Messenger system alert

Det ligner mest af alt en ommer.
Hvorfor er Windows ikke opdateret?
Følg vejledningen i denne artikel:
http://www.eksperten.dk/artikler/1123

En ommer!?! -nu er jeg bestemt ingen haj til computere og ej slet ikke når der er problemer...

opdatering. Gør den ikke det automatisk??? Har været min eks. der stod for alt hvad der angik min pc før. Så er også lidt på bar bund her =0(

Men nu har jeg forsøgt at følge vejledningen slavisk har det så hjulpet!?!

Nana

Logfile of HijackThis v1.99.1
Scan saved at 23:06:31, on 05-01-2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programmer\SpyNoMore\SNM.exe
C:\Programmer\PC Connectivity Solution\ServiceLayer.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Nana\Skrivebord\Hijackthis\alternativ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.signon.stofanet.dk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.stofanet.dk/proxycnf.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programmer\Fælles filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [PC Tilecomnu] Tilecomnu.com
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SNM] C:\Programmer\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\RunServices: [PC Tilecomnu] Tilecomnu.com
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINDOWS\System32\urdvxc.exe" /service (file missing)
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\VIRUSfighter\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Programmer\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Universal Printer NT Service - Unknown owner - C:\WINDOWS\System32\dllcache\upnt.exe (file missing)




********************************* ROOTCHK-(28-12-07)-LOG, by ejvindh
05-01-2008 23:07:53,85

The rootkits that are detected by this tool were not found.

********************************* ROOTCHK-LOG-end


catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 23:07:55
Windows 5.1.2600 Service Pack 1
scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

hidden processes: 0
hidden services: 0
hidden files: 0


ComboFix 08-01-04.1 - Nana 2008-01-05 23:09:44.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.1.1252.1.1030.18.278 [GMT 1:00]
Running from: C:\Documents and Settings\Nana\Skrivebord\Forsøg\ComboFix.exe
* Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((  Other Deletions  )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\_install.exe blev ikke fundet.
C:\WINDOWS\system32\.exe

.
(((((((((((((((((((((((((  Files Created from 2007-12-05 to 2008-01-05  )))))))))))))))))))))))))))))))
.

2008-01-05 23:09 . 2000-08-31 08:00    51,200    --a------    C:\WINDOWS\NirCmd.exe
2008-01-05 22:19 . 2008-01-05 22:59    <DIR>    d--------    C:\Programmer\SUPERAntiSpyware
2008-01-05 22:15 . 2008-01-05 22:15    <DIR>    d--------    C:\Programmer\CCleaner
2008-01-05 19:33 . 2008-01-05 19:37    2,100    --a------    C:\WINDOWS\system32\tmp.reg
2008-01-05 19:32 . 2008-01-05 19:39    <DIR>    d--------    C:\SmitfraudFix
2008-01-05 19:24 . 2008-01-05 19:24    1,129,580    --a------    C:\SmitfraudFix.exe
2008-01-05 17:38 . 2008-01-05 17:38    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-05 16:27 . 2008-01-05 16:27    <DIR>    d--h-----    C:\Programmer\InstallShield Installation Information
2008-01-05 16:26 . 2008-01-05 16:26    <DIR>    d--------    C:\Programmer\Fælles filer\InstallShield
2008-01-05 10:47 . 2008-01-05 11:27    <DIR>    d--------    C:\Programmer\SpyNoMore
2008-01-05 10:47 . 2008-01-05 10:47    1,152    --a------    C:\WINDOWS\system32\windrv.sys
2008-01-05 10:35 . 2008-01-05 10:35    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-05 10:34 . 2008-01-05 15:31    <DIR>    d--------    C:\Documents and Settings\Nana\Application Data\SUPERAntiSpyware.com

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-05 21:19    ---------    d-----w    C:\Programmer\Fælles filer\Wise Installation Wizard
2008-01-05 17:09    ---------    d-----w    C:\Programmer\Symantec
2008-01-05 17:09    ---------    d-----w    C:\Programmer\Fælles filer\Symantec Shared
2008-01-05 15:26    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-03 16:38    ---------    d-----w    C:\Programmer\Trafikteori
2007-11-24 19:14    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\Trymedia
.

(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-04-23 15:46 1318128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSC_UserPrompt"="C:\Programmer\Fælles filer\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 15:59 218240]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"HP Software Update"="C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 11:40 49152]
"PC Tilecomnu"="Tilecomnu.com" []
"QuickTime Task"="C:\Programmer\QuickTime\qttask.exe" [2007-09-14 10:13 286720]
"PCSuiteTrayApplication"="C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-28 13:12 222720]
"SNM"="C:\Programmer\SpyNoMore\SNM.exe" [2007-11-15 12:02 1212368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"PC Tilecomnu"="Tilecomnu.com" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-09 13:13 13312]
"PcSync"="C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 16:15 1634304]

C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\
Adobe Reader Hurtigstart.lnk - C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Microsoft Office.lnk - C:\Programmer\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programmer\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programmer\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programmer\SUPERAntiSpyware\SASWINLO.dll

