ai_rayzor (Beginner)
03 May 2007 - 15:10 There are 10 comments and 2 solutions

HijackThis log

My friend gets some pretty strange popups when he uses IE7 and sometimes also in Firefox (he mostly uses Firefox). He used Spybot to remove what he thought was causing the problem, but nothing has helped - not even a scan in safe mode - so he asked whether I could help him :) - (or rather: you :))

My HijackThis log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 15:05:57, on 03-05-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmer\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\StartupMonitor.exe
C:\WINDOWS\system32\svshost.exe
C:\Programmer\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\RECYCLER\msnmrsgrs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Fælles filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Programmer\Winamp\winamp.exe
C:\Programmer\BitComet\BitComet.exe
C:\DOCUME~1\Dan\LOKALE~1\Temp\NeroDemo12550\NeroBar.exe
C:\DOCUME~1\Dan\LOKALE~1\Temp\NeroDemo12550\Setupx.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Programmer\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Documents and Settings\Dan\Skrivebord\HiJackThis_v2.exe
C:\Programmer\WinRAR\WinRAR.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Programmer\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Programmer\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: (no name) - {7AC06F58-F80C-4940-A14C-E09FE77F9DD2} - C:\WINDOWS\system32\awttrro.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmer\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C611D2C3-5792-4642-A5CD-91619669842B} - C:\WINDOWS\system32\sstqq.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\qtlegbgw.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programmer\FlashGet\getflash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmer\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programmer\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [Microsoft Updates] svshost.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Programmer\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\FLLESF~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [Windows Security Centers] C:\RECYCLER\msnmrsgrs.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmer\Fælles filer\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] svshost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Programmer\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Programmer\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Programmer\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Programmer\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with FlashGet - C:\Programmer\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Programmer\FlashGet\jc_link.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Programmer\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programmer\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programmer\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programmer\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programmer\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programmer\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programmer\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programmer\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programmer\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programmer\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FLLESF~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: awttrro - C:\WINDOWS\SYSTEM32\awttrro.dll
O20 - Winlogon Notify: sstqq - C:\WINDOWS\system32\sstqq.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Programmer\Fælles filer\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programmer\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmer\Fælles filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Programmer\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
03 May 2007 - 15:45 #1
Yeees - there are also some more than suspicious elements *S*

Round 1 ->

-- Download VirtumundoBeGone http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe , save it on the desktop.

Close all running programs, including Internet windows, double-click VirtumundoBeGone.exe on the desktop, read the intro information, then click Continue, click Start.
When it asks whether you want to continue, click Yes to run the fix.
Then click Save log.

It sometimes happens that the fix ends with a "BSOD" (blue screen and frozen PC); if so, just restart with the Reset button.

A text file called VBG.TXT will appear on your desktop; open it and paste the text in here.
Along with a fresh HijackThis log ...
ai_rayzor (Beginner)
03 May 2007 - 17:34 #2
The computer is running like it's on steroids now - nice :) - it has probably nailed the culprit, I would think.

Here are the logs.

VBG:

[05/03/2007, 17:29:10] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Dan\Skrivebord\VirtumundoBeGone.exe" )
[05/03/2007, 17:29:27] - Detected System Information:
[05/03/2007, 17:29:27] -  Windows Version: 5.1.2600, Service Pack 2
[05/03/2007, 17:29:27] -  Current Username: Dan (Admin)
[05/03/2007, 17:29:27] -  Windows is in NORMAL mode.
[05/03/2007, 17:29:27] - Searching for Browser Helper Objects:
[05/03/2007, 17:29:27] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/03/2007, 17:29:27] -  BHO 2: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} (FGCatchUrl)
[05/03/2007, 17:29:27] -  BHO 3: {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} (BitComet Helper)
[05/03/2007, 17:29:27] -  BHO 4: {7AC06F58-F80C-4940-A14C-E09FE77F9DD2} ()
[05/03/2007, 17:29:27] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/03/2007, 17:29:27] -  Checking for HKLM\...\Winlogon\Notify\awttrro
[05/03/2007, 17:29:27] -  Found: HKLM\...\Winlogon\Notify\awttrro - This is probably Virtumundo.
[05/03/2007, 17:29:27] -  Assigning {7AC06F58-F80C-4940-A14C-E09FE77F9DD2} MSEvents Object
[05/03/2007, 17:29:27] - BHO list has been changed! Starting over...
[05/03/2007, 17:29:27] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/03/2007, 17:29:27] -  BHO 2: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} (FGCatchUrl)
[05/03/2007, 17:29:27] -  BHO 3: {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} (BitComet Helper)
[05/03/2007, 17:29:27] -  BHO 4: {7AC06F58-F80C-4940-A14C-E09FE77F9DD2} (MSEvents Object)
[05/03/2007, 17:29:27] - ALERT: Found MSEvents Object!
[05/03/2007, 17:29:28] -  BHO 5: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[05/03/2007, 17:29:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/03/2007, 17:29:28] -  No filename found. Continuing.
[05/03/2007, 17:29:28] -  BHO 6: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[05/03/2007, 17:29:28] -  BHO 7: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[05/03/2007, 17:29:28] -  BHO 8: {C611D2C3-5792-4642-A5CD-91619669842B} ()
[05/03/2007, 17:29:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/03/2007, 17:29:28] -  Checking for HKLM\...\Winlogon\Notify\sstqq
[05/03/2007, 17:29:28] -  Found: HKLM\...\Winlogon\Notify\sstqq - This is probably Virtumundo.
[05/03/2007, 17:29:28] -  Assigning {C611D2C3-5792-4642-A5CD-91619669842B} MSEvents Object
[05/03/2007, 17:29:28] - BHO list has been changed! Starting over...
[05/03/2007, 17:29:28] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/03/2007, 17:29:28] -  BHO 2: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} (FGCatchUrl)
[05/03/2007, 17:29:28] -  BHO 3: {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} (BitComet Helper)
[05/03/2007, 17:29:28] -  BHO 4: {7AC06F58-F80C-4940-A14C-E09FE77F9DD2} (MSEvents Object)
[05/03/2007, 17:29:28] - ALERT: Found MSEvents Object!
[05/03/2007, 17:29:28] -  BHO 5: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[05/03/2007, 17:29:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/03/2007, 17:29:28] -  No filename found. Continuing.
[05/03/2007, 17:29:28] -  BHO 6: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[05/03/2007, 17:29:28] -  BHO 7: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[05/03/2007, 17:29:28] -  BHO 8: {C611D2C3-5792-4642-A5CD-91619669842B} (MSEvents Object)
[05/03/2007, 17:29:28] - ALERT: Found MSEvents Object!
[05/03/2007, 17:29:28] -  BHO 9: {D651AFF4-9590-424d-BD1E-8E33E090DFB3} ()
[05/03/2007, 17:29:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/03/2007, 17:29:28] -  Checking for HKLM\...\Winlogon\Notify\qtlegbgw
[05/03/2007, 17:29:28] -  Key not found: HKLM\...\Winlogon\Notify\qtlegbgw, continuing.
[05/03/2007, 17:29:28] -  BHO 10: {F156768E-81EF-470C-9057-481BA8380DBA} (FlashGet GetFlash Class)
[05/03/2007, 17:29:28] - Finished Searching Browser Helper Objects
[05/03/2007, 17:29:28] - *** Detected MSEvents Object
[05/03/2007, 17:29:28] - Trying to remove MSEvents Object...
[05/03/2007, 17:29:29] -    Terminating Process: IEXPLORE.EXE
[05/03/2007, 17:29:29] -    Terminating Process: RUNDLL32.EXE
[05/03/2007, 17:29:30] -    Disabling Automatic Shell Restart
[05/03/2007, 17:29:30] -    Terminating Process: EXPLORER.EXE
[05/03/2007, 17:29:30] -    Suspending the NT Session Manager System Service
[05/03/2007, 17:29:31] -    Terminating Windows NT Logon/Logoff Manager
[05/03/2007, 17:29:31] -    Re-enabling Automatic Shell Restart
[05/03/2007, 17:29:31] -  File to disable: C:\WINDOWS\system32\awttrro.dll
