Windows has found a serious error and will restart in 1 minute. Save your work
Posts: 13

Hi Spywarefri! :D

I have this Vista Home Premium 32-bit machine, which got a virus called Live Security Platinum, which I then got removed. When I then restarted the computer, it came up with a pop-up window that said: Windows has found a serious error and will restart in 1 minute. Save your work.

Hope you can help!

Regards,

Administrator
Posts: 7125

Hi, and welcome.

You should preferably download from another PC.

———

For 32-bit Windows, download Farbar Recovery Scan Tool and save it to a USB stick.

Plug the USB stick into the infected PC.

Start the PC with “Advanced Boot Options” (press F8 repeatedly during startup)
Select “Repair Your Computer”
Select language.
Select user account.

Then select Command Prompt.

There, type notepad and press <Enter>

Select the File menu -> Open and choose “Computer”. Find the drive letter of your USB stick. Close Notepad.

At the command prompt, type e:\frst.exe

Replace e with the correct letter.

When Farbar Recovery Scan Tool has started, click Scan.

It creates FRST.txt on the USB stick. Copy it into your next post here.

Signature

Please do not attach logs unless you are asked to!

Posts: 13

So I shouldn't click “fix”?

Here is the log:

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 04-08-2012 10:40:07
Running from G:\
Windows Vista (TM) Home Premium Service Pack 1 (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [IAAnotif] “C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe” [178712 2007-10-03] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKLM\...\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe [102400 2007-09-07] (Synaptics, Inc.)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [141848 2007-08-28] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [154136 2007-08-28] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [137752 2007-08-28] (Intel Corporation)
HKLM\...\Run: [RemoteControl] “C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” [81920 2008-01-22] (Cyberlink Corp.)
HKLM\...\Run: [LanguageShortcut] “C:\Program Files\CyberLink\PowerDVD\Language\Language.exe” [62760 2007-10-11] ()
HKLM\...\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe [521776 2008-01-02] (Egis Incorporated)
HKLM\...\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe [858632 2008-01-07] (Dritek System Inc.)
HKLM\...\Run: [eRecoveryService]  [x]
HKLM\...\Run: [WarReg_PopUp] C:\Program Files\Acer\WR_PopUp\WarReg_PopUp.exe [303104 2008-01-28] (Acer Incorporated)
HKLM\...\Run: [GrooveMonitor] “C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe” [30040 2009-02-26] (Microsoft Corporation)
HKLM\...\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [177440 2009-08-13] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime [417792 2009-11-10] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] “C:\Program Files\Itunes\iTunesHelper.exe” [141608 2010-02-15] (Apple Inc.)
HKLM\...\Run: [SunJavaUpdateSched] “C:\Program Files\Common Files\Java\Java Update\jusched.exe” [248040 2010-02-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [EEventManager] C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe [665424 2008-12-04] (SEIKO EPSON CORPORATION)
HKLM\...\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM\...\Run: []  [x]
HKLM\...\Run: [Communicator] “C:\Program Files\Microsoft Office Communicator\communicator.exe” /fromrunkey [5164120 2012-05-15] (Microsoft Corporation)
HKLM\...\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [39792 2008-10-14] (Adobe Systems Incorporated)
HKLM\...\Run: [MSC] “C:\Program Files\Microsoft Security Client\msseces.exe” -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKU\Penille\...\Run: [MsnMsgr] “C:\Program Files\Windows Live\Messenger\msnmsgr.exe” /background [3883856 2009-07-26] (Microsoft Corporation)
HKU\Penille\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)
HKU\Penille\...\Run: [TomTomHOME.exe] “C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe” [247144 2010-05-07] (TomTom)
HKU\Penille\...\Run: [EPSON SX110 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIFBE.EXE /FU “C:\Windows\TEMP\E_SB9F2.tmp” /EF “HKCU” [199680 2008-09-26] (SEIKO EPSON CORPORATION)
HKU\Penille\...\Run: [cbsrkcmd] rundll32 “C:\Users\Penille\AppData\Local\Temp\ctfmalua.dll”,CreateProcessNotify [56320 2012-08-03] (FRISK Software International)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 10.0.0.1 212.242.40.3 212.242.40.51
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
ShortcutTarget: Empowering Technology Launcher.lnk -> C:\Acer\Empowering Technology\eAPLauncher.exe (Acer Inc.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Opdateringsagent.lnk
ShortcutTarget: Opdateringsagent.lnk -> C:\Program Files\Connect it\AutoUpdateSrv.exe (No File)

================================ Services (Whitelisted) ==================

2 Apple Mobile Device; “C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe” [144672 2009-08-28] (Apple Inc.)
2 BBSvc; C:\Program Files\Microsoft\BingBar\7.1.391.0\BBSvc.exe [193616 2012-06-11] (Microsoft Corporation.)
3 BBUpdate; C:\Program Files\Microsoft\BingBar\7.1.391.0\SeaPort.exe [240208 2012-06-11] (Microsoft Corporation.)
2 BecHelperService; C:\Program Files\Connect it\BecHelperService.exe [1762176 2010-09-07] ()
2 eDataSecurity Service; “C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe” [506416 2008-01-02] (Egis Incorporated)
2 eLockService; C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe [24576 2007-10-01] (Acer Inc.)
2 eNet Service; C:\Acer\Empowering Technology\eNet\eNet Service.exe [131072 2007-12-20] (Acer Inc.)
2 eRecoveryService; C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe [57344 2007-09-10] (Acer Inc.)
2 eSettingsService; C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe [24576 2007-12-19] ()
2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-20] (Microsoft Corporation)
2 MobilityService; C:\Acer\Mobility Center\MobilityService.exe -p [110592 2007-11-27] ()
2 MsMpSvc; “C:\Program Files\Microsoft Security Client\MsMpEng.exe” [11552 2012-03-26] (Microsoft Corporation)
3 MSSQL$MSSMLBIZ; “C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe” -sMSSMLBIZ [29293408 2010-12-10] (Microsoft Corporation)
3 NisSrv; “C:\Program Files\Microsoft Security Client\NisSrv.exe” [214952 2012-03-26] (Microsoft Corporation)
2 WMIService; C:\Acer\Empowering Technology\ePower\ePowerSvc.exe [167936 2007-09-20] (acer)

========================== Drivers (Whitelisted) =============

3 ewusbnet; C:\Windows\System32\DRIVERS\ewusbnet.sys [116736 2010-09-07] (Huawei Technologies Co., Ltd.)
3 ew_hwusbdev; C:\Windows\System32\DRIVERS\ew_hwusbdev.sys [101504 2010-09-07] (Huawei Technologies Co., Ltd.)
3 HPZid412; C:\Windows\System32\DRIVERS\HPZid412.sys [49664 2006-04-12] (HP)
3 HPZipr12; C:\Windows\System32\DRIVERS\HPZipr12.sys [16496 2006-04-12] (HP)
3 HPZius12; C:\Windows\System32\DRIVERS\HPZius12.sys [21568 2006-04-12] (HP)
3 huawei_enumerator; C:\Windows\System32\DRIVERS\ew_jubusenum.sys [70656 2010-09-07] (Huawei Technologies Co., Ltd.)
3 k750bus; C:\Windows\System32\DRIVERS\k750bus.sys [55216 2005-02-11] (MCCI)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
3 s0017bus; C:\Windows\System32\DRIVERS\s0017bus.sys [90536 2008-10-17] (MCCI Corporation)
3 s0017mdfl; C:\Windows\System32\DRIVERS\s0017mdfl.sys [15016 2008-10-17] (MCCI Corporation)
3 s0017mdm; C:\Windows\System32\DRIVERS\s0017mdm.sys [122152 2008-10-17] (MCCI Corporation)
3 upperdev; C:\Windows\System32\DRIVERS\usbser_lowerflt.sys [8064 2008-05-02] (Windows (R) Codename Longhorn DDK provider)
3 UsbserFilt; C:\Windows\System32\DRIVERS\usbser_lowerfltj.sys [8064 2008-05-02] (Windows (R) Codename Longhorn DDK provider)
3 AVFSFilter; C:\Windows\System32\DRIVERS\avfsfilter.sys [x]
3 hwusbdev; C:\Windows\System32\DRIVERS\ewusbdev.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-04 10:39 - 2012-08-04 10:39 - 00000000 ____D C:\FRST
2012-08-03 07:45 - 2012-08-03 07:45 - 09231560 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
2012-08-03 07:17 - 2012-08-03 07:18 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-08-03 06:57 - 2012-08-03 06:57 - 00000000 ____A C:\Windows\EEventManager.INI
2012-08-03 06:45 - 2012-08-03 07:19 - 00001912 ____A C:\Windows\epplauncher.mif
2012-08-03 06:31 - 2012-08-03 06:31 - 00000000 ____D C:\Users\Penille\AppData\Roaming\Fighters
2012-08-03 06:31 - 2012-08-03 06:31 - 00000000 ____D C:\Users\All Users\Common Toolkit Suite
2012-08-03 06:30 - 2012-08-03 06:34 - 00000000 ____D C:\Users\All Users\Fighters
2012-08-03 05:37 - 2012-08-03 05:37 - 00000000 ____D C:\Program Files\Enigma Software Group
2012-08-03 05:36 - 2012-08-03 06:30 - 00000000 ____D C:\Windows\CC1F6DA021D2425AB1B65B164A598450.TMP
2012-08-03 05:36 - 2012-08-03 05:36 - 00000000 ____D C:\Program Files\Common Files\Wise Installation Wizard
2012-08-03 05:27 - 2012-08-03 05:14 - 00407872 ____A C:\Users\Penille\Desktop\pkiller.exe
2012-08-03 04:10 - 2007-08-20 12:13 - 00172032 ____A (Intel Corporation) C:\Windows\System32\igfxres.dll
2012-08-03 03:55 - 2012-08-03 07:45 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-08-03 03:55 - 2012-08-03 07:45 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-08-03 03:55 - 2012-08-03 07:45 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-07-28 10:55 - 2012-08-02 02:30 - 03576578 ____H C:\Users\Penille\Desktop\~WRL0005.tmp

============ 3 Months Modified Files ========================

2012-08-03 12:23 - 2008-01-20 18:47 - 01407880 ____A C:\Windows\PFRO.log
2012-08-03 12:23 - 2006-11-02 05:01 - 00032590 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-03 12:23 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-03 12:23 - 2006-11-02 04:47 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-03 12:23 - 2006-11-02 04:47 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-03 12:21 - 2008-01-20 18:24 - 00279040 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-08-03 12:16 - 2006-11-02 04:52 - 00158055 ____A C:\Windows\setupact.log
2012-08-03 12:14 - 2006-11-02 02:33 - 01384028 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-03 07:45 - 2012-08-03 07:45 - 09231560 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
2012-08-03 07:45 - 2012-08-03 03:55 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-08-03 07:45 - 2012-08-03 03:55 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-08-03 07:45 - 2012-08-03 03:55 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-03 07:19 - 2012-08-03 06:45 - 00001912 ____A C:\Windows\epplauncher.mif
2012-08-03 07:19 - 2008-08-15 17:58 - 01075531 ____A C:\Windows\WindowsUpdate.log
2012-08-03 06:57 - 2012-08-03 06:57 - 00000000 ____A C:\Windows\EEventManager.INI
2012-08-03 06:47 - 2006-11-02 04:47 - 00371256 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-03 06:43 - 2008-08-29 11:20 - 00001356 ____A C:\Users\Penille\AppData\Local\d3d9caps.dat
2012-08-03 05:19 - 2008-08-15 12:25 - 00096768 ____A C:\Users\Penille\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-08-03 05:14 - 2012-08-03 05:27 - 00407872 ____A C:\Users\Penille\Desktop\pkiller.exe
2012-08-03 03:54 - 2012-05-19 11:04 - 00000439 ____A C:\Windows\System32\Drivers\etc\hosts.ics
2012-08-02 02:30 - 2012-07-28 10:55 - 03576578 ____H C:\Users\Penille\Desktop\~WRL0005.tmp
2012-07-28 06:57 - 2006-11-02 02:23 - 00000219 ____A C:\Windows\win.ini
2012-07-28 06:50 - 2006-11-02 02:24 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe

ZeroAccess:
C:\Windows\Installer\{681c730e-5659-3b37-cbe3-6ed72c7eda84}
C:\Windows\Installer\{681c730e-5659-3b37-cbe3-6ed72c7eda84}\@
C:\Windows\Installer\{681c730e-5659-3b37-cbe3-6ed72c7eda84}\L
C:\Windows\Installer\{681c730e-5659-3b37-cbe3-6ed72c7eda84}\n
C:\Windows\Installer\{681c730e-5659-3b37-cbe3-6ed72c7eda84}\U
C:\Windows\Installer\{681c730e-5659-3b37-cbe3-6ed72c7eda84}\U\00000001.@
C:\Windows\Installer\{681c730e-5659-3b37-cbe3-6ed72c7eda84}\U\80000000.@
C:\Windows\Installer\{681c730e-5659-3b37-cbe3-6ed72c7eda84}\U\800000cb.@

ZeroAccess:
C:\Users\Penille\AppData\Local\{681c730e-5659-3b37-cbe3-6ed72c7eda84}
C:\Users\Penille\AppData\Local\{681c730e-5659-3b37-cbe3-6ed72c7eda84}\@
C:\Users\Penille\AppData\Local\{681c730e-5659-3b37-cbe3-6ed72c7eda84}\L
C:\Users\Penille\AppData\Local\{681c730e-5659-3b37-cbe3-6ed72c7eda84}\n
C:\Users\Penille\AppData\Local\{681c730e-5659-3b37-cbe3-6ed72c7eda84}\U
C:\Users\Penille\AppData\Local\{681c730e-5659-3b37-cbe3-6ed72c7eda84}\U\00000001.@
C:\Users\Penille\AppData\Local\{681c730e-5659-3b37-cbe3-6ed72c7eda84}\U\80000000.@
C:\Users\Penille\AppData\Local\{681c730e-5659-3b37-cbe3-6ed72c7eda84}\U\800000cb.@

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 5DC3C54FC22BBB6F66C290C7C0384DF9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: “%1” %* => OK

========================= Memory info ======================

Percentage of memory in use: 20%
Total physical RAM: 2037.68 MB
Available physical RAM: 1611.82 MB
Total Pagefile: 1805.91 MB
Available Pagefile: 1675 MB
Total Virtual: 2047.88 MB
Available Virtual: 1974.31 MB

======================= Partitions =========================

1 Drive c: (ACER) (Fixed) (Total:144.17 GB) (Free:54.3 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (DATA) (Fixed) (Total:144.15 GB) (Free:136.59 GB) NTFS
4 Drive f: (PQSERVICE) (Fixed) (Total:9.76 GB) (Free:3.13 GB) FAT32
5 Drive g: () (Removable) (Total:3.73 GB) (Free:1.66 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

  Disk ###  Status     Size   Free   Dyn Gpt
————————————- ———- —- —-
  Disk 0   Online     298 GB     0 B      
  Disk 1   Online     3832 MB     0 B      

Partitions of Disk 0:
===============

  Partition ###  Type         Size   Offset
——————- ———————————- ———-
  Partition 1   OEM           10 GB 1024 KB
  Partition 2   Primary         144 GB   10 GB
  Partition 3   Primary         144 GB   154 GB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

  Volume ###  Ltr Label     Fs   Type     Size   Status   Info
——————- —————- ——- ————————- ————- ————
* Volume 4   F   PQSERVICE   FAT32 Partition   10 GB Healthy   Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

  Volume ###  Ltr Label     Fs   Type     Size   Status   Info
——————- —————- ——- ————————- ————- ————
* Volume 1   C   ACER       NTFS   Partition   144 GB Healthy        

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

  Volume ###  Ltr Label     Fs   Type     Size   Status   Info
——————- —————- ——- ————————- ————- ————
* Volume 2   D   DATA       NTFS   Partition   144 GB Healthy        

==================================================================================

Partitions of Disk 1:
===============

  Partition ###  Type         Size   Offset
——————- ———————————- ———-
  Partition 1   Primary       3832 MB   64 KB

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: Yes

  Volume ###  Ltr Label     Fs   Type     Size   Status   Info
——————- —————- ——- ————————- ————- ————
* Volume 3   G           FAT32 Removable   3832 MB Healthy        

==================================================================================

==========================================================

Last Boot: 2012-08-03 07:19

======================= End Of Log ==========================

Administrator
Posts: 7125

Start the PC the way you did when you created FRST.txt.

Start FRST.

Type the following in the box after “Search:”.

services.exe

Click the Search File(s) button and copy the log (Search.txt) in here.


Posts: 13

Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 2012-08-04 11:15:12
Running from G:\

================== Search: “services.exe” ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:24] - [2008-01-20 18:24] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\System32\services.exe
[2008-01-20 18:24] - [2012-08-03 12:21] - 0279040 ____A (Microsoft Corporation) 5DC3C54FC22BBB6F66C290C7C0384DF9

C:\Windows\SoftwareDistribution\Download\15d05090e6f876555f2419af621dda9f\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-09-25 06:43] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

=== End Of Search ===

Administrator
Posts: 7125

I am attaching Fixlist.txt. Save it on your USB stick.

Start the PC with Command Prompt. (As before)

At the command prompt, start FRST (Farbar Recovery Scan Tool) and click FIX (and wait until it has finished)

It creates Fixlog.txt, which you should copy into your next post.

Close Farbar Recovery Scan Tool and restart the PC.

Attached files
Fixlist.txt  (File size: 2 - Downloads: 41)

Posts: 13

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 2012-08-04 12:29:26 Run:1
Running from G:\

==============================================

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
HKEY_USERS\Penille\Software\Microsoft\Windows\CurrentVersion\Run\\cbsrkcmd Value deleted successfully.
C:\Users\Penille\AppData\Local\Temp\ctfmalua.dll moved successfully.
C:\Users\Penille\Desktop\pkiller.exe moved successfully.
C:\Users\Penille\Desktop\~WRL0005.tmp moved successfully.

========================= Folder: C:\Windows\CC1F6DA021D2425AB1B65B164A598450.TMP ========================

2012-08-03 06:30 - 2012-08-03 06:30 - 0027499 ____A (Altiris) C:\Windows\CC1F6DA021D2425AB1B65B164A598450.TMP\WiseCustomCall.dll
2012-08-03 06:30 - 2012-08-03 06:30 - 0179526 ____A (Enigma Software Group USA, LLC) C:\Windows\CC1F6DA021D2425AB1B65B164A598450.TMP\WiseCustomCalla.dll
2012-08-03 06:30 - 2012-08-03 06:30 - 0176545 ____A (Enigma Software Group USA, LLC) C:\Windows\CC1F6DA021D2425AB1B65B164A598450.TMP\WiseCustomCalla17.dll
2012-08-03 06:30 - 2012-08-03 06:30 - 0179526 ____A (Enigma Software Group USA, LLC) C:\Windows\CC1F6DA021D2425AB1B65B164A598450.TMP\WiseCustomCalla18.exe
2012-08-03 06:30 - 2012-08-03 06:30 - 0176035 ____A (Enigma Software Group USA, LLC) C:\Windows\CC1F6DA021D2425AB1B65B164A598450.TMP\WiseCustomCalla19.dll
2012-08-03 06:30 - 2012-08-03 06:30 - 0176035 ____A (Enigma Software Group USA, LLC) C:\Windows\CC1F6DA021D2425AB1B65B164A598450.TMP\WiseCustomCalla2.dll
2012-08-03 06:30 - 2012-08-03 06:30 - 0175992 ____A (Enigma Software Group USA, LLC) C:\Windows\CC1F6DA021D2425AB1B65B164A598450.TMP\WiseCustomCalla20.dll
2012-08-03 06:30 - 2012-08-03 06:30 - 0180696 ____A (Enigma Software Group USA, LLC) C:\Windows\CC1F6DA021D2425AB1B65B164A598450.TMP\WiseCustomCalla21.dll
2012-08-03 05:36 - 2012-08-03 05:36 - 0180696 ____A (Enigma Software Group USA, LLC) C:\Windows\CC1F6DA021D2425AB1B65B164A598450.TMP\WiseCustomCalla21.exe
2012-08-03 06:30 - 2012-08-03 06:30 - 0007930 ____A () C:\Windows\CC1F6DA021D2425AB1B65B164A598450.TMP\WiseData.ini

====== End of Folder: ======
C:\Windows\Installer\{681c730e-5659-3b37-cbe3-6ed72c7eda84}\U\800000cb.@ moved successfully.
C:\Windows\Installer\{681c730e-5659-3b37-cbe3-6ed72c7eda84}\U\80000000.@ moved successfully.
C:\Windows\Installer\{681c730e-5659-3b37-cbe3-6ed72c7eda84}\U\80000000.@ not found.
C:\Windows\Installer\{681c730e-5659-3b37-cbe3-6ed72c7eda84}\U\00000001.@ moved successfully.
C:\Windows\Installer\{681c730e-5659-3b37-cbe3-6ed72c7eda84}\U moved successfully.
C:\Windows\Installer\{681c730e-5659-3b37-cbe3-6ed72c7eda84}\n moved successfully.
C:\Windows\Installer\{681c730e-5659-3b37-cbe3-6ed72c7eda84}\L moved successfully.
C:\Windows\Installer\{681c730e-5659-3b37-cbe3-6ed72c7eda84}\@ moved successfully.
C:\Windows\Installer\{681c730e-5659-3b37-cbe3-6ed72c7eda84} moved successfully.
C:\Users\Penille\AppData\Local\{681c730e-5659-3b37-cbe3-6ed72c7eda84}\U\800000cb.@ moved successfully.
C:\Users\Penille\AppData\Local\{681c730e-5659-3b37-cbe3-6ed72c7eda84}\U\80000000.@ moved successfully.
C:\Users\Penille\AppData\Local\{681c730e-5659-3b37-cbe3-6ed72c7eda84}\U\00000001.@ moved successfully.
C:\Users\Penille\AppData\Local\{681c730e-5659-3b37-cbe3-6ed72c7eda84}\U moved successfully.
C:\Users\Penille\AppData\Local\{681c730e-5659-3b37-cbe3-6ed72c7eda84}\n moved successfully.
C:\Users\Penille\AppData\Local\{681c730e-5659-3b37-cbe3-6ed72c7eda84}\L moved successfully.
C:\Users\Penille\AppData\Local\{681c730e-5659-3b37-cbe3-6ed72c7eda84}\@ moved successfully.
C:\Users\Penille\AppData\Local\{681c730e-5659-3b37-cbe3-6ed72c7eda84} moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====
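
As an added example (not part of the original thread and not FRST's own logic), the comparison behind the Search.txt and Fixlog.txt steps above can be sketched as a small parser: it reads the Search output, checks whether the live System32 copy matches any component-store (winsxs) copy by MD5, and lists same-size store copies as restore candidates. The function names and the heuristic are assumptions; the sample input is the Search.txt output posted in this thread.

```python
import ntpath
import re

# Search.txt excerpt as posted in the thread (FRST "Search File(s)" output).
SEARCH_LOG = r"""
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:24] - [2008-01-20 18:24] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\System32\services.exe
[2008-01-20 18:24] - [2012-08-03 12:21] - 0279040 ____A (Microsoft Corporation) 5DC3C54FC22BBB6F66C290C7C0384DF9

C:\Windows\SoftwareDistribution\Download\15d05090e6f876555f2419af621dda9f\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-09-25 06:43] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
"""

# "[created] - [modified] - size attrs (company) md5", as seen in the log above.
ENTRY_RE = re.compile(
    r"^\[(?P<created>[\d-]+ [\d:]+)\] - \[(?P<modified>[\d-]+ [\d:]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>.*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_search_log(text):
    """Pair each path line with the metadata line that follows it."""
    records, path = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if PATH_RE.match(line):
            path = line
            continue
        match = ENTRY_RE.match(line)
        if match and path:
            rec = match.groupdict()
            rec["path"] = path
            rec["size"] = int(rec["size"])
            rec["md5"] = rec["md5"].upper()
            records.append(rec)
            path = None
    return records


def assess_live_copy(records, live_dir=r"C:\Windows\System32"):
    """Compare each live file with same-named copies in the winsxs store.

    Assumed heuristic: a legitimately serviced system file has an identical
    copy in the component store, so a live file whose MD5 matches no store
    copy deserves attention. Downloaded update payloads (SoftwareDistribution)
    are not treated as a trusted reference.
    """
    live = [r for r in records
            if ntpath.dirname(r["path"]).lower() == live_dir.lower()]
    store = [r for r in records if "\\winsxs\\" in r["path"].lower()]
    findings = []
    for rec in live:
        name = ntpath.basename(rec["path"]).lower()
        peers = [s for s in store
                 if ntpath.basename(s["path"]).lower() == name]
        if any(s["md5"] == rec["md5"] for s in peers):
            verdict, candidates = "matches-store", []
        else:
            verdict = "no-store-match"
            # Same byte size suggests the same build, i.e. a restore candidate.
            candidates = [s["path"] for s in peers if s["size"] == rec["size"]]
        findings.append({
            "path": rec["path"],
            "md5": rec["md5"],
            "verdict": verdict,
            "modified_after_create": rec["modified"] != rec["created"],
            "candidates": candidates,
        })
    return findings


if __name__ == "__main__":
    for finding in assess_live_copy(parse_search_log(SEARCH_LOG)):
        print(finding["verdict"], finding["path"], finding["md5"])
        for candidate in finding["candidates"]:
            print("  restore candidate:", candidate)
```

A matching hash only shows that the live file equals the store copy; it does not by itself prove that the store copy is clean.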

Administrator
Posts: 7125

Download ComboFix and save it to your desktop. <- Important

Then run ComboFix and follow the instructions.

Since ComboFix can conflict with your security programs, it is important that you disable them. <- Important

You should not click on the window while the tool is running, as that can make your computer freeze.
When ComboFix has finished, and after it has (possibly) restarted, a log file should open: ComboFix.txt
Please post the contents of this file here.

It can be found here: C:\ComboFix.txt

If you get something that looks like this error:

Der blev forsøgt en ugyldig handling på en registreringsdatabasenøgle, som er blevet mærket til sletning

then restart once more; that should solve it.

[ Edited: 04.08.2012, 13:13 by f-arn TeamSpywarefri ]

Posts: 13

On the sick computer?

Administrator
Posts: 7125

Yes - can't it start now?


Posts: 13

OK. Yes, that pop-up hasn't appeared yet, at least!  LOL

Posts: 13
Peteboot - 04.08.2012 13:17:01

OK. Yes, that pop-up hasn't appeared yet, at least!  LOL

Just how many stages are there! -.-’


Posts: 13

There we go, no errors occurred during the run.

Here is the log!


ComboFix 12-08-04.02 - Penille 04-08-2012 13:17:38.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.45.1030.18.2038.1035 [GMT 2:00]
Kører fra: c:\users\Penille\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((  Andet, der er slettet   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Save
c:\program files\Save\SaveUninst.exe
c:\users\Penille\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\Temp\log.txt
.
Inficeret kopi af c:\windows\system32\user32.dll blev fundet og desinficeret
Genskabt kopi fra - c:\combofix\HarddiskVolumeShadowCopy9_!Windows!System32!user32.dll
.
.
(((((((((((((((((((((((((((((  Filer skabt fra 2012-07-04 til 2012-08-04 )))))))))))))))))))))))))))))))))))
.
.
2012-08-04 18:39 . 2012-08-04 18:40   ————  d——-w-  C:\FRST
2012-08-03 15:45 . 2012-08-03 15:45   9231560   ——a-w-  c:\windows\system32\FlashPlayerInstaller.exe
2012-08-03 15:25 . 2012-08-03 20:21   56200   ——a-w-  c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7469B0E3-644F-4B62-8FBA-9910E13D475E}\offreg.dll
2012-08-03 15:21 . 2012-02-09 12:17   713784   ——a-w-  c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-08-03 15:21 . 2012-02-09 12:17   713784   ——a-w-  c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1FB56E1A-5EE6-4D10-943E-637F8AF1B94F}\gapaengine.dll
2012-08-03 15:21 . 2012-07-16 00:41   6891424   ———w-  c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7469B0E3-644F-4B62-8FBA-9910E13D475E}\mpengine.dll
2012-08-03 15:17 . 2012-08-03 15:18   ————  d——-w-  c:\program files\Microsoft Security Client
2012-08-03 14:31 . 2012-08-03 14:31   ————  d——-w-  c:\users\Penille\AppData\Roaming\Fighters
2012-08-03 14:31 . 2012-08-03 14:31   ————  d——-w-  c:\programdata\Common Toolkit Suite
2012-08-03 14:30 . 2012-08-03 14:34   ————  d——-w-  c:\programdata\Fighters
2012-08-03 13:37 . 2012-08-03 13:37   ————  d——-w-  c:\program files\Enigma Software Group
2012-08-03 13:36 . 2012-08-03 14:30   ————  d——-w-  c:\windows\CC1F6DA021D2425AB1B65B164A598450.TMP
2012-08-03 13:36 . 2012-08-03 13:36   ————  d——-w-  c:\program files\Common Files\Wise Installation Wizard
2012-08-03 12:10 . 2007-08-20 20:13   172032   ——a-w-  c:\windows\system32\igfxres.dll
2012-08-03 11:55 . 2012-08-03 15:45   70344   ——a-w-  c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-03 11:55 . 2012-08-03 15:45   426184   ——a-w-  c:\windows\system32\FlashPlayerApp.exe
2012-07-28 14:43 . 2012-07-28 14:43   8281168   ——a-w-  c:\programdata\Microsoft\BingBar\BBSvc\7.1.391.0oemBingBarSetup-Partner.EXE
.
.
.
((((((((((((((((((((((((((((((((((((((((  Find3M Rapport   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-29 08:44 . 2012-08-03 11:06   6891424   ———w-  c:\programdata\Microsoft\Windows Defender\Definition Updates\{97DBD60C-BC2D-458D-A09A-6DCE2569CDEE}\mpengine.dll
.
.
(((((((((((((((((((((((((((((((((((  Start steder i reg.basen   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Bemærk* tomme linier & lovlige standard linier vises ikke
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@=”{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}”
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 00:00   39472   ——a-w-  c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“Sidebar”=“c:\program files\Windows Sidebar\sidebar.exe” [2008-01-21 1233920]
“ehTray.exe”=“c:\windows\ehome\ehTray.exe” [2008-01-21 125952]
“TomTomHOME.exe”=“c:\program files\TomTom HOME 2\TomTomHOMERunner.exe” [2010-05-07 247144]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“IAAnotif”=“c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe” [2007-10-03 178712]
“RtHDVCpl”=“RtHDVCpl.exe” [2008-01-08 4853760]
“SynTPStart”=“c:\program files\Synaptics\SynTP\SynTPStart.exe” [2007-09-07 102400]
“IgfxTray”=“c:\windows\system32\igfxtray.exe” [2007-08-28 141848]
“HotKeysCmds”=“c:\windows\system32\hkcmd.exe” [2007-08-28 154136]
“Persistence”=“c:\windows\system32\igfxpers.exe” [2007-08-28 137752]
“RemoteControl”=“c:\program files\CyberLink\PowerDVD\PDVDServ.exe” [2008-01-22 81920]
“LanguageShortcut”=“c:\program files\CyberLink\PowerDVD\Language\Language.exe” [2007-10-11 62760]
“eDataSecurity Loader”=“c:\acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe” [2008-01-02 521776]
“LManager”=“c:\progra~1\LAUNCH~1\LManager.exe” [2008-01-07 858632]
“WarReg_PopUp”=“c:\program files\Acer\WR_PopUp\WarReg_PopUp.exe” [2008-01-29 303104]
“GrooveMonitor”=“c:\program files\Microsoft Office\Office12\GrooveMonitor.exe” [2009-02-26 30040]
“AppleSyncNotifier”=“c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe” [2009-08-13 177440]
“QuickTime Task”=“c:\program files\QuickTime\QTTask.exe” [2009-11-10 417792]
“iTunesHelper”=“c:\program files\Itunes\iTunesHelper.exe” [2010-02-15 141608]
“SunJavaUpdateSched”=“c:\program files\Common Files\Java\Java Update\jusched.exe” [2010-02-18 248040]
“EEventManager”=“c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe” [2008-12-04 665424]
“HP Software Update”=“c:\program files\Hp\HP Software Update\HPWuSchd2.exe” [2008-12-08 54576]
“Communicator”=“c:\program files\Microsoft Office Communicator\communicator.exe” [2012-05-15 5164120]
“Adobe Reader Speed Launcher”=“c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2008-10-15 39792]
“MSC”=“c:\program files\Microsoft Security Client\msseces.exe” [2012-03-26 931200]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2008-4-21 535336]
Opdateringsagent.lnk - c:\program files\Connect it\AutoUpdateSrv.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
“EnableLUA”= 0 (0x0)
“EnableUIADesktopToggle”= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
“aux”=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@=“Service”
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@=“Service”
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
“AntiVirusOverride”=dword:00000001
“FirewallOverride”=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
“DisableMonitoring”=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
.
.
—- Andre Services/Drivers i Hukommelsen—-
.
*NewlyCreated* - WS2IFSL
.
Indhold af mappen ‘Planlagte Opgaver’
.
2012-08-03 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-03 11:55]
.
.
———- Yderligere scanning———-
.
uStart Page = hxxp://www.google.dk/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://da.intl.acer.yahoo.com
mSearch Bar = hxxp://www.mirarsearch.com/?useie5=1&q=
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver; - c:\windows\system32\GPhotos.scr/200
IE: E&ksporter; til Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: danid.dk
Trusted Zone: danid.dk
TCP: DhcpNameServer = 10.0.0.1 212.242.40.3 212.242.40.51
.
- - - - TOMME GENVEJE FJERNET - - - -
.
HKLM-Run-eRecoveryService - (no file)
AddRemove-Save - c:\program files\Save\SaveUninst.exe
.
.
.
**************************************************************************
scanner skjulte processer ... 
.
scanner skjulte autostarter ...
.
scanner skjulte filer ... 
.
scanning gennemført med succes
skjulte filer:
.
**************************************************************************
.
——————————- LÅSTE REGISTRERINGS NØGLER——————————-
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
“BlindDial”=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
“BlindDial”=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
“BlindDial”=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
“BlindDial”=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
“BlindDial”=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
“BlindDial”=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
“BlindDial”=dword:00000000
.
——————————- DLLs startet under kørende Processer——————————-
.
- - - - - - - > ‘Explorer.exe’(844)
c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
c:\acer\Empowering Technology\EPOWER\SysHook.dll
.
————————————Andre kørende processer————————————
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Microsoft\BingBar\7.1.391.0\BBSvc.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Connect it\BecHelperService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Connect it\LoggerServer.exe
c:\acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\TomTom HOME 2\TomTomHOMEService.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\conime.exe
c:\windows\RtHDVCpl.exe
c:\program files\Launch Manager\LManager.exe
c:\program files\Epson Software\Event Manager\EEventManager.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\windows\ehome\ehmsas.exe
c:\acer\Empowering Technology\ENET\ENMTRAY.EXE
c:\acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
c:\acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
c:\acer\Empowering Technology\eRecovery\ERAGENT.EXE
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\igfxext.exe
.
**************************************************************************
.
Gennemført tid: 2012-08-04 13:40:36 - maskinen blev genstartet
ComboFix-quarantined-files.txt 2012-08-04 11:40
.
Pre-Kørsel: 58.122.649.600 byte ledig
Post-Kørsel: 58.612.678.656 byte ledig
.
- - End Of File - - 3A39F70CDB7F6D9FCAEB4D75761C0840

Avatar
Number of posts: 13

Thank you very much for the help! It works as it should now!

A thousand thanks! :D

Administrator
Number of posts: 7125

You're welcome :) - but we are not finished yet ;)

Download OTL by OldTimer and save it to your desktop.

Start OTL

Vista and Windows 7 - right-click the file - Run as Administrator.

At the top, tick “Scan All Users”.

In the “Custom Scans/Fixes” box, copy in the highlighted text.

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
user32.dll*
igfxres.dll
/md5stop
%systemroot%\*. /rp /s
%systemroot%\*. /mp /s
CREATERESTOREPOINT


Close all open windows, click “Quick Scan”, and let the program run.

It will produce two log files on the desktop, OTL.txt and Extras.txt.

Then copy the following into your next post (in order):

The contents of OTL.txt
The contents of Extras.txt

Since they are fairly long, you may need to send them in several posts.

Signature

Please do not attach logs unless you are asked to!