R0 viaagp;VIA AGP-busfilter;C:\WINDOWS\System32\DRIVERS\viaagp.sys [2001-08-17 21:58]
R3 rtl8029;NT-driver til Realtek RTL8029(AS)-baseret PCI Ethernet-netværkskort;C:\WINDOWS\System32\DRIVERS\RTL8029.SYS [2001-08-17 20:12]
S2 MSWindows;Network Windows Service;"C:\WINDOWS\System32\urdvxc.exe" []
S2 Universal Printer NT Service;Universal Printer NT Service;"C:\WINDOWS\System32\dllcache\upnt.exe" []

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-01-05 21:59:19 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Programmer\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 23:10:31
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-05 23:10:59
ComboFix-quarantined-files.txt  2008-01-05 22:10:51




********************************* ROOTCHK-(28-12-07)-LOG, by ejvindh
05-01-2008 23:07:53,85

The rootkits that are detected by this tool were not found.

********************************* ROOTCHK-LOG-end


catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 23:07:55
Windows 5.1.2600 Service Pack 1
scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

hidden processes: 0
hidden services: 0
hidden files: 0

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/05/2008 at 10:54 PM

Application Version : 3.7.1018

Core Rules Database Version : 3374
Trace Rules Database Version: 1369

Scan type      : Complete Scan
Total Scan Time : 00:29:08

Memory items scanned      : 149
Memory threats detected  : 0
Registry items scanned    : 4562
Registry threats detected : 0
File items scanned        : 18150
File threats detected    : 3

Adware.Tracking Cookie
    C:\Documents and Settings\Nana\Lokale indstillinger\Temp\Cookies\nana@atdmt[2].txt
    C:\Documents and Settings\Nana\Lokale indstillinger\Temp\Cookies\nana@doubleclick[1].txt
    C:\Documents and Settings\Nana\Lokale indstillinger\Temp\Cookies\nana@track.adform[2].txt

Det ser ikke så slemt ud som frygtet, så lad os se om ikke vi kan få has på det.
Først klik på Start->Kontrolpanel->Tilføj/Fjern programmer, find og afinstaller SpyNoMore, genstart.
Så skal du hente installationsfilen til et Antivirus, uden det er det omsonst at rense maskinen.
Lav en ny mappe i mappen dokumenter, kald den AVG, så ved du hvor filen ligger, klik så på linket og vælg gem, gem den i den mappe du lige har lavet.
http://free.grisoft.com/filedir/inst/avg75free_516a1225.exe
Du skal ikke installere det endnu, vi skal lige have resterne fra Norton og Norman væk først.
Hent AVG opdateringerne og gem dem i samme mappe.
De ligger her (5 stk)
http://free.grisoft.com/doc/24/us/frt/0
Luk mappen.
---------------------------------------
Klik på Start->Kør skriv Services.msc og klik OK.
Find nedenstående >> Tjenester << stop dem hvis de kører, højreklik på dem, klik på Egenskaber og vælg Starttype Deaktiveret.
Det skal du gøre enkeltvis.
Network Windows Service (MSWindows)
Norman API-hooking helper (NipSvc)
SymWMI Service (SymWSC)
Universal Printer NT Service
---------------------------------------
Hent Ccleaner her:
http://www.filehippo.com/download_ccleaner/
Installer Ccleaner, husk at fjerne fluebenet udfor installation af Yahoo toolbar.
Start programmet, fjern fluebenet i cookies.
Klik på kør Cleaner og lad den fjerne hvad den finder.
Klik så på Register ovre i venstre side (den blå terning), klik på Skan efter problemer, når den er færdig, klik på Udbedre valgte problemer, lav evt. en backup af registreringsdatabasen, klik så på udbedre alle valgte problemer.
Klik på OK, klik på Luk når den er færdig.
Genstart.
---------------------------------------
Kør Hijackthis, scan, sæt flueben ved linierne listet her, luk alle vinduer undtaget Hijackthis, klik på fix checked.

O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programmer\Fælles filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PC Tilecomnu] Tilecomnu.com
O4 - HKLM\..\Run: [SNM] C:\Programmer\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\RunServices: [PC Tilecomnu] Tilecomnu.com

---------------------------------------
Kopiér indholdet mellem de bølgede linier ind i et notepad-vindue, og gem indholdet i samme mappe, som Combofix ligger med navnet CFScript.txt. Når du gemmer, skal du sikre, at der under "filtyper" står "alle filer".

~~~~~~~~~~~~~~~~~~~~~~~~~~

Killall::

File::
C:\Windows\System32\Tilecomnu.com

Folder::
C:\Programmer\SpyNoMore
C:\Programmer\Symantec
"C:\Programmer\Fælles filer\Symantec Shared"
"C:\Documents and Settings\All Users\Application Data\Symantec"

~~~~~~~~~~~~~~~~~~~~~~~~~~
Tag så fat i den nye fil med musen, og før den hen over Combofix-filen, hvorefter du "giver slip" med musen.
http://www.fromsej.saknet.dk/billeder/cfscript.gif
Så skulle Combofix gerne give sig til at arbejde. Muligvis vil den kræve en genstart, hvilket du skal tillade. Du bør ikke klikke på vinduet imens værktøjet kører, idet det kan få din computer til at fryse.
---------------------------------------
Vi skal se en frisk hijackthislog, samt den nye combofixlog.

