eaa (Beginner)
20 May 2009 - 20:10 There are 5 comments

Trojan Rootkit Agent.DI in ndis.sys

I also have problems with Trojan Rootkit Agent.DI, which has infected ndis.sys and restore.sys.

I have been following this question
http://www.eksperten.dk/spm/871835
and have tried to make the files described in that thread.

Malwarebytes' Anti-Malware 1.36
Database version: 2156
Windows 5.1.2600 Service Pack 3

2009-05-20 15:38:36
mbam-log-2009-05-20 (15-38-36).txt

Skan type: Fuldstændig skanning (C:\|)
Objekter skannet: 162929
Tid tilbagelagt: 1 hour(s), 12 minute(s), 36 second(s)

Inficerede Hukommelses Processer: 1
Inficerede Hukommelses Moduler: 0
Inficerede Registeringsdatabase Nøgler: 8
Inficerede Registeringsdatabase Værdier: 0
Inficerede Registeringsdatabase Filer: 0
Inficerede Mapper: 0
Inficerede Filer: 22

Inficerede Hukommelses Processer:
C:\WINDOWS\system32\sopidkc.exe (Backdoor.Bot) -> Unloaded process successfully.

Inficerede Hukommelses Moduler:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Nøgler:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msncache (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msncache (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msncache (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sopidkc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sopidkc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sopidkc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Inficerede Registeringsdatabase Værdier:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Filer:
(Ingen mistænkelige filer fundet)

Inficerede Mapper:
(Ingen mistænkelige filer fundet)

Inficerede Filer:
C:\Programmer\MSN\MSNCoreFiles\copymar.exe (Worm.Luder) -> Quarantined and deleted successfully.
C:\Programmer\MSN\MSNCoreFiles\dw.exe (Worm.Luder) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEE147BC-7438-415B-8E8B-449F3EC89369}\RP257\A0048158.exe (Worm.Luder) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEE147BC-7438-415B-8E8B-449F3EC89369}\RP261\A0054275.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEE147BC-7438-415B-8E8B-449F3EC89369}\RP261\A0054276.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DEE147BC-7438-415B-8E8B-449F3EC89369}\RP261\A0054326.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\173.tmp (Trojan.Spamtool) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6D.tmp (Trojan.SpamTool) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msncache.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dncyool64.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\F.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sopidkc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tpszxyd.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wtukd32.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\services.ex_ (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

ComboFix 09-05-19.08 - Ann 2009-05-20 15:54.4 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1030.18.2047.1367 [GMT 2:00]
Kører fra: c:\documents and settings\Ann\Skrivebord\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

advarsel -DENNE MASKINE HAR IKKE GENOPRETTELSESKONSOL INSTALLERET !!
.

(((((((((((((((((((((((((((((((((((((((  Andet, der er slettet  )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Install.txt
c:\windows\system32\Install.txt

.
(((((((((((((((((((((((((((((((((((((((  Drivers/Tjenester  )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SOPIDKC
-------\Service_restore


(((((((((((((((((((((((((((((  Filer skabt fra 2009-04-20 til 2009-05-20  )))))))))))))))))))))))))))))))))))
.

