Endnu en log fra Hijack this

Jeg ser på den :-)

Din maskine er slemt inficeret. Prøv derfor lige først at køre en runde med de scannere, som nævnes i denne artikel. Så kan vi lige se, hvor meget af det der er tilbage når du lægger de logs, som nævnes i artiklen:
http://www.eksperten.dk/artikler/954

Det vil også være godt, hvis du kan lave et par ekstra logs, når du har kørt ovennævnte scanninger:

Hent Blacklight her https://europe.f-secure.com/blacklight/try.shtml Scroll ned på siden, og klik "iaccept". På næste side kan du downloade Blacklight til skrivebordet. Dobbeltklik filen, og klik scan. Når den er færdig laver den en log på skrivebordet. Kopier loggen her ind. Du skal ikke lade Blacklight fjerne noget endnu.

Download Gmer-rootkit scanner, og pak den ud til skrivebordet:
http://www.gmer.net/gmer.zip
Kør programmet, klik på fanebladet "Rootkit", og klik på "Scan". Når scanningen er færdig, skal du klikke på "Copy". Så dukker et vindue op, som fortæller at resultatet af rootkit-scanningen er blevet lagt ind i udklipsholderen. Du kan herefter gå ind i denne tråd, og kopiere indholdet herind, ved at stille dig i indtastningsfeltet, og trykke ctrl-v.

DR-WEB

msijavaup32.exe    C:\    BackDoor.IRC.Sdbot.747    Deleted.
mshost32.exe    C:\WINDOWS\System32    Trojan.PWS.Banker.4758    Deleted.
msp.cpl    C:\WINDOWS\System32    Trojan.Notifier    Deleted.
ma2.exe    C:\Documents and Settings\HP_Ejer    Trojan.Notifier    Deleted.
maa.exe    C:\Documents and Settings\HP_Ejer    BackDoor.Couc    Deleted.
ttt.exe    C:\Documents and Settings\HP_Ejer    Trojan.PWS.Banker.4758    Deleted.
A0025447.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP370    BackDoor.IRC.Sdbot.747    Deleted.
A0028480.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP370    BackDoor.IRC.Sdbot.747    Deleted.
A0028523.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP370    BackDoor.IRC.Sdbot.747    Deleted.
A0030547.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP371    BackDoor.IRC.Sdbot.747    Deleted.
A0030548.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP371    BackDoor.IRC.Sdbot.747    Deleted.
A0030602.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP371    BackDoor.IRC.Sdbot.738    Deleted.
A0030603.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP371    BackDoor.IRC.Sdbot.748    Deleted.
A0030604.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP371    BackDoor.IRC.Sdbot.747    Deleted.
A0031602.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP372    BackDoor.IRC.Sdbot.747    Deleted.
A0031603.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP372    BackDoor.IRC.Sdbot.738    Deleted.
A0031604.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP372    BackDoor.IRC.Sdbot.738    Deleted.
A0034218.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    BackDoor.IRC.Sdbot.738    Deleted.
A0035604.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    BackDoor.IRC.Sdbot.738    Deleted.
A0035605.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    Trojan.Fakealert    Deleted.
A0035625.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    Trojan.DnsChange    Deleted.
A0035627.dll    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    Trojan.Proxy.493    Deleted.
A0035628.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    BackDoor.IRC.Sdbot.738    Deleted.
A0035629.cpl    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    BackDoor.Plx    Deleted.
A0035630.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    Trojan.Proxy.493    Deleted.
A0035632.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    Trojan.DownLoader.10918    Deleted.
A0035635.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    Adware.Look2me   
A0035636.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    Trojan.PWS.Snap    Deleted.
A0035637.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    BackDoor.IRC.Sdbot.738    Deleted.
A0035638.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    Trojan.DownLoader.5013    Deleted.
A0035639.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    Trojan.DownLoader.5013    Deleted.
A0035640.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    Trojan.Fakealert    Deleted.
A0035644.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    Adware.Spysheriff   
A0035645.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    Trojan.DownLoader.11355    Deleted.
A0035646.dll    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    Adware.TargetServer   
A0035647.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    Trojan.DownLoader.11354    Deleted.
A0035648.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    Adware.TargetServer   
A0035649.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    Adware.TargetServer   
A0035650.dll    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    Trojan.PWS.Snap    Deleted.
A0035651.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    Trojan.PWS.Snap    Deleted.
A0035652.dll    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    Trojan.PWS.Snap    Deleted.
A0035653.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    Adware.Surfside   
A0035654.dll    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    Adware.Surfside   
A0035655.dll    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    Adware.Surfside   
A0035656.dll    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    Adware.Ucmore   
A0035659.dll    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    Adware.Ucmore   
A0035661.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    Adware.Casino   
A0035662.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    Adware.Casino   
A0035663.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    Adware.Surfside   
A0035664.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    Adware.TargetServer   
A0035665.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    Adware.Ucmore   
A0035666.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    Adware.Look2me   
A0035667.dll    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    Adware.Look2me   
A0035668.dll    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    Adware.Look2me   
A0035669.dll    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    Adware.Surfside   
A0035670.dll    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP374    Trojan.DownLoader.10919    Deleted.
A0039959.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP375    BackDoor.IRC.Sdbot.747    Deleted.
A0039972.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP376    BackDoor.IRC.Sdbot.747    Deleted.
A0039973.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP376    BackDoor.IRC.Sdbot.747    Deleted.
A0039974.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP376    Adware.DollarRevenue   
A0039975.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP376    Trojan.DownLoader.9899    Incurable.Moved.
A0039976.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP376    Trojan.DownLoader.12226    Deleted.
A0040962.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP376    BackDoor.IRC.Sdbot.738    Deleted.
A0040964.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP376    Trojan.DownLoader.5013    Deleted.
A0041976.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP376    BackDoor.IRC.Sdbot.749    Deleted.
A0043000.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP377    BackDoor.IRC.Sdbot.748    Deleted.
A0043002.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP377    Trojan.Click.1227    Deleted.
A0043003.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP377    Trojan.DownLoader.12226    Deleted.
A0043004.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP377    Adware.DollarRevenue   
A0043005.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP377    Adware.DollarRevenue   
A0043006.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP377    Adware.DollarRevenue   
A0043007.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP377    Trojan.DownLoader.12227    Deleted.
A0043008.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP377    Adware.DollarRevenue   
A0043009.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP377    BackDoor.IRC.Sdbot.748    Deleted.
A0043012.dll    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP377    Adware.Softomate   
A0043013.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP377    Adware.Surfside   
A0043014.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP377    Adware.DollarRevenue   
A0043015.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP377    Trojan.DownLoader.9899    Incurable.Moved.
A0045102.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP379    BackDoor.IRC.Sdbot.747    Deleted.
A0045103.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP379    Trojan.PWS.Banker.4758    Deleted.
A0045104.cpl    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP379    Trojan.Notifier    Deleted.
A0045105.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP379    Trojan.Notifier    Deleted.
A0045106.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP379    BackDoor.Couc    Deleted.
A0045107.exe    C:\System Volume Information\_restore{1FD1846F-4D58-43DF-B050-006CA39AB12A}\RP379    Trojan.PWS.Banker.4758    Deleted.
msijavaup32.exe    C:\WINDOWS\system32    BackDoor.IRC.Sdbot.747    Deleted.
trz536f8.dll    C:\WINDOWS\system32    Trojan.DownLoader.12021    Deleted.
netapi[1].exe    C:\WINDOWS\system32\config\systemprofile\Lokale indstillinger\Temporary Internet Files\Content.IE5\67Q9ATCD    BackDoor.IRC.Sdbot.747    Deleted.
netapi[3].exe    C:\WINDOWS\system32\config\systemprofile\Lokale indstillinger\Temporary Internet Files\Content.IE5\67Q9ATCD    BackDoor.IRC.Sdbot.747    Deleted.
netapi[2].exe    C:\WINDOWS\system32\config\systemprofile\Lokale indstillinger\Temporary Internet Files\Content.IE5\7AIPHM4A    BackDoor.IRC.Sdbot.738    Deleted.
netapi[5].exe    C:\WINDOWS\system32\config\systemprofile\Lokale indstillinger\Temporary Internet Files\Content.IE5\7AIPHM4A    BackDoor.IRC.Sdbot.747    Deleted.
netapi[6].exe    C:\WINDOWS\system32\config\systemprofile\Lokale indstillinger\Temporary Internet Files\Content.IE5\7AIPHM4A    BackDoor.IRC.Sdbot.747    Deleted.
netapi[1].exe    C:\WINDOWS\system32\config\systemprofile\Lokale indstillinger\Temporary Internet Files\Content.IE5\Y1G9WZC1    BackDoor.IRC.Sdbot.747    Deleted.
netapi[2].exe    C:\WINDOWS\system32\config\systemprofile\Lokale indstillinger\Temporary Internet Files\Content.IE5\Y1G9WZC1    BackDoor.IRC.Sdbot.747    Deleted.
netapi[3].exe    C:\WINDOWS\system32\config\systemprofile\Lokale indstillinger\Temporary Internet Files\Content.IE5\Y1G9WZC1    BackDoor.IRC.Sdbot.747    Deleted.
netapi[1].exe    C:\WINDOWS\system32\config\systemprofile\Lokale indstillinger\Temporary Internet Files\Content.IE5\YDEHFPAS    BackDoor.IRC.Sdbot.747    Deleted.

