Microsoft ActiveSync\\WCESMgr.exe”=“C:\\Programmer\\Microsoft ActiveSync\\WCESMgr.exe:*:Enabled:ActiveSync Application”
“C:\\Programmer\\SmartFTP Client 2.0\\SmartFTP.exe”=“C:\\Programmer\\SmartFTP Client 2.0\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0”
“C:\\Programmer\\Messenger\\msmsgs.exe”=“C:\\Programmer\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger”
“C:\\Programmer\\BitTorrent\\bittorrent.exe”=“C:\\Programmer\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent”
“C:\\Programmer\\MSN Messenger\\msnmsgr.exe”=“C:\\Programmer\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1”
“C:\\Programmer\\MSN Messenger\\livecall.exe”=“C:\\Programmer\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
“%windir%\\system32\\sessmgr.exe”=”%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019”
“C:\\Programmer\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe”=“C:\\Programmer\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe:*:Enabled:ThinkVantage System Update”
“C:\\Programmer\\MSN Messenger\\msnmsgr.exe”=“C:\\Programmer\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1”
“C:\\Programmer\\MSN Messenger\\livecall.exe”=“C:\\Programmer\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)”

Remaining Files:
———————-
C:\as.txt Found

Backups Folder: - C:\sdfix\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Programmer\Smart Projects\IsoBuster\Help\AHlp.exe
C:\System Volume Information\_restore{2BB9FEE9-B27F-4B8F-A970-A1E457210B00}\RP938\A0183391.exe

                      Finished

Sikke meget dejligt fildeling du har liggende.
Det skal vi af med først, før vi fortsætter.

————————————————————————————————————
Gå i Start => Kontrolpanel => Tilføj/Fjern Programmer og afinstaller
DC++ (fuldc)
uTorrent
BitTorrent
————————————————————————————————————
Slet disse mapper:
C:\Programmer\BitTorrent\
C:\Programmer\DC++\
C:\Programmer\uTorrent\

Tøm Papirkurven.
—————————————————————————————————————
Du skal hente RootCHK igen, da der er kommet en nyere version.

http://www.uploads.ejvindh.net/rootchk.exe
Kør programmet rootchk.exe. Efter kort tid vil der dukke en logfil op, som kan findes her C:\rootlog txt. Kopier indholdet af denne log ind i tråden sammen med en ny HijackThis log.

- Udsender din PC stadig mails?

********************************* ROOTCHK-(13-04-07)-LOG, by ejvindh
15-04-2007 0:08:29,20

Driver runtime (visible) is present. Run SDFIX by AndyManchesta.
Driver runtime (visible) is present. Run COMBOFIX by sUBs.
Driver irmon (visible) is present. A rootkit scan is recommended.

********************************* ROOTCHK-LOG-end

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 00:09:04, on 15-04-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe
C:\Programmer\Fælles filer\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Programmer\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmer\IBM\Bluetooth Software\bin\btwdins.exe
C:\Programmer\Norton AntiVirus\navapsvc.exe
C:\Programmer\Norton AntiVirus\IWP\NPFMntor.exe
C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Fælles filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Programmer\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Programmer\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\acs.exe
C:\Programmer\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programmer\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Programmer\Logitech\iTouch\iTouch.exe
C:\Programmer\Analog Devices\SoundMAX\SMax4PNP.exe
c:\drivers\1yvu13ww\zoom\tpscrex.exe
C:\Programmer\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\TpScrLk.exe
C:\Programmer\ThinkPad\ConnectUtilities\ACTray.exe
C:\Programmer\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmer\SPAMfighter\SFAgent.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programmer\MSN Messenger\usnsvc.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\MIT NAVN\Skrivebord\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programmer\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar4.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programmer\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google; - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar4.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Programmer\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Programmer\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmer\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmer\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Programmer\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Programmer\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ccApp] “C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe”
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrLk.exe
O4 - HKLM\..\Run: [ACTray] C:\Programmer\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Programmer\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] “C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM\..\Run: [SPAMfighter Agent] “C:\Programmer\SPAMfighter\SFAgent.exe” update delay 60
O4 - HKLM\..\Run: [!AVG Anti-Spyware] “C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] “C:\Programmer\MSN Messenger\MsnMsgr.Exe” /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘LOKAL TJENESTE’)
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘NETVÆRKSTJENESTE’)
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS\S-1-5-18\..\RunOnce: [supportdir] cmd /c “rmdir /q /s “C:\WINDOWS\TEMP\{DC78AACC-D3E4-4D92-95E8-42AFD802B8DB}”” (User ‘SYSTEM’)
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’)
O4 - HKUS\.DEFAULT\..\RunOnce: [supportdir] cmd /c “rmdir /q /s “C:\WINDOWS\TEMP\{DC78AACC-D3E4-4D92-95E8-42AFD802B8DB}”” (User ‘Default user’)
O4 - Startup: Fancontrol.lnk = C:\Fancontrol\fancontrol.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Reader 8.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&ksporter; til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send til &Bluetooth; - C:\Programmer\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Opret Foretrukken på mobil enhed - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\inetrepl.dll
O9 - Extra ‘Tools’ menuitem: Opret Foretrukken på mobil enhed… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmer\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra ‘Tools’ menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmer\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Opdatér ThinkPad-programmer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Programmer\ThinkPad\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe (file missing)
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe (file missing)
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D} (TurnTool Scene) - http://www.turntool.com/ViewerInstall.exe
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144432783136
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.lenovo.com/support/access/aslibmain/content/IbmEgath.cab
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {9B785917-E16B-4A9F-8E73-9D3346E4F0BC} (DivingPlugInX Control) - http://www.suuntosports.com/mysuunto/plugin/DivePlugIn.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://kort.htk.dk/acgm/Acgm.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Programmer\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Programmer\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programmer\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmer\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmer\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Programmer\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programmer\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programmer\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmer\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FÆLLES~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmer\Fælles filer\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Programmer\ThinkVantage\SystemUpdate\UCLauncherService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