---------------------------------------
Mens jeg/vi tjekker de nye logs, skal du installere AVG, åbn mappen du gemte i og dobbeltklik på installationsfilen, følg vejledningen på skærmen.
Når AVG vil opdatere, vælger du "From folder" og viser programmet stien til hvor opdateringerne ligger.
Så burde det gå ganske smertefrit.

Logfile of HijackThis v1.99.1
Scan saved at 12:12:23, on 06-01-2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmer\PC Connectivity Solution\ServiceLayer.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nana\Skrivebord\Hijackthis\alternativ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.signon.stofanet.dk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.stofanet.dk/proxycnf.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINDOWS\System32\urdvxc.exe" /service (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Programmer\PC Connectivity Solution\ServiceLayer.exe


ComboFix 08-01-04.1 - Nana 2008-01-06 12:03:51.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.1.1252.1.1030.18.372 [GMT 1:00]
Running from: C:\Documents and Settings\Nana\Skrivebord\Forsøg\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nana\Skrivebord\Forsøg\CFScript.txt
* Created a new restore point

FILE
C:\Windows\System32\Tilecomnu.com
.

(((((((((((((((((((((((((((((((((((((((  Other Deletions  )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\_install.exe blev ikke fundet.
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Symantec\LiveSubscribe\Catalog.LiveSubscribe
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\1.Log.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\1.Product.Catalog.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\1.Settings.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2.Log.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2.Product.Catalog.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2.Settings.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\3.Log.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\3.Product.Catalog.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\3.Settings.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Configuration.Log.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\avenge$201.5$20microdefs2_microdefsb.curdefs_symalllanguages_livetri.zip
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\avenge$201.5$20microdefs2_microdefsb.full_symalllanguages_livetri.zip
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\avenge$201.5$20microdefs2_microdefsb.oct_symalllanguages_livetri.zip
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\avenge$201.5$20microdefs25$20nav2003_microdefsb.curdefs_symalllanguages_livetri.zip
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\avenge$201.5$20microdefs25$20nav2003_microdefsb.dec_symalllanguages_livetri.zip
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\avenge$201.5$20microdefs25$20nav2003_microdefsb.jul_symalllanguages_livetri.zip
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\avenge$201.5$20microdefs25$20nav2003_microdefsb.oct_symalllanguages_livetri.zip
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\common$20client$20core_1.0_english_livetri.zip
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\ExItem2711_symnet$20consumer_4.7.1_english\Message.exe
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\ExItem2711_symnet$20consumer_4.7.1_english\patch.dis
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\ExItem2711_symnet$20consumer_4.7.1_english\setup.exe
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\ExItem2711_symnet$20consumer_4.7.1_english\SNDUpdater.msi
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\ExItem2717_symnet$20consumer_5.4.4_english\Message.exe
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\ExItem2717_symnet$20consumer_5.4.4_english\patch.dis
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\ExItem2717_symnet$20consumer_5.4.4_english\setup.exe
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\ExItem2717_symnet$20consumer_5.4.4_english\SNDUpdater.msi
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\ExItem2717_symnet$20consumer_5.4.4_english\SymStore.dll
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\ids$20$2d$20consumer_6.1.1_english_livetri.zip
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\livereg_2.2.0_english_livetri.zip
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\livetri.zip
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\liveupdate_1.80_english_livetri.zip
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\lrconsumer_1.0_english_livetri.zip
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\minitri.flg
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\navnt$202003$20professional$20edition_9.00_english_livetri.zip