Super Anti Spyware

SUPERAntiSpyware Scan Log
Generated 09/10/2006 at 04:01 PM

Core Rules Database Version : 3078
Trace Rules Database Version: 1113

Memory threats detected  : 0
Registry threats detected : 44
File threats detected    : 42

Adware.Tracking Cookie
    C:\Documents and Settings\HP_Ejer\Cookies\hp_ejer@tacoda[1].txt
    C:\Documents and Settings\HP_Ejer\Cookies\hp_ejer@adtech[2].txt
    C:\Documents and Settings\HP_Ejer\Cookies\hp_ejer@cgi-bin[2].txt
    C:\Documents and Settings\HP_Ejer\Cookies\hp_ejer@tribalfusion[1].txt
    C:\Documents and Settings\HP_Ejer\Cookies\hp_ejer@nasdaq.122.2o7[1].txt
    C:\Documents and Settings\HP_Ejer\Cookies\hp_ejer@e2.emediate[2].txt
    C:\Documents and Settings\HP_Ejer\Cookies\hp_ejer@doubleclick[1].txt
    C:\Documents and Settings\HP_Ejer\Cookies\hp_ejer@burstnet[2].txt
    C:\Documents and Settings\HP_Ejer\Cookies\hp_ejer@track.adform[1].txt
    C:\Documents and Settings\HP_Ejer\Cookies\hp_ejer@indextools[1].txt
    C:\Documents and Settings\HP_Ejer\Cookies\hp_ejer@mediaplex[2].txt
    C:\Documents and Settings\HP_Ejer\Cookies\hp_ejer@revsci[2].txt
    C:\Documents and Settings\HP_Ejer\Cookies\hp_ejer@fastclick[1].txt
    C:\Documents and Settings\HP_Ejer\Cookies\hp_ejer@click.tuinordiccampaign.buyingexperience[1].txt
    C:\Documents and Settings\HP_Ejer\Cookies\hp_ejer@advertising[2].txt
    C:\Documents and Settings\HP_Ejer\Cookies\hp_ejer@tradedoubler[2].txt
    C:\Documents and Settings\HP_Ejer\Cookies\hp_ejer@www.burstnet[1].txt
    C:\Documents and Settings\HP_Ejer\Cookies\hp_ejer@ad1.emediate[1].txt
    C:\WINDOWS\system32\config\systemprofile\Cookies\system@ad.yieldmanager[1].txt
    C:\WINDOWS\system32\config\systemprofile\Cookies\system@ads.adnet-plus[1].txt
    C:\WINDOWS\system32\config\systemprofile\Cookies\system@as-eu.falkag[2].txt
    C:\WINDOWS\system32\config\systemprofile\Cookies\system@offers.worldadvertisingdirect[2].txt
    C:\WINDOWS\system32\config\systemprofile\Cookies\system@tradedoubler[2].txt

Trojan.SpySheriff
    C:\Program Files\SpySheriff\base.avd
    C:\Program Files\SpySheriff\base001.avd
    C:\Program Files\SpySheriff\base002.avd
    C:\Program Files\SpySheriff\found.wav
    C:\Program Files\SpySheriff\notfound.wav
    C:\Program Files\SpySheriff\removed.wav
    C:\Program Files\SpySheriff\SpySheriff.dvm
    C:\Program Files\SpySheriff\SpySheriff.exe
    C:\Program Files\SpySheriff

Trojan.NetMon/DNSChange
    HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor
    HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#Type
    HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#Start
    HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#ErrorControl
    HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#ImagePath
    HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#DisplayName
    HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#ObjectName
    HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Security
    HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Security#Security
    HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum
    HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum#0
    HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum#Count
    HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum#NextInstance
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc
    C:\Programmer\Network Monitor

Trojan.cmdService
    HKLM\SYSTEM\CurrentControlSet\Services\cmdService
    HKLM\SYSTEM\CurrentControlSet\Services\cmdService#Type
    HKLM\SYSTEM\CurrentControlSet\Services\cmdService#Start
    HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ErrorControl
    HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ImagePath
    HKLM\SYSTEM\CurrentControlSet\Services\cmdService#DisplayName
    HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ObjectName
    HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Security
    HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Security#Security
    HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum
    HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#0
    HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#Count
    HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#NextInstance
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE#NextInstance
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Service
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Legacy
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ConfigFlags
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Class
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ClassGUID
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#DeviceDesc