—
End of file - 13912 bytes

Ja, den vil stadig gerne sende en masse mails umiddelbart efter startup. Men når jeg har denyied ca 70 mail warnings, så “falder den til ro”

OK, det ser ud til at du har et par rootkits på din computer, som er mere stædige end som så. Jeg overfører derfor tråden til Rootkit-kategorien. Der gælder nogle særlige forhold for supporten i denne kategori, som du kan læse om her:

http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=29320

—Hent Combofix fra et af disse links, og gem den på dit skrivebord:
http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

— Kør så combofix.exe, som du hentede tidligere, og følg anvisningerne.
Du bør ikke klikke på vinduet imens værktøjet kører, idet det kan få din computer til at fryse.
Når combofix er færdig, og efter det har genstartet, skulle der gerne åbnes en logfil: combofix.txt
Indholdet af denne fil må du gerne lægge herind.

—Kopiér indholdet mellem de stiplede linier, ind i et notepad-vindue, og gem indholdet på skrivebordet som batchfix.bat. Når du gemmer filen, skal du sikre dig, at der under “Filtyper” står “Alle filer”:

——————
REGEDIT.exe /E temp1.txt “HKEY_Local_Machine\system\currentcontrolset\services\irmon”
REGEDIT.exe /E temp2.txt “HKEY_Local_Machine\system\Controlset001\services\irmon”
REGEDIT.exe /E temp3.txt “HKEY_Local_Machine\system\controlset002\services\irmon”
type temp1.txt>c:\irmonserv.txt
type temp2.txt>>c:\irmonserv.txt
type temp3.txt>>c:\irmonserv.txt
del temp*.txt
notepad c:\irmonserv.txt
——————
Dobbeltklik så på den fil, som du lige har lavet. Så åbnes et lille dos-vindue. Efter kort tid vil der poppe et notepad-vindue op, hvis indhold du skal lægge herind.

Bacthfix:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\irmon]
“Type”=dword:00000020
“Start”=dword:00000002
“ErrorControl”=dword:00000001
“ImagePath”=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
“DisplayName”=“Infrar›d overv†gning”
“Group”=“TDI”
“DependOnService”=hex(7):69,00,72,00,64,00,61,00,00,00,52,00,70,00,63,00,53,00,\
  73,00,00,00,54,00,65,00,72,00,6d,00,53,00,65,00,72,00,76,00,69,00,63,00,65,\
  00,00,00,00,00
“DependOnGroup”=hex(7):00,00
“ObjectName”=“LocalSystem”
“Description”=“Underst›tter infrar›de enheder, der er installeret p† computeren, og finder andre enheder inden for r‘kkevidde.”

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\irmon\Parameters]
“ServiceDll”=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  69,00,72,00,6d,00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,00,00
“TrayEnabled”=dword:00000001

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\irmon\Security]
“Security”=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\irmon\Enum]
“0”=“Root\\LEGACY_IRMON\\0000”
“Count”=dword:00000001
“NextInstance”=dword:00000001

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\Controlset001\services\irmon]
“Type”=dword:00000020
“Start”=dword:00000002
“ErrorControl”=dword:00000001
“ImagePath”=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
“DisplayName”=“Infrar›d overv†gning”
“Group”=“TDI”
“DependOnService”=hex(7):69,00,72,00,64,00,61,00,00,00,52,00,70,00,63,00,53,00,\
  73,00,00,00,54,00,65,00,72,00,6d,00,53,00,65,00,72,00,76,00,69,00,63,00,65,\
  00,00,00,00,00
“DependOnGroup”=hex(7):00,00
“ObjectName”=“LocalSystem”
“Description”=“Underst›tter infrar›de enheder, der er installeret p† computeren, og finder andre enheder inden for r‘kkevidde.”

[HKEY_LOCAL_MACHINE\system\Controlset001\services\irmon\Parameters]
“ServiceDll”=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  69,00,72,00,6d,00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,00,00
“TrayEnabled”=dword:00000001

[HKEY_LOCAL_MACHINE\system\Controlset001\services\irmon\Security]
“Security”=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\system\Controlset001\services\irmon\Enum]
“0”=“Root\\LEGACY_IRMON\\0000”
“Count”=dword:00000001
“NextInstance”=dword:00000001

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\controlset002\services\irmon]
“Type”=dword:00000020
“Start”=dword:00000002
“ErrorControl”=dword:00000001
“ImagePath”=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
“DisplayName”=“Infrar›d overv†gning”
“Group”=“TDI”
“DependOnService”=hex(7):69,00,72,00,64,00,61,00,00,00,52,00,70,00,63,00,53,00,\
  73,00,00,00,54,00,65,00,72,00,6d,00,53,00,65,00,72,00,76,00,69,00,63,00,65,\
  00,00,00,00,00
“DependOnGroup”=hex(7):00,00
“ObjectName”=“LocalSystem”
“Description”=“Underst›tter infrar›de enheder, der er installeret p† computeren, og finder andre enheder inden for r‘kkevidde.”