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\navnt$202003$20professional$20edition_9.05_english_livetri.zip
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\norton$20wmi$20core_1.2_english_livetri.zip
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\norton$20wmi$20master$20patch_0.1_english_livetri.zip
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\norton$20wmi$20shared_1.2_english_livetri.zip
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\norton$20wmi$20user$20interface_1.2_english_livetri.zip
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\scan$20$26$20deliver$20filter_1.0_english_livetri.zip
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\scriptblocking_1.1_english_livetri.zip
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\scss$20shared$20licensing_3.0_english_livetri.zip
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\simon$20shared$20components_2.0_english_livetri.zip
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\symevent$20installer$20$2d$20consumer_11.0_english_livetri.zip
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\symevent$20installer$20$2d$20consumer_11.6_english_livetri.zip
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\symnet$20consumer_4.7.1_english_livetri.zip
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\symnet$20consumer_5.4.4_english_livetri.zip
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\symnet$20consumer_5.5.1_english_livetri.zip
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Log.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Product.Catalog.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Settings.LiveUpdate
C:\Programmer\Fælles filer\Symantec Shared
C:\Programmer\Fælles filer\Symantec Shared\ccWebWnd.dll
C:\Programmer\Fælles filer\Symantec Shared\IraLsClt.dll
C:\Programmer\Fælles filer\Symantec Shared\LiveReg\Catalog.LiveSubscribe
C:\Programmer\Fælles filer\Symantec Shared\LiveReg\Defaults.liveReg
C:\Programmer\Fælles filer\Symantec Shared\LiveReg\iraDefA2.dll
C:\Programmer\Fælles filer\Symantec Shared\LiveReg\IraLrShl.exe
C:\Programmer\Fælles filer\Symantec Shared\LiveReg\iraLSCl2.dll
C:\Programmer\Fælles filer\Symantec Shared\LiveReg\iraLSUI.dll
C:\Programmer\Fælles filer\Symantec Shared\LiveReg\IraVcLc2.dll
C:\Programmer\Fælles filer\Symantec Shared\LiveReg\IraVcObj.dll
C:\Programmer\Fælles filer\Symantec Shared\LiveReg\LR2CHLP.HLP
C:\Programmer\Fælles filer\Symantec Shared\LiveReg\LrResEN.dll
C:\Programmer\Fælles filer\Symantec Shared\LiveReg\VcCleanUp.exe
C:\Programmer\Fælles filer\Symantec Shared\LiveReg\VcResEN.dll
C:\Programmer\Fælles filer\Symantec Shared\LiveReg\VcSetup.exe
C:\Programmer\Fælles filer\Symantec Shared\LiveReg\Watermrk.gif
C:\Programmer\Fælles filer\Symantec Shared\Security Center\sscnav.dll
C:\Programmer\Fælles filer\Symantec Shared\Security Center\sscnis56.dll
C:\Programmer\Fælles filer\Symantec Shared\Security Center\sscnis7.dll
C:\Programmer\Fælles filer\Symantec Shared\Security Center\SSCOpts.dat
C:\Programmer\Fælles filer\Symantec Shared\Security Center\SymSCWb.dll
C:\Programmer\Fælles filer\Symantec Shared\Security Center\SymWSC.exe
C:\Programmer\Fælles filer\Symantec Shared\Security Center\SymWSCNo.exe
C:\Programmer\Fælles filer\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Programmer\Fælles filer\Symantec Shared\Security Center\WSCHlpr.dll
C:\Programmer\Symantec
C:\Programmer\Symantec\LiveUpdate\1.Settings.Default.LiveUpdate
C:\Programmer\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Programmer\Symantec\LiveUpdate\AUPDATE.EXE
C:\Programmer\Symantec\LiveUpdate\LSETUP.EXE
C:\Programmer\Symantec\LiveUpdate\LuAll.cnt
C:\Programmer\Symantec\LiveUpdate\LUALL.EXE
C:\Programmer\Symantec\LiveUpdate\LUALL.HLP
C:\Programmer\Symantec\LiveUpdate\LuComServer.EXE
C:\Programmer\Symantec\LiveUpdate\LuComServerPS.DLL
C:\Programmer\Symantec\LiveUpdate\ludirloc.dat
C:\Programmer\Symantec\LiveUpdate\LUINFO.INF
C:\Programmer\Symantec\LiveUpdate\LUInit.exe
C:\Programmer\Symantec\LiveUpdate\LUInit.ini
C:\Programmer\Symantec\LiveUpdate\LUINSDLL.DLL
C:\Programmer\Symantec\LiveUpdate\LuResult.txt
C:\Programmer\Symantec\LiveUpdate\NDETECT.EXE
C:\Programmer\Symantec\LiveUpdate\NetDetectController.DLL
C:\Programmer\Symantec\LiveUpdate\ProductRegCom.DLL
C:\Programmer\Symantec\LiveUpdate\ProductRegComPS.DLL
C:\Programmer\Symantec\LiveUpdate\README.TXT
C:\Programmer\Symantec\LiveUpdate\S32LIVE1.DLL
C:\Programmer\Symantec\LiveUpdate\S32LUCP1.CPL
C:\Programmer\Symantec\LiveUpdate\S32LUIS1.DLL
C:\Programmer\Symantec\LiveUpdate\S32LUWI1.DLL
C:\Programmer\Symantec\LiveUpdate\SymantecRootInstaller.exe

.
(((((((((((((((((((((((((  Files Created from 2007-12-06 to 2008-01-06  )))))))))))))))))))))))))))))))
.