[05/03/2007, 17:29:31] -  Renaming C:\WINDOWS\system32\awttrro.dll -> C:\WINDOWS\system32\awttrro.dll.vir
[05/03/2007, 17:29:31] -  File successfully renamed!
[05/03/2007, 17:29:31] -  Removing HKLM\...\Browser Helper Objects\{7AC06F58-F80C-4940-A14C-E09FE77F9DD2}
[05/03/2007, 17:29:31] -  Removing HKCR\CLSID\{7AC06F58-F80C-4940-A14C-E09FE77F9DD2}
[05/03/2007, 17:29:31] -  Adding Kill Bit for ActiveX for GUID: {7AC06F58-F80C-4940-A14C-E09FE77F9DD2}
[05/03/2007, 17:29:31] -  Deleting ATLEvents/MSEvents Registry entries
[05/03/2007, 17:29:31] -  Removing HKLM\...\Winlogon\Notify\awttrro
[05/03/2007, 17:29:31] - Searching for Browser Helper Objects:
[05/03/2007, 17:29:31] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/03/2007, 17:29:31] -  BHO 2: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} (FGCatchUrl)
[05/03/2007, 17:29:31] -  BHO 3: {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} (BitComet Helper)
[05/03/2007, 17:29:31] -  BHO 4: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[05/03/2007, 17:29:31] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/03/2007, 17:29:31] -  No filename found. Continuing.
[05/03/2007, 17:29:31] -  BHO 5: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[05/03/2007, 17:29:31] -  BHO 6: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[05/03/2007, 17:29:31] -  BHO 7: {C611D2C3-5792-4642-A5CD-91619669842B} (MSEvents Object)
[05/03/2007, 17:29:31] - ALERT: Found MSEvents Object!
[05/03/2007, 17:29:31] -  BHO 8: {D651AFF4-9590-424d-BD1E-8E33E090DFB3} ()
[05/03/2007, 17:29:31] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/03/2007, 17:29:31] -  Checking for HKLM\...\Winlogon\Notify\qtlegbgw
[05/03/2007, 17:29:31] -  Key not found: HKLM\...\Winlogon\Notify\qtlegbgw, continuing.
[05/03/2007, 17:29:31] -  BHO 9: {F156768E-81EF-470C-9057-481BA8380DBA} (FlashGet GetFlash Class)
[05/03/2007, 17:29:31] - Finished Searching Browser Helper Objects
[05/03/2007, 17:29:31] - *** Detected MSEvents Object
[05/03/2007, 17:29:31] - Trying to remove MSEvents Object...
[05/03/2007, 17:29:32] -    Terminating Process: IEXPLORE.EXE
[05/03/2007, 17:29:32] -    Terminating Process: RUNDLL32.EXE
[05/03/2007, 17:29:33] -    Disabling Automatic Shell Restart
[05/03/2007, 17:29:33] -    Terminating Process: EXPLORER.EXE
[05/03/2007, 17:29:33] -    Suspending the NT Session Manager System Service
[05/03/2007, 17:29:33] -    Terminating Windows NT Logon/Logoff Manager
[05/03/2007, 17:29:33] -    Re-enabling Automatic Shell Restart
[05/03/2007, 17:29:33] -  File to disable: C:\WINDOWS\system32\sstqq.dll
[05/03/2007, 17:29:33] -  Renaming C:\WINDOWS\system32\sstqq.dll -> C:\WINDOWS\system32\sstqq.dll.vir
[05/03/2007, 17:29:33] -  File successfully renamed!
[05/03/2007, 17:29:33] -  Removing HKLM\...\Browser Helper Objects\{C611D2C3-5792-4642-A5CD-91619669842B}
[05/03/2007, 17:29:33] -  Removing HKCR\CLSID\{C611D2C3-5792-4642-A5CD-91619669842B}
[05/03/2007, 17:29:33] -  Adding Kill Bit for ActiveX for GUID: {C611D2C3-5792-4642-A5CD-91619669842B}
[05/03/2007, 17:29:33] -  Deleting ATLEvents/MSEvents Registry entries
[05/03/2007, 17:29:33] -  Removing HKLM\...\Winlogon\Notify\sstqq
[05/03/2007, 17:29:33] - Searching for Browser Helper Objects:
[05/03/2007, 17:29:33] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/03/2007, 17:29:33] -  BHO 2: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} (FGCatchUrl)
[05/03/2007, 17:29:33] -  BHO 3: {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} (BitComet Helper)
[05/03/2007, 17:29:33] -  BHO 4: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[05/03/2007, 17:29:33] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/03/2007, 17:29:33] -  No filename found. Continuing.
[05/03/2007, 17:29:33] -  BHO 5: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[05/03/2007, 17:29:33] -  BHO 6: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[05/03/2007, 17:29:33] -  BHO 7: {D651AFF4-9590-424d-BD1E-8E33E090DFB3} ()
[05/03/2007, 17:29:33] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/03/2007, 17:29:33] -  Checking for HKLM\...\Winlogon\Notify\qtlegbgw
[05/03/2007, 17:29:33] -  Key not found: HKLM\...\Winlogon\Notify\qtlegbgw, continuing.
[05/03/2007, 17:29:33] -  BHO 8: {F156768E-81EF-470C-9057-481BA8380DBA} (FlashGet GetFlash Class)
[05/03/2007, 17:29:33] - Finished Searching Browser Helper Objects
[05/03/2007, 17:29:33] - Finishing up...
[05/03/2007, 17:29:33] - A restart is needed.
[05/03/2007, 17:29:40] - Attempting to Restart via STOP error (Blue Screen!)