[HKEY_LOCAL_MACHINE\system\controlset002\services\irmon\Parameters]
“ServiceDll”=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  69,00,72,00,6d,00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,00,00
“TrayEnabled”=dword:00000001

[HKEY_LOCAL_MACHINE\system\controlset002\services\irmon\Security]
“Security”=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

COMBOFIX:
“MIT NAVN” - 07-04-15 0:23:53   Service Pack 2
ComboFix 07-04-05.Rev3 - Running from: “C:\Documents and Settings\MIT NAVN\Skrivebord”

((((((((((((((((((((((((((((((((((((((((((((  Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\1_exception.nls

Infected copy of C:\WINDOWS\system32\winlogon.exe was found & disinfected
Restored copy from - “C:\WINDOWS\system32\dllcache\winlogon.exe”
ws2_32.dll: Adgang nægtet.

(((((((((((((((((((((((((((((((  Files Created from 2007-03-15 to 2007-04-15 ))))))))))))))))))))))))))))))))))

2007-04-13 22:33 <DIR> d————C:\Rustbfix
2007-04-13 20:34 3,968—a———C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-13 20:20 <DIR> d————C:\Programmer\CCleaner
2007-04-12 23:31 <DIR> d————C:\Programmer\SUPERAntiSpyware
2007-04-12 23:31 <DIR> d————C:\DOCUME~1\SRENEL~1\APPLIC~1\SUPERAntiSpyware.com
2007-04-12 23:31 <DIR> d————C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-04-12 23:30 <DIR> d————C:\Programmer\F‘lles filer\Wise Installation Wizard
2007-04-12 21:05 <DIR> d————C:\Programmer\Uniblue
2007-04-12 21:05 <DIR> d————C:\DOCUME~1\SRENEL~1\APPLIC~1\Uniblue
2007-04-11 20:24 3,403,852—a———C:\Temp\sysclean.com
2007-04-03 19:24 <DIR> d————C:\Programmer\SPAMfighter
2007-04-03 19:24 <DIR> d————C:\Programmer\F‘lles filer\Application
2007-04-03 19:24 <DIR> d————C:\Programmer\F‘lles filer\Ankiro
2007-04-03 19:24 <DIR> d————C:\DOCUME~1\SRENEL~1\APPLIC~1\SPAMfighter
2007-03-25 21:49 61,067—a———C:\WINDOWS\system32\drivers\ftser2k.sys
2007-03-25 21:48 47,249—a———C:\WINDOWS\system32\drivers\ftdibus.sys
2007-03-25 19:08 <DIR> d————C:\Programmer\HHD Software
2007-03-25 19:08 <DIR> d————C:\Programmer\F‘lles filer\HHD Software
2007-03-20 23:02 1,087,216—a———C:\WINDOWS\system32\zpeng24.dll
2007-03-17 08:58 <DIR> d————C:\DOCUME~1\SRENEL~1\CDCARDS


((((((((((((((((((((((((((((((((((((((((((((((((  Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-12 23:20 82944—a———C:\WINDOWS\system32\ws2_32.dll
2007-04-12 22:25————d————C:\Programmer\security task manager
2007-04-12 22:25————d————C:\Programmer\security task manager
2007-04-12 21:48 483434—a———C:\WINDOWS\system32\perfh006.dat
2007-04-12 21:48 100688—a———C:\WINDOWS\system32\perfc006.dat
2007-04-12 21:11————d————C:\Programmer\F‘lles filer\symantec shared
2007-04-06 09:39 4212—-h——- C:\WINDOWS\system32\zllictbl.dat
2007-04-01 21:42————d————C:\Programmer\opera
2007-04-01 21:42————d————C:\Programmer\opera
2007-03-29 20:35 111240—a———C:\WINDOWS\system32\gdipfontcachev1.dat
2007-03-25 20:52————d————C:\Programmer\furnish pro
2007-03-25 20:52————d————C:\Programmer\furnish pro
2007-03-25 17:46————d————C:\Programmer\google
2007-03-25 17:46————d————C:\Programmer\google
2007-03-24 18:03————d————C:\Programmer\messenger
2007-03-24 18:03————d————C:\Programmer\messenger
2007-03-21 18:07————d————C:\Programmer\dap
2007-03-21 18:07————d————C:\Programmer\dap
2007-03-19 20:00————d————C:\Programmer\hs-upload
2007-03-19 20:00————d————C:\Programmer\hs-upload
2007-03-19 19:52————d————C:\Programmer\wswin
2007-03-19 19:52————d————C:\Programmer\wswin
2007-03-18 21:20————d————C:\Programmer\editplus 2
2007-03-18 21:20————d————C:\Programmer\editplus 2
2007-03-17 15:45 292864—a———C:\WINDOWS\system32\winsrv.dll
2007-03-08 22:50————d————C:\Programmer\smartftp client 2.0 setup files
2007-03-08 22:50————d————C:\Programmer\smartftp client 2.0 setup files
2007-03-08 22:50————d————C:\Programmer\smartftp client 2.0
2007-03-08 22:50————d————C:\Programmer\smartftp client 2.0
2007-03-08 17:38 577536—a———C:\WINDOWS\system32\user32.dll
2007-03-08 17:38 40960—a———C:\WINDOWS\system32\mf3216.dll
2007-03-08 17:38 281600—a———C:\WINDOWS\system32\gdi32.dll
2007-03-08 17:35 1843584—a———C:\WINDOWS\system32\win32k.sys
2007-03-03 18:54————d————C:\Programmer\msn messenger
2007-03-03 18:54————d————C:\Programmer\msn messenger
2007-02-27 21:25————d—h——- C:\Programmer\installshield installation information
2007-02-27 21:25————d—h——- C:\Programmer\installshield installation information
2007-02-11 17:51 1093632—a———C:\WINDOWS\system32\freeimage.dll
2007-02-05 22:19 185344—a———C:\WINDOWS\system32\upnphost.dll
2007-01-19 13:53 51056—a———C:\WINDOWS\system32\sirenacm.dll