2008-01-05 23:09 . 2000-08-31 08:00    51,200    --a------    C:\WINDOWS\NirCmd.exe
2008-01-05 22:19 . 2008-01-06 09:29    <DIR>    d--------    C:\Programmer\SUPERAntiSpyware
2008-01-05 22:15 . 2008-01-05 22:15    <DIR>    d--------    C:\Programmer\CCleaner
2008-01-05 19:33 . 2008-01-05 19:37    2,100    --a------    C:\WINDOWS\system32\tmp.reg
2008-01-05 17:38 . 2008-01-05 17:38    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-05 16:27 . 2008-01-05 16:27    <DIR>    d--h-----    C:\Programmer\InstallShield Installation Information
2008-01-05 16:26 .     <DIR>        C:\Programmer\Fælles filer\InstallShield
2008-01-05 10:47 . 2008-01-05 10:47    1,152    --a------    C:\WINDOWS\system32\windrv.sys
2008-01-05 10:35 . 2008-01-05 10:35    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-05 10:34 . 2008-01-05 15:31    <DIR>    d--------    C:\Documents and Settings\Nana\Application Data\SUPERAntiSpyware.com

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-05 21:19    ---------    d-----w    C:\Programmer\Fælles filer\Wise Installation Wizard
2008-01-03 16:38    ---------    d-----w    C:\Programmer\Trafikteori
2007-11-24 19:14    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\Trymedia
.

(((((((((((((((((((((((((((((  snapshot@2008-01-05_23.10.36,11  )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-05 21:59:13    16,384    ----a-w    C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-06 10:51:28    16,384    ----a-w    C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-05 21:59:13    32,768    ----a-w    C:\WINDOWS\system32\config\systemprofile\Lokale indstillinger\Oversigt\History.IE5\index.dat
+ 2008-01-06 10:51:28    32,768    ----a-w    C:\WINDOWS\system32\config\systemprofile\Lokale indstillinger\Oversigt\History.IE5\index.dat
- 2008-01-05 21:59:13    32,768    ----a-w    C:\WINDOWS\system32\config\systemprofile\Lokale indstillinger\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-06 10:51:28    32,768    ----a-w    C:\WINDOWS\system32\config\systemprofile\Lokale indstillinger\Temporary Internet Files\Content.IE5\index.dat
- 2007-10-29 18:33:14    47,276    ----a-w    C:\WINDOWS\system32\perfc006.dat
+ 2008-01-06 08:15:45    47,276    ----a-w    C:\WINDOWS\system32\perfc006.dat
- 2007-10-29 18:33:14    40,128    ----a-w    C:\WINDOWS\system32\perfc009.dat
+ 2008-01-06 08:15:45    40,128    ----a-w    C:\WINDOWS\system32\perfc009.dat
- 2007-10-29 18:33:14    324,960    ----a-w    C:\WINDOWS\system32\perfh006.dat
+ 2008-01-06 08:15:45    324,960    ----a-w    C:\WINDOWS\system32\perfh006.dat
- 2007-10-29 18:33:14    311,740    ----a-w    C:\WINDOWS\system32\perfh009.dat
+ 2008-01-06 08:15:45    311,740    ----a-w    C:\WINDOWS\system32\perfh009.dat
.
(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-04-23 15:46 1318128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"HP Software Update"="C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 11:40 49152]
"QuickTime Task"="C:\Programmer\QuickTime\qttask.exe" [2007-09-14 10:13 286720]
"PCSuiteTrayApplication"="C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-28 13:12 222720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-09 13:13 13312]
"PcSync"="C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 16:15 1634304]

C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\
Adobe Reader Hurtigstart.lnk - C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Microsoft Office.lnk - C:\Programmer\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programmer\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programmer\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programmer\SUPERAntiSpyware\SASWINLO.dll

R0 viaagp;VIA AGP-busfilter;C:\WINDOWS\System32\DRIVERS\viaagp.sys [2001-08-17 21:58]
R3 rtl8029;NT-driver til Realtek RTL8029(AS)-baseret PCI Ethernet-netværkskort;C:\WINDOWS\System32\DRIVERS\RTL8029.SYS [2001-08-17 20:12]
S2 MSWindows;Network Windows Service;"C:\WINDOWS\System32\urdvxc.exe" []
S4 Universal Printer NT Service;Universal Printer NT Service;"C:\WINDOWS\System32\dllcache\upnt.exe" []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-06 11:08:41 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Programmer\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 12:09:00
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-06 12:09:49 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-06 11:09:35

Det pyntede, men der er desværre lidt endnu.

Lav et nyt CFScript og kør det efter vejledningen.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Killall::

File::
C:\WINDOWS\System32\urdvxc.exe
C:\WINDOWS\System32\dllcache\upnt.exe
C:\WINDOWS\Tasks\Symantec NetDetect.job

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Kopier den friske Combofix log ind.

Jeg har helt glemt at ønske dig velkommen til Eksperten. :-)
Vi har lavet en uofficiel FAQ, hvor du kan se hvordan du får mest ud af Eksperten.
http://expfaq.dk/ - Eksperten: Sådan gør jeg.

Tak tak, er også vældig glad for at ha "opdaget" jer=0)

Prøver så lige igen... Men uanset hvad popper Messenger stadig op med de advarsler og forsøg på at lokke mig til at købe et eller andet... SUK.....

