Am I under attack, and by what?
From: o.v.n.
Viewed: 1652 times
200 points
Date: 01-10-06 21:16

Earlier today I discovered that my antivirus and firewall had suddenly disappeared. They were still listed under Start > All Programs, but when I clicked the icon I got a message that the program the shortcut pointed to did not exist. I reinstalled the program and have scanned for viruses and spyware with BullGuard, SuperAntiSpyware, Spybot S&D and X-Cleaner without finding anything. Later today Stl_s made a remark that has made me uneasy: http://www.kandu.dk/tip14833.aspx What can I do to know I'm safe again?

Comment
From: miritdk
Date: 01-10-06 21:45

Comment
From: stl_s
Date: 01-10-06 21:47

Hi o.v.n

This is a very mysterious infection, and we don't really know anything about it. You can try to follow the developments in this thread on Spywarefri: http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=30453

I am also searching high and low for information about it, but haven't found anything yet.

The bad news is that there may well be something on the machine that we can't find.

You are welcome to post a HijackThis log:

Download HijackThis here: http://www.sitecenter.dk/secure/nss-folder/mappe/hjtspecial.exe Create a separate folder for HijackThis, call it e.g. HJT. Run HijackThis and click "Do a system scan and save a logfile". Copy the log and paste it into this thread, and I'll take a look at it. Do not delete anything yourself with HijackThis; I'll give you instructions on what to do.

Also post a log from WinPFind: http://www.bleepingcomputer.com/files/winpfind.php

Unpack it into its own folder, close all windows, and run the green exe file. Click Start scan. The scan can take a while, so be a bit patient. NB: don't click in the window while it's scanning, as it may freeze. When it's finished, click Copy to clipboard and paste the contents here.

Comment
From: o.v.n.
Date: 01-10-06 22:33

OK, the HJT log is below. I'm trying WinPFind now, so it will probably be a while before I look in again. And what I wrote before is not quite correct: Spybot S&D found a registry change: Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0
HJT log here:
Quote
Logfile of HijackThis v1.99.1
Scan saved at 20:28:43, on 01-10-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\BullGuard Software\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\DRIVERS\dcfssvc.exe
C:\WINDOWS\system32\LckFldService.exe
C:\Programmer\NetLimiter 2 Monitor\nlsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmer\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\ClocX\ClocX.exe
C:\Programmer\Motherboard Monitor 5\MBM5.EXE
C:\Programmer\HDD Thermometer\HDD Thermometer.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\NetLimiter 2 Monitor\NLClient.exe
C:\Programmer\Slawdog\Smart Shutdown\Smart Shutdown.exe
C:\Programmer\BullGuard Software\BullGuard\bullguard.exe
C:\Programmer\Corel\WordPerfect Office 2000\programs\ccwin9.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Corel\WORDPE~1\programs\alarm.exe
C:\Programmer\OpenOffice.org 2.0\program\soffice.exe
C:\Programmer\OpenOffice.org 2.0\program\soffice.BIN
C:\Documents and Settings\xxx xxxxxxxx\Dokumenter\Programmer\HTJ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kandu.dk/LastX.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer for xxx xxxxxxxx
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: iFinger plugin / Browser helper object - {A114D52B-870C-4F15-8021-B6D7F91A054B} - C:\Programmer\iFinger\plugins\IE.ifp
O4 - HKLM\..\Run: [ClocX] C:\Programmer\ClocX\ClocX.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MBM 5] "C:\Programmer\Motherboard Monitor 5\MBM5.EXE"
O4 - HKCU\..\Run: [RSD_HDDThermo] C:\Programmer\HDD Thermometer\HDD Thermometer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Slawdog Smart Shutdown] C:\Programmer\Slawdog\Smart Shutdown\Smart Shutdown.exe startup
O4 - HKCU\..\Run: [BullGuard] "C:\Programmer\BullGuard Software\BullGuard\bullguard.exe"
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Programmer\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: CorelCENTRAL 9.LNK = C:\Programmer\Corel\WordPerfect Office 2000\programs\ccwin9.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programmer\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programmer\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Pictures - {C7486E80-B111-4768-995E-23CF307346FC} - C:\Programmer\UnH Solutions\Flash and Pics Control\FPCButton.dll (HKCU)
O15 - Trusted Zone: http://www.danskebank.dk
O15 - Trusted Zone: http://www.debitelshop.dk
O15 - Trusted Zone: http://www.kandu.dk
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Programmer\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINDOWS\system32\DRIVERS\dcfssvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LckFldService - Unknown owner - C:\WINDOWS\system32\LckFldService.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Programmer\NetLimiter 2 Monitor\nlsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ptssvc - Unknown owner - C:\Programmer\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited slightly: my name has been replaced with xxx xxxxxxxx
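The HijackThis log above lists running processes, Run-key and Startup entries (O4), browser helper objects (O2), IE Trusted Zone sites (O15) and services (O23) as free text, and the reviewer's first job is to cross-reference them. The script below is an added example, not code from this thread or from HijackThis: it parses those line formats, flags every running process that no listed autostart entry accounts for, and flags services with no vendor string, unnamed BHOs, and Trusted Zone sites other than Windows Update's own. The sample log is a constructed, abridged excerpt in the posted format; the core-process set and the "expected Trusted Zone" pattern are the example's own assumptions, not HijackThis rules.

```python
"""First-pass triage of a HijackThis 1.99 log.  Added example, not code from
the thread or from HijackThis.  It parses the line formats in the log above
and points at entries to inspect; it changes nothing on the system."""
import re
from dataclasses import dataclass

# Assumption: XP processes that are always present and are never listed under
# the Run keys or services HijackThis reports.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
# Assumption: Trusted Zone entries Windows Update adds itself.  Every other
# site in the Trusted zone runs under IE's relaxed ActiveX/scripting settings.
EXPECTED_TRUSTED = re.compile(r"windowsupdate\.(microsoft\.)?com$")

# Constructed sample: an abridged excerpt in the format of the posted log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\ClocX\ClocX.exe
C:\WINDOWS\system32\LckFldService.exe
C:\Documents and Settings\xxx xxxxxxxx\Dokumenter\Programmer\HTJ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kandu.dk/LastX.aspx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ClocX] C:\Programmer\ClocX\ClocX.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Programmer\OpenOffice.org 2.0\program\quickstart.exe
O15 - Trusted Zone: http://www.danskebank.dk
O15 - Trusted Zone: http://*.windowsupdate.com
O23 - Service: LckFldService - Unknown owner - C:\WINDOWS\system32\LckFldService.exe
"""

@dataclass
class Finding:
    section: str  # HijackThis section code ("O23", ...) or "process"
    subject: str  # path, URL or service the finding is about
    reason: str

def basename(path: str) -> str:
    """Lower-cased file name of a path, surrounding quotes dropped."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()

def executable_of(command: str) -> str:
    """Executable part of a Run-key command line: the quoted path, else the text
    up to the first '.exe' (unquoted paths with spaces are common), else word 1."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r"(.+?\.exe)(\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]

def parse_log(text: str):
    """Split a log into the running-process list and (code, body) entries."""
    processes, entries, in_processes = [], [], False
    for line in text.splitlines():
        if line.startswith("Running processes:"):
            in_processes = True
        elif in_processes and line.strip():
            processes.append(line.strip())
        elif in_processes:
            in_processes = False  # a blank line ends the process list
        elif m := re.match(r"([RFO]\d+) - (.*)$", line):
            entries.append((m.group(1), m.group(2)))
    return processes, entries

def triage(text: str) -> list:
    processes, entries = parse_log(text)
    findings, explained = [], set()
    for code, body in entries:
        if code == "O4":  # "[name] command" for Run keys, "x.lnk = target" for Startup
            m = re.search(r"\] (.*)$", body) or re.search(r" = (.*)$", body)
            if m:  # a rundll32 entry explains rundll32.exe, not which DLL it hosts
                explained.add(basename(executable_of(m.group(1))))
        elif code == "O23" and (m := re.match(r"Service: (.+?) - (.+?) - (.+)$", body)):
            explained.add(basename(m.group(3)))
            if m.group(2) == "Unknown owner":
                findings.append(Finding("O23", m.group(3),
                    "service binary carries no vendor string; identify it by hash"))
        elif code == "O2" and (m := re.match(r"BHO: (.+?) - \{[^}]+\} - (.+)$", body)):
            if m.group(1) == "(no name)":
                findings.append(Finding("O2", m.group(2),
                    "BHO registered without a name; confirm the DLL is a known product"))
        elif code == "O15":
            url = body.split(":", 1)[1].strip()
            if not EXPECTED_TRUSTED.search(url):
                findings.append(Finding("O15", url,
                    "site in IE Trusted zone gets relaxed ActiveX/scripting settings"))
    for proc in processes:  # file-name match only: a look-alike at that path passes
        if basename(proc) not in CORE_PROCESSES | explained:
            findings.append(Finding("process", proc,
                "running but started from no listed Run key, startup item or service"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:8} {f.subject}\n         {f.reason}")
```

On the sample this yields four items: the LckFldService binary with no vendor string (the WinPFind log further down lists a LckFldMenu.dll under C:\Programmer\FolderAccess, a likely origin worth checking), Spybot's SDHelper.dll registered as an unnamed BHO (a known product, so a site-specific allowlist would suppress it), www.danskebank.dk in the Trusted zone over plain http (probably added deliberately for the bank's login controls, but worth confirming), and HTJ.exe, which is HijackThis itself. Matching is by file name, so a binary replaced in place passes; clearing a file still means checking its hash or Authenticode signature, which this offline script does not do.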

Comment
From: o.v.n.
Date: 01-10-06 23:43

WinPFind has now finished chewing its way through my machine:
Quote
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Logfile created on: 01-10-2006 22:53:11
WinPFind v1.5.0   Folder = C:\Documents and Settings\xxx xxxxxxxxx\Dokumenter\Programmer\WinPFind\WinPFind\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 08-07-2006 02:29:48 39424 C:\WINDOWS\zipinst.exe (NirSoft)

Checking %System% folder...
UPX! 17-09-2001 14:20:02 9216 C:\WINDOWS\SYSTEM32\cpuinf32.dll ()
PEC2 09-10-2001 14:00:00 41123 C:\WINDOWS\SYSTEM32\dfrg.msc ()
PEC2 03-07-2006 23:40:50 620180 C:\WINDOWS\SYSTEM32\DivX.dll (DivX, Inc.)
PECompact2 03-07-2006 23:40:50 620180 C:\WINDOWS\SYSTEM32\DivX.dll (DivX, Inc.)
PTech 20-09-2006 17:35:52 571696 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll (Microsoft Corporation)
PECompact2 11-09-2006 19:37:22 8960936 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
aspack 11-09-2006 19:37:22 8960936 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
WSUD 27-08-2004 02:53:52 1214464 C:\WINDOWS\SYSTEM32\ntbackup.exe (Microsoft Corporation)
aspack 27-08-2004 02:53:24 712704 C:\WINDOWS\SYSTEM32\ntdll.dll (Microsoft Corporation)
WSUD 27-08-2004 02:53:54 258048 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
Umonitor 27-08-2004 02:53:42 667648 C:\WINDOWS\SYSTEM32\rasdlg.dll (Microsoft Corporation)
UPX! 13-07-2004 18:49:18 412672 C:\WINDOWS\SYSTEM32\vbskpro2.ocx (JB)
winsync 09-10-2001 14:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu ()
PTech 20-09-2006 17:35:42 280368 C:\WINDOWS\SYSTEM32\WgaTray.exe (Microsoft Corporation)

Checking %System%\Drivers folder and sub-folders...
PTech 04-08-2004 07:41:38 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys (Smart Link)

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Items found in C:\WINDOWS\SYSTEM32\drivers\etc\lmhosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
01-10-2006 20:52:32 S 2048 C:\WINDOWS\bootstat.dat ()
02-09-2006 18:36:00 H 54156 C:\WINDOWS\QTFont.qfn ()
27-08-2006 18:52:46 HS 5120 C:\WINDOWS\Thumbs.db ()
27-08-2006 18:52:42 HS 6144 C:\WINDOWS\aod\Thumbs.db ()
27-08-2006 18:52:48 HS 4608 C:\WINDOWS\coverbase_revise02 dir\Thumbs.db ()
01-10-2006 13:28:02 H 48882 C:\WINDOWS\system32\vsconfig.xml ()
01-10-2006 12:18:14 H 4212 C:\WINDOWS\system32\zllictbl.dat ()
21-08-2006 15:00:18 S 11749 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB922582.cat ()
18-09-2006 16:40:02 S 8847 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB925486.cat ()
20-09-2006 17:36:14 S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat ()
01-10-2006 21:32:08 H 1024 C:\WINDOWS\system32\config\default.LOG ()
01-10-2006 20:52:54 H 1024 C:\WINDOWS\system32\config\SAM.LOG ()
01-10-2006 20:53:38 H 1024 C:\WINDOWS\system32\config\SECURITY.LOG ()
01-10-2006 23:19:08 H 1024 C:\WINDOWS\system32\config\software.LOG ()
01-10-2006 22:52:50 H 1024 C:\WINDOWS\system32\config\system.LOG ()
15-09-2006 10:54:44 H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG ()
08-09-2006 02:08:08 S 18 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 ()
25-08-2006 01:59:12 S 341 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\303572DF538EDD8B1D606185F1D559B8 ()
08-09-2006 02:08:24 S 569 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\3C83474D61E624A4F9844DF935AFE217 ()
15-08-2006 05:07:20 S 413 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\79841F8EF00FBA86D33CC5A47696F165 ()
08-09-2006 02:08:18 S 21069 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 ()
08-09-2006 02:07:58 S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735 ()
08-09-2006 02:08:10 S 216 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 ()
25-08-2006 01:59:12 S 126 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\303572DF538EDD8B1D606185F1D559B8 ()
08-09-2006 02:08:24 S 142 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\3C83474D61E624A4F9844DF935AFE217 ()
15-08-2006 05:07:20 S 98 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\79841F8EF00FBA86D33CC5A47696F165 ()
08-09-2006 02:08:18 S 216 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 ()
08-09-2006 02:07:58 S 144 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735 ()
31-08-2006 12:15:22 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\4e2b856e-410d-4127-8de2-3fa3ea2a77ae ()
31-08-2006 12:15:22 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred ()
19-08-2006 18:43:52 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\8e7acdeb-ec19-4624-92f2-77ddfcda07e6 ()
19-08-2006 18:43:52 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred ()
01-10-2006 20:52:44 H 6 C:\WINDOWS\Tasks\SA.DAT ()
27-08-2006 18:52:46 HS 6144 C:\WINDOWS\Web\Thumbs.db ()

Checking for CPL files...
27-08-2004 02:53:54 69632 C:\WINDOWS\SYSTEM32\access.cpl (Microsoft Corporation)
27-08-2004 02:53:54 551936 C:\WINDOWS\SYSTEM32\appwiz.cpl (Microsoft Corporation)
11-05-1999 09:37:16 183808 C:\WINDOWS\SYSTEM32\bdeadmin.cpl ()
27-08-2004 02:53:54 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl (Microsoft Corporation)
27-08-2004 02:53:54 136192 C:\WINDOWS\SYSTEM32\desk.cpl (Microsoft Corporation)
27-08-2004 02:53:54 80384 C:\WINDOWS\SYSTEM32\firewall.cpl (Microsoft Corporation)
27-08-2004 02:53:54 155648 C:\WINDOWS\SYSTEM32\hdwwiz.cpl (Microsoft Corporation)
27-08-2004 02:53:54 358912 C:\WINDOWS\SYSTEM32\inetcpl.cpl (Microsoft Corporation)
27-08-2004 02:53:54 131584 C:\WINDOWS\SYSTEM32\intl.cpl (Microsoft Corporation)
27-08-2004 02:53:54 380928 C:\WINDOWS\SYSTEM32\irprops.cpl (Microsoft Corporation)
27-08-2004 02:53:54 68608 C:\WINDOWS\SYSTEM32\joy.cpl (Microsoft Corporation)
03-05-2006 02:56:54 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl (Sun Microsystems, Inc.)
09-10-2001 14:00:00 188416 C:\WINDOWS\SYSTEM32\main.cpl (Microsoft Corporation)
27-08-2004 02:53:54 620032 C:\WINDOWS\SYSTEM32\mmsys.cpl (Microsoft Corporation)
09-10-2001 14:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl (Microsoft Corporation)
27-08-2004 02:53:54 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl (Microsoft Corporation)
27-08-2004 02:53:54 258048 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
09-03-2006 15:29:00 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl ()
09-10-2001 14:00:00 37376 C:\WINDOWS\SYSTEM32\nwc.cpl (Microsoft Corporation)
27-08-2004 02:53:54 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl (Microsoft Corporation)
27-08-2004 02:53:54 115200 C:\WINDOWS\SYSTEM32\powercfg.cpl (Microsoft Corporation)
27-08-2004 02:53:56 299008 C:\WINDOWS\SYSTEM32\sysdm.cpl (Microsoft Corporation)
09-10-2001 14:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl (Microsoft Corporation)
27-08-2004 02:53:56 93696 C:\WINDOWS\SYSTEM32\timedate.cpl (Microsoft Corporation)
09-03-2000 16:22:42 32768 C:\WINDOWS\SYSTEM32\verscpl.cpl (Corel Corporation Limited)
27-08-2004 02:53:56 148480 C:\WINDOWS\SYSTEM32\wscui.cpl (Microsoft Corporation)
26-05-2005 05:16:22 174872 C:\WINDOWS\SYSTEM32\wuaucpl.cpl (Microsoft Corporation)
27-08-2004 02:53:54 69632 C:\WINDOWS\SYSTEM32\dllcache\access.cpl (Microsoft Corporation)
27-08-2004 02:53:54 551936 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl (Microsoft Corporation)
27-08-2004 02:53:54 110592 C:\WINDOWS\SYSTEM32\dllcache\bthprops.cpl (Microsoft Corporation)
27-08-2004 02:53:54 136192 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl (Microsoft Corporation)
27-08-2004 02:53:54 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl (Microsoft Corporation)
27-08-2004 02:53:54 155648 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl (Microsoft Corporation)
27-08-2004 02:53:54 131584 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl (Microsoft Corporation)
27-08-2004 02:53:54 380928 C:\WINDOWS\SYSTEM32\dllcache\irprops.cpl (Microsoft Corporation)
27-08-2004 02:53:54 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl (Microsoft Corporation)
09-10-2001 14:00:00 188416 C:\WINDOWS\SYSTEM32\dllcache\main.cpl (Microsoft Corporation)
27-08-2004 02:53:54 620032 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl (Microsoft Corporation)
09-10-2001 14:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl (Microsoft Corporation)
27-08-2004 02:53:54 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl (Microsoft Corporation)
27-08-2004 02:53:54 258048 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl (Microsoft Corporation)
09-10-2001 14:00:00 37376 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl (Microsoft Corporation)
27-08-2004 02:53:54 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl (Microsoft Corporation)
27-08-2004 02:53:54 115200 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl (Microsoft Corporation)
27-08-2004 02:53:54 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl (Microsoft Corporation)
27-08-2004 02:53:56 299008 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl (Microsoft Corporation)
09-10-2001 14:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl (Microsoft Corporation)
27-08-2004 02:53:56 93696 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl (Microsoft Corporation)
27-08-2004 02:53:56 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl (Microsoft Corporation)
26-05-2005 05:16:22 174872 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl (Microsoft Corporation)

Checking for Downloaded Program Files...
Microsoft XML Parser for Java - - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
29-01-2006 14:45:14 1927 C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\CorelCENTRAL 9.LNK ()
21-11-2005 13:38:08 HS 84 C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\desktop.ini ()

Checking files in %ALLUSERSPROFILE%\Application Data folder...
21-11-2005 13:19:30 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini ()
27-08-2006 23:18:46 1353 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache ()

Checking files in %USERPROFILE%\Startup folder...
21-11-2005 13:38:08 HS 84 C:\Documents and Settings\xxx xxxxxxxx\Menuen Start\Programmer\Start\desktop.ini ()
10-07-2006 11:43:46 855 C:\Documents and Settings\xxx xxxxxxxx\Menuen Start\Programmer\Start\OpenOffice.org 2.0.lnk ()

Checking files in %USERPROFILE%\Application Data folder...
23-06-2006 02:38:16 1055 C:\Documents and Settings\xxx xxxxxxxx\Application Data\AdobeDLM.log ()
21-11-2005 13:19:30 HS 62 C:\Documents and Settings\xxx xxxxxxxx\Application Data\desktop.ini ()
23-06-2006 02:38:16 0 C:\Documents and Settings\xxx xxxxxxxx\Application Data\dm.ini ()
30-07-2006 01:08:40 134 C:\Documents and Settings\xxx xxxxxxxx\Application Data\nero_photoshow_express_4_eu_row[1].txt ()
26-02-2006 18:46:22 1024 C:\Documents and Settings\xxx xxxxxxxx\Application Data\WavCodec.wff ()

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

>>> Internet Explorer Settings <<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
\\Search Page - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
\\Default_Page_URL - http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
\\Default_Search_URL - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
\\Local Page - %SystemRoot%\system32\blank.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.kandu.dk/LastX.aspx
\\Search Page - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
\\Local Page - C:\WINDOWS\system32\blank.htm

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
\\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
\\SearchAssistant - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

>>> BHO's <<<
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
\{53707962-6F74-2D53-2644-206D7942484F} - = C:\PROGRA~1\SPYBOT~1\SDHelper.dll (Safer Networking Limited)
\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - SSVHelper Class = C:\Programmer\Java\jre1.5.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
\{9030D464-4C02-4ABF-8ECC-5164760863C6} - Windows Live Sign-in Helper = C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
\{A114D52B-870C-4F15-8021-B6D7F91A054B} - iFinger plugin / Browser helper object = C:\Programmer\iFinger\plugins\IE.ifp (iFinger Ltd)

>>> Internet Explorer Bars, Toolbars and Extensions <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
\{0CBD5120-990B-11D3-8ABD-00C04FA95EE0} - iFinger = C:\WINDOWS\system32\SHDOCVW.DLL (Microsoft Corporation)
\{4D5C8C25-D075-11d0-B416-00C04FB90376} - Dagens &tip = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
\{30D02401-6A81-11D0-8274-00C04FD5AE38} - Search Band = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\{32683183-48a0-441b-a342-7c2a440a9478} - = ()
\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} - File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Adresse = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Adresse = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Hyperlinks = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar = ()
\WebBrowser\\{F2CF5485-4E02-4F68-819C-B92DE9277049} - = ()

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
\\{936E5D60-596C-11D3-BB96-00600816DF55} - 8192 =
\\NEXTID - 8196
\\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - 8193 = Yahoo! Messenger
\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8194 = Sun Java Console
\\{C7486E80-B111-4768-995E-23CF307346FC} - 8195 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Programmer\Java\jre1.5.0_07\bin\npjpi150_07.dll (Sun Microsystems, Inc.)
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Programmer\Java\jre1.5.0_07\bin\ssv.dll (Sun Microsystems, Inc.)(HKCU CLSID)
\{936E5D60-596C-11D3-BB96-00600816DF55} - ButtonText: iFinger =
\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - ButtonText: Yahoo! Messenger = C:\Programmer\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)

>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{4C667F63-3FBF-11d5-B4C3-00A0C96133F1} - InkLab Shell Extension = IL32LMON.DLL (Olivetti)
\\{A70C977A-BF00-412C-90B7-034C51DA2439} - NvCpl DesktopContext Class = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation)
\\{1CDB2949-8F65-4355-8456-263E7C208A5D} - Desktop Explorer = C:\WINDOWS\system32\nvshell.dll ()
\\{1E9B04FB-F9E5-4718-997B-B8DA88302A47} - Desktop Explorer Menu = C:\WINDOWS\system32\nvshell.dll ()
\\{1E9B04FB-F9E5-4718-997B-B8DA88302A48} - nView Desktop Context Menu = C:\WINDOWS\system32\nvshell.dll ()
\\{62998FFD-B0A8-4019-8B86-CF0785539EC5} - IE Privacy Keeper Secure Delete Shell Extension = C:\Programmer\UnH Solutions\IE Privacy Keeper\SecureDelete.dll (UnH Solutions)
\\{acb4a560-3606-11d3-aef4-00104bd0f92d} - KodakShellExtension = C:\Programmer\Fælles filer\KODAK\IFSCore\shellext.dll (Eastman Kodak)
\\{FFB699E0-306A-11d3-8BD1-00104B6F7516} - Play on my TV helper = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation)
\\{5464D816-CF16-4784-B9F3-75C0DB52B499} - Yahoo! Mail = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll (Yahoo! Inc.)
\\{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} - OpenOffice.org Column Handler = "C:\Programmer\OpenOffice.org 2.0\program\shlxthdl.dll" (Sun Microsystems, Inc.)
\\{087B3AE3-E237-4467-B8DB-5A38AB959AC9} - OpenOffice.org Infotip Handler = "C:\Programmer\OpenOffice.org 2.0\program\shlxthdl.dll" (Sun Microsystems, Inc.)
\\{63542C48-9552-494A-84F7-73AA6A7C99C1} - OpenOffice.org Property Sheet Handler = "C:\Programmer\OpenOffice.org 2.0\program\shlxthdl.dll" (Sun Microsystems, Inc.)
\\{3B092F0C-7696-40E3-A80F-68D74DA84210} - OpenOffice.org Thumbnail Viewer = "C:\Programmer\OpenOffice.org 2.0\program\shlxthdl.dll" (Sun Microsystems, Inc.)
\\{B41DB860-8EE4-11D2-9906-E49FADC173CA} - WinRAR shell extension = C:\Programmer\WinRAR\rarext.dll ()
\\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} - UnlockerShellExtension = C:\Programmer\Unlocker\UnlockerCOM.dll ()

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

>>> Context Menu Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
\7-ZIP - {23170F69-40C1-278A-1000-000100020000} = C:\Programmer\7-Zip\7-zip.dll ()
\Erasext - {8BE13461-936F-11D1-A87D-444553540000} = C:\PROGRA~1\Eraser\erasext.dll (-)
\IEPKSecureDelete - {62998FFD-B0A8-4019-8B86-CF0785539EC5} = C:\Programmer\UnH Solutions\IE Privacy Keeper\SecureDelete.dll (UnH Solutions)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmer\WinRAR\rarext.dll ()
\Yahoo! Mail - {5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll (Yahoo! Inc.)
\{B95057E0-44DB-11CE-A5D1-00608C83BD3F} - = shellwp.dll (Corel Corporation Limited)
\{F4BF1657-195F-4A0F-ACA2-9AE99D65BC0E} - = C:\Programmer\BullGuard Software\BullGuard\BGShellExt.dll (BullGuard Ltd.)

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]
\UnlockerShellExtension - {DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} = C:\Programmer\Unlocker\UnlockerCOM.dll ()

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]
\7-ZIP - {23170F69-40C1-278A-1000-000100020000} = C:\Programmer\7-Zip\7-zip.dll ()
\jetAudio - {8D1636FD-CA49-4B4E-90E4-0A20E03A15E8} = C:\Programmer\JetAudio\JetFlExt.dll (JetAudio, Inc.)
\LockFolder - {4852341A-43E6-4994-B29B-E82904992884} = C:\Programmer\FolderAccess\LckFldMenu.dll (Topdownloads Network)
\QuickFinderMenu - {C0E10002-0028-0002-C0E1-C0E1C0E1C0E1} = C:\PROGRA~1\Corel\WORDPE~1\programs\pfse90.dll (Novell, Inc., c/o Corel Corporation Limited)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmer\WinRAR\rarext.dll ()

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]
\00nView - {1E9B04FB-F9E5-4718-997B-B8DA88302A48} = C:\WINDOWS\system32\nvshell.dll ()
\NvCplDesktopContext - {A70C977A-BF00-412C-90B7-034C51DA2439} = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation)

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
\bgshellext - {F4BF1657-195F-4A0F-ACA2-9AE99D65BC0E} = C:\Programmer\BullGuard Software\BullGuard\BGShellExt.dll (BullGuard Ltd.)
\Erasext - {8BE13461-936F-11D1-A87D-444553540000} = C:\PROGRA~1\Eraser\erasext.dll (-)
\IEPKSecureDelete - {62998FFD-B0A8-4019-8B86-CF0785539EC5} = C:\Programmer\UnH Solutions\IE Privacy Keeper\SecureDelete.dll (UnH Solutions)
\jetAudio - {8D1636FD-CA49-4B4E-90E4-0A20E03A15E8} = C:\Programmer\JetAudio\JetFlExt.dll (JetAudio, Inc.)
\UnlockerShellExtension - {DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} = C:\Programmer\Unlocker\UnlockerCOM.dll ()
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmer\WinRAR\rarext.dll ()

>>> Column Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
\{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} - OpenOffice.org Column Handler = "C:\Programmer\OpenOffice.org 2.0\program\shlxthdl.dll" (Sun Microsystems, Inc.)
\{F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Column Info = C:\Programmer\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc.)

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ClocX - C:\Programmer\ClocX\ClocX.exe (BonSoft)
NvCplDaemon - RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll ()
NvMediaCenter - RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll ()
nwiz - C:\WINDOWS\SYSTEM32\nwiz.exe ()
MBM 5 - C:\Programmer\Motherboard Monitor 5\MBM5.EXE (Alex van Kaam)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
RSD_HDDThermo - C:\Programmer\HDD Thermometer\HDD Thermometer.exe ()
SUPERAntiSpyware - C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
Slawdog Smart Shutdown - C:\Programmer\Slawdog\Smart Shutdown\Smart Shutdown.exe (Slawdog E-Solutions, Inc.)
BullGuard - C:\Programmer\BullGuard Software\BullGuard\bullguard.exe (BullGuard Software)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\CorelCENTRAL 9.LNK - C:\Programmer\Corel\WordPerfect Office 2000\programs\ccwin9.exe (Corel Corporation Limited)
C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\desktop.ini ()

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]
C:\Documents and Settings\Ove Nørgaard\Menuen Start\Programmer\Start\desktop.ini ()
C:\Documents and Settings\Ove Nørgaard\Menuen Start\Programmer\Start\OpenOffice.org 2.0.lnk - C:\Programmer\OpenOffice.org 2.0\program\quickstart.exe ()

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
   system.ini   0
   win.ini   0
   bootini   0
   services   0
   startup   0


[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
\\SV1 -

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
\Your Image File Name Here without a path - Debugger = ntsd -d

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
\\PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation)
\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)
\\{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - SABShellExecuteHook Class = C:\Programmer\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit = C:\WINDOWS\system32\userinit.exe,
\\Shell = Explorer.exe
\\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
\crypt32chain - crypt32.dll = (Microsoft Corporation)
\cryptnet - cryptnet.dll = (Microsoft Corporation)
\cscdll - cscdll.dll = (Microsoft Corporation)
\SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.DLL = (SUPERAntiSpyware.com)
\ScCertProp - wlnotify.dll = (Microsoft Corporation)
\Schedule - wlnotify.dll = (Microsoft Corporation)
\sclgntfy - sclgntfy.dll = (Microsoft Corporation)
\SensLogn - WlNotify.dll = (Microsoft Corporation)
\termsrv - wlnotify.dll = (Microsoft Corporation)
\WgaLogon - WgaLogon.dll = (Microsoft Corporation)
\wlballoon - wlnotify.dll = (Microsoft Corporation)

>>> DNS Name Servers <<<
{6B569330-DF6F-41FF-B6B5-393D5CC867A1} - ()
{8E40B0E6-7AE9-486F-8DF9-2F4785582035} - (Realtek RTL8139 Family PCI Fast Ethernet NIC)
{9107FDDD-1FE5-4376-9E43-C3E04B73FC7E} - (Skyr@cer Pro PCI 154)

>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
\000000000001\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
\000000000002\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)
\000000000003\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
\000000000001\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000002\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000003\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000004\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000005\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000006\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000007\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000008\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000009\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000010\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000011\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000012\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000013\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000014\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000015\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000016\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
\ipp - ()
\msdaipp - ()

>>> Protocol Filters (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

>>> Selected AddOn's <<<


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Comment
From : stl_s


Date : 02-10-06 01:01

There was nothing to find, apart from a few leftovers of ZoneAlarm. You can delete those, and it has to be done in Safe Mode.


Go to Start/Run and type: services.msc. Then find this service, "TrueVector Internet Monitor". Double-click it. Under "Service status" click "STOP", under "Startup type" choose "DISABLED".


Delete this folder and these files in Safe Mode:

C:\WINDOWS\system32\ZoneLabs

C:\WINDOWS\system32\vsconfig.xml

C:\WINDOWS\system32\zllictbl.dat

---------------------------------------------------------------

Let's also do a check for possible rootkits:


Download the Gmer rootkit scanner and unpack it to the desktop:
http://www.gmer.net/gmer111beta.zip

Run the program; in the "Rootkit" tab click "Scan". When the scan is finished, click "Copy". A window then pops up telling you that the result of the rootkit scan has been placed on the clipboard. You can then go into this thread and paste the contents here by placing the cursor in the input field and pressing ctrl-v.

--------------------------------

Get Blacklight here https://europe.f-secure.com/blacklight/try.shtml Scroll down the page and click "I accept". On the next page you can download Blacklight to the desktop (take the top one). Double-click the file and click scan. When it is finished it creates a log on the desktop. Paste the log in here. Don't let Blacklight remove anything yet.

Comment
From : o.v.n.


Date : 02-10-06 01:32

Hi stl_s, and many thanks for taking the time to help. gmer is scanning right now, the log will follow shortly. It really is strange what is going on. At Spywarefri they wrote that you should uninstall Bullguard and remove the leftovers with a reg cleaner; I got off much easier than that: when I uninstalled I was asked whether I wanted to save the settings for a reinstall, and I said yes. Was that wrong? Bullguard seems to work as it should; it registers when there are attacks on the computer, roughly every other hour the same IP address attacks. Is that a

Comment
From : o.v.n.


Date : 02-10-06 01:40

The scan is taking its time; in the meantime I can tell you that ZoneAlarm is in fact installed on the computer, as a backup. I had it on while Bullguard wasn't working, and I chatted with Bianca (English support person) in my best school English

Comment
From : stl_s


Date : 02-10-06 01:55

There may be an explanation for why you got off easier, and that is that you probably haven't been hit by that nasty thing at all. It is not at all unthinkable that Bullguard and Zonealarm "collided" during startup and caused all the trouble. Zonealarm's service also runs even when the firewall is shut down, so it is entirely possible they conflicted at boot. It is not a good idea at all to have two firewalls on the machine. In some cases it can actually go quite wrong. I think you should uninstall Zonealarm, and if you should then need to shut down Bullguard briefly, you can use the XP SP2 firewall. That will work fine.

All firewalls will pick up things from the net, and it's not always hackers at play, so there is no telling what that IP is.

Comment
From : o.v.n.


Date : 02-10-06 02:11

Now the two of them have been on the computer since November 05, when I bought Bullguard, without problems, and it wasn't in connection with startup that Bullguard disappeared. I remember for certain that a warning came up that someone was scanning my ports; it was later in the morning that I noticed the icon was missing by the clock. And what do you make of the message that the program the shortcut points to cannot be found, when I wanted to open Bullguard from Start - All Programs?
ZoneAlarm doesn't start with Windows, but I will follow your advice and use the Windows firewall when and if there are problems with Bullguard.
It is a terribly long time gmer takes to scan, though, and I have to go and pick up a new puppy in the morning, but I'll finish them now and send the log, and then nothing more will happen today/tonight

Comment
From : stl_s


Date : 02-10-06 02:38

Hmm, when there was nothing at the end of the shortcut, then Bullguard has indeed been deleted. That infection really is strange.

I'm going to bed now and will look at the new logs tomorrow, maybe not until the afternoon.

Comment
From : o.v.n.


Date : 02-10-06 03:00

Log from gmer:
Quote
GMER 1.0.11.11390 - http://www.gmer.net
Rootkit 2006-10-02 02:34:10
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.11 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwMapViewOfSection
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwShutdownSystem
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwTerminateProcess

---- Devices - GMER 1.0.11 ----

Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_FILE_SYSTEM_CONTROL [B95CA98C] BsUDF.SYS
Device \FileSystem\Udfs \UdfsDisk IRP_MJ_FILE_SYSTEM_CONTROL [B95CA98C] BsUDF.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F40C92A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F40C92A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F40C92A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F40C92A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F40C92A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F40C92A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F40C92A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F40C92A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F40C92A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F40C92A0] vsdatant.sys
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL [B95C9E9C] BsUDF.SYS
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL [B95C9E9C] BsUDF.SYS
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_INTERNAL_DEVICE_CONTROL [B95C9E9C] BsUDF.SYS
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_INTERNAL_DEVICE_CONTROL [B95C9E9C] BsUDF.SYS
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_INTERNAL_DEVICE_CONTROL [B95C9E9C] BsUDF.SYS
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_INTERNAL_DEVICE_CONTROL [B95C9E9C] BsUDF.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F40C92A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F40C92A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F40C92A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F40C92A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F40C92A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F40C92A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F40C92A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F40C92A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F40C92A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F40C92A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F40C92A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [F40C92A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F40C92A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F40C92A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [F40C92A0] vsdatant.sys
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [B95CA98C] BsUDF.SYS

---- Files - GMER 1.0.11 ----

ADS C:\Computer indhold\everest.exe:SummaryInformation
ADS C:\Computer indhold\everest.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS ...
ADS ...
ADS ...
ADS H:\E-MAIL BACKUP\SignaturesWinXP.reg:SummaryInformation
ADS H:\E-MAIL BACKUP\SignaturesWinXP.reg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS H:\Hentede filer\5598_113\597v113.exe:SummaryInformation
ADS H:\Hentede filer\5598_113\597v113.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS H:\Hentede filer\7z432.exe:SummaryInformation
ADS H:\Hentede filer\7z432.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS H:\Hentede filer\aports\setup.exe:SummaryInformation
ADS H:\Hentede filer\aports\setup.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS ...

---- EOF - GMER 1.0.11 ----

And from Blacklight:
Quote
10/02/06 02:04:51 [Info]: BlackLight Engine 1.0.47 initialized
10/02/06 02:04:51 [Info]: OS: 5.1 build 2600 (Service Pack 2)
10/02/06 02:04:53 [Note]: 7019 4
10/02/06 02:04:53 [Note]: 7005 0
10/02/06 02:36:45 [Note]: 7006 0
10/02/06 02:36:45 [Note]: 7011 2012
10/02/06 02:36:45 [Note]: 7026 0
10/02/06 02:36:46 [Note]: 7026 0
10/02/06 02:37:03 [Note]: FSRAW library version 1.7.1020
10/02/06 02:49:05 [Note]: 2000 1012
10/02/06 02:50:23 [Note]: 7007 0

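As an added example (not from the thread, and not GMER's own code), a small Python triage of GMER output like the log above: it groups the SSDT and IRP hooks per driver module so that each module is assessed once, which is what the helper does by eye before answering "no rootkits". The sample log lines are constructed in the shape of the posted log, and the allowlist (vsdatant.sys as ZoneAlarm's TrueVector driver, the leftover the thread discusses) is an assumption for this example.

```python
from collections import defaultdict

# Constructed sample in the shape of the GMER 1.0.11 log posted in the thread
# (a few SSDT and IRP hook lines, not the full log).
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.11 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey

---- Devices - GMER 1.0.11 ----

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F40C92A0] vsdatant.sys
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [B95CA98C] BsUDF.SYS

---- EOF - GMER 1.0.11 ----
"""

# Modules the analyst has already accounted for (assumption for this example):
# vsdatant.sys is ZoneAlarm's TrueVector driver, the leftover the thread discusses.
KNOWN_MODULES = {
    "vsdatant.sys": "ZoneAlarm TrueVector driver (leftover, see thread)",
}


def module_name(path):
    """Lower-cased basename of a kernel-style module path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_gmer_hooks(text):
    """Return (kind, target, module) triples for SSDT and Device hook lines."""
    hooks = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "SSDT":
            # SSDT <hooking module path> <hooked native function>
            hooks.append(("SSDT", parts[2], module_name(parts[1])))
        elif len(parts) >= 6 and parts[0] == "Device":
            # Device <driver object> <device> <IRP major> [<address>] <module>
            hooks.append(("IRP", parts[2] + " " + parts[3], module_name(parts[5])))
    return hooks


def triage(hooks, known=KNOWN_MODULES):
    """Group hooks per module and mark modules missing from the allowlist."""
    per_module = defaultdict(lambda: {"ssdt": 0, "irp": 0, "targets": []})
    for kind, target, module in hooks:
        entry = per_module[module]
        entry["ssdt" if kind == "SSDT" else "irp"] += 1
        entry["targets"].append(target)
    for module, entry in per_module.items():
        entry["status"] = known.get(module, "REVIEW: not on allowlist")
    return dict(per_module)


def modules_to_review(report):
    """Sorted module names whose hooks still need a human look."""
    return sorted(m for m, e in report.items() if e["status"].startswith("REVIEW"))


if __name__ == "__main__":
    report = triage(parse_gmer_hooks(SAMPLE_GMER_LOG))
    for module, entry in sorted(report.items()):
        print(f"{module}: {entry['ssdt']} SSDT, {entry['irp']} IRP -> {entry['status']}")
```

A module that is flagged is not thereby malicious; the point is that every hooking driver gets identified (vendor, install reason) before the "no rootkits" verdict.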

Comment
From : stl_s


Date : 02-10-06 03:37

No rootkits.

Comment
From : Manse9933


Date : 02-10-06 07:15

stl_s> It could possibly be the latest new security hole that is haunting/being exploited; it was made public the day after
the most recently released hotfixes (zero-day exploit)>
Microsoft Security Advisory (926043)
Vulnerability in Windows Shell Could Allow Remote Code Execution

http://www.microsoft.com/technet/security/advisory/926043.mspx
I myself chose the temporary solution under>

Suggested Actions>
Temporarily prevent the Microsoft WebViewFolderIcon ActiveX control from running in Internet Explorer>>>



Temporarily prevent the Microsoft WebViewFolderIcon ActiveX control from running in Internet Explorer

You can disable attempts to instantiate this ActiveX control in Internet Explorer by setting the kill bit for the control in the registry.

Warning: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

For detailed steps that you can use to prevent a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow these steps in this article to create a Compatibility Flags value in the registry to prevent a COM object from being instantiated in Internet Explorer.

To set the kill bit for a CLSID with a value of {e5df9d10-3b52-11d1-83e8-00a0c90dc849}, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{e5df9d10-3b52-11d1-83e8-00a0c90dc849}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{844F4806-E8A8-11d2-9652-00C04FC30871}]
"Compatibility Flags"=dword:00000400

You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy. For more information about Group Policy, visit the following Microsoft Web sites.

That is the least troublesome temporary fix until
Microsoft releases the next hotfixes (10/10/06)


Published: September 28, 2006
The exploit is public on the net.

Manse9933
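As an added example (not from the thread or from Microsoft), a Python check of the kill-bit workaround quoted above: it reads a registry export in .reg form, reports whether the kill bit (0x400) is present for the advisory's two CLSIDs, and builds a .reg body that ORs the bit into whatever flags are already there, since importing the advisory's literal dword:00000400 would overwrite any existing flags. The sample export is constructed; the CLSIDs are the advisory's own.

```python
import re

# Value the advisory writes into "Compatibility Flags" to block a control in IE.
KILL_BIT = 0x400
ACTIVEX_COMPAT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# The two CLSIDs from the advisory text quoted above.
ADVISORY_CLSIDS = [
    "{e5df9d10-3b52-11d1-83e8-00a0c90dc849}",
    "{844F4806-E8A8-11d2-9652-00C04FC30871}",
]

# Constructed sample of a registry export (.reg text): the first CLSID already
# has the kill bit, the second carries some other flag but not the kill bit.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{e5df9d10-3b52-11d1-83e8-00a0c90dc849}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{844F4806-E8A8-11d2-9652-00C04FC30871}]
"Compatibility Flags"=dword:00000001
"""

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})\s*$')


def parse_compat_flags(reg_text):
    """Map lower-cased CLSID -> Compatibility Flags value found in .reg text."""
    flags, current = {}, None
    prefix = (ACTIVEX_COMPAT + "\\").lower()
    for line in reg_text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            key = sec.group(1)
            # Only sections under ActiveX Compatibility name a CLSID we care about.
            current = key[len(prefix):].lower() if key.lower().startswith(prefix) else None
            continue
        val = FLAGS_RE.match(line)
        if val and current:
            flags[current] = int(val.group(1), 16)
    return flags


def kill_bit_set(flags, clsid):
    """True when the kill bit is present, whatever other flags are set."""
    return bool(flags.get(clsid.lower(), 0) & KILL_BIT)


def kill_bit_reg(flags, clsids):
    """Build .reg text that ORs the kill bit into the existing flags.

    Importing the literal dword:00000400 replaces any flags already present;
    merging keeps them and still blocks the control.
    """
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        merged = flags.get(clsid.lower(), 0) | KILL_BIT
        lines += [f"[{ACTIVEX_COMPAT}\\{clsid}]", f'"Compatibility Flags"=dword:{merged:08x}', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    current = parse_compat_flags(SAMPLE_EXPORT)
    for clsid in ADVISORY_CLSIDS:
        print(clsid, "kill bit set" if kill_bit_set(current, clsid) else "kill bit MISSING")
    print(kill_bit_reg(current, ADVISORY_CLSIDS))
```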
Comment
From : stl_s


Date : 02-10-06 10:35

It looks like Spywarefri thinks it was SAS that was the problem http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=30453

Did you have it on the machine when it happened?

Comment
From : Manse9933


Date : 02-10-06 10:42

I have no problems; it was just a comment on the spreading problem you have mentioned in your tip and here in the thread, regarding the threat on the net / the shutting down of various security programs.
Perhaps it isn't my post you are commenting on?
Manse9933

Comment
From : stl_s


Date : 02-10-06 10:55

Hi Manse.

A bit embarrassing, I didn't see it was you who had written.

But otherwise it was just info.

Comment
From : o.v.n.


Date : 02-10-06 11:00

Yes, I have SuperAntiSpyware Pro and have had it since 23 March 06. It updates itself, but I ran no scans or manual updates around the time Bullguard disappeared. It's annoying if that is what is causing the problems; I have had problems with it before, but I understand they have now got hold of a Danish Windows XP. It sounds nice that the problem is solved; honestly I'm a bit nervous about going to the online bank and paying with my Dankort when there are possible infections on the computer

Accepted answer
From : stl_s

Received 200 points
Date : 02-10-06 13:01

Yes, it's a strange thing, but the good thing is that there is not the slightest sign of infections on the machine, so you can rest easy

Approval of answer
From : o.v.n.


Date : 03-10-06 02:30

Thanks for the answer stl_s. Good that the problem was solved, and again many thanks for spending so much time on me

Comment
From : stl_s


Date : 03-10-06 02:35

You're welcome o.v.n., and thanks for the points