Adware.Adservs
    C:\WINDOWS\system32\atmtd.dll
    C:\WINDOWS\system32\atmtd.dll._

Trojan.DollarRevenue
    C:\WINDOWS\newname.dat
    C:\WINDOWS\keyboard1.dat

Trojan.SmartLoad
    C:\WINDOWS\drsmartload2.dat

Trojan.Unknown Origin
    C:\WINDOWS\IA\KE.vbs
    C:\WINDOWS\teller2.chk
    C:\WINDOWS\uninstall_nmon.vbs

TargetSaver, Inc. Process
    C:\WINDOWS\system32\tsuninst.exe

Blacklight

09/10/06 16:06:39 [Info]: BlackLight Engine 1.0.46 initialized
09/10/06 16:06:39 [Info]: OS: 5.1 build 2600 (Service Pack 1)
09/10/06 16:06:39 [Note]: 7019 4
09/10/06 16:06:39 [Note]: 7005 0
09/10/06 16:06:45 [Note]: 7006 0
09/10/06 16:06:45 [Note]: 7011 524
09/10/06 16:06:45 [Note]: 7026 0
09/10/06 16:06:45 [Note]: 7026 0
09/10/06 16:06:56 [Note]: FSRAW library version 1.7.1019
09/10/06 16:09:16 [Note]: 7007 0

Logfile of HijackThis v1.99.1
Scan saved at 16:29:49, on 10-09-2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Programmer\Fælles filer\InterVideo\SchSvr\SchSvr.exe
C:\Programmer\InterVideo\Common\Bin\WinRemote.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\keyhook.exe
C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\ewido\security suite\ewidoctrl.exe
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programmer\Messenger\msmsgs.exe
C:\PROGRA~1\HELPAN~1\Pavilion\XPHWWBF4\plugin\bin\pchbutton.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\Programmer\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programmer\HP\Digital Imaging\bin\hpqimzone.exe
C:\Programmer\Citrix\ICA Client\pnagent.exe
C:\Programmer\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Programmer\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\HP_Ejer\Skrivebord\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=DA_DK&c=Q404&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=DA_DK&c=Q404&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=DA_DK&c=Q404&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://signon.stofanet.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=DA_DK&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=DA_DK&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=DA_DK&c=Q404&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,msijavaup32.exe
O1 - Hosts: 235.214.107.41 www.virustotal.com
O1 - Hosts: 33.3.169.44 virusscan.jotti.org
O1 - Hosts: 95.95.239.187 sandbox.norman.no
O1 - Hosts: 236.16.252.76 www.symantec.com
O1 - Hosts: 81.237.212.190 securityresponse.symantec.com
O1 - Hosts: 153.77.69.6 symantec.com
O1 - Hosts: 101.81.142.37 www.sophos.com
O1 - Hosts: 51.92.5.83 sophos.com
O1 - Hosts: 22.84.63.236 www.mcafee.com
O1 - Hosts: 204.205.34.167 mcafee.com
O1 - Hosts: 243.212.96.143 liveupdate.symantecliveupdate.com
O1 - Hosts: 61.96.74.78 www.viruslist.com
O1 - Hosts: 104.47.238.203 viruslist.com
O1 - Hosts: 109.147.117.22 f-secure.com
O1 - Hosts: 13.244.51.53 www.f-secure.com
O1 - Hosts: 57.5.230.76 kaspersky.com
O1 - Hosts: 17.115.16.33 www.avp.com
O1 - Hosts: 90.161.208.139 www.kaspersky.com
O1 - Hosts: 50.145.99.80 avp.com
O1 - Hosts: 233.168.246.216 www.networkassociates.com
O1 - Hosts: 64.114.128.249 www.ca.com
O1 - Hosts: 236.121.110.141 ca.com
O1 - Hosts: 54.114.43.161 mast.mcafee.com
O1 - Hosts: 118.182.103.146 my-etrust.com
O1 - Hosts: 221.234.42.53 www.my-etrust.com
O1 - Hosts: 78.49.5.243 download.mcafee.com
O1 - Hosts: 11.207.240.9 dispatch.mcafee.com
O1 - Hosts: 185.176.201.53 secure.nai.com
O1 - Hosts: 219.150.202.149 nai.com
O1 - Hosts: 192.252.18.2 www.nai.com
O1 - Hosts: 21.236.30.16 update.symantec.com
O1 - Hosts: 19.195.32.170 updates.symantec.com
O1 - Hosts: 130.65.67.206 us.mcafee.com
O1 - Hosts: 115.196.49.111 liveupdate.symantec.com
O1 - Hosts: 117.157.101.252 customer.symantec.com
O1 - Hosts: 183.213.47.157 rads.mcafee.com
O1 - Hosts: 68.79.239.155 trendmicro.com
O1 - Hosts: 211.47.228.251 www.trendmicro.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\xelnu.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Programmer\Fælles filer\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] C:\Programmer\InterVideo\Common\Bin\WinRemote.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programmer\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AutoTBar] c:\Programmer\HP\Digital Imaging\bin\AUTOTBAR.EXE
O4 - HKLM\..\Run: [Linksys Modem Drivers] linksys.exe
O4 - HKLM\..\Run: [kis] "C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\RunServices: [MS Java for Windows NT, XP & ME] xpjavams.exe
O4 - HKLM\..\RunServices: [Linksys Modem Drivers] linksys.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\Pavilion\XPHWWBF4\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [Linksys Modem Drivers] linksys.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunServices: [MS Java for Windows NT, XP & ME] xpjavams.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Hurtig start.lnk = C:\Programmer\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Programmer\Citrix\ICA Client\pnagent.exe
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programmer\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programmer\PartyGaming\PartyPoker\RunApp.exe (file missing)
O16 - DPF: {3D2CB570-D425-11D5-ABD0-00008369C46F} (CSMenu Class) - https://netbank.danskebank.dk/html/activex/DB/Menu.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp06.photoprintit.de/microsite/10021/defaults/activex/ImageUploader3.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: SysTray - {E61B5E20-DE35-11CF-9C87-1579005127ED} - C:\WINDOWS\System32\msc.cpl (file missing)
O21 - SSODL: msp.cpl - {E21B5E20-DE35-11CF-9C87-157900512701} - C:\WINDOWS\System32\msp.cpl (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe

Jeg kunne ikke ligge loggen på fra GMER, men forsøger lige igen.

Jeg ser frem til at høre fra dig.

Jeg vil anbefale at der ikke går helt så lang tid inden næste gang du melder tilbage. Det er nogle ret alvorlige infektioner, du har på computeren, og jo længere tid der går, jo nemmere har de ved at gendanne sig. :-)

-- Hent S!Ri's SmitfraudFix.zip og pak det ud til dit Skrivebord.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Programmet pakker sig ud i en mappe, der hedder SmitfraudFix.