HijackThis:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 17:31:59, on 03-05-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\StartupMonitor.exe
C:\WINDOWS\system32\svshost.exe
C:\Programmer\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\RECYCLER\msnmrsgrs.exe
C:\WINDOWS\system32\svbhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Bonjour\mDNSResponder.exe
C:\Programmer\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Winamp\winamp.exe
C:\Programmer\Fælles filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Programmer\Adobe\Acrobat 8.0\Acrobat\AcroDist.exe
C:\Documents and Settings\Dan\Skrivebord\HiJackThis_v2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\Programmer\MSN Messenger\usnsvc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Programmer\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Programmer\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmer\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\qtlegbgw.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programmer\FlashGet\getflash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmer\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programmer\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [Microsoft Updates] svshost.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Programmer\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\FLLESF~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [Windows Security Centers] C:\RECYCLER\msnmrsgrs.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmer\Fælles filer\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Video Driver] svbhost.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] svshost.exe
O4 - HKLM\..\RunServices: [Video Driver] svbhost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Programmer\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Programmer\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Programmer\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Programmer\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with FlashGet - C:\Programmer\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Programmer\FlashGet\jc_link.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Programmer\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programmer\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programmer\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programmer\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programmer\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programmer\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programmer\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programmer\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programmer\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programmer\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FLLESF~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Programmer\Fælles filer\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programmer\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmer\Fælles filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Programmer\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
fromsej (Trainee)
03 May 2007 - 22:05 #3
That took the worst of it.
But as long as he uses file sharing, cleaning the machine is a complete waste of time; there is other "good stuff" on it still.