2009-05-20 12:04 . 2009-05-20 12:04    --------    d-----w    c:\programmer\Trend Micro
2009-05-20 11:59 . 2009-05-20 11:59    --------    d-----w    c:\documents and settings\Ann\Application Data\Malwarebytes
2009-05-20 11:59 . 2009-04-06 13:32    15504    ----a-w    c:\windows\system32\drivers\mbam.sys
2009-05-20 11:59 . 2009-04-06 13:32    38496    ----a-w    c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-20 11:59 . 2009-05-20 11:59    --------    d-----w    c:\programmer\Malwarebytes' Anti-Malware
2009-05-19 21:46 . 2009-05-19 13:35    15688    ----a-w    c:\windows\system32\lsdelete.exe
2009-05-19 16:02 . 2009-05-19 16:02    --------    d-----w    c:\documents and settings\LocalService\Skrivebord
2009-05-19 13:35 . 2009-05-19 13:35    64160    ----a-w    c:\windows\system32\drivers\Lbd.sys
2009-05-19 13:35 . 2009-05-19 13:35    --------    dc----w    c:\windows\system32\DRVSTORE
2009-05-19 13:34 . 2009-05-19 13:34    --------    dc-h--w    c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-19 13:34 . 2009-05-19 13:34    --------    d-----w    c:\programmer\Lavasoft
2009-05-19 13:34 . 2009-05-19 13:34    --------    d-----w    c:\documents and settings\All Users\Application Data\Lavasoft
2009-05-19 13:31 . 2008-06-14 17:35    272256    ------w    c:\windows\system32\drivers\bthport.sys
2009-05-19 10:17 . 2009-05-19 10:17    --------    d-sh--w    c:\documents and settings\NetworkService\IETldCache
2009-05-19 09:54 . 2009-05-19 09:54    --------    d-----w    c:\programmer\Windows Defender
2009-05-19 09:27 . 2009-05-19 09:27    --------    d-----w    c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-18 22:16 . 2009-05-19 13:43    --------    d-----w    c:\windows\dhcp
2009-05-17 21:37 . 2009-05-17 21:39    --------    d-----w    c:\programmer\Spybot - Search & Destroy
2009-05-17 21:37 . 2009-05-17 21:40    --------    d-----w    c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-17 21:26 . 2009-05-17 21:26    --------    d-sh--w    c:\documents and settings\Administrator\PrivacIE
2009-05-17 21:23 . 2009-05-17 21:23    --------    d-sh--w    c:\documents and settings\Administrator\IETldCache
2009-05-17 17:21 . 2009-05-17 17:21    --------    d-sh--w    c:\windows\system32\config\systemprofile\PrivacIE
2009-05-17 17:21 . 2009-05-17 17:21    --------    d-sh--w    c:\windows\system32\config\systemprofile\IETldCache
2009-05-17 17:18 . 2008-04-13 16:39    142592    -c--a-w    c:\windows\system32\dllcache\aec.sys
2009-05-17 17:18 . 2008-04-13 16:39    142592    ----a-w    c:\windows\system32\drivers\aec.sys
2009-05-17 15:29 . 2009-05-17 15:29    212224    -c--a-w    c:\windows\system32\dllcache\ndis.sys
2009-05-17 08:48 . 2009-05-17 08:48    --------    d-----w    c:\programmer\Fælles filer\Application
2009-05-17 08:48 . 2009-05-20 13:59    --------    d-----w    c:\programmer\SPAMfighter
2009-05-16 09:16 . 2009-05-16 09:20    --------    d-----w    c:\programmer\Wise Registry Cleaner
2009-05-16 08:56 . 2009-05-16 08:56    --------    d-----w    c:\documents and settings\Ann\Application Data\Uniblue
2009-05-15 21:33 . 2009-05-16 09:01    --------    d-----w    c:\documents and settings\Ann\Lokale indstillinger\Application Data\Google
2009-05-12 20:04 . 2009-05-17 15:23    --------    d-----w    c:\programmer\Zeallsoft
2009-05-12 18:26 . 2009-05-12 18:26    --------    d-----w    c:\windows\system32\Adobe
2009-04-29 10:54 . 2009-04-29 10:54    --------    d-sh--w    c:\documents and settings\Ann\IECompatCache
2009-04-29 10:53 . 2009-04-29 10:53    --------    d-sh--w    c:\documents and settings\Ann\PrivacIE
2009-04-29 10:52 . 2009-04-29 10:52    --------    d-sh--w    c:\documents and settings\LocalService\IETldCache
2009-04-29 10:51 . 2009-04-29 10:51    --------    d-sh--w    c:\documents and settings\Ann\IETldCache
2009-04-29 10:44 . 2009-05-20 11:38    --------    d-----w    c:\windows\ie8updates
2009-04-29 10:43 . 2009-04-25 05:30    102400    -c----w    c:\windows\system32\dllcache\iecompat.dll
2009-04-29 10:38 . 2009-04-29 10:41    --------    dc-h--w    c:\windows\ie8
2009-04-28 19:28 . 2009-04-28 19:28    --------    d-----w    c:\programmer\Microsoft CAPICOM 2.1.0.2
2009-04-28 04:25 . 2009-04-28 04:25    --------    d-----w    c:\documents and settings\Ann\cbt
2009-04-21 19:04 . 2009-04-21 19:04    --------    d-----w    c:\documents and settings\Ann\Application Data\EDrawings
2009-04-21 19:03 . 2009-04-21 19:03    --------    d-----w    c:\programmer\Fælles filer\SolidWorks Shared
2009-04-21 19:03 . 2009-04-21 19:03    --------    d-----w    c:\programmer\Fælles filer\eDrawings2009