NB: Filen "process.exe" som ligger i dette værktøj bliver af visse antivirus-programmer identificeret som "RiskTool". Det har dog ikke noget på sig!

-- Hent denne fil, og pak den ud til en mappe på skrivebordet:
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

-- Genstart i fejlsikret, hvis du ikke ved hvordan så kig her:
http://www.ctrlaltdel.dk/forum/forum_posts.asp?TID=23&PN=1

-- Gå så ind i mappen SDFix, som du hentede tidligere. Dobbeltklik på filen RunThis.bat, for at starte værktøjet. Tryk "y" for at bekræfte, at du kører værktøjet på egen risiko. Så vil værktøjet gå i gang med at fjerne trojanservicen, og lave et par reparationer af registreringsdatabasen. På et tidspunkt vil det bede dig om at trykke en taste for at genstarte computeren. Det skal du gøre, hvorefter computeren vil genstarte efter 15 sekunder.

Genstarten vil tage lidt længere end sædvanligt, idet værktøjet skal have tid til at udføre sit arbejde. Når skrivebordet dukker op, vil værktøjet skrive "Finished". Tryk herefter en taste for at indlæse dine skrivebordsikoner igen.

Åben så SDFix-mappen, find filen Report.txt, og kopier indholdet af denne fil herind

-- Genstart igen i fejlsikret.

-- Åbn mappen SmitfraudFix som du fik på Skrivebordet, og dobbeltklik på SmitfraudFix.cmd og tast 2 - svar ja til at rense (y=yes). Lad programmet gennemføre en rensning. Det vil også checke om systemfilen wininet.dll er inficeret. Hvis den er det, vil du blive bedt om tilladelse til at erstatte den med en anden. Her skal du vælge "Yes", ved at taste "y".

Programmet bliver muligvis nødt til at genstarte undervejs. Herefter vil der dukke en liste med resultaterne af rensningen op . Kopiér denne liste ind i tråden.

-- Genstart og læg en frisk Hijackthislog herind, sammen med loggen fra SmitfraudFix (C:\rapport.txt).

Hej,

Først beklager jeg den lange svartid, men det skyldes ferie.

Her er loggen fra SDFix, men det virkede ikke som den kørte rigtigt færdig, der kom ikke en besked om finished, men se på den:


SDFix: Version 1.21
-------------------------

Scan Time / Date: 18:58:45,79 / 11-09-2006


Microsoft Windows XP [version 5.1.2600]

Running from: C:\Documents and Settings\HP_Ejer\Skrivebord\SDFix\SDFix


                                Stage One...


Checking Services...

Service Name:
------------------

SVKP

File Path:
------------

\??\C:\WINDOWS\System32\SVKP.sys

Removing Services:
------------------------

SVKP ... deleted


Repairing Registry...


Restoring Default Hosts File...

Stage One Complete

Rebooting!

                                Stage Two...

Registry Cleaning Finished...

Checking For Malware Files:
----------------------------------

Her er så Smitfraudfix:

SmitFraudFix v2.87

Scan done at 19:15:31,73, 11-09-2006
Run from C:\Documents and Settings\HP_Ejer\Skrivebord\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Og til sidst Hi-Jack this:

Logfile of HijackThis v1.99.1
Scan saved at 19:19:52, on 11-09-2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Programmer\Fælles filer\InterVideo\SchSvr\SchSvr.exe
C:\Programmer\InterVideo\Common\Bin\WinRemote.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Programmer\ewido\security suite\ewidoctrl.exe
C:\Programmer\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programmer\Messenger\msmsgs.exe
C:\PROGRA~1\HELPAN~1\Pavilion\XPHWWBF4\plugin\bin\pchbutton.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\Programmer\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programmer\Citrix\ICA Client\pnagent.exe
C:\Programmer\HP\Digital Imaging\bin\hpqimzone.exe
C:\Programmer\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Programmer\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\HP_Ejer\Skrivebord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://signon.stofanet.dk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O1 - Hosts: 235.214.107.41 www.virustotal.com
O1 - Hosts: 33.3.169.44 virusscan.jotti.org
O1 - Hosts: 95.95.239.187 sandbox.norman.no
O1 - Hosts: 236.16.252.76 www.symantec.com
O1 - Hosts: 81.237.212.190 securityresponse.symantec.com
O1 - Hosts: 153.77.69.6 symantec.com
O1 - Hosts: 101.81.142.37 www.sophos.com
O1 - Hosts: 51.92.5.83 sophos.com
O1 - Hosts: 22.84.63.236 www.mcafee.com
O1 - Hosts: 204.205.34.167 mcafee.com
O1 - Hosts: 243.212.96.143 liveupdate.symantecliveupdate.com
O1 - Hosts: 61.96.74.78 www.viruslist.com
O1 - Hosts: 104.47.238.203 viruslist.com
O1 - Hosts: 109.147.117.22 f-secure.com
O1 - Hosts: 13.244.51.53 www.f-secure.com
O1 - Hosts: 57.5.230.76 kaspersky.com
O1 - Hosts: 17.115.16.33 www.avp.com
O1 - Hosts: 90.161.208.139 www.kaspersky.com
O1 - Hosts: 50.145.99.80 avp.com
O1 - Hosts: 233.168.246.216 www.networkassociates.com
O1 - Hosts: 64.114.128.249 www.ca.com
O1 - Hosts: 236.121.110.141 ca.com
O1 - Hosts: 54.114.43.161 mast.mcafee.com
O1 - Hosts: 118.182.103.146 my-etrust.com
O1 - Hosts: 221.234.42.53 www.my-etrust.com
O1 - Hosts: 78.49.5.243 download.mcafee.com
O1 - Hosts: 11.207.240.9 dispatch.mcafee.com
O1 - Hosts: 185.176.201.53 secure.nai.com
O1 - Hosts: 219.150.202.149 nai.com
O1 - Hosts: 192.252.18.2 www.nai.com
O1 - Hosts: 21.236.30.16 update.symantec.com
O1 - Hosts: 19.195.32.170 updates.symantec.com
O1 - Hosts: 130.65.67.206 us.mcafee.com
O1 - Hosts: 115.196.49.111 liveupdate.symantec.com
O1 - Hosts: 117.157.101.252 customer.symantec.com
O1 - Hosts: 183.213.47.157 rads.mcafee.com
O1 - Hosts: 68.79.239.155 trendmicro.com
O1 - Hosts: 211.47.228.251 www.trendmicro.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\xelnu.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Programmer\Fælles filer\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] C:\Programmer\InterVideo\Common\Bin\WinRemote.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programmer\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AutoTBar] c:\Programmer\HP\Digital Imaging\bin\AUTOTBAR.EXE
O4 - HKLM\..\Run: [kis] "C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\RunServices: [MS Java for Windows NT, XP & ME] xpjavams.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\Pavilion\XPHWWBF4\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunServices: [MS Java for Windows NT, XP & ME] xpjavams.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Hurtig start.lnk = C:\Programmer\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Programmer\Citrix\ICA Client\pnagent.exe
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programmer\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programmer\PartyGaming\PartyPoker\RunApp.exe (file missing)
O16 - DPF: {3D2CB570-D425-11D5-ABD0-00008369C46F} (CSMenu Class) - https://netbank.danskebank.dk/html/activex/DB/Menu.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp06.photoprintit.de/microsite/10021/defaults/activex/ImageUploader3.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: SysTray - {E61B5E20-DE35-11CF-9C87-1579005127ED} - C:\WINDOWS\System32\msc.cpl (file missing)
O21 - SSODL: msp.cpl - {E21B5E20-DE35-11CF-9C87-157900512701} - C:\WINDOWS\System32\msp.cpl (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe

Så lykkedes det at få SDFix til at køre færdig, så den kommer lige her:


SDFix: Version 1.21
-------------------------

Scan Time / Date: 19:24:19,15 / 11-09-2006


Microsoft Windows XP [version 5.1.2600]

Running from: C:\Documents and Settings\HP_Ejer\Skrivebord\SDFix\SDFix


                                Stage One...


Checking Services...

Service Name:
------------------


File Path:
------------


Removing Services:
------------------------



Repairing Registry...


Restoring Default Hosts File...

Stage One Complete

Rebooting!

                                Stage Two...

Registry Cleaning Finished...

Checking For Malware Files:
----------------------------------

C:\WINDOWS\system32\SVKP.sys

Backing Up and Removing any Files Found...

                                Final Check:

Remaining Services:
------------------------


Remaining Files:
-------------------

                                  FINISHED

Der kommer lige en ny hi-jack this:

Logfile of HijackThis v1.99.1
Scan saved at 19:48:32, on 11-09-2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programmer\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Programmer\Fælles filer\InterVideo\SchSvr\SchSvr.exe
C:\Programmer\InterVideo\Common\Bin\WinRemote.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programmer\Messenger\msmsgs.exe
C:\PROGRA~1\HELPAN~1\Pavilion\XPHWWBF4\plugin\bin\pchbutton.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmer\Citrix\ICA Client\pnagent.exe
C:\Programmer\HP\Digital Imaging\bin\hpqimzone.exe
C:\Programmer\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programmer\Internet Explorer\IEXPLORE.EXE
C:\Programmer\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Documents and Settings\HP_Ejer\Skrivebord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://signon.stofanet.dk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O1 - Hosts: 235.214.107.41 www.virustotal.com
O1 - Hosts: 33.3.169.44 virusscan.jotti.org
O1 - Hosts: 95.95.239.187 sandbox.norman.no
O1 - Hosts: 236.16.252.76 www.symantec.com
O1 - Hosts: 81.237.212.190 securityresponse.symantec.com
O1 - Hosts: 153.77.69.6 symantec.com
O1 - Hosts: 101.81.142.37 www.sophos.com
O1 - Hosts: 51.92.5.83 sophos.com
O1 - Hosts: 22.84.63.236 www.mcafee.com
O1 - Hosts: 204.205.34.167 mcafee.com
O1 - Hosts: 243.212.96.143 liveupdate.symantecliveupdate.com
O1 - Hosts: 61.96.74.78 www.viruslist.com
O1 - Hosts: 104.47.238.203 viruslist.com
O1 - Hosts: 109.147.117.22 f-secure.com
O1 - Hosts: 13.244.51.53 www.f-secure.com
O1 - Hosts: 57.5.230.76 kaspersky.com
O1 - Hosts: 17.115.16.33 www.avp.com
O1 - Hosts: 90.161.208.139 www.kaspersky.com
O1 - Hosts: 50.145.99.80 avp.com
O1 - Hosts: 233.168.246.216 www.networkassociates.com
O1 - Hosts: 64.114.128.249 www.ca.com
O1 - Hosts: 236.121.110.141 ca.com
O1 - Hosts: 54.114.43.161 mast.mcafee.com
O1 - Hosts: 118.182.103.146 my-etrust.com
O1 - Hosts: 221.234.42.53 www.my-etrust.com
O1 - Hosts: 78.49.5.243 download.mcafee.com
O1 - Hosts: 11.207.240.9 dispatch.mcafee.com
O1 - Hosts: 185.176.201.53 secure.nai.com
O1 - Hosts: 219.150.202.149 nai.com
O1 - Hosts: 192.252.18.2 www.nai.com
O1 - Hosts: 21.236.30.16 update.symantec.com
O1 - Hosts: 19.195.32.170 updates.symantec.com
O1 - Hosts: 130.65.67.206 us.mcafee.com
O1 - Hosts: 115.196.49.111 liveupdate.symantec.com
O1 - Hosts: 117.157.101.252 customer.symantec.com
O1 - Hosts: 183.213.47.157 rads.mcafee.com
O1 - Hosts: 68.79.239.155 trendmicro.com
O1 - Hosts: 211.47.228.251 www.trendmicro.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\xelnu.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Programmer\Fælles filer\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] C:\Programmer\InterVideo\Common\Bin\WinRemote.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programmer\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AutoTBar] c:\Programmer\HP\Digital Imaging\bin\AUTOTBAR.EXE
O4 - HKLM\..\Run: [kis] "C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\RunServices: [MS Java for Windows NT, XP & ME] xpjavams.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\Pavilion\XPHWWBF4\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunServices: [MS Java for Windows NT, XP & ME] xpjavams.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Hurtig start.lnk = C:\Programmer\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Programmer\Citrix\ICA Client\pnagent.exe
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programmer\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programmer\PartyGaming\PartyPoker\RunApp.exe (file missing)
O16 - DPF: {3D2CB570-D425-11D5-ABD0-00008369C46F} (CSMenu Class) - https://netbank.danskebank.dk/html/activex/DB/Menu.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp06.photoprintit.de/microsite/10021/defaults/activex/ImageUploader3.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: SysTray - {E61B5E20-DE35-11CF-9C87-1579005127ED} - C:\WINDOWS\System32\msc.cpl (file missing)
O21 - SSODL: msp.cpl - {E21B5E20-DE35-11CF-9C87-157900512701} - C:\WINDOWS\System32\msp.cpl (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe

-- Klik start | kør og kopier denne linie ind i tekstfeltet i "kør boksen" :
cmd /c echo 127.0.0.1 localhost > c:\windows\system32\drivers\etc\hosts
Klik herefter ok.

-- Kør Hijackthis, vælg "Do a system scan only", sæt flueben ved linierne listet her, luk alle vinduer undtaget

Hijackthis, klik på fix checked.

