toh (Beginner)
12 February 2007 - 12:27. There are 9 comments and 3 solutions

Virus NetWorm-i..virus@fp

I have got the virus mentioned above. I am attaching a log file from HijackThis; is there anyone who can help?

Logfile of HijackThis v1.99.1
Scan saved at 12:23:06, on 12-02-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\TDCpakke\npm\bin\nvoy.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\trcboot.exe
C:\Programmer\Network Associates\Common Framework\FrameworkService.exe
C:\Programmer\Network Associates\VirusScan\vstskmgr.exe
C:\Programmer\IBM\Personal Communications\PCS_AGNT.EXE
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
c:\winnt\system32\srvany.exe
c:\winnt\system32\MReg.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Programmer\TDCpakke\Npm\Bin\Zanda.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Programmer\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Programmer\Video ActiveX Object\pmsnrr.exe
C:\WINNT\System32\QCONSVC.EXE
C:\Programmer\Video ActiveX Object\pmmnt.exe
C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\Programmer\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programmer\Analog Devices\SoundMAX\Smax4.exe
C:\WINNT\system32\RunDll32.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\rundll32.exe
C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINNT\system32\TpKmpSVC.exe
C:\Programmer\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Programmer\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Programmer\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Programmer\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINNT\system32\TpShocks.exe
C:\Programmer\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Programmer\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
C:\Programmer\Network Associates\Common Framework\UpdaterUI.exe
C:\Programmer\Network Associates\VirusScan\SHSTAT.EXE
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Lexmark 6200 Series\lxbumon.exe
C:\Programmer\Lexmark 6200 Series\ezprint.exe
C:\Programmer\Java\jre1.5.0_10\bin\jusched.exe
C:\Programmer\TDCpakke\npm\bin\ZLH.EXE
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\WINNT\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\Nikon\PictureProject\NkbMonitor.exe
C:\Programmer\TDCpakke\nvc\BIN\NIP.EXE
C:\Programmer\TDCpakke\npm\bin\NJEEVES.EXE
C:\Programmer\TDCpakke\npc\bin\npcsvc32.exe
C:\WINNT\System32\lxbucoms.exe
C:\Programmer\TDCpakke\npc\bin\nuaa.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Norton AntiVirus\navapsvc.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\Bruger\Skrivebord\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.politiken.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.flc-nord.dk
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: C:\WINNT\system32\zvZoCrypt.dll - {8A5849C4-93F3-429D-FF34-660A2068897C} - C:\WINNT\system32\zvZoCrypt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Programmer\Video ActiveX Object\iesplugin.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmer\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmer\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Programmer\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Programmer\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [QCTRAY] C:\Programmer\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Programmer\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [UC_Start] C:\Programmer\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Programmer\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [HydraVisionViewport] C:\Programmer\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programmer\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Programmer\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Programmer\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXBUCATS] rundll32 C:\WINNT\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxbumon.exe] "C:\Programmer\Lexmark 6200 Series\lxbumon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Programmer\Lexmark 6200 Series\ezprint.exe"
O4 - HKLM\..\Run: [Adaware] C:\Programmer\Norman\Norman~1\ad-aware.exe /smart +prefs:G:\Ad-Aware\settings.awc +nodefnotice +silent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Norman ZANDA] C:\Programmer\TDCpakke\npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [NPCTray] C:\Programmer\TDCpakke\npc\bin\npc_tray.exe /LOAD
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ccApp] C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Programmer\Fælles filer\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Programmer\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\programmer\tdcpakke\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\programmer\tdcpakke\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\programmer\tdcpakke\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\programmer\tdcpakke\npc\bin\nlf.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O14 - IERESET.INF: START_PAGE_URL=http://www.flc-nord.dk
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = int.radhus.dom
O17 - HKLM\Software\..\Telephony: DomainName = int.radhus.dom
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = int.radhus.dom
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Dokumenter\Settings\partnership.dll
O20 - Winlogon Notify: QConGina - C:\WINNT\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: rpcc - C:\WINNT\system32\rpcc.dll
O21 - SSODL: AridcMnJ - {4CE062DE-E64A-C874-0CEA-D61C70063441} - C:\WINNT\system32\xqi.dll (file missing)
O21 - SSODL: exemplars - {2acf3add-34a1-4f2f-99cf-cc69785d1e90} - C:\WINNT\system32\cwgppb.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINNT\System32\lxbucoms.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Programmer\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Programmer\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: M·HardwareScan Service (MHardwareScan) - Ementor Danmark A/S - C:\WINNT\System32\MHardwareScan.exe
O23 - Service: ieupdater (Microsoft IE Updater) - Unknown owner - C:\Documents and Settings\Bruger\~tmp0374.exe
O23 - Service: MReg - Unknown owner - c:\winnt\system32\srvany.exe
O23 - Service: M·SoftwareScan (MSoftwareScan) - Ementor Danmark A/S - C:\WINNT\System32\MSoftwareScan.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Programmer\Norton AntiVirus\navapsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Programmer\TDCpakke\npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Programmer\TDCpakke\Npm\Bin\Zanda.exe
O23 - Service: Norman Parental Control (NPC) - Norman ASA - C:\Programmer\TDCpakke\npc\bin\npcsvc32.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Programmer\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Norman User Activity Agent (NUAA) - Norman ASA - C:\Programmer\TDCpakke\npc\bin\nuaa.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Programmer\TDCpakke\nvc\bin\nvcoas.exe
O23 - Service: Norman V.O.Y. (NVOY) - Norman ASA - C:\Programmer\TDCpakke\npm\bin\nvoy.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FLLESF~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINNT\system32\TpKmpSVC.exe
O23 - Service: TrcBoot - Unknown owner - C:\WINNT\System32\drivers\trcboot.exe
ejvindh (Expert)
12 February 2007 - 12:35 #1
I'm looking at it :-)
ejvindh (Expert)
12 February 2007 - 12:47 #2
There is certainly quite a lot of different junk in there:

-- Download this program:
http://cexx.org/lspfix.zip

Unpack lspfix and run it. Tick "I know what I am doing". On the left side (Keep) you will find the following; select it, then click the left arrow to move the selected item over to "Remove". Click Finish.

"msnetax.dll"

-- Download S!Ri's SmitfraudFix.zip and save it to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Alternatively from here:
http://72.232.135.12/siri/SmitfraudFix.exe

NB: The file "process.exe" included in this tool is identified by certain antivirus programs as "RiskTool". There is nothing to that, though!

-- Download AVG Anti-Spyware from here (14-day version of the Plus edition)
http://www.spywarefri.dk/downloads1.htm
Install and update the program, but wait with scanning.

-- Click Start, Run. Type: Services.msc, and click OK.
Find the following services, right-click them and choose Properties. Under Startup type choose Disabled. Also click Stop:

"ieupdater"

-- Run HijackThis, choose "Do a system scan only", tick the lines listed here, close all windows except HijackThis, and click Fix checked.

O2 - BHO: C:\WINNT\system32\zvZoCrypt.dll - {8A5849C4-93F3-429D-FF34-660A2068897C} - C:\WINNT\system32\zvZoCrypt.dll
O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Programmer\Video ActiveX Object\iesplugin.dll (file missing)
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Dokumenter\Settings\partnership.dll
O20 - Winlogon Notify: rpcc - C:\WINNT\system32\rpcc.dll
O21 - SSODL: AridcMnJ - {4CE062DE-E64A-C874-0CEA-D61C70063441} - C:\WINNT\system32\xqi.dll (file missing)
O21 - SSODL: exemplars - {2acf3add-34a1-4f2f-99cf-cc69785d1e90} - C:\WINNT\system32\cwgppb.dll

-- Restart in Safe Mode; if you don't know how, look here:
http://www.ctrlaltdel.dk/forum/forum_posts.asp?TID=23&PN=1

-- You are now going to delete files. To prepare for this, you need to turn on extended file view:
Open a folder, click Tools => Folder Options => View.
Untick "Hide protected operating system files".
Untick "Hide extensions for known file types".
Select "Show hidden files and folders".

-- Then delete the following (if you can find them):
C:\WINNT\system32\zvZoCrypt.dll
c:\winnt\system32\msnetax.dll
C:\Documents and Settings\All Users\Dokumenter\Settings\partnership.dll
C:\WINNT\system32\rpcc.dll
C:\WINNT\system32\xqi.dll
C:\WINNT\system32\cwgppb.dll
C:\Documents and Settings\Bruger\~tmp0374.exe

The folder:
C:\Programmer\Video ActiveX Object\

-- Run SmitfraudFix. Press 2 and answer yes to cleaning (y=yes). Let the program complete a cleaning. It will also check whether the system file wininet.dll is infected. If it is, you will be asked for permission to replace it with another. Here you must choose "Yes" by pressing "y".

The program may have to restart along the way. After that, a list with the results of the cleaning will appear. Copy this list into the thread.

-- Run a full scan with AVG Anti-Spyware, and allow the program to fix the things it finds. The program produces a small log, which you should copy in here.

-- Restart and post a fresh HijackThis log here, together with the log from AVG Anti-Spyware and the log from SmitfraudFix (C:\rapport.txt).

-- Also download this tool and save it to your desktop:
http://www.uploads.ejvindh.net/rootchk.exe

Run the program. After a short while a log file will appear. Copy the contents of this log into the thread.
toh (Beginner)
15 February 2007 - 11:50 #3
Hi Ejvindh

My reply has taken rather a long time, but the machine has also been causing problems, with new viruses all the time. Here are the log files that belong to the above.

Logfile of HijackThis v1.99.1
Scan saved at 11:48:23, on 15-02-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\drivers\trcboot.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmer\Network Associates\Common Framework\FrameworkService.exe
C:\Programmer\Network Associates\VirusScan\vstskmgr.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\IBM\Personal Communications\PCS_AGNT.EXE
c:\winnt\system32\srvany.exe
C:\Programmer\Norton AntiVirus\navapsvc.exe
c:\winnt\system32\MReg.exe
C:\Programmer\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\System32\snmp.exe
C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\TpKmpSVC.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\Programmer\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programmer\Analog Devices\SoundMAX\Smax4.exe
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Programmer\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Programmer\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Programmer\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Programmer\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINNT\system32\TpShocks.exe
C:\Programmer\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Programmer\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
C:\Programmer\Network Associates\Common Framework\UpdaterUI.exe
C:\Programmer\Network Associates\VirusScan\SHSTAT.EXE
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Lexmark 6200 Series\lxbumon.exe
C:\Programmer\Lexmark 6200 Series\ezprint.exe
C:\Programmer\Java\jre1.5.0_10\bin\jusched.exe
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\WINNT\System32\lxbucoms.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINNT\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\Nikon\PictureProject\NkbMonitor.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bruger\Skrivebord\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmer\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmer\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Programmer\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Programmer\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [QCTRAY] C:\Programmer\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Programmer\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [UC_Start] C:\Programmer\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Programmer\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [HydraVisionViewport] C:\Programmer\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programmer\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Programmer\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Programmer\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [lxbumon.exe] "C:\Programmer\Lexmark 6200 Series\lxbumon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Programmer\Lexmark 6200 Series\ezprint.exe"
O4 - HKLM\..\Run: [Adaware] C:\Programmer\Norman\Norman~1\ad-aware.exe /smart +prefs:G:\Ad-Aware\settings.awc +nodefnotice +silent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [NPCTray] C:\Programmer\TDCpakke\npc\bin\npc_tray.exe /LOAD
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ccApp] C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Programmer\Fælles filer\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [LXBUCATS] rundll32 C:\WINNT\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Programmer\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O14 - IERESET.INF: START_PAGE_URL=http://www.flc-nord.dk
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = int.radhus.dom
O17 - HKLM\Software\..\Telephony: DomainName = int.radhus.dom
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = int.radhus.dom
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = int.radhus.dom
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = int.radhus.dom
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Dokumenter\Settings\partnership.dll (file missing)
O20 - Winlogon Notify: QConGina - C:\WINNT\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: rpcc - C:\WINNT\system32\rpcc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINNT\System32\lxbucoms.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Programmer\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Programmer\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: M·HardwareScan Service (MHardwareScan) - Ementor Danmark A/S - C:\WINNT\System32\MHardwareScan.exe
O23 - Service: ieupdater (Microsoft IE Updater) - Unknown owner - C:\Documents and Settings\Bruger\~tmp0374.exe (file missing)
O23 - Service: MReg - Unknown owner - c:\winnt\system32\srvany.exe
O23 - Service: M·SoftwareScan (MSoftwareScan) - Ementor Danmark A/S - C:\WINNT\System32\MSoftwareScan.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Programmer\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Programmer\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: QCONSVC - IBM Corp. - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FLLESF~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINNT\system32\TpKmpSVC.exe
O23 - Service: TrcBoot - Unknown owner - C:\WINNT\System32\drivers\trcboot.exe

SmitFraudFix v2.141

Scan done at 13:44:00,75, 12-02-2007
Run from C:\Documents and Settings\Bruger\Skrivebord\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}"="Network Neighborhood"

[HKEY_CLASSES_ROOT\CLSID\{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32]
@="C:\WINNT\Media\d3db32.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32]
@="C:\WINNT\Media\d3db32.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8A5849C4-93F3-429D-FF34-660A2068897C}"="OpenGL additional"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2acf3add-34a1-4f2f-99cf-cc69785d1e90}"="exemplars"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1      localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Programmer\AntiVermeans\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}"="Network Neighborhood"

[HKEY_CLASSES_ROOT\CLSID\{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32]
@="C:\WINNT\Media\d3db32.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32]
@="C:\WINNT\Media\d3db32.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8A5849C4-93F3-429D-FF34-660A2068897C}"="OpenGL additional"



»»»»»»»»»»»»»»»»»»»»»»»» End

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at:    10:57:55 14-02-2007

+ Scan result:   



HKU\.DEFAULT\Software\Internet Security -> Adware.IntCodec : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Internet Security -> Adware.IntCodec : Cleaned with backup (quarantined).
C:\WINNT\system32\raddrv.dll -> Not-A-Virus.RemoteAdmin.Win32.RAdmin.20 : Ignored.


::Report end
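
Added example, not part of the thread and not written by its participants: a Python parser for HijackThis entry lines that flags the entry types selected for fixing in #2 and compares the scan from 12-02-2007 with the one from 15-02-2007. The rules in `review_reasons` are assumptions that only produce candidates for manual review (a legitimate O20 entry such as QConGina would be flagged too), and the sample lines are copied from the two logs above.

```python
import re

# A HijackThis entry line looks like "O23 - Service: name - owner - path".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
MISSING = " (file missing)"

def parse_entries(log_text):
    """Return (section, body) pairs, skipping the header and process list."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def review_reasons(section, body):
    """Assumed review heuristics; an empty list means 'not flagged'."""
    reasons = []
    low = body.lower()
    if body.endswith(MISSING):
        reasons.append("registration points at a missing file")
    if section == "O2" and re.match(r"BHO: [A-Za-z]:\\", body):
        reasons.append("BHO has no display name, only a path")
    if section == "O10":
        reasons.append("Winsock LSP provider HijackThis does not recognise")
    if section in ("O20", "O21"):
        reasons.append("DLL loaded into winlogon/explorer at logon")
    if (section == "O23" and "unknown owner" in low
            and "\\documents and settings\\" in low):
        reasons.append("service image without vendor info in a user profile")
    return reasons

def entry_key(section, body):
    """Identity of an entry, ignoring case and the '(file missing)' suffix."""
    if body.endswith(MISSING):
        body = body[:-len(MISSING)]
    return (section, body.lower())

def compare_scans(before_text, after_text):
    """Split flagged entries of the first scan into gone / still registered."""
    after = {entry_key(s, b): b for s, b in parse_entries(after_text)}
    gone, still, seen = [], [], set()
    for s, b in parse_entries(before_text):
        k = entry_key(s, b)
        if k in seen or not review_reasons(s, b):
            continue
        seen.add(k)  # the O10 lines repeat many times in a real log
        if k in after:
            state = "file missing" if after[k].endswith(MISSING) else "file present"
            still.append((s, b, state))
        else:
            gone.append((s, b))
    return gone, still

# Lines copied from the first log in this thread (12-02-2007).
BEFORE = r"""
O2 - BHO: C:\WINNT\system32\zvZoCrypt.dll - {8A5849C4-93F3-429D-FF34-660A2068897C} - C:\WINNT\system32\zvZoCrypt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\msnetax.dll
O20 - Winlogon Notify: rpcc - C:\WINNT\system32\rpcc.dll
O21 - SSODL: AridcMnJ - {4CE062DE-E64A-C874-0CEA-D61C70063441} - C:\WINNT\system32\xqi.dll (file missing)
O23 - Service: ieupdater (Microsoft IE Updater) - Unknown owner - C:\Documents and Settings\Bruger\~tmp0374.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
"""

# Lines copied from the second log in this thread (15-02-2007).
AFTER = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O20 - Winlogon Notify: rpcc - C:\WINNT\system32\rpcc.dll
O23 - Service: ieupdater (Microsoft IE Updater) - Unknown owner - C:\Documents and Settings\Bruger\~tmp0374.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
"""

if __name__ == "__main__":
    gone, still = compare_scans(BEFORE, AFTER)
    for s, b in gone:
        print("gone :", s, b)
    for s, b, state in still:
        print("still:", s, b, "->", state)
```

An entry that is still registered with its file missing means the file was deleted while the service or Notify key survived, so the registration itself still has to be removed.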
ejvindh (Expert)
15 February 2007 - 11:59 #4
I'm looking at it. In the meantime, you can make the log file from rootchk that I also asked you for :-)
toh (Beginner)
15 February 2007 - 12:15 #5
********************************* ROOTCHK-LOG, by ejvindh
15-02-2007 12:14:33,10

The rootkits that are detected by this tool were not found.

********************************* ROOTCHK-LOG-end
ejvindh (Expert)
15 February 2007 - 12:59 #6
Those are some nasty infections you have had in there. If you have the option, you should perhaps consider a reinstallation. You can see descriptions of a couple of the items at these links:
http://research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Proxy.Win32.Xorpix.Fam&threatid=44436
http://research.sunbelt-software.com/threatdisplay.aspx?name=Backdoor.Win32.Bifrose.aat&threatid=70540
http://www.sophos.com/security/analyses/trojdwnldrfvc.html

I can remove the infections so that they are no longer active, but I cannot guarantee that I will get all the areas cleaned up where they have lowered the general security of your computer.

If you want to continue, try this: Download OldTimer's WinPFind3 from here:
http://download.bleepingcomputer.com/oldtimer/winpfind3u.exe

Double-click the WinPFind3u file you downloaded and click Extract. The program is then unpacked into a separate folder. Go into this folder and double-click WinPFind3U.exe. Copy the contents between the wavy lines into the white field on the right (right-click the field and choose "Sæt ind"/"Paste"):

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[Kill Explorer]
[Unregister Dlls]
[Win32 Services - Non-Microsoft Only]
YY -> (ieupdater) Microsoft IE Updater [Win32_Own | Auto | Running] -> C:\Documents and Settings\Bruger\~tmp0374.exe
[Registry - Non-Microsoft Only]
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YN -> partnershipreg -> C:\Documents and Settings\All Users\Dokumenter\Settings\partnership.dll
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YN -> rpcc -> C:\WINNT\system32\rpcc.dll
< Internet Explorer Settings > ->
YN -> HKLM: Local Page -> %SystemRoot%\system32\blank.htm
YN -> HKCU: Local Page -> C:\WINDOWS\system32\blank.htm
[ Extra Files ]
C:\Documents and Settings\All Users\Dokumenter\Settings\partnership.dll
C:\WINNT\system32\rpcc.dll
[ Extra Registry Entries ]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}  ->
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}\  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{8A5849C4-93F3-429D-FF34-660A2068897C}  ->
[Start Explorer]
[Reboot]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Then click "Run Fix" and follow the instructions that are given. Your computer will now restart. After the restart, open the WinPFind3u folder again. There will now be a log there whose name consists of a lot of numbers - copy that in here as well. Then run the WinPFind3u program again. Set the check marks and radio buttons as follows:

Processes: Non-Microsoft
Win32 Services: Non-Microsoft
Driver Services: Non-Microsoft
Registry:  Non-Microsoft
Files Created Within: 30 Days, Non-Microsoft Only
Files Modified Within: 30 Days, Non-Microsoft Only
File String Search: Non-Microsoft

Then click "Run Scan". After some time a log file will appear, which you are welcome to paste in here. The log may be so long that it cannot fit in a single post. In that case you will have to post it in several parts.
toh Beginner
16 February 2007 - 08:58 #7
Hi Ejvindh, here are the log files
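The fix script in the post above removes a service whose binary sits in a user profile under a temp-style name. As an added example (not part of the original post and not WinPFind3's own code), this Python sketch parses WinPFind3-style service lines and lists reasons to review each entry; the three heuristics and the `ExampleSvc` line are assumptions made for illustration, and the other sample lines are copied from the logs in this thread.

```python
import ntpath
import re

# Service lines in the WinPFind3 format shown in this thread: the first three
# are copied from the thread's log, the last one is constructed for the example.
SAMPLE_LOG = r"""
(ccEvtMgr) Symantec Event Manager [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\ccEvtMgr.exe -> Symantec Corporation [Ver = 1.00.37 | Size = 308936 bytes | Modified Date = 08-08-2002 22:40:02 | Attr =    ]
(SoundMAX Agent Service (default)) SoundMAX Agent Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Analog Devices\SoundMAX\SMAgent.exe -> Analog Devices, Inc. [Ver = 3, 2, 6, 0 | Size = 45056 bytes | Modified Date = 20-09-2002 15:50:10 | Attr =    ]
(Microsoft IE Updater) ieupdater [Win32_Own | Auto | Stopped] -> %SystemDrive%\Documents and Settings\Bruger\~tmp0374.exe -> File not found
(ExampleSvc) Example Service [Win32_Own | On_Demand | Stopped] -> %System32%\example.exe -> File not found
"""

# "Display name [type | start mode | state]"
HEAD_RE = re.compile(
    r"^(?P<display>.*?)\s*\[(?P<type>[^|\]]+)\|(?P<start>[^|\]]+)\|(?P<state>[^|\]]+)\]$"
)


def split_key(line):
    """Return (key, rest) for '(key) rest', honouring nested parentheses."""
    if not line.startswith("("):
        return None
    depth = 0
    for i, ch in enumerate(line):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return line[1:i], line[i + 1:].strip()
    return None


def parse_service_line(line):
    """Parse one service/driver line into a dict, or return None if it does not fit."""
    keyed = split_key(line.strip())
    if keyed is None:
        return None
    key, rest = keyed
    parts = rest.split(" -> ", 2)  # head -> image path -> vendor/metadata
    if len(parts) != 3:
        return None
    head = HEAD_RE.match(parts[0].strip())
    if head is None:
        return None
    missing = parts[2].strip() == "File not found"
    vendor = "" if missing else parts[2].split("[Ver", 1)[0].strip()
    return {
        "key": key,
        "display": head["display"],
        "type": head["type"].strip(),
        "start": head["start"].strip(),
        "state": head["state"].strip(),
        "path": parts[1].strip(),
        "vendor": vendor,
        "missing": missing,
    }


def review_reasons(svc):
    """Heuristics (assumptions for this example): reasons to look closer, not verdicts."""
    reasons = []
    path = svc["path"].lower()
    name = ntpath.basename(path)
    if "\\documents and settings\\" in path:
        reasons.append("binary in a user profile")
    if name.startswith("~") or name.startswith("tmp"):
        reasons.append("temp-style file name")
    if svc["start"] == "Auto" and svc["missing"]:
        reasons.append("auto-start entry points at a missing file")
    return reasons


def triage(log_text):
    """Return [(service key, [reasons])] for every parsed line with at least one reason."""
    findings = []
    for line in log_text.splitlines():
        svc = parse_service_line(line)
        if svc is None:
            continue
        reasons = review_reasons(svc)
        if reasons:
            findings.append((svc["key"], reasons))
    return findings


if __name__ == "__main__":
    for key, reasons in triage(SAMPLE_LOG):
        print(f"{key}: {', '.join(reasons)}")
```

An auto-start entry that points at a missing file can also be a harmless leftover, so each finding is a prompt to inspect the entry, not a verdict.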

WinPFind3 logfile created on: 16-02-2007 08:46:39
WinPFind3U by OldTimer - Version 1.0.18    Folder = C:\Documents and Settings\Bruger\Skrivebord\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

261040 Kb Total Physical Memory | 67820 Kb Available Physical Memory | 25,98% Memory free
1795948 Kb Paging File | 1494432 Kb Available in Paging File | 83,21% Paging File free
Paging file location(s): D:\pagefile.sys 756 1512;

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Programmer
Drive C: | 8195008 Kb Total Space | 2482810 Kb Free Space | 30,30% Space Free
Drive D: | 21099928 Kb Total Space | 19465192 Kb Free Space | 92,25% Space Free
E: Drive not present or media not loaded
F: Drive not present or media not loaded


[Processes - Non-Microsoft Only]
ati2evxx.exe -> %System32%\ati2evxx.exe ->  [Ver =  | Size = 397312 bytes | Modified Date = 19-11-2004 17:40:42 | Attr =    ]
ati2evxx.exe -> %System32%\ati2evxx.exe ->  [Ver =  | Size = 397312 bytes | Modified Date = 19-11-2004 17:40:42 | Attr =    ]
avgas.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 50 | Size = 6266880 bytes | Modified Date = 15-02-2007 07:29:20 | Attr =    ]
ccapp.exe -> %CommonProgramFiles%\Symantec Shared\ccApp.exe -> Symantec Corporation [Ver = 1.00.104 | Size = 50880 bytes | Modified Date = 19-08-2002 22:22:38 | Attr =    ]
ccevtmgr.exe -> %CommonProgramFiles%\Symantec Shared\ccEvtMgr.exe -> Symantec Corporation [Ver = 1.00.37 | Size = 308936 bytes | Modified Date = 08-08-2002 22:40:02 | Attr =    ]
ezejmnap.exe -> %ProgramFiles%\ThinkPad\Utilities\EzEjMnAp.Exe -> IBM Corp. [Ver = 1, 0, 0, 0 | Size = 208896 bytes | Modified Date = 25-12-2003 10:04:00 | Attr =    ]
ezprint.exe -> %ProgramFiles%\Lexmark 6200 Series\ezprint.exe ->  [Ver =  | Size = 61440 bytes | Modified Date = 17-09-2004 14:24:00 | Attr =    ]
frameworkservice.exe -> %ProgramFiles%\Network Associates\Common Framework\FrameworkService.exe -> Network Associates, Inc. [Ver = 3.5.0.446 | Size = 102463 bytes | Modified Date = 23-11-2004 15:50:00 | Attr =    ]
guard.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 204800 bytes | Modified Date = 28-09-2006 15:13:20 | Attr =    ]
hydradm.exe -> %ProgramFiles%\ATI Technologies\ATI HYDRAVISION\HydraDM.exe -> ATI Technologies Inc. [Ver = 3.25.0004 | Size = 270336 bytes | Modified Date = 26-06-2003 21:00:00 | Attr =    ]
hydramd.exe -> %ProgramFiles%\ATI Technologies\ATI HYDRAVISION\HydraMD.exe -> ATI Technologies Inc. [Ver = 3.25.0004 | Size = 364544 bytes | Modified Date = 26-06-2003 21:00:00 | Attr =    ]
ibmpmsvc.exe -> %System32%\ibmpmsvc.exe ->  [Ver =  | Size = 57344 bytes | Modified Date = 19-11-2004 17:41:20 | Attr =    ]
jusched.exe -> %ProgramFiles%\Java\jre1.5.0_10\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 5.0.100.3 | Size = 49263 bytes | Modified Date = 09-11-2006 15:07:30 | Attr =    ]
lxbucoms.exe -> %System32%\lxbucoms.exe -> Lexmark International, Inc. [Ver = 1.101.39.0 | Size = 450560 bytes | Modified Date = 23-09-2004 18:58:02 | Attr =    ]
lxbumon.exe -> %ProgramFiles%\Lexmark 6200 Series\lxbumon.exE -> Lexmark International, Inc. [Ver = 1.198.0.0 | Size = 188416 bytes | Modified Date = 22-09-2004 11:41:02 | Attr =    ]
mreg.exe -> %System32%\MREG.EXE -> Ementor Danmark A/S [Ver = 9.02.0001 | Size = 36864 bytes | Modified Date = 14-03-2005 10:04:46 | Attr =    ]
naprdmgr.exe -> %ProgramFiles%\Network Associates\Common Framework\naPrdMgr.exe -> Network Associates, Inc. [Ver = 3.5.0.446 | Size = 237623 bytes | Modified Date = 23-11-2004 15:50:00 | Attr =    ]
navapsvc.exe -> %ProgramFiles%\Norton AntiVirus\Navapsvc.exe -> Symantec Corporation [Ver = 9.00.1104 | Size = 116336 bytes | Modified Date = 19-08-2002 22:35:38 | Attr =    ]
nkbmonitor.exe -> %ProgramFiles%\Nikon\PictureProject\NkbMonitor.exe -> Nikon Corporation [Ver = 1, 0, 0, 3007 | Size = 118784 bytes | Modified Date = 05-02-2004 14:28:16 | Attr =    ]
nprotect.exe -> %ProgramFiles%\Norton AntiVirus\AdvTools\NPROTECT.EXE -> Symantec Corporation [Ver = 16.00.0.22 | Size = 135168 bytes | Modified Date = 14-08-2002 06:03:00 | Attr =    ]
pcs_agnt.exe -> %ProgramFiles%\IBM\Personal Communications\PCS_AGNT.EXE -> IBM Corporation [Ver = 4.3 | Size = 40960 bytes | Modified Date = 03-12-2002 05:51:42 | Attr =    ]
qconsvc.exe -> %System32%\QCONSVC.EXE -> IBM Corp. [Ver = 3, 3, 0, 0 | Size = 73728 bytes | Modified Date = 18-08-2004 03:30:00 | Attr =    ]
qctray.exe -> %ProgramFiles%\ThinkPad\ConnectUtilities\QCTRAY.EXE -> IBM Corp. [Ver = 3, 3, 0, 0 | Size = 708608 bytes | Modified Date = 18-08-2004 03:30:00 | Attr =    ]
qcwlicon.exe -> %ProgramFiles%\ThinkPad\ConnectUtilities\QCWLICON.EXE -> IBM Corp. [Ver = 3, 3, 0, 0 | Size = 81920 bytes | Modified Date = 18-08-2004 03:30:00 | Attr =    ]
qttask.exe -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 6.5 | Size = 98304 bytes | Modified Date = 12-12-2004 11:54:06 | Attr =    ]
shstat.exe -> %ProgramFiles%\Network Associates\VirusScan\shstat.exe -> Network Associates, Inc. [Ver = 8.0.0.912 | Size = 94208 bytes | Modified Date = 22-09-2004 19:00:00 | Attr =    ]
smagent.exe -> %ProgramFiles%\Analog Devices\SoundMAX\SMAgent.exe -> Analog Devices, Inc. [Ver = 3, 2, 6, 0 | Size = 45056 bytes | Modified Date = 20-09-2002 15:50:10 | Attr =    ]
smax4.exe -> %ProgramFiles%\Analog Devices\SoundMAX\SMax4.exe -> Analog Devices, Inc. [Ver = 5, 0, 2, 4 | Size = 860160 bytes | Modified Date = 06-08-2004 08:27:56 | Attr =    ]
smax4pnp.exe -> %ProgramFiles%\Analog Devices\SoundMAX\SMax4PNP.exe -> Analog Devices, Inc. [Ver = 5, 0, 1, 57 | Size = 1368064 bytes | Modified Date = 01-04-2004 10:52:06 | Attr =    ]
srvany.exe -> %System32%\SRVANY.EXE ->  [Ver =  | Size = 13312 bytes | Modified Date = 19-11-2004 17:39:44 | Attr =    ]
syntpenh.exe -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe -> Synaptics, Inc. [Ver = 7.5.17.12 16Jun04 | Size = 512000 bytes | Modified Date = 19-11-2004 17:41:46 | Attr =    ]
syntplpr.exe -> %ProgramFiles%\Synaptics\SynTP\SynTPLpr.exe -> Synaptics, Inc. [Ver = 7.5.17.12 16Jun04 | Size = 110592 bytes | Modified Date = 19-11-2004 17:41:46 | Attr =    ]
tphkmgr.exe -> %ProgramFiles%\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe ->  [Ver =  | Size = 94208 bytes | Modified Date = 08-08-2003 00:57:52 | Attr =    ]
tpkmpsvc.exe -> %System32%\TpKmpSvc.exe ->  [Ver =  | Size = 32768 bytes | Modified Date = 11-07-2003 18:19:22 | Attr =    ]
tponscr.exe -> %ProgramFiles%\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe ->  [Ver =  | Size = 77824 bytes | Modified Date = 23-06-2003 16:34:18 | Attr =    ]
tpscrex.exe -> %ProgramFiles%\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe -> IBM Corporation [Ver = 1.06 | Size = 65536 bytes | Modified Date = 11-01-2002 00:01:34 | Attr =    ]
tpshocks.exe -> %System32%\TpShocks.exe ->  [Ver =  | Size = 102400 bytes | Modified Date = 28-01-2004 16:43:56 | Attr =    ]
trcboot.exe -> %System32%\drivers\trcboot.exe ->  [Ver =  | Size = 24576 bytes | Modified Date = 03-12-2002 05:51:44 | Attr =    ]
updaterui.exe -> %ProgramFiles%\Network Associates\Common Framework\UpdaterUI.exe -> Network Associates, Inc. [Ver = 3.5.0.446 | Size = 139320 bytes | Modified Date = 23-11-2004 15:50:00 | Attr =    ]
vstskmgr.exe -> %ProgramFiles%\Network Associates\VirusScan\vstskmgr.exe -> Network Associates, Inc. [Ver = 8.0.0.1002 | Size = 29184 bytes | Modified Date = 22-08-2005 19:00:00 | Attr =    ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> Oldtimer Tools [Ver = 1.0.18.0 | Size = 308736 bytes | Modified Date = 12-02-2007 21:39:14 | Attr =    ]

[Win32 Services - Non-Microsoft Only]
(Ati HotKey Poller) Ati HotKey Poller [Win32_Own | Auto | Running] -> %System32%\ati2evxx.exe ->  [Ver =  | Size = 397312 bytes | Modified Date = 19-11-2004 17:40:42 | Attr =    ]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 204800 bytes | Modified Date = 28-09-2006 15:13:20 | Attr =    ]
(ccEvtMgr) Symantec Event Manager [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\ccEvtMgr.exe -> Symantec Corporation [Ver = 1.00.37 | Size = 308936 bytes | Modified Date = 08-08-2002 22:40:02 | Attr =    ]
(ccPwdSvc) Symantec Password Validation Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Symantec Shared\ccPwdSvc.exe -> Symantec Corporation [Ver = 1.00.104 | Size = 63176 bytes | Modified Date = 19-08-2002 22:23:32 | Attr =    ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 225280 bytes | Modified Date = 26-08-2004 16:53:50 | Attr =    ]
(IBMPMSVC) IBM PM Service [Win32_Own | Auto | Running] -> %System32%\ibmpmsvc.exe ->  [Ver =  | Size = 57344 bytes | Modified Date = 19-11-2004 17:41:20 | Attr =    ]
(lxbu_device) lxbu_device [Win32_Own | On_Demand | Running] -> %System32%\lxbucoms.exe -> Lexmark International, Inc. [Ver = 1.101.39.0 | Size = 450560 bytes | Modified Date = 23-09-2004 18:58:02 | Attr =    ]
(McAfeeFramework) McAfee Framework Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Network Associates\Common Framework\FrameworkService.exe -> Network Associates, Inc. [Ver = 3.5.0.446 | Size = 102463 bytes | Modified Date = 23-11-2004 15:50:00 | Attr =    ]
(McTaskManager) Network Associates Task Manager [Win32_Own | Auto | Running] -> %ProgramFiles%\Network Associates\VirusScan\vstskmgr.exe -> Network Associates, Inc. [Ver = 8.0.0.1002 | Size = 29184 bytes | Modified Date = 22-08-2005 19:00:00 | Attr =    ]
(MHardwareScan) M·HardwareScan Service [Win32_Own | Auto | Stopped] -> %System32%\MHardwareScan.exe -> Ementor Danmark A/S [Ver = 9.02.0386 | Size = 442368 bytes | Modified Date = 21-02-2005 14:12:36 | Attr =    ]
(Microsoft IE Updater) ieupdater [Win32_Own | Auto | Stopped] -> %SystemDrive%\Documents and Settings\Bruger\~tmp0374.exe -> File not found
(MReg) MReg [Win32_Own | Auto | Running] -> %System32%\SRVANY.EXE ->  [Ver =  | Size = 13312 bytes | Modified Date = 19-11-2004 17:39:44 | Attr =    ]
(MSoftwareScan) M·SoftwareScan [Win32_Own | On_Demand | Stopped] -> %System32%\MSoftwareScan.exe -> Ementor Danmark A/S [Ver = 9.02.1089 | Size = 286720 bytes | Modified Date = 14-03-2005 12:11:00 | Attr =    ]
(navapsvc) Norton AntiVirus Auto Protect Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Norton AntiVirus\Navapsvc.exe -> Symantec Corporation [Ver = 9.00.1104 | Size = 116336 bytes | Modified Date = 19-08-2002 22:35:38 | Attr =    ]
(NProtectService) Norton Unerase Protection [Win32_Own | Auto | Running] -> %ProgramFiles%\Norton AntiVirus\AdvTools\NPROTECT.EXE -> Symantec Corporation [Ver = 16.00.0.22 | Size = 135168 bytes | Modified Date = 14-08-2002 06:03:00 | Attr =    ]
(QCONSVC) QCONSVC [Win32_Own | Auto | Running] -> %System32%\QCONSVC.EXE -> IBM Corp. [Ver = 3, 3, 0, 0 | Size = 73728 bytes | Modified Date = 18-08-2004 03:30:00 | Attr =    ]
(r_server) Remote Administrator Service [Win32_Own | Auto | Stopped] -> %System32%\r_server.exe ->  [Ver =  | Size = 241664 bytes | Modified Date = 21-08-2001 09:37:30 | Attr =    ]
(SBService) ScriptBlocking Service [Win32_Own | Auto | Stopped] -> %CommonProgramFiles%\Symantec Shared\Script Blocking\SBServ.exe -> Symantec Corporation [Ver = 1, 1, 0, 126 | Size = 54408 bytes | Modified Date = 13-08-2001 23:18:36 | Attr =    ]
(SNDSrvc) Symantec Network Drivers Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Symantec Shared\SNDSrvc.exe -> Symantec Corporation [Ver = 5.5.1.6 | Size = 206552 bytes | Modified Date = 05-04-2005 11:17:22 | Attr =    ]
(SoundMAX Agent Service (default)) SoundMAX Agent Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Analog Devices\SoundMAX\SMAgent.exe -> Analog Devices, Inc. [Ver = 3, 2, 6, 0 | Size = 45056 bytes | Modified Date = 20-09-2002 15:50:10 | Attr =    ]
(TpKmpSVC) IBM KCU Service [Win32_Own | Auto | Running] -> %System32%\TpKmpSvc.exe ->  [Ver =  | Size = 32768 bytes | Modified Date = 11-07-2003 18:19:22 | Attr =    ]
(TrcBoot) TrcBoot [Win32_Own | Auto | Running] -> %System32%\drivers\trcboot.exe ->  [Ver =  | Size = 24576 bytes | Modified Date = 03-12-2002 05:51:44 | Attr =    ]

[Driver Services - Non-Microsoft Only]
(Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped] ->  -> File not found
(abp480n5) abp480n5 [Kernel | Disabled | Stopped] ->  -> File not found
(adpu160m) adpu160m [Kernel | Disabled | Stopped] ->  -> File not found
(aeaudio) aeaudio [Kernel | On_Demand | Running] -> %System32%\drivers\aeaudio.sys -> Andrea Electronics Corporation [Ver = 4.0.1.4 | Size = 116176 bytes | Modified Date = 19-11-2004 17:40:26 | Attr =    ]
(Aha154x) Aha154x [Kernel | Disabled | Stopped] ->  -> File not found
(aic78u2) aic78u2 [Kernel | Disabled | Stopped] ->  -> File not found
(aic78xx) aic78xx [Kernel | Disabled | Stopped] ->  -> File not found
(AliIde) AliIde [Kernel | Disabled | Stopped] ->  -> File not found
(amsint) amsint [Kernel | Disabled | Stopped] ->  -> File not found
(ANC) ANC [Kernel | System | Running] -> %System32%\drivers\ANC.sys -> IBM Corp. [Ver = 8.3 | Size = 11520 bytes | Modified Date = 18-08-2004 03:30:00 | Attr =    ]
(asc) asc [Kernel | Disabled | Stopped] ->  -> File not found
(asc3350p) asc3350p [Kernel | Disabled | Stopped] ->  -> File not found
(asc3550) asc3550 [Kernel | Disabled | Stopped] ->  -> File not found
(Atdisk) Atdisk [Kernel | Disabled | Stopped] ->  -> File not found
(ati2mtag) ati2mtag [Kernel | On_Demand | Running] -> %System32%\drivers\ati2mtag.sys -> ATI Technologies Inc. [Ver = 6.14.10.6462 | Size = 701440 bytes | Modified Date = 26-08-2004 16:48:14 | Attr =    ]
(AVG Anti-Spyware Driver) AVG Anti-Spyware Driver [Kernel | System | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.sys ->  [Ver =  | Size = 4096 bytes | Modified Date = 28-09-2006 15:13:34 | Attr =    ]
(AvgAsCln) AVG Anti-Spyware Clean Driver [Kernel | System | Running] -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Modified Date = 05-09-2006 17:03:16 | Attr =    ]
(cd20xrnt) cd20xrnt [Kernel | Disabled | Stopped] ->  -> File not found
(Changer) Changer [Kernel | System | Stopped] ->  -> File not found
(CmdIde) CmdIde [Kernel | Disabled | Stopped] ->  -> File not found
(Cpqarray) Cpqarray [Kernel | Disabled | Stopped] ->  -> File not found
(dac960nt) dac960nt [Kernel | Disabled | Stopped] ->  -> File not found
(dmboot) dmboot [Kernel | Disabled | Stopped] -> %System32%\drivers\dmboot.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 800000 bytes | Modified Date = 26-08-2004 16:49:40 | Attr =    ]
(dmio) dmio [Kernel | Disabled | Stopped] -> %System32%\drivers\dmio.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 153600 bytes | Modified Date = 26-08-2004 16:49:40 | Attr =    ]
(dmload) dmload [Kernel | Disabled | Stopped] -> %System32%\drivers\dmload.sys -> Microsoft Corp., Veritas Software. [Ver = 2600.0.503.0 | Size = 5888 bytes | Modified Date = 16-09-2002 13:00:00 | Attr =    ]
(dpti2o) dpti2o [Kernel | Disabled | Stopped] ->  -> File not found
(E1000) Intel(R) PRO/1000 Adapter Driver [Kernel | On_Demand | Running] -> %System32%\drivers\e1000325.sys -> Intel Corporation [Ver = 8.0.57.0 built by: WinDDK | Size = 169984 bytes | Modified Date = 19-11-2004 17:41:50 | Attr =    ]
(EntDrv51) EntDrv51 [Kernel | On_Demand | Stopped] -> %System32%\drivers\entdrv51.sys -> Network Associates, Inc [Ver = 8.0.0.448 | Size = 8448 bytes | Modified Date = 22-08-2005 19:00:00 | Attr =    ]
(hpn) hpn [Kernel | Disabled | Stopped] ->  -> File not found
(HSFHWICH) HSFHWICH [Kernel | On_Demand | Running] -> %System32%\drivers\HSFHWICH.sys -> Conexant Systems, Inc. [Ver = 7.02.02.00 | Size = 197888 bytes | Modified Date = 19-11-2004 17:41:00 | Attr =    ]
(HSF_DP) HSF_DP [Kernel | On_Demand | Running] -> %System32%\drivers\HSF_DP.sys -> Conexant Systems, Inc. [Ver = 7.02.02.00 | Size = 1041152 bytes | Modified Date = 19-11-2004 17:41:04 | Attr =    ]
(i2omgmt) i2omgmt [Kernel | System | Stopped] ->  -> File not found
(i2omp) i2omp [Kernel | Disabled | Stopped] ->  -> File not found
(IBMPMDRV) IBMPMDRV [Kernel | On_Demand | Running] -> %System32%\drivers\ibmpmdrv.sys -> IBM Corp. [Ver = 1.26 | Size = 11344 bytes | Modified Date = 19-11-2004 17:41:20 | Attr =    ]
(IBMTPCHK) IBMTPCHK [Kernel | System | Running] -> %System32%\drivers\IBMBLDID.SYS ->  [Ver =  | Size = 2432 bytes | Modified Date = 18-08-2004 03:30:00 | Attr =    ]
(ini910u) ini910u [Kernel | Disabled | Stopped] ->  -> File not found
(KLOGNT) KLOGNT [Kernel | On_Demand | Running] -> %System32%\drivers\klognt.sys ->  [Ver =  | Size = 23272 bytes | Modified Date = 03-12-2002 05:51:42 | Attr =    ]
(lbrtfdc) lbrtfdc [Kernel | System | Stopped] ->  -> File not found
(mdmxsdk) mdmxsdk [Kernel | Auto | Running] -> %System32%\drivers\mdmxsdk.sys -> Conexant [Ver = 1.0.2.006 | Size = 11868 bytes | Modified Date = 03-08-2004 21:41:56 | Attr =    ]
(mraid35x) mraid35x [Kernel | Disabled | Stopped] ->  -> File not found
(NaiAvFilter1) NaiAvFilter1 [Kernel | On_Demand | Stopped] -> %System32%\drivers\naiavf5x.sys -> Network Associates, Inc. [Ver = 8.0.0.309 | Size = 114624 bytes | Modified Date = 22-08-2005 19:00:00 | Attr =    ]
(NaiAvFilter102) NAI Anti Virus [File_System | On_Demand | Stopped] -> NaiAvFilter102.sys -> File not found
(NaiAvTdi1) NaiAvTdi1 [Kernel | System | Running] -> %System32%\drivers\mvstdi5x.sys -> Network Associates, Inc. [Ver = 8.0.0.301 | Size = 58464 bytes | Modified Date = 22-08-2005 19:00:00 | Attr =    ]
(NAVENG) NAVENG [Kernel | On_Demand | Running] -> %CommonProgramFiles%\Symantec Shared\VirusDefs\20070214.020\NAVENG.SYS -> Symantec Corporation [Ver = 20071.1.1.10 | Size = 80472 bytes | Modified Date = 14-02-2007 10:00:00 | Attr =    ]
(NAVEX15) NAVEX15 [Kernel | On_Demand | Running] -> %CommonProgramFiles%\Symantec Shared\VirusDefs\20070214.020\NAVEX15.SYS -> Symantec Corporation [Ver = 20071.1.1.10 | Size = 852600 bytes | Modified Date = 14-02-2007 10:00:00 | Attr =    ]
(NPDriver) Norton Unerase Protection Driver [Kernel | On_Demand | Running] -> %System32%\drivers\NPDRIVER.SYS -> Symantec Corporation [Ver = 16.00.0.22 | Size = 34578 bytes | Modified Date = 14-08-2002 06:03:00 | Attr =    ]
(NSCIRDA) NSC Infrared enhedsdriver [Kernel | On_Demand | Running] -> %System32%\drivers\nscirda.sys -> National Semiconductor Corporation [Ver = 5,02,00,011 (xpsp_sp2_rtm.040803-2158) | Size = 28672 bytes | Modified Date = 03-08-2004 22:00:52 | Attr =    ]
(NsTrcNT) NsTrcNT [Kernel | Auto | Running] -> %System32%\drivers\nstrcnt.sys ->  [Ver =  | Size = 10808 bytes | Modified Date = 03-12-2002 05:51:44 | Attr =    ]
(PCIDump) PCIDump [Kernel | System | Stopped] ->  -> File not found
(PDCOMP) PDCOMP [Kernel | On_Demand | Stopped] ->  -> File not found
(PDFRAME) PDFRAME [Kernel | On_Demand | Stopped] ->  -> File not found
(PDRELI) PDRELI [Kernel | On_Demand | Stopped] ->  -> File not found
(PDRFRAME) PDRFRAME [Kernel | On_Demand | Stopped] ->  -> File not found
(perc2) perc2 [Kernel | Disabled | Stopped] ->  -> File not found
(perc2hib) perc2hib [Kernel | Disabled | Stopped] ->  -> File not found
(PMEM) PMEM [Kernel | Auto | Stopped] -> C:\%System32%\drivers\pmemnt.sys -> File not found
(Ptilink) Driver til direkte, parallel forbindelse [Kernel | On_Demand | Running] -> %System32%\drivers\ptilink.sys -> Parallel Technologies, Inc. [Ver = 1.10 (XPClient.010817-1148) | Size = 17792 bytes | Modified Date = 16-09-2002 13:00:00 | Attr =    ]
(QCNDISIF) QCNDISIF [Kernel | On_Demand | Stopped] -> %System32%\drivers\qcndisif.sys -> IBM Corporation. [Ver = 1. 0. 0. 0 | Size = 12288 bytes | Modified Date = 18-08-2004 03:30:00 | Attr =    ]
(ql1080) ql1080 [Kernel | Disabled | Stopped] ->  -> File not found
(Ql10wnt) Ql10wnt [Kernel | Disabled | Stopped] ->  -> File not found
(ql12160) ql12160 [Kernel | Disabled | Stopped] ->  -> File not found
(ql1240) ql1240 [Kernel | Disabled | Stopped] ->  -> File not found
(ql1280) ql1280 [Kernel | Disabled | Stopped] ->  -> File not found
(SAVRT) SAVRT [Kernel | On_Demand | Running] -> %System32%\drivers\savrt.sys -> Symantec Corporation [Ver = 9.0.1.35 | Size = 235184 bytes | Modified Date = 25-07-2002 22:28:48 | Attr =    ]
(SAVRTPEL) SAVRTPEL [Kernel | Auto | Running] -> %System32%\drivers\Savrtpel.sys -> Symantec Corporation [Ver = 9.0.1.35 | Size = 34992 bytes | Modified Date = 25-07-2002 22:28:54 | Attr =    ]
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %System32%\drivers\secdrv.sys ->  [Ver =  | Size = 27440 bytes | Modified Date = 16-09-2002 13:00:00 | Attr =    ]
(ShockMgr) ShockMgr [Kernel | Auto | Running] -> %System32%\drivers\ShockMgr.sys -> IBM Corporation [Ver = 1.20.00 | Size = 4433 bytes | Modified Date = 15-12-2003 17:29:10 | Attr =    ]
(Shockprf) Shockprf [Kernel | Boot | Running] -> %System32%\drivers\shockprf.sys -> IBM Corporation [Ver = 1.20.00 | Size = 58568 bytes | Modified Date = 17-12-2003 13:50:10 | Attr =    ]
(Simbad) Simbad [Kernel | Disabled | Stopped] ->  -> File not found
(smwdm) smwdm [Kernel | On_Demand | Running] -> %System32%\drivers\smwdm.sys -> Analog Devices, Inc. [Ver = 5.12.01.5160 | Size = 266880 bytes | Modified Date = 23-06-2004 10:42:46 | Attr =    ]
(Sparrow) Sparrow [Kernel | Disabled | Stopped] ->  -> File not found
(symc810) symc810 [Kernel | Disabled | Stopped] ->  -> File not found
(symc8xx) symc8xx [Kernel | Disabled | Stopped] ->  -> File not found
(SymEvent) SymEvent [Kernel | On_Demand | Running] -> %ProgramFiles%\Symantec\SYMEVENT.SYS -> Symantec Corporation [Ver = 11.6.8.1 | Size = 124016 bytes | Modified Date = 15-09-2006 22:52:12 | Attr =    ]
(SYMREDRV) SYMREDRV [Kernel | On_Demand | Running] -> %System32%\drivers\symredrv.sys -> Symantec Corporation [Ver = 5.5.1.6 | Size = 17976 bytes | Modified Date = 05-04-2005 11:17:00 | Attr =    ]
(SYMTDI) SYMTDI [Kernel | System | Running] -> %System32%\drivers\symtdi.sys -> Symantec Corporation [Ver = 5.5.1.6 | Size = 267192 bytes | Modified Date = 05-04-2005 11:17:02 | Attr =    ]
(sym_hi) sym_hi [Kernel | Disabled | Stopped] ->  -> File not found
(sym_u3) sym_u3 [Kernel | Disabled | Stopped] ->  -> File not found
(SynTP) Synaptics TouchPad Driver [Kernel | On_Demand | Running] -> %System32%\drivers\SynTP.sys -> Synaptics, Inc. [Ver = 7.5.17.12 16Jun04 | Size = 270928 bytes | Modified Date = 19-11-2004 17:41:34 | Attr =    ]
(TDSMAPI) TDSMAPI [Kernel | System | Running] -> %System32%\drivers\TDSMAPI.SYS ->  [Ver =  | Size = 8831 bytes | Modified Date = 24-10-2003 09:35:00 | Attr =    ]
(TosIde) TosIde [Kernel | Disabled | Stopped] ->  -> File not found
(TPHKDRV) TPHKDRV [Kernel | System | Running] -> %System32%\drivers\TPHKDRV.sys -> IBM Corporation [Ver = 3.00 | Size = 16162 bytes | Modified Date = 23-06-2003 16:33:58 | Attr =    ]
(TPPWR) TPPWR [Kernel | System | Running] -> %System32%\drivers\TPPWR.SYS -> IBM Corp. [Ver = 1, 0, 0, 0 | Size = 15360 bytes | Modified Date = 05-02-2004 00:36:00 | Attr =    ]
(TSMAPIP) TSMAPIP [Kernel | System | Running] -> %System32%\drivers\TSMAPIP.SYS ->  [Ver =  | Size = 7168 bytes | Modified Date = 18-12-2003 10:30:00 | Attr =    ]
(ultra) ultra [Kernel | Disabled | Stopped] ->  -> File not found
(ViaIde) ViaIde [Kernel | Disabled | Stopped] ->  -> File not found
(w22n51) Intel(R) PRO/Wireless 2200 Adapter Driver for Windows XP [Kernel | On_Demand | Stopped] -> %System32%\drivers\w22n51.sys -> Intel® Corporation [Ver = 8010-25 Driver | Size = 3148672 bytes | Modified Date = 19-11-2004 17:41:20 | Attr =    ]
(WDICA) WDICA [Kernel | On_Demand | Stopped] ->  -> File not found
(winachsf) winachsf [Kernel | On_Demand | Running] -> %System32%\drivers\HSF_CNXT.sys -> Conexant Systems, Inc. [Ver = 7.02.02.00 built by: WinDDK | Size = 675840 bytes | Modified Date = 19-11-2004 17:41:02 | Attr =    ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
!AVG Anti-Spyware -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 50 | Size = 6266880 bytes | Modified Date = 15-02-2007 07:29:20 | Attr =    ]
Adaware -> %ProgramFiles%\Norman\Norman~1\ad-aware.exe /smart +prefs:G:\Ad-Aware\settings.awc -> File not found
Advanced Tools Check -> %ProgramFiles%\Norton AntiVirus\AdvTools\AdvChk.exe -> Symantec Corporation [Ver = 8.00.61 | Size = 79480 bytes | Modified Date = 26-08-2002 22:35:06 | Attr =    ]
ATIModeChange -> %System32%\Ati2mdxx.exe -> ATI Technologies, Inc. [Ver = 4.13.3 | Size = 28672 bytes | Modified Date = 19-11-2004 17:40:42 | Attr =    ]
BMMGAG -> %ProgramFiles%\ThinkPad\Utilities\PWRMONIT.DLL [RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor] -> IBM Corp. [Ver = 1, 0, 0, 0 | Size = 106496 bytes | Modified Date = 05-02-2004 00:36:00 | Attr =    ]
BMMLREF -> %ProgramFiles%\ThinkPad\Utilities\BMMLREF.EXE ->  [Ver =  | Size = 20480 bytes | Modified Date = 05-02-2004 00:36:00 | Attr =    ]
BMMMONWND -> %ProgramFiles%\ThinkPad\Utilities\BATINFEX.DLL [rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor] ->  [Ver =  | Size = 395264 bytes | Modified Date = 05-02-2004 00:36:00 | Attr =    ]
ccApp -> %CommonProgramFiles%\Symantec Shared\ccApp.exe -> Symantec Corporation [Ver = 1.00.104 | Size = 50880 bytes | Modified Date = 19-08-2002 22:22:38 | Attr =    ]
ccRegVfy -> %CommonProgramFiles%\Symantec Shared\ccRegVfy.exe -> Symantec Corporation [Ver = 1.00.104 | Size = 34504 bytes | Modified Date = 19-08-2002 22:23:16 | Attr =    ]
EZEJMNAP -> %ProgramFiles%\ThinkPad\Utilities\EzEjMnAp.Exe -> IBM Corp. [Ver = 1, 0, 0, 0 | Size = 208896 bytes | Modified Date = 25-12-2003 10:04:00 | Attr =    ]
EzPrint -> %ProgramFiles%\Lexmark 6200 Series\ezprint.exe ->  [Ver =  | Size = 61440 bytes | Modified Date = 17-09-2004 14:24:00 | Attr =    ]
FaxCenterServer -> %ProgramFiles%\Lexmark Fax Solutions\fm3032.exe ->  [Ver =  | Size = 299008 bytes | Modified Date = 22-09-2004 11:18:00 | Attr =    ]
HydraVisionDesktopManager -> %ProgramFiles%\ATI Technologies\ATI HYDRAVISION\HydraDM.exe -> ATI Technologies Inc. [Ver = 3.25.0004 | Size = 270336 bytes | Modified Date = 26-06-2003 21:00:00 | Attr =    ]
HydraVisionViewport -> %ProgramFiles%\ATI Technologies\ATI HYDRAVISION\HydraMD.exe -> ATI Technologies Inc. [Ver = 3.25.0004 | Size = 364544 bytes | Modified Date = 26-06-2003 21:00:00 | Attr =    ]
LXBUCATS -> %System32%\spool\drivers\w32x86\3\lxbutime.dll [rundll32 C:\WINNT\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16] ->  [Ver = 0.1.11.5 | Size = 69632 bytes | Modified Date = 10-09-2004 12:55:10 | Attr =    ]
lxbumon.exe -> %ProgramFiles%\Lexmark 6200 Series\lxbumon.exE -> Lexmark International, Inc. [Ver = 1.198.0.0 | Size = 188416 bytes | Modified Date = 22-09-2004 11:41:02 | Attr =    ]
McAfeeUpdaterUI -> %ProgramFiles%\Network Associates\Common Framework\UpdaterUI.exe -> Network Associates, Inc. [Ver = 3.5.0.446 | Size = 139320 bytes | Modified Date = 23-11-2004 15:50:00 | Attr =    ]
NPCTray -> %ProgramFiles%\TDCpakke\npc\bin\npc_tray.exe -> File not found
QCTRAY -> %ProgramFiles%\ThinkPad\ConnectUtilities\QCTRAY.EXE -> IBM Corp. [Ver = 3, 3, 0, 0 | Size = 708608 bytes | Modified Date = 18-08-2004 03:30:00 | Attr =    ]
QCWLICON -> %ProgramFiles%\ThinkPad\ConnectUtilities\QCWLICON.EXE -> IBM Corp. [Ver = 3, 3, 0, 0 | Size = 81920 bytes | Modified Date = 18-08-2004 03:30:00 | Attr =    ]
QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 6.5 | Size = 98304 bytes | Modified Date = 12-12-2004 11:54:06 | Attr =    ]
ShStatEXE -> %ProgramFiles%\Network Associates\VirusScan\shstat.exe -> Network Associates, Inc. [Ver = 8.0.0.912 | Size = 94208 bytes | Modified Date = 22-09-2004 19:00:00 | Attr =    ]
SoundMAX -> %ProgramFiles%\Analog Devices\SoundMAX\SMax4.exe -> Analog Devices, Inc. [Ver = 5, 0, 2, 4 | Size = 860160 bytes | Modified Date = 06-08-2004 08:27:56 | Attr =    ]
SoundMAXPnP -> %ProgramFiles%\Analog Devices\SoundMAX\SMax4PNP.exe -> Analog Devices, Inc. [Ver = 5, 0, 1, 57 | Size = 1368064 bytes | Modified Date = 01-04-2004 10:52:06 | Attr =    ]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.5.0_10\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 5.0.100.3 | Size = 49263 bytes | Modified Date = 09-11-2006 15:07:30 | Attr =    ]
Symantec NetDriver Monitor -> %ProgramFiles%\SymNetDrv\SNDMon.exe -> Symantec Corporation [Ver = 5.5.1.6 | Size = 100056 bytes | Modified Date = 15-02-2007 08:19:22 | Attr =    ]
SynTPEnh -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe -> Synaptics, Inc. [Ver = 7.5.17.12 16Jun04 | Size = 512000 bytes | Modified Date = 19-11-2004 17:41:46 | Attr =    ]
SynTPLpr -> %ProgramFiles%\Synaptics\SynTP\SynTPLpr.exe -> Synaptics, Inc. [Ver = 7.5.17.12 16Jun04 | Size = 110592 bytes | Modified Date = 19-11-2004 17:41:46 | Attr =    ]
TP4EX -> %System32%\TP4EX.exe -> IBM Corporation [Ver = 1.05.00 | Size = 53248 bytes | Modified Date = 04-09-2002 01:05:00 | Attr =    ]
TPHOTKEY -> %ProgramFiles%\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe ->  [Ver =  | Size = 94208 bytes | Modified Date = 08-08-2003 00:57:52 | Attr =    ]
TPKMAPHELPER -> %ProgramFiles%\ThinkPad\Utilities\TpKmapAp.exe -> IBM Corp. [Ver = 1, 1, 0, 0 | Size = 897024 bytes | Modified Date = 23-10-2003 23:39:22 | Attr =    ]
TpShocks -> %System32%\TpShocks.exe ->  [Ver =  | Size = 102400 bytes | Modified Date = 28-01-2004 16:43:56 | Attr =    ]
UC_SMB ->  -> File not found
UC_Start -> %ProgramFiles%\IBM\Updater\ucstartup.exe ->  [Ver =  | Size = 36864 bytes | Modified Date = 30-09-2003 15:39:00 | Attr =    ]
UserFaultCheck ->  -> File not found
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Common Startup > -> C:\Documents and Settings\All Users\Menuen Start\Programmer\Start
%AllUsersStartup%\Adobe Reader Hurtigstart.lnk -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.0.0.0 | Size = 29696 bytes | Modified Date = 14-12-2004 03:44:06 | Attr =    ]
%AllUsersStartup%\NkbMonitor.exe.lnk -> %ProgramFiles%\Nikon\PictureProject\NkbMonitor.exe -> Nikon Corporation [Ver = 1, 0, 0, 3007 | Size = 118784 bytes | Modified Date = 05-02-2004 14:28:16 | Attr =    ]
< Registry Shell Spawning > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command
regfile [merge] -> Reg Data - Key not found ->
scrfile [open] -> "%1" /S ->
scrfile [config] -> "%1" ->
*Command* -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\ShellNew\\Command ->
NewLinkHere ->  -> File not found
%1 ->  -> File not found
*Command* -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bfc\ShellNew\\Command ->
Briefcase_Create ->  -> File not found
%2!d! ->  -> File not found
%1 ->  -> File not found
< ActiveX StubPath [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\
{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} ->  ->
{22d6f312-b0f6-11d0-94ab-0080c74c7e95} ->  ->
{2C7339CF-2B09-4501-B3F3-F3508C9228ED} -> %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll ->
{44BBA840-CC51-11CF-AAFA-00AA00B6015C} -> "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install ->
{44BBA842-CC51-11CF-AAFA-00AA00B6015B} -> rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT ->
{5945c046-1e7d-11d1-bc44-00c04fd912be} -> rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msmsgs.inf,BLC.QuietInstall.PerUser ->
{6BF52A52-394A-11d3-B153-00C04F79FAA6} -> rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub ->
{73FA19D0-2D75-11D2-995D-00C04F98BBC9} ->  ->
{7790769C-0471-11d2-AF11-00C04FA35D02} -> "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install ->
{89820200-ECBD-11cf-8B85-00AA005B4340} -> regsvr32.exe /s /n /i:U shell32.dll ->
{89820200-ECBD-11cf-8B85-00AA005B4383} -> %SystemRoot%\system32\ie4uinit.exe ->
{89B4C1CD-B018-4511-B0A1-5476DBF70820} -> C:\WINNT\System32\Rundll32.exe C:\WINNT\System32\mscories.dll,Install ->
>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} -> C:\WINNT\INF\unregmp2.exe /ShowWMP ->
>{26923b43-4d38-484f-9b9e-de460746276c} -> %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE ->
>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS -> RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP ->
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a} -> %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE ->
< WOW Command Line [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW
*wowcmdline* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW\\wowcmdline ->
-a ->  -> File not found
< Session Manager Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
BootExecute -> autocheck autochk *; ->
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 73728 bytes | Modified Date = 28-09-2006 15:13:28 | Attr =    ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet ->
Control_RunDLL ->  -> File not found
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
AtiExtEvent -> %System32%\ati2evxx.dll ->  [Ver =  | Size = 86016 bytes | Modified Date = 19-11-2004 17:40:42 | Attr =    ]
QConGina -> %System32%\QConGina.dll -> IBM Corp. [Ver = 3, 3, 0, 0 | Size = 258048 bytes | Modified Date = 18-08-2004 03:30:00 | Attr =    ]
< Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoMSAppLogo5ChannelNotify -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 181 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoWelcomeScreen -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\\user32.dll -> C:\Programmer\Video ActiveX Object\isamntr.exe ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\\rare -> C:\Programmer\Video ActiveX Object\pmsnrr.exe ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
< Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 0 ->
-> HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer not found. ->
< HOSTS File > (723 bytes) -> C:\WINNT\System32\drivers\etc\Hosts
127.0.0.1      localhost ->  ->
< Internet Explorer Settings > ->
HKLM: Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome ->
HKLM: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKLM: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKLM: Start Page -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: Search\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKCU: Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKCU: Start Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
msn.com [ - ] ->  ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{BDF3E430-B101-42AD-A544-FADC6B084872} [HKLM] -> %ProgramFiles%\Norton AntiVirus\NAVShExt.dll [CNavExtBho Class] -> Symantec Corporation [Ver = 9.00.68 | Size = 112248 bytes | Modified Date = 26-08-2002 22:36:28 | Attr =    ]
< Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKLM] -> %ProgramFiles%\Norton AntiVirus\NAVShExt.dll [Norton AntiVirus] -> Symantec Corporation [Ver = 9.00.68 | Size = 112248 bytes | Modified Date = 26-08-2002 22:36:28 | Attr =    ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKLM] -> %ProgramFiles%\Norton AntiVirus\NAVShExt.dll [Norton AntiVirus] -> Symantec Corporation [Ver = 9.00.68 | Size = 112248 bytes | Modified Date = 26-08-2002 22:36:28 | Attr =    ]
< Internet Explorer CmdMapping [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -> 8192 - Sun Java Console ->
{FB5F1910-F110-11d2-BB9E-00C04F795683} -> 8194 - Windows Messenger ->
NextId -> 8195 ->
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_10\bin\npjpi150_10.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 5.0.100.3 | Size = 75528 bytes | Modified Date = 09-11-2006 15:21:54 | Attr =    ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKCU] -> %ProgramFiles%\Java\jre1.5.0_10\bin\ssv.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 5.0.100.3 | Size = 440056 bytes | Modified Date = 09-11-2006 15:21:52 | Attr =    ]
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
E&ksporter til Microsoft Excel ->  -> File not found
< Approved Shell Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
{0DF44EAA-FF21-4412-828E-260A8728E7F1} [HKLM] -> Reg Data - Key not found [Proceslinje og menuen Start] -> File not found
{32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Media Band] -> File not found
{42071714-76d4-11d1-8b24-00a0c9068ff3} [HKLM] -> deskpan.dll [Kontrolpanel-udvidelse til skærmpanorering] -> File not found
{764BF0E1-F219-11ce-972D-00AA00A14F56} [HKLM] -> Reg Data - Key not found [Grænsefladeudvidelser til filkomprimering] -> File not found
{7A9D77BD-5403-11d2-8785-2E0420524153} [HKLM] -> Reg Data - Key not found [Brugerkonti] -> File not found
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} [HKLM] -> Reg Data - Key not found [Kontekstmenu til kryptering] -> File not found
{88895560-9AA2-1069-930E-00AA0030EBC8} [HKLM] -> %System32%\hticons.dll [HyperTerminal-ikon] -> Hilgraeve, Inc. [Ver = 5.1.2600.0 | Size = 44544 bytes | Modified Date = 16-09-2002 13:00:00 | Attr =    ]
< ContextMenuHandlers - * [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\
{8934FCEF-F5B8-468f-951F-78A921CD3920} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\context.dll [AVG Anti-Spyware] -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 49 | Size = 98304 bytes | Modified Date = 15-02-2007 07:29:18 | Attr =    ]
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} [HKLM] -> %ProgramFiles%\Norton AntiVirus\NAVShExt.dll [Symantec.Norton.Antivirus.IEContextMenu] -> Symantec Corporation [Ver = 9.00.68 | Size = 112248 bytes | Modified Date = 26-08-2002 22:36:28 | Attr =    ]
{cda2863e-2497-4c49-9b89-06840e070a87} [HKLM] -> %ProgramFiles%\Network Associates\VirusScan\shext.dll [VirusScan] -> Network Associates, Inc. [Ver = 8.0.0.912 | Size = 13824 bytes | Modified Date = 22-09-2004 19:00:00 | Attr =    ]
< ContextMenuHandlers - Directory [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\
{8934FCEF-F5B8-468f-951F-78A921CD3920} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\context.dll [AVG Anti-Spyware] -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 49 | Size = 98304 bytes | Modified Date = 15-02-2007 07:29:18 | Attr =    ]
{cda2863e-2497-4c49-9b89-06840e070a87} [HKLM] -> %ProgramFiles%\Network Associates\VirusScan\shext.dll [VirusScan] -> Network Associates, Inc. [Ver = 8.0.0.912 | Size = 13824 bytes | Modified Date = 22-09-2004 19:00:00 | Attr =    ]
< ContextMenuHandlers - Folder [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} [HKLM] -> %ProgramFiles%\Norton AntiVirus\NAVShExt.dll [Symantec.Norton.Antivirus.IEContextMenu] -> Symantec Corporation [Ver = 9.00.68 | Size = 112248 bytes | Modified Date = 26-08-2002 22:36:28 | Attr =    ]
{cda2863e-2497-4c49-9b89-06840e070a87} [HKLM] -> %ProgramFiles%\Network Associates\VirusScan\shext.dll [VirusScan] -> Network Associates, Inc. [Ver = 8.0.0.912 | Size = 13824 bytes | Modified Date = 22-09-2004 19:00:00 | Attr =    ]
< ColumnHandlers - Folder [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\pdfshell.dll [PDF Shell Extension] -> Adobe Systems, Inc. [Ver = 7.0.0.0 | Size = 110592 bytes | Modified Date = 14-12-2004 01:20:02 | Attr =    ]
< User Agent Post Platform [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
SV1 ->  ->
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
{11D46EB8-59E8-4EAB-A388-CDE6CF512B04} ->    (Intel(R) PRO/1000 MT Mobile Connection) ->
{9EA84AE8-A167-41F8-850A-919073A77188} ->    (Intel(R) PRO/Wireless 2200BG Network Connection) ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.5.0_10 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab ->
{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} -> Java Plug-in 1.4.1 - CodeBase = http://java.sun.com/products/plugin/1.4.1/jinstall-141-win.cab ->
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab ->
{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_09 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab ->
{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_10 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_10 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} ->  - CodeBase = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab ->
{D8575CE3-3432-4540-88A9-85A1325D3375} -> e-Safekey - CodeBase = https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab ->
DirectAnimation Java Classes ->  - CodeBase = file://C:\WINNT\Java\classes\dajava.cab ->
Microsoft XML Parser for Java ->  - CodeBase = file://C:\WINNT\Java\classes\xmldso.cab ->


[Files - Created Within 30 days]
hiberfil.sys -> %SystemDrive%\hiberfil.sys ->  [Ver =  | Size = 267374592 bytes | Created Date = 02-01-1601 23:00:00 | Attr =  HS]
AVG Anti-Spyware.lnk -> %AllUsersDesktop%\AVG Anti-Spyware.lnk ->  [Ver =  | Size = 833 bytes | Created Date = 12-02-2007 13:14:01 | Attr =    ]
Norton AntiVirus 2003 Professional Edition.lnk -> %AllUsersDesktop%\Norton AntiVirus 2003 Professional Edition.lnk ->  [Ver =  | Size = 1897 bytes | Created Date = 12-02-2007 09:50:56 | Attr =    ]
rootchk.exe -> %UserDesktop%\rootchk.exe ->  [Ver =  | Size = 257047 bytes | Created Date = 12-02-2007 13:06:05 | Attr =    ]
@Alternate Data Stream - 26 bytes -> %UserDesktop%\rootchk.exe:Zone.Identifier ->
winpfind3u.exe -> %UserDesktop%\winpfind3u.exe ->  [Ver =  | Size = 342421 bytes | Created Date = 16-02-2007 07:54:50 | Attr =    ]
@Alternate Data Stream - 26 bytes -> %UserDesktop%\winpfind3u.exe:Zone.Identifier ->
_delis32.ini -> %SystemRoot%\_delis32.ini ->  [Ver =  | Size = 264 bytes | Created Date = 12-02-2007 09:51:09 | Attr =    ]
{BEE5DFC8-2772-4BF1-9B45-EE59A39571C1}.dat -> %SystemRoot%\{BEE5DFC8-2772-4BF1-9B45-EE59A39571C1}.dat ->  [Ver =  | Size = 32 bytes | Created Date = 12-02-2007 09:52:05 | Attr =  HS]
31321612ld.exe -> %System32%\31321612ld.exe ->  [Ver =  | Size = 26280 bytes | Created Date = 07-02-2007 19:31:32 | Attr =    ]
365672ld.exe -> %System32%\365672ld.exe ->  [Ver =  | Size = 11680 bytes | Created Date = 07-02-2007 19:36:56 | Attr =    ]
dumphive.exe -> %System32%\dumphive.exe ->  [Ver =  | Size = 51200 bytes | Created Date = 12-02-2007 13:43:33 | Attr =    ]
@Alternate Data Stream - 26 bytes -> %System32%\dumphive.exe:Zone.Identifier ->
Process.exe -> %System32%\Process.exe -> http://www.beyondlogic.org [Ver = 2, 0, 0, 0 | Size = 53248 bytes | Created Date = 12-02-2007 13:43:33 | Attr =    ]
@Alternate Data Stream - 26 bytes -> %System32%\Process.exe:Zone.Identifier ->
qt-mt335.dll -> %System32%\qt-mt335.dll ->  [Ver =  | Size = 3489792 bytes | Created Date = 07-02-2007 20:38:03 | Attr =    ]
RunOnce.tm_ -> %System32%\RunOnce.tm_ ->  [Ver =  | Size = 14 bytes | Created Date = 07-02-2007 19:11:02 | Attr =    ]
RunOnce.t__ -> %System32%\RunOnce.t__ ->  [Ver =  | Size = 25 bytes | Created Date = 07-02-2007 19:11:02 | Attr =    ]
S32EVNT1.DLL -> %System32%\S32EVNT1.DLL -> Symantec Corporation [Ver = 11.6.8.1 | Size = 91904 bytes | Created Date = 12-02-2007 09:50:54 | Attr =    ]
SR2.dat -> %System32%\SR2.dat ->  [Ver =  | Size = 14 bytes | Created Date = 12-02-2007 09:51:49 | Attr =    ]
SrchSTS.exe -> %System32%\SrchSTS.exe -> S!Ri [Ver =  | Size = 288417 bytes | Created Date = 12-02-2007 13:43:33 | Attr =    ]
@Alternate Data Stream - 26 bytes -> %System32%\SrchSTS.exe:Zone.Identifier ->
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.0 | Size = 135168 bytes | Created Date = 12-02-2007 13:43:33 | Attr =    ]
@Alternate Data Stream - 26 bytes -> %System32%\swreg.exe:Zone.Identifier ->
swsc.exe -> %System32%\swsc.exe ->  [Ver =  | Size = 40960 bytes | Created Date = 12-02-2007 13:43:33 | Attr =    ]
@Alternate Data Stream - 26 bytes -> %System32%\swsc.exe:Zone.Identifier ->
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 79360 bytes | Created Date = 12-02-2007 13:43:33 | Attr =    ]
@Alternate Data Stream - 26 bytes -> %System32%\swxcacls.exe:Zone.Identifier ->
tmp.reg -> %System32%\tmp.reg ->  [Ver =  | Size = 6586 bytes | Created Date = 12-02-2007 13:44:05 | Attr =    ]
update00822631.exe -> %System32%\update00822631.exe ->  [Ver =  | Size = 128278 bytes | Created Date = 07-02-2007 19:11:05 | Attr =    ]
update21677000.exe -> %System32%\update21677000.exe ->  [Ver =  | Size = 17267 bytes | Created Date = 07-02-2007 19:11:27 | Attr =    ]
{E85DE27B-3AD1-49DC-8C7B-729ED7EC83BC}.dat -> %System32%\{E85DE27B-3AD1-49DC-8C7B-729ED7EC83BC}.dat ->  [Ver =  | Size = 32 bytes | Created Date = 12-02-2007 09:52:05 | Attr =  HS]
AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 12-02-2007 13:13:54 | Attr =    ]
NPDRIVER.SYS -> %System32%\drivers\NPDRIVER.SYS -> Symantec Corporation [Ver = 16.00.0.22 | Size = 34578 bytes | Created Date = 12-02-2007 09:51:18 | Attr =    ]
SYMEVENT.SYS -> %System32%\drivers\SYMEVENT.SYS -> Symantec Corporation [Ver = 11.6.8.1 | Size = 124016 bytes | Created Date = 12-02-2007 09:50:54 | Attr =    ]

[Files - Modified Within 30 days]
hiberfil.sys -> %SystemDrive%\hiberfil.sys ->  [Ver =  | Size = 267374592 bytes | Modified Date = 16-02-2007 08:08:46 | Attr =  HS]
IconCache.db -> %LocalAppData%\IconCache.db ->  [Ver =  | Size = 4833360 bytes | Modified Date = 16-02-2007 08:06:04 | Attr =  H ]
AVG Anti-Spyware.lnk -> %AllUsersDesktop%\AVG Anti-Spyware.lnk ->  [Ver =  | Size = 833 bytes | Modified Date = 12-02-2007 13:14:02 | Attr =    ]
Norton AntiVirus 2003 Professional Edition.lnk -> %AllUsersDesktop%\Norton AntiVirus 2003 Professional Edition.lnk ->  [Ver =  | Size = 1897 bytes | Modified Date = 12-02-2007 10:02:30 | Attr =    ]
rootchk.exe -> %UserDesktop%\rootchk.exe ->  [Ver =  | Size = 257047 bytes | Modified Date = 12-02-2007 13:06:18 | Attr =    ]
@Alternate Data Stream - 26 bytes -> %UserDesktop%\rootchk.exe:Zone.Identifier ->
winpfind3u.exe -> %UserDesktop%\winpfind3u.exe ->  [Ver =  | Size = 342421 bytes | Modified Date = 16-02-2007 07:55:06 | Attr =    ]
@Alternate Data Stream - 26 bytes -> %UserDesktop%\winpfind3u.exe:Zone.Identifier ->
bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 16-02-2007 08:08:48 | Attr =  S]
randseed.rnd -> %SystemRoot%\randseed.rnd ->  [Ver =  | Size = 512 bytes | Modified Date = 16-02-2007 08:40:22 | Attr =    ]
system.ini -> %SystemRoot%\system.ini ->  [Ver =  | Size = 307 bytes | Modified Date = 16-02-2007 08:15:14 | Attr =    ]
_delis32.ini -> %SystemRoot%\_delis32.ini ->  [Ver =  | Size = 264 bytes | Modified Date = 12-02-2007 09:51:10 | Attr =    ]
{BEE5DFC8-2772-4BF1-9B45-EE59A39571C1}.dat -> %SystemRoot%\{BEE5DFC8-2772-4BF1-9B45-EE59A39571C1}.dat ->  [Ver =  | Size = 32 bytes | Modified Date = 12-02-2007 09:52:06 | Attr =  HS]
31321612ld.exe -> %System32%\31321612ld.exe ->  [Ver =  | Size = 26280 bytes | Modified Date = 07-02-2007 19:32:40 | Attr =    ]
365672ld.exe -> %System32%\365672ld.exe ->  [Ver =  | Size = 11680 bytes | Modified Date = 07-02-2007 19:38:32 | Attr =    ]
dumphive.exe -> %System32%\dumphive.exe ->  [Ver =  | Size = 51200 bytes | Modified Date = 12-02-2007 13:12:32 | Attr =    ]
@Alternate Data Stream - 26 bytes -> %System32%\dumphive.exe:Zone.Identifier ->
FLC-HJE-HOK2.DELTA -> %System32%\FLC-HJE-HOK2.DELTA ->  [Ver =  | Size = 1090 bytes | Modified Date = 16-02-2007 08:15:04 | Attr =    ]
FLC-HJE-HOK2.HWS -> %System32%\FLC-HJE-HOK2.HWS ->  [Ver =  | Size = 279383 bytes | Modified Date = 16-02-2007 08:15:04 | Attr =    ]
Process.exe -> %System32%\Process.exe -> http://www.beyondlogic.org [Ver = 2, 0, 0, 0 | Size = 53248 bytes | Modified Date = 12-02-2007 13:12:32 | Attr =    ]
@Alternate Data Stream - 26 bytes -> %System32%\Process.exe:Zone.Identifier ->
RunOnce.tm_ -> %System32%\RunOnce.tm_ ->  [Ver =  | Size = 14 bytes | Modified Date = 07-02-2007 19:11:04 | Attr =    ]
RunOnce.t__ -> %System32%\RunOnce.t__ ->  [Ver =  | Size = 25 bytes | Modified Date = 07-02-2007 19:17:04 | Attr =    ]
SR2.dat -> %System32%\SR2.dat ->  [Ver =  | Size = 14 bytes | Modified Date = 12-02-2007 09:51:50 | Attr =    ]
SrchSTS.exe -> %System32%\SrchSTS.exe -> S!Ri [Ver =  | Size = 288417 bytes | Modified Date = 12-02-2007 13:12:34 | Attr =    ]
@Alternate Data Stream - 26 bytes -> %System32%\SrchSTS.exe:Zone.Identifier ->
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.0 | Size = 135168 bytes | Modified Date = 12-02-2007 13:12:34 | Attr =    ]
@Alternate Data Stream - 26 bytes -> %System32%\swreg.exe:Zone.Identifier ->
swsc.exe -> %System32%\swsc.exe ->  [Ver =  | Size = 40960 bytes | Modified Date = 12-02-2007 13:12:34 | Attr =    ]
@Alternate Data Stream - 26 bytes -> %System32%\swsc.exe:Zone.Identifier ->
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 79360 bytes | Modified Date = 12-02-2007 13:12:34 | Attr =    ]
@Alternate Data Stream - 26 bytes -> %System32%\swxcacls.exe:Zone.Identifier ->
tmp.reg -> %System32%\tmp.reg ->  [Ver =  | Size = 6586 bytes | Modified Date = 12-02-2007 13:44:06 | Attr =    ]
update00822631.exe -> %System32%\update00822631.exe ->  [Ver =  | Size = 128278 bytes | Modified Date = 07-02-2007 19:11:16 | Attr =    ]
update21677000.exe -> %System32%\update21677000.exe ->  [Ver =  | Size = 17267 bytes | Modified Date = 07-02-2007 19:11:34 | Attr =    ]
wpa.dbl -> %System32%\wpa.dbl ->  [Ver =  | Size = 2278 bytes | Modified Date = 10-02-2007 09:45:22 | Attr =    ]
{E85DE27B-3AD1-49DC-8C7B-729ED7EC83BC}.dat -> %System32%\{E85DE27B-3AD1-49DC-8C7B-729ED7EC83BC}.dat ->  [Ver =  | Size = 32 bytes | Modified Date = 12-02-2007 09:52:06 | Attr =  HS]

[File String Scan - Non-Microsoft Only]
@Alternate Data Stream - 26 bytes -> %UserDesktop%\rootchk.exe:Zone.Identifier ->
@Alternate Data Stream - 26 bytes -> %UserDesktop%\winpfind3u.exe:Zone.Identifier ->
UPX! , UPX0 ,  -> %System32%\31321612ld.exe ->  [Ver =  | Size = 26280 bytes | Modified Date = 07-02-2007 19:32:40 | Attr =    ]
UPX! , UPX0 ,  -> %System32%\365672ld.exe ->  [Ver =  | Size = 11680 bytes | Modified Date = 07-02-2007 19:38:32 | Attr =    ]
PEC2 ,  -> %System32%\dfrg.msc ->  [Ver =  | Size = 41123 bytes | Modified Date = 16-09-2002 13:00:00 | Attr =    ]
@Alternate Data Stream - 26 bytes -> %System32%\dumphive.exe:Zone.Identifier ->
@Alternate Data Stream - 26 bytes -> %System32%\Process.exe:Zone.Identifier ->
@Alternate Data Stream - 26 bytes -> %System32%\SrchSTS.exe:Zone.Identifier ->
UPX! , UPX0 ,  -> %System32%\SrchSTS.exe -> S!Ri [Ver =  | Size = 288417 bytes | Modified Date = 12-02-2007 13:12:34 | Attr =    ]
@Alternate Data Stream - 26 bytes -> %System32%\swreg.exe:Zone.Identifier ->
UPX! , UPX0 ,  -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.0 | Size = 135168 bytes | Modified Date = 12-02-2007 13:12:34 | Attr =    ]
@Alternate Data Stream - 26 bytes -> %System32%\swsc.exe:Zone.Identifier ->
UPX! , UPX0 ,  -> %System32%\swsc.exe ->  [Ver =  | Size = 40960 bytes | Modified Date = 12-02-2007 13:12:34 | Attr =    ]
@Alternate Data Stream - 26 bytes -> %System32%\swxcacls.exe:Zone.Identifier ->
UPX! , UPX0 ,  -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 79360 bytes | Modified Date = 12-02-2007 13:12:34 | Attr =    ]
UPX! , UPX0 ,  -> %System32%\update00822631.exe ->  [Ver =  | Size = 128278 bytes | Modified Date = 07-02-2007 19:11:16 | Attr =    ]
UpackByDwing , MZKERNEL32.DLL ,  -> %System32%\update21677000.exe ->  [Ver =  | Size = 17267 bytes | Modified Date = 07-02-2007 19:11:34 | Attr =    ]
winsync ,  -> %System32%\wbdbase.deu ->  [Ver =  | Size = 1309184 bytes | Modified Date = 16-09-2002 13:00:00 | Attr =    ]
PTech ,  -> %System32%\dllcache\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 03-08-2004 21:41:38 | Attr =    ]
PTech ,  -> %System32%\drivers\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 03-08-2004 21:41:38 | Attr =    ]

< End of report >

Explorer killed successfully
[Win32 Services - Non-Microsoft Only]
Unable to stop service ieupdater .
Unable to delete service ieupdater .
File C:\Documents and Settings\Bruger\~tmp0374.exe not found.
[Registry - Non-Microsoft Only]
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\partnershipreg deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rpcc deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\\Local Page deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\\Local Page deleted successfully.
[ Extra Files ]
File/Folder C:\Documents and Settings\All Users\Dokumenter\Settings\partnership.dll not found.
LoadLibrary failed for C:\WINNT\system32\rpcc.dll
C:\WINNT\system32\rpcc.dll NOT unregistered.
File move failed. C:\WINNT\system32\rpcc.dll scheduled to be moved on reboot.
[ Extra Registry Entries ]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{9F143C3A-1457-6CCA-03A7-7AA23B61E40F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F143C3A-1457-6CCA-03A7-7AA23B61E40F} deleted successfully.
Registry value deletion failed for HKEY_LOCAL_MACHINE\\\ .
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{8A5849C4-93F3-429D-FF34-660A2068897C} deleted successfully.
< End of log >
Created on 02-16-2007 08:04:28
ejvindh (Expert)
16 February 2007 - 09:45 #8
OK, that looks better. Now try the following:

Run WinPFind3U from the WinPFind3U folder again. Copy the contents between the wavy lines into the white field on the right (right-click the field and choose "sæt ind"/"paste"):

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[Kill Explorer]
[Win32 Services - Non-Microsoft Only]
YY -> (Microsoft IE Updater) ieupdater [Win32_Own | Auto | Stopped] -> %SystemDrive%\Documents and Settings\Bruger\~tmp0374.exe
[Files - Created Within 30 days]
NY -> 31321612ld.exe -> %System32%\31321612ld.exe
NY -> 365672ld.exe -> %System32%\365672ld.exe
[Start Explorer]
[Reboot]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Then click "Run Fix" and follow the instructions given. Your computer will now restart. After the restart, open the WinPFind3U folder again. There will now be a log there whose name consists of a lot of numbers - copy that in here as well. For now you do not need to post a new WinPFind3U log here.
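Added example, not part of the thread and not WinPFind3U's or ejvindh's own logic: a Python triage sketch over the log format posted above. It combines three signals the log exposes for `.exe` files in `%System32%` (empty vendor field, UPX/Upack strings from the string scan, no `Zone.Identifier` stream); the scoring rule and all function names are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass, field

# Lines copied from the WinPFind3U log posted in this thread (a selection).
SAMPLE_LOG = r"""
[Files - Created Within 30 days]
31321612ld.exe -> %System32%\31321612ld.exe ->  [Ver =  | Size = 26280 bytes | Created Date = 07-02-2007 19:31:32 | Attr =    ]
365672ld.exe -> %System32%\365672ld.exe ->  [Ver =  | Size = 11680 bytes | Created Date = 07-02-2007 19:36:56 | Attr =    ]
dumphive.exe -> %System32%\dumphive.exe ->  [Ver =  | Size = 51200 bytes | Created Date = 12-02-2007 13:43:33 | Attr =    ]
@Alternate Data Stream - 26 bytes -> %System32%\dumphive.exe:Zone.Identifier ->
S32EVNT1.DLL -> %System32%\S32EVNT1.DLL -> Symantec Corporation [Ver = 11.6.8.1 | Size = 91904 bytes | Created Date = 12-02-2007 09:50:54 | Attr =    ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.0 | Size = 135168 bytes | Created Date = 12-02-2007 13:43:33 | Attr =    ]
@Alternate Data Stream - 26 bytes -> %System32%\swreg.exe:Zone.Identifier ->
swsc.exe -> %System32%\swsc.exe ->  [Ver =  | Size = 40960 bytes | Created Date = 12-02-2007 13:43:33 | Attr =    ]
@Alternate Data Stream - 26 bytes -> %System32%\swsc.exe:Zone.Identifier ->
update21677000.exe -> %System32%\update21677000.exe ->  [Ver =  | Size = 17267 bytes | Created Date = 07-02-2007 19:11:27 | Attr =    ]
[File String Scan - Non-Microsoft Only]
UPX! , UPX0 ,  -> %System32%\31321612ld.exe ->  [Ver =  | Size = 26280 bytes | Modified Date = 07-02-2007 19:32:40 | Attr =    ]
UPX! , UPX0 ,  -> %System32%\365672ld.exe ->  [Ver =  | Size = 11680 bytes | Modified Date = 07-02-2007 19:38:32 | Attr =    ]
UPX! , UPX0 ,  -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.0 | Size = 135168 bytes | Modified Date = 12-02-2007 13:12:34 | Attr =    ]
UPX! , UPX0 ,  -> %System32%\swsc.exe ->  [Ver =  | Size = 40960 bytes | Modified Date = 12-02-2007 13:12:34 | Attr =    ]
UpackByDwing , MZKERNEL32.DLL ,  -> %System32%\update21677000.exe ->  [Ver =  | Size = 17267 bytes | Modified Date = 07-02-2007 19:11:34 | Attr =    ]
"""

# Scan strings treated as packer signatures here (UPX and Upack); an assumption
# of this sketch, other hits in the string scan are ignored.
PACKER_MARKERS = {"UPX!", "UPX0", "UpackByDwing"}
ZONE_SUFFIX = ":Zone.Identifier"
CREATED_RE = re.compile(r"Created Date = (\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})")


@dataclass
class FileEntry:
    path: str
    vendor: str = ""
    created: str = ""
    has_zone_id: bool = False
    markers: list = field(default_factory=list)


def parse_log(text):
    """Merge the per-file facts spread over several log sections, keyed by path."""
    entries, section = {}, ""

    def entry(path):
        return entries.setdefault(path.lower(), FileEntry(path))

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]") and "->" not in line:
            section = line[1:-1].strip()
            continue
        parts = [p.strip() for p in line.split("->")]
        if len(parts) < 2 or not parts[1]:
            continue
        if parts[0].startswith("@Alternate Data Stream"):
            # The stream is reported on its own line, after the file it belongs to.
            if parts[1].endswith(ZONE_SUFFIX):
                entry(parts[1][:-len(ZONE_SUFFIX)]).has_zone_id = True
            continue
        e = entry(parts[1])
        detail = parts[2] if len(parts) > 2 else ""
        e.vendor = e.vendor or detail.split("[Ver", 1)[0].strip()
        if section.startswith("File String Scan"):
            e.markers += [m.strip() for m in parts[0].split(",") if m.strip()]
        elif section.startswith("Files - Created"):
            m = CREATED_RE.search(detail)
            e.created = m.group(1) if m else ""
    return entries


def triage(entries):
    """Return {path: [reasons]} for .exe files directly under %System32%."""
    findings = {}
    for e in entries.values():
        p = e.path.lower()
        if not (p.startswith("%system32%\\") and p.endswith(".exe")):
            continue
        reasons = []
        if not e.vendor:
            reasons.append("no vendor in version info")
        packed = sorted(PACKER_MARKERS.intersection(e.markers))
        if packed:
            reasons.append("packer marker: " + ", ".join(packed))
        if not e.has_zone_id:
            reasons.append("no Zone.Identifier stream")
        findings[e.path] = reasons
    return findings


def review_first(findings):
    """Files where all three signals coincide, in log order."""
    return [path for path, reasons in findings.items() if len(reasons) == 3]


if __name__ == "__main__":
    for path in review_first(triage(parse_log(SAMPLE_LOG))):
        print(path)
```

The result only orders entries for manual review: a missing `Zone.Identifier` stream means the file was not saved by a zone-aware downloader, nothing more, and the cleanup tools the user downloaded (`swsc.exe`, `dumphive.exe`) are themselves packed or lack a vendor field, which is why no single signal is used alone.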
toh (Beginner)
16 February 2007 - 10:58 #9
Hi Ejvindh

Here is the log file, but I am off to a meeting in town and will not be able to continue until Monday morning. Thank you for all the work you have done so far.

Explorer killed successfully
[Win32 Services - Non-Microsoft Only]
Service Microsoft IE Updater stopped successfully.
Service Microsoft IE Updater deleted successfully.
File C:\Documents and Settings\Bruger\~tmp0374.exe not found.
[Files - Created Within 30 days]
C:\WINNT\SYSTEM32\31321612ld.exe moved successfully.
C:\WINNT\SYSTEM32\365672ld.exe moved successfully.
< End of log >
Created on 02-16-2007 10:36:15
ejvindh (Expert)
16 February 2007 - 11:06 #10
You don't need to do anything more either, because I would say the junk has now pretty much been knocked out. How is the computer running otherwise?

To finish the job completely:
It can be a good idea to clean up the System Restore files. Disable System Restore (http://www.spywarefri.dk/virusscannere.htm#alle) - restart your computer - enable System Restore.
It can also be a good idea to hide your system files and folders again, so that you don't delete an important file by mistake. You do that in the same place where you set it to show all files; this time you just choose: Do not show hidden files and folders.

It can also be a good idea to clear out your temporary files. That can be done quickly and easily with this file
www.spywareinfo.dk/download/cleantempxp2k.bat
---------------------------

To prevent a recurrence, I recommend installing a few small programs that keep spyware from getting in in the first place. You will find links and good advice here:
http://www.spywarefri.dk/manualer/sikkerhedspakke.htm

I would also suggest that you read these articles on how to avoid getting infected in the future:
http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=14414
http://www.ejvindh.net/viewtopic.php?t=37
toh (Beginner)
19 February 2007 - 08:05 #11
Hi Ejvindh

It runs, but a little bit slowly, though much better than when we started. Thanks for the help.
ejvindh Expert
19 February 2007 - 09:07 #12
You're welcome. Regarding the remaining slowness, I have a checklist you can try going through. It is possible that the system needs a bit of cleanup in the wake of the infection:

1. Try downloading and installing CCleaner from here:
http://www.ccleaner.com/

Run a cleaning procedure with the program -- both under the "Renser" (Cleaner) and "Problemer" (Issues) menus in the program. Let it remove everything it finds. Restart, and see whether it has helped.

2. Try defragmenting your hard drive: Double-click My Computer, right-click your hard drive, choose Properties - Tools - Defragment Now, and run a defragmentation. It can take a long time. Restart, and see whether it has helped.

3. Try an sfc scan: Click Start => Run and type: SFC /scannow  (remember the space between SFC and /scannow)
Your Windows disc must be in the drive. It checks and repairs your system files.

4. Try a repair: http://www.hcma.dk/tips1to10.htm#no4
After a repair it is important to go in and update the Windows operating system (since the operating system is rolled back to the level found on your installation disc):
http://windowsupdate.microsoft.com/

Restart, and see whether it has helped.


5. Click Start - Run, type devmgmt.msc and click OK.

Device Manager then opens. Click the + sign next to "IDE ATA/ATAPI controllers", right-click "Primary IDE Channel", and choose Properties. Click the "Advanced Settings" tab. If the transfer mode says "PIO Only" for any of the devices, that may be the cause of a slow computer. You can try to change this in 2 ways:

a. First try changing this by switching to "DMA if available", click OK, and restart the computer. Did it help?

b. If not, go into Device Manager again, click the + sign next to "IDE ATA/ATAPI controllers", right-click "Primary IDE Channel", and choose Properties. Click the "Driver" tab, and click Uninstall. When the process is finished you must restart the computer, whereupon the operating system reinstalls your hard drive and gives it the default settings.


6. Finally, there are also some suggestions at this link that you can try:
http://www.spywareinfo.dk/index.htm#/tip-og-tricks/langsom-op-og-nedlukning-xp.htm