Something or other is wrong
From : tcolsen
Viewed : 1213 times
200 points
Date : 05-04-07 12:49

Hi
It's damn well gone wrong again: it always starts up with chkdsk and firewall override:
Logfile of HijackThis v1.99.1
Scan saved at 12:48:26, on 05-04-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programmer\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\Java\jre1.5.0_11\bin\jusched.exe
C:\Programmer\LClock\LClock.exe
C:\Programmer\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\Programmer\Maplom\Maplom.exe
C:\Programmer\SPAMfighter\SFAgent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe
D:\progra~1\valve\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmer\Fælles filer\Ahead\lib\NMBgMonitor.exe
C:\Programmer\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
C:\Programmer\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Programmer\Windows Media Player\WMPNSCFG.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\Programmer\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\Fælles filer\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\system32\wscntfy.exe
D:\download\sikkerhed\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Programmer\Desktop Sidebar\sbhelp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar4.dll
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Programmer\Copernic Desktop Search 2\DesktopSearchBand2526.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Programmer\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [LClock] C:\Programmer\LClock\LClock.exe
O4 - HKLM\..\Run: [WINCINEMAMGR] C:\Programmer\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Programmer\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Programmer\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Maplom] C:\Programmer\Maplom\Maplom.exe
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Programmer\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [Steam] "d:\progra~1\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Programmer\TuneUp Utilities 2006\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [LClock] C:\Programmer\LClock\lclock.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmer\Fælles filer\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Programmer\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
O4 - HKCU\..\Run: [WMPNSCFG] C:\Programmer\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programmer\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetBehaviour.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Programmer\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Programmer\Desktop Sidebar\sbhelp.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/tdccsp-0506.exe
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: 84379234 - Unknown owner - C:\WINDOWS\system32\84379234.EXE (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Programmer\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmer\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmer\PC Connectivity Solution\ServiceLayer.exe



 
 
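The entries a helper looks at first in a log like the one above are not the long list of Run keys but the odd ones out: a service with a purely numeric name and no publisher whose image no longer exists, a BHO with neither name nor file, a broken Winsock LSP chain, and (in the HijackThis backups further down the thread) a copy of smss.exe living outside system32. The script below is an added example, not code from the thread, from HijackThis or from the posters; it parses HijackThis-style lines and applies those rules of thumb. The sample lines are constructed to mirror entries from this thread, the list of protected system binary names and the rule wording are assumptions, and a hit only means "look here", not "this is malware".

```python
"""Triage HijackThis log lines for the entries a malware-removal helper looks at first."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, modelled on (but not copied in full from) the log in the post above.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar4.dll
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: 84379234 - Unknown owner - C:\WINDOWS\system32\84379234.EXE (file missing)
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# Core binaries that only belong in %SystemRoot%\system32 (assumed list, not taken from the log).
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}

_ENTRY = re.compile(r"^(?P<kind>[ROF]\d+) - (?P<body>.*)$")
_O23 = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
_O4 = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+)$")
_O2 = re.compile(r"^BHO: (?P<name>.+?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")
_HEX_NAME = re.compile(r"^[0-9A-Fa-f]{6,}$")          # e.g. 84379234, B23FD116
_IMAGE = re.compile(r'^"?(?P<image>[A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|cpl))', re.IGNORECASE)
_LSP_DLL = re.compile(r"'([^']+)'")


@dataclass(frozen=True)
class Finding:
    kind: str      # HijackThis section prefix, e.g. "O23"
    subject: str   # the name as printed in the log
    reason: str


def _masquerades_as_system_binary(raw_path: str) -> bool:
    """A core system binary's name outside \\system32 is a classic disguise."""
    m = _IMAGE.match(raw_path.strip())
    if not m:
        return False
    directory, _, base = m.group("image").lower().rpartition("\\")
    return base in SYSTEM_BINARIES and not directory.endswith("\\system32")


def triage(log_text: str) -> list[Finding]:
    """Apply the rules of thumb to every recognised entry and collect the hits."""
    hits: list[Finding] = []
    for line in log_text.splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "O23" and (s := _O23.match(body)):
            name, owner, path = s.group("name", "owner", "path")
            if owner == "Unknown owner":
                hits.append(Finding(kind, name, "service image carries no publisher"))
            if _HEX_NAME.match(name):
                hits.append(Finding(kind, name, "random-looking numeric service name"))
            if "(file missing)" in path:
                hits.append(Finding(kind, name, "registered service whose image is gone from disk"))
            if _masquerades_as_system_binary(path):
                hits.append(Finding(kind, name, "system binary name outside system32"))
        elif kind == "O4" and (s := _O4.match(body)):
            name, path = s.group("name", "path")
            if _HEX_NAME.match(name):
                hits.append(Finding(kind, name, "random-looking Run key name"))
            if _masquerades_as_system_binary(path):
                hits.append(Finding(kind, name, "system binary name outside system32"))
        elif kind == "O2" and (s := _O2.match(body)):
            if s.group("name") == "(no name)" or s.group("path") == "(no file)":
                hits.append(Finding(kind, s.group("clsid"),
                                    "BHO with no name or no file (orphan, or payload removed but hook left)"))
        elif kind == "O10" and "Broken Internet access" in body:
            dll = _LSP_DLL.search(body)
            hits.append(Finding(kind, dll.group(1) if dll else body,
                                "Winsock LSP chain references a missing DLL"))
    return hits


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.kind:<4} {f.subject:<40} {f.reason}")
```

The "(file missing)" rule is deliberately scoped to O23 services: the O9 xpnetdiag entries in the log above are also marked file missing and are harmless, so a global "missing file" flag would only add noise. The WgaLogon and AVG lines fall straight through, which is the point of the exercise.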
Comment
From : stl_s


Date : 05-04-07 13:42

O23 - Service: 84379234 - Unknown owner - C:\WINDOWS\system32\84379234.EXE (file missing)

I can't find anything about that one, so we'd better check a bit:


Download ComboFix and save it to your desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Then run combofix.exe and follow the instructions in the window.

Do not click on the window while the tool is running, as it can cause your computer to freeze.
When ComboFix has finished, and after it has rebooted, a log file should open: combofix.txt, which can be found at C:\combofix.txt

Have you installed any new programs recently?

Comment
From : tcolsen


Date : 06-04-07 13:16

Sorry for the wait, Easter lunch
Yes, Virtual Earth and VirtualCloneDrive
"tommy olsen" - 07-04-06 13:08:09 Service Pack 2
ComboFix 07-04-05 - Running from: "D:\download\sikkerhed"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\84379234.DLL


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm
-------\LEGACY_MCHINJDRV
-------\LEGACY_WINDOWS_LOG


((((((((((((((((((((((((((((((( Files Created from 2007-03-06 to 2007-04-06 ))))))))))))))))))))))))))))))))))


2007-04-05 00:09   <DIR>   d--------   C:\Programmer\Virtual Earth 3D
2007-04-04 23:41   <DIR>   d--------   C:\Programmer\ScanSoft
2007-04-04 23:26   <DIR>   d--------   C:\Programmer\PC Connectivity Solution
2007-04-04 23:20   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Installations
2007-04-04 21:04   2,297,552   --a------   C:\WINDOWS\system32\d3dx9_26.dll
2007-04-04 19:54   22,848   --a------   C:\WINDOWS\system32\drivers\LwUsbHid.sys
2007-04-04 16:30   <DIR>   d--------   C:\DOCUME~1\TOMMYO~1\APPLIC~1\Nokia Multimedia Player
2007-04-04 16:23   8,192   --a------   C:\WINDOWS\system32\wshirda.dll
2007-04-04 16:23   27,648   --a------   C:\WINDOWS\system32\irmon.dll
2007-04-04 16:23   153,088   --a------   C:\WINDOWS\system32\irftp.exe
2007-04-04 16:19   <DIR>   d--------   C:\DOCUME~1\NETWOR~1\Dokumenter
2007-04-04 11:44   1   --a------   C:\WINDOWS\system32\index.dat
2007-04-03 23:04   14,122   --a------   C:\WINDOWS\system32\B23FD116.exe
2007-04-02 21:01   <DIR>   d--------   C:\WINDOWS\SxsCaPendDel
2007-04-02 18:23   <DIR>   d--------   C:\Programmer\Fælles filer\Ankiro
2007-04-02 18:22   <DIR>   d--------   C:\Programmer\SPAMfighter
2007-04-02 18:22   <DIR>   d--------   C:\Programmer\Fælles filer\Application
2007-04-02 18:22   <DIR>   d--------   C:\DOCUME~1\TOMMYO~1\APPLIC~1\SPAMfighter
2007-03-11 20:06   <DIR>   d--------   C:\Programmer\CDBurnerXP Pro 3
2007-03-11 15:38   58,904   --a------   C:\WINDOWS\system32\sysfolderazipcnt.dll
2007-03-11 15:38   58,904   --a------   C:\WINDOWS\system32\azipcontmn.dll
2007-03-11 15:38   <DIR>   d--------   C:\Programmer\AlphaZIP
2007-03-10 21:14   <DIR>   d--------   C:\Programmer\Red Kawa
2007-03-10 21:10   <DIR>   d--------   C:\Programmer\Videora
2007-03-10 21:10   <DIR>   d--------   C:\Programmer\BitComet
2007-03-10 21:07   <DIR>   d--------   C:\Programmer\Boilsoft MP4 Converter
2007-03-10 20:55   81,920   --a------   C:\WINDOWS\system32\viscomwave.dll
2007-03-10 20:55   475,136   --a------   C:\WINDOWS\system32\SkinCrafter.dll
2007-03-10 20:55   139,264   --a------   C:\WINDOWS\system32\viscomqtde.dll
2007-03-10 20:55   <DIR>   d--------   C:\Programmer\Plato Video To iPod Converter
2007-03-07 22:18   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Elaborate Bytes
2007-03-07 20:46   <DIR>   d--------   C:\Programmer\DVD Decrypter
2007-03-07 20:07   <DIR>   d--------   C:\Programmer\Elaborate Bytes


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-06 12:04   --------   d--------   C:\Programmer\emule
2007-04-05 12:47   --------   d--------   C:\Programmer\superantispyware
2007-04-05 10:31   --------   d--------   C:\DOCUME~1\TOMMYO~1\APPLIC~1\nokia
2007-04-04 23:28   --------   d--------   C:\Programmer\difx
2007-04-04 23:27   --------   d--------   C:\Programmer\nokia
2007-04-04 23:27   --------   d--------   C:\Programmer\Fælles filer\pcsuite
2007-04-04 23:27   --------   d--------   C:\Programmer\Fælles filer\nokia
2007-04-04 23:15   73258   --a------   C:\WINDOWS\system32\perfc006.dat
2007-04-04 23:15   415362   --a------   C:\WINDOWS\system32\perfh006.dat
2007-04-04 20:53   --------   d--------   C:\Programmer\electronic arts
2007-04-04 20:51   --------   d--------   C:\Programmer\maplom
2007-03-29 16:59   --------   d--------   C:\Programmer\spywareblaster
2007-03-13 21:48   --------   d--h-----   C:\Programmer\installshield installation information
2007-03-08 17:38   577536   --a------   C:\WINDOWS\system32\user32.dll
2007-03-08 17:38   40960   --a------   C:\WINDOWS\system32\mf3216.dll
2007-03-08 17:38   281600   --a------   C:\WINDOWS\system32\gdi32.dll
2007-03-08 17:35   1843584   --a------   C:\WINDOWS\system32\win32k.sys
2007-03-04 20:32   --------   d--------   C:\Programmer\registrysmart
2007-03-04 17:44   --------   d--------   C:\Programmer\itunes
2007-03-04 17:44   --------   d--------   C:\Programmer\ipod
2007-03-04 17:43   --------   d--------   C:\Programmer\quicktime
2007-03-04 14:38   --------   d--------   C:\Programmer\wincustomize
2007-03-04 14:38   --------   d--------   C:\Programmer\Fælles filer\stardock
2007-03-04 14:16   --------   d--------   C:\Programmer\chemix skole3_00
2007-03-03 01:18   --------   d--------   C:\Programmer\pro imaging powertoys
2007-03-03 01:18   --------   d--------   C:\Programmer\java
2007-03-03 01:18   --------   d--------   C:\Programmer\Fælles filer\nikon
2007-03-03 00:53   --------   d--------   C:\Programmer\dvd shrink
2007-02-28 21:34   --------   d--------   C:\Programmer\diskeeper corporation
2007-02-27 22:10   --------   d--------   C:\DOCUME~1\TOMMYO~1\APPLIC~1\leadertech
2007-02-24 14:19   --------   d--------   C:\DOCUME~1\TOMMYO~1\APPLIC~1\desktop sidebar
2007-02-23 17:42   2156544   --a------   C:\WINDOWS\system32\kernel1.exe
2007-02-23 17:37   --------   d--------   C:\Programmer\tgtsoft
2007-02-22 10:15   90624   --a------   C:\WINDOWS\system32\nmwcdcls.dll
2007-02-21 22:37   --------   d---s----   C:\Programmer\xfire
2007-02-21 22:37   --------   d--------   C:\DOCUME~1\TOMMYO~1\APPLIC~1\xfire
2007-02-21 22:02   --------   d--------   C:\Programmer\gamespy arcade
2007-02-21 19:41   --------   d--------   C:\DOCUME~1\TOMMYO~1\APPLIC~1\reasonable software
2007-02-20 22:21   --------   d--------   C:\Programmer\reasonable noclone 4 home
2007-02-20 21:27   --------   d--------   C:\Programmer\desktop sidebar
2007-02-18 19:10   --------   d--------   C:\Programmer\winace
2007-02-11 17:51   1093632   --a------   C:\WINDOWS\system32\freeimage.dll
2007-02-08 21:14   --------   d--------   C:\DOCUME~1\TOMMYO~1\APPLIC~1\help
2007-02-06 22:24   --------   d--------   C:\Programmer\canon
2007-02-06 21:35   --------   d--------   C:\Programmer\copernic desktop search 2
2007-02-06 21:29   5   --a------   C:\WINDOWS\system32\netdetect.dat
2007-02-06 21:29   23   --a------   C:\WINDOWS\system32\userlst.dat
2007-02-06 21:29   --------   d--------   C:\Programmer\gallup interactive
2007-01-19 13:53   51056   --a------   C:\WINDOWS\system32\sirenacm.dll
2007-01-08 20:01   17408   --a------   C:\WINDOWS\system32\corpol.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Steam"="\"d:\\progra~1\\valve\\steam\\steam.exe\" -silent"
"TuneUp MemOptimizer"="\"C:\\Programmer\\TuneUp Utilities 2006\\MemOptimizer.exe\" autostart"
"LClock"="C:\\Programmer\\LClock\\lclock.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"PcSync"="C:\\Programmer\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Programmer\\Fælles filer\\Ahead\\lib\\NMBgMonitor.exe\""
"swg"="C:\\Programmer\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"MsnMsgr"="\"C:\\Programmer\\MSN Messenger\\MsnMsgr.Exe\" /background"
"SUPERAntiSpyware"="C:\\Programmer\\SUPERAntiSpyware\\SUPERANTISPYWARE.EXE"
"WMPNSCFG"="C:\\Programmer\\Windows Media Player\\WMPNSCFG.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"NVIDIA nTune"="\"C:\\Programmer\\NVIDIA Corporation\\nTune\\\\nTune.exe\" clear"
"SunJavaUpdateSched"="\"C:\\Programmer\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"LClock"="C:\\Programmer\\LClock\\LClock.exe"
"WINCINEMAMGR"="C:\\Programmer\\InterVideo\\Common\\Bin\\WinCinemaMgr.exe"
"NWEReboot"=""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"DiskeeperSystray"="\"C:\\Programmer\\Diskeeper Corporation\\Diskeeper\\DkIcon.exe\""
"LogonStudio"="\"C:\\Programmer\\WinCustomize\\LogonStudio\\logonstudio.exe\" /RANDOM"
"QuickTime Task"="\"C:\\Programmer\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Programmer\\iTunes\\iTunesHelper.exe\""
"Maplom"="C:\\Programmer\\Maplom\\Maplom.exe"
"SPAMfighter Agent"="\"C:\\Programmer\\SPAMfighter\\SFAgent.exe\" update delay 60"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"PCSuiteTrayApplication"="C:\\Programmer\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -startup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"Nokia.PCSync"="C:\\Programmer\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages   REG_MULTI_SZ    msv1_0\0\0
Security Packages   REG_MULTI_SZ    kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages   REG_MULTI_SZ    scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService   REG_MULTI_SZ    Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService   REG_MULTI_SZ    DnsCache\0\0
rpcss   REG_MULTI_SZ    RpcSs\0\0
imgsvc   REG_MULTI_SZ    StiSvc\0\0
termsvcs   REG_MULTI_SZ    TermService\0\0
HTTPFilter   REG_MULTI_SZ    HTTPFilter\0\0
DcomLaunch   REG_MULTI_SZ    DcomLaunch\0TermService\0\0
WudfServiceGroup   REG_MULTI_SZ    WUDFSvc\0\0
bthsvcs   REG_MULTI_SZ    BthServ\0\0




~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20060813-185839-259
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe
backup-20060813-185838-582
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{A9B0DC39-901C-40B2-BA94-ADF1AA5E2F98}.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-06 13:10:32
C:\ComboFix-quarantined-files.txt ... 07-04-06 13:10


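What makes a ComboFix "Files Created" listing like the one above hard to read is that a few droppers (a hex-named 14 KB .exe in system32, a kernel1.exe that is no Windows file) sit among dozens of legitimate installs. The script below is an added example written for this page, not part of the thread or of ComboFix; it parses that listing format and scores each system32 executable with a handful of weighted heuristics so the few files worth a closer look float to the top. The sample rows are constructed from entries in the log above, and the point weights, the 30-day window, the 64 KiB size cut-off, the lookalike name pattern and its one-entry allow-list are all assumptions to tune, not facts from the thread.

```python
"""Score a ComboFix "Files Created" listing so the few files worth checking stand out."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample modelled on the listing posted above (a handful of rows, not the full log).
SAMPLE_LISTING = r"""
2007-04-05 00:09   <DIR>   d--------   C:\Programmer\Virtual Earth 3D
2007-04-04 21:04   2,297,552   --a------   C:\WINDOWS\system32\d3dx9_26.dll
2007-04-03 23:04   14,122   --a------   C:\WINDOWS\system32\B23FD116.exe
2007-03-11 15:38   58,904   --a------   C:\WINDOWS\system32\azipcontmn.dll
2007-03-08 17:38   577536   --a------   C:\WINDOWS\system32\user32.dll
2007-02-23 17:42   2156544   --a------   C:\WINDOWS\system32\kernel1.exe
"""
# "Completion time" of the ComboFix run in the post above; "recent" is measured from here.
LOG_RUN_TIME = datetime(2007, 4, 6, 13, 10)

_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size><DIR>|[\d,]+|-+)\s+"
    r"(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$"
)
_RANDOM_STEM = re.compile(r"^[0-9a-f]{6,}$")      # B23FD116, 84379234, ...
# A system component name with a number bolted on (kernel1.exe) that is not a real file.
_LOOKALIKE = re.compile(r"^(kernel|svchost|smss|csrss|lsass|winlogon|services)\d+\.(exe|dll)$")
REAL_NAMES = {"kernel32.dll"}                      # assumed minimal allow-list for the lookalike rule
EXECUTABLE = {"exe", "dll", "sys", "cpl", "scr"}


@dataclass
class Scored:
    path: str
    created: datetime
    size: int | None                 # None for directories and Find3M "--------" rows
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def parse_listing(text: str) -> list[Scored]:
    """Turn 'date time   size   attrs   path' rows into records; skip anything else."""
    rows: list[Scored] = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        size_field = m.group("size")
        size = int(size_field.replace(",", "")) if size_field[0].isdigit() else None
        rows.append(Scored(m.group("path"), datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M"), size))
    return rows


def rank_listing(text: str, as_of: datetime, window_days: int = 30, threshold: int = 3) -> list[Scored]:
    """Score system32 executables and return those at or above the threshold, highest first."""
    ranked: list[Scored] = []
    for row in parse_listing(text):
        directory, _, base = row.path.lower().rpartition("\\")
        stem, _, ext = base.rpartition(".")
        if ext not in EXECUTABLE or not directory.endswith("\\system32"):
            continue                     # directories and ordinary program files: low interest here
        if _RANDOM_STEM.match(stem):
            row.add(3, "random hex/numeric name dropped in system32")
        if _LOOKALIKE.match(base) and base not in REAL_NAMES:
            row.add(3, "system-component lookalike name")
        if as_of - row.created <= timedelta(days=window_days):
            row.add(1, f"created within the last {window_days} days")
        if row.size is not None and row.size < 64 * 1024:
            row.add(1, "small executable (typical loader/dropper size)")
        if row.score >= threshold:
            ranked.append(row)
    return sorted(ranked, key=lambda r: (-r.score, r.created))


if __name__ == "__main__":
    for row in rank_listing(SAMPLE_LISTING, LOG_RUN_TIME):
        print(f"{row.score}  {row.path}  <- {'; '.join(row.reasons)}")
```

Passing the log's own completion time as `as_of` matters: measured from today every 2007 file is ancient, and the "recent" point would never fire. On the constructed rows only B23FD116.exe and kernel1.exe clear the bar; azipcontmn.dll collects two points for being new and small but stays below the threshold, which is the intended behaviour for an ordinary archiver DLL.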
Comment
From : stl_s


Date : 06-04-07 15:24

You have several files that may or may not be junk. Try running through this procedure: http://www.malwarecheck.dk/forum/viewtopic.php?t=11

Run it in Safe Mode (install the programs in normal mode).

Reboot into normal mode and post a fresh log from ComboFix.

Comment
From : tcolsen


Date : 06-04-07 23:42

There it should be
"tommy olsen" - 07-04-06 23:39:30 Service Pack 2
ComboFix 07-04-05 - Running from: "D:\download\sikkerhed"


((((((((((((((((((((((((((((((( Files Created from 2007-03-06 to 2007-04-06 ))))))))))))))))))))))))))))))))))


2007-04-06 23:20   <DIR>   d--------   C:\WINDOWS\LastGood
2007-04-06 23:19   49,152   -ra------   C:\WINDOWS\system32\INETWH32.dll
2007-04-06 23:19   1,089,536   -ra------   C:\WINDOWS\system32\ROBOEX32.DLL
2007-04-06 23:19   <DIR>   d--------   C:\Garmin
2007-04-06 17:43   <DIR>   d--------   C:\Programmer\RogueRemover
2007-04-05 00:09   <DIR>   d--------   C:\Programmer\Virtual Earth 3D
2007-04-04 23:41   <DIR>   d--------   C:\Programmer\ScanSoft
2007-04-04 23:26   <DIR>   d--------   C:\Programmer\PC Connectivity Solution
2007-04-04 23:20   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Installations
2007-04-04 21:04   2,297,552   --a------   C:\WINDOWS\system32\d3dx9_26.dll
2007-04-04 19:54   22,848   --a------   C:\WINDOWS\system32\drivers\LwUsbHid.sys
2007-04-04 16:30   <DIR>   d--------   C:\DOCUME~1\TOMMYO~1\APPLIC~1\Nokia Multimedia Player
2007-04-04 16:23   8,192   --a------   C:\WINDOWS\system32\wshirda.dll
2007-04-04 16:23   27,648   --a------   C:\WINDOWS\system32\irmon.dll
2007-04-04 16:23   153,088   --a------   C:\WINDOWS\system32\irftp.exe
2007-04-04 16:19   <DIR>   d--------   C:\DOCUME~1\NETWOR~1\Dokumenter
2007-04-04 11:44   1   --a------   C:\WINDOWS\system32\index.dat
2007-04-03 23:04   14,122   --a------   C:\WINDOWS\system32\B23FD116.exe
2007-04-02 21:01   <DIR>   d--------   C:\WINDOWS\SxsCaPendDel
2007-04-02 18:23   <DIR>   d--------   C:\Programmer\Fælles filer\Ankiro
2007-04-02 18:22   <DIR>   d--------   C:\Programmer\SPAMfighter
2007-04-02 18:22   <DIR>   d--------   C:\Programmer\Fælles filer\Application
2007-04-02 18:22   <DIR>   d--------   C:\DOCUME~1\TOMMYO~1\APPLIC~1\SPAMfighter
2007-03-11 20:06   <DIR>   d--------   C:\Programmer\CDBurnerXP Pro 3
2007-03-11 15:38   58,904   --a------   C:\WINDOWS\system32\sysfolderazipcnt.dll
2007-03-11 15:38   58,904   --a------   C:\WINDOWS\system32\azipcontmn.dll
2007-03-11 15:38   <DIR>   d--------   C:\Programmer\AlphaZIP
2007-03-10 21:14   <DIR>   d--------   C:\Programmer\Red Kawa
2007-03-10 21:10   <DIR>   d--------   C:\Programmer\Videora
2007-03-10 21:10   <DIR>   d--------   C:\Programmer\BitComet
2007-03-10 21:07   <DIR>   d--------   C:\Programmer\Boilsoft MP4 Converter
2007-03-10 20:55   81,920   --a------   C:\WINDOWS\system32\viscomwave.dll
2007-03-10 20:55   475,136   --a------   C:\WINDOWS\system32\SkinCrafter.dll
2007-03-10 20:55   139,264   --a------   C:\WINDOWS\system32\viscomqtde.dll
2007-03-10 20:55   <DIR>   d--------   C:\Programmer\Plato Video To iPod Converter
2007-03-07 22:18   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Elaborate Bytes
2007-03-07 20:46   <DIR>   d--------   C:\Programmer\DVD Decrypter
2007-03-07 20:07   <DIR>   d--------   C:\Programmer\Elaborate Bytes


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-06 23:19   --------   d--h-----   C:\Programmer\installshield installation information
2007-04-06 22:47   73258   --a------   C:\WINDOWS\system32\perfc006.dat
2007-04-06 22:47   415362   --a------   C:\WINDOWS\system32\perfh006.dat
2007-04-06 16:35   --------   d--------   C:\Programmer\superantispyware
2007-04-06 15:52   --------   d--------   C:\Programmer\emule
2007-04-06 15:31   --------   d--------   C:\Programmer\maplom
2007-04-05 10:31   --------   d--------   C:\DOCUME~1\TOMMYO~1\APPLIC~1\nokia
2007-04-04 23:28   --------   d--------   C:\Programmer\difx
2007-04-04 23:27   --------   d--------   C:\Programmer\nokia
2007-04-04 23:27   --------   d--------   C:\Programmer\Fælles filer\pcsuite
2007-04-04 23:27   --------   d--------   C:\Programmer\Fælles filer\nokia
2007-04-04 20:53   --------   d--------   C:\Programmer\electronic arts
2007-03-29 16:59   --------   d--------   C:\Programmer\spywareblaster
2007-03-08 17:38   577536   --a------   C:\WINDOWS\system32\user32.dll
2007-03-08 17:38   40960   --a------   C:\WINDOWS\system32\mf3216.dll
2007-03-08 17:38   281600   --a------   C:\WINDOWS\system32\gdi32.dll
2007-03-08 17:35   1843584   --a------   C:\WINDOWS\system32\win32k.sys
2007-03-04 17:44   --------   d--------   C:\Programmer\itunes
2007-03-04 17:44   --------   d--------   C:\Programmer\ipod
2007-03-04 17:43   --------   d--------   C:\Programmer\quicktime
2007-03-04 14:38   --------   d--------   C:\Programmer\wincustomize
2007-03-04 14:38   --------   d--------   C:\Programmer\Fælles filer\stardock
2007-03-04 14:16   --------   d--------   C:\Programmer\chemix skole3_00
2007-03-03 01:18   --------   d--------   C:\Programmer\pro imaging powertoys
2007-03-03 01:18   --------   d--------   C:\Programmer\java
2007-03-03 01:18   --------   d--------   C:\Programmer\Fælles filer\nikon
2007-03-03 00:53   --------   d--------   C:\Programmer\dvd shrink
2007-02-28 21:34   --------   d--------   C:\Programmer\diskeeper corporation
2007-02-27 22:10   --------   d--------   C:\DOCUME~1\TOMMYO~1\APPLIC~1\leadertech
2007-02-24 14:19   --------   d--------   C:\DOCUME~1\TOMMYO~1\APPLIC~1\desktop sidebar
2007-02-23 17:42   2156544   --a------   C:\WINDOWS\system32\kernel1.exe
2007-02-23 17:37   --------   d--------   C:\Programmer\tgtsoft
2007-02-22 10:15   90624   --a------   C:\WINDOWS\system32\nmwcdcls.dll
2007-02-21 22:37   --------   d---s----   C:\Programmer\xfire
2007-02-21 22:37   --------   d--------   C:\DOCUME~1\TOMMYO~1\APPLIC~1\xfire
2007-02-21 22:02   --------   d--------   C:\Programmer\gamespy arcade
2007-02-21 19:41   --------   d--------   C:\DOCUME~1\TOMMYO~1\APPLIC~1\reasonable software
2007-02-20 22:21   --------   d--------   C:\Programmer\reasonable noclone 4 home
2007-02-20 21:27   --------   d--------   C:\Programmer\desktop sidebar
2007-02-18 19:10   --------   d--------   C:\Programmer\winace
2007-02-11 17:51   1093632   --a------   C:\WINDOWS\system32\freeimage.dll
2007-02-08 21:14   --------   d--------   C:\DOCUME~1\TOMMYO~1\APPLIC~1\help
2007-02-06 22:24   --------   d--------   C:\Programmer\canon
2007-02-06 21:35   --------   d--------   C:\Programmer\copernic desktop search 2
2007-02-06 21:29   5   --a------   C:\WINDOWS\system32\netdetect.dat
2007-02-06 21:29   23   --a------   C:\WINDOWS\system32\userlst.dat
2007-02-06 21:29   --------   d--------   C:\Programmer\gallup interactive
2007-01-19 13:53   51056   --a------   C:\WINDOWS\system32\sirenacm.dll
2007-01-08 20:01   17408   --a------   C:\WINDOWS\system32\corpol.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Steam"="\"d:\\progra~1\\valve\\steam\\steam.exe\" -silent"
"TuneUp MemOptimizer"="\"C:\\Programmer\\TuneUp Utilities 2006\\MemOptimizer.exe\" autostart"
"LClock"="C:\\Programmer\\LClock\\lclock.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"PcSync"="C:\\Programmer\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Programmer\\Fælles filer\\Ahead\\lib\\NMBgMonitor.exe\""
"swg"="C:\\Programmer\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"MsnMsgr"="\"C:\\Programmer\\MSN Messenger\\MsnMsgr.Exe\" /background"
"SUPERAntiSpyware"="C:\\Programmer\\SUPERAntiSpyware\\SUPERANTISPYWARE.EXE"
"WMPNSCFG"="C:\\Programmer\\Windows Media Player\\WMPNSCFG.exe"
"gStart"="C:\\Garmin\\gStart.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"NVIDIA nTune"="\"C:\\Programmer\\NVIDIA Corporation\\nTune\\\\nTune.exe\" clear"
"SunJavaUpdateSched"="\"C:\\Programmer\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"LClock"="C:\\Programmer\\LClock\\LClock.exe"
"WINCINEMAMGR"="C:\\Programmer\\InterVideo\\Common\\Bin\\WinCinemaMgr.exe"
"NWEReboot"=""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"DiskeeperSystray"="\"C:\\Programmer\\Diskeeper Corporation\\Diskeeper\\DkIcon.exe\""
"LogonStudio"="\"C:\\Programmer\\WinCustomize\\LogonStudio\\logonstudio.exe\" /RANDOM"
"QuickTime Task"="\"C:\\Programmer\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Programmer\\iTunes\\iTunesHelper.exe\""
"Maplom"="C:\\Programmer\\Maplom\\Maplom.exe"
"SPAMfighter Agent"="\"C:\\Programmer\\SPAMfighter\\SFAgent.exe\" update delay 60"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"PCSuiteTrayApplication"="C:\\Programmer\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -startup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"Nokia.PCSync"="C:\\Programmer\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages   REG_MULTI_SZ    msv1_0\0\0
Security Packages   REG_MULTI_SZ    kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages   REG_MULTI_SZ    scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService   REG_MULTI_SZ    Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService   REG_MULTI_SZ    DnsCache\0\0
rpcss   REG_MULTI_SZ    RpcSs\0\0
imgsvc   REG_MULTI_SZ    StiSvc\0\0
termsvcs   REG_MULTI_SZ    TermService\0\0
HTTPFilter   REG_MULTI_SZ    HTTPFilter\0\0
DcomLaunch   REG_MULTI_SZ    DcomLaunch\0TermService\0\0
WudfServiceGroup   REG_MULTI_SZ    WUDFSvc\0\0
bthsvcs   REG_MULTI_SZ    BthServ\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_RSVP


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{A9B0DC39-901C-40B2-BA94-ADF1AA5E2F98}.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-06 23:42:13
C:\ComboFix-quarantined-files.txt ... 07-04-06 23:42
C:\ComboFix2.txt ... 07-04-06 13:10


Comment
From : stl_s
Date : 07-04-07 11:48

Upload this file for scanning: C:\WINDOWS\system32\B23FD116.exe

Here http://www.virustotal.com/en/indexf.html

Click Browse, navigate to it, and click Send. Wait for the result and paste it in here.



Comment
From : tcolsen
Date : 07-04-07 13:34

Complete scanning result of "B23FD116.rar", processed in VirusTotal at 04/07/2007 12:57:58 (CET).

[ file data ]
* name: B23FD116.rar
* size: 13593
* md5.: 27ccb9476d364732c094c8b34015e940
* sha1: f69f7d7e7d065c445656a5f6a686e6b154369a58

[ scan result ]
AhnLab-V3   2007.4.7.0/20070406   found nothing
AntiVir   7.3.1.48/20070407   found [TR/Crypt.NSPM.Gen]
Authentium   4.93.8/20070406   found nothing
Avast   4.7.936.0/20070406   found nothing
AVG   7.5.0.447/20070407   found nothing
BitDefender   7.2/20070407   found nothing
CAT-QuickHeal   9.00/20070406   found [(Suspicious) - DNAScan]
ClamAV   devel-20070312/20070407   found nothing
DrWeb   4.33/20070407   found [Trojan.Click.2085]
eSafe   7.0.15.0/20070407   found [suspicious Trojan/Worm]
eTrust-Vet   30.7.3549/20070406   found nothing
Ewido   4.0/20070407   found nothing
F-Prot   4.3.1.45/20070404   found nothing
F-Secure   6.70.13030.0/20070406   found [Backdoor.Win32.Agent.ahj]
FileAdvisor   1/20070407   found nothing
Fortinet   2.85.0.0/20070407   found [W32/Agent.MIY!tr.bdr]
Ikarus   T3.1.1.3/20070407   found [Backdoor.Win32.Hupigon.BV]
Kaspersky   4.0.2.24/20070407   found [Backdoor.Win32.Agent.ahj]
McAfee   5003/20070406   found nothing
Microsoft   1.2405/20070407   found [VirTool:Win32/Obfuscator.A]
NOD32v2   2172/20070407   found nothing
Norman   5.80.02/20070405   found nothing
Panda   9.0.0.4/20070406   found [Adware/Alexa]
Prevx1   V2/20070407   found [Covert.Sys.Exec]
Sophos   4.16.0/20070406   found nothing
Sunbelt   2.2.907.0/20070407   found [VIPRE.Suspicious]
Symantec   10/20070407   found nothing
TheHacker   6.1.6.085/20070404   found nothing
VBA32   3.11.3/20070406   found [Trojan.Click.2085]
VirusBuster   4.3.7:9/20070406   found [Trojan.Agent.GYX]
Webwasher-Gateway   6.0.1/20070407   found [Trojan.Crypt.NSPM.Gen]

[ notes ]
packers: NSPack, PE_Patch
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=fd8385685831
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.


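The helper's reading of the result above (several engines naming a backdoor or trojan, plus the packer note) can be made mechanical. This is an added example, not code from the thread or from VirusTotal: it parses the 2007-era text format quoted above, and the embedded report is a constructed excerpt in that format; the three-detection threshold is an assumption.

```python
"""Summarise a VirusTotal text report in the 2007-era format quoted in the thread."""
import re
from collections import Counter, namedtuple

# Constructed excerpt in the same line format as the posted result (not the full list).
SAMPLE_REPORT = """\
[ file data ]
* name: sample.rar
* size: 13593

[ scan result ]
AhnLab-V3   2007.4.7.0/20070406   found nothing
AntiVir   7.3.1.48/20070407   found [TR/Crypt.NSPM.Gen]
CAT-QuickHeal   9.00/20070406   found [(Suspicious) - DNAScan]
DrWeb   4.33/20070407   found [Trojan.Click.2085]
F-Secure   6.70.13030.0/20070406   found [Backdoor.Win32.Agent.ahj]
Kaspersky   4.0.2.24/20070407   found [Backdoor.Win32.Agent.ahj]
McAfee   5003/20070406   found nothing
Microsoft   1.2405/20070407   found [VirTool:Win32/Obfuscator.A]
NOD32v2   2172/20070407   found nothing
VBA32   3.11.3/20070406   found [Trojan.Click.2085]

[ notes ]
packers: NSPack, PE_Patch
"""

Hit = namedtuple("Hit", "engine version verdict")  # verdict is None when the engine found nothing
# engine   version/sigdate   found nothing | found [name]
HIT_RE = re.compile(r"^(\S+)\s{2,}(\S+)\s{2,}found (?:nothing|\[(.+)\])\s*$")


def parse_hits(report):
    """Return one Hit per engine line inside the [ scan result ] section."""
    hits, in_section = [], False
    for line in report.splitlines():
        if line.startswith("["):                      # section header
            in_section = line.strip() == "[ scan result ]"
            continue
        m = HIT_RE.match(line)
        if in_section and m:
            hits.append(Hit(m.group(1), m.group(2), m.group(3)))
    return hits


def parse_packers(report):
    """Packer names from the 'packers:' note, if present."""
    m = re.search(r"^packers:\s*(.+)$", report, re.MULTILINE)
    return [p.strip() for p in m.group(1).split(",")] if m else []


def triage(report, min_hits=3):
    """Weigh named detections above heuristic-only ones (assumed threshold: min_hits)."""
    hits = parse_hits(report)
    named = [h for h in hits if h.verdict and "suspicious" not in h.verdict.lower()]
    heuristic = [h for h in hits if h.verdict and "suspicious" in h.verdict.lower()]
    packers = parse_packers(report)
    if len(named) >= min_hits:
        verdict = "malicious"
    elif named or heuristic or packers:
        verdict = "suspicious"      # weak evidence only: needs a second look, not deletion
    else:
        verdict = "clean"
    return {"engines": len(hits), "named": len(named), "heuristic": len(heuristic),
            "families": dict(Counter(h.verdict for h in named)),
            "packers": packers, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```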
Comment
From : stl_s
Date : 07-04-07 14:27

I suspected as much. Get rid of it.

Download Avenger here:
http://swandog46.geekstogo.com/avenger.zip

1. Unpack the Avenger program and double-click avenger.exe

2. Select "Input Script Manually" and click the magnifying glass - a small window will pop up, into which you copy the contents between the dashed lines:

-----------------------------

Files to delete:
C:\WINDOWS\system32\B23FD116.exe

-----------------------------

3. Click the traffic light in Avenger. The program will prompt you to restart the computer immediately, which you must do. The program will shut down your computer, delete the files and start the computer again.

4. After the restart a Notepad window will appear with a log of Avenger's actions. Please post it in your next reply.

-----------------------------

I would then suggest you run an online scan here http://www.trendmicro.com/hc_intro/default.asp


Also post a fresh HijackThis log so we can clean up the rest.

Comment
From : tcolsen
Date : 07-04-07 15:41

I can't get the online scanner to run
and Notepad was empty
but here it is:
Logfile of HijackThis v1.99.1
Scan saved at 15:43:42, on 07-04-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programmer\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Java\jre1.5.0_11\bin\jusched.exe
C:\Programmer\LClock\LClock.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\Programmer\SPAMfighter\SFAgent.exe
C:\WINDOWS\system32\rundll32.exe
D:\progra~1\valve\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Fælles filer\Ahead\lib\NMBgMonitor.exe
C:\Programmer\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Programmer\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Programmer\Windows Media Player\WMPNSCFG.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Programmer\PC Connectivity Solution\ServiceLayer.exe
C:\Programmer\Fælles filer\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Programmer\Internet Explorer\iexplore.exe
D:\download\sikkerhed\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Programmer\Desktop Sidebar\sbhelp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar4.dll
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Programmer\Copernic Desktop Search 2\DesktopSearchBand2526.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Programmer\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [LClock] C:\Programmer\LClock\LClock.exe
O4 - HKLM\..\Run: [WINCINEMAMGR] C:\Programmer\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Programmer\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Programmer\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Maplom] C:\Programmer\Maplom\Maplom.exe
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Programmer\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [Steam] "d:\progra~1\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Programmer\TuneUp Utilities 2006\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [LClock] C:\Programmer\LClock\lclock.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmer\Fælles filer\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Programmer\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
O4 - HKCU\..\Run: [gStart] C:\Garmin\gStart.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Programmer\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programmer\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetBehaviour.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Programmer\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Programmer\Desktop Sidebar\sbhelp.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/tdccsp-0506.exe
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: 84379234 - Unknown owner - C:\WINDOWS\system32\84379234.EXE (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Programmer\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmer\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmer\PC Connectivity Solution\ServiceLayer.exe



Comment
From : stl_s
Date : 07-04-07 15:59

OK, then we'll tackle it another way:


To be able to see all files and folders, do this http://www.spywareinfo.dk/#/tip-og-tricks/mappeindstillinger.htm

Then do this:

1. Click "Start" - choose "Search".

2. Click the link "Change preferences".

3. Click "Change files and folders search behavior"

4. Select "Advanced" and click OK.

5. Click "All files and folders"

6. Click "More advanced options"
Tick the top three boxes.

--------------------------------------

Download and double-click this file. It unpacks itself to C:\SDFix:
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Restart in Safe Mode.

Search for these two files, and if you find them, delete them:

C:\WINDOWS\system32\84379234.EXE

C:\WINDOWS\system32\B23FD116.exe

Afterwards, fix this line in HijackThis:

O23 - Service: 84379234 - Unknown owner - C:\WINDOWS\system32\84379234.EXE (file missing)

If it is gone after a restart, I don't need to see any more HijackThis logs.
--------------------------------------

Then go into the SDFix folder on the C drive. Double-click the file RunThis.bat to start the tool. Press "y" to confirm that you run the tool at your own risk. The tool will then start removing the trojan service and make a few repairs to the registry. At some point it will ask you to press a key to restart the computer. Do so, and the computer will restart after 15 seconds.

The restart will take a little longer than usual, since the tool needs time to do its work. When the desktop appears, the tool will print "Finished". Then press a key to reload your desktop icons.

Then open the SDFix folder, find the file Report.txt, and copy the contents of that file in here.


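The indicators the helper acts on in the log above (a service with no owner pointing at a missing file, an executable with a random-looking name in system32, a broken LSP entry) can be picked out of a HijackThis log automatically. This is an added example, not code from the thread or from HijackThis; the sample lines are a constructed excerpt in the same format as the posted log (0F3A9C21.exe is a made-up name), and the "eight hex characters" rule is an assumption drawn from the two file names in this thread.

```python
"""Flag HijackThis v1.99-style log lines for the indicators acted on in this thread."""
import re

# Constructed excerpt in the same format as the log posted above (not the poster's actual lines).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Steam] "d:\progra~1\valve\steam\steam.exe" -silent
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\system32\0F3A9C21.exe
O4 - Global Startup: NetBehaviour.lnk = ?
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O23 - Service: 84379234 - Unknown owner - C:\WINDOWS\system32\84379234.EXE (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

# O23 - Service: <display name> - <owner> - <path>[ (file missing)]
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
# Assumed heuristic: an 8-hex-digit file name like 84379234.EXE or B23FD116.exe
RANDOM_NAME_RE = re.compile(r"^[0-9A-F]{8}\.exe$", re.I)


def exe_from_command(cmd):
    """Executable path from an O4 command line, dropping quotes and arguments."""
    m = re.search(r'"?([^"]*?\.exe)\b', cmd, re.I)
    return m.group(1) if m else cmd


def triage_hjt(log):
    """Return [{'line': ..., 'reasons': [...]}] for every line worth a closer look."""
    findings = []
    for line in log.splitlines():
        reasons, exe = [], None
        m = O23_RE.match(line)
        if m:
            if m.group("missing"):
                reasons.append("service points at a missing file")
            if m.group("owner").lower() == "unknown owner":
                reasons.append("service has no vendor/owner")
            exe = m.group("path")
        elif line.startswith("O4 - ") and "] " in line:      # registry Run entries
            exe = exe_from_command(line.split("] ", 1)[1])
        elif line.startswith("O10 - Broken Internet access"):
            reasons.append("LSP chain references a missing provider DLL")
        else:
            continue
        if exe:
            name = exe.replace("/", "\\").rsplit("\\", 1)[-1]
            if RANDOM_NAME_RE.match(name) and "system32" in exe.lower():
                reasons.append("randomly named executable in system32")
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f["line"], "->", "; ".join(f["reasons"]))
```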
Comment
From : tcolsen
Date : 07-04-07 16:20

I can't find SDFix anywhere!!

Comment
From : stl_s
Date : 07-04-07 16:24

Comment
From : tcolsen
Date : 07-04-07 16:47


SDFix: Version 1.77

Run by Administrator - 07-04-2007 - 16:41:13,01

Microsoft Windows XP [version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found...




ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programmer\\eMule\\emule.exe"="C:\\Programmer\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Programmer\\Internet Explorer\\iexplore.exe"="C:\\Programmer\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------


Checking For Files with Hidden Attributes:

C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp

Finished


Accepted answer
From : stl_s
Received 200 points
Date : 07-04-07 17:19

That looks good. Now we just need to correct what the junk changed in your firewall:

Download Dial-A-Fix here http://djlizard.net/software/Dial-a-fix-v0.60.0.24.zip

Unpack it and run Dial-A-Fix.exe

Click "Policies" and remove any that may be there with "Remove".

Then click the little hammer (tools). In the menu, scroll down to "Repair permissions", select it and click GO. Wait until it has finished.

Restart.

Then your Windows firewall needs to be reset. You do that with this file http://www.sitecenter.dk/secure/nss-folder/mappe/reset.zip

Instructions are included.

Then I suggest you repeat steps 5 and 6 here http://www.malwarecheck.dk/forum/viewtopic.php?t=11

How is the machine running now?

Btw, downloading with eMule and using online banking is not a good combination. Something that sniffs your credentials can easily sneak in. In fact, that is the kind of thing you have had on the machine, so it may be a good idea to change your online banking password.

A better antivirus is also recommended http://www.activevirusshield.com/

Answer approval
From : tcolsen
Date : 07-04-07 19:10

So it's running again, and I have changed the passwords (I do that often)
thanks for the help

Comment
From : stl_s
Date : 07-04-07 22:12

You're welcome.