ComboFix 08-01-04.1 - Nana 2008-01-06 14:36:30.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.1.1252.1.1030.18.332 [GMT 1:00]
Running from: C:\Documents and Settings\Nana\Skrivebord\Forsøg\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nana\Skrivebord\Forsøg\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\System32\dllcache\upnt.exe
C:\WINDOWS\System32\urdvxc.exe
C:\WINDOWS\Tasks\Symantec NetDetect.job
.

(((((((((((((((((((((((((((((((((((((((  Other Deletions  )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\_install.exe blev ikke fundet.
C:\WINDOWS\Tasks\Symantec NetDetect.job

.
(((((((((((((((((((((((((  Files Created from 2007-12-06 to 2008-01-06  )))))))))))))))))))))))))))))))
.

2008-01-06 12:16 . 2008-01-06 12:17    <DIR>    d--------    C:\Documents and Settings\Nana\Application Data\AVG7
2008-01-06 12:16 . 2008-01-06 12:16    <DIR>    d--------    C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-06 12:15 . 2008-01-06 12:15    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-05 23:09 . 2000-08-31 08:00    51,200    --a------    C:\WINDOWS\NirCmd.exe
2008-01-05 22:19 . 2008-01-06 09:29    <DIR>    d--------    C:\Programmer\SUPERAntiSpyware
2008-01-05 22:15 . 2008-01-05 22:15    <DIR>    d--------    C:\Programmer\CCleaner
2008-01-05 19:33 . 2008-01-05 19:37    2,100    --a------    C:\WINDOWS\system32\tmp.reg
2008-01-05 17:38 . 2008-01-06 12:16    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-05 16:27 . 2008-01-05 16:27    <DIR>    d--h-----    C:\Programmer\InstallShield Installation Information
2008-01-05 16:26 .     <DIR>        C:\Programmer\Fælles filer\InstallShield
2008-01-05 10:47 . 2008-01-05 10:47    1,152    --a------    C:\WINDOWS\system32\windrv.sys
2008-01-05 10:35 . 2008-01-05 10:35    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-05 10:34 . 2008-01-05 15:31    <DIR>    d--------    C:\Documents and Settings\Nana\Application Data\SUPERAntiSpyware.com

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-05 21:19    ---------    d-----w    C:\Programmer\Fælles filer\Wise Installation Wizard
2008-01-03 16:38    ---------    d-----w    C:\Programmer\Trafikteori
2007-11-24 19:14    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\Trymedia
.

(((((((((((((((((((((((((((((  snapshot@2008-01-05_23.10.36,11  )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-05 21:59:13    16,384    ----a-w    C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-06 10:51:28    16,384    ----a-w    C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-05 21:59:13    32,768    ----a-w    C:\WINDOWS\system32\config\systemprofile\Lokale indstillinger\Oversigt\History.IE5\index.dat
+ 2008-01-06 10:51:28    32,768    ----a-w    C:\WINDOWS\system32\config\systemprofile\Lokale indstillinger\Oversigt\History.IE5\index.dat
+ 2008-01-06 11:16:02    821,856    ----a-w    C:\WINDOWS\system32\drivers\avg7core.sys
+ 2008-01-06 11:16:08    4,224    ----a-w    C:\WINDOWS\system32\drivers\avg7rsw.sys
+ 2008-01-06 11:16:08    27,776    ----a-w    C:\WINDOWS\system32\drivers\avg7rsxp.sys
+ 2008-01-06 11:16:09    10,760    ----a-w    C:\WINDOWS\system32\drivers\avgclean.sys
+ 2008-01-06 11:16:09    26,952    ----a-w    C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2008-01-06 11:16:09    4,960    ----a-w    C:\WINDOWS\system32\drivers\avgtdi.sys
- 2007-10-29 18:33:14    47,276    ----a-w    C:\WINDOWS\system32\perfc006.dat
+ 2008-01-06 08:15:45    47,276    ----a-w    C:\WINDOWS\system32\perfc006.dat
- 2007-10-29 18:33:14    40,128    ----a-w    C:\WINDOWS\system32\perfc009.dat
+ 2008-01-06 08:15:45    40,128    ----a-w    C:\WINDOWS\system32\perfc009.dat
- 2007-10-29 18:33:14    324,960    ----a-w    C:\WINDOWS\system32\perfh006.dat
+ 2008-01-06 08:15:45    324,960    ----a-w    C:\WINDOWS\system32\perfh006.dat
- 2007-10-29 18:33:14    311,740    ----a-w    C:\WINDOWS\system32\perfh009.dat
+ 2008-01-06 08:15:45    311,740    ----a-w    C:\WINDOWS\system32\perfh009.dat
.
(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-04-23 15:46 1318128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"HP Software Update"="C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 11:40 49152]
"QuickTime Task"="C:\Programmer\QuickTime\qttask.exe" [2007-09-14 10:13 286720]
"PCSuiteTrayApplication"="C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-28 13:12 222720]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-06 12:15 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-09 13:13 13312]
"PcSync"="C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 16:15 1634304]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-06 12:15 219136]