((((((((((((((((((((((((((((((((((((((((((  Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
“CTFMON.EXE”=“C:\\WINDOWS\\system32\\ctfmon.exe”
“MsnMsgr”=”\“C:\\Programmer\\MSN Messenger\\MsnMsgr.Exe\” /background”
“SUPERAntiSpyware”=“C:\\Programmer\\SUPERAntiSpyware\\SUPERAntiSpyware.exe”

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
“S3TRAY2”=“S3Tray2.exe”
“SynTPLpr”=“C:\\Programmer\\Synaptics\\SynTP\\SynTPLpr.exe”
“SynTPEnh”=“C:\\Programmer\\Synaptics\\SynTP\\SynTPEnh.exe”
“TpShocks”=“TpShocks.exe”
“TPHOTKEY”=“C:\\PROGRA~1\\ThinkPad\\PkgMgr\\HOTKEY\\TPHKMGR.exe”
“BMMLREF”=“C:\\Programmer\\ThinkPad\\Utilities\\BMMLREF.EXE”
“TPKMAPHELPER”=“C:\\Programmer\\ThinkPad\\Utilities\\TpKmapAp.exe -helper”
“TP4EX”=“tp4ex.exe”
“EZEJMNAP”=“C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\EzEjMnAp.Exe”
“ATIPTA”=“C:\\Programmer\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe”
“dla”=“C:\\WINDOWS\\system32\\dla\\tfswctrl.exe”
“Logitech Utility”=“Logi_MwX.Exe”
“zBrowser Launcher”=“C:\\Programmer\\Logitech\\iTouch\\iTouch.exe”
“SoundMAXPnP”=“C:\\Programmer\\Analog Devices\\SoundMAX\\SMax4PNP.exe”
“SoundMAX”=“C:\\Programmer\\Analog Devices\\SoundMAX\\Smax4.exe /tray”
“PRONoMgrWired”=“C:\\Programmer\\Intel\\PROSetWired\\NCS\\PROSet\\PRONoMgr.exe”
“Synchronization Manager”=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,\
  73,74,65,6d,33,32,5c,6d,6f,62,73,79,6e,63,2e,65,78,65,20,2f,6c,6f,67,6f,6e,\
  00
“UserFaultCheck”=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
  6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
“ccApp”=”\“C:\\Programmer\\Fælles filer\\Symantec Shared\\ccApp.exe\”“
“Symantec NetDriver Monitor”=“C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer”
“TPKBDLED”=“C:\\WINDOWS\\system32\\TpScrLk.exe”
“ACTray”=“C:\\Programmer\\ThinkPad\\ConnectUtilities\\ACTray.exe”
“ACWLIcon”=“C:\\Programmer\\ThinkPad\\ConnectUtilities\\ACWLIcon.exe”
“ZoneAlarm Client”=”\“C:\\Programmer\\Zone Labs\\ZoneAlarm\\zlclient.exe\”“
“SPAMfighter Agent”=”\“C:\\Programmer\\SPAMfighter\\SFAgent.exe\” update delay 60”
“!AVG Anti-Spyware”=”\“C:\\Programmer\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\” /minimized”

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
“Installed”=“1”

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
“Installed”=“1”
“NoChange”=“1”

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
“Installed”=“1”

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
“supportdir”=“cmd /c \“rmdir /q /s \“C:\\WINDOWS\\TEMP\\{DC78AACC-D3E4-4D92-95E8-42AFD802B8DB}\”\”“