.
((((((((((((((((((((((((((((((((((((((((  Find3M Rapport  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-18 10:45 . 2009-05-18 10:45    70144    ----a-w    c:\windows\system32\13.tmp
2009-05-18 06:44 . 2009-05-18 06:44    70144    ----a-w    c:\windows\system32\6F.tmp
2009-05-18 06:44 . 2009-05-18 06:44    124    ----a-w    c:\windows\system32\6A.tmp
2009-05-18 06:40 . 2009-05-18 06:40    70144    ----a-w    c:\windows\system32\67.tmp
2009-05-18 06:40 . 2009-05-18 06:40    124    ----a-w    c:\windows\system32\64.tmp
2009-05-18 02:43 . 2009-05-18 02:43    70144    ----a-w    c:\windows\system32\71.tmp
2009-05-18 02:43 . 2009-05-18 02:43    124    ----a-w    c:\windows\system32\6E.tmp
2009-05-18 02:05 . 2008-11-04 23:21    --------    d-----w    c:\programmer\PCDR5
2009-05-17 21:23 . 2009-05-17 21:23    70144    ----a-w    c:\windows\system32\38.tmp
2009-05-17 21:23 . 2009-05-17 21:23    153088    ----a-w    c:\windows\system32\37.tmp
2009-05-17 21:23 . 2009-05-17 21:23    124    ----a-w    c:\windows\system32\35.tmp
2009-05-17 17:18 . 2009-05-17 17:18    70144    ----a-w    c:\windows\system32\17B.tmp
2009-05-17 17:17 . 2009-05-17 17:17    124    ----a-w    c:\windows\system32\178.tmp
2009-05-17 15:29 . 2003-04-25 12:00    212224    ----a-w    c:\windows\system32\drivers\ndis.sys
2009-05-17 15:25 . 2009-05-17 15:25    0    ----a-w    c:\windows\system32\176.tmp
2009-05-17 15:25 . 2009-05-17 15:24    70144    ----a-w    c:\windows\system32\175.tmp
2009-05-17 15:24 . 2009-05-17 15:24    124    ----a-w    c:\windows\system32\171.tmp
2009-05-15 21:44 . 2008-11-10 17:35    --------    d-----w    c:\programmer\Java
2009-05-01 16:28 . 2008-11-04 14:22    11952    ----a-w    c:\windows\system32\avgrsstx.dll
2009-05-01 16:28 . 2008-11-04 14:22    325896    ----a-w    c:\windows\system32\drivers\avgldx86.sys
2009-05-01 16:28 . 2008-11-04 14:22    108552    ----a-w    c:\windows\system32\drivers\avgtdix.sys
2009-04-29 13:35 . 2008-11-04 14:18    69232    ----a-w    c:\documents and settings\Ann\Lokale indstillinger\Application Data\GDIPFONTCACHEV1.DAT
2009-04-29 10:04 . 2009-04-14 08:42    --------    d-----w    c:\programmer\Microsoft Works
2009-04-29 09:22 . 2008-11-04 22:24    --------    d-----w    c:\programmer\Fælles filer\Adobe
2009-04-17 19:59 . 2009-03-15 18:44    --------    d-----w    c:\programmer\MSBuild
2009-04-17 19:57 . 2009-04-17 19:57    --------    d-----w    c:\programmer\Microsoft.NET
2009-04-17 19:54 . 2009-04-14 08:29    --------    d-----w    c:\programmer\Microsoft Visual Studio 8
2009-04-16 11:00 . 2003-04-25 12:00    92152    ----a-w    c:\windows\system32\perfc006.dat
2009-04-16 11:00 . 2003-04-25 12:00    481926    ----a-w    c:\windows\system32\perfh006.dat
2009-04-16 09:02 . 2009-04-16 09:00    --------    d-----w    c:\programmer\Mail PassView
2009-04-14 07:38 . 2008-11-15 19:41    --------    d-----w    c:\programmer\BUFFALO
2009-04-14 07:35 . 2009-04-14 07:35    --------    d-----w    c:\programmer\Elaborate Bytes
2009-04-06 23:00 . 2009-04-16 15:40    38912    ----a-w    c:\windows\system32\MGASetup.exe
2009-04-06 22:01 . 2008-11-29 12:00    664    ----a-w    c:\windows\system32\d3d9caps.dat
2009-03-28 23:00 . 2008-12-31 16:04    667136    ----a-w    c:\windows\system32\OGACheckControl.dll
2009-03-24 00:12 . 2009-03-24 00:12    --------    d-----w    c:\programmer\MSXML 4.0
2009-03-23 23:49 . 2009-03-23 23:49    --------    d-----w    c:\programmer\PixiePack Codec Pack
2009-03-23 23:48 . 2009-03-23 23:48    --------    d-----w    c:\programmer\RapidSolution
2009-03-23 20:20 . 2009-03-23 19:41    --------    d-----w    c:\programmer\Zortam Mp3 Media Studio
2009-03-16 09:04 . 2008-11-10 17:39    0    -c--a-w    c:\documents and settings\Ann\temp.dat
2009-03-12 15:30 . 2009-03-12 15:30    142504    ----a-w    c:\windows\system32\ElbyVCD.dll
2009-03-09 03:19 . 2008-11-10 17:35    410984    ----a-w    c:\windows\system32\deploytk.dll
2009-03-08 02:34 . 2003-04-25 12:00    914944    ----a-w    c:\windows\system32\wininet.dll
2009-03-08 02:34 . 2003-04-25 12:00    43008    ----a-w    c:\windows\system32\licmgr10.dll
2009-03-08 02:33 . 2003-04-25 12:00    18944    ----a-w    c:\windows\system32\corpol.dll
2009-03-08 02:33 . 2003-04-25 12:00    420352    ----a-w    c:\windows\system32\vbscript.dll
2009-03-08 02:32 . 2003-04-25 12:00    72704    ----a-w    c:\windows\system32\admparse.dll
2009-03-08 02:32 . 2003-04-25 12:00    71680    ----a-w    c:\windows\system32\iesetup.dll
2009-03-08 02:31 . 2003-04-25 12:00    34816    ----a-w    c:\windows\system32\imgutil.dll
2009-03-08 02:31 . 2003-04-25 12:00    48128    ----a-w    c:\windows\system32\mshtmler.dll
2009-03-08 02:31 . 2003-04-25 12:00    45568    ----a-w    c:\windows\system32\mshta.exe
2009-03-08 02:22 . 2003-04-25 12:00    156160    ----a-w    c:\windows\system32\msls31.dll
2009-03-06 14:20 . 2003-04-25 12:00    284672    ----a-w    c:\windows\system32\pdh.dll
2009-03-02 11:49 . 2009-03-02 11:49    60273    -c--a-w    c:\windows\system32\pthreadGC2.dll
2009-03-02 11:41 . 2009-03-02 11:41    29184    ----a-w    c:\windows\system32\drivers\VClone.sys
2009-03-02 10:33 . 2009-03-02 10:33    67584    -c--a-w    c:\windows\system32\ff_vfw.dll
.