O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\xelnu.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\RunServices: [MS Java for Windows NT, XP & ME] xpjavams.exe
O4 - HKCU\..\RunServices: [MS Java for Windows NT, XP & ME] xpjavams.exe
O21 - SSODL: SysTray - {E61B5E20-DE35-11CF-9C87-1579005127ED} - C:\WINDOWS\System32\msc.cpl (file missing)
O21 - SSODL: msp.cpl - {E21B5E20-DE35-11CF-9C87-157900512701} - C:\WINDOWS\System32\msp.cpl (file missing)

Genstart computeren, og lav en ny log med Hijackthis, som du lægger herind til check.

Her er ny hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 21:20:52, on 11-09-2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Programmer\Fælles filer\InterVideo\SchSvr\SchSvr.exe
C:\Programmer\InterVideo\Common\Bin\WinRemote.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programmer\Messenger\msmsgs.exe
C:\PROGRA~1\HELPAN~1\Pavilion\XPHWWBF4\plugin\bin\pchbutton.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmer\Citrix\ICA Client\pnagent.exe
C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programmer\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\Programmer\HP\Digital Imaging\bin\hpqimzone.exe
C:\Documents and Settings\HP_Ejer\Skrivebord\HijackThis.exe
C:\Programmer\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://signon.stofanet.dk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O1 - Hosts: 235.214.107.41 www.virustotal.com
O1 - Hosts: 33.3.169.44 virusscan.jotti.org
O1 - Hosts: 95.95.239.187 sandbox.norman.no
O1 - Hosts: 236.16.252.76 www.symantec.com
O1 - Hosts: 81.237.212.190 securityresponse.symantec.com
O1 - Hosts: 153.77.69.6 symantec.com
O1 - Hosts: 101.81.142.37 www.sophos.com
O1 - Hosts: 51.92.5.83 sophos.com
O1 - Hosts: 22.84.63.236 www.mcafee.com
O1 - Hosts: 204.205.34.167 mcafee.com
O1 - Hosts: 243.212.96.143 liveupdate.symantecliveupdate.com
O1 - Hosts: 61.96.74.78 www.viruslist.com
O1 - Hosts: 104.47.238.203 viruslist.com
O1 - Hosts: 109.147.117.22 f-secure.com
O1 - Hosts: 13.244.51.53 www.f-secure.com
O1 - Hosts: 57.5.230.76 kaspersky.com
O1 - Hosts: 17.115.16.33 www.avp.com
O1 - Hosts: 90.161.208.139 www.kaspersky.com
O1 - Hosts: 50.145.99.80 avp.com
O1 - Hosts: 233.168.246.216 www.networkassociates.com
O1 - Hosts: 64.114.128.249 www.ca.com
O1 - Hosts: 236.121.110.141 ca.com
O1 - Hosts: 54.114.43.161 mast.mcafee.com
O1 - Hosts: 118.182.103.146 my-etrust.com
O1 - Hosts: 221.234.42.53 www.my-etrust.com
O1 - Hosts: 78.49.5.243 download.mcafee.com
O1 - Hosts: 11.207.240.9 dispatch.mcafee.com
O1 - Hosts: 185.176.201.53 secure.nai.com
O1 - Hosts: 219.150.202.149 nai.com
O1 - Hosts: 192.252.18.2 www.nai.com
O1 - Hosts: 21.236.30.16 update.symantec.com
O1 - Hosts: 19.195.32.170 updates.symantec.com
O1 - Hosts: 130.65.67.206 us.mcafee.com
O1 - Hosts: 115.196.49.111 liveupdate.symantec.com
O1 - Hosts: 117.157.101.252 customer.symantec.com
O1 - Hosts: 183.213.47.157 rads.mcafee.com
O1 - Hosts: 68.79.239.155 trendmicro.com
O1 - Hosts: 211.47.228.251 www.trendmicro.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Programmer\Fælles filer\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] C:\Programmer\InterVideo\Common\Bin\WinRemote.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programmer\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AutoTBar] c:\Programmer\HP\Digital Imaging\bin\AUTOTBAR.EXE
O4 - HKLM\..\Run: [kis] "C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\Pavilion\XPHWWBF4\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Hurtig start.lnk = C:\Programmer\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Programmer\Citrix\ICA Client\pnagent.exe
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programmer\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programmer\PartyGaming\PartyPoker\RunApp.exe (file missing)
O16 - DPF: {3D2CB570-D425-11D5-ABD0-00008369C46F} (CSMenu Class) - https://netbank.danskebank.dk/html/activex/DB/Menu.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp06.photoprintit.de/microsite/10021/defaults/activex/ImageUploader3.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: WebCheck - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe

Det hjælper på den nu.

-- Hent dette lille program og pak det ud til Skrivebordet:
http://www.funkytoad.com/download/hoster.zip

Kør Hoster. Hvis der øverst i højre side med rødt står at hosts-filen er "Read only", skal du først klikke på "make Hosts writable". Klik så på "Restore Original Hosts" og klik "OK". Gå ud af programmet.

-- Hent så Combofix, og gem den på dit skrivebord:
http://download.bleepingcomputer.com/sUBs/combofix.exe

--  Kør så combofix.exe, som du hentede tidligere, og følg anvisningerne.
Du bør ikke klikke på vinduet imens værktøjet kører, idet det kan få din computer til at fryse.

Når combofix er færdig, og efter det har genstartet, skulle der gerne åbnes en logfil: combofix.txt. Indholdet af denne fil må du gerne lægge herind, sammen med en ny log fra Hijackthis

Tilføjelse:
Inden du kører combofix, så prøv lige at fixe denne linie med Hijackthis:
O21 - SSODL: WebCheck - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)

HP_Ejer - 06-09-13 17:14:11,07
ComboFix 06.09.11B - Running from: C:\Documents and Settings\HP_Ejer\Skrivebord

Microsoft Windows XP [version 5.1.2600]

((((((((((((((((((((((((((((((((((((((((((((  Other Deletions  )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\atmtd.dll.tmp
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Programmer\Deskbar


(((((((((((((((((((((((((((((((  Files Created from 2006-08-13 to 2006-09-13  ))))))))))))))))))))))))))))))))))


2006-09-11    19:14    53,248    --a------    C:\WINDOWS\system32\Process.exe
2006-09-11    19:14    40,960    --a------    C:\WINDOWS\system32\swsc.exe
2006-09-11    19:14    288,417    --a------    C:\WINDOWS\system32\SrchSTS.exe
2006-09-11    19:14    135,168    --a------    C:\WINDOWS\system32\swreg.exe
2006-09-09    19:02    94,208    --a------    C:\WINDOWS\system32\HPZipt12.dll
2006-09-09    19:02    69,632    --a------    C:\WINDOWS\system32\HPZipm12.exe
2006-09-09    19:02    61,440    --a------    C:\WINDOWS\system32\HPZinw12.exe
2006-09-09    19:02    57,344    --a------    C:\WINDOWS\system32\HPZisn12.dll
2006-09-09    19:02    278,584    --a------    C:\WINDOWS\system32\HPZidr12.dll
2006-09-09    19:02    204,800    --a------    C:\WINDOWS\system32\HPZipr12.dll
2006-08-25    18:07    377    --a------    C:\dloadad.exe
2006-08-24    18:23    377    --a------    C:\drloader.exe
2006-08-24    18:23    340    --a------    C:\serv32.exe
2006-08-21    16:58    1,167    --a------    C:\WINDOWS\system32\trz536f8.sys