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menuen Start^Programmer^Start^Adobe Reader Synchronizer.lnk]
“path”=“C:\\Documents and Settings\\All Users\\Menuen Start\\Programmer\\Start\\Adobe Reader Synchronizer.lnk”
“backup”=“C:\\WINDOWS\\pss\\Adobe Reader Synchronizer.lnkCommon Startup”
“location”=“Common Startup”
“command”=“C:\\PROGRA~1\\Adobe\\READER~1.0\\Reader\\ADOBEC~1.EXE “
“item”=“Adobe Reader Synchronizer”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menuen Start^Programmer^Start^BTTray.lnk]
“backup”=“C:\\WINDOWS\\pss\\BTTray.lnkCommon Startup”
“location”=“Common Startup”
“command”=“C:\\PROGRA~1\\IBM\\BLUETO~1\\BTTray.exe “
“item”=“BTTray”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menuen Start^Programmer^Start^Service Manager.lnk]
“backup”=“C:\\WINDOWS\\pss\\Service Manager.lnkCommon Startup”
“location”=“Common Startup”
“command”=“C:\\PROGRA~1\\MICROS~3\\80\\Tools\\Binn\\sqlmangr.exe /n”
“item”=“Service Manager”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^MIT NAVN^Menuen Start^Programmer^Start^fancontrol.exe]
“path”=“c:\\fancontrol\\fancontrol.exe”
“backup”=“C:\\WINDOWS\\pss\\fancontrol.exeStartup”
“location”=“Startup”
“command”=“c:\\fancontrol\\fancontrol.exe”
“item”=“fancontrol”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
“key”=“SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run”
“item”=“apdproxy”
“hkey”=“HKLM”
“command”=”\“C:\\Programmer\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\”“
“inimapping”=“0”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlockAds]
“key”=“SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run”
“item”=”“
“hkey”=“HKCU”
“command”=”“
“inimapping”=“0”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
“key”=“SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run”
“item”=“DataLayer”
“hkey”=“HKLM”
“command”=“C:\\Programmer\\Fælles filer\\PCSuite\\DataLayer\\DataLayer.exe”
“inimapping”=“0”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
“key”=“SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run”
“item”=“WCESCOMM”
“hkey”=“HKCU”
“inimapping”=“0”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HeavyWeatherPublisher]
“key”=“SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run”
“item”=“HeavyWeatherPublisher”
“hkey”=“HKCU”
“command”=“C:\\HeavyWeather\\HeavyWeatherPublisher.exe -minimized”
“inimapping”=“0”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages]
“key”=“SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run”
“item”=“ibmmessages”
“hkey”=“HKLM”
“command”=“C:\\Programmer\\IBM\\Messages By IBM\\ibmmessages.exe”
“inimapping”=“0”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
“key”=“SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run”
“item”=“NeroCheck”
“hkey”=“HKLM”
“command”=“C:\\WINDOWS\\system32\\NeroCheck.exe”
“inimapping”=“0”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
“key”=“SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run”
“item”=“LaunchApplication”
“hkey”=“HKLM”
“inimapping”=“0”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
“key”=“SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run”
“item”=“PcSync2”
“hkey”=“HKCU”
“command”=“C:\\Programmer\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog”
“inimapping”=“0”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pop-Up-Blocker]
“key”=“SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run”
“item”=”“
“hkey”=“HKCU”
“command”=”“
“inimapping”=“0”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
“key”=“SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run”
“item”=“qttask”
“hkey”=“HKLM”
“command”=”\“C:\\Programmer\\QuickTime\\qttask.exe\” -atboottime”
“inimapping”=“0”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TransparentIcons]
“key”=“SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run”
“item”=”“
“hkey”=“HKCU”
“command”=”“
“inimapping”=“0”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trickler]
“key”=“SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run”
“item”=“gain_trickler_3202”
“hkey”=“HKLM”
“inimapping”=“0”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tweak-XP]
“key”=“SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run”
“item”=”“
“hkey”=“HKCU”
“command”=”“
“inimapping”=“0”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UC_Start]
“key”=“SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run”
“item”=“ucstartup”
“hkey”=“HKLM”
“command”=“C:\\IBMTools\\Updater\\ucstartup.exe”
“inimapping”=“0”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
“key”=“SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run”
“item”=“sgtray”
“hkey”=“HKLM”
“command”=”\“c:\\Programmer\\Fælles filer\\Sonic\\Update Manager\\sgtray.exe\” /r”
“inimapping”=“0”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
“RDSessMgr”=dword:00000003
“MySql”=dword:00000002
“MSSQLServerADHelper”=dword:00000003
“MSSQLSERVER”=dword:00000003
“mnmsrvc”=dword:00000003
“W3SVC”=dword:00000002
“IISADMIN”=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”=”“
“{57B86673-276A-48B2-BAE7-C6DBB3020EB8}”=“AVG Anti-Spyware 7.5”

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
“DisableRegistryTools”=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
“NoBandCustomize”=dword:00000000
“NoMovingBands”=dword:00000000
“NoCloseDragDropBands”=dword:00000000
“NoSetTaskbar”=dword:00000000
“NoToolbarsOnTaskbar”=dword:00000000
“NoSaveSettings”=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
“SecurityProviders”=“msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll”

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
  Authentication Packages REG_MULTI_SZ   msv1_0\0\0
  Security Packages REG_MULTI_SZ   kerberos\0msv1_0\0schannel\0wdigest\0\0
  Notification Packages REG_MULTI_SZ   scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ   Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ   DnsCache\0\0
rpcss REG_MULTI_SZ   RpcSs\0\0
imgsvc REG_MULTI_SZ   StiSvc\0\0
termsvcs REG_MULTI_SZ   TermService\0\0
bthsvcs REG_MULTI_SZ   BthServ\0\0
HTTPFilter REG_MULTI_SZ   HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ   DcomLaunch\0TermService\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_WINIO

Contents of the ‘Scheduled Tasks’ folder
C:\WINDOWS\tasks\BMMTask.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - MIT NAVN.job
C:\WINDOWS\tasks\Uniblue SpyEraser.job

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-15 0:39:06
C:\ComboFix-quarantined-files.txt ... 07-04-15 00:39

Efter seneste genstart har den ikke forsøgt at sende mail - endnu

Det ser ud til at Combofix også fik gjort kål på en del af infektionen. Men der er en enkelt entry, som gør, at jeg synes du skal lave en scanning mere.