------- Sigcheck -------

  • 2004-08-27 00:53    14336    94CA67FAD5012A6C6F693D400F76AA8F    c:\windows\$NtServicePackUninstall$\svchost.exe
  • 2008-04-14 16:06    14336    CC065F1BBD7FB1AAF2B4A86CCE71F62A    c:\windows\ServicePackFiles\i386\svchost.exe
  • 2008-04-14 16:06    14336    CC065F1BBD7FB1AAF2B4A86CCE71F62A    c:\windows\system32\svchost.exe

[7] 2004-08-04 06:14    182912    558635D3AF1C7546D26067D5D9B6959E    c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2008-04-13 19:20    182656    1DF7F42665C94B825322FAE71721130D    c:\windows\ServicePackFiles\i386\ndis.sys
  • 2009-05-17 15:29    212224    !MD5: COULD NOT OPEN FILE !    c:\windows\system32\dllcache\ndis.sys
  • 2009-05-17 15:29    212224    36385691398D7FB1C5BD260C9776A387    c:\windows\system32\drivers\ndis.sys

  • 2008-04-14 16:05    1034752    274FFA1162486AD1AAB15473D38AA97D    c:\windows\explorer.exe
  • 2004-08-27 00:53    1033216    3882C15FC87BDC191E96D364962000A7    c:\windows\$NtServicePackUninstall$\explorer.exe
  • 2008-04-14 16:05    1034752    274FFA1162486AD1AAB15473D38AA97D    c:\windows\ServicePackFiles\i386\explorer.exe

  • 2004-08-27 00:53    15360    F4BD446283D1226C9D7CE53C603CD80C    c:\windows\$NtServicePackUninstall$\ctfmon.exe
  • 2008-04-14 16:05    15360    69A2D08C478F17CEBD657F7A04B35CE1    c:\windows\ServicePackFiles\i386\ctfmon.exe
  • 2008-04-14 16:05    15360    69A2D08C478F17CEBD657F7A04B35CE1    c:\windows\system32\ctfmon.exe

  • 2004-08-27 00:53    57856    60873D8E8C7D4BB327999D4F9A4C9F8A    c:\windows\$NtServicePackUninstall$\spoolsv.exe
  • 2008-04-14 16:06    57856    19CA8B7E181B57210F8F86519D464006    c:\windows\ServicePackFiles\i386\spoolsv.exe
  • 2005-06-10 23:55    53248    81A6E3CDE9DB33FD207A9E8FBE22629B    c:\windows\SoftwareDistribution\Download\c3f6eba83fadfcc4d651cfc418e9db92\sp1qfe\spoolsv.exe
  • 2005-06-10 23:53    57856    5B7C21271CA818E5063A88E7A053E4FD    c:\windows\SoftwareDistribution\Download\c3f6eba83fadfcc4d651cfc418e9db92\sp2gdr\spoolsv.exe
  • 2005-06-11 00:17    57856    DA4C2B9DF04608EF4E410C3F3CA6BB52    c:\windows\SoftwareDistribution\Download\c3f6eba83fadfcc4d651cfc418e9db92\sp2qfe\spoolsv.exe
  • 2008-04-14 16:06    57856    19CA8B7E181B57210F8F86519D464006    c:\windows\system32\spoolsv.exe

