claus_b. Novice
01. October 2009 - 21:56 There are 30 comments and 1 solution

Trojan.Agent

Hi,

So the virus trouble has arrived despite an updated AVG v.8.5 and despite all downloaded files being checked with both AVG and Malwarebytes before they are opened.

AVG and Malwarebytes can both see viruses, which they say are removed effectively, but after a restart they are there again.

CCleaner works fine, after which AVG can't find anything wrong, while Malwarebytes still finds a trojan.agent:

Inficerede Registeringsdatabase Værdier:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.

but it is still there afterwards.

So the question is, what do I do now?

Win XP, IE 8, all programs are up to date.

Hope there's someone who can help, because I've run out of ideas myself...
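The value that keeps coming back in the post above lives under the Winlogon key, a well-known logon persistence location. As an added example (not from this thread and not one of the tools used in it), the following Python script parses a `.reg` export of that key, the text `reg export` writes, and lists every value that differs from a clean Windows XP install, so the check can be repeated after each reboot to see whether a cleanup actually held. The two export excerpts and the `C:\EXAMPLE\suspect.exe` path are constructed, and the expected defaults assume Windows installed on `C:`.

```python
r"""Audit Winlogon persistence values in a .reg export (added example, not from the thread).

Parses a REGEDIT4 / 'Windows Registry Editor' export of
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and reports
every string value that differs from what a clean Windows XP install has.
"""
from __future__ import annotations

import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Clean-install expectations (assumption: Windows XP installed on C:).
# None means the value must not exist at all: Taskman is absent on a
# default install, and when present it names a program Winlogon starts,
# which is exactly why malware plants it there.
EXPECTED = {
    "shell": "Explorer.exe",
    "userinit": r"C:\WINDOWS\system32\userinit.exe,",
    "taskman": None,
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
STRING_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Return {key (lower-cased): {value name (lower-cased): data}} for string values."""
    keys: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match["key"].lower()
            keys.setdefault(current, {})
            continue
        value_match = STRING_VALUE_RE.match(line)
        if value_match and current is not None:
            # .reg files escape backslashes and double quotes inside string data.
            data = value_match["data"].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][value_match["name"].lower()] = data
    return keys


def audit_winlogon(export_text: str) -> list[str]:
    """Human-readable findings; an empty list means the key looks clean."""
    values = parse_reg_export(export_text).get(WINLOGON_KEY.lower(), {})
    findings: list[str] = []
    for name, expected in EXPECTED.items():
        actual = values.get(name)
        if expected is None:
            if actual is not None:
                findings.append(f"{name}: set to {actual!r} but absent on a clean install")
        elif actual is None:
            findings.append(f"{name}: missing, expected {expected!r}")
        elif actual.lower() != expected.lower():
            findings.append(f"{name}: {actual!r}, expected {expected!r}")
    return findings


# Constructed exports for demonstration; the suspect path is a placeholder.
INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"taskman"="C:\\EXAMPLE\\suspect.exe"
"""

CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"""

if __name__ == "__main__":
    for label, export in (("infected", INFECTED_EXPORT), ("clean", CLEAN_EXPORT)):
        print(label, audit_winlogon(export) or ["no deviations"])
```

Running the audit once after the scanner reports the value removed and again after the next reboot separates a value that is really gone from one that something still running keeps re-creating, which is the distinction the rest of the thread turns on.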
johnstigers Senior Master
01. October 2009 - 22:34 #1
claus_b. Novice
02. October 2009 - 09:15 #2
since yesterday a bit more has turned up for AVG:
Trojan Horse Generic 14.AZVP
Trojan Horse SHeur2.BDZP
Trojan Horse Dropper.Tiny.V
Virus identified Win32/Rustock.M

- the virus in particular is new?

one of the identified files apparently can't just be deleted:
C:\windows\system32\drivers\str.sys
... what do I do about it?

Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:10:27, on 02-10-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\affy\AuditLoggerService.exe
D:\affy\WebService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Programmer\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Programmer\Home Cinema\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmer\Home Cinema\PowerCinema\PCMService.exe
C:\WINDOWS\CNYHKey.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CmUCReye.exe
C:\Programmer\Java\jre6\bin\jqs.exe
C:\WINDOWS\mHotkey.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programmer\Microsoft Office\Office12\GrooveMonitor.exe
C:\Programmer\Java\jre6\bin\jusched.exe
C:\WINDOWS\runservice.exe
C:\Programmer\Windows Live\Messenger\msnmsgr.exe
C:\Programmer\Windows Media Player\WMPNSCFG.exe
C:\Programmer\Fælles filer\LightScribe\LSSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Programmer\CyberLink\Shared Files\RichVideo.exe
C:\Programmer\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
D:\affy\TaskManagerSvc.exe
C:\Programmer\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Programmer\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\SearchIndexer.exe
D:\affy\IndexerService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Programmer\Internet Explorer\IEXPLORE.EXE
C:\Programmer\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\CB\Skrivebord\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programmer\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Hjælp til tilmelding til Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar1.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmer\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmer\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [Showwnd] showwnd.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCMService] "C:\Programmer\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [InstantOn] "C:\Program Files\CyberLink\PowerCinema Linux\ion_install.exe /c "
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [CmUCRRun] C:\WINDOWS\system32\CmUCReye.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programmer\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Programmer\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Programmer\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Programmer\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: FirstClass® - {02011FE3-C22B-451d-9A25-BF4DBB38B8E7} - C:\WINDOWS\Downloaded Program Files\fcplugin.dll
O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programmer\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programmer\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Programmer\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Programmer\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com/
O15 - Trusted Zone: http://*.danid.dk
O15 - Trusted Zone: http://*.danid.dk (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D381386-B2F7-4A83-AE20-B9796A68397C} (proXSign Class) - https://www.borgerblanketter.dk/bb/proXSign1.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4F2A3649-7A9F-4950-9C31-409FAC6FC7C8} (IssueUtilCtrl Class) - https://danid.dk/csp/authenticode/csp.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130600261343
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181498758750
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {9C196458-4145-46AF-8A77-1506878DFECA} (FirstClass® Control) - ftp://ftp.sektornet.dk/sektornet/skolekom/fcplugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} - https://udstedelse.certifikat.tdc.dk/csp/authenticode/tdccsp-0506.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{004B7031-7257-40D6-BB84-5AC466F536AB}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{004B7031-7257-40D6-BB84-5AC466F536AB}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS3\Services\Tcpip\..\{004B7031-7257-40D6-BB84-5AC466F536AB}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: fcp - {B3133379-8789-4D3C-9593-C205D7297501} - C:\WINDOWS\Downloaded Program Files\fcplugin.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programmer\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FLLESF~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AGCCAuditLogger - Affymetrix, Inc. - D:\affy\AuditLoggerService.exe
O23 - Service: AGCCIndexer - Affymetrix, Inc. - D:\affy\IndexerService.exe
O23 - Service: AGCCTaskManager - Affymetrix, Inc. - D:\affy\TaskManagerSvc.exe
O23 - Service: AGCCWebServer - Affymetrix, Inc. - D:\affy\WebService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Programmer\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Programmer\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programmer\Home Cinema\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Google Update Service (gupdate1c985d1fa732de2) (gupdate1c985d1fa732de2) - Google Inc. - C:\Programmer\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmer\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmer\Java\jre6\bin\jqs.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmer\Fælles filer\LightScribe\LSSrvc.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmer\CyberLink\Shared Files\RichVideo.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 12792 bytes
02. October 2009 - 09:45 #3
... latest update + full run + log from MalwareBytes !!!
claus_b. Novice
02. October 2009 - 12:00 #4
Malwarebytes' Anti-Malware 1.41
Database version: 2891
Windows 5.1.2600 Service Pack 3

02-10-2009 11:57:01
last malwarebytes

Skan type: Fuldstændig skanning (C:\|D:\|E:\|)
Objekter skannet: 426473
Tid tilbagelagt: 1 hour(s), 59 minute(s), 18 second(s)

Inficerede Hukommelses Processer: 0
Inficerede Hukommelses Moduler: 0
Inficerede Registeringsdatabase Nøgler: 0
Inficerede Registeringsdatabase Værdier: 0
Inficerede Registeringsdatabase Filer: 0
Inficerede Mapper: 0
Inficerede Filer: 1

Inficerede Hukommelses Processer:
(Ingen mistænkelige filer fundet)

Inficerede Hukommelses Moduler:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Nøgler:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Værdier:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Filer:
(Ingen mistænkelige filer fundet)

Inficerede Mapper:
(Ingen mistænkelige filer fundet)

Inficerede Filer:
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> No action taken.
02. October 2009 - 12:21 #5
No action taken. ?

After the MalwareBytes scan - press the "Show results" button after the scan - and then press "Remove selected"
claus_b. Novice
02. October 2009 - 14:05 #6
hmm... I copied that log from the program after having done all of it... but when I look in "log files" it looks like this:

Malwarebytes' Anti-Malware 1.41
Database version: 2891
Windows 5.1.2600 Service Pack 3

02-10-2009 11:57:03
mbam-log-2009-10-02 (11-57-03).txt

Skan type: Fuldstændig skanning (C:\|D:\|E:\|)
Objekter skannet: 426473
Tid tilbagelagt: 1 hour(s), 59 minute(s), 18 second(s)

Inficerede Hukommelses Processer: 0
Inficerede Hukommelses Moduler: 0
Inficerede Registeringsdatabase Nøgler: 0
Inficerede Registeringsdatabase Værdier: 0
Inficerede Registeringsdatabase Filer: 0
Inficerede Mapper: 0
Inficerede Filer: 1

Inficerede Hukommelses Processer:
(Ingen mistænkelige filer fundet)

Inficerede Hukommelses Moduler:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Nøgler:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Værdier:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Filer:
(Ingen mistænkelige filer fundet)

Inficerede Mapper:
(Ingen mistænkelige filer fundet)

Inficerede Filer:
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Delete on reboot.

After the reboot the file should then be deleted - but if I run Malwarebytes again (this time a quick scan, since a full one takes 2 hours) - the file is still there and pops up with warning signs...

Malwarebytes' Anti-Malware 1.41
Database version: 2891
Windows 5.1.2600 Service Pack 3

02-10-2009 14:04:21
mbam-log-2009-10-02 (14-04-21).txt

Skan type: Hurtig skanning
Objekter skannet: 106928
Tid tilbagelagt: 9 minute(s), 27 second(s)

Inficerede Hukommelses Processer: 0
Inficerede Hukommelses Moduler: 0
Inficerede Registeringsdatabase Nøgler: 0
Inficerede Registeringsdatabase Værdier: 0
Inficerede Registeringsdatabase Filer: 0
Inficerede Mapper: 0
Inficerede Filer: 1

Inficerede Hukommelses Processer:
(Ingen mistænkelige filer fundet)

Inficerede Hukommelses Moduler:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Nøgler:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Værdier:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Filer:
(Ingen mistænkelige filer fundet)

Inficerede Mapper:
(Ingen mistænkelige filer fundet)

Inficerede Filer:
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Delete on reboot.
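Posts #4 to #6 hinge on the action text at the end of each Malwarebytes detection line: "No action taken" means nothing was removed yet, "Delete on reboot" means the file was locked and removal was deferred, and a path that is reported again in a scan run after that reboot means the deferred delete failed. The following Python script is an added example (not part of the thread and not Malwarebytes' own code) that parses that line format from two constructed log excerpts modelled on the ones posted above and reports the items that still need attention.

```python
r"""Triage Malwarebytes' Anti-Malware 1.x scan logs (added example, not from the thread).

Every detection line has the shape

    <object> (<threat name>) -> <action>.

Only 'Quarantined and deleted successfully' means the object is gone.
'No action taken' means removal was never requested, and 'Delete on
reboot' means it was deferred. If the same path is reported again in a
scan run after that reboot, the deferred delete failed, which is the
self-protecting behaviour this thread is chasing.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

COMPLETED_ACTIONS = {"quarantined and deleted successfully"}
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass(frozen=True)
class Detection:
    item: str
    threat: str
    action: str


def parse_mbam_log(text: str) -> list[Detection]:
    """Extract detection lines; section headers and '(no items)' lines are skipped."""
    found: list[Detection] = []
    for raw in text.splitlines():
        m = DETECTION_RE.match(raw.strip())
        if m:
            found.append(Detection(m["item"], m["threat"], m["action"]))
    return found


def unresolved(detections: list[Detection]) -> list[Detection]:
    """Detections whose logged action did not complete a removal."""
    return [d for d in detections if d.action.lower() not in COMPLETED_ACTIONS]


def recurring(earlier: list[Detection], later: list[Detection]) -> list[Detection]:
    """Objects present in both scans (paths compared case-insensitively)."""
    seen = {d.item.lower() for d in earlier}
    return [d for d in later if d.item.lower() in seen]


def triage(earlier_log: str, later_log: str) -> dict[str, list[str]]:
    """Summarise what still needs action and what survived the reboot between two scans."""
    earlier, later = parse_mbam_log(earlier_log), parse_mbam_log(later_log)
    return {
        "needs_action": [f"{d.item} ({d.threat}): {d.action}" for d in unresolved(earlier)],
        "survived_reboot": [f"{d.item} ({d.threat})" for d in recurring(earlier, later)],
    }


# Constructed excerpts modelled on the logs posted in the thread.
FULL_SCAN_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 2891

Skan type: Fuldstændig skanning (C:\|D:\|E:\|)

Inficerede Registeringsdatabase Værdier:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.

Inficerede Mapper:
(Ingen mistænkelige filer fundet)

Inficerede Filer:
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Delete on reboot.
"""

QUICK_SCAN_AFTER_REBOOT_LOG = r"""Malwarebytes' Anti-Malware 1.41
Skan type: Hurtig skanning

Inficerede Filer:
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Delete on reboot.
"""

if __name__ == "__main__":
    for section, lines in triage(FULL_SCAN_LOG, QUICK_SCAN_AFTER_REBOOT_LOG).items():
        print(section, lines)
```

A driver that is still listed as "Delete on reboot" after the reboot is the signal to stop re-running the same scanner and move to a tool that works below the loaded driver, which is what the next reply does.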
02. October 2009 - 14:34 #7
So now it's time for this one ->

-- Download Combofix from one of these links, and save it to your desktop:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

NB: You must not name it Combofix.exe, but for example BANAN.exe

-- Then run combofix.exe (BANAN.exe), which you downloaded earlier, and follow the instructions.
You should not click on the window while the tool is running, as it can cause your computer to freeze.
When combofix is finished, and after it has restarted, a log file should open: combofix.txt
Feel free to post the contents of this file here.
claus_b. Novice
02. October 2009 - 17:16 #8
a longer affair, but I got through with the banana program :-)
I turned off antivirus and firewall along the way and disconnected the internet connection in the meantime:

ComboFix 09-10-01.01 - cb 02-10-2009 16:32.1.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.45.1030.18.3454.2663 [GMT 2:00]
Kører fra: c:\documents and settings\cb\Skrivebord\banan.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

(((((((((((((((((((((((((((((((((((((((  Andet, der er slettet  )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\cb\Application Data\Microsoft\Word\START\RM11CWYW.wll
c:\documents and settings\cb\Application Data\Microsoft\Word\STARTUP\RM11CWYW.wll
c:\recycler\S-1-5-21-0017298448-6413243694-326338132-6701
c:\recycler\S-1-5-21-0085745879-4807894752-248465933-3964
c:\recycler\S-1-5-21-0169673587-9053542873-171489813-0225
c:\recycler\S-1-5-21-0231585743-9642203589-455275409-0152
c:\recycler\S-1-5-21-0267524223-1958283070-198946294-1178
c:\recycler\S-1-5-21-0279875029-1957672668-868168232-1145
c:\recycler\S-1-5-21-0339294292-0255483428-217870566-0748
c:\recycler\S-1-5-21-1131348136-6281368648-419472289-7661
c:\recycler\S-1-5-21-1323779346-9851723937-666017423-5437
c:\recycler\S-1-5-21-1347469593-4727789924-325117363-7530
c:\recycler\S-1-5-21-1451266196-5271076771-404147089-1176
c:\recycler\S-1-5-21-1565426841-5493088888-934256885-0373
c:\recycler\S-1-5-21-1576761913-1206002967-474445589-5214
c:\recycler\S-1-5-21-1606317321-0751134633-882715671-4405
c:\recycler\S-1-5-21-1749502234-8767346466-064053958-8102
c:\recycler\S-1-5-21-1758231629-9558862276-695522506-8589
c:\recycler\S-1-5-21-1832986466-9142157069-382194756-2627
c:\recycler\S-1-5-21-1850555920-5281502997-828798341-6158
c:\recycler\S-1-5-21-1871861305-8422772702-973385260-4002
c:\recycler\S-1-5-21-2126084273-9940376911-173253416-4870
c:\recycler\S-1-5-21-2169830617-5051474994-898358418-9713
c:\recycler\S-1-5-21-2171096662-9163539267-414258926-7472
c:\recycler\S-1-5-21-2205060094-1161821372-367498183-4328
c:\recycler\S-1-5-21-2325135704-3261201437-472083689-6794
c:\recycler\S-1-5-21-2360659232-6330347278-392258343-6466
c:\recycler\S-1-5-21-2361213874-4124338435-901930138-3684
c:\recycler\S-1-5-21-2491899565-9886996067-381816951-3063
c:\recycler\S-1-5-21-2503172102-6169603809-867658205-0959
c:\recycler\S-1-5-21-2687881274-3738848203-529700501-3090
c:\recycler\S-1-5-21-2766513498-5745341713-292753053-3402
c:\recycler\S-1-5-21-2959579747-2079846007-820279836-3899
c:\recycler\S-1-5-21-3068322904-2003024238-216887208-2930
c:\recycler\S-1-5-21-3222423461-3408986482-616180580-0607
c:\recycler\S-1-5-21-3361950884-8863386603-092815279-1614
c:\recycler\S-1-5-21-3426730316-7393196426-414684488-0286
c:\recycler\S-1-5-21-3437153571-9403641713-973726280-0533
c:\recycler\S-1-5-21-3483228415-2768915013-300794837-1619
c:\recycler\S-1-5-21-3576718685-7807215682-288180716-0709
c:\recycler\S-1-5-21-3698438984-3436489219-216296151-6289
c:\recycler\S-1-5-21-4179807147-0594989779-654561646-4880
c:\recycler\S-1-5-21-4213914331-3941692526-798708231-5658
c:\recycler\S-1-5-21-4329576266-8025825072-011818195-7914
c:\recycler\S-1-5-21-4402646195-0449063308-064626454-3629
c:\recycler\S-1-5-21-5005806366-5823170516-119322082-1372
c:\recycler\S-1-5-21-5038784868-6392284163-327896032-4813
c:\recycler\S-1-5-21-5078384814-7109144628-140405978-0737
c:\recycler\S-1-5-21-5298801946-4050133930-227282734-5271
c:\recycler\S-1-5-21-5467152267-8306922709-726531324-9863
c:\recycler\S-1-5-21-5493329211-9313629377-534015631-9592
c:\recycler\S-1-5-21-5728714195-8221572074-955376890-5126
c:\recycler\S-1-5-21-5831050461-5635560063-529759532-8425
c:\recycler\S-1-5-21-5862143523-7123611570-634507432-5359
c:\recycler\S-1-5-21-5941454513-1925712644-058060269-6804
c:\recycler\S-1-5-21-6442875025-9532429804-795243041-3993
c:\recycler\S-1-5-21-6498288855-8922641673-276871409-5178
c:\recycler\S-1-5-21-6523465967-6222278024-966179379-8901
c:\recycler\S-1-5-21-6742524296-8396111115-415446766-9103
c:\recycler\S-1-5-21-6753275085-1577375703-637205128-1818
c:\recycler\S-1-5-21-6762900067-7106942452-756185800-3733
c:\recycler\S-1-5-21-7284773123-5234829368-248622299-0203
c:\recycler\S-1-5-21-7348586867-7455699084-539165916-2135
c:\recycler\S-1-5-21-7348734548-2789186608-282736667-0085
c:\recycler\S-1-5-21-7439477860-0230791200-566820300-7921
c:\recycler\S-1-5-21-7477671589-8890139351-951861507-8070
c:\recycler\S-1-5-21-7577528500-4888266685-122907186-7256
c:\recycler\S-1-5-21-7599847616-2833199567-640546751-0322
c:\recycler\S-1-5-21-7696232083-9766153771-134644735-6155
c:\recycler\S-1-5-21-7762133787-9256062465-796832467-5367
c:\recycler\S-1-5-21-7912507375-1323520042-939827085-2758
c:\recycler\S-1-5-21-7934453522-3941290233-412824206-7295
c:\recycler\S-1-5-21-8064340354-5259374412-879801556-0433
c:\recycler\S-1-5-21-8083461120-4450249687-872794547-3533
c:\recycler\S-1-5-21-8166406911-9128048997-942313775-3676
c:\recycler\S-1-5-21-8188177994-0631270582-535892479-4038
c:\recycler\S-1-5-21-8224177640-9952488125-217170791-7431
c:\recycler\S-1-5-21-8348967182-8827288940-686598690-8306
c:\recycler\S-1-5-21-8477988410-7169796813-615158678-3471
c:\recycler\S-1-5-21-8491668606-5098013971-604433988-3675
c:\recycler\S-1-5-21-8637050057-2244925036-644104414-8071
c:\recycler\S-1-5-21-8694677552-8952081534-111949292-8992
c:\recycler\S-1-5-21-8807715957-6656491824-313102717-6421
c:\recycler\S-1-5-21-9119721268-4767208132-199942585-1319
c:\recycler\S-1-5-21-9182661284-6696992057-047779745-1108
c:\recycler\S-1-5-21-9399229625-8356131379-478969605-2508
c:\windows\Installer\1bf81e8.msi
c:\windows\Installer\263df48.msp
c:\windows\system32\drivers\chpdzxdx.sys
c:\windows\system32\drivers\str.sys

----- BITS: Mulige inficerede internetsteder -----

hxxp://doj+|Cv+@J:NGD_DQ{zGD_DQ{zGD_DQ{zGD_DQ{z+@J:Nj+|Cv Settings\cb\Lokale indstillinger\Application Data\Temp\{A49CF8B0-9B77-4147-972A-B1684D26C762}Google Update
.
(((((((((((((((((((((((((((((((((((((((  Drivers/Tjenester  )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RKHIT
-------\Legacy_SYODOWVGBX


(((((((((((((((((((((((((((((  Filer skabt fra 2009-09-02 til 2009-10-02  )))))))))))))))))))))))))))))))))))
.

2009-10-02 06:10 . 2009-10-02 06:10    --------    d-sh--w-    c:\windows\system32\config\systemprofile\IETldCache
2009-10-02 06:10 . 2009-10-02 06:10    201200    ----a-w-    C:\gsrilums.exe
2009-09-29 07:48 . 2004-02-19 17:32    126976    ----a-r-    c:\windows\system32\lxbtsnls.dll
2009-09-29 07:48 . 2004-02-20 10:45    65536    ----a-r-    c:\windows\system32\lxbtcfg.dll
2009-09-29 07:48 . 2004-02-19 17:29    139264    ----a-r-    c:\windows\system32\lxbtcoin.dll
2009-09-29 07:47 . 2009-09-29 07:48    --------    d-----w-    c:\programmer\Lexmark 5200 Series
2009-09-23 20:54 . 2009-09-23 20:54    --------    d-----w-    c:\documents and settings\cb\Lokale indstillinger\Application Data\Temp
2009-09-19 15:24 . 2009-10-02 14:43    1049    --sha-w-    c:\windows\system32\mmf.sys
2009-09-19 15:24 . 2009-09-19 15:24    48640    ----a-w-    c:\windows\mmfs.dll
2009-09-19 15:24 . 2009-09-19 15:24    2560    ----a-w-    c:\windows\Runservice.exe
2009-09-19 15:23 . 2009-09-19 15:24    --------    d-----w-    c:\programmer\Empires of Steel Demo
2009-09-15 20:47 . 2009-10-02 11:33    --------    d-----w-    c:\documents and settings\cb\Tracing
2009-09-15 20:44 . 2009-09-15 20:44    --------    d-----w-    c:\programmer\Microsoft
2009-09-15 20:44 . 2009-09-15 20:44    --------    d-----w-    c:\programmer\Windows Live SkyDrive
2009-09-15 20:44 . 2009-09-15 20:44    --------    d-----w-    c:\programmer\Windows Live
2009-09-15 20:26 . 2009-09-15 20:26    --------    d-----w-    c:\programmer\Fælles filer\Windows Live
2009-09-13 09:10 . 2009-09-13 09:10    --------    d-----w-    c:\documents and settings\NetworkService\Lokale indstillinger\Application Data\Apple
2009-09-09 20:36 . 2009-09-09 20:36    --------    d-sh--w-    c:\documents and settings\Default User\IETldCache
2009-09-09 09:01 . 2009-06-21 21:48    153088    -c----w-    c:\windows\system32\dllcache\triedit.dll
2009-09-08 17:05 . 2009-09-08 17:05    --------    dc-h--w-    c:\documents and settings\All Users\Application Data\{BE1D7187-C39B-4B11-9EBD-9D19FAE66E65}
2009-09-08 17:05 . 2009-09-08 17:05    --------    d-----w-    c:\programmer\DanID
2009-09-08 17:05 . 2009-09-08 17:05    --------    d-----w-    c:\documents and settings\cb\Lokale indstillinger\Application Data\PackageAware
2009-09-03 06:09 . 2009-09-03 06:09    --------    d-----w-    c:\windows\wb
2009-09-03 06:09 . 1996-09-30 11:32    9728    ----a-r-    c:\windows\system\rnaph.dll
2009-09-03 06:09 . 1996-08-16 12:44    87552    ----a-r-    c:\windows\system\url.dll

.
((((((((((((((((((((((((((((((((((((((((  Find3M Rapport  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-02 12:47 . 2007-10-03 19:58    --------    d-----w-    c:\programmer\Steam
2009-10-02 09:23 . 2006-04-03 15:22    41348    ----a-w-    c:\documents and settings\cb\Application Data\wklnhst.dat
2009-10-02 07:06 . 2009-06-02 17:43    --------    d-----w-    c:\documents and settings\All Users\Application Data\avg8
2009-10-01 07:53 . 2009-06-28 19:51    --------    d-----w-    c:\programmer\Malwarebytes' Anti-Malware
2009-09-30 18:21 . 2005-10-20 07:23    --------    d--h--w-    c:\programmer\InstallShield Installation Information
2009-09-29 21:37 . 2008-08-09 21:04    127    ----a-w-    c:\windows\popcinfot.dat
2009-09-23 20:55 . 2005-10-30 10:57    --------    d-----w-    c:\programmer\Google
2009-09-14 14:53 . 2006-04-01 18:28    90952    ----a-w-    c:\documents and settings\cb\Lokale indstillinger\Application Data\GDIPFONTCACHEV1.DAT
2009-09-13 08:55 . 2009-06-27 06:20    --------    d-----w-    c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-10 15:03 . 2006-05-28 11:46    --------    d-----w-    c:\documents and settings\cb\Application Data\Skype
2009-09-10 12:54 . 2009-06-28 19:51    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 12:53 . 2009-06-28 19:51    19160    ----a-w-    c:\windows\system32\drivers\mbam.sys
2009-09-09 20:18 . 2008-08-10 16:29    444952    ----a-w-    c:\windows\system32\wrap_oal.dll
2009-09-09 20:18 . 2008-08-10 16:29    109080    ----a-w-    c:\windows\system32\OpenAL32.dll
2009-09-08 17:05 . 2006-04-11 16:51    --------    d-----w-    c:\programmer\Fælles filer\Wise Installation Wizard
2009-08-25 08:54 . 2007-02-06 07:46    --------    d-----w-    c:\programmer\Stata9
2009-08-24 18:01 . 2006-04-30 15:36    --------    d-----w-    c:\programmer\QuickTime
2009-08-24 17:56 . 2007-04-15 17:57    --------    d-----w-    c:\programmer\Apple Software Update
2009-08-24 17:56 . 2009-08-24 17:56    --------    d-----w-    c:\documents and settings\All Users\Application Data\Apple
2009-08-17 17:11 . 2008-11-25 15:40    0    ----a-w-    c:\documents and settings\cb\temp.dat
2009-08-16 08:53 . 2009-06-02 17:44    11952    ----a-w-    c:\windows\system32\avgrsstx.dll
2009-08-16 08:53 . 2009-06-02 17:43    335240    ----a-w-    c:\windows\system32\drivers\avgldx86.sys
2009-08-16 08:53 . 2009-06-02 17:43    27784    ----a-w-    c:\windows\system32\drivers\avgmfx86.sys
2009-08-05 09:00 . 2005-10-20 06:51    204800    ----a-w-    c:\windows\system32\mswebdvd.dll
2009-08-05 07:01 . 2006-03-02 13:54    --------    d-----w-    c:\programmer\Java
2009-07-26 14:44 . 2009-07-26 14:44    48448    ----a-w-    c:\windows\system32\sirenacm.dll
2009-07-25 03:23 . 2009-06-01 09:10    411368    ----a-w-    c:\windows\system32\deploytk.dll
2009-07-17 19:03 . 2005-10-20 06:51    58880    ----a-w-    c:\windows\system32\atl.dll
2009-07-13 21:43 . 2005-10-20 06:51    286208    ----a-w-    c:\windows\system32\wmpdxm.dll
2003-03-12 04:16 . 2008-12-27 23:28    307200    ----a-w-    c:\programmer\internet explorer\plugins\djvu0407.dll
2003-03-12 04:16 . 2008-12-27 23:28    303104    ----a-w-    c:\programmer\internet explorer\plugins\djvu0409.dll
2003-03-12 04:16 . 2008-12-27 23:28    311296    ----a-w-    c:\programmer\internet explorer\plugins\djvu040c.dll
2003-03-12 04:16 . 2008-12-27 23:28    299008    ----a-w-    c:\programmer\internet explorer\plugins\djvu0411.dll
2003-03-12 04:16 . 2008-12-27 23:28    303104    ----a-w-    c:\programmer\internet explorer\plugins\djvu0412.dll
2003-03-12 04:16 . 2008-12-27 23:28    290816    ----a-w-    c:\programmer\internet explorer\plugins\djvu0804.dll
2003-03-12 04:15 . 2008-12-27 23:28    122880    ----a-w-    c:\programmer\internet explorer\plugins\DjVuCntl.dll
2005-10-30 10:57 . 2005-10-30 10:57    8    --sh--r-    c:\windows\system32\C182B8F083.sys
2005-10-30 10:57 . 2005-10-30 10:57    4704    --sha-w-    c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((  Start steder i reg.basen  ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Bemærk* tomme linier & lovlige standard linier vises ikke 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\programmer\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"WMPNSCFG"="c:\programmer\Windows Media Player\WMPNSCFG.exe" [2006-11-15 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-27 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-27 455168]
"PCMService"="c:\programmer\Home Cinema\PowerCinema\PCMService.exe" [2006-02-22 143360]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-27 59392]
"InstantOn"="c:\program files\CyberLink\PowerCinema Linux\ion_install.exe" [2005-09-22 93640]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-27 208952]
"CmUCRRun"="c:\windows\system32\CmUCReye.exe" [2005-10-12 241664]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-16 2007832]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-30 13750272]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-30 86016]
"GrooveMonitor"="c:\programmer\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\programmer\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Lexmark 5200 series"="c:\programmer\Lexmark 5200 series\lxbtbmgr.exe" [2004-02-24 57344]
"Malwarebytes Anti-Malware (reboot)"="c:\programmer\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Showwnd"="showwnd.exe" - c:\windows\ShowWnd.exe [2003-09-18 36864]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-01-11 15961088]
"ledpointer"="CNYHKey.exe" - c:\windows\CNYHKey.exe [2005-11-10 5585408]
"CHotkey"="mHotkey.exe" - c:\windows\mHotkey.exe [2004-12-08 550912]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-04-30 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\programmer\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-16 08:53    11952    ----a-w-    c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menuen Start^Programmer^Start^Adobe Reader Hurtigstart.lnk]
path=c:\documents and settings\All Users\Menuen Start\Programmer\Start\Adobe Reader Hurtigstart.lnk
backup=c:\windows\pss\Adobe Reader Hurtigstart.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menuen Start^Programmer^Start^Portal Control.lnk]
path=c:\documents and settings\All Users\Menuen Start\Programmer\Start\Portal Control.lnk
backup=c:\windows\pss\Portal Control.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menuen Start^Programmer^Start^Windows Search.lnk]
path=c:\documents and settings\All Users\Menuen Start\Programmer\Start\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Programmer\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Programmer\\GameSpy Arcade\\Aphex.exe"=
"c:\\Programmer\\Steam\\Steam.exe"=
"c:\\Programmer\\Steam\\steamapps\\fleemaster\\team fortress 2\\hl2.exe"=
"c:\\Programmer\\JustVoip.com\\JustVoip\\JustVoip.exe"=
"c:\\Programmer\\BitLord\\BitLord.exe"=
"c:\\Programmer\\Steam\\steamapps\\fleemaster\\day of defeat source\\hl2.exe"=
"c:\\Programmer\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\Programmer\\Steam\\steamapps\\common\\sid meier's civilization iv beyond the sword\\Beyond the Sword\\Civ4BeyondSword.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmer\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Programmer\\Steam\\steamapps\\fleemaster\\synergy\\hl2.exe"=
"c:\\Programmer\\Steam\\steamapps\\fleemaster\\zombie panic! source\\hl2.exe"=
"c:\\Programmer\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Programmer\\Steam\\steamapps\\common\\civilization iv colonization\\Colonization.exe"=
"c:\\Programmer\\Steam\\steamapps\\common\\company of heroes\\RelicDownloader\\RelicDownloader.exe"=
"c:\\Programmer\\Ventrilo\\Ventrilo.exe"=
"c:\\Programmer\\Enlight\\Capitalism 2\\cap2.exe"=
"c:\\Programmer\\AVG\\AVG8\\avgupd.exe"=
"c:\\Programmer\\Steam\\steamapps\\common\\splinter cell - double agent\\SCDA-Offline\\System\\SplinterCell4.exe"=
"c:\\Programmer\\Steam\\steamapps\\common\\splinter cell - double agent\\SCDA-Online\\System\\SCDA_online.exe"=
"c:\\Programmer\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programmer\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Programmer\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Programmer\\Mozilla Firefox\\firefox.exe"=
"c:\\Programmer\\Steam\\steamapps\\common\\europa universalis iii - demo\\eu3demo.exe"=
"c:\\Programmer\\Steam\\steamapps\\common\\defensegridtheawakening\\DefenseGrid.exe"=
"c:\\Programmer\\Skype\\Phone\\Skype.exe"=
"c:\\Programmer\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmer\\Microsoft Office\\Office12\\POWERPNT.EXE"=
"c:\\Programmer\\Steam\\steamapps\\common\\killingfloor\\System\\KillingFloor.exe"=
"c:\\Programmer\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Programmer\\Steam\\steamapps\\common\\splinter cell - double agent\\SCDALauncher.exe"=
"c:\\Programmer\\Steam\\steamapps\\common\\company of heroes\\RelicCOH.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [02-06-2009 19:43 335240]
R2 AGCCAuditLogger;AGCCAuditLogger;d:\affy\AuditLoggerService.exe [23-10-2008 16:55 6144]
R2 AGCCIndexer;AGCCIndexer;d:\affy\IndexerService.exe [23-10-2008 16:55 9216]
R2 AGCCTaskManager;AGCCTaskManager;d:\affy\TaskManagerSvc.exe [23-10-2008 17:09 7168]
R2 AGCCWebServer;AGCCWebServer;d:\affy\WebService.exe [23-10-2008 17:23 28672]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [02-06-2009 19:43 297752]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [18-10-2005 15:01 826752]
R3 CMISTOR;CMIUCR.SYS CM220 Card Reader Driver;c:\windows\system32\drivers\cmiucr.SYS [20-10-2005 09:27 72320]
S0 rseb;rseb; [x]
S2 gupdate1c985d1fa732de2;Google Update Service (gupdate1c985d1fa732de2);c:\programmer\Google\Update\GoogleUpdate.exe [03-02-2009 09:35 133104]
S2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [19-09-2009 17:24 2560]
S2 syodowvgbx;syodowvgbx;\??\c:\windows\system32\drivers\chpdzxdx.sys --> c:\windows\system32\drivers\chpdzxdx.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Indhold af mappen 'Planlagte Opgaver'

2009-09-26 c:\windows\Tasks\AGCC Data Uploader.job
- d:\affy\Uploader.exe [2008-10-23 14:55]

2009-09-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmer\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2009-10-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmer\Google\Update\GoogleUpdate.exe [2009-02-03 07:35]

2009-10-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmer\Google\Update\GoogleUpdate.exe [2009-02-03 07:35]

2009-10-02 c:\windows\Tasks\User_Feed_Synchronization-{6927A0B9-9C1A-487D-AF43-B9FD54F2E5C2}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 02:31]
.
.
------- Yderligere scanning -------
.
uStart Page = hxxp://www.google.dk/
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: danid.dk
Trusted Zone: danid.dk
TCP: {004B7031-7257-40D6-BB84-5AC466F536AB} = 208.67.222.222,208.67.220.220
DPF: {1D381386-B2F7-4A83-AE20-B9796A68397C} - hxxps://www.borgerblanketter.dk/bb/proXSign1.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {4F2A3649-7A9F-4950-9C31-409FAC6FC7C8} - hxxps://danid.dk/csp/authenticode/csp.exe
DPF: {9C196458-4145-46AF-8A77-1506878DFECA} - ftp://ftp.sektornet.dk/sektornet/skolekom/fcplugin.cab
DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} - hxxps://udstedelse.certifikat.tdc.dk/csp/authenticode/tdccsp-0506.exe
DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} - hxxps://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
FF - ProfilePath - c:\documents and settings\cb\Application Data\Mozilla\Firefox\Profiles\qssukcs4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.dk/
FF - plugin: c:\programmer\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLITIKKER ----
c:\programmer\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".dk");
.
- - - - TOMME GENVEJE FJERNET - - - -

URLSearchHooks-CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-{FAF88B432344413595BB2DED98385684} - c:\programmer\DivX\DivXUserGuideUninstall



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-02 16:44
Windows 5.1.2600 Service Pack 3 NTFS

scanner skjulte processer ... 

scanner skjulte autostarter ...

scanner skjulte filer ... 

scanning gennemført med succes
skjulte filer: 0

**************************************************************************
.
--------------------- LÅSTE REGISTRERINGS NØGLER ---------------------

[HKEY_USERS\S-1-5-21-2352802925-1520458886-3822836906-1006\Software\SecuROM\License information*]
"datasecu"=hex:da,3b,ee,2b,bc,a5,3c,a6,66,a9,37,23,2b,8d,be,bf,25,62,1b,89,cb,
  e4,a0,26,4a,2b,fc,58,ee,39,56,f6,e3,c2,1b,8b,c4,50,33,a2,6d,bf,66,f8,1e,2e,\
"rkeysecu"=hex:63,c7,4f,0a,92,c3,03,3e,48,ed,e7,ac,f5,3e,24,a6

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347]

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347\6437968F264CADE72B36F1227E9F55FF]
.
--------------------- DLLs startet under kørende Processer ---------------------

- - - - - - - > 'explorer.exe'(992)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Andre kørende processer ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\programmer\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
c:\programmer\Home Cinema\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
c:\programmer\Java\jre6\bin\jqs.exe
c:\programmer\Fælles filer\LightScribe\LSSrvc.exe
c:\programmer\AVG\AVG8\avgrsx.exe
c:\programmer\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\programmer\CyberLink\Shared Files\RichVideo.exe
c:\programmer\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\programmer\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\progra~1\COMMON~1\X10\Common\X10nets.exe
c:\programmer\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
c:\windows\system32\WGATray.exe
c:\windows\system32\searchindexer.exe
c:\programmer\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\programmer\Lexmark 5200 Series\lxbtbmon.exe
c:\programmer\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Gennemført tid: 2009-10-02 16:49 - maskinen blev genstartet
ComboFix-quarantined-files.txt  2009-10-02 14:49

Pre-Kørsel: 11.240.128.512 byte ledig
Post-Kørsel: 11.473.424.384 byte ledig

WindowsXP-KB310994-SP2-Home-BootDisk-DAN.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

426    --- E O F ---    2009-09-16 23:32
2 October 2009 - 22:14 #9
So
c:\windows\system32\drivers\str.sys
got eaten...

How is the machine running now?
claus_b. Novice
3 October 2009 - 00:25 #10
Well, a new Malwarebytes scan reports 3 infections. One is in a quarantine folder and the other two in some restore folder.
So maybe that is because ComboFix makes a restore?


Malwarebytes' Anti-Malware 1.41
Database version: 2891
Windows 5.1.2600 Service Pack 3

03-10-2009 00:23:08
mbam-log-2009-10-03 (00-23-08).txt

Skan type: Fuldstændig skanning (C:\|D:\|E:\|)
Objekter skannet: 425876
Tid tilbagelagt: 1 hour(s), 43 minute(s), 31 second(s)

Inficerede Hukommelses Processer: 0
Inficerede Hukommelses Moduler: 0
Inficerede Registeringsdatabase Nøgler: 0
Inficerede Registeringsdatabase Værdier: 0
Inficerede Registeringsdatabase Filer: 0
Inficerede Mapper: 0
Inficerede Filer: 3

Inficerede Hukommelses Processer:
(Ingen mistænkelige filer fundet)

Inficerede Hukommelses Moduler:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Nøgler:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Værdier:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Filer:
(Ingen mistænkelige filer fundet)

Inficerede Mapper:
(Ingen mistænkelige filer fundet)

Inficerede Filer:
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\str.sys.vir (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FDFF6704-B445-46DC-A83C-5857ED410A5E}\RP88\A0010572.sys (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FDFF6704-B445-46DC-A83C-5857ED410A5E}\RP88\A0010621.sys (Worm.Agent) -> Quarantined and deleted successfully.
johnstigers Senior Master
3 October 2009 - 11:19 #11
Nothing has been restored from a ComboFix run.
ComboFix creates a restore point, and that is where it has now been deleted from.

Looks fine imo.
f-arn Guru
3 October 2009 - 11:33 #12
What about these two?

C:\gsrilums.exe
c:\windows\system32\drivers\chpdzxdx.sys
3 October 2009 - 11:41 #13
Agreed! <f-arn>: Feel free to take over...
claus_b. Novice
3 October 2009 - 11:44 #14
After the full Malwarebytes scan I actually ran CCleaner and another full Malwarebytes scan, which still finds something:

Malwarebytes' Anti-Malware 1.41
Database version: 2897
Windows 5.1.2600 Service Pack 3

03-10-2009 11:39:00
mbam-log-2009-10-03 (11-39-00).txt

Skan type: Fuldstændig skanning (C:\|D:\|E:\|)
Objekter skannet: 424100
Tid tilbagelagt: 1 hour(s), 41 minute(s), 32 second(s)

Inficerede Hukommelses Processer: 0
Inficerede Hukommelses Moduler: 0
Inficerede Registeringsdatabase Nøgler: 0
Inficerede Registeringsdatabase Værdier: 0
Inficerede Registeringsdatabase Filer: 0
Inficerede Mapper: 0
Inficerede Filer: 1

Inficerede Hukommelses Processer:
(Ingen mistænkelige filer fundet)

Inficerede Hukommelses Moduler:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Nøgler:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Værdier:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Filer:
(Ingen mistænkelige filer fundet)

Inficerede Mapper:
(Ingen mistænkelige filer fundet)

Inficerede Filer:
C:\gsrilums.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
johnstigers Senior Master
3 October 2009 - 11:58 #15
Yep...
f-arn, it's yours!
f-arn Guru
3 October 2009 - 12:26 #16
Delete banan.exe, then download ComboFix and save it to your desktop as alg.exe:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Right-click on the desktop, choose New -> Text Document, copy the content between the lines into it and save the file as CFScript.txt

Make sure it does not end up being named CFScript.txt.txt


--------------

Killall::
Snapshot::
File::
c:\windows\system32\drivers\chpdzxdx.sys
Driver::
syodowvgbx


--------------

Since ComboFix can conflict with your security programs, it is important that you disable them.

Then grab the new file with the mouse, drag it onto the ComboFix file and "let go" of the mouse button.
http://www.fromsej.saknet.dk/billeder/cfscript.gif


ComboFix should then start working. It may require a restart, which you must allow. Do not click on the window while the tool is running, as that can make your computer freeze.
When ComboFix is finished, and after it has (possibly) restarted, a log file should open: combofix.txt, which is located here: C:\Combofix txt

Please post the contents of that file here.
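The service lines f-arn reacted to (the R1/S2 `name;display;path [date size]` block of the ComboFix log) can be checked mechanically. Added example, not from this thread or from ComboFix: a small Python script that parses such lines and flags the two patterns seen here, a start entry whose file is gone (`[x]`) and an unresolved `\??\` path (`[?]`) carrying an auto-generated looking name. The sample lines are constructed in the log's format, and the vowel-ratio threshold is an assumed heuristic, not a ComboFix rule.

```python
import re

# ComboFix prints one line per service or driver in the form
#   <start> <name>;<display name>;<image path> [<dd-mm-yyyy hh:mm> <size>]
# where <start> is R (running) or S (stopped) followed by the start-type digit.
# A start entry whose image file could not be found ends in "[x]"; a path
# ComboFix could not resolve is shown as "<raw path> --> <path> [?]".
SERVICE_RE = re.compile(
    r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$"
)

# Constructed sample lines in the same format as the ComboFix log in this
# thread; the two suspicious entries mirror the ones the helpers reacted to.
SAMPLE_LINES = [
    r"R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [02-06-2009 19:43 335240]",
    r"R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [02-06-2009 19:43 297752]",
    r"R3 CMISTOR;CMIUCR.SYS CM220 Card Reader Driver;c:\windows\system32\drivers\cmiucr.SYS [20-10-2005 09:27 72320]",
    r"S0 rseb;rseb; [x]",
    r"S2 gupdate1c985d1fa732de2;Google Update Service (gupdate1c985d1fa732de2);c:\programmer\Google\Update\GoogleUpdate.exe [03-02-2009 09:35 133104]",
    r"S2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [19-09-2009 17:24 2560]",
    r"S2 syodowvgbx;syodowvgbx;\??\c:\windows\system32\drivers\chpdzxdx.sys --> c:\windows\system32\drivers\chpdzxdx.sys [?]",
]


def parse_service_line(line):
    """Return a dict for a ComboFix service line, or None for any other line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest").strip()
    rec["missing"] = rest == "[x]"
    rec["unresolved"] = rest.endswith("[?]")
    if rec["missing"]:
        rec["image"] = ""
    else:
        # The image path is everything before the " [" that opens the
        # date/size bracket; for unresolved entries keep the resolved side.
        path = rest.split(" [", 1)[0]
        if "-->" in path:
            path = path.split("-->", 1)[1].strip()
        rec["image"] = path
    return rec


def looks_random(name, display):
    """Assumed heuristic for auto-generated names: no separate display name,
    eight or more lowercase letters and a low vowel ratio (e.g. syodowvgbx)."""
    if display != name or not re.fullmatch(r"[a-z]{8,}", name):
        return False
    vowels = sum(ch in "aeiou" for ch in name)
    return vowels / len(name) <= 0.35


def audit_services(lines):
    """Return [(service name, [reasons])] for entries that deserve a look."""
    findings = []
    for line in lines:
        rec = parse_service_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["missing"]:
            reasons.append("start entry but image file not found ([x])")
        if rec["unresolved"]:
            reasons.append("image path could not be resolved (\\??\\ prefix, [?])")
        if looks_random(rec["name"], rec["display"]):
            reasons.append("service name looks auto-generated")
        if reasons:
            findings.append((rec["name"], reasons))
    return findings


if __name__ == "__main__":
    # Feed a real log in with: audit_services(open("ComboFix.txt").readlines())
    for name, reasons in audit_services(SAMPLE_LINES):
        print(name)
        for reason in reasons:
            print("  -", reason)
```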
claus_b. Novice
3 October 2009 - 13:12 #17
And that's done:
It does say the file is called combofix, but I did rename it - not sure what happened there?
- hope it works anyway...


ComboFix 09-10-01.05 - cb 03-10-2009 12:49.2.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.45.1030.18.3454.2704 [GMT 2:00]
Kører fra: c:\documents and settings\cb\Skrivebord\ComboFix.exe
Kommandoer benyttet :: c:\documents and settings\cb\Skrivebord\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\drivers\chpdzxdx.sys"
.

(((((((((((((((((((((((((((((((((((((((  Andet, der er slettet  )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
(((((((((((((((((((((((((((((((((((((((  Drivers/Tjenester  )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_syodowvgbx


(((((((((((((((((((((((((((((  Filer skabt fra 2009-09-03 til 2009-10-03  )))))))))))))))))))))))))))))))))))
.

2009-10-02 06:10 . 2009-10-02 06:10    --------    d-sh--w-    c:\windows\system32\config\systemprofile\IETldCache
2009-09-29 07:48 . 2004-02-19 17:32    126976    ----a-r-    c:\windows\system32\lxbtsnls.dll
2009-09-29 07:48 . 2004-02-20 10:45    65536    ----a-r-    c:\windows\system32\lxbtcfg.dll
2009-09-29 07:48 . 2004-02-19 17:29    139264    ----a-r-    c:\windows\system32\lxbtcoin.dll
2009-09-29 07:47 . 2009-09-29 07:48    --------    d-----w-    c:\programmer\Lexmark 5200 Series
2009-09-23 20:54 . 2009-09-23 20:54    --------    d-----w-    c:\documents and settings\cb\Lokale indstillinger\Application Data\Temp
2009-09-19 15:24 . 2009-10-03 10:58    1049    --sha-w-    c:\windows\system32\mmf.sys
2009-09-19 15:24 . 2009-09-19 15:24    48640    ----a-w-    c:\windows\mmfs.dll
2009-09-19 15:24 . 2009-09-19 15:24    2560    ----a-w-    c:\windows\Runservice.exe
2009-09-19 15:23 . 2009-09-19 15:24    --------    d-----w-    c:\programmer\Empires of Steel Demo
2009-09-15 20:47 . 2009-10-03 09:53    --------    d-----w-    c:\documents and settings\cb\Tracing
2009-09-15 20:44 . 2009-09-15 20:44    --------    d-----w-    c:\programmer\Microsoft
2009-09-15 20:44 . 2009-09-15 20:44    --------    d-----w-    c:\programmer\Windows Live SkyDrive
2009-09-15 20:44 . 2009-09-15 20:44    --------    d-----w-    c:\programmer\Windows Live
2009-09-15 20:26 . 2009-09-15 20:26    --------    d-----w-    c:\programmer\Fælles filer\Windows Live
2009-09-13 09:10 . 2009-09-13 09:10    --------    d-----w-    c:\documents and settings\NetworkService\Lokale indstillinger\Application Data\Apple
2009-09-09 20:36 . 2009-09-09 20:36    --------    d-sh--w-    c:\documents and settings\Default User\IETldCache
2009-09-09 09:01 . 2009-06-21 21:48    153088    -c----w-    c:\windows\system32\dllcache\triedit.dll
2009-09-08 17:05 . 2009-09-08 17:05    --------    dc-h--w-    c:\documents and settings\All Users\Application Data\{BE1D7187-C39B-4B11-9EBD-9D19FAE66E65}
2009-09-08 17:05 . 2009-09-08 17:05    --------    d-----w-    c:\programmer\DanID
2009-09-08 17:05 . 2009-09-08 17:05    --------    d-----w-    c:\documents and settings\cb\Lokale indstillinger\Application Data\PackageAware

.
((((((((((((((((((((((((((((((((((((((((  Find3M Rapport  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-02 19:18 . 2007-10-03 19:58    --------    d-----w-    c:\programmer\Steam
2009-10-02 09:23 . 2006-04-03 15:22    41348    ----a-w-    c:\documents and settings\cb\Application Data\wklnhst.dat
2009-10-02 07:06 . 2009-06-02 17:43    --------    d-----w-    c:\documents and settings\All Users\Application Data\avg8
2009-10-01 07:53 . 2009-06-28 19:51    --------    d-----w-    c:\programmer\Malwarebytes' Anti-Malware
2009-09-30 18:21 . 2005-10-20 07:23    --------    d--h--w-    c:\programmer\InstallShield Installation Information
2009-09-29 21:37 . 2008-08-09 21:04    127    ----a-w-    c:\windows\popcinfot.dat
2009-09-23 20:55 . 2005-10-30 10:57    --------    d-----w-    c:\programmer\Google
2009-09-14 14:53 . 2006-04-01 18:28    90952    ----a-w-    c:\documents and settings\cb\Lokale indstillinger\Application Data\GDIPFONTCACHEV1.DAT
2009-09-13 08:55 . 2009-06-27 06:20    --------    d-----w-    c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-10 15:03 . 2006-05-28 11:46    --------    d-----w-    c:\documents and settings\cb\Application Data\Skype
2009-09-10 12:54 . 2009-06-28 19:51    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 12:53 . 2009-06-28 19:51    19160    ----a-w-    c:\windows\system32\drivers\mbam.sys
2009-09-09 20:18 . 2008-08-10 16:29    444952    ----a-w-    c:\windows\system32\wrap_oal.dll
2009-09-09 20:18 . 2008-08-10 16:29    109080    ----a-w-    c:\windows\system32\OpenAL32.dll
2009-09-08 17:05 . 2006-04-11 16:51    --------    d-----w-    c:\programmer\Fælles filer\Wise Installation Wizard
2009-08-25 08:54 . 2007-02-06 07:46    --------    d-----w-    c:\programmer\Stata9
2009-08-24 18:01 . 2006-04-30 15:36    --------    d-----w-    c:\programmer\QuickTime
2009-08-24 17:56 . 2007-04-15 17:57    --------    d-----w-    c:\programmer\Apple Software Update
2009-08-24 17:56 . 2009-08-24 17:56    --------    d-----w-    c:\documents and settings\All Users\Application Data\Apple
2009-08-17 17:11 . 2008-11-25 15:40    0    ----a-w-    c:\documents and settings\cb\temp.dat
2009-08-16 08:53 . 2009-06-02 17:44    11952    ----a-w-    c:\windows\system32\avgrsstx.dll
2009-08-16 08:53 . 2009-06-02 17:43    335240    ----a-w-    c:\windows\system32\drivers\avgldx86.sys
2009-08-16 08:53 . 2009-06-02 17:43    27784    ----a-w-    c:\windows\system32\drivers\avgmfx86.sys
2009-08-05 09:00 . 2005-10-20 06:51    204800    ----a-w-    c:\windows\system32\mswebdvd.dll
2009-08-05 07:01 . 2006-03-02 13:54    --------    d-----w-    c:\programmer\Java
2009-07-26 14:44 . 2009-07-26 14:44    48448    ----a-w-    c:\windows\system32\sirenacm.dll
2009-07-25 03:23 . 2009-06-01 09:10    411368    ----a-w-    c:\windows\system32\deploytk.dll
2009-07-17 19:03 . 2005-10-20 06:51    58880    ----a-w-    c:\windows\system32\atl.dll
2009-07-13 21:43 . 2005-10-20 06:51    286208    ----a-w-    c:\windows\system32\wmpdxm.dll
2003-03-12 04:16 . 2008-12-27 23:28    307200    ----a-w-    c:\programmer\internet explorer\plugins\djvu0407.dll
2003-03-12 04:16 . 2008-12-27 23:28    303104    ----a-w-    c:\programmer\internet explorer\plugins\djvu0409.dll
2003-03-12 04:16 . 2008-12-27 23:28    311296    ----a-w-    c:\programmer\internet explorer\plugins\djvu040c.dll
2003-03-12 04:16 . 2008-12-27 23:28    299008    ----a-w-    c:\programmer\internet explorer\plugins\djvu0411.dll
2003-03-12 04:16 . 2008-12-27 23:28    303104    ----a-w-    c:\programmer\internet explorer\plugins\djvu0412.dll
2003-03-12 04:16 . 2008-12-27 23:28    290816    ----a-w-    c:\programmer\internet explorer\plugins\djvu0804.dll
2003-03-12 04:15 . 2008-12-27 23:28    122880    ----a-w-    c:\programmer\internet explorer\plugins\DjVuCntl.dll
2005-10-30 10:57 . 2005-10-30 10:57    8    --sh--r-    c:\windows\system32\C182B8F083.sys
2005-10-30 10:57 . 2005-10-30 10:57    4704    --sha-w-    c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((  Start steder i reg.basen  ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Bemærk* tomme linier & lovlige standard linier vises ikke 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\programmer\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"WMPNSCFG"="c:\programmer\Windows Media Player\WMPNSCFG.exe" [2006-11-15 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-27 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-27 455168]
"PCMService"="c:\programmer\Home Cinema\PowerCinema\PCMService.exe" [2006-02-22 143360]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-27 59392]
"InstantOn"="c:\program files\CyberLink\PowerCinema Linux\ion_install.exe" [2005-09-22 93640]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-27 208952]
"CmUCRRun"="c:\windows\system32\CmUCReye.exe" [2005-10-12 241664]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-03 2023704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-30 13750272]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-30 86016]
"GrooveMonitor"="c:\programmer\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\programmer\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Lexmark 5200 series"="c:\programmer\Lexmark 5200 series\lxbtbmgr.exe" [2004-02-24 57344]
"Malwarebytes Anti-Malware (reboot)"="c:\programmer\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Showwnd"="showwnd.exe" - c:\windows\ShowWnd.exe [2003-09-18 36864]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-01-11 15961088]
"ledpointer"="CNYHKey.exe" - c:\windows\CNYHKey.exe [2005-11-10 5585408]
"CHotkey"="mHotkey.exe" - c:\windows\mHotkey.exe [2004-12-08 550912]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-04-30 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\programmer\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-16 08:53    11952    ----a-w-    c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menuen Start^Programmer^Start^Adobe Reader Hurtigstart.lnk]
path=c:\documents and settings\All Users\Menuen Start\Programmer\Start\Adobe Reader Hurtigstart.lnk
backup=c:\windows\pss\Adobe Reader Hurtigstart.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menuen Start^Programmer^Start^Portal Control.lnk]
path=c:\documents and settings\All Users\Menuen Start\Programmer\Start\Portal Control.lnk
backup=c:\windows\pss\Portal Control.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menuen Start^Programmer^Start^Windows Search.lnk]
path=c:\documents and settings\All Users\Menuen Start\Programmer\Start\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Programmer\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Programmer\\GameSpy Arcade\\Aphex.exe"=
"c:\\Programmer\\Steam\\Steam.exe"=
"c:\\Programmer\\Steam\\steamapps\\fleemaster\\team fortress 2\\hl2.exe"=
"c:\\Programmer\\JustVoip.com\\JustVoip\\JustVoip.exe"=
"c:\\Programmer\\BitLord\\BitLord.exe"=
"c:\\Programmer\\Steam\\steamapps\\fleemaster\\day of defeat source\\hl2.exe"=
"c:\\Programmer\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\Programmer\\Steam\\steamapps\\common\\sid meier's civilization iv beyond the sword\\Beyond the Sword\\Civ4BeyondSword.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmer\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Programmer\\Steam\\steamapps\\fleemaster\\synergy\\hl2.exe"=
"c:\\Programmer\\Steam\\steamapps\\fleemaster\\zombie panic! source\\hl2.exe"=
"c:\\Programmer\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Programmer\\Steam\\steamapps\\common\\civilization iv colonization\\Colonization.exe"=
"c:\\Programmer\\Steam\\steamapps\\common\\company of heroes\\RelicDownloader\\RelicDownloader.exe"=
"c:\\Programmer\\Ventrilo\\Ventrilo.exe"=
"c:\\Programmer\\Enlight\\Capitalism 2\\cap2.exe"=
"c:\\Programmer\\AVG\\AVG8\\avgupd.exe"=
"c:\\Programmer\\Steam\\steamapps\\common\\splinter cell - double agent\\SCDA-Offline\\System\\SplinterCell4.exe"=
"c:\\Programmer\\Steam\\steamapps\\common\\splinter cell - double agent\\SCDA-Online\\System\\SCDA_online.exe"=
"c:\\Programmer\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programmer\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Programmer\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Programmer\\Mozilla Firefox\\firefox.exe"=
"c:\\Programmer\\Steam\\steamapps\\common\\europa universalis iii - demo\\eu3demo.exe"=
"c:\\Programmer\\Steam\\steamapps\\common\\defensegridtheawakening\\DefenseGrid.exe"=
"c:\\Programmer\\Skype\\Phone\\Skype.exe"=
"c:\\Programmer\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmer\\Microsoft Office\\Office12\\POWERPNT.EXE"=
"c:\\Programmer\\Steam\\steamapps\\common\\killingfloor\\System\\KillingFloor.exe"=
"c:\\Programmer\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Programmer\\Steam\\steamapps\\common\\splinter cell - double agent\\SCDALauncher.exe"=
"c:\\Programmer\\Steam\\steamapps\\common\\company of heroes\\RelicCOH.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [02-06-2009 19:43 335240]
R2 AGCCAuditLogger;AGCCAuditLogger;d:\affy\AuditLoggerService.exe [23-10-2008 16:55 6144]
R2 AGCCIndexer;AGCCIndexer;d:\affy\IndexerService.exe [23-10-2008 16:55 9216]
R2 AGCCTaskManager;AGCCTaskManager;d:\affy\TaskManagerSvc.exe [23-10-2008 17:09 7168]
R2 AGCCWebServer;AGCCWebServer;d:\affy\WebService.exe [23-10-2008 17:23 28672]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [02-06-2009 19:43 297752]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [18-10-2005 15:01 826752]
R3 CMISTOR;CMIUCR.SYS CM220 Card Reader Driver;c:\windows\system32\drivers\cmiucr.SYS [20-10-2005 09:27 72320]
S0 rseb;rseb; [x]
S2 gupdate1c985d1fa732de2;Google Update Service (gupdate1c985d1fa732de2);c:\programmer\Google\Update\GoogleUpdate.exe [03-02-2009 09:35 133104]
S2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [19-09-2009 17:24 2560]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Indhold af mappen 'Planlagte Opgaver'

2009-09-26 c:\windows\Tasks\AGCC Data Uploader.job
- d:\affy\Uploader.exe [2008-10-23 14:55]

2009-09-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmer\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2009-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmer\Google\Update\GoogleUpdate.exe [2009-02-03 07:35]

2009-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmer\Google\Update\GoogleUpdate.exe [2009-02-03 07:35]

2009-10-03 c:\windows\Tasks\User_Feed_Synchronization-{6927A0B9-9C1A-487D-AF43-B9FD54F2E5C2}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 02:31]
.
.
------- Yderligere scanning -------
.
uStart Page = hxxp://www.google.dk/
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: danid.dk
Trusted Zone: danid.dk
TCP: {004B7031-7257-40D6-BB84-5AC466F536AB} = 208.67.222.222,208.67.220.220
DPF: {1D381386-B2F7-4A83-AE20-B9796A68397C} - hxxps://www.borgerblanketter.dk/bb/proXSign1.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {4F2A3649-7A9F-4950-9C31-409FAC6FC7C8} - hxxps://danid.dk/csp/authenticode/csp.exe
DPF: {9C196458-4145-46AF-8A77-1506878DFECA} - ftp://ftp.sektornet.dk/sektornet/skolekom/fcplugin.cab
DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} - hxxps://udstedelse.certifikat.tdc.dk/csp/authenticode/tdccsp-0506.exe
DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} - hxxps://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
FF - ProfilePath - c:\documents and settings\cb\Application Data\Mozilla\Firefox\Profiles\qssukcs4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.dk/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLITIKKER ----
c:\programmer\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".dk");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-03 12:59
Windows 5.1.2600 Service Pack 3 NTFS

scanner skjulte processer ... 

scanner skjulte autostarter ...

scanner skjulte filer ... 

scanning gennemført med succes
skjulte filer: 0

**************************************************************************
.
--------------------- LÅSTE REGISTRERINGS NØGLER ---------------------

[HKEY_USERS\S-1-5-21-2352802925-1520458886-3822836906-1006\Software\SecuROM\License information*]
"datasecu"=hex:da,3b,ee,2b,bc,a5,3c,a6,66,a9,37,23,2b,8d,be,bf,25,62,1b,89,cb,
  e4,a0,26,4a,2b,fc,58,ee,39,56,f6,e3,c2,1b,8b,c4,50,33,a2,6d,bf,66,f8,1e,2e,\
"rkeysecu"=hex:63,c7,4f,0a,92,c3,03,3e,48,ed,e7,ac,f5,3e,24,a6

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347]
"1"=hex:6a,0b,56,13,c1,93,dc,9c,fb,61,a2,a0,e4,ff,91,20,60,bf,2f,c2,35,91,ae,
  25
"2"=hex:fb,e6,50,7f,41,f4,51,a7,7f,ec,2d,f9,42,45,3a,02,3a,b7,45,15,3f,9d,8b,
  c3
"3"=hex:6a,0b,56,13,c1,93,dc,9c,fb,61,a2,a0,e4,ff,91,20,5d,f5,58,d1,21,e0,48,
  8b,38,57,44,9c,4e,8d,78,88,fd,f1,01,9d,86,d8,b5,cb,d9,bf,23,55,4a,bb,31,1f

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347\6437968F264CADE72B36F1227E9F55FF]
"1"=hex:c3,6d,34,27,8d,3e,17,ae,88,3d,e9,fa,16,d7,3d,cc,76,43,40,c1,aa,4c,05,
  25,1f,6f,bb,0d,b2,67,93,e5
"2"=hex:52,b6,d8,39,72,3e,5a,00
"3"=hex:6a,c0,d2,90,32,b0,95,a1,a0,d7,52,d8,6b,3a,9b,28,c9,bf,b5,e6,2d,6f,86,
  0c,c1,62,50,3a,f1,e9,ab,35,46,9e,2b,ab,99,e9,c8,d6,f0,37,c6,a6,ac,b7,c4,cb,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
  1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
  51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
"7"=hex:58,eb,3b,8d,af,31,32,62,d7,23,d5,cc,e0,21,3a,a4,42,64,d6,76,4c,94,9f,
  ff,26,c6,a2,e8,b2,10,23,f1,73,27,93,69,70,ea,32,ac,7f,0f,b5,e5,5f,3a,23,65,\
"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,07,4e,b3,f7,88,a5,2d,b1,06,23,59,0f,c0,b1,29,
  1d,28,4d,3d,a0,7d,bf,57,49,ee,6d,36,b9,5b,9e,24,de,3d,49,d1,dd,c8,a5,cc,5b
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:70,56,26,33,e3,20,f8,ab
"10"=hex:c6,de,6f,42,bb,36,34,61
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:81,20,8f,ab,28,6a,52,9c
"13"=hex:81,20,8f,ab,28,6a,52,9c
"14"=hex:81,20,8f,ab,28,6a,52,9c
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:81,20,8f,ab,28,6a,52,9c
"22"=hex:81,20,8f,ab,28,6a,52,9c
.
--------------------- DLLs startet under kørende Processer ---------------------

- - - - - - - > 'explorer.exe'(2808)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Andre kørende processer ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\programmer\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
c:\programmer\Home Cinema\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
c:\programmer\Java\jre6\bin\jqs.exe
c:\programmer\Fælles filer\LightScribe\LSSrvc.exe
c:\programmer\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\programmer\AVG\AVG8\avgrsx.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\programmer\CyberLink\Shared Files\RichVideo.exe
c:\programmer\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\programmer\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\progra~1\COMMON~1\X10\Common\X10nets.exe
c:\programmer\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\WGATray.exe
c:\programmer\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\programmer\Lexmark 5200 Series\lxbtbmon.exe
c:\programmer\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Gennemført tid: 2009-10-03 13:04 - maskinen blev genstartet
ComboFix-quarantined-files.txt  2009-10-03 11:04
ComboFix2.txt  2009-10-02 14:49

Pre-Kørsel: 11.327.287.296 byte ledig
Post-Kørsel: 11.297.538.048 byte ledig

317    --- E O F ---    2009-09-16 23:32
f-arn Guru
03 October 2009 - 17:38 #18
"It does say the file is called combofix, but I did rename it - not quite sure what happened there?"

Combofix renamed itself, which is what I had expected.

------------

Find and upload these files at Jotti or Virustotal:

c:\windows\system32\drivers\cmiucr.SYS
d:\affy\AuditLoggerService.exe


http://virusscan.jotti.org/ - http://www.virustotal.com/en/indexf.html

You may need to turn on show hidden files and folders.

If you don't know how, see here:
http://www.it-artikler.dk/2008/03/05/vis-skjulte-filer-og-mapper/

Copy the result in here

------------

Do you know what this folder is?
c:\documents and settings\cb\Tracing
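Before uploading the two files named in the reply above, a defender usually records their hash and signature state: the SHA-256 can be searched on VirusTotal without sending the file anywhere, and an Authenticode check tells you whether the driver or service binary carries a vendor signature. The following PowerShell is an added example and is not code from anyone in this thread. It assumes Windows PowerShell 4.0 or later (for Get-FileHash), so it would run on a newer machine than the XP box discussed here; the function name Get-FileTriage is my own, and the two paths are the ones the reply asks about.

```powershell
# Added example (not from the thread): triage a file before uploading it to a
# multi-engine scanner. Records size, timestamp, SHA-256 (searchable on
# VirusTotal without uploading) and the Authenticode signature status.
# Assumes Windows PowerShell 4.0+ for Get-FileHash. Function name is invented.

function Get-FileTriage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$Path
    )
    process {
        foreach ($p in $Path) {
            # -Force is needed so hidden/system files are found as well.
            if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
                Write-Warning "Not found: $p (turn on 'show hidden files' first)"
                continue
            }
            $item = Get-Item -LiteralPath $p -Force
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $sig  = Get-AuthenticodeSignature -FilePath $p

            [PSCustomObject]@{
                Path      = $item.FullName
                SizeBytes = $item.Length
                Modified  = $item.LastWriteTime
                SHA256    = $hash
                # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError ...
                SigStatus = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }
}

# The two files the reply above asked to have checked.
$suspects = @(
    'C:\Windows\System32\drivers\cmiucr.SYS',
    'D:\affy\AuditLoggerService.exe'
)

$suspects | Get-FileTriage | Format-List
```

An unsigned file is not by itself evidence of malware (older third-party drivers such as a card-reader driver are often unsigned, and cmiucr.SYS scanned clean later in the thread), but a HashMismatch status on a file that claims a signature, or a SHA-256 that VirusTotal already knows as malicious, is a strong signal worth pasting into the reply along with the scanner result.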
claus_b. Novice
03 October 2009 - 18:37 #19
using jotti:

Filename:  cmiucr.SYS 
Status:  Scan finished. 0 out of 21 scanners reported malware

Filename:  AuditLoggerService.exe 
Status:  Scan finished. 0 out of 21 scanners reported malware

hope those were the results you meant...

I don't know the folder c:\documents and settings\cb\Tracing
but it contains an empty folder: "WPPMedia"
and a file: "WindowsLiveMessenger-uccapi-0.uccapilog", which apparently has size 0.
(I remembered to show hidden files and folders)
claus_b. Novice
03 October 2009 - 18:42 #20
as a small curiosity, I find in c:\windows 
227 hidden folders with almost identical names like:
$NtUninstallKB873339$

yes, one gets completely paranoid about all this, and I haven't seen them before - is that ok?
johnstigers Seniormester
03 October 2009 - 18:48 #21
Those hidden folders appear when Windows updates, so they are ok.
f-arn Guru
03 October 2009 - 18:57 #22
How is the machine running now?
claus_b. Novice
03 October 2009 - 22:13 #23
well, the machine runs fine, that hasn't been the problem, but malwarebytes still finds an infection:


Malwarebytes' Anti-Malware 1.41
Database version: 2900
Windows 5.1.2600 Service Pack 3

03-10-2009 22:11:40
mbam-log-2009-10-03 (22-11-40).txt

Skan type: Fuldstændig skanning (C:\|D:\|E:\|)
Objekter skannet: 426650
Tid tilbagelagt: 1 hour(s), 44 minute(s), 28 second(s)

Inficerede Hukommelses Processer: 0
Inficerede Hukommelses Moduler: 0
Inficerede Registeringsdatabase Nøgler: 0
Inficerede Registeringsdatabase Værdier: 0
Inficerede Registeringsdatabase Filer: 0
Inficerede Mapper: 0
Inficerede Filer: 1

Inficerede Hukommelses Processer:
(Ingen mistænkelige filer fundet)

Inficerede Hukommelses Moduler:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Nøgler:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Værdier:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Filer:
(Ingen mistænkelige filer fundet)

Inficerede Mapper:
(Ingen mistænkelige filer fundet)

Inficerede Filer:
C:\System Volume Information\_restore{FDFF6704-B445-46DC-A83C-5857ED410A5E}\RP90\A0010918.sys (Worm.Agent) -> Quarantined and deleted successfully.
johnstigers Seniormester
03 October 2009 - 22:23 #24
That's easy, since it's in the system restore points, which just need to be deleted:

Here's how
Go to Start > All Programs > Accessories > System Tools > Disk Cleanup
If prompted, click the drive you want to clean up and then click OK.
Now go to the More Options tab
Click Clean up next to System Restore.
Click Yes.

Restart the PC, and a new log from malwarebytes - just in case :)
f-arn Guru
03 October 2009 - 23:54 #25
Click Start, Run and paste this: combofix /u
press enter
That will remove Combofix and reset the clock settings.
Reset System Restore.
Hide file extensions, if required.
Hide system/hidden files, if required

------------

I would really recommend that you replace AVG:
http://www.spywarefri.dk/artikel/computerblade-misinformerer/

If you decide to do so, see here:
http://www.spywarefri.dk/sikkerhedspakken/
If it has to be free, I would recommend Avast with Online Armor as firewall

Once you've decided what you want, download it and also get this one:
http://www.avg.com/download-tools

Then disconnect your internet.

Run avgremover.exe

Then install what you've chosen, reconnect the internet and get the necessary updates.

NB john_stigers has already taken care of System Restore.
claus_b. Novice
04 October 2009 - 23:24 #26
ok,
combofix is uninstalled
system restore reset
AVG uninstalled
ESET Smart Security installed and full scan run with no infections!

So all the effort seems to have worked - a pity not to have read the article about AVG earlier, but perhaps I should have been more critical. In any case I am incredibly grateful for your great help, which is certainly worth more than the 30 points I've put up.

Just to be on the safe side going forward:
With ESET am I as secure as I can be?
Windows firewall - no good?
Any reason to run extra checks now and then (malwarebytes/Kaspersky online)?

answers are welcome, and I hope not to need the experts' help with virus problems in the future :-)
f-arn Guru
05 October 2009 - 08:22 #27
There is no such thing as 100% security. You have made a good choice. Personally I run Norton Internet Security 2010, but I also use Malwarebytes to scan my computer now and then. Windows firewall is not very good.
I think you should uninstall HijackThis, but keep Malwarebytes and do a scan with it now and then.
After updating, of course :)
claus_b. Novice
05 October 2009 - 21:34 #28
ok, many thanks - 30 points given (couldn't give more)

ESET and malwarebytes have run without finding anything.
On the other hand there was a further find on a USB stick, which ESET could also handle.

have already today come across several colleagues and "secure" systems that make do with AVG 8.5 free, so hopefully the ball keeps rolling a bit...
claus_b. Novice
05 October 2009 - 21:36 #29
forgot to ask whether there is any particular reason to change passwords on all systems (websites, online banking, email etc.) in light of what happened?
f-arn Guru
05 October 2009 - 21:48 #30
I would change the one for online banking - just to be safe. It may not be necessary, but I would do it.
claus_b. Novice
05 October 2009 - 21:56 #31
ok, thanks