Uninstall BitComet in Add/Remove Programs, restart.

Download Crapcleaner here:
http://www.filehippo.com/download_ccleaner/
---------------------------------------
Download and install this scanner:
http://www.superantispyware.com/downloads/SUPERAntiSpyware1241.exe

Start the program, click Check for updates; when it is updated, close the program, do not scan yet.
---------------------------------------
Run HijackThis, scan, tick the lines listed here, close all windows except HijackThis, click Fix checked, restart in safe mode (press <F8> during startup), delete the files and folders listed below, run SAS.

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Programmer\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\qtlegbgw.dll
O4 - HKLM\..\Run: [Microsoft Updates] svshost.exe
O4 - HKLM\..\Run: [Windows Security Centers] C:\RECYCLER\msnmrsgrs.exe
O4 - HKLM\..\Run: [Video Driver] svbhost.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] svshost.exe
O4 - HKLM\..\RunServices: [Video Driver] svbhost.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Programmer\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Programmer\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Programmer\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

---------------------------------------
Deleting \folders\ and files:
Open Explorer, click Tools => Folder Options => View.
Untick "Hide protected operating system files".
Untick "Hide extensions for known file types".
Select "Show hidden files and folders".
-------------------
Folders:
C:\Programmer\BitComet\
-------------------
Files:
C:\WINDOWS\system32\qtlegbgw.dll
C:\WINDOWS\system32\svshost.exe
C:\WINDOWS\system32\svbhost.exe
---------------------------------------
Start SuperAntiSpyware, click Scan your Computer, tick the drives that should be scanned.
(Fixed disk means hard disk)
Move the dot to Perform complete scan and click Next; the scan then runs.

When it is finished, a window with a summary appears; click OK, then click Next and then Finish.

A window saying Quarantine and removal Complete appears; click OK, click Finish.
Close the program, restart normally.
---------------------------------------
Install Crapcleaner; remember to untick the box for installing the Yahoo toolbar.
Start the program, untick cookies.
Click Run Cleaner and let it remove what it finds.
Then click Issues on the left side (the blue cube), click Scan for issues; when it is finished, click Fix selected issues, optionally make a backup of the registry, then click Fix all selected issues.
Click OK, click Close when it is finished.
---------------------------------------
Start SuperAntiSpyware again, click Preferences, switch to the Statistics/Logs tab, double-click SUPERAntiSpyware Scan Log in the window; it opens in Notepad; paste the result in here.
We also need to see a fresh HijackThis log.
ai_rayzor (Beginner)
04 May 2007 - 01:01 #4
We'll take that one tomorrow :) - good night and thanks for the further help, absolutely brilliant! :D
ai_rayzor (Beginner)
04 May 2007 - 11:44 #5
The above description has been carried out.

SuperAntiSpyware log:
SUPERAntiSpyware Scan Log
Generated 05/04/2007 at 11:23 AM

Application Version : 3.5.1016

Core Rules Database Version : 3231
Trace Rules Database Version: 1242

Scan type      : Complete Scan
Total Scan Time : 01:09:04

Memory items scanned      : 414
Memory threats detected  : 0
Registry items scanned    : 4555
Registry threats detected : 0
File items scanned        : 57486
File threats detected    : 124

Adware.Tracking Cookie

Trojan.Downloader-Gen/LIB
    C:\DOCUMENTS AND SETTINGS\DAN\SKRIVEBORD\BACKUPS\BACKUP-20070504-100357-767.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EDDA686E-4CBD-4D4C-BB48-2E1FEE283AF4}\RP35\A0045477.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EDDA686E-4CBD-4D4C-BB48-2E1FEE283AF4}\RP36\A0047775.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EDDA686E-4CBD-4D4C-BB48-2E1FEE283AF4}\RP36\A0049293.DLL

Adware.Vundo Variant
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EDDA686E-4CBD-4D4C-BB48-2E1FEE283AF4}\RP34\A0044886.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EDDA686E-4CBD-4D4C-BB48-2E1FEE283AF4}\RP34\A0045454.DLL
    C:\WINDOWS\SYSTEM32\AWTTRRO.DLL.VIR
    C:\WINDOWS\SYSTEM32\JKKHFCB.DLL