  • 2004-08-27 00:53    24384    1CDC7E25682558E2ADC05DC17229FA4A    c:\windows\$NtServicePackUninstall$\userinit.exe
  • 2008-04-14 16:06    25904    28264717AC119A7EE7B19DE661B521B7    c:\windows\ServicePackFiles\i386\userinit.exe
  • 2008-04-14 16:06    25904    28264717AC119A7EE7B19DE661B521B7    c:\windows\system32\userinit.exe
.
(((((((((((((((((((((((((((((  SnapShot@2009-05-20_07.56.28  )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-20 13:59 . 2009-05-20 13:59    16384              c:\windows\Temp\Perflib_Perfdata_5e4.dat
- 2009-05-17 17:21 . 2009-05-19 19:12    98304              c:\windows\system32\config\systemprofile\PrivacIE\index.dat
+ 2009-05-17 17:21 . 2009-05-20 14:01    98304              c:\windows\system32\config\systemprofile\PrivacIE\index.dat
+ 2009-05-20 14:01 . 2009-05-20 14:01    32768              c:\windows\system32\config\systemprofile\Lokale indstillinger\Temporary Internet Files\Content.IE5\index.dat
+ 2009-05-20 08:01 . 2009-05-20 11:32    32768              c:\windows\system32\config\systemprofile\Lokale indstillinger\Oversigt\History.IE5\MSHist012009052020090521\index.dat
+ 2009-05-20 11:32 . 2009-05-20 11:52    26112              c:\windows\system32\config\systemprofile\Lokale indstillinger\Application Data\Microsoft\Internet Explorer\Recovery\Active\{EE069534-4531-11DE-8D1E-0010C6E245F3}.dat
- 2009-05-17 21:23 . 2009-05-19 19:12    32768              c:\windows\system32\config\systemprofile\Lokale indstillinger\Application Data\Microsoft\Feeds Cache\index.dat
+ 2009-05-17 21:23 . 2009-05-20 14:01    32768              c:\windows\system32\config\systemprofile\Lokale indstillinger\Application Data\Microsoft\Feeds Cache\index.dat
+ 2008-11-04 10:12 . 2009-05-20 14:01    32768              c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-11-04 10:12 . 2009-05-19 19:12    32768              c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-05-18 22:28 . 2009-05-19 19:12    32768              c:\windows\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\UserData\index.dat
+ 2009-05-18 22:28 . 2009-05-20 11:32    32768              c:\windows\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\UserData\index.dat
+ 2009-05-20 11:32 . 2009-05-20 11:32    3584              c:\windows\system32\config\systemprofile\Lokale indstillinger\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{EE069533-4531-11DE-8D1E-0010C6E245F3}.dat
+ 2009-05-20 13:47 . 2009-05-20 13:47    3584              c:\windows\system32\config\systemprofile\Lokale indstillinger\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{C0417F73-4544-11DE-8D1F-0010C6E245F3}.dat
+ 2009-05-20 14:01 . 2009-05-20 14:01    3584              c:\windows\system32\config\systemprofile\Lokale indstillinger\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{A71F2333-4546-11DE-8D20-0010C6E245F3}.dat
+ 2009-05-20 13:53 . 2009-05-20 13:53    3584              c:\windows\system32\config\systemprofile\Lokale indstillinger\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{91A668F3-4545-11DE-8D1F-0010C6E245F3}.dat
+ 2009-05-20 08:01 . 2009-05-20 08:22    5120              c:\windows\system32\config\systemprofile\Lokale indstillinger\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{5FAB2A53-4514-11DE-8D1C-0010C6E245F3}.dat
+ 2009-05-20 13:47 . 2009-05-20 13:47    4096              c:\windows\system32\config\systemprofile\Lokale indstillinger\Application Data\Microsoft\Internet Explorer\Recovery\Active\{C0417F74-4544-11DE-8D1F-0010C6E245F3}.dat
+ 2009-05-20 14:01 . 2009-05-20 14:01    4096              c:\windows\system32\config\systemprofile\Lokale indstillinger\Application Data\Microsoft\Internet Explorer\Recovery\Active\{B750CEE0-4546-11DE-8D20-0010C6E245F3}.dat
+ 2009-05-20 13:53 . 2009-05-20 13:53    4096              c:\windows\system32\config\systemprofile\Lokale indstillinger\Application Data\Microsoft\Internet Explorer\Recovery\Active\{91A668F4-4545-11DE-8D1F-0010C6E245F3}.dat
+ 2009-05-20 08:01 . 2009-05-20 08:01    4608              c:\windows\system32\config\systemprofile\Lokale indstillinger\Application Data\Microsoft\Internet Explorer\Recovery\Active\{5FAB2A54-4514-11DE-8D1C-0010C6E245F3}.dat
- 2008-11-04 10:12 . 2009-05-19 19:12    180224              c:\windows\system32\config\systemprofile\Lokale indstillinger\Oversigt\History.IE5\index.dat
+ 2008-11-04 10:12 . 2009-05-20 14:01    180224              c:\windows\system32\config\systemprofile\Lokale indstillinger\Oversigt\History.IE5\index.dat
+ 2009-05-17 17:21 . 2009-05-20 11:32    245760              c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-05-17 17:21 . 2009-05-19 19:12    245760              c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-05-20 11:38 . 2008-07-09 07:36    394616              c:\windows\ie8updates\KB969497-IE8\spuninst\updspapi.dll
+ 2009-05-20 11:38 . 2008-07-09 07:36    232824              c:\windows\ie8updates\KB969497-IE8\spuninst\spuninst.exe
+ 2009-05-20 11:38 . 2009-02-28 04:55    105984              c:\windows\ie8updates\KB969497-IE8\iecompat.dll
.
(((((((((((((((((((((((((((((((((((  Start steder i reg.basen  ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Bemærk* tomme linier & lovlige standard linier vises ikke 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-01 1947928]
"SynTPLpr"="c:\programmer\Synaptics\SynTP\SynTPLpr.exe" [2008-07-03 115662]
"SynTPEnh"="c:\programmer\Synaptics\SynTP\SynTPEnh.exe" [2008-07-03 1323008]
"ACWLIcon"="c:\programmer\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2008-10-27 143360]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-05 242976]
"TPKMAPHELPER"="c:\programmer\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"SoundMAXPnP"="c:\programmer\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"BrMfcWnd"="c:\programmer\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 622592]
"ControlCenter3"="c:\programmer\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 61440]
"TVT Scheduler Proxy"="c:\programmer\Fælles filer\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"VirtualCloneDrive"="c:\programmer\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-01-29 52392]
"GrooveMonitor"="c:\programmer\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\programmer\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\programmer\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"SPAMfighter Agent"="c:\programmer\SPAMfighter\SFAgent.exe" [2009-03-12 326792]
"Ad-Watch"="c:\programmer\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-19 516440]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-10-17 65536]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2008-06-06 181536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menuen Start\Programmer\Start\
Windows Search.lnk - c:\programmer\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\programmer\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2008-10-27 08:57    32768    ----a-w    c:\programmer\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-01 16:28    11952    ----a-w    c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 22:45    28672    ----a-w    c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 19:16    24576    ----a-w    c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages    REG_MULTI_SZ      scecli ACGina