C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\
Adobe Reader Hurtigstart.lnk - C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Microsoft Office.lnk - C:\Programmer\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programmer\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programmer\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programmer\SUPERAntiSpyware\SASWINLO.dll

R0 viaagp;VIA AGP-busfilter;C:\WINDOWS\System32\DRIVERS\viaagp.sys [2001-08-17 21:58]
R3 rtl8029;NT-driver til Realtek RTL8029(AS)-baseret PCI Ethernet-netværkskort;C:\WINDOWS\System32\DRIVERS\RTL8029.SYS [2001-08-17 20:12]
S2 MSWindows;Network Windows Service;"C:\WINDOWS\System32\urdvxc.exe" []
S4 Universal Printer NT Service;Universal Printer NT Service;"C:\WINDOWS\System32\dllcache\upnt.exe" []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 14:42:05
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-06 14:42:58 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-06 13:42:50
ComboFix2.txt  2008-01-06 11:09:49

Tjenesten Messenger skal deaktiveres, så ser du ikke mere til den pop-up.
Det bliver den automatisk, hvis du henter og installerer Servicepack 2 til XP, den kan hentes her:
http://intern.sdu.dk/it-service/tjenester/ftphotel/ftpindhold/
Husk at tage den danske udgave.
Du kan også hurtigt slippe af med den, ved at hente og køre Shoot the Messenger herfra:
http://www.fromsej.saknet.dk/download/shootthemessenger.exe
Du skal klikke på Disable Messenger.

Jeg skal lige have en "second opinion" på noget i din log, men det ser fint ud.

Lav og kør dette CFScript.

~~~~~~~~~~~~~~~~~~~~~~~~~~

Driver::
"MSWindows;Network Windows Service"
"Universal Printer NT Service"

~~~~~~~~~~~~~~~~~~~~~~~~~~

Kopier den friske Combofix herind, så burde vi være i mål.
Har du fået installeret Antivirus?

Så, håber i har nået målet :-)

Er dybt taknemlig for hjælpen!!!
Og ja, har indstalleret AVG.

ComboFix 08-01-04.1 - Nana 2008-01-07 18:37:18.4 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.1.1252.1.1030.18.274 [GMT 1:00]
Running from: C:\Documents and Settings\Nana\Skrivebord\Forsøg\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nana\Skrivebord\Forsøg\CFScript.txt
* Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((  Other Deletions  )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\_install.exe blev ikke fundet.

.
(((((((((((((((((((((((((((((((((((((((  Drivers/Services  )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_UNIVERSAL_PRINTER_NT_SERVICE
-------\Universal Printer NT Service


(((((((((((((((((((((((((  Files Created from 2007-12-07 to 2008-01-07  )))))))))))))))))))))))))))))))
.

2008-01-06 12:16 . 2008-01-07 18:14    <DIR>    d--------    C:\Documents and Settings\Nana\Application Data\AVG7
2008-01-06 12:16 . 2008-01-06 12:16    <DIR>    d--------    C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-06 12:15 . 2008-01-06 12:15    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-05 23:09 . 2000-08-31 08:00    51,200    --a------    C:\WINDOWS\NirCmd.exe
2008-01-05 22:19 . 2008-01-06 09:29    <DIR>    d--------    C:\Programmer\SUPERAntiSpyware
2008-01-05 22:15 . 2008-01-05 22:15    <DIR>    d--------    C:\Programmer\CCleaner
2008-01-05 19:33 . 2008-01-05 19:37    2,100    --a------    C:\WINDOWS\system32\tmp.reg
2008-01-05 17:38 . 2008-01-07 18:14    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-05 16:27 . 2008-01-05 16:27    <DIR>    d--h-----    C:\Programmer\InstallShield Installation Information
2008-01-05 16:26 .     <DIR>        C:\Programmer\Fælles filer\InstallShield
2008-01-05 10:47 . 2008-01-05 10:47    1,152    --a------    C:\WINDOWS\system32\windrv.sys
2008-01-05 10:35 . 2008-01-05 10:35    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-05 10:34 . 2008-01-05 15:31    <DIR>    d--------    C:\Documents and Settings\Nana\Application Data\SUPERAntiSpyware.com

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-05 21:19    ---------    d-----w    C:\Programmer\Fælles filer\Wise Installation Wizard
2008-01-03 16:38    ---------    d-----w    C:\Programmer\Trafikteori
2007-11-24 19:14    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\Trymedia
.