—Download Rootkit Unhooker herfra:
http://rku.xell.ru/?l=e&a=dl
Installér programmet. Kør så RKU. Klik på Setup-Settings-“Use Extended mode”. Du vil så blive bedt om at genstarte, hvilket du skal gøre. Kør så Rootkit Unhooker igen, klik på fanebladet “Report”, klik på knappen “Scan”. Lad programmet skanne færdig, klik på “File-Save Report”, og gem rapporten et sted, hvor du kan finde den igen. Læg indholdet af denne rapport herind.

INdtil videre opfører PC sig ordentligt.

Link til Unhooker virker ikke, men fandt den et andet sted. Desværre får jeg en “Uhandled exception” når den når til “Code Hooks Detecktor” og programmet lukker ned. Har prøvet at starte scan igen, men med samme resutlat. Kan sende skærmdump hvis interesse.

Nej, så prøver vi med Gmer i stedet:

—Download Gmer-rootkit scanner, og pak den ud til skrivebordet:
http://www.young-andersen.dk/gamer/gamer.zip
Start med at omdøbe programmet gmer.exe (fx til abc.exe). Kør programmet, klik på fanebladet “Rootkit”, og klik på “Scan”. Imens der scannes, bør du afbryde netforbindelsen, lukke alle åbne programmer, og undlade at bruge computeren til andre ting. Du bør heller ikke klikke på andre ting i Gmer-scanneren. Når scanningen er færdig, skal du klikke på “Copy”. Så dukker et vindue op, som fortæller at resultatet af rootkit-scanningen er blevet lagt ind i udklipsholderen. Du kan herefter gå ind i denne tråd, og kopiere indholdet herind, ved at stille dig i indtastningsfeltet, og trykke ctrl-v.

I nogle tilfælde er logfilen så lang, at den ikke kan være i en enkelt post. Så må du lægge den af flere omgange.

GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-04-16 19:43:02
Windows 5.1.2600 Service Pack 2

——System - GMER 1.0.12——

SSDT     \SystemRoot\System32\vsdatant.sys                                                                 ZwConnectPort
SSDT     \SystemRoot\System32\vsdatant.sys                                                                 ZwCreateFile
SSDT     \SystemRoot\System32\vsdatant.sys                                                                 ZwCreateKey
SSDT     \SystemRoot\System32\vsdatant.sys                                                                 ZwCreatePort
SSDT     \SystemRoot\System32\vsdatant.sys                                                                 ZwCreateProcess
SSDT     \SystemRoot\System32\vsdatant.sys                                                                 ZwCreateProcessEx
SSDT     \SystemRoot\System32\vsdatant.sys                                                                 ZwCreateSection
SSDT     \SystemRoot\System32\vsdatant.sys                                                                 ZwCreateWaitablePort
SSDT     \SystemRoot\System32\vsdatant.sys                                                                 ZwDeleteFile
SSDT     \SystemRoot\System32\vsdatant.sys                                                                 ZwDeleteKey
SSDT     \SystemRoot\System32\vsdatant.sys                                                                 ZwDeleteValueKey
SSDT     \SystemRoot\System32\vsdatant.sys                                                                 ZwDuplicateObject
SSDT     \SystemRoot\System32\vsdatant.sys                                                                 ZwLoadDriver
SSDT     \SystemRoot\System32\vsdatant.sys                                                                 ZwLoadKey
SSDT     \SystemRoot\System32\vsdatant.sys                                                                 ZwMapViewOfSection
SSDT     \SystemRoot\System32\vsdatant.sys                                                                 ZwOpenFile
SSDT     \SystemRoot\System32\vsdatant.sys                                                                 ZwOpenProcess
SSDT     \SystemRoot\System32\vsdatant.sys                                                                 ZwOpenThread
SSDT     \SystemRoot\System32\vsdatant.sys                                                                 ZwReplaceKey
SSDT     \SystemRoot\System32\vsdatant.sys                                                                 ZwRequestWaitReplyPort
SSDT     \SystemRoot\System32\vsdatant.sys                                                                 ZwRestoreKey
SSDT     \SystemRoot\System32\vsdatant.sys                                                                 ZwSecureConnectPort
SSDT     \SystemRoot\System32\vsdatant.sys                                                                 ZwSetInformationFile
SSDT     \SystemRoot\System32\vsdatant.sys                                                                 ZwSetSystemInformation
SSDT     \SystemRoot\System32\vsdatant.sys                                                                 ZwSetValueKey
SSDT     \SystemRoot\System32\vsdatant.sys                                                                 ZwTerminateProcess
SSDT     \SystemRoot\System32\vsdatant.sys                                                                 ZwUnloadDriver