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmer\\AVG\\AVG8\\avgemc.exe"=
"c:\\Programmer\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmer\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programmer\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Programmer\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-05-19 64160]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2008-05-14 114728]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2008-05-14 19496]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-04 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-04 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-05 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-04 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\programmer\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 953168]
R2 SPAMfighter Update Service;SPAMfighter Update Service;c:\programmer\SPAMfighter\sfus.exe [2009-03-12 184968]
R2 WinDefend;Windows Defender;c:\programmer\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S1 ethakwfl;ethakwfl;c:\windows\system32\drivers\ethakwfl.sys --> c:\windows\system32\drivers\ethakwfl.sys [?]
S1 ethamzxm;ethamzxm;c:\windows\system32\drivers\ethamzxm.sys --> c:\windows\system32\drivers\ethamzxm.sys [?]
S1 ethbwkif;ethbwkif;c:\windows\system32\drivers\ethbwkif.sys --> c:\windows\system32\drivers\ethbwkif.sys [?]
S1 ethehncq;ethehncq;c:\windows\system32\drivers\ethehncq.sys --> c:\windows\system32\drivers\ethehncq.sys [?]
S1 ethgvlvn;ethgvlvn;c:\windows\system32\drivers\ethgvlvn.sys --> c:\windows\system32\drivers\ethgvlvn.sys [?]
S1 ethijaau;ethijaau;c:\windows\system32\drivers\ethijaau.sys --> c:\windows\system32\drivers\ethijaau.sys [?]
S1 ethiyauz;ethiyauz;c:\windows\system32\drivers\ethiyauz.sys --> c:\windows\system32\drivers\ethiyauz.sys [?]
S1 ethjjhqj;ethjjhqj;c:\windows\system32\drivers\ethjjhqj.sys --> c:\windows\system32\drivers\ethjjhqj.sys [?]
S1 ethmhjhs;ethmhjhs;c:\windows\system32\drivers\ethmhjhs.sys --> c:\windows\system32\drivers\ethmhjhs.sys [?]
S1 ethmuwqq;ethmuwqq;c:\windows\system32\drivers\ethmuwqq.sys --> c:\windows\system32\drivers\ethmuwqq.sys [?]
S1 ethneskd;ethneskd;c:\windows\system32\drivers\ethneskd.sys --> c:\windows\system32\drivers\ethneskd.sys [?]
S1 ethnvpgp;ethnvpgp;c:\windows\system32\drivers\ethnvpgp.sys --> c:\windows\system32\drivers\ethnvpgp.sys [?]
S1 ethtvnbf;ethtvnbf;c:\windows\system32\drivers\ethtvnbf.sys --> c:\windows\system32\drivers\ethtvnbf.sys [?]
S1 ethxswfa;ethxswfa;c:\windows\system32\drivers\ethxswfa.sys --> c:\windows\system32\drivers\ethxswfa.sys [?]
S3 restore;restore;\??\c:\windows\system32\drivers\restore.sys --> c:\windows\system32\drivers\restore.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
msncache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9C450606-ED24-4958-92BA-B8940C99D441}]
c:\programmer\PixiePack Codec Pack\InstallerHelper.exe
.
Indhold af mappen 'Planlagte Opgaver'

