spaak Beginner
03 November 2007 - 17:47 There are 24 comments and 1 solution

Win32/Fujacks.AD virus

I had just gotten help and thought everything was solved. But my antivirus program NOD32 reports a virus called Win32/Fujacks.AD virus.
I can't find it; it is supposed to be in documents and settings, but it isn't there. Can anyone help? I'm sending a log along.

Logfile of HijackThis v1.99.1
Scan saved at 17:47:22, on 03-11-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programmer\Java\jre1.6.0_03\bin\jusched.exe
C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Programmer\Acer\Acer eMode Management\AspireService.exe
C:\Programmer\Acer\Acer eConsole\MediaSync.exe
C:\Programmer\ATI Technologies\ATI.ACE\cli.exe
C:\Programmer\D-Tools\daemon.exe
C:\Programmer\Eset\nod32kui.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\SPAMfighter\SFAgent.exe
C:\Programmer\Fælles filer\ACD Systems\EN\DevDetect.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programmer\Acer\Acer eConsole\MediaServerService.exe
C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmer\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\Programmer\ATI Technologies\ATI.ACE\cli.exe
C:\Programmer\ATI Technologies\ATI.ACE\cli.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Programmer\MSN Messenger\usnsvc.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Documents and Settings\Åse Krabbe\Skrivebord\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.signon.stofanet.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar2.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ntiMUI] c:\Programmer\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [AspireService] C:\Programmer\Acer\Acer eMode Management\AspireService.exe
O4 - HKLM\..\Run: [MediaSync] C:\Programmer\Acer\Acer eConsole\MediaSync.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Programmer\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [nod32kui] "C:\Programmer\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Programmer\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [Device Detector] "C:\Programmer\Fælles filer\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\programmer\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programmer\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programmer\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmer\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programmer\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programmer\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://johankrabbe.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171718099281
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://express.foto.com/Newuploader/ImageUploader4.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Acer Media Server - Acer Inc. - C:\Programmer\Acer\Acer eConsole\MediaServerService.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Programmer\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
arlet Junior Master
03 November 2007 - 17:49 #1
I'll take a look at it
arlet Junior Master
03 November 2007 - 17:50 #2
Download Combofix from one of these links and save it to your desktop:
http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

-- Then run combofix.exe, which you downloaded earlier, and follow the instructions.
You should not click on the window while the tool is running, as that can cause your computer to freeze.
When combofix has finished, and after it has restarted, a log file should open: combofix.txt
Please post the contents of this file here.

NOTE that Combofix is detected as infected by some virus scanners. There is nothing to this, however.
spaak Beginner
04 November 2007 - 09:51 #3
Hi. Here is the log file.

ComboFix 07-11-01.1** - Åse Krabbe 2007-11-04  9:46:42.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1030.18.525 [GMT 1:00]
Running from: C:\Documents and Settings\Åse Krabbe\Skrivebord\ComboFix.exe
* Created a new restore point
.

(((((((((((((((((((((((((  Files Created from 2007-10-04 to 2007-11-04  )))))))))))))))))))))))))))))))
.

2007-11-04 09:45    51,200    --a------    C:\WINDOWS\NirCmd.exe
2007-11-02 22:35    <DIR>    dr-h-----    C:\Documents and Settings\Åse Krabbe\Recent
2007-11-02 22:35    <DIR>    dr-h-----    C:\Documents and Settings\Åse Krabbe\Recent
2007-10-31 22:01    <DIR>    d--------    C:\Documents and Settings\Åse Krabbe\Application Data\Grisoft
2007-10-31 22:00    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-31 22:00    10,872    --a------    C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-31 19:42    <DIR>    d-a------    C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-31 19:41    626,688    --a------    C:\WINDOWS\system32\msvcr80.dll
2007-10-31 18:23    <DIR>    d--------    C:\Programmer\Alwil Software
2007-10-30 20:52    <DIR>    d--------    C:\Programmer\FAST OPTION BITS
2007-10-30 20:52    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\Audio 4 part browse
2007-10-30 20:51    <DIR>    d--------    C:\Documents and Settings\Åse Krabbe\Application Data\FAST OPTION BITS
2007-10-30 20:50    <DIR>    d--------    C:\Programmer\Messenger Plus! Live

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-01 18:03    ---------    d-----w    C:\Programmer\MSN Messenger
2007-10-15 14:39    ---------    d-----w    C:\Programmer\DivX
2007-10-10 08:52    ---------    d-----w    C:\Programmer\Java
2007-09-28 16:08    156,992    ----a-w    C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-28 16:07    524,288    ----a-w    C:\WINDOWS\system32\DivXsm.exe
2007-09-28 16:07    43,528    ------w    C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-09-28 16:07    3,596,288    ----a-w    C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 16:07    200,704    ----a-w    C:\WINDOWS\system32\ssldivx.dll
2007-09-28 16:07    129,784    ------w    C:\WINDOWS\system32\pxafs.dll
2007-09-28 16:07    120,056    ------w    C:\WINDOWS\system32\pxcpyi64.exe
2007-09-28 16:07    118,520    ------w    C:\WINDOWS\system32\pxinsi64.exe
2007-09-28 16:07    1,044,480    ----a-w    C:\WINDOWS\system32\libdivx.dll
2007-09-28 16:05    823,296    ----a-w    C:\WINDOWS\system32\divx_xx0c.dll
2007-09-28 16:05    823,296    ----a-w    C:\WINDOWS\system32\divx_xx07.dll
2007-09-28 16:05    81,920    ----a-w    C:\WINDOWS\system32\dpl100.dll
2007-09-28 16:05    802,816    ----a-w    C:\WINDOWS\system32\divx_xx11.dll
2007-09-28 16:05    739,840    ----a-w    C:\WINDOWS\system32\DivX.dll
2007-09-28 16:05    593,920    ----a-w    C:\WINDOWS\system32\dpuGUI11.dll
2007-09-28 16:05    57,344    ----a-w    C:\WINDOWS\system32\dpv11.dll
2007-09-28 16:05    53,248    ----a-w    C:\WINDOWS\system32\dpuGUI10.dll
2007-09-28 16:05    344,064    ----a-w    C:\WINDOWS\system32\dpus11.dll
2007-09-28 16:05    294,912    ----a-w    C:\WINDOWS\system32\dpu11.dll
2007-09-28 16:05    294,912    ----a-w    C:\WINDOWS\system32\dpu10.dll
2007-09-28 16:05    196,608    ----a-w    C:\WINDOWS\system32\dtu100.dll
2007-09-28 16:05    12,288    ----a-w    C:\WINDOWS\system32\DivXWMPExtType.dll
2007-08-22 12:57    96,768    ----a-w    C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 12:57    667,136    ----a-w    C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 12:57    620,032    ----a-w    C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 12:57    55,808    ----a-w    C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 12:57    532,480    ----a-w    C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 12:57    474,112    ----a-w    C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 12:57    449,024    ----a-w    C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 12:57    39,424    ----a-w    C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 12:57    357,888    ----a-w    C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 12:57    3,085,824    ----a-w    C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 12:57    251,904    ----a-w    C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 12:57    205,824    ----a-w    C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 12:57    16,384    ----a-w    C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 12:57    151,552    ----a-w    C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 12:57    146,432    ----a-w    C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 12:57    1,498,112    ----a-w    C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 12:57    1,056,256    ----a-w    C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 12:57    1,022,976    ----a-w    C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:19    18,432    ----a-w    C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:17    683,520    ----a-w    C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:17    683,520    ----a-w    C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-06-07 14:09    20    ---h--w    C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2006-12-14 10:01    68,512    ----a-w    C:\Documents and Settings\Åse Krabbe\Application Data\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 13:36 C:\WINDOWS\RTHDCPL.exe]
"ntiMUI"="c:\Programmer\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 18:15]
"SunJavaUpdateSched"="C:\Programmer\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"RemoteControl"="C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-27 06:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-27 06:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-27 06:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-27 06:00]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2005-11-16 17:00]
"AspireService"="C:\Programmer\Acer\Acer eMode Management\AspireService.exe" [2005-09-29 16:07]
"MediaSync"="C:\Programmer\Acer\Acer eConsole\MediaSync.exe" [2005-09-21 13:48]
"ATICCC"="C:\Programmer\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2001-07-09 04:50]
"DAEMON Tools-1033"="C:\Programmer\D-Tools\daemon.exe" [2004-08-22 17:05]
"nod32kui"="C:\Programmer\Eset\nod32kui.exe" [2007-05-30 08:12]
"QuickTime Task"="C:\Programmer\QuickTime\qttask.exe" [2007-04-27 08:41]
"SPAMfighter Agent"="C:\Programmer\SPAMfighter\SFAgent.exe" [2007-06-20 14:03]
"Device Detector"="C:\Programmer\Fælles filer\ACD Systems\EN\DevDetect.exe" [2004-09-02 15:51]
"iTunesHelper"="C:\Programmer\iTunes\iTunesHelper.exe" [2007-06-28 08:14]
"!AVG Anti-Spyware"="C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-27 06:00]
"msnmsgr"="C:\Programmer\MSN Messenger\msnmsgr.exe" [2007-01-19 12:55]

C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\
Adobe Gamma Loader.lnk - C:\Programmer\F‘lles filer\Adobe\Calibration\Adobe Gamma Loader.exe [2007-04-16 16:49:36]
Adobe Reader Speed Launch.lnk - C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
hp psc 1000 series.lnk - C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2002-12-02 21:08:34]
hpoddt01.exe.lnk - C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-02 20:56:10]

R0 m5287;m5287;C:\WINDOWS\system32\drivers\m5287.sys
R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys
R1 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys
R2 int15.sys;int15.sys;\??\C:\Acer\Empowering Technology\eRecovery\int15.sys
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\MAGIX\Common\Database\bin\fbserver.exe
S3 idrmkl;idrmkl;\??\C:\DOCUME~1\SEKRAB~1\LOKALE~1\Temp\idrmkl.sys
S3 WmaCDriverV32;WmaCDriverV32;C:\WINDOWS\system32\drivers\WmaCDriverV32.sys
S3 z530bus;Sony Ericsson Z530 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\z530bus.sys
S3 z530mdfl;Sony Ericsson Z530 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\z530mdfl.sys
S3 z530mdm;Sony Ericsson Z530 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\z530mdm.sys
S3 z530mgmt;Sony Ericsson Z530 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\z530mgmt.sys
S3 z530obex;Sony Ericsson Z530 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\z530obex.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\LaunchEAW.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28538dfa-ba7d-11da-bfa6-00142a7ac92b}]
\Shell\AutoRun\command - F:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ba8a968-b101-11da-bf88-00142a7ac92b}]
\Shell\AutoRun\command - F:\setupSNK.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - INT15.SYS
.
Contents of the 'Scheduled Tasks' folder
"2007-11-03 22:00:00 C:\WINDOWS\Tasks\A45D5914917ED040.job"
- c:\docume~1\sekrab~1\applic~1\fastop~1\Drivehelpamok.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-04 09:48:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-04  9:49:21
.
    --- E O F ---
arlet Junior Master
04 November 2007 - 10:33 #4
Hmm, it isn't that easy to find..

Run step 1 here http://www.malwarecheck.dk/forum/viewtopic.php?t=11 and post the log
spaak Beginner
04 November 2007 - 11:36 #5
Well, then it looks like this.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/04/2007 at 11:33 AM

Application Version : 3.9.1008

Core Rules Database Version : 3337
Trace Rules Database Version: 1338

Scan type      : Complete Scan
Total Scan Time : 00:26:47

Memory items scanned      : 633
Memory threats detected  : 0
Registry items scanned    : 5863
Registry threats detected : 0
File items scanned        : 33542
File threats detected    : 19

Adware.Tracking Cookie
    C:\Documents and Settings\Åse Krabbe\Cookies\åse krabbe@serving-sys[1].txt
    C:\Documents and Settings\Åse Krabbe\Cookies\åse krabbe@doubleclick[1].txt
    C:\Documents and Settings\Åse Krabbe\Cookies\åse krabbe@track.adform[2].txt
    C:\Documents and Settings\Åse Krabbe\Cookies\åse krabbe@bs.serving-sys[1].txt
    C:\Documents and Settings\Åse Krabbe\Cookies\åse krabbe@tradedoubler[1].txt
    C:\Documents and Settings\Åse Krabbe\Cookies\åse krabbe@adtech[1].txt
    C:\Documents and Settings\Åse Krabbe\Cookies\åse krabbe@advertising[2].txt

Adware.Lop-Variant
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AUDIO 4 PART BROWSE\BEEP PART.EXE
    C:\DOCUMENTS AND SETTINGS\ÅSE KRABBE\APPLICATION DATA\FAST OPTION BITS\DRIVEHELPAMOK.EXE
    C:\DOCUMENTS AND SETTINGS\ÅSE KRABBE\APPLICATION DATA\FAST OPTION BITS\GLUESUPPORTMEETFORK.EXE
    C:\DOCUMENTS AND SETTINGS\ÅSE KRABBE\APPLICATION DATA\FAST OPTION BITS\LOMBKVSM.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{B39D9D2D-902C-41CD-82C6-DED6761C71DE}\RP568\A0085266.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{B39D9D2D-902C-41CD-82C6-DED6761C71DE}\RP568\A0085290.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{B39D9D2D-902C-41CD-82C6-DED6761C71DE}\RP568\A0086334.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{B39D9D2D-902C-41CD-82C6-DED6761C71DE}\RP570\A0086468.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{B39D9D2D-902C-41CD-82C6-DED6761C71DE}\RP570\A0086517.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{B39D9D2D-902C-41CD-82C6-DED6761C71DE}\RP570\A0086549.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{B39D9D2D-902C-41CD-82C6-DED6761C71DE}\RP570\A0086561.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{B39D9D2D-902C-41CD-82C6-DED6761C71DE}\RP570\A0086651.EXE
fromsej Trainee
04 November 2007 - 11:40 #6
2007-10-30 20:52    <DIR>    d--------    C:\Programmer\FAST OPTION BITS
2007-10-30 20:52    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\Audio 4 part browse
2007-10-30 20:51    <DIR>    d--------    C:\Documents and Settings\Åse Krabbe\Application Data\FAST OPTION BITS
2007-10-30 20:50    <DIR>    d--------    C:\Programmer\Messenger Plus! Live

Contents of the 'Scheduled Tasks' folder
"2007-11-03 22:00:00 C:\WINDOWS\Tasks\A45D5914917ED040.job"
- c:\docume~1\sekrab~1\applic~1\fastop~1\Drivehelpamok.exe

My old "friend" is at it again.*S* (Lop/C2Media)
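
The correlation fromsej makes above, between the folders created on 2007-10-30 and the target of the scheduled task, can be reproduced mechanically from a ComboFix log. The Python below is an added example, not part of the original thread or of ComboFix; the sample log is constructed from lines quoted above, the 8.3 short-name match is a heuristic fitted to what this log shows, and the five-minute window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of the ComboFix log lines quoted in the thread.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((  Files Created from 2007-10-04 to 2007-11-04  )))))))))))))))))))))))))))))))
.
2007-11-04 09:45    51,200    --a------    C:\WINDOWS\NirCmd.exe
2007-10-31 22:01    <DIR>    d--------    C:\Documents and Settings\Åse Krabbe\Application Data\Grisoft
2007-10-30 20:52    <DIR>    d--------    C:\Programmer\FAST OPTION BITS
2007-10-30 20:52    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\Audio 4 part browse
2007-10-30 20:51    <DIR>    d--------    C:\Documents and Settings\Åse Krabbe\Application Data\FAST OPTION BITS
2007-10-30 20:50    <DIR>    d--------    C:\Programmer\Messenger Plus! Live
.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-15 14:39    ---------    d-----w    C:\Programmer\DivX
.
Contents of the 'Scheduled Tasks' folder
"2007-11-03 22:00:00 C:\WINDOWS\Tasks\A45D5914917ED040.job"
- c:\docume~1\sekrab~1\applic~1\fastop~1\Drivehelpamok.exe
.
"""

SECTION = re.compile(r"^\(+\s+(.+?)\s+\)+$")
ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+\S+\s+(.+)$")
JOB = re.compile(r'^"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (.+\.job)"$')


def parse(log_text):
    """Return (created_dirs, tasks): [(datetime, path)] and [(job, target)]."""
    created, tasks, section, job = [], [], None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            section = "created" if m.group(1).startswith("Files Created") else "other"
            continue
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            section = "tasks"
            continue
        if section == "created":
            m = ENTRY.match(line)
            if m and m.group(2) == "<DIR>":
                when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
                created.append((when, m.group(3)))
        elif section == "tasks":
            m = JOB.match(line)
            if m:
                job = m.group(1)
            elif line.startswith("- ") and job:
                tasks.append((job, line[2:].strip()))
                job = None
    return created, tasks


def component_matches(short, long_name):
    """Heuristic: does an 8.3 alias such as 'fastop~1' fit this long name?"""
    s, l = short.upper(), long_name.upper()
    if s == l:
        return True
    m = re.fullmatch(r"([^~]{1,6})~\d+", s)
    if not m:
        return False
    # Assumption fitted to this log: spaces, dots and non-ASCII letters are
    # dropped before truncation ('Åse Krabbe' appears as 'sekrab~1').
    squeezed = "".join(c for c in l if c.isascii() and c not in " .")
    return squeezed.startswith(m.group(1))


def path_under(target, directory):
    """True if target (possibly in 8.3 form) lies below directory."""
    t = target.split("\\")
    d = directory.rstrip("\\").split("\\")
    return len(t) > len(d) and all(component_matches(a, b) for a, b in zip(t, d))


def triage(log_text, window=timedelta(minutes=5)):
    """Link each scheduled task to a recently created folder and list the
    folders created within `window` of it as candidates for review."""
    created, tasks = parse(log_text)
    findings = []
    for job, target in tasks:
        for when, directory in created:
            if path_under(target, directory):
                related = sorted(d for t, d in created if abs(t - when) <= window)
                findings.append({"job": job, "target": target,
                                 "dir": directory, "related": related})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["job"], "->", f["target"])
        for d in f["related"]:
            print("  created in the same window:", d)
```

Folders listed as related are only candidates for manual review; a shared creation time does not by itself show that a folder is malicious.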
arlet Junior Master
04 November 2007 - 18:48 #7
Thanks Fromsej. Don't know why I overlook lop, that was the second time.. Good thing you can find it*S*

spaak ->
Copy the contents between the dashed lines into a Notepad window, and save it in the same folder as Combofix under the name CFScript.txt.
When you save, make sure that "all files" is selected under "file types".

-------------------------
File::
c:\docume~1\sekrab~1\applic~1\fastop~1\Drivehelpamok.exe

Folder::
C:\Programmer\FAST OPTION BITS
C:\Documents and Settings\All Users\Application Data\Audio 4 part browse
C:\Documents and Settings\Åse Krabbe\Application Data\FAST OPTION BITS
C:\Programmer\Messenger Plus! Live
-------------------------

Then grab the new file with the mouse and drag it over the Combofix file, then "let go" with the mouse. - http://www.fromsej.saknet.dk/billeder/cfscript.gif
Combofix should then start working. It may require a restart, which you should allow. You should not click on the window while the tool is running, as that can cause your computer to freeze.

Copy the contents of Combofix.txt in here together with a new hijackthis log
spaak Beginner
05 November 2007 - 18:49 #8
Now I have done as you say and the following has come up:

ComboFix 07-11-01.1** - Åse Krabbe 2007-11-05 18:45:50.3 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1030.18.428 [GMT 1:00]
Running from: C:\Documents and Settings\Åse Krabbe\Skrivebord\ComboFix.exe
Command switches used :: C:\ComboFix\CFScript.txt
* Created a new restore point
.

(((((((((((((((((((((((((  Files Created from 2007-10-05 to 2007-11-05  )))))))))))))))))))))))))))))))
.

2007-11-04 11:04    <DIR>    d--------    C:\Programmer\SUPERAntiSpyware
2007-11-04 11:04    <DIR>    d--------    C:\Documents and Settings\Åse Krabbe\Application Data\SUPERAntiSpyware.com
2007-11-04 11:04    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-04 09:45    51,200    --a------    C:\WINDOWS\NirCmd.exe
2007-10-31 22:01    <DIR>    d--------    C:\Documents and Settings\Åse Krabbe\Application Data\Grisoft
2007-10-31 22:00    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-31 22:00    10,872    --a------    C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-31 19:42    <DIR>    d-a------    C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-31 19:41    626,688    --a------    C:\WINDOWS\system32\msvcr80.dll
2007-10-31 18:23    <DIR>    d--------    C:\Programmer\Alwil Software

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-05 15:34    7,602,176    ----a-w    C:\Documents and Settings\Åse Krabbe\ntuser.dat
2007-11-05 15:34    7,602,176    ----a-w    C:\Documents and Settings\Åse Krabbe\ntuser.dat
2007-11-04 10:04    ---------    d-----w    C:\Documents and Settings\Åse Krabbe\Application Data\SUPERAntiSpyware.com
2007-11-04 10:03    ---------    d-----w    C:\Programmer\Fælles filer\Wise Installation Wizard
2007-11-01 18:03    ---------    d-----w    C:\Programmer\MSN Messenger
2007-10-31 21:01    ---------    d-----w    C:\Documents and Settings\Åse Krabbe\Application Data\Grisoft
2007-10-15 14:39    ---------    d-----w    C:\Programmer\DivX
2007-10-10 08:52    ---------    d-----w    C:\Programmer\Java
2007-09-28 16:08    156,992    ----a-w    C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-28 16:07    524,288    ----a-w    C:\WINDOWS\system32\DivXsm.exe
2007-09-28 16:07    43,528    ------w    C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-09-28 16:07    3,596,288    ----a-w    C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 16:07    200,704    ----a-w    C:\WINDOWS\system32\ssldivx.dll
2007-09-28 16:07    129,784    ------w    C:\WINDOWS\system32\pxafs.dll
2007-09-28 16:07    120,056    ------w    C:\WINDOWS\system32\pxcpyi64.exe
2007-09-28 16:07    118,520    ------w    C:\WINDOWS\system32\pxinsi64.exe
2007-09-28 16:07    1,044,480    ----a-w    C:\WINDOWS\system32\libdivx.dll
2007-09-28 16:05    823,296    ----a-w    C:\WINDOWS\system32\divx_xx0c.dll
2007-09-28 16:05    823,296    ----a-w    C:\WINDOWS\system32\divx_xx07.dll
2007-09-28 16:05    81,920    ----a-w    C:\WINDOWS\system32\dpl100.dll
2007-09-28 16:05    802,816    ----a-w    C:\WINDOWS\system32\divx_xx11.dll
2007-09-28 16:05    739,840    ----a-w    C:\WINDOWS\system32\DivX.dll
2007-09-28 16:05    593,920    ----a-w    C:\WINDOWS\system32\dpuGUI11.dll
2007-09-28 16:05    57,344    ----a-w    C:\WINDOWS\system32\dpv11.dll
2007-09-28 16:05    53,248    ----a-w    C:\WINDOWS\system32\dpuGUI10.dll
2007-09-28 16:05    344,064    ----a-w    C:\WINDOWS\system32\dpus11.dll
2007-09-28 16:05    294,912    ----a-w    C:\WINDOWS\system32\dpu11.dll
2007-09-28 16:05    294,912    ----a-w    C:\WINDOWS\system32\dpu10.dll
2007-09-28 16:05    196,608    ----a-w    C:\WINDOWS\system32\dtu100.dll
2007-09-28 16:05    12,288    ----a-w    C:\WINDOWS\system32\DivXWMPExtType.dll
2007-08-22 12:57    96,768    ----a-w    C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 12:57    667,136    ----a-w    C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 12:57    620,032    ----a-w    C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 12:57    55,808    ----a-w    C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 12:57    532,480    ----a-w    C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 12:57    474,112    ----a-w    C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 12:57    449,024    ----a-w    C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 12:57    39,424    ----a-w    C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 12:57    357,888    ----a-w    C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 12:57    3,085,824    ----a-w    C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 12:57    251,904    ----a-w    C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 12:57    205,824    ----a-w    C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 12:57    16,384    ----a-w    C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 12:57    151,552    ----a-w    C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 12:57    146,432    ----a-w    C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 12:57    1,498,112    ----a-w    C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 12:57    1,056,256    ----a-w    C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 12:57    1,022,976    ----a-w    C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:19    18,432    ----a-w    C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:17    683,520    ----a-w    C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:17    683,520    ----a-w    C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-06-07 14:09    20    ---h--w    C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2006-12-14 10:01    68,512    ----a-w    C:\Documents and Settings\Åse Krabbe\Application Data\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((  snapshot@2007-11-04_ 9.48.54,25  )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-04 10:04:22    29,696    ----a-r    C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-11-04 10:04:22    18,944    ----a-r    C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-11-04 10:04:22    65,024    ----a-r    C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
.
(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 13:36 C:\WINDOWS\RTHDCPL.exe]
"ntiMUI"="c:\Programmer\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 18:15]
"SunJavaUpdateSched"="C:\Programmer\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"RemoteControl"="C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-27 06:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-27 06:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-27 06:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-27 06:00]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2005-11-16 17:00]
"AspireService"="C:\Programmer\Acer\Acer eMode Management\AspireService.exe" [2005-09-29 16:07]
"MediaSync"="C:\Programmer\Acer\Acer eConsole\MediaSync.exe" [2005-09-21 13:48]
"ATICCC"="C:\Programmer\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2001-07-09 04:50]
"DAEMON Tools-1033"="C:\Programmer\D-Tools\daemon.exe" [2004-08-22 17:05]
"nod32kui"="C:\Programmer\Eset\nod32kui.exe" [2007-05-30 08:12]
"QuickTime Task"="C:\Programmer\QuickTime\qttask.exe" [2007-04-27 08:41]
"SPAMfighter Agent"="C:\Programmer\SPAMfighter\SFAgent.exe" [2007-06-20 14:03]
"Device Detector"="C:\Programmer\Fælles filer\ACD Systems\EN\DevDetect.exe" [2004-09-02 15:51]
"iTunesHelper"="C:\Programmer\iTunes\iTunesHelper.exe" [2007-06-28 08:14]
"!AVG Anti-Spyware"="C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-27 06:00]
"msnmsgr"="C:\Programmer\MSN Messenger\msnmsgr.exe" [2007-01-19 12:55]
"SUPERAntiSpyware"="C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\
Adobe Gamma Loader.lnk - C:\Programmer\Fælles filer\Adobe\Calibration\Adobe Gamma Loader.exe [2007-04-16 16:49:36]
Adobe Reader Speed Launch.lnk - C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
hp psc 1000 series.lnk - C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2002-12-02 21:08:34]
hpoddt01.exe.lnk - C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-02 20:56:10]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programmer\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programmer\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programmer\SUPERAntiSpyware\SASWINLO.dll

R0 m5287;m5287;C:\WINDOWS\system32\drivers\m5287.sys
R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys
R1 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys
R2 int15.sys;int15.sys;\??\C:\Acer\Empowering Technology\eRecovery\int15.sys
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\MAGIX\Common\Database\bin\fbserver.exe
S3 idrmkl;idrmkl;\??\C:\DOCUME~1\SEKRAB~1\LOKALE~1\Temp\idrmkl.sys
S3 WmaCDriverV32;WmaCDriverV32;C:\WINDOWS\system32\drivers\WmaCDriverV32.sys
S3 z530bus;Sony Ericsson Z530 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\z530bus.sys
S3 z530mdfl;Sony Ericsson Z530 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\z530mdfl.sys
S3 z530mdm;Sony Ericsson Z530 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\z530mdm.sys
S3 z530mgmt;Sony Ericsson Z530 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\z530mgmt.sys
S3 z530obex;Sony Ericsson Z530 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\z530obex.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\LaunchEAW.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28538dfa-ba7d-11da-bfa6-00142a7ac92b}]
\Shell\AutoRun\command - F:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ba8a968-b101-11da-bf88-00142a7ac92b}]
\Shell\AutoRun\command - F:\setupSNK.exe

*Newly Created Service* - INT15.SYS
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-05 18:47:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-05 18:48:16
C:\ComboFix2.txt ... 2007-11-04 09:49
.
    --- E O F ---



Here is the log file from HijackThis:


Logfile of HijackThis v1.99.1
Scan saved at 18:49:57, on 05-11-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmer\Java\jre1.6.0_03\bin\jusched.exe
C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Programmer\Acer\Acer eMode Management\AspireService.exe
C:\Programmer\Acer\Acer eConsole\MediaSync.exe
C:\Programmer\ATI Technologies\ATI.ACE\cli.exe
C:\Programmer\D-Tools\daemon.exe
C:\Programmer\Eset\nod32kui.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\SPAMfighter\SFAgent.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programmer\Acer\Acer eConsole\MediaServerService.exe
C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmer\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Programmer\ATI Technologies\ATI.ACE\cli.exe
C:\Programmer\ATI Technologies\ATI.ACE\cli.exe
C:\Programmer\MSN Messenger\usnsvc.exe
C:\Programmer\Guitar Pro 5\GP5.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Programmer\internet explorer\iexplore.exe
C:\Documents and Settings\Åse Krabbe\Skrivebord\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.signon.stofanet.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar2.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ntiMUI] c:\Programmer\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [AspireService] C:\Programmer\Acer\Acer eMode Management\AspireService.exe
O4 - HKLM\..\Run: [MediaSync] C:\Programmer\Acer\Acer eConsole\MediaSync.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Programmer\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [nod32kui] "C:\Programmer\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Programmer\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [Device Detector] "C:\Programmer\Fælles filer\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\programmer\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programmer\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programmer\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmer\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programmer\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programmer\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://johankrabbe.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171718099281
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://express.foto.com/Newuploader/ImageUploader4.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Acer Media Server - Acer Inc. - C:\Programmer\Acer\Acer eConsole\MediaServerService.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Programmer\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Regards, Åse.
arlet (Junior Master)
05 November 2007 - 19:28 #9
Run HijackThis, scan, tick the line(s) listed here, close all windows except HijackThis, click Fix checked, then close HijackThis again.

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)


After that the log is clean.

Also run steps 5 and 6 from here: http://www.malwarecheck.dk/forum/viewtopic.php?t=11

Does NOD32 still find anything?
spaak (Beginner)
06 November 2007 - 16:16 #10
No, NOD32 finds nothing, knock on wood (7-9-13).
Thank you so much for the help.
spaak (Beginner)
07 November 2007 - 15:02 #11
Now it has gone wrong again.
Now the computer is once again finding "Win32/Fujacks.AD virus".

Logfile of HijackThis v1.99.1
Scan saved at 15:02:50, on 07-11-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programmer\Java\jre1.6.0_03\bin\jusched.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmer\Acer\Acer eMode Management\AspireService.exe
C:\Programmer\Acer\Acer eConsole\MediaSync.exe
C:\Programmer\ATI Technologies\ATI.ACE\cli.exe
C:\Programmer\D-Tools\daemon.exe
C:\Programmer\Eset\nod32kui.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\SPAMfighter\SFAgent.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Acer\Acer eConsole\MediaServerService.exe
C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmer\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\Programmer\ATI Technologies\ATI.ACE\cli.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programmer\ATI Technologies\ATI.ACE\cli.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Programmer\MSN Messenger\usnsvc.exe
C:\Programmer\internet explorer\iexplore.exe
C:\Documents and Settings\Åse Krabbe\Skrivebord\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.signon.stofanet.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar2.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ntiMUI] c:\Programmer\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [AspireService] C:\Programmer\Acer\Acer eMode Management\AspireService.exe
O4 - HKLM\..\Run: [MediaSync] C:\Programmer\Acer\Acer eConsole\MediaSync.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Programmer\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [nod32kui] "C:\Programmer\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Programmer\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [Device Detector] "C:\Programmer\Fælles filer\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\programmer\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programmer\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programmer\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmer\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programmer\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programmer\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://johankrabbe.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171718099281
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://express.foto.com/Newuploader/ImageUploader4.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Acer Media Server - Acer Inc. - C:\Programmer\Acer\Acer eConsole\MediaServerService.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Programmer\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
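
Added example, not part of the original thread and not a HijackThis feature: a small Python parser for the log format posted above. It lists the entries HijackThis itself marks "(file missing)" or "(no file)" and diffs two scans, so you can confirm that the lines selected for "Fix checked" are really gone. The two sample logs are short excerpts of the 05-11-2007 and 07-11-2007 logs in this thread; the function names are this example's own.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "code text")

# Item lines start with a section code (R0, O4, O23, ...) followed by " - ".
ITEM_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Suffixes HijackThis appends when the referenced file does not exist.
ORPHAN_MARKERS = ("(file missing)", "(no file)")

# Excerpt of the log saved 05-11-2007 in this thread.
BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 18:49:57, on 05-11-2007

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Programmer\Guitar Pro 5\GP5.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
"""

# Excerpt of the log saved 07-11-2007 in this thread.
AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 15:02:50, on 07-11-2007

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""


def parse_log(log_text):
    """Return (running processes, item entries) from a HijackThis log."""
    processes, entries = [], []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        match = ITEM_RE.match(line)
        if line == "Running processes:":
            in_processes = True
        elif not line:
            in_processes = False          # blank line ends the process list
        elif match:
            in_processes = False
            entries.append(Entry(*match.groups()))
        elif in_processes:
            processes.append(line)
    return processes, entries


def orphaned(entries):
    """Entries whose target file is reported as absent by HijackThis."""
    return [e for e in entries if e.text.endswith(ORPHAN_MARKERS)]


def diff_logs(before_text, after_text):
    """Compare two scans; Windows paths are compared case-insensitively."""
    b_proc, b_ent = parse_log(before_text)
    a_proc, a_ent = parse_log(after_text)
    b_low = {p.lower() for p in b_proc}
    a_low = {p.lower() for p in a_proc}
    return {
        "entries_removed": [e for e in b_ent if e not in a_ent],
        "entries_added": [e for e in a_ent if e not in b_ent],
        "processes_gone": [p for p in b_proc if p.lower() not in a_low],
        "processes_added": [p for p in a_proc if p.lower() not in b_low],
    }


if __name__ == "__main__":
    for e in orphaned(parse_log(BEFORE)[1]):
        print("orphaned before:", e.code, "-", e.text)
    for name, items in diff_logs(BEFORE, AFTER).items():
        print(name, len(items))
        for item in items:
            print("   ", item)
```

Anything listed under `entries_added` or `processes_added` between two scans is what to look at first when a detection comes back after a cleanup.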
spaak (Beginner)
07 November 2007 - 15:27 #12
Went into regedit and searched for games.exe, and a lot of nasty stuff came pouring out. I have deleted that. Now I'll wait and see.
arlet (Junior Master)
07 November 2007 - 18:02 #13
Try updating NOD32 and then run a full scan.

What does it find?
spaak (Beginner)
07 November 2007 - 19:21 #14
Done, it finds nothing..... we hope for the best
fromsej (Trainee)
07 November 2007 - 19:50 #15
Lop is a cunning devil, so let's check a little more.
Download Schtasks here:
http://fromsej.dk/download/schtasks.exe
It must be placed in C:\windows\system32\
If you are asked whether it should be overwritten, cancel the download; then you already have the file.

Download fl.zip, unpack it and run fl.bat - the program creates a small text file, which you should also copy in here:
http://www.ctrlaltdel.dk/Programmer/fl.zip

Click Start->Run, type CMD and click OK.
In the "DOS" window, type the following: (press <Enter> after each line)
schtasks /query>C:\tasks.txt
notepad C:\tasks.txt
Copy the contents in here.
spaak (Beginner)
08 November 2007 - 09:10 #16
Now I have been put to the test. Schtasks.exe is in windows\prefetch and not in system32.
Is that good or bad?
fromsej (Trainee)
08 November 2007 - 12:10 #17
Hmm, try copying it from Prefetch over to system32 and see if that works.
spaak (Beginner)
08 November 2007 - 20:05 #18
After running fl.bat it says the following:

Disken i drev C er ACER
Diskens serienummer er ACA6-B542

Indhold af C:\Documents and Settings\All Users\Application Data

07-06-2007  15:02    <DIR>          ACD Systems
27-06-2007  21:43    <DIR>          Adobe
02-07-2007  20:21    <DIR>          Apple
08-04-2007  19:16    <DIR>          Apple Computer
24-08-2007  13:51    <DIR>          Avg7
20-03-2006  07:31    <DIR>          CyberLink
11-03-2006  17:26    <DIR>          eConsole
15-05-2007  15:42    <DIR>          EnterNHelp
31-10-2007  22:00    <DIR>          Grisoft
12-03-2006  12:22              209 hpzinstall.log
16-04-2007  16:50    <DIR>          Macrovision
05-12-2006  15:50    <DIR>          MAGIX
15-05-2007  15:48    <DIR>          muvee Technologies
18-06-2007  16:55            1.362 QTSBandwidthCache
15-06-2007  11:18    <DIR>          Spybot - Search & Destroy
04-11-2007  11:04    <DIR>          SUPERAntiSpyware.com
30-05-2007  08:09    <DIR>          Symantec
31-10-2007  19:58    <DIR>          TEMP
15-05-2007  15:42    <DIR>          Ultima_T15
13-03-2006  17:24    <DIR>          Windows Genuine Advantage
              2 fil(er)            1.571 byte
              18 mappe(r)  122.881.224.704 byte ledig
Disken i drev C er ACER
Diskens serienummer er ACA6-B542

Indhold af C:\Documents and Settings\Åse Krabbe\Application Data

06-11-2007  16:24    <DIR>          .
06-11-2007  16:24    <DIR>          ..
07-06-2007  15:21    <DIR>          ACD Systems
27-06-2007  21:43    <DIR>          Adobe
06-07-2007  18:53    <DIR>          AdobeUM
27-09-2006  18:57    <DIR>          Apple Computer
11-03-2006  17:02    <DIR>          ATI
06-05-2007  16:20              606 AutoGK.ini
07-04-2007  16:58    <DIR>          Command & Conquer 3 Tiberium Wars
19-05-2006  14:59    <DIR>          Cryptomathic
20-03-2006  07:31    <DIR>          CyberLink
09-06-2007  17:44    <DIR>          Disney Interactive Studios
04-05-2007  15:50    <DIR>          DivX
14-12-2006  11:01            68.512 GDIPFONTCACHEV1.DAT
11-03-2006  17:17    <DIR>          Google
31-10-2007  22:01    <DIR>          Grisoft
10-04-2006  09:04    <DIR>          Help
12-03-2006  12:22    <DIR>          Hewlett-Packard
07-11-2007  15:32    <DIR>          ICAClient
15-01-2006  09:01    <DIR>          Identities
11-03-2006  14:41    <DIR>          Lavasoft
31-03-2006  19:27    <DIR>          Macromedia
05-12-2006  16:12    <DIR>          MAGIX
04-05-2007  16:01    <DIR>          Media Player Classic
08-04-2006  15:38    <DIR>          Microsoft Games
29-08-2006  18:23    <DIR>          Music Recognition
15-05-2007  15:48    <DIR>          muvee Technologies
15-05-2007  15:43    <DIR>          Nikon
11-01-2007  18:22    <DIR>          PDF
29-06-2006  15:31    <DIR>          Real
16-03-2007  14:57    <DIR>          RegistrySmart
11-06-2006  12:00    <DIR>          Renegade Minds
15-10-2006  20:42    <DIR>          SlySoft
17-03-2007  17:37    <DIR>          Sony Ericsson
14-06-2007  20:18    <DIR>          SPAMfighter
11-03-2006  17:18    <DIR>          Sun
04-11-2007  11:04    <DIR>          SUPERAntiSpyware.com
30-05-2007  08:09    <DIR>          Symantec
02-08-2007  11:55    <DIR>          Teleca
              2 fil(er)          69.118 byte
              37 mappe(r)  122.881.224.704 byte ledig
Disken i drev C er ACER
Diskens serienummer er ACA6-B542

Indhold af C:\Documents and Settings\Default User\Application Data

15-01-2006  09:01    <DIR>          .
15-01-2006  09:01    <DIR>          ..
16-12-2005  06:02                62 desktop.ini
              1 fil(er)              62 byte
              2 mappe(r)  122.881.224.704 byte ledig
Disken i drev C er ACER
Diskens serienummer er ACA6-B542

Indhold af C:\Documents and Settings\LocalService\Application Data

Disken i drev C er ACER
Diskens serienummer er ACA6-B542

Indhold af C:\Documents and Settings\NetworkService\Application Data

[TRACE] Enumerating jobs and queues

I am not entirely sure about how I ran schtasks.exe.
But at first glance there are "no scheduled tasks in the system".
fromsej (Trainee)
08 November 2007 - 20:44 #19
There are no more traces of Lop. :-)
arlet (Junior Master)
08 November 2007 - 20:55 #20
Shall we then trust that there is no more junk..

How is the computer running?
arlet (Junior Master)
08 November 2007 - 20:56 #21
Fromsej-> Thanks for the help-> http://www.eksperten.dk/spm/804981
spaak (Beginner)
09 November 2007 - 12:28 #22
Fromsej, thank you so very much. You really ought to get a lot of points for this. But can I give them to you?
arlet (Junior Master)
09 November 2007 - 13:18 #23
spaak -> I have shared the points with fromsej (see 08/11-2007 20:56:19)
spaak (Beginner)
09 November 2007 - 16:00 #24
OK, I am glad about that.
fromsej (Trainee)
09 November 2007 - 17:18 #25
Spaak >> As you can see, Arlet and I have sorted out the point sharing; besides, there are many things that matter more than points on Eksperten, until the day you can buy beer with them, then the harvest will really get going. ;-)
The important thing is that you are Lop-free.