((((((((((((((((((((((((((((((((((((((((((((((((  Find3M Report  )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-26 10:57    --------    d--------    C:\Programmer\F‘lles filer\Wise Installation Wizard
2006-08-26 09:51    --------    d--------    C:\Programmer\SUPERAntiSpyware
2006-08-26 09:50    --------    d--------    C:\Programmer\F‘lles filer
2006-08-26 09:50    --------    d--------    C:\Documents and Settings\HP_Ejer\Application Data\SUPERAntiSpyware.com
2006-08-26 09:45    --------    d--------    C:\Programmer\Mozilla Firefox
2006-08-25 20:00    --------    d--------    C:\Documents and Settings\HP_Ejer\Application Data\Mozilla
2006-08-22 19:17    --------    d--------    C:\Programmer\Kaspersky Lab
2006-08-22 19:00    --------    d--------    C:\Programmer\F‘lles filer\Symantec Shared
2006-08-22 18:55    --------    d--------    C:\Programmer\Symantec
2006-08-22 18:54    --------    d--------    C:\Programmer\Norton AntiVirus
2006-08-22 17:35    --------    d--------    C:\Programmer\ewido
2006-08-21 17:01    --------    d--------    C:\Programmer\F‘lles filer\fzoz
2006-08-20 17:34    --------    d--------    C:\Programmer\SPYWAREfighter
2006-08-05 11:30    --------    d--------    C:\Documents and Settings\HP_Ejer\Application Data\HP
2006-08-03 17:20    --------    d--------    C:\Programmer\PokerStars
2006-08-03 17:04    --------    d--------    C:\Programmer\PokerRoom.com
2006-08-03 16:00    --------    d--------    C:\Programmer\F‘lles filer\Sonic Shared
2006-08-03 15:59    --------    d--------    C:\Programmer\F‘lles filer\HP
2006-08-03 15:55    --------    d--------    C:\Programmer\HP
2006-08-03 15:55    --------    d--------    C:\Programmer\Hewlett-Packard
2006-07-29 12:05    --------    d--------    C:\Documents and Settings\HP_Ejer\Application Data\AdobeUM


((((((((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Programmer\\Messenger\\msmsgs.exe\" /background"
"Acme.PCHButton"="C:\\PROGRA~1\\HELPAN~1\\Pavilion\\XPHWWBF4\\plugin\\bin\\pchbutton.exe"
"SUPERAntiSpyware"="C:\\Programmer\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\\Programmer\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"Home Theater SchSvr"="\"C:\\Programmer\\Fælles filer\\InterVideo\\SchSvr\\SchSvr.exe\""
"WINREMOTE"="C:\\Programmer\\InterVideo\\Common\\Bin\\WinRemote.exe"
"iTunesHelper"="C:\\Programmer\\iTunes\\iTunesHelper.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"VTTimer"="VTTimer.exe"
"SiS Windows KeyHook"="C:\\WINDOWS\\System32\\keyhook.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"SoundMan"="SOUNDMAN.EXE"
"ATIPTA"="C:\\Programmer\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"AlcWzrd"="ALCWZRD.EXE"
"HPAIO_PrintFolderMgr"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\hpoopm07.exe"
"QuickTime Task"="\"C:\\Programmer\\QuickTime\\qttask.exe\" -atboottime"
"AutoTBar"="c:\\Programmer\\HP\\Digital Imaging\\bin\\AUTOTBAR.EXE"
"kis"="\"C:\\Programmer\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\avp.exe\""
@=""
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"MS Java for Windows NT, XP & ME"="xpjavams.exe"
"Ms Java for Windows NT"="msijavaup32.exe"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"MS Java for Windows NT, XP & ME"="xpjavams.exe"
"Ms Java for Windows NT"="msijavaup32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
@="{E61B5E20-DE35-11CF-9C87-1579005127ED}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SASWinLogon

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ  msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\HPpromotions journeysoftware.job

Completion time: 13-09-2006 17:18:14.73
ComboFix.txt

Logfile of HijackThis v1.99.1
Scan saved at 17:22:41, on 13-09-2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programmer\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Programmer\Fælles filer\InterVideo\SchSvr\SchSvr.exe
C:\Programmer\InterVideo\Common\Bin\WinRemote.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\keyhook.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programmer\Messenger\msmsgs.exe
C:\PROGRA~1\HELPAN~1\Pavilion\XPHWWBF4\plugin\bin\pchbutton.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmer\Citrix\ICA Client\pnagent.exe
C:\Programmer\HP\Digital Imaging\bin\hpqimzone.exe
C:\Programmer\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programmer\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Programmer\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\HP_Ejer\Skrivebord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://signon.stofanet.dk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Programmer\Fælles filer\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] C:\Programmer\InterVideo\Common\Bin\WinRemote.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programmer\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AutoTBar] c:\Programmer\HP\Digital Imaging\bin\AUTOTBAR.EXE
O4 - HKLM\..\Run: [kis] "C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\Pavilion\XPHWWBF4\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Hurtig start.lnk = C:\Programmer\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Programmer\Citrix\ICA Client\pnagent.exe
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programmer\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programmer\PartyGaming\PartyPoker\RunApp.exe (file missing)
O16 - DPF: {3D2CB570-D425-11D5-ABD0-00008369C46F} (CSMenu Class) - https://netbank.danskebank.dk/html/activex/DB/Menu.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp06.photoprintit.de/microsite/10021/defaults/activex/ImageUploader3.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: ShellFolder for CD Burning - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe

-- Hent Avenger her:
http://swandog46.geekstogo.com/avenger.zip

-- Pak Avenger-programmet ud og dobbeltklik på avenger.exe

-- Sæt en prik i "Input Script Manually" og klik på Luppen - nu dukker der et lille vindue op, hvor du skal kopiere indholdet mellem de stiplede linier ind:

-----------------------------
Files to delete:
C:\dloadad.exe
C:\drloader.exe
C:\serv32.exe
C:\WINDOWS\system32\trz536f8.sys

registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E61B5E20-DE35-11CF-9C87-1579005127ED}

registry values to delete:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices|"MS Java for Windows NT, XP & ME"
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices|"Ms Java for Windows NT"
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices|"MS Java for Windows NT, XP & ME"
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices|"Ms Java for Windows NT"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks|"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks|"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|@
-----------------------------

-- Klik på Trafiklyset i Avenger. Programmet vil opfordre dig til at genstarte computeren straks, hvilket du skal gøre. Programmet vil lukke din computer, slette filerne og starte computeren igen.