(((((((((((((((((((((((((((((  snapshot@2008-01-05_23.10.36,11  )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-08-31 07:00:00    163,328    ----a-w    C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2008-01-05 21:59:13    16,384    ----a-w    C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-06 10:51:28    16,384    ----a-w    C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-05 21:59:13    32,768    ----a-w    C:\WINDOWS\system32\config\systemprofile\Lokale indstillinger\Oversigt\History.IE5\index.dat
+ 2008-01-06 10:51:28    32,768    ----a-w    C:\WINDOWS\system32\config\systemprofile\Lokale indstillinger\Oversigt\History.IE5\index.dat
+ 2008-01-06 11:16:02    821,856    ----a-w    C:\WINDOWS\system32\drivers\avg7core.sys
+ 2008-01-06 11:16:08    4,224    ----a-w    C:\WINDOWS\system32\drivers\avg7rsw.sys
+ 2008-01-06 11:16:08    27,776    ----a-w    C:\WINDOWS\system32\drivers\avg7rsxp.sys
+ 2008-01-06 11:16:09    10,760    ----a-w    C:\WINDOWS\system32\drivers\avgclean.sys
+ 2008-01-06 11:16:09    26,952    ----a-w    C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2008-01-06 11:16:09    4,960    ----a-w    C:\WINDOWS\system32\drivers\avgtdi.sys
- 2007-10-29 18:33:14    47,276    ----a-w    C:\WINDOWS\system32\perfc006.dat
+ 2008-01-06 08:15:45    47,276    ----a-w    C:\WINDOWS\system32\perfc006.dat
- 2007-10-29 18:33:14    40,128    ----a-w    C:\WINDOWS\system32\perfc009.dat
+ 2008-01-06 08:15:45    40,128    ----a-w    C:\WINDOWS\system32\perfc009.dat
- 2007-10-29 18:33:14    324,960    ----a-w    C:\WINDOWS\system32\perfh006.dat
+ 2008-01-06 08:15:45    324,960    ----a-w    C:\WINDOWS\system32\perfh006.dat
- 2007-10-29 18:33:14    311,740    ----a-w    C:\WINDOWS\system32\perfh009.dat
+ 2008-01-06 08:15:45    311,740    ----a-w    C:\WINDOWS\system32\perfh009.dat
.
(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-04-23 15:46 1318128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"HP Software Update"="C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 11:40 49152]
"QuickTime Task"="C:\Programmer\QuickTime\qttask.exe" [2007-09-14 10:13 286720]
"PCSuiteTrayApplication"="C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-28 13:12 222720]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-06 12:15 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-09 13:13 13312]
"PcSync"="C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 16:15 1634304]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-06 12:15 219136]

C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\
Adobe Reader Hurtigstart.lnk - C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Microsoft Office.lnk - C:\Programmer\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programmer\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programmer\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programmer\SUPERAntiSpyware\SASWINLO.dll

R0 viaagp;VIA AGP-busfilter;C:\WINDOWS\System32\DRIVERS\viaagp.sys [2001-08-17 21:58]
R3 rtl8029;NT-driver til Realtek RTL8029(AS)-baseret PCI Ethernet-netværkskort;C:\WINDOWS\System32\DRIVERS\RTL8029.SYS [2001-08-17 20:12]
S2 MSWindows;Network Windows Service;"C:\WINDOWS\System32\urdvxc.exe" []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-07 18:41:58
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-07 18:42:52 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-07 17:42:44
ComboFix2.txt  2008-01-06 13:42:58
ComboFix3.txt  2008-01-06 11:09:49

Det var #%%/&(/)""%#¤
Klik på Start->Kør skriv Services.msc og klik OK.
Find Tjenesten >> Network Windows Service (MSWindows) << stop den hvis den kører, højreklik på den, klik på Egenskaber og vælg Starttype Deaktiveret.
Når du har gjort det, genstart og kom med en frisk Hijackthislog.

Here it is...

Logfile of HijackThis v1.99.1
Scan saved at 19:44:33, on 07-01-2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmer\PC Connectivity Solution\ServiceLayer.exe
C:\Documents and Settings\Nana\Skrivebord\Hijackthis\alternativ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.signon.stofanet.dk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.stofanet.dk/proxycnf.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmer\PC Connectivity Solution\ServiceLayer.exe

Tak, jeg var sq bange for at jeg havde mistet "taget". ;-)

Så nåede vi vejs ende, i denne omgang.
Men du skal se at få installeret Servicepack 2, derefter få Windows opdateret online, ellers holder det ikke skidtet ude.
http://intern.sdu.dk/it-service/tjenester/ftphotel/ftpindhold/ - Servicepack 2 (husk på dansk)
Vi har også sammensat en pakke med forskellige gratis sikkerhedsprogrammer, den finder du her:
http://www.spywarefri.dk/manualer/sikkerhedspakke.htm
Som minimum anbefaler jeg Spywareguard, Spywareblaster, Zoned-out og IE Privacy Keeper.
Et par artikler om sikker surfing finder du her:
http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=14414
http://fromsej.dk/html/avoid.html
Mvh:
Fromsej/Team Spywarefri.

(Hvis du så lige markerer mit navn i boksen og klikker på Accepter, så er her afsluttet korrekt)

jeg takker endnu engang. Tar hatten af for din indsats! Sætter jeg meget stor pris på =0) Og godt du ikke mistede taget ;-9

Skal jeg så nok gøre. Og håbe på det ikke bliver så slemt igen.

Nana

Tak for point. :-)

Går det galt, ved du hvor du kan finde os. *S*