2009-05-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\programmer\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 13:35]

2009-05-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\programmer\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]

2009-05-06 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\programmer\PCDR5\pcdr5cuiw32.exe [2008-10-31 18:14]

2009-05-20 c:\windows\Tasks\User_Feed_Synchronization-{B0DD439F-9B4E-469D-B106-C2962296512E}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 02:31]
.
- - - - TOMME GENVEJE FJERNET - - - -

Notify-aagszw - aagszw.dll


.
------- Yderligere scanning -------
.
uStart Page = hxxp://www.google.dk/ig?hl=da
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {32646EBA-0919-4C2F-94D6-599F46DC34F2} - hxxps://www.kryds-feltet.dk/WebDokument/AutomateWord.CAB
DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} - hxxps://udstedelse.certifikat.tdc.dk/csp/authenticode/digitalsignatur-csp.exe
DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} - hxxps://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-20 15:59
Windows 5.1.2600 Service Pack 3 NTFS

scanner skjulte processer ... 

scanner skjulte autostarter ...

scanner skjulte filer ... 


c:\windows\TEMP\TMP00000047070CA564506C1C8B 524288 bytes executable

scanning gennemført med succes
skjulte filer: 1

**************************************************************************
.
--------------------- LÅSTE REGISTRERINGS NØGLER ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
  d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,45,63,c0,91,7a,c5,bd,4a,98,4c,06,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
  d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,45,63,c0,91,7a,c5,bd,4a,98,4c,06,\

[HKEY_USERS\S-1-5-21-436374069-1202660629-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{43F649F8-7940-21D9-2DED-DBAFFBEFDAC8}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"jafdlpeejnkdlnbccjej"=hex:6b,61,62,62,67,62,6d,62,64,6e,70,6b,6a,6f,70,68,65,
  6c,64,6b,70,6e,00,00
"iapdnjnpbonibhedbb"=hex:6b,61,62,62,67,62,6d,62,64,6e,70,6b,6a,6f,70,68,65,6c,
  64,6b,70,6e,00,00
.
--------------------- DLLs startet under kørende Processer ---------------------

- - - - - - - > 'winlogon.exe'(832)
c:\programmer\ThinkPad\ConnectUtilities\ACNotify.dll
c:\programmer\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\programmer\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\programmer\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll

- - - - - - - > 'lsass.exe'(892)
c:\programmer\ThinkPad\ConnectUtilities\ACGina.dll
c:\programmer\ThinkPad\ConnectUtilities\ACHelper.dll
c:\programmer\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\programmer\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\programmer\ThinkPad\ConnectUtilities\ACON.dll
c:\programmer\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\programmer\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\programmer\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\programmer\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\programmer\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll

- - - - - - - > 'Explorer.EXE'(1224)
c:\windows\system32\ieframe.dll
.
------------------------ Andre kørende processer ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\programmer\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\programmer\Java\jre6\bin\jqs.exe
c:\programmer\Fælles filer\Microsoft Shared\VS7DEBUG\mdm.exe
c:\programmer\Analog Devices\SoundMAX\SMAgent.exe
c:\programmer\Fælles filer\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\programmer\Fælles filer\Lenovo\Scheduler\tvtsched.exe
c:\windows\system32\searchindexer.exe
c:\programmer\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\programmer\ThinkPad\ConnectUtilities\AcSvc.exe
c:\programmer\AVG\AVG8\avgcsrvx.exe
c:\programmer\Brother\ControlCenter3\BrccMCtl.exe
c:\windows\system32\rundll32.exe
c:\program files\ThinkPad\UltraNav Wizard\UNavTray.exe
c:\programmer\Brother\Brmfcmon\BrMfimon.exe
c:\programmer\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\msiexec.exe
c:\windows\Temp\BN16.tmp
c:\programmer\Internet Explorer\iexplore.exe
c:\programmer\AVG\AVG8\avgcsrvx.exe
c:\programmer\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Gennemført tid: 2009-05-20 16:05 - maskinen blev genstartet
ComboFix-quarantined-files.txt  2009-05-20 14:05
ComboFix2.txt  2009-05-20 08:01

Pre-Kørsel: 53,988,511,744 byte ledig
Post-Kørsel: 53,972,860,928 byte ledig

372    --- E O F ---    2009-05-19 14:03

--------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:16, on 2009-05-20
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmer\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Programmer\Java\jre6\bin\jqs.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
C:\Programmer\SPAMfighter\sfus.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Fælles filer\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Programmer\Fælles filer\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Programmer\ThinkPad\ConnectUtilities\AcSvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Programmer\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\Programmer\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Programmer\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programmer\Brother\Brmfcmon\BrMfcWnd.exe
C:\Programmer\Fælles filer\Lenovo\Scheduler\scheduler_proxy.exe
C:\Programmer\Brother\ControlCenter3\brccMCtl.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Programmer\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Programmer\Microsoft Office\Office12\GrooveMonitor.exe
C:\Programmer\Java\jre6\bin\jusched.exe
C:\Programmer\SPAMfighter\SFAgent.exe
C:\Programmer\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
C:\Programmer\Brother\Brmfcmon\BrMfimon.exe
C:\Programmer\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\BN16.tmp
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Programmer\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/ig?hl=da
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programmer\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Hjælp til tilmelding til Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Programmer\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Programmer\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmer\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Programmer\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Programmer\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Programmer\Fælles filer\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Programmer\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programmer\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmer\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Programmer\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [Ad-Watch] C:\Programmer\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Windows Search.lnk = C:\Programmer\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} (EModelNonVersionSpecificViewControl Class) - http://louk.solidworks.com/htdocs/pdownload/edrawings/e2009sp03/cab/eModelsStandard.cab
O16 - DPF: {32646EBA-0919-4C2F-94D6-599F46DC34F2} (AutomateWord.Invoice) - https://www.kryds-feltet.dk/WebDokument/AutomateWord.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1225806068112
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1225808764386
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/digitalsignatur-csp.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programmer\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programmer\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\avgrsstx.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo  - C:\Programmer\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo  - C:\Programmer\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmer\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Programmer\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Programmer\Fælles filer\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Programmer\SPAMfighter\sfus.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Programmer\Fælles filer\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Programmer\Fælles filer\Lenovo\Scheduler\tvtsched.exe

--
End of file - 10664 bytes


Hope this is what's needed..

Aasberg
f-arn Guru
20 May 2009 - 22:21 #1
I have a bad feeling that this will end with a format and reinstall. Do you have an original Windows XP CD?

Find and upload these files to Jotti or VirusTotal:

c:\windows\system32\drivers\ndis.sys
c:\windows\explorer.exe

http://virusscan.jotti.org/ - http://www.virustotal.com/en/indexf.html

If you don't know how, see here:
http://www.it-artikler.dk/2008/03/05/vis-skjulte-filer-og-mapper/

Paste the result in here.

Have you run ComboFix more than once?

ComboFix2.txt

I'd like to see that one if it's there.
f-arn Guru
20 May 2009 - 22:22 #2
And that is of course only if you don't know how to find hidden files and folders :-)
eaa Beginner
21 May 2009 - 20:29 #3
Jotti's malware scan
Filename:  explorer.exe
Status:  Scan finished. 3 out of 20 scanners reported malware.
Scan taken on:  Thu 21 May 2009 14:33:39 (CET)


Additional info
File size:  1034752 bytes
Filetype:  PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5:  274ffa1162486ad1aab15473d38aa97d
SHA1:  bcb9dc1afd4420dd29172e2fdebba3a840b21cea


a-squared
2009-05-21 Trojan.Win32.Patched!IK

Avira
2009-05-21 HEUR/Malware

Ikarus
2009-05-21 Trojan.Win32.Patched

None of the others found anything!
eaa Beginner
21 May 2009 - 20:34 #4
Oh yes, Jotti found nothing in the ndis.sys file, but AVG says there is Trojan Rootkit Agent.DI in that file ???!!!???

I'll just try VirusTotal
f-arn Guru
25 May 2009 - 08:59 #5
Did you get any further?