cvan (Beginner)
07 January 2008 - 16:42 There are 21 comments and 1 solution

ntspool.exe - virus

Hi experts!

My antivirus program has found a virus named ntspool.exe in the system32 folder.
I have tried to get Nod32 to delete the virus, but it keeps reappearing.

I have tried SuperAntiSpyware, but also without luck.

Can anyone help me get rid of the problem??
reinelt (Beginner)
07 January 2008 - 17:03 #1
http://www.eksperten.dk/artikler/1123 try this guide
I'm not a specialist in HijackThis, but others will help, and besides
I'm going on holiday. But this is one of the difficult ones.
fromsej (Trainee)
07 January 2008 - 17:12 #2
I'll go through the log files.
cvan (Beginner)
07 January 2008 - 17:24 #3
Great... I couldn't run ComboFix on Vista. It says something about there not being enough physical memory and shuts down, but here are the logs from the other 3.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/07/2008 at 04:19 PM

Application Version : 3.7.1018

Core Rules Database Version : 3375
Trace Rules Database Version: 1369

Scan type      : Complete Scan
Total Scan Time : 00:48:01

Memory items scanned      : 217
Memory threats detected  : 0
Registry items scanned    : 7404
Registry threats detected : 0
File items scanned        : 61417
File threats detected    : 162

Adware.Tracking Cookie

********************************* ROOTCHK-(28-12-07)-LOG, by ejvindh
07-01-2008 16:33:01,70

The rootkits that are detected by this tool were not found.

********************************* ROOTCHK-LOG-end


catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-07 16:33:01
Windows 6.0.6000
scanning hidden processes ...
IPC error: 2 Den angivne fil blev ikke fundet.

scanning hidden services & system hive ...
IPC error: 2 Den angivne fil blev ikke fundet.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:50,2b,d4,ec,c8,19,83,72,b4,0c,6b,ab,21,90,74,48,74,fb,ef,06,59,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,22,d5,77,9d,db,df,fc,94,36,88,63,ad,82,e8,46,80,94,..
"khjeh"=hex:1f,79,29,53,ca,e1,c1,08,3e,74,e7,a1,9f,8c,e0,a0,be,56,ae,1d,0a,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:e5,68,eb,69,ff,69,3a,2e,99,b0,c2,ad,ce,fe,c9,c4,85,b8,f3,da,e4,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:50,2b,d4,ec,c8,19,83,72,b4,0c,6b,ab,21,90,74,48,74,fb,ef,06,59,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,22,d5,77,9d,db,df,fc,94,36,88,63,ad,82,e8,46,80,94,..
"khjeh"=hex:1f,79,29,53,ca,e1,c1,08,3e,74,e7,a1,9f,8c,e0,a0,be,56,ae,1d,0a,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:e5,68,eb,69,ff,69,3a,2e,99,b0,c2,ad,ce,fe,c9,c4,85,b8,f3,da,e4,..

scanning hidden registry entries ...

scanning hidden files ...
IPC error: 2 Den angivne fil blev ikke fundet.

hidden processes: 0
hidden services: 0
hidden files: 0

Logfile of HijackThis v1.99.1
Scan saved at 17:22:19, on 07-01-2008
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Quick Launch Button\QLButton.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ESET\nod32kui.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\conime.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Cuong\Desktop\test\alternativ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Hjælp til tilmelding til Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QLButton] C:\Program Files\Quick Launch Button\QLButton.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.new2.foto.com/ImageUploader4.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
07 January 2008 - 18:20 #4
[uTorrent.exe] = SIGH ...
fromsej (Trainee)
07 January 2008 - 18:30 #5
Right-click ComboFix and choose to run the program as Administrator; can you run it then?
Otherwise try in safe mode.
cvan (Beginner)
07 January 2008 - 21:38 #6
I have tried both, but it won't run. It says "Not enough memory" after opening the prompt window.
fromsej (Trainee)
08 January 2008 - 07:51 #7
-- Download Avenger here:
http://swandog46.geekstogo.com/avenger.zip

-- Unpack the Avenger program and double-click avenger.exe

-- Select "Input Script Manually" and click the magnifying glass - a small window will now appear, into which you must copy the ENTIRE content between the ~~~:
~~~~~~~~~~~~~~~~

Files to delete:
C:\WINDOWS\system32\ntspool.exe

~~~~~~~~~~~~~~~~
-- Click the traffic light in Avenger. The program will prompt you to restart the computer immediately, which you should do. The program will shut down your computer, delete the files and start the computer again.

-- After the restart a Notepad window will appear with a log of Avenger's actions. Please post it in your next reply.

Try ComboFix again; this time do not choose to save, but choose Run instead.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
cvan (Beginner)
08 January 2008 - 09:29 #8
I'll run Avenger in a moment. I tried to run ComboFix, and now it says "Freeware implementation of reg.exe er holdt op med at fungere" and in the prompt window it says: "Access violation at address 77B6258F. Read of address 006D006C".
cvan (Beginner)
08 January 2008 - 09:30 #9
Protection against malicious software in Windows Security Center is turned off automatically. I think it happens after I run ComboFix, but I'm not sure. It has happened a couple of times now.
cvan (Beginner)
08 January 2008 - 10:11 #10
I put the computer on standby and turned it on again, and then the prompt window was ready.
Here is the file

ComboFix 08-01-07.5 - Cuong 2008-01-08 10:03:16.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium  6.0.6000.0.1252.1.1030.18.1106 [GMT 1:00]
Running from: C:\Users\Cuong\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\49J2HCYZ\ComboFix[1].exe
* Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((  Other Deletions  )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\lsprst7.dll
C:\Windows\system32\nsprs.dll
C:\Windows\system32\serauth1.dll
C:\Windows\system32\serauth2.dll
C:\Windows\system32\ssprs.dll

.
(((((((((((((((((((((((((  Files Created from 2007-12-08 to 2008-01-08  )))))))))))))))))))))))))))))))
.

2008-01-07 17:54 . 2008-01-07 17:54    <DIR>    d--------    C:\Users\Cuong\AppData\Roaming\Canon
2008-01-07 17:53 . 2008-01-07 17:53    <DIR>    d--------    C:\Program Files\Canon
2008-01-07 17:47 . 2008-01-07 17:47    <DIR>    d--------    C:\Temp\CanoScanTB_v4131
2008-01-07 17:47 . 2008-01-07 17:47    <DIR>    d--------    C:\Temp\CanoScan_Toolbox_v4131
2008-01-07 17:47 . 2008-01-07 17:47    <DIR>    d--------    C:\Temp
2008-01-07 17:37 . 2008-01-07 17:38    <DIR>    d--h-----    C:\CanoScan
2008-01-07 17:37 . 2002-04-12 20:17    339,968    --a------    C:\Windows\System32\N067UFW.DLL
2008-01-07 17:37 . 2001-04-11 02:10    327,740    --a------    C:\Windows\System32\UCS32P.DLL
2008-01-07 17:37 . 2002-04-26 18:37    32,768    --a------    C:\Windows\System32\CNQU70.DLL
2008-01-07 16:32 . 2000-08-31 08:00    51,200    --a------    C:\Windows\NirCmd.exe
2008-01-07 15:26 . 2008-01-07 15:26    <DIR>    d--------    C:\Users\Cuong\AppData\Roaming\SUPERAntiSpyware.com
2008-01-07 15:26 . 2008-01-07 17:20    <DIR>    d--------    C:\Program Files\SUPERAntiSpyware
2007-12-26 11:16 . 2007-12-26 11:16    <DIR>    d--------    C:\Users\Cuong\AppData\Roaming\Apple Computer
2007-12-26 11:16 . 2008-01-07 18:42    54,156    --ah-----    C:\Windows\QTFont.qfn
2007-12-26 11:16 . 2007-12-26 11:16    1,409    --a------    C:\Windows\QTFont.for
2007-12-26 11:15 . 2007-12-26 11:15    <DIR>    d--------    C:\Program Files\iTunes
2007-12-26 11:15 . 2007-12-26 11:15    <DIR>    d--------    C:\Program Files\iPod
2007-12-26 11:14 . 2007-12-26 11:15    <DIR>    d--------    C:\Users\All Users\Apple Computer
2007-12-26 11:14 . 2007-12-26 11:15    <DIR>    d--------    C:\ProgramData\Apple Computer
2007-12-26 11:14 . 2007-12-26 11:15    <DIR>    d--------    C:\Program Files\QuickTime
2007-12-26 11:14 . 2007-12-26 11:14    <DIR>    d--------    C:\Program Files\Apple Software Update
2007-12-26 11:13 . 2007-12-26 11:13    <DIR>    d--------    C:\Users\All Users\Apple
2007-12-26 11:13 . 2007-12-26 11:13    <DIR>    d--------    C:\ProgramData\Apple
2007-12-26 11:13 . 2007-12-26 11:13    <DIR>    d--------    C:\Program Files\Common Files\Apple
2007-12-25 21:56 . 2007-12-25 21:56    0    -rah-----    C:\logwmemory.bin
2007-12-25 21:39 . 2007-12-25 21:39    <DIR>    d--------    C:\Users\Cuong\AppData\Roaming\Soldat
2007-12-12 15:18 . 2007-12-12 15:18    1,327,104    --a------    C:\Windows\System32\quartz.dll
2007-12-12 15:18 . 2007-12-12 15:18    223,232    --a------    C:\Windows\System32\WMASF.DLL
2007-12-12 15:18 . 2007-12-12 15:18    9,728    --a------    C:\Windows\System32\LAPRXY.DLL
2007-12-12 15:18 . 2007-12-12 15:18    2,048    --a------    C:\Windows\System32\asferror.dll
2007-12-12 15:12 . 2007-12-12 15:12    130,048    --a------    C:\Windows\System32\drivers\srv2.sys
2007-12-12 15:12 . 2007-12-12 15:12    101,888    --a------    C:\Windows\System32\drivers\mrxsmb.sys
2007-12-12 15:12 . 2007-12-12 15:12    84,992    --a------    C:\Windows\System32\drivers\srvnet.sys
2007-12-12 15:12 . 2007-12-12 15:12    58,368    --a------    C:\Windows\System32\drivers\mrxsmb20.sys
2007-12-12 15:11 . 2007-12-12 15:11    3,504,824    --a------    C:\Windows\System32\ntkrnlpa.exe
2007-12-12 15:11 . 2007-12-12 15:11    3,470,520    --a------    C:\Windows\System32\ntoskrnl.exe
2007-12-12 15:11 . 2007-12-12 15:11    2,048    --a------    C:\Windows\System32\tzres.dll
2007-12-11 17:01 . 2007-12-11 17:10    <DIR>    d--hsc---    C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-11 17:00 . 2007-12-11 17:00    <DIR>    d--------    C:\Users\All Users\WLInstaller
2007-12-11 17:00 . 2007-12-11 17:00    <DIR>    d--------    C:\ProgramData\WLInstaller
2007-12-11 10:57 . 2007-12-11 10:57    65,536    --a------    C:\Windows\System32\QuickTimeVR.qtx
2007-12-11 10:57 . 2007-12-11 10:57    49,152    --a------    C:\Windows\System32\QuickTime.qts

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-07 17:47    ---------    d-----w    C:\Users\Cuong\AppData\Roaming\uTorrent
2008-01-07 16:53    ---------    d--h--w    C:\Program Files\InstallShield Installation Information
2008-01-07 16:52    ---------    d-----w    C:\Program Files\Common Files\InstallShield
2008-01-07 16:19    ---------    d-----w    C:\Program Files\Common Files\Wise Installation Wizard
2008-01-07 14:03    47,473    ----a-w    C:\Users\Cuong\AppData\Roaming\nvModes.dat
2008-01-07 07:38    ---------    d---a-w    C:\ProgramData\TEMP
2007-12-17 17:22    ---------    d-----w    C:\Program Files\Messenger Plus! Live
2007-12-12 14:19    ---------    d-----w    C:\ProgramData\Microsoft Help
2007-12-12 14:17    56,320    ----a-w    C:\Windows\System32\iesetup.dll
2007-12-12 14:17    52,736    ----a-w    C:\Windows\AppPatch\iebrshim.dll
2007-12-12 14:17    26,624    ----a-w    C:\Windows\System32\ieUnatt.exe
2007-12-11 16:16    ---------    d-----w    C:\Program Files\MSN Messenger
2007-12-11 16:01    ---------    d-----w    C:\Program Files\Windows Live
2007-11-30 19:23    ---------    d-----w    C:\Program Files\StuffPlug3
2007-11-27 17:40    ---------    d-----w    C:\Users\Cuong\AppData\Roaming\Decisioneering
2007-11-27 17:40    ---------    d-----w    C:\ProgramData\InstallShield
2007-11-27 17:40    ---------    d-----w    C:\ProgramData\Decisioneering
2007-11-18 20:36    ---------    d-----w    C:\Users\Cuong\AppData\Roaming\.purple
2007-11-18 20:36    ---------    d-----w    C:\Program Files\Pidgin
2007-11-18 19:51    ---------    d-----w    C:\Program Files\Common Files\GTK
2007-11-16 06:32    ---------    d-----w    C:\Users\Cuong\AppData\Roaming\TEXTware
2007-11-16 06:32    ---------    d-----w    C:\Users\Cuong\AppData\Roaming\Gyldendal
2007-11-16 06:31    ---------    d-----w    C:\Program Files\TEXTware
2007-11-16 06:31    ---------    d-----w    C:\Program Files\Gyldendal
2007-11-14 13:13    ---------    d-----w    C:\Program Files\utorrent
2007-11-14 10:28    ---------    d-----w    C:\Program Files\Windows Mail
2007-11-14 10:16    704,000    ----a-w    C:\Windows\System32\PhotoScreensaver.scr
2007-11-14 10:15    67,584    ----a-w    C:\Windows\System32\wlanhlp.dll
2007-11-14 10:15    542,720    ----a-w    C:\Windows\System32\sysmain.dll
2007-11-14 10:15    502,784    ----a-w    C:\Windows\System32\wlansvc.dll
2007-11-14 10:15    47,104    ----a-w    C:\Windows\System32\wlanapi.dll
2007-11-14 10:15    297,984    ----a-w    C:\Windows\System32\wlansec.dll
2007-11-14 10:15    290,816    ----a-w    C:\Windows\System32\wlanmsm.dll
2007-11-14 10:15    28,344    ----a-w    C:\Windows\system32\drivers\battc.sys
2007-11-14 10:15    258,232    ----a-w    C:\Windows\system32\drivers\acpi.sys
2007-11-14 10:15    24,064    ----a-w    C:\Windows\System32\wtsapi32.dll
2007-11-14 10:15    20,920    ----a-w    C:\Windows\system32\drivers\compbatt.sys
2007-11-14 10:15    2,923,520    ----a-w    C:\Windows\explorer.exe
2007-11-14 10:15    2,027,008    ----a-w    C:\Windows\System32\win32k.sys
2007-11-14 10:15    14,208    ----a-w    C:\Windows\system32\drivers\CmBatt.sys
2007-11-14 10:14    1,244,672    ----a-w    C:\Windows\System32\mcmde.dll
2007-11-13 10:13    ---------    d-----w    C:\Program Files\SPSS
2007-11-12 09:22    ---------    d-----w    C:\Program Files\AGEIA Technologies
2007-11-12 09:20    ---------    d-----w    C:\Program Files\Ave3dUserPic
2007-11-12 08:51    615,424    ----a-w    C:\Windows\System32\themeui.dll
2007-11-12 08:51    240,640    ----a-w    C:\Windows\System32\uxtheme.dll
2007-11-12 08:49    ---------    d-----w    C:\Program Files\CodeGazer
2007-11-08 12:22    271,360    ----a-w    C:\Windows\system32\drivers\atksgt.sys
2007-11-08 12:22    18,048    ----a-w    C:\Windows\system32\drivers\lirsgt.sys
2007-11-07 08:35    86,016    ----a-w    C:\Windows\System32\OpenAL32.dll
2007-11-07 08:35    262,144    ----a-w    C:\Windows\System32\wrap_oal.dll
2007-10-18 10:31    51,224    ----a-w    C:\Windows\System32\sirenacm.dll
2007-10-15 13:36    298,104    ----a-w    C:\Windows\System32\imon.dll
2007-10-15 12:46    319,456    ----a-w    C:\Windows\DIFxAPI.dll
2007-10-15 12:45    315,392    ----a-w    C:\Windows\HideWin.exe
2007-10-15 12:37    229,888    ----a-w    C:\Windows\System32\msshsq.dll
2007-10-15 12:33    53,080    ----a-w    C:\Windows\System32\wuauclt.exe
2007-10-15 12:33    43,352    ----a-w    C:\Windows\System32\wups2.dll
2007-10-15 12:33    1,712,984    ----a-w    C:\Windows\System32\wuaueng.dll
2007-10-15 12:33    1,524,224    ----a-w    C:\Windows\System32\wucltux.dll
2007-10-15 12:32    80,896    ----a-w    C:\Windows\System32\wudriver.dll
2007-10-15 12:32    549,720    ----a-w    C:\Windows\System32\wuapi.dll
2007-10-15 12:32    33,624    ----a-w    C:\Windows\System32\wups.dll
2007-10-15 12:31    31,232    ----a-w    C:\Windows\System32\wuapp.exe
2007-10-15 12:31    163,000    ----a-w    C:\Windows\System32\wuwebv.dll
2007-10-15 12:25    174    --sha-w    C:\Program Files\desktop.ini
2007-10-15 12:19    8,192    ----a-w    C:\Windows\System32\riched32.dll
2007-10-15 12:19    77,824    ----a-w    C:\Windows\System32\rascfg.dll
2007-10-15 12:19    694,784    ----a-w    C:\Windows\System32\localspl.dll
2007-10-15 12:19    52,736    ----a-w    C:\Windows\System32\rasdiag.dll
2007-10-15 12:19    384,000    ----a-w    C:\Windows\System32\netcfgx.dll
2007-10-15 12:19    36,864    ----a-w    C:\Windows\System32\cdd.dll
2007-10-15 12:19    33,280    ----a-w    C:\Windows\System32\traffic.dll
2007-10-15 12:19    32,768    ----a-w    C:\Windows\System32\rasmxs.dll
2007-10-15 12:19    286,208    ----a-w    C:\Windows\System32\ipnathlp.dll
2007-10-15 12:19    22,016    ----a-w    C:\Windows\System32\rasser.dll
2007-10-15 12:19    15,360    ----a-w    C:\Windows\System32\pacerprf.dll
2007-10-15 12:19    134,656    ----a-w    C:\Windows\System32\dps.dll
2007-10-15 12:19    13,824    ----a-w    C:\Windows\System32\wshqos.dll
2007-10-15 12:19    13,824    ----a-w    C:\Windows\System32\icsunattend.exe
2007-10-15 12:18    87,040    ----a-w    C:\Windows\System32\msoert2.dll
2007-10-15 12:18    39,424    ----a-w    C:\Windows\System32\ACCTRES.dll
2007-10-15 12:18    205,824    ----a-w    C:\Windows\System32\msoeacct.dll
2007-10-15 12:17    49,664    ----a-w    C:\Windows\System32\csrsrv.dll
2007-10-15 12:17    376,320    ----a-w    C:\Windows\System32\winsrv.dll
2007-10-15 12:15    374,456    ----a-w    C:\Windows\System32\mcupdate_GenuineIntel.dll
2007-10-15 12:14    414,208    ----a-w    C:\Windows\System32\msscp.dll
2007-10-15 12:13    86,016    ----a-w    C:\Windows\System32\icfupgd.dll
2007-10-15 12:13    8,147,968    ----a-w    C:\Windows\System32\wmploc.DLL
2007-10-15 12:13    7,680    ----a-w    C:\Windows\System32\spwmp.dll
2007-10-15 12:13    61,952    ----a-w    C:\Windows\System32\cmifw.dll
2007-10-15 12:13    4,096    ----a-w    C:\Windows\System32\dxmasf.dll
2007-10-15 12:13    396,800    ----a-w    C:\Windows\System32\MPSSVC.dll
2007-10-15 12:13    392,192    ----a-w    C:\Windows\System32\FirewallAPI.dll
2007-10-15 12:13    356,864    ----a-w    C:\Windows\System32\MediaMetadataHandler.dll
2007-10-15 12:13    178,688    ----a-w    C:\Windows\System32\iphlpsvc.dll
2007-10-15 12:13    16,896    ----a-w    C:\Windows\System32\wfapigp.dll
2007-10-15 12:12    104,448    ----a-w    C:\Windows\System32\DWWIN.EXE
2007-10-15 12:11    537,600    ----a-w    C:\Windows\AppPatch\AcLayers.dll
2007-10-15 12:11    449,536    ----a-w    C:\Windows\AppPatch\AcSpecfc.dll
.

(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2006-11-02 13:35 1196032]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-12-11 21:28 5724184]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:35 125440]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-04-23 15:46 1318128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-10-15 13:16 1006264]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-23 12:04 4423680 C:\Windows\RtHDVCpl.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-04-04 18:41 86016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-04-04 18:41 81920]
"QLButton"="C:\Program Files\Quick Launch Button\QLButton.exe" [2005-01-06 12:53 106496]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-15 07:03 1021224]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-10-15 14:36 949376]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 05:31 102400]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"NTSpool"= NTSpool.exe

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 18:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-09-20 15:35 202024 C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BisonMnt]
--a------ 2005-04-13 11:25 176128 C:\Windows\BisonCam\BisonMnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-09-18 15:16 171464 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-08-09 06:03 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-08-09 06:03 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-04-04 18:41 8429568 C:\Windows\system32\NvCpl.dll

R3 athr;Atheros Extensible Wireless LAN device driver;C:\Windows\system32\DRIVERS\athr.sys [2007-05-11 16:40]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 08:30]
R3 TPM;TPM;C:\Windows\system32\drivers\tpm.sys [2006-11-02 10:50]
R3 winbondcir;Winbond IR Transceiver;C:\Windows\system32\DRIVERS\winbondcir.sys [2007-03-15 09:25]
S3 viaagp;VIA AGP Bus Filter;C:\Windows\system32\drivers\viaagp.sys [2006-11-02 10:49]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted    REG_MULTI_SZ      hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b4653ddb-7cd9-11dc-8a30-00030d000001}]
\shell\AutoRun\command - F:\wd_windows_tools\setup.exe

*Newly Created Service* - PROCEXP90
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-08 10:05:36
Windows 6.0.6000  NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-08 10:06:17
ComboFix-quarantined-files.txt  2008-01-08 09:06:14
.
2007-12-12 14:19:28    --- E O F ---
cvan Beginner
08 January 2008 - 10:20 #11
I can't run Avenger on Vista - it says the program can only be run on 2000 and XP.
fromsej Trainee
08 January 2008 - 12:00 #12
I actually knew that, but had forgotten it. :-(
Well, I'm looking at your log now, so we'll go about it that way.
But you're asking for trouble yourself with MessengerPlus and uTorrent.
Uninstall both and drop file sharing; it is the surest way to get infected and to help spread the junk.
The legal side of it I happily leave to others; I look at it from a security standpoint.
fromsej Trainee
08 January 2008 - 12:08 #13
Download CCleaner here:
http://www.filehippo.com/download_ccleaner/
Install CCleaner; remember to remove the check mark next to installation of the Yahoo toolbar.
Start the program and remove the check mark at cookies.
Click Run Cleaner and let it remove what it finds.
Then click Registry on the left side (the blue cube), click Scan for issues; when it has finished, click Fix selected issues, optionally make a backup of the registry, then click Fix all selected issues.
Click OK, then click Close when it has finished.
Restart.
---------------------------------------
Run HijackThis, scan, put a check mark next to the lines listed here, close all windows except HijackThis, and click Fix checked.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

---------------------------------------
Copy the contents between the wavy lines into a Notepad window, and save it in the same folder as ComboFix under the name CFScript.txt. When you save, make sure that "file types" is set to "all files".

~~~~~~~~~~~~~~~~~~~~~~~~~~

Killall::

File::
C:\WINDOWS\system32\ntspool.exe

Folder::
C:\Users\Cuong\AppData\Roaming\uTorrent
"C:\Program Files\Messenger Plus! Live"
"C:\Program Files\utorrent"

~~~~~~~~~~~~~~~~~~~~~~~~~~
Then grab the new file with the mouse and drag it over the ComboFix file, after which you "let go" with the mouse.
http://www.fromsej.saknet.dk/billeder/cfscript.gif
ComboFix should then start working. It may require a restart, which you must allow. You should not click on the window while the tool is running, as that can make your computer freeze.
---------------------------------------
Restart in Safe Mode (press <F8> during startup)
Start SUPERAntiSpyware, click Scan your Computer, and check the drives to be scanned.
(Fixed disk means hard drive)
Move the dot to Perform complete scan and click Next; the scan will then run.

When it has finished, a window with a summary appears; click OK, then click Next and then Finish.

A window with Quarantine and removal Complete appears; click OK, then click Finish.
Close the program and restart normally.
---------------------------------------
We need to see a fresh HijackThis log as well as the new ComboFix log.
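
An added example, not part of the original thread and not ComboFix's own code: a small parser that reads the Reg Loading Points section of a ComboFix log and flags autostart values that lack the bracketed timestamp/size the other entries carry, that sit under policies\explorer\run, or that point at a file named under File:: in a CFScript. The sample text is excerpted from the log and script on this page; the function names and the three reason labels are assumptions made for illustration.

```python
import ntpath
import re

# Excerpt of the "Reg Loading Points" section of the ComboFix log on this page.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2006-11-02 13:35 1196032]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-04-23 15:46 1318128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-23 12:04 4423680 C:\Windows\RtHDVCpl.exe]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-10-15 14:36 949376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"NTSpool"= NTSpool.exe
'''

# Directives excerpted from the CFScript on this page.
SAMPLE_CFSCRIPT = r'''
Killall::

File::
C:\WINDOWS\system32\ntspool.exe

Folder::
C:\Users\Cuong\AppData\Roaming\uTorrent
'''

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$', re.IGNORECASE)
# "name"=data, optionally followed by [timestamp size (resolved path)]
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*?)\s*(?:\[([^\]]*)\])?$')
# Registry keys whose values are launched at logon.
AUTOSTART_SUFFIXES = ('\\run', '\\runonce')


def parse_loading_points(log_text):
    """Return one dict per registry value, tagged with the key it sits under."""
    entries, key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append({'key': key, 'name': m.group(1),
                            'data': m.group(2), 'meta': m.group(3)})
    return entries


def cfscript_files(script_text):
    """Return the paths listed under the File:: directive of a CFScript."""
    paths, in_file = [], False
    for raw in script_text.splitlines():
        line = raw.strip()
        if line.endswith('::'):
            in_file = line.lower() == 'file::'
        elif in_file and line:
            paths.append(line.strip('"'))
    return paths


def target_of(data):
    """Executable part of a value: the quoted string if quoted, else all of it."""
    data = data.strip()
    return data[1:].split('"', 1)[0] if data.startswith('"') else data


def triage(log_text, script_text=''):
    """Flag autostart values that deserve a manual look, with the reasons."""
    removed = {ntpath.basename(p).lower() for p in cfscript_files(script_text)}
    findings = []
    for e in parse_loading_points(log_text):
        key = e['key'].lower()
        if not key.endswith(AUTOSTART_SUFFIXES):
            continue
        reasons = []
        if e['meta'] is None:
            # Heuristic (assumption): no timestamp/size was logged for this value.
            reasons.append('unresolved')
        if key.endswith('\\policies\\explorer\\run'):
            reasons.append('policy-run-key')
        if ntpath.basename(target_of(e['data'])).lower() in removed:
            reasons.append('file-in-cfscript')
        if reasons:
            findings.append({'key': e['key'], 'name': e['name'],
                             'data': e['data'], 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG, SAMPLE_CFSCRIPT):
        print(f"{f['key']} -> \"{f['name']}\" = {f['data']}  ({', '.join(f['reasons'])})")
```

A flagged value is a lead for manual review of the registry key, not a verdict on the file.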
cvan Beginner
08 January 2008 - 12:17 #14
Not to be a pest or because I'm not grateful, but I use uTorrent often, and it is otherwise recommended by many hardcore torrent users. Messenger Plus was installed without the sponsor. Should I still remove the folders for both programs?
fromsej Trainee
08 January 2008 - 13:03 #15
It is dead certain that you got the infections via file sharing.
I know perfectly well what file sharers think of our attitude to these things, and I couldn't care less.
Again, I look at it from a security standpoint; whether APG, Koda or whatever they are called get file sharers busted, well, the more that go down, the less junk gets spread.
So my position is crystal clear: get rid of the junk and drop file sharing.
As for MessengerPlus, by installing it you are also helping to support C2Media/Lop, which is one of the biggest spyware producers there is.
So get rid of that too.
cvan Beginner
08 January 2008 - 16:04 #16
OK, so I also got uTorrent removed by running ComboFix again. Hmm, I just don't quite know how I'll get anime downloaded now. Is it actually illegal to download anime?

ComboFix 08-01-07.5 - Cuong 2008-01-08 15:52:58.4 - NTFSx86
Microsoft® Windows Vista™ Home Premium  6.0.6000.0.1252.1.1030.18.1442 [GMT 1:00]
Running from: C:\Users\Cuong\Desktop\test\CF\ComboFix.exe
Command switches used :: C:\Users\Cuong\Desktop\test\CF\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\ntspool.exe
.

(((((((((((((((((((((((((((((((((((((((  Other Deletions  )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\utorrent
C:\Program Files\utorrent\utorrent.exe
C:\Users\Cuong\AppData\Roaming\uTorrent
C:\Users\Cuong\AppData\Roaming\uTorrent\[A-Destiny]_Konjiki_no_Gash_Bell_-_120_[69BBC0E7].mp4.torrent
C:\Users\Cuong\AppData\Roaming\uTorrent\[A-Destiny]_Konjiki_no_Gash_Bell_-_121_[44CC9F19].mp4.torrent
C:\Users\Cuong\AppData\Roaming\uTorrent\[A-Destiny]_Konjiki_no_Gash_Bell_-_122_[C7DA5FD7].mp4.torrent
C:\Users\Cuong\AppData\Roaming\uTorrent\[DB]_Naruto_Shippuuden_034_[E68BCD64].avi.torrent
C:\Users\Cuong\AppData\Roaming\uTorrent\[DB]_Naruto_Shippuuden_035_[2931DD96].avi.torrent
C:\Users\Cuong\AppData\Roaming\uTorrent\[DB]_Naruto_Shippuuden_036-037_[B06574F4].avi.1.torrent
C:\Users\Cuong\AppData\Roaming\uTorrent\[DB]_Naruto_Shippuuden_036-037_[B06574F4].avi.torrent
C:\Users\Cuong\AppData\Roaming\uTorrent\[DB]_Naruto_Shippuuden_038_[58960409].avi.torrent
C:\Users\Cuong\AppData\Roaming\uTorrent\[DB]_Naruto_Shippuuden_039_[DB247C5C].avi.torrent
C:\Users\Cuong\AppData\Roaming\uTorrent\[DB]_Naruto_Shippuuden_040-041_[18BB34E6].avi.torrent
C:\Users\Cuong\AppData\Roaming\uTorrent\dht.dat
C:\Users\Cuong\AppData\Roaming\uTorrent\dht.dat.old
C:\Users\Cuong\AppData\Roaming\uTorrent\resume.dat
C:\Users\Cuong\AppData\Roaming\uTorrent\resume.dat.old
C:\Users\Cuong\AppData\Roaming\uTorrent\settings.dat
C:\Users\Cuong\AppData\Roaming\uTorrent\settings.dat.old

.
(((((((((((((((((((((((((  Files Created from 2007-12-08 to 2008-01-08  )))))))))))))))))))))))))))))))
.

2008-01-08 12:21 . 2008-01-08 12:21    <DIR>    d--------    C:\Program Files\CCleaner
2008-01-07 17:54 . 2008-01-07 17:54    <DIR>    d--------    C:\Users\Cuong\AppData\Roaming\Canon
2008-01-07 17:53 . 2008-01-07 17:53    <DIR>    d--------    C:\Program Files\Canon
2008-01-07 17:47 . 2008-01-07 17:47    <DIR>    d--------    C:\Temp\CanoScanTB_v4131
2008-01-07 17:47 . 2008-01-07 17:47    <DIR>    d--------    C:\Temp\CanoScan_Toolbox_v4131
2008-01-07 17:47 . 2008-01-07 17:47    <DIR>    d--------    C:\Temp
2008-01-07 17:37 . 2008-01-07 17:38    <DIR>    d--h-----    C:\CanoScan
2008-01-07 17:37 . 2002-04-12 20:17    339,968    --a------    C:\Windows\System32\N067UFW.DLL
2008-01-07 17:37 . 2001-04-11 02:10    327,740    --a------    C:\Windows\System32\UCS32P.DLL
2008-01-07 17:37 . 2002-04-26 18:37    32,768    --a------    C:\Windows\System32\CNQU70.DLL
2008-01-07 16:32 . 2000-08-31 08:00    51,200    --a------    C:\Windows\NirCmd.exe
2008-01-07 15:26 . 2008-01-07 15:26    <DIR>    d--------    C:\Users\Cuong\AppData\Roaming\SUPERAntiSpyware.com
2008-01-07 15:26 . 2008-01-08 12:47    <DIR>    d--------    C:\Program Files\SUPERAntiSpyware
2007-12-26 11:16 . 2007-12-26 11:16    <DIR>    d--------    C:\Users\Cuong\AppData\Roaming\Apple Computer
2007-12-26 11:16 . 2008-01-08 15:57    54,156    --ah-----    C:\Windows\QTFont.qfn
2007-12-26 11:16 . 2007-12-26 11:16    1,409    --a------    C:\Windows\QTFont.for
2007-12-26 11:15 . 2007-12-26 11:15    <DIR>    d--------    C:\Program Files\iTunes
2007-12-26 11:15 . 2007-12-26 11:15    <DIR>    d--------    C:\Program Files\iPod
2007-12-26 11:14 . 2007-12-26 11:15    <DIR>    d--------    C:\Users\All Users\Apple Computer
2007-12-26 11:14 . 2007-12-26 11:15    <DIR>    d--------    C:\ProgramData\Apple Computer
2007-12-26 11:14 . 2007-12-26 11:15    <DIR>    d--------    C:\Program Files\QuickTime
2007-12-26 11:14 . 2007-12-26 11:14    <DIR>    d--------    C:\Program Files\Apple Software Update
2007-12-26 11:13 . 2007-12-26 11:13    <DIR>    d--------    C:\Users\All Users\Apple
2007-12-26 11:13 . 2007-12-26 11:13    <DIR>    d--------    C:\ProgramData\Apple
2007-12-26 11:13 . 2007-12-26 11:13    <DIR>    d--------    C:\Program Files\Common Files\Apple
2007-12-25 21:56 . 2007-12-25 21:56    0    -rah-----    C:\logwmemory.bin
2007-12-25 21:39 . 2007-12-25 21:39    <DIR>    d--------    C:\Users\Cuong\AppData\Roaming\Soldat
2007-12-12 15:18 . 2007-12-12 15:18    1,327,104    --a------    C:\Windows\System32\quartz.dll
2007-12-12 15:18 . 2007-12-12 15:18    223,232    --a------    C:\Windows\System32\WMASF.DLL
2007-12-12 15:18 . 2007-12-12 15:18    9,728    --a------    C:\Windows\System32\LAPRXY.DLL
2007-12-12 15:18 . 2007-12-12 15:18    2,048    --a------    C:\Windows\System32\asferror.dll
2007-12-12 15:12 . 2007-12-12 15:12    130,048    --a------    C:\Windows\System32\drivers\srv2.sys
2007-12-12 15:12 . 2007-12-12 15:12    101,888    --a------    C:\Windows\System32\drivers\mrxsmb.sys
2007-12-12 15:12 . 2007-12-12 15:12    84,992    --a------    C:\Windows\System32\drivers\srvnet.sys
2007-12-12 15:12 . 2007-12-12 15:12    58,368    --a------    C:\Windows\System32\drivers\mrxsmb20.sys
2007-12-12 15:11 . 2007-12-12 15:11    3,504,824    --a------    C:\Windows\System32\ntkrnlpa.exe
2007-12-12 15:11 . 2007-12-12 15:11    3,470,520    --a------    C:\Windows\System32\ntoskrnl.exe
2007-12-12 15:11 . 2007-12-12 15:11    2,048    --a------    C:\Windows\System32\tzres.dll
2007-12-11 17:01 . 2007-12-11 17:10    <DIR>    d--hsc---    C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-11 17:00 . 2007-12-11 17:00    <DIR>    d--------    C:\Users\All Users\WLInstaller
2007-12-11 17:00 . 2007-12-11 17:00    <DIR>    d--------    C:\ProgramData\WLInstaller
2007-12-11 10:57 . 2007-12-11 10:57    65,536    --a------    C:\Windows\System32\QuickTimeVR.qtx
2007-12-11 10:57 . 2007-12-11 10:57    49,152    --a------    C:\Windows\System32\QuickTime.qts

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-08 14:47    47,473    ----a-w    C:\Users\Cuong\AppData\Roaming\nvModes.dat
2008-01-07 16:53    ---------    d--h--w    C:\Program Files\InstallShield Installation Information
2008-01-07 16:52    ---------    d-----w    C:\Program Files\Common Files\InstallShield
2008-01-07 16:19    ---------    d-----w    C:\Program Files\Common Files\Wise Installation Wizard
2008-01-07 07:38    ---------    d---a-w    C:\ProgramData\TEMP
2007-12-12 14:19    ---------    d-----w    C:\ProgramData\Microsoft Help
2007-12-12 14:17    52,736    ----a-w    C:\Windows\AppPatch\iebrshim.dll
2007-12-11 16:16    ---------    d-----w    C:\Program Files\MSN Messenger
2007-12-11 16:01    ---------    d-----w    C:\Program Files\Windows Live
2007-11-30 19:23    ---------    d-----w    C:\Program Files\StuffPlug3
2007-11-27 17:40    ---------    d-----w    C:\Users\Cuong\AppData\Roaming\Decisioneering
2007-11-27 17:40    ---------    d-----w    C:\ProgramData\InstallShield
2007-11-27 17:40    ---------    d-----w    C:\ProgramData\Decisioneering
2007-11-18 20:36    ---------    d-----w    C:\Users\Cuong\AppData\Roaming\.purple
2007-11-18 20:36    ---------    d-----w    C:\Program Files\Pidgin
2007-11-18 19:51    ---------    d-----w    C:\Program Files\Common Files\GTK
2007-11-16 06:32    ---------    d-----w    C:\Users\Cuong\AppData\Roaming\TEXTware
2007-11-16 06:32    ---------    d-----w    C:\Users\Cuong\AppData\Roaming\Gyldendal
2007-11-16 06:31    ---------    d-----w    C:\Program Files\TEXTware
2007-11-16 06:31    ---------    d-----w    C:\Program Files\Gyldendal
2007-11-14 10:28    ---------    d-----w    C:\Program Files\Windows Mail
2007-11-14 10:15    28,344    ----a-w    C:\Windows\system32\drivers\battc.sys
2007-11-14 10:15    258,232    ----a-w    C:\Windows\system32\drivers\acpi.sys
2007-11-14 10:15    20,920    ----a-w    C:\Windows\system32\drivers\compbatt.sys
2007-11-14 10:15    2,923,520    ----a-w    C:\Windows\explorer.exe
2007-11-14 10:15    14,208    ----a-w    C:\Windows\system32\drivers\CmBatt.sys
2007-11-13 10:13    ---------    d-----w    C:\Program Files\SPSS
2007-11-12 09:22    ---------    d-----w    C:\Program Files\AGEIA Technologies
2007-11-12 09:20    ---------    d-----w    C:\Program Files\Ave3dUserPic
2007-11-12 08:49    ---------    d-----w    C:\Program Files\CodeGazer
2007-11-08 12:22    271,360    ----a-w    C:\Windows\system32\drivers\atksgt.sys
2007-11-08 12:22    18,048    ----a-w    C:\Windows\system32\drivers\lirsgt.sys
2007-10-15 12:46    319,456    ----a-w    C:\Windows\DIFxAPI.dll
2007-10-15 12:45    315,392    ----a-w    C:\Windows\HideWin.exe
2007-10-15 12:25    174    --sha-w    C:\Program Files\desktop.ini
2007-10-15 12:11    537,600    ----a-w    C:\Windows\AppPatch\AcLayers.dll
2007-10-15 12:11    449,536    ----a-w    C:\Windows\AppPatch\AcSpecfc.dll
2007-10-15 12:11    2,144,256    ----a-w    C:\Windows\AppPatch\AcGenral.dll
2007-10-15 12:11    173,056    ----a-w    C:\Windows\AppPatch\AcXtrnal.dll
.

(((((((((((((((((((((((((((((  snapshot_2008-01-08_12.45.54.28  )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-08 11:43:56    67,584    --s-a-w    C:\Windows\bootstat.dat
+ 2008-01-08 14:57:13    67,584    --s-a-w    C:\Windows\bootstat.dat
- 2008-01-08 11:26:55    262,144    ----a-w    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-01-08 14:47:30    262,144    ----a-w    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-01-08 11:44:10    1,310,720    --sha-w    C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-01-08 14:57:27    1,310,720    --sha-w    C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-01-08 11:35:34    262,144    ----a-w    C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-01-08 14:50:15    262,144    ----a-w    C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-01-08 11:44:10    1,310,720    --sha-w    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-01-08 14:57:28    1,310,720    --sha-w    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-01-08 11:31:25    81,296    ----a-w    C:\Windows\System32\perfc006.dat
+ 2008-01-08 14:51:37    81,296    ----a-w    C:\Windows\System32\perfc006.dat
- 2008-01-08 11:31:25    104,768    ----a-w    C:\Windows\System32\perfc009.dat
+ 2008-01-08 14:51:37    104,768    ----a-w    C:\Windows\System32\perfc009.dat
- 2008-01-08 11:31:25    488,634    ----a-w    C:\Windows\System32\perfh006.dat
+ 2008-01-08 14:51:37    488,634    ----a-w    C:\Windows\System32\perfh006.dat
- 2008-01-08 11:31:25    613,046    ----a-w    C:\Windows\System32\perfh009.dat
+ 2008-01-08 14:51:37    613,046    ----a-w    C:\Windows\System32\perfh009.dat
- 2008-01-08 11:28:02    6,758    ----a-w    C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3150878735-702015577-2062200739-1000_UserData.bin
+ 2008-01-08 14:49:02    7,156    ----a-w    C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3150878735-702015577-2062200739-1000_UserData.bin
- 2008-01-08 11:28:02    68,078    ----a-w    C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-01-08 14:49:02    68,354    ----a-w    C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-01-08 11:37:33    30,390    ----a-w    C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-01-08 14:48:59    30,684    ----a-w    C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2006-11-02 13:35 1196032]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-12-11 21:28 5724184]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:35 125440]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-04-23 15:46 1318128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-10-15 13:16 1006264]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-23 12:04 4423680 C:\Windows\RtHDVCpl.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-04-04 18:41 86016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-04-04 18:41 81920]
"QLButton"="C:\Program Files\Quick Launch Button\QLButton.exe" [2005-01-06 12:53 106496]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-15 07:03 1021224]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-10-15 14:36 949376]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 05:31 102400]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"NTSpool"= NTSpool.exe

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 18:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-09-20 15:35 202024 C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BisonMnt]
--a------ 2005-04-13 11:25 176128 C:\Windows\BisonCam\BisonMnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-09-18 15:16 171464 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-08-09 06:03 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-08-09 06:03 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-04-04 18:41 8429568 C:\Windows\system32\NvCpl.dll

R3 athr;Atheros Extensible Wireless LAN device driver;C:\Windows\system32\DRIVERS\athr.sys [2007-05-11 16:40]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 08:30]
R3 TPM;TPM;C:\Windows\system32\drivers\tpm.sys [2006-11-02 10:50]
R3 winbondcir;Winbond IR Transceiver;C:\Windows\system32\DRIVERS\winbondcir.sys [2007-03-15 09:25]
S3 viaagp;VIA AGP Bus Filter;C:\Windows\system32\drivers\viaagp.sys [2006-11-02 10:49]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted    REG_MULTI_SZ      hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b4653ddb-7cd9-11dc-8a30-00030d000001}]
\shell\AutoRun\command - F:\wd_windows_tools\setup.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-08 15:57:35
Windows 6.0.6000  NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-08 15:59:03 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-08 14:58:58
ComboFix2.txt  2008-01-08 14:48:11
ComboFix3.txt  2008-01-08 11:46:09
ComboFix4.txt  2008-01-08 09:06:18
.
2007-12-12 14:19:28    --- E O F --- 

Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 16:03:10, on 08-01-2008
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Quick Launch Button\QLButton.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ESET\nod32kui.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Cuong\Desktop\test\alternativ.exe
C:\Windows\system32\DllHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Hjælp til tilmelding til Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QLButton] C:\Program Files\Quick Launch Button\QLButton.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.new2.foto.com/ImageUploader4.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
cvan (Beginner)
8 January 2008 - 16:11 #17
I found the other log inside the QooBox folder:

ComboFix 08-01-07.5 - Cuong 2008-01-08 15:42:48.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium  6.0.6000.0.1252.1.1030.18.1418 [GMT 1:00]
Running from: C:\Users\Cuong\Desktop\test\CF\ComboFix.exe
Command switches used :: C:\Users\Cuong\Desktop\test\CF\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\ntspool.exe
.

(((((((((((((((((((((((((((((((((((((((  Other Deletions  )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Messenger Plus! Live
C:\Program Files\Messenger Plus! Live\Detoured.dll
C:\Program Files\Messenger Plus! Live\Events Style Sheet.xsl
C:\Program Files\Messenger Plus! Live\lame_enc.dll
C:\Program Files\Messenger Plus! Live\Languages\Lng_Arabic.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_Catalan.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_ChineseSimplified.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_ChineseTraditional.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_Danish.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_Default.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_Dutch.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_Estonian.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_Finnish.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_French.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_German.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_Hebrew.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_Hungarian.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_Italian.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_Japanese.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_Korean.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_Norwegian.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_Portuguese.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_Spanish.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_Swedish.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_Thai.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_Turkish.ini
C:\Program Files\Messenger Plus! Live\libsndfile.dll
C:\Program Files\Messenger Plus! Live\Log Viewer.exe
C:\Program Files\Messenger Plus! Live\MPScripts.dll
C:\Program Files\Messenger Plus! Live\MPSkins.dll
C:\Program Files\Messenger Plus! Live\MPTools.exe
C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
C:\Program Files\Messenger Plus! Live\MsgPlusLiveRes.dll
C:\Program Files\Messenger Plus! Live\MsgPlusLoader.dll
C:\Program Files\Messenger Plus! Live\Uninstall.exe

.
(((((((((((((((((((((((((  Files Created from 2007-12-08 to 2008-01-08  )))))))))))))))))))))))))))))))
.

2008-01-08 12:21 . 2008-01-08 12:21    <DIR>    d--------    C:\Program Files\CCleaner
2008-01-07 17:54 . 2008-01-07 17:54    <DIR>    d--------    C:\Users\Cuong\AppData\Roaming\Canon
2008-01-07 17:53 . 2008-01-07 17:53    <DIR>    d--------    C:\Program Files\Canon
2008-01-07 17:47 . 2008-01-07 17:47    <DIR>    d--------    C:\Temp\CanoScanTB_v4131
2008-01-07 17:47 . 2008-01-07 17:47    <DIR>    d--------    C:\Temp\CanoScan_Toolbox_v4131
2008-01-07 17:47 . 2008-01-07 17:47    <DIR>    d--------    C:\Temp
2008-01-07 17:37 . 2008-01-07 17:38    <DIR>    d--h-----    C:\CanoScan
2008-01-07 17:37 . 2002-04-12 20:17    339,968    --a------    C:\Windows\System32\N067UFW.DLL
2008-01-07 17:37 . 2001-04-11 02:10    327,740    --a------    C:\Windows\System32\UCS32P.DLL
2008-01-07 17:37 . 2002-04-26 18:37    32,768    --a------    C:\Windows\System32\CNQU70.DLL
2008-01-07 16:32 . 2000-08-31 08:00    51,200    --a------    C:\Windows\NirCmd.exe
2008-01-07 15:26 . 2008-01-07 15:26    <DIR>    d--------    C:\Users\Cuong\AppData\Roaming\SUPERAntiSpyware.com
2008-01-07 15:26 . 2008-01-08 12:47    <DIR>    d--------    C:\Program Files\SUPERAntiSpyware
2007-12-26 11:16 . 2007-12-26 11:16    <DIR>    d--------    C:\Users\Cuong\AppData\Roaming\Apple Computer
2007-12-26 11:16 . 2008-01-08 15:46    54,156    --ah-----    C:\Windows\QTFont.qfn
2007-12-26 11:16 . 2007-12-26 11:16    1,409    --a------    C:\Windows\QTFont.for
2007-12-26 11:15 . 2007-12-26 11:15    <DIR>    d--------    C:\Program Files\iTunes
2007-12-26 11:15 . 2007-12-26 11:15    <DIR>    d--------    C:\Program Files\iPod
2007-12-26 11:14 . 2007-12-26 11:15    <DIR>    d--------    C:\Users\All Users\Apple Computer
2007-12-26 11:14 . 2007-12-26 11:15    <DIR>    d--------    C:\ProgramData\Apple Computer
2007-12-26 11:14 . 2007-12-26 11:15    <DIR>    d--------    C:\Program Files\QuickTime
2007-12-26 11:14 . 2007-12-26 11:14    <DIR>    d--------    C:\Program Files\Apple Software Update
2007-12-26 11:13 . 2007-12-26 11:13    <DIR>    d--------    C:\Users\All Users\Apple
2007-12-26 11:13 . 2007-12-26 11:13    <DIR>    d--------    C:\ProgramData\Apple
2007-12-26 11:13 . 2007-12-26 11:13    <DIR>    d--------    C:\Program Files\Common Files\Apple
2007-12-25 21:56 . 2007-12-25 21:56    0    -rah-----    C:\logwmemory.bin
2007-12-25 21:39 . 2007-12-25 21:39    <DIR>    d--------    C:\Users\Cuong\AppData\Roaming\Soldat
2007-12-12 15:18 . 2007-12-12 15:18    1,327,104    --a------    C:\Windows\System32\quartz.dll
2007-12-12 15:18 . 2007-12-12 15:18    223,232    --a------    C:\Windows\System32\WMASF.DLL
2007-12-12 15:18 . 2007-12-12 15:18    9,728    --a------    C:\Windows\System32\LAPRXY.DLL
2007-12-12 15:18 . 2007-12-12 15:18    2,048    --a------    C:\Windows\System32\asferror.dll
2007-12-12 15:12 . 2007-12-12 15:12    130,048    --a------    C:\Windows\System32\drivers\srv2.sys
2007-12-12 15:12 . 2007-12-12 15:12    101,888    --a------    C:\Windows\System32\drivers\mrxsmb.sys
2007-12-12 15:12 . 2007-12-12 15:12    84,992    --a------    C:\Windows\System32\drivers\srvnet.sys
2007-12-12 15:12 . 2007-12-12 15:12    58,368    --a------    C:\Windows\System32\drivers\mrxsmb20.sys
2007-12-12 15:11 . 2007-12-12 15:11    3,504,824    --a------    C:\Windows\System32\ntkrnlpa.exe
2007-12-12 15:11 . 2007-12-12 15:11    3,470,520    --a------    C:\Windows\System32\ntoskrnl.exe
2007-12-12 15:11 . 2007-12-12 15:11    2,048    --a------    C:\Windows\System32\tzres.dll
2007-12-11 17:01 . 2007-12-11 17:10    <DIR>    d--hsc---    C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-11 17:00 . 2007-12-11 17:00    <DIR>    d--------    C:\Users\All Users\WLInstaller
2007-12-11 17:00 . 2007-12-11 17:00    <DIR>    d--------    C:\ProgramData\WLInstaller
2007-12-11 10:57 . 2007-12-11 10:57    65,536    --a------    C:\Windows\System32\QuickTimeVR.qtx
2007-12-11 10:57 . 2007-12-11 10:57    49,152    --a------    C:\Windows\System32\QuickTime.qts

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-08 11:26    47,473    ----a-w    C:\Users\Cuong\AppData\Roaming\nvModes.dat
2008-01-07 17:47    ---------    d-----w    C:\Users\Cuong\AppData\Roaming\uTorrent
2008-01-07 16:53    ---------    d--h--w    C:\Program Files\InstallShield Installation Information
2008-01-07 16:52    ---------    d-----w    C:\Program Files\Common Files\InstallShield
2008-01-07 16:19    ---------    d-----w    C:\Program Files\Common Files\Wise Installation Wizard
2008-01-07 07:38    ---------    d---a-w    C:\ProgramData\TEMP
2007-12-12 14:19    ---------    d-----w    C:\ProgramData\Microsoft Help
2007-12-12 14:17    52,736    ----a-w    C:\Windows\AppPatch\iebrshim.dll
2007-12-11 16:16    ---------    d-----w    C:\Program Files\MSN Messenger
2007-12-11 16:01    ---------    d-----w    C:\Program Files\Windows Live
2007-11-30 19:23    ---------    d-----w    C:\Program Files\StuffPlug3
2007-11-27 17:40    ---------    d-----w    C:\Users\Cuong\AppData\Roaming\Decisioneering
2007-11-27 17:40    ---------    d-----w    C:\ProgramData\InstallShield
2007-11-27 17:40    ---------    d-----w    C:\ProgramData\Decisioneering
2007-11-18 20:36    ---------    d-----w    C:\Users\Cuong\AppData\Roaming\.purple
2007-11-18 20:36    ---------    d-----w    C:\Program Files\Pidgin
2007-11-18 19:51    ---------    d-----w    C:\Program Files\Common Files\GTK
2007-11-16 06:32    ---------    d-----w    C:\Users\Cuong\AppData\Roaming\TEXTware
2007-11-16 06:32    ---------    d-----w    C:\Users\Cuong\AppData\Roaming\Gyldendal
2007-11-16 06:31    ---------    d-----w    C:\Program Files\TEXTware
2007-11-16 06:31    ---------    d-----w    C:\Program Files\Gyldendal
2007-11-14 13:13    ---------    d-----w    C:\Program Files\utorrent
2007-11-14 10:28    ---------    d-----w    C:\Program Files\Windows Mail
2007-11-14 10:15    28,344    ----a-w    C:\Windows\system32\drivers\battc.sys
2007-11-14 10:15    258,232    ----a-w    C:\Windows\system32\drivers\acpi.sys
2007-11-14 10:15    20,920    ----a-w    C:\Windows\system32\drivers\compbatt.sys
2007-11-14 10:15    2,923,520    ----a-w    C:\Windows\explorer.exe
2007-11-14 10:15    14,208    ----a-w    C:\Windows\system32\drivers\CmBatt.sys
2007-11-13 10:13    ---------    d-----w    C:\Program Files\SPSS
2007-11-12 09:22    ---------    d-----w    C:\Program Files\AGEIA Technologies
2007-11-12 09:20    ---------    d-----w    C:\Program Files\Ave3dUserPic
2007-11-12 08:49    ---------    d-----w    C:\Program Files\CodeGazer
2007-11-08 12:22    271,360    ----a-w    C:\Windows\system32\drivers\atksgt.sys
2007-11-08 12:22    18,048    ----a-w    C:\Windows\system32\drivers\lirsgt.sys
2007-10-15 12:46    319,456    ----a-w    C:\Windows\DIFxAPI.dll
2007-10-15 12:45    315,392    ----a-w    C:\Windows\HideWin.exe
2007-10-15 12:25    174    --sha-w    C:\Program Files\desktop.ini
2007-10-15 12:11    537,600    ----a-w    C:\Windows\AppPatch\AcLayers.dll
2007-10-15 12:11    449,536    ----a-w    C:\Windows\AppPatch\AcSpecfc.dll
2007-10-15 12:11    2,144,256    ----a-w    C:\Windows\AppPatch\AcGenral.dll
2007-10-15 12:11    173,056    ----a-w    C:\Windows\AppPatch\AcXtrnal.dll
.

(((((((((((((((((((((((((((((  snapshot_2008-01-08_12.45.54.28  )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-08 11:43:56    67,584    --s-a-w    C:\Windows\bootstat.dat
+ 2008-01-08 14:46:16    67,584    --s-a-w    C:\Windows\bootstat.dat
- 2008-01-08 11:26:55    262,144    ----a-w    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-01-08 14:35:58    262,144    ----a-w    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-01-08 11:44:10    1,310,720    --sha-w    C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-01-08 14:46:32    1,310,720    --sha-w    C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-01-08 11:35:34    262,144    ----a-w    C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-01-08 14:38:29    262,144    ----a-w    C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-01-08 11:44:10    1,310,720    --sha-w    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-01-08 14:46:32    1,310,720    --sha-w    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-01-08 11:31:25    81,296    ----a-w    C:\Windows\System32\perfc006.dat
+ 2008-01-08 14:40:43    81,296    ----a-w    C:\Windows\System32\perfc006.dat
- 2008-01-08 11:31:25    104,768    ----a-w    C:\Windows\System32\perfc009.dat
+ 2008-01-08 14:40:43    104,768    ----a-w    C:\Windows\System32\perfc009.dat
- 2008-01-08 11:31:25    488,634    ----a-w    C:\Windows\System32\perfh006.dat
+ 2008-01-08 14:40:43    488,634    ----a-w    C:\Windows\System32\perfh006.dat
- 2008-01-08 11:31:25    613,046    ----a-w    C:\Windows\System32\perfh009.dat
+ 2008-01-08 14:40:43    613,046    ----a-w    C:\Windows\System32\perfh009.dat
- 2008-01-08 11:28:02    6,758    ----a-w    C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3150878735-702015577-2062200739-1000_UserData.bin
+ 2008-01-08 14:37:09    6,758    ----a-w    C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3150878735-702015577-2062200739-1000_UserData.bin
- 2008-01-08 11:28:02    68,078    ----a-w    C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-01-08 14:37:09    68,228    ----a-w    C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-01-08 11:37:33    30,390    ----a-w    C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-01-08 14:37:08    30,406    ----a-w    C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2006-11-02 13:35 1196032]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-12-11 21:28 5724184]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:35 125440]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-04-23 15:46 1318128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-10-15 13:16 1006264]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-23 12:04 4423680 C:\Windows\RtHDVCpl.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-04-04 18:41 86016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-04-04 18:41 81920]
"QLButton"="C:\Program Files\Quick Launch Button\QLButton.exe" [2005-01-06 12:53 106496]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-15 07:03 1021224]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-10-15 14:36 949376]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 05:31 102400]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"NTSpool"= NTSpool.exe

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 18:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-09-20 15:35 202024 C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BisonMnt]
--a------ 2005-04-13 11:25 176128 C:\Windows\BisonCam\BisonMnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-09-18 15:16 171464 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-08-09 06:03 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-08-09 06:03 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-04-04 18:41 8429568 C:\Windows\system32\NvCpl.dll

R3 athr;Atheros Extensible Wireless LAN device driver;C:\Windows\system32\DRIVERS\athr.sys [2007-05-11 16:40]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 08:30]
R3 TPM;TPM;C:\Windows\system32\drivers\tpm.sys [2006-11-02 10:50]
R3 winbondcir;Winbond IR Transceiver;C:\Windows\system32\DRIVERS\winbondcir.sys [2007-03-15 09:25]
S3 viaagp;VIA AGP Bus Filter;C:\Windows\system32\drivers\viaagp.sys [2006-11-02 10:49]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted    REG_MULTI_SZ      hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b4653ddb-7cd9-11dc-8a30-00030d000001}]
\shell\AutoRun\command - F:\wd_windows_tools\setup.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-08 15:46:39
Windows 6.0.6000  NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-08 15:48:11 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-08 14:48:05
ComboFix2.txt  2008-01-08 11:46:09
ComboFix3.txt  2008-01-08 09:06:18
.
2007-12-12 14:19:28    --- E O F ---
fromsej (Trainee)
8 January 2008 - 17:24 #18
Create and run this CFScript:
~~~~~~~~~~~~~~~~

Killall::

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"NTSpool"=-

~~~~~~~~~~~~~~~~
Then there is nothing more to deal with.
As for Anime, I don't know, but if it is copyright-protected, then it is not legal to download it without paying for it.
cvan (Beginner)
8 January 2008 - 17:56 #19
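Added example, not part of the thread and not ComboFix's own code: a small Python triage of the "Reg Loading Points" section in the format posted in #17, showing why the `NTSpool` value under `policies\explorer\run` stands out from the other autostart entries. The function names and the three heuristics are assumptions made for this illustration; in particular, a missing `[date time size]` suffix is read as "the tool found no file to describe", which is how the entries in this log behave.

```python
import re

# Excerpt copied from the ComboFix log posted in this thread (not constructed).
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2006-11-02 13:35 1196032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-23 12:04 4423680 C:\Windows\RtHDVCpl.exe]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-10-15 14:36 949376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"NTSpool"= NTSpool.exe
'''

# Registry keys whose values are launched at logon (compared case-insensitively).
AUTORUN_SUFFIXES = (
    r"\currentversion\run",
    r"\currentversion\runonce",
    r"\currentversion\policies\explorer\run",
)

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# "name"=data, optionally followed by the [date time size ...] file details.
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*(?P<data>.*?)\s*(?:\[(?P<meta>[^\]]*)\])?\s*$'
)


def parse_loading_points(text):
    """Yield (key, name, data, meta) for every value line under a [key] header."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group("name"), m.group("data").strip('"'), m.group("meta")


def triage(text):
    """Return autostart entries that deserve a second look, most reasons first."""
    findings = []
    for key, name, data, meta in parse_loading_points(text):
        k = key.lower()
        if not k.endswith(AUTORUN_SUFFIXES):
            continue  # e.g. policies\system holds settings, not programs
        reasons = []
        if k.endswith(r"\policies\explorer\run"):
            reasons.append("policy-run-key")      # Group Policy-backed Run key
        if meta is None:
            reasons.append("no-file-metadata")    # no [date time size] suffix
        if "\\" not in data and "/" not in data:
            reasons.append("bare-filename")       # resolved via the search path
        if reasons:
            findings.append(
                {"key": key, "name": name, "data": data, "reasons": reasons}
            )
    findings.sort(key=lambda f: len(f["reasons"]), reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f'{f["name"]:10} {", ".join(f["reasons"]):45} {f["key"]}')
```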
ComboFix 08-01-07.5 - Cuong 2008-01-08 17:49:35.5 - NTFSx86
Microsoft® Windows Vista™ Home Premium  6.0.6000.0.1252.1.1030.18.1410 [GMT 1:00]
Running from: C:\Users\Cuong\Desktop\test\CF\ComboFix.exe
Command switches used :: C:\Users\Cuong\Desktop\test\CF\CFScript.txt
* Created a new restore point
.

(((((((((((((((((((((((((  Files Created from 2007-12-08 to 2008-01-08  )))))))))))))))))))))))))))))))
.

2008-01-08 12:21 . 2008-01-08 12:21    <DIR>    d--------    C:\Program Files\CCleaner
2008-01-07 17:54 . 2008-01-07 17:54    <DIR>    d--------    C:\Users\Cuong\AppData\Roaming\Canon
2008-01-07 17:53 . 2008-01-07 17:53    <DIR>    d--------    C:\Program Files\Canon
2008-01-07 17:37 . 2008-01-07 17:38    <DIR>    d--h-----    C:\CanoScan
2008-01-07 17:37 . 2002-04-12 20:17    339,968    --a------    C:\Windows\System32\N067UFW.DLL
2008-01-07 17:37 . 2001-04-11 02:10    327,740    --a------    C:\Windows\System32\UCS32P.DLL
2008-01-07 17:37 . 2002-04-26 18:37    32,768    --a------    C:\Windows\System32\CNQU70.DLL
2008-01-07 16:32 . 2000-08-31 08:00    51,200    --a------    C:\Windows\NirCmd.exe
2008-01-07 15:26 . 2008-01-07 15:26    <DIR>    d--------    C:\Users\Cuong\AppData\Roaming\SUPERAntiSpyware.com
2008-01-07 15:26 . 2008-01-08 12:47    <DIR>    d--------    C:\Program Files\SUPERAntiSpyware
2007-12-26 11:16 . 2007-12-26 11:16    <DIR>    d--------    C:\Users\Cuong\AppData\Roaming\Apple Computer
2007-12-26 11:16 . 2008-01-08 17:52    54,156    --ah-----    C:\Windows\QTFont.qfn
2007-12-26 11:16 . 2007-12-26 11:16    1,409    --a------    C:\Windows\QTFont.for
2007-12-26 11:15 . 2007-12-26 11:15    <DIR>    d--------    C:\Program Files\iTunes
2007-12-26 11:15 . 2007-12-26 11:15    <DIR>    d--------    C:\Program Files\iPod
2007-12-26 11:14 . 2007-12-26 11:15    <DIR>    d--------    C:\Users\All Users\Apple Computer
2007-12-26 11:14 . 2007-12-26 11:15    <DIR>    d--------    C:\ProgramData\Apple Computer
2007-12-26 11:14 . 2007-12-26 11:15    <DIR>    d--------    C:\Program Files\QuickTime
2007-12-26 11:14 . 2007-12-26 11:14    <DIR>    d--------    C:\Program Files\Apple Software Update
2007-12-26 11:13 . 2007-12-26 11:13    <DIR>    d--------    C:\Users\All Users\Apple
2007-12-26 11:13 . 2007-12-26 11:13    <DIR>    d--------    C:\ProgramData\Apple
2007-12-26 11:13 . 2007-12-26 11:13    <DIR>    d--------    C:\Program Files\Common Files\Apple
2007-12-25 21:56 . 2007-12-25 21:56    0    -rah-----    C:\logwmemory.bin
2007-12-25 21:39 . 2007-12-25 21:39    <DIR>    d--------    C:\Users\Cuong\AppData\Roaming\Soldat
2007-12-12 15:18 . 2007-12-12 15:18    1,327,104    --a------    C:\Windows\System32\quartz.dll
2007-12-12 15:18 . 2007-12-12 15:18    223,232    --a------    C:\Windows\System32\WMASF.DLL
2007-12-12 15:18 . 2007-12-12 15:18    9,728    --a------    C:\Windows\System32\LAPRXY.DLL
2007-12-12 15:18 . 2007-12-12 15:18    2,048    --a------    C:\Windows\System32\asferror.dll
2007-12-12 15:12 . 2007-12-12 15:12    130,048    --a------    C:\Windows\System32\drivers\srv2.sys
2007-12-12 15:12 . 2007-12-12 15:12    101,888    --a------    C:\Windows\System32\drivers\mrxsmb.sys
2007-12-12 15:12 . 2007-12-12 15:12    84,992    --a------    C:\Windows\System32\drivers\srvnet.sys
2007-12-12 15:12 . 2007-12-12 15:12    58,368    --a------    C:\Windows\System32\drivers\mrxsmb20.sys
2007-12-12 15:11 . 2007-12-12 15:11    3,504,824    --a------    C:\Windows\System32\ntkrnlpa.exe
2007-12-12 15:11 . 2007-12-12 15:11    3,470,520    --a------    C:\Windows\System32\ntoskrnl.exe
2007-12-12 15:11 . 2007-12-12 15:11    2,048    --a------    C:\Windows\System32\tzres.dll
2007-12-11 17:01 . 2007-12-11 17:10    <DIR>    d--hsc---    C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-11 17:00 . 2007-12-11 17:00    <DIR>    d--------    C:\Users\All Users\WLInstaller
2007-12-11 17:00 . 2007-12-11 17:00    <DIR>    d--------    C:\ProgramData\WLInstaller
2007-12-11 10:57 . 2007-12-11 10:57    65,536    --a------    C:\Windows\System32\QuickTimeVR.qtx
2007-12-11 10:57 . 2007-12-11 10:57    49,152    --a------    C:\Windows\System32\QuickTime.qts

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-08 14:58    47,473    ----a-w    C:\Users\Cuong\AppData\Roaming\nvModes.dat
2008-01-07 16:53    ---------    d--h--w    C:\Program Files\InstallShield Installation Information
2008-01-07 16:52    ---------    d-----w    C:\Program Files\Common Files\InstallShield
2008-01-07 16:19    ---------    d-----w    C:\Program Files\Common Files\Wise Installation Wizard
2008-01-07 07:38    ---------    d---a-w    C:\ProgramData\TEMP
2007-12-12 14:19    ---------    d-----w    C:\ProgramData\Microsoft Help
2007-12-12 14:17    52,736    ----a-w    C:\Windows\AppPatch\iebrshim.dll
2007-12-11 16:16    ---------    d-----w    C:\Program Files\MSN Messenger
2007-12-11 16:01    ---------    d-----w    C:\Program Files\Windows Live
2007-11-30 19:23    ---------    d-----w    C:\Program Files\StuffPlug3
2007-11-27 17:40    ---------    d-----w    C:\Users\Cuong\AppData\Roaming\Decisioneering
2007-11-27 17:40    ---------    d-----w    C:\ProgramData\InstallShield
2007-11-27 17:40    ---------    d-----w    C:\ProgramData\Decisioneering
2007-11-18 20:36    ---------    d-----w    C:\Users\Cuong\AppData\Roaming\.purple
2007-11-18 20:36    ---------    d-----w    C:\Program Files\Pidgin
2007-11-18 19:51    ---------    d-----w    C:\Program Files\Common Files\GTK
2007-11-16 06:32    ---------    d-----w    C:\Users\Cuong\AppData\Roaming\TEXTware
2007-11-16 06:32    ---------    d-----w    C:\Users\Cuong\AppData\Roaming\Gyldendal
2007-11-16 06:31    ---------    d-----w    C:\Program Files\TEXTware
2007-11-16 06:31    ---------    d-----w    C:\Program Files\Gyldendal
2007-11-14 10:28    ---------    d-----w    C:\Program Files\Windows Mail
2007-11-14 10:15    28,344    ----a-w    C:\Windows\system32\drivers\battc.sys
2007-11-14 10:15    258,232    ----a-w    C:\Windows\system32\drivers\acpi.sys
2007-11-14 10:15    20,920    ----a-w    C:\Windows\system32\drivers\compbatt.sys
2007-11-14 10:15    2,923,520    ----a-w    C:\Windows\explorer.exe
2007-11-14 10:15    14,208    ----a-w    C:\Windows\system32\drivers\CmBatt.sys
2007-11-13 10:13    ---------    d-----w    C:\Program Files\SPSS
2007-11-12 09:22    ---------    d-----w    C:\Program Files\AGEIA Technologies
2007-11-12 09:20    ---------    d-----w    C:\Program Files\Ave3dUserPic
2007-11-12 08:49    ---------    d-----w    C:\Program Files\CodeGazer
2007-11-08 12:22    271,360    ----a-w    C:\Windows\system32\drivers\atksgt.sys
2007-11-08 12:22    18,048    ----a-w    C:\Windows\system32\drivers\lirsgt.sys
2007-10-15 12:46    319,456    ----a-w    C:\Windows\DIFxAPI.dll
2007-10-15 12:45    315,392    ----a-w    C:\Windows\HideWin.exe
2007-10-15 12:25    174    --sha-w    C:\Program Files\desktop.ini
2007-10-15 12:11    537,600    ----a-w    C:\Windows\AppPatch\AcLayers.dll
2007-10-15 12:11    449,536    ----a-w    C:\Windows\AppPatch\AcSpecfc.dll
2007-10-15 12:11    2,144,256    ----a-w    C:\Windows\AppPatch\AcGenral.dll
2007-10-15 12:11    173,056    ----a-w    C:\Windows\AppPatch\AcXtrnal.dll
.

(((((((((((((((((((((((((((((  snapshot_2008-01-08_12.45.54.28  )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-08 11:43:56    67,584    --s-a-w    C:\Windows\bootstat.dat
+ 2008-01-08 16:51:58    67,584    --s-a-w    C:\Windows\bootstat.dat
- 2008-01-08 11:26:55    262,144    ----a-w    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-01-08 16:12:23    262,144    ----a-w    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-01-08 11:44:10    1,310,720    --sha-w    C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-01-08 16:52:14    1,310,720    --sha-w    C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-01-08 11:35:34    262,144    ----a-w    C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-01-08 15:01:11    262,144    ----a-w    C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-01-08 11:44:10    1,310,720    --sha-w    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-01-08 16:52:13    1,310,720    --sha-w    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-01-08 11:21:20    16,384    --sha-w    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-08 16:37:43    16,384    --sha-w    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-01-08 11:21:20    32,768    --sha-w    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-08 16:37:43    32,768    --sha-w    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-08 11:21:20    16,384    --sha-w    C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-08 16:37:43    16,384    --sha-w    C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-01-08 11:31:25    81,296    ----a-w    C:\Windows\System32\perfc006.dat
+ 2008-01-08 15:02:46    81,296    ----a-w    C:\Windows\System32\perfc006.dat
- 2008-01-08 11:31:25    104,768    ----a-w    C:\Windows\System32\perfc009.dat
+ 2008-01-08 15:02:46    104,768    ----a-w    C:\Windows\System32\perfc009.dat
- 2008-01-08 11:31:25    488,634    ----a-w    C:\Windows\System32\perfh006.dat
+ 2008-01-08 15:02:46    488,634    ----a-w    C:\Windows\System32\perfh006.dat
- 2008-01-08 11:31:25    613,046    ----a-w    C:\Windows\System32\perfh009.dat
+ 2008-01-08 15:02:46    613,046    ----a-w    C:\Windows\System32\perfh009.dat
- 2008-01-08 11:28:02    6,758    ----a-w    C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3150878735-702015577-2062200739-1000_UserData.bin
+ 2008-01-08 14:59:57    7,220    ----a-w    C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3150878735-702015577-2062200739-1000_UserData.bin
- 2008-01-08 11:28:02    68,078    ----a-w    C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-01-08 14:59:57    68,456    ----a-w    C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-01-08 11:37:33    30,390    ----a-w    C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-01-08 14:59:54    30,732    ----a-w    C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
-- Snapshot reset to current date --
.
(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2006-11-02 13:35 1196032]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-12-11 21:28 5724184]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:35 125440]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-04-23 15:46 1318128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-10-15 13:16 1006264]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-23 12:04 4423680 C:\Windows\RtHDVCpl.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-04-04 18:41 86016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-04-04 18:41 81920]
"QLButton"="C:\Program Files\Quick Launch Button\QLButton.exe" [2005-01-06 12:53 106496]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-15 07:03 1021224]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-10-15 14:36 949376]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 05:31 102400]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 18:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-09-20 15:35 202024 C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BisonMnt]
--a------ 2005-04-13 11:25 176128 C:\Windows\BisonCam\BisonMnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-09-18 15:16 171464 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-08-09 06:03 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-08-09 06:03 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-04-04 18:41 8429568 C:\Windows\system32\NvCpl.dll

R3 athr;Atheros Extensible Wireless LAN device driver;C:\Windows\system32\DRIVERS\athr.sys [2007-05-11 16:40]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 08:30]
R3 TPM;TPM;C:\Windows\system32\drivers\tpm.sys [2006-11-02 10:50]
R3 winbondcir;Winbond IR Transceiver;C:\Windows\system32\DRIVERS\winbondcir.sys [2007-03-15 09:25]
S3 viaagp;VIA AGP Bus Filter;C:\Windows\system32\drivers\viaagp.sys [2006-11-02 10:49]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted    REG_MULTI_SZ      hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b4653ddb-7cd9-11dc-8a30-00030d000001}]
\shell\AutoRun\command - F:\wd_windows_tools\setup.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-08 17:52:20
Windows 6.0.6000  NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-08 17:53:46 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-08 16:53:42
ComboFix2.txt  2008-01-08 15:14:07
ComboFix3.txt  2008-01-08 14:48:11
ComboFix4.txt  2008-01-08 11:46:09
ComboFix5.txt  2008-01-08 09:06:18
.
2007-12-12 14:19:28    --- E O F --- 

Can I just delete SUPERAntiSpyware and the QooBox folder?
fromsej (Intern)
08 January 2008 - 18:13 #20
We have done a little "magic" and made a program that cleans up after us.
(It is FBJ TeamSpywarefri who made the program)

Your log is clean. If your problems are gone, it is time for a little cleanup. Download this small file and save it in the root of your C drive (C:\SWF_oprydning.exe):

http://www.ctrlaltdel.dk/SWF_oprydning.exe

Double-click SWF_oprydning.exe and follow the instructions the program gives. When the program has finished cleaning up, Notepad will open a log - copy the contents of the log into this thread and then close Notepad.

Restart your computer to finish the cleanup....

Once that is done, you need to clean up the System Restore files. Disable System Restore (http://www.ctrlaltdel.dk/forum/forum_posts.asp?TID=4&PN=1) - wait a couple of minutes - enable System Restore. Then go to Start -> Programs -> Accessories -> System Tools -> System Restore and create a restore point, so you have one to return to if something goes wrong.

Here are a few good tips on safe surfing to take with you:

http://www.spywarefri.dk/manualer/sikkerhedspakke.htm

Enjoy
cvan (Beginner)
08 January 2008 - 18:53 #21
Version 0.5.1 - 7. januar 2008, 22:35

HaxFix blev ikke fundet
C:\ComboFix*.txt slettet
Avenger.* ikke fundet
Avenger ikke fundet
Bfu.* ikke fundet
BFU ikke fundet
Dss.exe ikke fundet
FindAWF.* ikke fundet
AWF.txt ikke fundet
VundoFix.* ikke fundet
VundoFix ikke fundet
Gmer.* ikke fundet
NoLop.* ikke fundet
NoLopBackup ikke fundet
Winpfind.* ikke fundet
Killbox.* ikke fundet
!Killbox ikke fundet
SmitfraudFix*.* ikke fundet
SmitfraudFix ikke fundet
Fixwareout*.* ikke fundet
Fixwareout ikke fundet
SDFix*.* ikke fundet
SDFix ikke fundet
Rootchk*.* ikke fundet
Rootlog.* ikke fundet
Sysinsite ikke fundet
Spywarefri mappe ikke fundet
C:\Spywarefri mappe ikke fundet
Drweb-cureit.exe
DoctorWeb\Quarantine

Thanks for everything, fromsej!! =)
fromsej (Intern)
08 January 2008 - 19:14 #22
You're welcome, and thanks for the points. :-)