INT 0x20 srescan.sys                                                                               F73B29B0

——Kernel code sections - GMER 1.0.12——

.text   ntoskrnl.exe!_abnormal_termination + 104                                                           804E2760 12 Bytes [ F0, 71, CC, BA, 80, D4, CC, ... ]
.text   ntoskrnl.exe!_abnormal_termination + 465                                                           804E2AC1 3 Bytes [ 15, CC, BA ]
?      srescan.sys                                                                               Den angivne fil blev ikke fundet.
.text   ntoskrnl.exe!_abnormal_termination + 104                                                           804E2760 12 Bytes [ F0, 71, CC, BA, 80, D4, CC, ... ]
.text   ntoskrnl.exe!_abnormal_termination + 465                                                           804E2AC1 3 Bytes [ 15, CC, BA ]

——User code sections - GMER 1.0.12——

.text   C:\WINDOWS\system32\ZoneLabs\vsmon.exe[296] ntdll.dll!KiFastSystemCall + 2                                     7C90EB8D 2 Bytes [ CD, 20 ]
.text   C:\Programmer\MSN Messenger\msnmsgr.exe[3792] kernel32.dll!SetUnhandledExceptionFilter                             7C84479D 5 Bytes JMP 004DE392 C:\Programmer\MSN Messenger\MsnMsgr.Exe

——Devices - GMER 1.0.12——

Device   \Driver\Tcpip \Device\Ip IRP_MJ_CREATE                                                             [BACD88A0] vsdatant.sys
Device   \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE                                                             [BACD88A0] vsdatant.sys
Device   \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL                                                       [BACD88A0] vsdatant.sys
Device   \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL                                                 [BACD88A0] vsdatant.sys
Device   \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP                                                             [BACD88A0] vsdatant.sys
Device   \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE                                                             [BACD88A0] vsdatant.sys
Device   \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE                                                             [BACD88A0] vsdatant.sys
Device   \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL                                                       [BACD88A0] vsdatant.sys
Device   \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL                                                 [BACD88A0] vsdatant.sys
Device   \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP                                                           [BACD88A0] vsdatant.sys
Device   \Driver\Tcpip \Device\Udp IRP_MJ_CREATE                                                             [BACD88A0] vsdatant.sys
Device   \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE                                                             [BACD88A0] vsdatant.sys
Device   \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL                                                       [BACD88A0] vsdatant.sys
Device   \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL                                                 [BACD88A0] vsdatant.sys
Device   \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP                                                           [BACD88A0] vsdatant.sys
Device   \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE                                                           [BACD88A0] vsdatant.sys
Device   \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE                                                           [BACD88A0] vsdatant.sys
Device   \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL                                                     [BACD88A0] vsdatant.sys
Device   \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL                                               [BACD88A0] vsdatant.sys
Device   \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP                                                           [BACD88A0] vsdatant.sys
Device   \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE                                                       [BACD88A0] vsdatant.sys
Device   \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE                                                       [BACD88A0] vsdatant.sys
Device   \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL                                                 [BACD88A0] vsdatant.sys
Device   \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL                                           [BACD88A0] vsdatant.sys
Device   \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP                                                       [BACD88A0] vsdatant.sys
Device   \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL                                   [B88C9175] tfsnifs.sys
Device   \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL                                   [B88C9175] tfsnifs.sys
Device   \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_FILE_SYSTEM_CONTROL                                       [B88C9175] tfsnifs.sys
Device   \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL                                     [B88C9175] tfsnifs.sys
Device   \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL                                   [B88C9175] tfsnifs.sys
Device   \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL                                                     [B88C92ED] tfsnifs.sys

——Registry - GMER 1.0.12——

Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel             Apartment
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@                      C:\WINDOWS\System32\OLE32.DLL
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ...
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel             Apartment
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@                      C:\WINDOWS\System32\OLE32.DLL
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel             Apartment
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@                      C:\WINDOWS\System32\OLE32.DLL
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel             Apartment
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@                      C:\WINDOWS\System32\OLE32.DLL
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x6B 0x65 0x49 0x6A ...
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel             Apartment
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@                      C:\WINDOWS\System32\OLE32.DLL
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel             Apartment
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@                      C:\WINDOWS\System32\OLE32.DLL
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel             Apartment
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@                      C:\WINDOWS\System32\OLE32.DLL
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel             Apartment
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@                      C:\WINDOWS\System32\OLE32.DLL
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel             Apartment
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@                      C:\WINDOWS\System32\OLE32.DLL
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xB2 0x46 0x9A 0xE2 ...
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel             Apartment
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@                      C:\WINDOWS\System32\OLE32.DLL
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel             Apartment
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@                      C:\WINDOWS\System32\OLE32.DLL
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel             Apartment
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@                      C:\WINDOWS\System32\OLE32.DLL
Reg     \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...
Reg     \Registry\MACHINE\SOFTWARE\Microsoft\Shared Tools\                                                   

——Files - GMER 1.0.12——

ADS     C:\System Volume Information\_restore{2BB9FEE9-B27F-4B8F-A970-A1E457210B00}\RP958\A0192710.dll:fork2                  
ADS     C:\WINDOWS\system32\ws2_32.dll:fork2                                                              