Trojan.Downloader-Gen/HardFall
    C:\WINDOWS\SYSTEM32\SSTQQ.DLL.VIR

Trojan.Downoader-Gen/SVEHost
    C:\WINDOWS\SYSTEM32\SVEHOST.EXE

HijackThis log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:41:01, on 04-05-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmer\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\StartupMonitor.exe
C:\Programmer\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Programmer\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Fælles filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Programmer\Winamp\winamp.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\msiexec.exe
C:\Programmer\MSN Messenger\usnsvc.exe
E:\setup.exe
C:\PROGRA~1\FLLESF~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe
C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\Documents and Settings\Dan\Skrivebord\HiJackThis_v2.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\MsiExec.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Programmer\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Programmer\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmer\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programmer\FlashGet\getflash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmer\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programmer\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Programmer\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\FLLESF~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Programmer\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\DOCUME~1\Dan\LOKALE~1\Temp\SSUPDATE.EXE Software\SUPERAntiSpyware.com\SUPERAntiSpyware
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Programmer\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Programmer\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Programmer\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Programmer\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with FlashGet - C:\Programmer\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Programmer\FlashGet\jc_link.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Programmer\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programmer\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programmer\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programmer\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programmer\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programmer\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programmer\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programmer\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programmer\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programmer\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FLLESF~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Programmer\Fælles filer\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programmer\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmer\Fælles filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Programmer\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

It seems it helped quite a bit on his computer, but I wasn't allowed to remove his BitComet :(
ai_rayzor Beginner
04 May 2007 - 11:46 #6
Please both of you post an answer, then I'll split the points almost evenly :)
That is, unless there is more I can do? (besides removing his beloved BitComet *sigh*)
05 May 2007 - 14:42 #7
You're getting 'the talk' ->

Here is why torrents and all other P2P systems have to be removed before we bother touching it:
Here is some reading about P2P and the risks of using it.

http://www.microsoft.com/danmark/athome/security/online/p2p_file_sharing.mspx
http://www.computerworld.dk/art/29010
http://www.pressbox.dk/Default.asp?obj=arkiv&id=10118

P2P is junk; you open your machine to the outside world, and the protection you have paid dearly for, or downloaded freeware versions of, is exposed to all kinds of attacks. Fortunately some programs can keep it out, but since by nature the "bad" programmer is ahead, something will inevitably slip through.

The recent debate about rootkits, and how big a problem they already are, should also make people reconsider the use of P2P.
http://www.computerforensics.dk/rootkits.htm
There is no guarantee that the game, program, film or music you download is not infected; on the contrary, the risk of it is enormous.
05 May 2007 - 14:45 #8
... by the way, the PC is 'clean' (for now) ...

Open a folder, click Tools > Folder Options > View.
Check "Hide protected operating system files".
Select "Do not show hidden files and folders".

You should clean temp with this file; it only takes a few seconds.
http://www.spywareinfo.dk/download/cleantempxp2k.bat

After a round like this it is always a good idea to clean up the System Restore files.
Disable System Restore -> http://www.spywareinfo.dk/#/tip-og-tricks/deaktiver_systemgendannelse.htm
Restart your computer - enable System Restore. This is done in the same place where you disabled it, only this time you enable it.
It is also a good idea to manually create a new restore point, which you can name and return to if you should run into problems of any kind.

A couple of articles about safe surfing can be found here:
http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=14414

Safe Surfing...

(Remember points for <Fromsej> too, as agreed...)
ai_rayzor Beginner
05 May 2007 - 19:52 #9
Thanks for the talk, and I'll give him a reprimand when the occasion arises! :)

Fromsej, post an answer :)
05 May 2007 - 21:29 #10
(Might take a little while regarding Fromsej - he's rather busy at the moment...)
ai_rayzor Beginner
06 May 2007 - 02:17 #11
We'll just wait for him then :) - no stress :D
fromsej Trainee
06 May 2007 - 21:26 #12
Here comes the answer from Fromsej the mover. ;-)