-- Efter genstarten vil der dukke et notepad-vindue op, med en log for Avengers handlinger. Den må du gerne lægge ind i dit næste svar.

-- Kør Hijackthis, vælg "Do a system scan only", sæt flueben ved linierne listet her, luk alle vinduer undtaget Hijackthis, klik på fix checked.

O21 - SSODL: ShellFolder for CD Burning - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)

Genstart computeren, og lav en ny log med Hijackthis, som du lægger herind sammen med loggen fra Avenger.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ucnxnclb

*******************

Script file located at: \??\C:\Program Files\kbdtvkaj.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\dloadad.exe deleted successfully.
File C:\drloader.exe deleted successfully.
File C:\serv32.exe deleted successfully.
File C:\WINDOWS\system32\trz536f8.sys deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E61B5E20-DE35-11CF-9C87-1579005127ED} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E61B5E20-DE35-11CF-9C87-1579005127ED} failed!
Status: 0xc0000034

Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices|MS Java for Windows NT, XP & ME deleted successfully.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices|Ms Java for Windows NT deleted successfully.


Could not delete registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices|MS Java for Windows NT, XP & ME
Deletion of registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices|MS Java for Windows NT, XP & ME failed!
Status: 0xc0000034



Could not delete registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices|Ms Java for Windows NT
Deletion of registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices|Ms Java for Windows NT failed!
Status: 0xc0000034

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks|{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks|{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} deleted successfully.


Could not delete registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|@
Deletion of registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|@ failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished!  Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 20:54:27, on 13-09-2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Programmer\Fælles filer\InterVideo\SchSvr\SchSvr.exe
C:\Programmer\InterVideo\Common\Bin\WinRemote.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programmer\Messenger\msmsgs.exe
C:\PROGRA~1\HELPAN~1\Pavilion\XPHWWBF4\plugin\bin\pchbutton.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmer\Citrix\ICA Client\pnagent.exe
C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programmer\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\HP\Digital Imaging\bin\hpqimzone.exe
C:\Programmer\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\Documents and Settings\HP_Ejer\Skrivebord\HijackThis.exe
C:\Programmer\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://signon.stofanet.dk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Programmer\Fælles filer\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] C:\Programmer\InterVideo\Common\Bin\WinRemote.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programmer\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AutoTBar] c:\Programmer\HP\Digital Imaging\bin\AUTOTBAR.EXE
O4 - HKLM\..\Run: [kis] "C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\Pavilion\XPHWWBF4\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Hurtig start.lnk = C:\Programmer\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Programmer\Citrix\ICA Client\pnagent.exe
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programmer\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programmer\PartyGaming\PartyPoker\RunApp.exe (file missing)
O16 - DPF: {3D2CB570-D425-11D5-ABD0-00008369C46F} (CSMenu Class) - https://netbank.danskebank.dk/html/activex/DB/Menu.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp06.photoprintit.de/microsite/10021/defaults/activex/ImageUploader3.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: ShellFolder for CD Burning - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe

Nå, den er stædig... Kopier indholdet mellem de stiplede linier ind i et notepad-vindue, og gem indholdet på skrivebordet som regfix.reg. Når du gemmer, skal du sikre dig, at der under "filtyper" står "alle filer":

-----------------------------
REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E61B5E20-DE35-11CF-9C87-1579005127ED}]
-----------------------------
Dobbeltklik på filen, og sig ja til at tilføje oplysningerne til registreringsdatabasen.

Genstart herefter til fejlsikret tilstand, og dobbeltklik igen på filen.

Genstart så til normal tilstand, og lav en ny log med Hijackthis, som du lægger herind.

Logfile of HijackThis v1.99.1
Scan saved at 22:04:53, on 13-09-2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Programmer\Fælles filer\InterVideo\SchSvr\SchSvr.exe
C:\Programmer\InterVideo\Common\Bin\WinRemote.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programmer\ewido\security suite\ewidoctrl.exe
C:\Programmer\Messenger\msmsgs.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\PROGRA~1\HELPAN~1\Pavilion\XPHWWBF4\plugin\bin\pchbutton.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmer\Citrix\ICA Client\pnagent.exe
C:\Programmer\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\Programmer\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\HP_Ejer\Skrivebord\HijackThis.exe
C:\Programmer\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://signon.stofanet.dk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Programmer\Fælles filer\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] C:\Programmer\InterVideo\Common\Bin\WinRemote.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programmer\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AutoTBar] c:\Programmer\HP\Digital Imaging\bin\AUTOTBAR.EXE
O4 - HKLM\..\Run: [kis] "C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\Pavilion\XPHWWBF4\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Hurtig start.lnk = C:\Programmer\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Programmer\Citrix\ICA Client\pnagent.exe
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programmer\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programmer\PartyGaming\PartyPoker\RunApp.exe (file missing)
O16 - DPF: {3D2CB570-D425-11D5-ABD0-00008369C46F} (CSMenu Class) - https://netbank.danskebank.dk/html/activex/DB/Menu.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp06.photoprintit.de/microsite/10021/defaults/activex/ImageUploader3.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Programmer\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe

Så lykkedes det. Loggen er ren. Har du også fået løst dit problem?

For at gøre arbejdet helt færdig:
Det kan være en god ide og rydde op i systemgendannelses filerne. Deaktiver systemgendannelse (http://www.spywarefri.dk/virusscannere.htm#alle) - genstart din computer - aktiver systemgendannelse.
Og så kan det også være en god ide at skjule dine systemfiler og -mapper igen, så du ikke ved en fejl kommer til at slette en vigtig fil. Det gør du samme sted, hvor du satte det til at vise alle filer, denne gang vælger du bare: Vis ikke skjulte filer og mapper.

Det kan også være en god ide at få renset ud i dine midlertidige filer. Det kan gøres på en hurtig og nem måde med denne fil
www.spywareinfo.dk/download/cleantempxp2k.bat
---------------------------

For at forhindre gentagelser, vil jeg anbefale dig at lægge nogle små programmer ind, som forhindrer spyware i at komme ind i første omgang. Du finder links og gode råd her:
http://www.spywarefri.dk/manualer/sikkerhedspakke.htm

Jeg vil også foreslå, at du læser disse artikler om hvordan du kan undgå at blive inficeret i fremtiden:
http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=14414
http://www.ctrlaltdel.dk/forum/forum_posts.asp?TID=25&PN=1

Det var en lang sej kamp men det hele værd, computeren kører fint igen. Tusind tak for hjælpen.

Du er velkommen :-)