——EOF - GMER 1.0.12——

Gmer-loggen ser stort set fin ud. Dog vil jeg gerne lige have dig til at gøre følgende:

Kør Gmer igen, og lad den lave en scanning. Højreklik herefter på disse linier, og vælg “Delete file”:

ADS C:\System Volume Information\_restore{2BB9FEE9-B27F-4B8F-A970-A1E457210B00}\RP958\A0192710.dll:fork2
ADS C:\WINDOWS\system32\ws2_32.dll:fork2

Derudover vil jeg også gerne have dig til at checke ws2_32.dll (normalt en legal systemfil) for at se om den er blevet hijacket:

Prøv at gå ind på følgende hjemmeside:
http://www.virustotal.com/en/indexx.html

Klik på Gennemse, og klik dig så frem til C:\WINDOWS\system32\ws2_32.dll

Klik så Send. Så vil siden efter lidt tid begynde at scanne filen. Under scanningen vil der øverst på siden stå “STATUS: SCANNING”. Når scanningen er færdig, vil der stå “STATUS: FINISHED”. Kopier resultatet af scanningen herind i tråden (du kan markere teksten med musen, højreklikke på det markerede, og vælge “kopier”; herefter kan du paste indholdet herind).

Antivirus Version Update Result
AhnLab-V3 2007.4.18.0 04.17.2007 no virus found
AntiVir 7.3.1.53 04.17.2007 no virus found
Authentium 4.93.8 04.16.2007 no virus found
Avast 4.7.981.0 04.17.2007 no virus found
AVG 7.5.0.447 04.17.2007 no virus found
BitDefender 7.2 04.17.2007 no virus found
CAT-QuickHeal 9.00 04.17.2007 no virus found
ClamAV devel-20070312 04.17.2007 no virus found
DrWeb 4.33 04.17.2007 no virus found
eSafe 7.0.15.0 04.17.2007 no virus found
eTrust-Vet 30.7.3574 04.17.2007 no virus found
Ewido 4.0 04.17.2007 no virus found
FileAdvisor 1 04.17.2007 No threat detected
Fortinet 2.85.0.0 04.17.2007 no virus found
F-Prot 4.3.2.48 04.17.2007 no virus found
F-Secure 6.70.13030.0 04.17.2007 no virus found
Ikarus T3.1.1.5 04.17.2007 no virus found
Kaspersky 4.0.2.24 04.17.2007 no virus found
McAfee 5010 04.16.2007 no virus found
Microsoft 1.2405 04.17.2007 no virus found
NOD32v2 2198 04.17.2007 no virus found
Norman 5.80.02 04.17.2007 no virus found
Panda 9.0.0.4 04.17.2007 no virus found
Prevx1 V2 04.17.2007 no virus found
Sophos 4.16.0 04.16.2007 no virus found
Sunbelt 2.2.907.0 04.14.2007 no virus found
Symantec 10 04.17.2007 no virus found
TheHacker 6.1.6.095 04.15.2007 no virus found
VBA32 3.11.3 04.17.2007 no virus found
VirusBuster 4.3.7:9 04.17.2007 no virus found
Webwasher-Gateway 6.0.1 04.17.2007 no virus found

Aditional Information
File size: 82944 bytes
MD5: 3c83a9029bc93e4cdcf7975decfdae5d
SHA1: 2706ed311fd8850cae5462fed040930f8b9771dd

Det ser jo fint ud. Så har jeg ikke mere at trætte dig med. Køre computeren også tilfredsstillende?

For at gøre arbejdet helt færdig:
Det kan være en god ide og rydde op i systemgendannelses filerne. Deaktiver systemgendannelse (http://www.spywarefri.dk/virusscannere.htm#alle) - genstart din computer - aktiver systemgendannelse.
Og så kan det også være en god ide at skjule dine systemfiler og -mapper igen, så du ikke ved en fejl kommer til at slette en vigtig fil. Det gør du samme sted, hvor du satte det til at vise alle filer, denne gang vælger du bare: Vis ikke skjulte filer og mapper.

Det kan også være en god ide at få renset ud i dine midlertidige filer. Det kan gøres på en hurtig og nem måde med denne fil
http://www.spywareinfo.dk/download/cleantempxp2k.bat
—————————————-

For at forhindre gentagelser, vil jeg anbefale dig at lægge nogle små programmer ind, som forhindrer spyware i at komme ind i første omgang. Du finder links og gode råd her:
http://www.spywarefri.dk/manualer/sikkerhedspakke.htm

Jeg vil også foreslå, at du læser disse artikler om hvordan du kan undgå at blive inficeret i fremtiden:
http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=14414
http://www.ejvindh.net/viewtopic.php?t=37

Hej Spywarefri.

I skal have 1000000 tak for hjælpen, hårdføre indsats og super tålmodighed - uden Jer var der kun Format c: tilbage )

Jeg vil klart anbefale Jeres services hvor jeg end måtte finde det interessant!!

Absolut Weltklasse!!

Sørene

Velbekomme, tak for de pæne ord.

Jeg låser tråden, får du brug for os igen, er du velkommen til at oprette et nyt spørgsmål.