messenger plus
  disk
Number of posts: 15

Hi.
I hope you can help me. My daughter has (unfortunately) downloaded the program Messenger Plus, which has resulted in the computer being full of viruses and Trojan horses. I hope you can help restore a “clean” computer.

Administrator
Number of posts: 55090

Hi and welcome.
Remove MessengerPlus in Add/Remove Programs.
Restart and follow steps 1-4 of this guide.
http://www.spywarefri.dk/hjtanv.htm

Signature

Member of “Alliance of Security Analysis Professionals” - All information, as always, “only with a pistol”

Did you also cry over the fairy tale about the blacksmith's cat when you were little?
http://www.spywarefri.dk/medarbejderne/

Nierne bomaye - You’ll never walk alone
qui potest, obligatur

  disk
Number of posts: 15

Logfile of HijackThis v1.98.2
Scan saved at 17:19:49, on 31-10-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:/WINDOWS/System32/smss.exe
C:/WINDOWS/system32/winlogon.exe
C:/WINDOWS/system32/services.exe
C:/WINDOWS/system32/lsass.exe
C:/WINDOWS/system32/svchost.exe
C:/WINDOWS/System32/svchost.exe
C:/WINDOWS/system32/LEXBCES.EXE
C:/WINDOWS/system32/spoolsv.exe
C:/WINDOWS/system32/LEXPPS.EXE
C:/PROGRA~1/Grisoft/AVG6/avgserv.exe
C:/WINDOWS/System32/nvsvc32.exe
C:/WINDOWS/System32/svchost.exe
C:/Programmer/Logitech/iTouch/iTouch.exe
C:/Programmer/Java/j2re1.4.2_03/bin/jusched.exe
C:/Programmer/iTunes/iTunesHelper.exe
C:/Programmer/QuickTime/qttask.exe
C:/Programmer/Winamp/winampa.exe
C:/PROGRA~1/Grisoft/AVG6/avgcc32.exe
C:/WINDOWS/System32/RUNDLL32.EXE
C:/WINDOWS/StartupMonitor.exe
C:/WINDOWS/System32/ctfmon.exe
C:/Programmer/Desktop Messenger/8876480/Program/BackWeb-8876480.exe
C:/Programmer/Messenger/msmsgs.exe
C:/Programmer/Spyware Doctor/spydoctor.exe
C:/Programmer/Logitech/MouseWare/system/em_exec.exe
C:/Programmer/WinZip/WZQKPICK.EXE
C:/Programmer/iPod/bin/iPodService.exe
C:/WINDOWS/explorer.exe
C:/Programmer/Internet Explorer/iexplore.exe
C:/Documents and Settings/JENS SOLGAARD/Skrivebord/hijackthis/hijackthis.exe

R0 - HKCU/Software/Microsoft/Internet Explorer/Main,Start Page = http://tdconline.dk/
R1 - HKCU/Software/Microsoft/Internet Explorer/SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R1 - HKCU/Software/Microsoft/Windows/CurrentVersion/Internet Settings,ProxyOverride = localhost
R0 - HKCU/Software/Microsoft/Internet Explorer/Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:/PROGRA~1/SPYBOT~1/SDHelper.dll
O3 - Toolbar: &Radio; - {8E718888-423F-11D2-876E-00A0C9082467} - C:/WINDOWS/System32/msdxm.ocx
O4 - HKLM/../Run: [zBrowser Launcher] C:/Programmer/Logitech/iTouch/iTouch.exe
O4 - HKLM/../Run: [NeroCheck] C:/WINDOWS/System32//NeroCheck.exe
O4 - HKLM/../Run: [SunJavaUpdateSched] C:/Programmer/Java/j2re1.4.2_03/bin/jusched.exe
O4 - HKLM/../Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM/../Run: [iTunesHelper] C:/Programmer/iTunes/iTunesHelper.exe
O4 - HKLM/../Run: [QuickTime Task] “C:/Programmer/QuickTime/qttask.exe” -atboottime
O4 - HKLM/../Run: [WinampAgent] C:/Programmer/Winamp/winampa.exe
O4 - HKLM/../Run: [AVG_CC] C:/PROGRA~1/Grisoft/AVG6/avgcc32.exe /STARTUP
O4 - HKLM/../Run: [nwiz] nwiz.exe /install
O4 - HKLM/../Run: [NvMediaCenter] RUNDLL32.EXE C:/WINDOWS/System32/NvMcTray.dll,NvTaskbarInit
O4 - HKLM/../Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM/../Run: [NvCplDaemon] RUNDLL32.EXE C:/WINDOWS/System32/NvCpl.dll,NvStartup
O4 - HKCU/../Run: [CTFMON.EXE] C:/WINDOWS/System32/ctfmon.exe
O4 - HKCU/../Run: [LDM] C:/Programmer/Desktop Messenger/8876480/Program/BackWeb-8876480.exe
O4 - HKCU/../Run: [MSMSGS] “C:/Programmer/Messenger/msmsgs.exe” /background
O4 - HKCU/../Run: [Spyware Doctor] “C:/Programmer/Spyware Doctor/spydoctor.exe” /Q
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:/Programmer/Desktop Messenger/8876480/Program/LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:/Programmer/Microsoft Office/Office10/OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:/Programmer/WinZip/WZQKPICK.EXE
O8 - Extra context menu item: E&ksporter; til Microsoft Excel - res://C:/PROGRA~1/MICROS~2/Office10/EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:/Programmer/Messenger/MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:/Programmer/Messenger/MSMSGS.EXE
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - http://80.199.4.57:81/kxhcm10.ocx
O16 - DPF: {3D2CB570-D425-11D5-ABD0-00008369C46F} (CSMenu Class) - https://netbank.bgbank.dk/html/activex/BG/Menu.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093897580171
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7AEBACC1-D7E4-4360-B520-6DA4C565B42C} (UploaderCtrl Class) - http://foto.tdconline.dk/upload-classes/Uploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://webcam.vardebib.dk/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab30149.cab

Number of posts: 2249

There isn't really much bad in that log. So apparently the uninstall has dealt with most of it. However, I do recommend the procedure below:

First, create a folder for HijackThis. That way we keep track of the backup files. If you happen to fix something wrong, we can always restore it.

Next, download the following one-time antivirus scanner from Kaspersky (we will use it later):
http://www.spywareinfo.dk/download/mwav.exe  - it does not need to be installed, but can be run directly.

Restart in safe mode (press F8 repeatedly before Windows boots). From there, run HijackThis. Below you are given some files that you must fix. What you need to do is tick the box next to these files. It is very important that the only window that is open is the HijackThis window. Click Fix checked.

O4 - HKCU/../Run: [LDM] C:/Programmer/Desktop Messenger/8876480/Program/BackWeb-8876480.exe

In addition, I recommend that you also fix the ones below. They are not actual errors, but components that do not need to be running constantly and therefore just sit there using resources unnecessarily:

O4 - HKLM/../Run: [NeroCheck] C:/WINDOWS/System32//NeroCheck.exe
O4 - HKLM/../Run: [SunJavaUpdateSched] C:/Programmer/Java/j2re1.4.2_03/bin/jusched.exe
O4 - HKLM/../Run: [QuickTime Task] “C:/Programmer/QuickTime/qttask.exe” -atboottime
O4 - HKLM/../Run: [WinampAgent] C:/Programmer/Winamp/winampa.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:/Programmer/Desktop Messenger/8876480/Program/LDMConf.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:/Programmer/WinZip/WZQKPICK.EXE

Close HijackThis. But stay in safe mode.

We need to be able to see your hidden files in order to find the junk that has to be deleted manually (still from safe mode):
Open any folder, click Tools -> Folder Options -> View.
Untick “Hide protected operating system files”.
Untick “Hide extensions for known file types”.
Select “Show hidden files and folders”.

Search for the following files and delete those in bold (still from safe mode):

C:/Programmer/Desktop Messenger/8876480/Program/BackWeb-8876480.exe

C:/Programmer/QuickTime/qttask.exe
C:/Programmer/Desktop Messenger/8876480/Program/LDMConf.exe
[These two should only be deleted if you chose to fix them]

Now run the one-time antivirus scanner from Kaspersky, mwav.exe; the program unpacks itself and starts immediately.
Tick the following: “Memory”, “Startup Folders”, “Drive”, “Registry”, “System Folders” and “Services”
Select the following: “All Local Drives” and “Scan All Files”
Now click the “Scan” button

Now go to Explorer and find the folder c:/windows/temp - and delete all of its contents.

Next (still from safe mode) we need to go to “Disk Cleanup”. Start -> All Programs -> Accessories -> System Tools; Disk Cleanup.
Let it clean all your drives.

Restart the PC in normal mode.

Your system should be clean now. Are you still experiencing problems after this?

  disk
Number of posts: 15

Hi again.
The virus scanner found 33 files infected with TrojanDownloader.swizzer.br
Should the folder settings be changed back to the original settings?
There are still problems with the start page in Internet Explorer on one of the user accounts. It switches by itself to a number/letter combination.
The log file is the most recent one created.
Thanks for today.

Logfile of HijackThis v1.98.2
Scan saved at 23:08:54, on 31-10-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:/WINDOWS/System32/smss.exe
C:/WINDOWS/system32/winlogon.exe
C:/WINDOWS/system32/services.exe
C:/WINDOWS/system32/lsass.exe
C:/WINDOWS/system32/svchost.exe
C:/WINDOWS/System32/svchost.exe
C:/WINDOWS/system32/LEXBCES.EXE
C:/WINDOWS/system32/LEXPPS.EXE
C:/WINDOWS/system32/spoolsv.exe
C:/WINDOWS/Explorer.EXE
C:/Programmer/Logitech/iTouch/iTouch.exe
C:/Programmer/iTunes/iTunesHelper.exe
C:/PROGRA~1/Grisoft/AVG6/avgcc32.exe
C:/WINDOWS/System32/RUNDLL32.EXE
C:/WINDOWS/StartupMonitor.exe
C:/WINDOWS/System32/ctfmon.exe
C:/Programmer/Messenger/msmsgs.exe
C:/Programmer/Spyware Doctor/spydoctor.exe
C:/PROGRA~1/Grisoft/AVG6/avgserv.exe
C:/WINDOWS/System32/nvsvc32.exe
C:/WINDOWS/System32/svchost.exe
C:/Programmer/Logitech/MouseWare/system/em_exec.exe
C:/Programmer/iPod/bin/iPodService.exe
C:/Documents and Settings/JENS SOLGAARD/Skrivebord/hijackthis/hijackthis.exe

R0 - HKCU/Software/Microsoft/Internet Explorer/Main,Start Page = http://tdconline.dk/
R1 - HKCU/Software/Microsoft/Internet Explorer/SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R1 - HKCU/Software/Microsoft/Windows/CurrentVersion/Internet Settings,ProxyOverride = localhost
R0 - HKCU/Software/Microsoft/Internet Explorer/Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:/PROGRA~1/SPYBOT~1/SDHelper.dll
O3 - Toolbar: &Radio; - {8E718888-423F-11D2-876E-00A0C9082467} - C:/WINDOWS/System32/msdxm.ocx
O4 - HKLM/../Run: [zBrowser Launcher] C:/Programmer/Logitech/iTouch/iTouch.exe
O4 - HKLM/../Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM/../Run: [iTunesHelper] C:/Programmer/iTunes/iTunesHelper.exe
O4 - HKLM/../Run: [AVG_CC] C:/PROGRA~1/Grisoft/AVG6/avgcc32.exe /STARTUP
O4 - HKLM/../Run: [nwiz] nwiz.exe /install
O4 - HKLM/../Run: [NvMediaCenter] RUNDLL32.EXE C:/WINDOWS/System32/NvMcTray.dll,NvTaskbarInit
O4 - HKLM/../Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM/../Run: [NvCplDaemon] RUNDLL32.EXE C:/WINDOWS/System32/NvCpl.dll,NvStartup
O4 - HKCU/../Run: [CTFMON.EXE] C:/WINDOWS/System32/ctfmon.exe
O4 - HKCU/../Run: [MSMSGS] “C:/Programmer/Messenger/msmsgs.exe” /background
O4 - HKCU/../Run: [Spyware Doctor] “C:/Programmer/Spyware Doctor/spydoctor.exe” /Q
O4 - Global Startup: Microsoft Office.lnk = C:/Programmer/Microsoft Office/Office10/OSA.EXE
O8 - Extra context menu item: E&ksporter; til Microsoft Excel - res://C:/PROGRA~1/MICROS~2/Office10/EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:/Programmer/Messenger/MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:/Programmer/Messenger/MSMSGS.EXE
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - http://80.199.4.57:81/kxhcm10.ocx
O16 - DPF: {3D2CB570-D425-11D5-ABD0-00008369C46F} (CSMenu Class) - https://netbank.bgbank.dk/html/activex/BG/Menu.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093897580171
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7AEBACC1-D7E4-4360-B520-6DA4C565B42C} (UploaderCtrl Class) - http://foto.tdconline.dk/upload-classes/Uploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://webcam.vardebib.dk/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab30149.cab


Number of posts: 2249

Since the problems apply to both of your user accounts, I also need to see a HijackThis log made from both of your user accounts. I'm guessing that the two HijackThis logs above are from the same user account?!

The log above is clean!

Since we are done with the one log, you can go ahead and set the folder settings back again, so that it no longer shows hidden files.

In case of a virus infection or a suspected virus infection, it is always a good idea to let an alternative scanner look through the system. An alternative technology or search technique can often find remaining virus traces or remnants.  Below I have listed two excellent online antivirus scanners, which are also free. Run a scan with one of them, or preferably both. And on the profile we have cleaned.

http://www.pandasoftware.com/activescan/com/default.asp
http://dk.trendmicro-europe.com/consumer/products/housecall_pre.php?
[The scanner from Trend Micro needs the Sun Java Plug-in. Most systems already have it, but if you do not have it yet, it can be downloaded from here as an installer: http://java.sun.com/webapps/download/AutoDL?BundleId=9723]

  disk
Number of posts: 15

Hi again.
Regarding the user account we fixed yesterday, everything works almost normally again. The only thing I can see is that when Internet Explorer starts up, a dialog box from Spybot appears: BLOCKED DOWNLOAD OF DOUBLECLICK.
On the next user account (there are five in total) the start page keeps disappearing and is replaced by a long number/letter combination. If you hold the cursor at the bottom of the page, it says
http://AD.DOUBLECLICK.NET/CLICK;H=V3|3|B6|3|0|*|B6;11274254;0-0;0;9669874;1_468|60;7228321|72  (I can't see any more)
Here is the log from the next account.
Does it also have to be taken from safe mode with the file setting open?

Logfile of HijackThis v1.98.2
Scan saved at 18:22:20, on 01-11-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:/WINDOWS/System32/smss.exe
C:/WINDOWS/system32/winlogon.exe
C:/WINDOWS/system32/services.exe
C:/WINDOWS/system32/lsass.exe
C:/WINDOWS/system32/svchost.exe
C:/WINDOWS/System32/svchost.exe
C:/WINDOWS/system32/LEXBCES.EXE
C:/WINDOWS/system32/spoolsv.exe
C:/WINDOWS/system32/LEXPPS.EXE
C:/PROGRA~1/Grisoft/AVG6/avgserv.exe
C:/WINDOWS/System32/nvsvc32.exe
C:/WINDOWS/System32/svchost.exe
C:/Programmer/iPod/bin/iPodService.exe
C:/WINDOWS/system32/winlogon.exe
C:/WINDOWS/system32/winlogon.exe
C:/WINDOWS/Explorer.EXE
C:/Programmer/Logitech/iTouch/iTouch.exe
C:/PROGRA~1/Grisoft/AVG6/avgcc32.exe
C:/WINDOWS/System32/RUNDLL32.EXE
C:/WINDOWS/StartupMonitor.exe
C:/WINDOWS/System32/ctfmon.exe
C:/Programmer/Messenger/msmsgs.exe
c:/progra~1/intern~1/iexplore.exe
C:/Programmer/Logitech/MouseWare/system/em_exec.exe
C:/Programmer/Internet Explorer/iexplore.exe
C:/Documents and Settings/MARGIT SOLGAARD/Skrivebord/hijackthis-ms/hijackthis.exe

R1 - HKCU/Software/Microsoft/Internet Explorer/Main,Search Bar = http://www.lcljknvrwttwrgldqblm.com/pUlDn3GTb957S49R_HSUvED0KjIZarv72TWcV99Bb7YhnDglMa6ZdRNhi174jHby.asp
R0 - HKCU/Software/Microsoft/Internet Explorer/Main,Start Page = http://www.botrvvqcsprevzdzbidegp.com/pUlDn3GTb96B_6ZAoVQgTFeIG_dZS3sLFGcOGDBnOxI.htm
R1 - HKCU/Software/Microsoft/Windows/CurrentVersion/Internet Settings,ProxyOverride = localhost
R0 - HKCU/Software/Microsoft/Internet Explorer/Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:/PROGRA~1/SPYBOT~1/SDHelper.dll
O3 - Toolbar: &Radio; - {8E718888-423F-11D2-876E-00A0C9082467} - C:/WINDOWS/System32/msdxm.ocx
O4 - HKLM/../Run: [zBrowser Launcher] C:/Programmer/Logitech/iTouch/iTouch.exe
O4 - HKLM/../Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM/../Run: [iTunesHelper] C:/Programmer/iTunes/iTunesHelper.exe
O4 - HKLM/../Run: [AVG_CC] C:/PROGRA~1/Grisoft/AVG6/avgcc32.exe /STARTUP
O4 - HKLM/../Run: [nwiz] nwiz.exe /install
O4 - HKLM/../Run: [NvMediaCenter] RUNDLL32.EXE C:/WINDOWS/System32/NvMcTray.dll,NvTaskbarInit
O4 - HKLM/../Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM/../Run: [NvCplDaemon] RUNDLL32.EXE C:/WINDOWS/System32/NvCpl.dll,NvStartup
O4 - HKCU/../Run: [CTFMON.EXE] C:/WINDOWS/System32/ctfmon.exe
O4 - HKCU/../Run: [LDM] C:/Programmer/Desktop Messenger/8876480/Program/BackWeb-8876480.exe
O4 - HKCU/../Run: [MSMSGS] “C:/Programmer/Messenger/msmsgs.exe” /background
O4 - HKCU/../Run: [RULESIXTH] C:/DOCUME~1/MARGIT~1/APPLIC~1/Plussign/Obj 01.exe
O4 - Global Startup: Microsoft Office.lnk = C:/Programmer/Microsoft Office/Office10/OSA.EXE
O8 - Extra context menu item: E&ksporter; til Microsoft Excel - res://C:/PROGRA~1/MICROS~2/Office10/EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:/Programmer/Messenger/MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:/Programmer/Messenger/MSMSGS.EXE
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - http://80.199.4.57:81/kxhcm10.ocx
O16 - DPF: {3D2CB570-D425-11D5-ABD0-00008369C46F} (CSMenu Class) - https://netbank.bgbank.dk/html/activex/BG/Menu.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093897580171
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7AEBACC1-D7E4-4360-B520-6DA4C565B42C} (UploaderCtrl Class) - http://foto.tdconline.dk/upload-classes/Uploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://webcam.vardebib.dk/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab30149.cab

Editor
Number of posts: 11785

Below are some files that you need to fix. Tick the box next to these files. When you have done that, close all other windows.

Fix these with HijackThis:

R1 - HKCU/Software/Microsoft/Internet Explorer/Main,Search Bar = http://www.lcljknvrwttwrgldqblm.com/pUlDn3GTb957S49R_HSUvED0KjIZarv72TWcV99Bb7YhnDglMa6ZdRNhi174jHby.asp
R0 - HKCU/Software/Microsoft/Internet Explorer/Main,Start Page = http://www.botrvvqcsprevzdzbidegp.com/pUlDn3GTb96B_6ZAoVQgTFeIG_dZS3sLFGcOGDBnOxI.htm

O4 - HKCU/../Run: [LDM] C:/Programmer/Desktop Messenger/8876480/Program/BackWeb-8876480.exe
O4 - HKCU/../Run: [RULESIXTH] C:/DOCUME~1/MARGIT~1/APPLIC~1/Plussign/Obj 01.exe

——
Open a folder, click Tools=>Folder Options=>View.
Untick “Hide protected operating system files”.
Untick “Hide extensions for known file types”.
Select “Show hidden files and folders”.
——

Restart in safe mode (F8 during startup).  Find and delete:

C:/DOCUME~1/MARGIT~1/APPLIC~1/Plussign/ >>>> the Plussign folder


Restart normally and post a new log here for checking - thanks.

Signature

Kind regards
Resist TeamSpywarefri

Member of: Alliance of Security Analysis Professionals

  disk
Number of posts: 15

Logfile of HijackThis v1.98.2
Scan saved at 20:04:48, on 01-11-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:/WINDOWS/System32/smss.exe
C:/WINDOWS/system32/winlogon.exe
C:/WINDOWS/system32/services.exe
C:/WINDOWS/system32/lsass.exe
C:/WINDOWS/system32/svchost.exe
C:/WINDOWS/System32/svchost.exe
C:/WINDOWS/system32/LEXBCES.EXE
C:/WINDOWS/system32/LEXPPS.EXE
C:/WINDOWS/system32/spoolsv.exe
C:/PROGRA~1/Grisoft/AVG6/avgserv.exe
C:/WINDOWS/System32/nvsvc32.exe
C:/WINDOWS/System32/svchost.exe
C:/WINDOWS/System32/wuauclt.exe
C:/WINDOWS/Explorer.EXE
C:/Programmer/Logitech/iTouch/iTouch.exe
C:/Programmer/iTunes/iTunesHelper.exe
C:/PROGRA~1/Grisoft/AVG6/avgcc32.exe
C:/WINDOWS/System32/RUNDLL32.EXE
C:/WINDOWS/StartupMonitor.exe
C:/WINDOWS/System32/ctfmon.exe
C:/Programmer/Messenger/msmsgs.exe
C:/Programmer/iPod/bin/iPodService.exe
C:/Programmer/Logitech/MouseWare/system/em_exec.exe
C:/Documents and Settings/MARGIT SOLGAARD/Skrivebord/hijackthis-ms/hijackthis.exe

R1 - HKCU/Software/Microsoft/Internet Explorer/Main,Search Bar = http://www.yeklwvuyeuoluboawmabws.com/pUlDn3GTb957S49R_HSUvED0KjIZarv72TWcV99Bb7aMKx/b5QG5PxNhi174jHby.htm
R1 - HKCU/Software/Microsoft/Windows/CurrentVersion/Internet Settings,ProxyOverride = localhost
R0 - HKCU/Software/Microsoft/Internet Explorer/Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:/PROGRA~1/SPYBOT~1/SDHelper.dll
O3 - Toolbar: &Radio; - {8E718888-423F-11D2-876E-00A0C9082467} - C:/WINDOWS/System32/msdxm.ocx
O4 - HKLM/../Run: [zBrowser Launcher] C:/Programmer/Logitech/iTouch/iTouch.exe
O4 - HKLM/../Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM/../Run: [iTunesHelper] C:/Programmer/iTunes/iTunesHelper.exe
O4 - HKLM/../Run: [AVG_CC] C:/PROGRA~1/Grisoft/AVG6/avgcc32.exe /STARTUP
O4 - HKLM/../Run: [nwiz] nwiz.exe /install
O4 - HKLM/../Run: [NvMediaCenter] RUNDLL32.EXE C:/WINDOWS/System32/NvMcTray.dll,NvTaskbarInit
O4 - HKLM/../Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM/../Run: [NvCplDaemon] RUNDLL32.EXE C:/WINDOWS/System32/NvCpl.dll,NvStartup
O4 - HKCU/../Run: [CTFMON.EXE] C:/WINDOWS/System32/ctfmon.exe
O4 - HKCU/../Run: [MSMSGS] “C:/Programmer/Messenger/msmsgs.exe” /background
O4 - Global Startup: Microsoft Office.lnk = C:/Programmer/Microsoft Office/Office10/OSA.EXE
O8 - Extra context menu item: E&ksporter; til Microsoft Excel - res://C:/PROGRA~1/MICROS~2/Office10/EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:/Programmer/Messenger/MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:/Programmer/Messenger/MSMSGS.EXE
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - http://80.199.4.57:81/kxhcm10.ocx
O16 - DPF: {3D2CB570-D425-11D5-ABD0-00008369C46F} (CSMenu Class) - https://netbank.bgbank.dk/html/activex/BG/Menu.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093897580171
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7AEBACC1-D7E4-4360-B520-6DA4C565B42C} (UploaderCtrl Class) - http://foto.tdconline.dk/upload-classes/Uploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://webcam.vardebib.dk/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab30149.cab

Editor
Number of posts: 25535

Hi disk

It's not quite all right yet.

You need to run a new scan with HijackThis and fix these:

R1 - HKCU/Software/Microsoft/Internet Explorer/Main,Search Bar = http://www.yeklwvuyeuoluboawmabws.com/pUlDn3GTb957S49R_HSUvED0KjIZarv72TWcV99Bb7aMKx/b5QG5PxNhi174jHby.htm

The one above can be nasty to get rid of. Fix, restart, fix, restart, keep going until you can see it is gone.

O8 - Extra context menu item: E&ksporter; til Microsoft Excel - res://C:/PROGRA~1/MICROS~2/Office10/EXCEL.EXE/3000

O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - http://80.199.4.57:81/kxhcm10.ocx
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://webcam.vardebib.dk/activex/AxisCamControl.cab

Restart, and then post one last log here for checking.
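
The fix, restart and re-check loop described above can be verified by comparing successive logs per registry location rather than per line. The following is an added example, not part of the thread and not part of HijackThis: the function names, the "generated-looking host" heuristic and its thresholds are assumptions, and the sample input is built from lines that appear in the logs posted in this thread.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input: lines taken from the second user account's logs
# in this thread, before and after the first round of fixes.
LOG_BEFORE = """\
R1 - HKCU/Software/Microsoft/Internet Explorer/Main,Search Bar = http://www.lcljknvrwttwrgldqblm.com/pUlDn3GTb957S49R_HSUvED0KjIZarv72TWcV99Bb7YhnDglMa6ZdRNhi174jHby.asp
R0 - HKCU/Software/Microsoft/Internet Explorer/Main,Start Page = http://www.botrvvqcsprevzdzbidegp.com/pUlDn3GTb96B_6ZAoVQgTFeIG_dZS3sLFGcOGDBnOxI.htm
R0 - HKCU/Software/Microsoft/Internet Explorer/Toolbar,LinksFolderName = Hyperlinks
O4 - HKLM/../Run: [iTunesHelper] C:/Programmer/iTunes/iTunesHelper.exe
O4 - HKCU/../Run: [RULESIXTH] C:/DOCUME~1/MARGIT~1/APPLIC~1/Plussign/Obj 01.exe
"""
LOG_AFTER = """\
R1 - HKCU/Software/Microsoft/Internet Explorer/Main,Search Bar = http://www.yeklwvuyeuoluboawmabws.com/pUlDn3GTb957S49R_HSUvED0KjIZarv72TWcV99Bb7aMKx/b5QG5PxNhi174jHby.htm
R0 - HKCU/Software/Microsoft/Internet Explorer/Toolbar,LinksFolderName = Hyperlinks
O4 - HKLM/../Run: [iTunesHelper] C:/Programmer/iTunes/iTunesHelper.exe
"""

ENTRY = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
RUN_ITEM = re.compile(r"^(.+?: \[[^\]]*\]) (.+)$")
# Accept both slash styles; the logs on this page were posted with "/".
PROFILE_APPDATA = re.compile(
    r"[\\/](documents and settings|docume~1)[\\/][^\\/]+[\\/]"
    r"(application data|applic~1)[\\/]", re.IGNORECASE)


def parse_entries(log_text):
    """Map each entry's location (registry value or autorun name) to (section, data)."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, running-process list or blank line
        section, body = m.groups()
        run = RUN_ITEM.match(body) if section == "O4" else None
        if run:
            location, data = run.groups()
        elif " = " in body:
            location, data = body.split(" = ", 1)
        else:
            location, data = body, ""
        entries[f"{section} {location}"] = (section, data)
    return entries


def looks_generated(host):
    """Crude triage heuristic (assumption): a long all-letter label with a
    run of four or more consonants, as in the hijack hosts in this thread."""
    labels = [part for part in host.lower().split(".") if part != "www"]
    for label in labels[:-1]:  # skip the top-level domain
        if len(label) >= 15 and label.isalpha():
            runs = re.findall(r"[^aeiou]+", label)
            if max((len(r) for r in runs), default=0) >= 4:
                return True
    return False


def flag(section, data):
    """Return a reason string if the entry deserves a closer look, else None."""
    if section in ("R0", "R1") and data.lower().startswith(("http://", "https://")):
        host = urlsplit(data).hostname or ""
        if looks_generated(host):
            return f"browser setting points at generated-looking host {host}"
    if section == "O4" and PROFILE_APPDATA.search(data):
        return "autorun target inside a user profile's Application Data folder"
    return None


def compare(before_text, after_text):
    """Report flagged entries as cleared, rewritten, unchanged or new."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    report = []
    for location in sorted(set(before) | set(after)):
        old, new = before.get(location), after.get(location)
        old_reason = flag(*old) if old else None
        new_reason = flag(*new) if new else None
        if not (old_reason or new_reason):
            continue
        if new_reason is None:
            status = "cleared"
        elif old_reason is None:
            status = "new"
        elif old[1] != new[1]:
            status = "rewritten"  # same setting, different hijack value
        else:
            status = "unchanged"
        report.append((status, location, new[1] if new_reason else old[1]))
    return report


if __name__ == "__main__":
    for status, location, data in compare(LOG_BEFORE, LOG_AFTER):
        print(f"{status:9} {location}\n          {data}")
```

Keying on the registry location is what shows that the Search Bar value was rewritten with a different host after the first fix, instead of reporting one entry as removed and an unrelated one as added.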

  disk
Number of posts: 15

Hi again.
R1-HKCU DISAPPEARED ON THE FIRST ATTEMPT. HERE IS THE NEW LOG.
Logfile of HijackThis v1.98.2
Scan saved at 21:19:44, on 01-11-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:/WINDOWS/System32/smss.exe
C:/WINDOWS/system32/winlogon.exe
C:/WINDOWS/system32/services.exe
C:/WINDOWS/system32/lsass.exe
C:/WINDOWS/system32/svchost.exe
C:/WINDOWS/System32/svchost.exe
C:/WINDOWS/system32/LEXBCES.EXE
C:/WINDOWS/system32/spoolsv.exe
C:/WINDOWS/system32/LEXPPS.EXE
C:/WINDOWS/Explorer.EXE
C:/PROGRA~1/Grisoft/AVG6/avgserv.exe
C:/WINDOWS/System32/nvsvc32.exe
C:/WINDOWS/System32/svchost.exe
C:/Programmer/Logitech/iTouch/iTouch.exe
C:/Programmer/iTunes/iTunesHelper.exe
C:/PROGRA~1/Grisoft/AVG6/avgcc32.exe
C:/WINDOWS/System32/RUNDLL32.EXE
C:/WINDOWS/StartupMonitor.exe
C:/WINDOWS/System32/ctfmon.exe
C:/Programmer/Messenger/msmsgs.exe
C:/Programmer/Logitech/MouseWare/system/em_exec.exe
C:/Programmer/Internet Explorer/iexplore.exe
C:/Programmer/iPod/bin/iPodService.exe
C:/WINDOWS/System32/wuauclt.exe
C:/Documents and Settings/MARGIT SOLGAARD/Skrivebord/hijackthis-ms/hijackthis.exe

R1 - HKCU/Software/Microsoft/Windows/CurrentVersion/Internet Settings,ProxyOverride = localhost
R0 - HKCU/Software/Microsoft/Internet Explorer/Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:/PROGRA~1/SPYBOT~1/SDHelper.dll
O3 - Toolbar: &Radio; - {8E718888-423F-11D2-876E-00A0C9082467} - C:/WINDOWS/System32/msdxm.ocx
O4 - HKLM/../Run: [zBrowser Launcher] C:/Programmer/Logitech/iTouch/iTouch.exe
O4 - HKLM/../Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM/../Run: [iTunesHelper] C:/Programmer/iTunes/iTunesHelper.exe
O4 - HKLM/../Run: [AVG_CC] C:/PROGRA~1/Grisoft/AVG6/avgcc32.exe /STARTUP
O4 - HKLM/../Run: [nwiz] nwiz.exe /install
O4 - HKLM/../Run: [NvMediaCenter] RUNDLL32.EXE C:/WINDOWS/System32/NvMcTray.dll,NvTaskbarInit
O4 - HKLM/../Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM/../Run: [NvCplDaemon] RUNDLL32.EXE C:/WINDOWS/System32/NvCpl.dll,NvStartup
O4 - HKCU/../Run: [CTFMON.EXE] C:/WINDOWS/System32/ctfmon.exe
O4 - HKCU/../Run: [MSMSGS] “C:/Programmer/Messenger/msmsgs.exe” /background
O4 - Global Startup: Microsoft Office.lnk = C:/Programmer/Microsoft Office/Office10/OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:/Programmer/Messenger/MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:/Programmer/Messenger/MSMSGS.EXE
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3D2CB570-D425-11D5-ABD0-00008369C46F} (CSMenu Class) - https://netbank.bgbank.dk/html/activex/BG/Menu.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093897580171
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7AEBACC1-D7E4-4360-B520-6DA4C565B42C} (UploaderCtrl Class) - http://foto.tdconline.dk/upload-classes/Uploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab30149.cab

Editor
Number of posts: 25535

Hi disk

That's great, it looks really good now, your log is clean.

After a round like this it is always a good idea to clean up the System Restore files. Disable System Restore (http://www.spywarefri.dk/virusscannere.htm#alle) - restart your computer - enable System Restore.


Next you need to clean out the browser cache

1. Click Tools - Internet Options

2. Under Temporary Internet files, click Delete Cookies

3. Under Temporary Internet files, click Delete Files – tick Delete all offline content

4. Under History, click Clear History

5. Click OK.

Empty your Recycle Bin.

You should also get a bit of advice to take with you.
To secure your PC in future, it would be a good idea to use some of the programs from our little package, which you can see here:
http://www.spywarefri.dk/pakken.htm

In particular I would recommend Spybot and/or Ad-aware, SpywareBlaster, IE Privacy Keeper or EmtyTempFolder, IE-Spyad and SpywareGuard as a minimum. They are all free, don't take up much space, don't slow down your PC and don't conflict with your other programs.

If you don't want many small programs, you can instead buy a program such as Spy Sweeper. It is also in the package, where you can read a bit more. There is also a link to a Danish manual. I can warmly recommend this program. Feel free to install SpywareBlaster as well, which will go well with Spy Sweeper.

  disk
Number of posts: 15

Hi again.

I just went in and had a look at the first user account we looked at yesterday.
Spyware Doctor showed that it had found 2 infections. They were slotchbar and altnet software, which are rated as very dangerous/dangerous. What does the thing I mentioned in one of the previous posts mean, regarding the message [blocked download of doubleclick]???
I am enclosing a log from this user account

Logfile of HijackThis v1.98.2
Scan saved at 22:30:12, on 01-11-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:/WINDOWS/System32/smss.exe
C:/WINDOWS/system32/winlogon.exe
C:/WINDOWS/system32/services.exe
C:/WINDOWS/system32/lsass.exe
C:/WINDOWS/system32/svchost.exe
C:/WINDOWS/System32/svchost.exe
C:/WINDOWS/system32/LEXBCES.EXE
C:/WINDOWS/system32/spoolsv.exe
C:/PROGRA~1/Grisoft/AVG6/avgserv.exe
C:/WINDOWS/System32/nvsvc32.exe
C:/WINDOWS/System32/svchost.exe
C:/WINDOWS/Explorer.EXE
C:/Programmer/Logitech/iTouch/iTouch.exe
C:/Programmer/iTunes/iTunesHelper.exe
C:/PROGRA~1/Grisoft/AVG6/avgcc32.exe
C:/WINDOWS/System32/RUNDLL32.EXE
C:/WINDOWS/StartupMonitor.exe
C:/WINDOWS/System32/lexpps.exe
C:/WINDOWS/System32/ctfmon.exe
C:/Programmer/Messenger/msmsgs.exe
C:/Programmer/Spyware Doctor/spydoctor.exe
C:/Programmer/iPod/bin/iPodService.exe
C:/Programmer/Logitech/MouseWare/system/em_exec.exe
C:/Programmer/Internet Explorer/iexplore.exe
C:/Documents and Settings/JENS SOLGAARD/Skrivebord/hijackthis/hijackthis.exe

R0 - HKCU/Software/Microsoft/Internet Explorer/Main,Start Page = http://tdconline.dk/
R1 - HKCU/Software/Microsoft/Internet Explorer/SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R1 - HKCU/Software/Microsoft/Windows/CurrentVersion/Internet Settings,ProxyOverride = localhost
R0 - HKCU/Software/Microsoft/Internet Explorer/Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:/PROGRA~1/SPYBOT~1/SDHelper.dll
O3 - Toolbar: &Radio; - {8E718888-423F-11D2-876E-00A0C9082467} - C:/WINDOWS/System32/msdxm.ocx
O4 - HKLM/../Run: [zBrowser Launcher] C:/Programmer/Logitech/iTouch/iTouch.exe
O4 - HKLM/../Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM/../Run: [iTunesHelper] C:/Programmer/iTunes/iTunesHelper.exe
O4 - HKLM/../Run: [AVG_CC] C:/PROGRA~1/Grisoft/AVG6/avgcc32.exe /STARTUP
O4 - HKLM/../Run: [nwiz] nwiz.exe /install
O4 - HKLM/../Run: [NvMediaCenter] RUNDLL32.EXE C:/WINDOWS/System32/NvMcTray.dll,NvTaskbarInit
O4 - HKLM/../Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM/../Run: [NvCplDaemon] RUNDLL32.EXE C:/WINDOWS/System32/NvCpl.dll,NvStartup
O4 - HKCU/../Run: [CTFMON.EXE] C:/WINDOWS/System32/ctfmon.exe
O4 - HKCU/../Run: [MSMSGS] “C:/Programmer/Messenger/msmsgs.exe” /background
O4 - HKCU/../Run: [Spyware Doctor] “C:/Programmer/Spyware Doctor/spydoctor.exe” /Q
O4 - Global Startup: Microsoft Office.lnk = C:/Programmer/Microsoft Office/Office10/OSA.EXE
O8 - Extra context menu item: E&ksporter; til Microsoft Excel - res://C:/PROGRA~1/MICROS~2/Office10/EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:/Programmer/Messenger/MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:/Programmer/Messenger/MSMSGS.EXE
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3D2CB570-D425-11D5-ABD0-00008369C46F} (CSMenu Class) - https://netbank.bgbank.dk/html/activex/BG/Menu.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093897580171
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7AEBACC1-D7E4-4360-B520-6DA4C565B42C} (UploaderCtrl Class) - http://foto.tdconline.dk/upload-classes/Uploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab30149.cab

Editor
Number of posts: 25535

Hi disk

There is also a bit here that needs to be fixed:

R1 - HKCU/Software/Microsoft/Internet Explorer/SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com

O8 - Extra context menu item: E&ksporter; til Microsoft Excel - res://C:/PROGRA~1/MICROS~2/Office10/EXCEL.EXE/3000

You should then go to Add/Remove Programs and uninstall Spyware Doctor. We cannot really say with certainty that it does not give you false positives and/or spyware. As long as we are not sure, we do not recommend the program. The ones you got in the package are all programs that we can vouch for.


[blocked download of doubleclick]: good, because that is junk, which then did not get onto your computer. IE-Spyad also blocks doubleclick and more, in fact more than 5000 URLs.
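The comparison behind this reply, as an added example that is not part of the forum posts or of any spywarefri.dk tool: parsing the entry lines of two HijackThis logs from the same machine and listing what appears only in the second account's log. The log excerpts are shortened copies of lines from this thread, and the function names `parse_entries` and `new_entries` are hypothetical.

```python
import re
from collections import defaultdict

# Entry lines look like "O4 - HKLM/../Run: [name] path"; headers and process paths do not match.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

# Shortened excerpts of the two logs in this thread (first account = baseline).
BASELINE_LOG = """\
R1 - HKCU/Software/Microsoft/Windows/CurrentVersion/Internet Settings,ProxyOverride = localhost
R0 - HKCU/Software/Microsoft/Internet Explorer/Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:/PROGRA~1/SPYBOT~1/SDHelper.dll
O4 - HKCU/../Run: [CTFMON.EXE] C:/WINDOWS/System32/ctfmon.exe
"""

CANDIDATE_LOG = """\
Running processes:
C:/WINDOWS/System32/ctfmon.exe

R0 - HKCU/Software/Microsoft/Internet Explorer/Main,Start Page = http://tdconline.dk/
R1 - HKCU/Software/Microsoft/Internet Explorer/SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R1 - HKCU/Software/Microsoft/Windows/CurrentVersion/Internet Settings,ProxyOverride = localhost
R0 - HKCU/Software/Microsoft/Internet Explorer/Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:/PROGRA~1/SPYBOT~1/SDHelper.dll
O4 - HKCU/../Run: [CTFMON.EXE] C:/WINDOWS/System32/ctfmon.exe
O8 - Extra context menu item: E&ksporter; til Microsoft Excel - res://C:/PROGRA~1/MICROS~2/Office10/EXCEL.EXE/3000
"""

def parse_entries(log_text):
    """Return (code, body) tuples for entry lines only."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries

def new_entries(baseline_text, candidate_text):
    """Entries present in the candidate log but not in the baseline, grouped by section code."""
    # Windows paths and registry names are case-insensitive, so compare case-folded bodies.
    seen = {(code, body.casefold()) for code, body in parse_entries(baseline_text)}
    added = defaultdict(list)
    for code, body in parse_entries(candidate_text):
        if (code, body.casefold()) not in seen:
            added[code].append(body)
    return dict(added)

if __name__ == "__main__":
    for code, bodies in new_entries(BASELINE_LOG, CANDIDATE_LOG).items():
        print(code, *bodies, sep="\n  ")
```

An entry that differs between accounts is only a candidate for review; whether it is fixed remains the analyst's call, as in the reply above.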

  disk
Number of posts: 15

Hi again.
Just a question about user accounts. We have now fixed two of the five user accounts. Should the last three accounts also be examined closely (or rather their files)? Norman antivirus and various programs you have recommended have now been installed, and a router with a firewall is being connected.
If everything is OK we can end the thread here. Many thanks for the help, the donation will follow later. Bye.[:D]:)

Administrator
Number of posts: 55090

We will probably have to go through the whole routine with the last three users.
Post the log files one user at a time; we will finish that one before we take the next.
