Trojan horse Generic 13 BNPB


  • This topic is locked
65 replies to this topic

#1 virus-problem

    Member

  • Full Member
  • 55 posts

Posted 28 June 2009 - 05:11 AM

Hi.

Anyone who would know how to remove the Trojan horse Generic 13 BNPB from a computer?
I had a number of infections some time back but I managed to get most of them removed with the help from this forum.
Only one was never removed but since it was not really very active I just left it.
However, now it seems to have become active or been re-activated so my AVG antivirus has reported infections the past couple of days when running scans.
For some reason though the AVG antivirus does not seem to remove the root cause, only the effect.
Does anyone know how to eliminate this malware entirely?

thanks a lot.

Hi,

Help us help you.

Please read this article and follow the protocol.
http://spywareinfofo...showtopic=23382
Then submit a fresh HijackThis log. One of our helpers will take care of you. It's the only way we can give you sound advice.

Edited by nasdaq, 28 June 2009 - 08:09 AM.
HijackThis log requested.


#2 SWI Support Robot

    Helper robot

  • SWI Bot
  • 23,520 posts

Posted 30 June 2009 - 05:35 PM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 01 July 2009 - 08:06 AM

Hi,

Please submit a HijackThis log as requested in the note I left on our first post.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating;
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#4 virus-problem

    Member

  • Full Member
  • 55 posts

Posted 03 July 2009 - 01:43 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40:28 AM, on 7/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\ATKGFNEX\GFNEXSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmer\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programmer\ATKOSD2\ATKOSD2.exe
C:\Programmer\ASUS\ATK Media\DMEDIA.EXE
C:\Programmer\Wireless Console 2\wcourier.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Programmer\ASUS\Splendid\ACMON.exe
C:\Programmer\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Programmer\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\Programmer\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Spybot\TeaTimer.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Programmer\Hotspot Shield\bin\openvpnas.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Programmer\Hotspot Shield\HssWPR\hsssrv.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\ifxspmgt.exe
C:\WINDOWS\system32\ifxtcs.exe
C:\Programmer\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IfxPsdSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Programmer\AVG\AVG8\avgcsrvx.exe
C:\Programmer\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Programmer\Infineon\Security Platform Software\PSDrt.exe
C:\Programmer\Infineon\Security Platform Software\SpTna.exe
C:\Programmer\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Programmer\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programmer\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmer\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Hjælp til tilmelding til Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmer\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmer\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Programmer\Hotspot Shield\hssie\HssIE.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPEnh] "C:\Programmer\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [RTHDCPL] "RTHDCPL.EXE"
O4 - HKLM\..\Run: [SkyTel] "SkyTel.EXE"
O4 - HKLM\..\Run: [SMSERIAL] "C:\Programmer\Motorola\SMSERIAL\sm56hlpr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ATKOSD2] "C:\Programmer\ATKOSD2\ATKOSD2.exe"
O4 - HKLM\..\Run: [IFXSPMGT] "C:\WINDOWS\system32\ifxspmgt.exe" /NotifyLogon
O4 - HKLM\..\Run: [ATKMEDIA] "C:\Programmer\ASUS\ATK Media\DMEDIA.EXE"
O4 - HKLM\..\Run: [Wireless Console 2] "C:\Programmer\Wireless Console 2\wcourier.exe"
O4 - HKLM\..\Run: [Power_Gear] "C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe" 1
O4 - HKLM\..\Run: [ACMON] "C:\Programmer\ASUS\Splendid\ACMON.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Programmer\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programmer\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] "%systemroot%\system32\dumprep" 0 -u
O4 - HKLM\..\Run: [AVG8_TRAY] "C:\PROGRA~1\AVG\AVG8\avgtray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\M\Lokale indstillinger\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Spybot\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FLLESF~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Programmer\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmer\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programmer\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programmer\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase6662.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1194865892203
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - http://radaol-prod-w...agi3.0.84.2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.dans...B/e-Safekey.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C3017C7-FFDF-4D15-8DB9-677319608D6E}: NameServer = 213.234.192.7 195.14.50.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programmer\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FLLESF~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Programmer\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Programmer\ATKGFNEX\GFNEXSrv.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Programmer\Hotspot Shield\bin\openvpnas.exe
O23 - Service: Hotspot Shield Helper Service (HssSrv) - AnchorFree Inc. - C:\Programmer\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\ifxspmgt.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\ifxtcs.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmer\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\WINDOWS\system32\IfxPsdSv.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Programmer\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 13542 bytes

EDIT: Since nasdaq has already responded to your topic, I deleted your post in "Not getting help"...

Edited by Budfred, 03 July 2009 - 02:32 AM.
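As an added illustration of how a helper reads a log like the one above (example code written for this page; it is not a SpywareInfo, HijackThis or helper tool, and the review rules are this example's own assumptions), the following Python script parses HijackThis-format O2, O4, O17 and O23 lines and lists the entries a helper would look at first: BHOs whose DLL is missing, autoruns launched from a user profile directory, the name servers set on an interface, and services with no publisher string. The sample lines are a hand-picked subset copied from the log posted above.

```python
"""Triage helper for HijackThis-format log lines.

Added example for this thread; not a SpywareInfo, HijackThis or helper tool.
The section tags (O2, O4, O17, O23) and line layout are HijackThis's own; the
review rules below are this example's assumptions about what to look at first.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: a hand-picked subset of lines copied from the
# HijackThis log posted above, with a benign line next to each flagged one.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] "C:\Programmer\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [UserFaultCheck] "%systemroot%\system32\dumprep" 0 -u
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\M\Lokale indstillinger\Application Data\Google\Update\GoogleUpdate.exe" /c
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C3017C7-FFDF-4D15-8DB9-677319608D6E}: NameServer = 213.234.192.7 195.14.50.1
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Programmer\ATKGFNEX\GFNEXSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# One pattern per HijackThis section this example understands.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>.*?)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
DNS_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass
class Finding:
    kind: str     # HijackThis section tag the note applies to
    subject: str  # the entry (CLSID, Run value name, servers, service name)
    note: str     # why a helper would look at it; a review flag, not a verdict


def extract_path(cmd: str) -> str:
    """Return the program path from a Run value: the quoted part if quoted,
    otherwise the first whitespace-separated token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text: str) -> list[Finding]:
    """Scan HijackThis lines and collect the entries worth a second look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := BHO_RE.match(line):
            # A BHO whose DLL is gone is an orphaned registration left behind
            # by an uninstall or an earlier cleanup; it does nothing but is noise.
            if m["path"].strip().lower() == "(no file)":
                findings.append(Finding("O2", "{" + m["clsid"] + "}",
                                        "BHO registered but its DLL is missing (orphaned entry)"))
        elif m := RUN_RE.match(line):
            # Autoruns living under a user profile deserve a publisher check;
            # legitimate per-user updaters live there too, so this is a flag only.
            path = extract_path(m["cmd"])
            if "documents and settings" in path.lower():
                findings.append(Finding("O4", m["key"],
                                        f"autorun started from a user profile directory: {path}"))
        elif m := DNS_RE.match(line):
            # Static name servers are where DNS hijacks show up; confirm ownership.
            findings.append(Finding("O17", m["servers"].strip(),
                                    "name servers set on an interface; confirm they belong to the ISP or router"))
        elif m := SVC_RE.match(line):
            # Services with no company string cannot be vouched for from the log alone.
            if m["owner"].strip().lower() == "unknown owner":
                findings.append(Finding("O23", m["name"],
                                        f"service with no publisher information: {m['path']}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.subject}\n     {f.note}")
```

Run stand-alone, the script lists four entries from the sample: the orphaned BHO with no file, the Google Update autorun under the user profile, the two name servers, and the ATKGFNEX service with an unknown owner. Every one of them is a prompt to verify, not a verdict; the Google Update and ASUS ATK entries are well-known legitimate software on this machine, which is exactly why a helper still checks paths and publishers by hand before declaring anything suspicious.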


#5 nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 03 July 2009 - 07:10 AM

Print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.

Nothing suspicious was found on your log.

Please run this program and submit the log.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.
Look at this tutorial if assistance is needed.
http://www.bleepingc...opic131299.html
nasdaq


#6 virus-problem

    Member

  • Full Member
  • 55 posts

Posted 03 July 2009 - 10:07 AM

Thank you.


SDFix: Version 1.240
Run by M on Fri 07/03/2009 at 06:47 PM

Microsoft Windows XP [version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-03 18:56:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Programmer\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"="C:\\Programmer\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe:*:Enabled:Adobe Version Cue CS2"
"C:\\Programmer\\DNA\\btdna.exe"="C:\\Programmer\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Programmer\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Programmer\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Programmer\\Yahoo!\\Messenger\\YServer.exe"="C:\\Programmer\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\Programmer\\SopCast\\adv\\SopAdver.exe"="C:\\Programmer\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\\Programmer\\SopCast\\SopCast.exe"="C:\\Programmer\\SopCast\\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\\Programmer\\Mozilla Firefox\\firefox.exe"="C:\\Programmer\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Documents and Settings\\M\\Lokale indstillinger\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"="C:\\Documents and Settings\\M\\Lokale indstillinger\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll:*:Enabled:Google Talk Plugin"
"C:\\Documents and Settings\\M\\Lokale indstillinger\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"="C:\\Documents and Settings\\M\\Lokale indstillinger\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe:*:Enabled:Google Talk Plugin"
"C:\\Programmer\\TVAnts\\Tvants.exe"="C:\\Programmer\\TVAnts\\Tvants.exe:*:Enabled:TVAnts"
"C:\\Programmer\\ICQ6.5\\ICQ.exe"="C:\\Programmer\\ICQ6.5\\ICQ.exe:*:Enabled:ICQ6"
"C:\\Programmer\\TVUPlayer\\TVUPlayer.exe"="C:\\Programmer\\TVUPlayer\\TVUPlayer.exe:*:Enabled:TVUPlayer Component"
"C:\\Programmer\\Infineon\\Security Platform Software\\SpTNA.exe"="C:\\Programmer\\Infineon\\Security Platform Software\\SpTNA.exe:*:Enabled:SpTna"
"C:\\Programmer\\AVG\\AVG8\\avgemc.exe"="C:\\Programmer\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Programmer\\AVG\\AVG8\\avgupd.exe"="C:\\Programmer\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Programmer\\AVG\\AVG8\\avgnsx.exe"="C:\\Programmer\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\\Programmer\\Java\\jre6\\bin\\java.exe"="C:\\Programmer\\Java\\jre6\\bin\\java.exe:*:Enabled:Java™ Platform SE binary"
"C:\\Programmer\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Programmer\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\\Programmer\\Windows Live\\Sync\\WindowsLiveSync.exe"="C:\\Programmer\\Windows Live\\Sync\\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"
"C:\\Programmer\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Programmer\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Kør en DLL som et program"
"C:\\Programmer\\Skype\\Phone\\Skype.exe"="C:\\Programmer\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Programmer\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Programmer\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\\Programmer\\Windows Live\\Sync\\WindowsLiveSync.exe"="C:\\Programmer\\Windows Live\\Sync\\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"
"C:\\Programmer\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Programmer\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

Remaining Files :



Files with Hidden Attributes :

Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Spybot\SDUpdate.exe"
Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Spybot\SpybotSD.exe"
Thu 5 Mar 2009 2,260,480 A.SHR --- "C:\Spybot\TeaTimer.exe"
Mon 14 Apr 2008 1,695,232 ..SH. --- "C:\Programmer\Messenger\msmsgs.exe"
Mon 14 Apr 2008 60,416 A.SH. --- "C:\Programmer\Outlook Express\msimn.exe"
Sat 8 Mar 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 3 Feb 2009 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 30 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\523d056929e13eacf8392044f602e53e\BIT2.tmp"

Finished!

#7 nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 03 July 2009 - 12:14 PM

Nothing suspicious found or removed.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image not reproduced]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image not reproduced]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
nasdaq


#8 virus-problem

    Member

  • Full Member
  • 55 posts

Posted 03 July 2009 - 12:43 PM

ComboFix 09-07-02.02 - M 07/03/2009 21:34.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.45.1030.18.2047.1321 [GMT 4:00]
Kører fra: c:\documents and settings\M\Skrivebord\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

advarsel -DENNE MASKINE HAR IKKE GENOPRETTELSESKONSOL INSTALLERET !!
.

((((((((((((((((((((((((((((((((((((((( Andet, der er slettet )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\mlfcache.dat

.
((((((((((((((((((((((((((((( Filer skabt fra 2009-06-03 til 2009-07-03 )))))))))))))))))))))))))))))))))))
.

2009-07-03 14:35 . 2009-07-03 15:04 -------- d-----w- C:\SDFix
2009-07-01 11:22 . 2009-07-01 11:22 -------- d-----w- c:\documents and settings\M\Lokale indstillinger\Application Data\Temp
2009-06-28 09:56 . 2009-06-09 08:48 325896 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-06-28 09:56 . 2009-06-09 08:48 69912 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcrlpx.dll
2009-06-28 09:56 . 2009-06-09 08:48 692504 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcsrvx.exe
2009-06-28 09:56 . 2009-06-09 08:48 417560 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcclix.dll
2009-06-28 09:56 . 2009-06-09 08:48 382744 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgclitx.dll
2009-06-28 09:56 . 2009-06-09 08:48 2052376 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-06-26 13:48 . 2009-06-23 07:06 245408 ----a-w- c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\pgxeroiz.default\extensions\LogMeInClient@logmein.com\plugins\unicows.dll
2009-06-26 13:48 . 2009-04-05 10:26 8784 ----a-w- c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\pgxeroiz.default\extensions\LogMeInClient@logmein.com\plugins\ractrlkeyhook.dll
2009-06-26 13:48 . 2009-04-05 10:26 71248 ----a-w- c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\pgxeroiz.default\extensions\LogMeInClient@logmein.com\plugins\LMIProxyHelper.exe
2009-06-26 13:48 . 2009-02-19 07:38 2633728 ----a-w- c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\pgxeroiz.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
2009-06-23 18:42 . 2009-06-23 18:42 -------- d-----w- c:\programmer\JRE
2009-06-23 11:33 . 2009-05-05 09:43 2301952 ----a-w- c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\pgxeroiz.default\extensions\protecapi@protecmedia.com\plugins\NPProtecAPI.dll
2009-06-22 11:23 . 2009-06-22 11:23 239088 ----a-w- c:\documents and settings\M\Application Data\Mozilla\plugins\npgoogletalk.dll
2009-06-16 08:04 . 2009-06-16 08:04 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-10 06:58 . 2009-06-10 06:58 152576 ----a-w- c:\documents and settings\M\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-03 14:18 . 2008-01-28 22:29 73672 ----a-w- c:\documents and settings\M\Lokale indstillinger\Application Data\GDIPFONTCACHEV1.DAT
2009-07-02 08:52 . 2009-01-14 11:31 1 ----a-w- c:\documents and settings\M\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-07-01 16:41 . 2008-01-29 22:23 -------- d-----w- c:\documents and settings\M\Application Data\Skype
2009-07-01 12:06 . 2008-02-05 12:47 -------- d-----w- c:\documents and settings\M\Application Data\skypePM
2009-06-09 08:48 . 2009-03-05 12:22 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-30 22:57 . 2009-05-30 22:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-05-30 22:48 . 2008-01-29 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-05-30 22:48 . 2008-01-29 22:03 -------- d-----w- c:\programmer\Yahoo!
2009-05-30 22:48 . 2009-05-30 22:48 -------- d-----w- c:\documents and settings\M\Application Data\Yahoo!
2009-05-26 15:50 . 2009-05-30 22:47 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-05-26 09:20 . 2009-03-15 15:05 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 09:19 . 2009-03-15 15:05 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-23 19:44 . 2009-05-23 19:43 6389576 ----a-w- c:\documents and settings\All Users\Application Data\Birdstep Technology\EasyConnect\Update\3Connect_update_2_of2.exe
2009-05-23 19:41 . 2009-05-23 19:41 129304 ----a-w- c:\documents and settings\All Users\Application Data\Birdstep Technology\EasyConnect\Update\3Connect_update_1_of_2.exe
2009-05-23 19:40 . 2009-05-23 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Birdstep Technology
2009-05-23 19:40 . 2009-05-23 19:40 -------- d-----w- c:\documents and settings\M\Application Data\Birdstep Technology
2009-05-23 19:39 . 2009-05-23 19:39 69387 ----a-w- c:\windows\Huawei ModemsUninstall.exe
2009-05-23 19:39 . 2009-05-23 19:39 -------- d-----w- c:\programmer\Huawei Modems
2009-05-23 19:39 . 2009-05-23 19:39 -------- d-----w- c:\programmer\3
2009-05-23 19:39 . 2007-11-12 10:06 -------- d--h--w- c:\programmer\InstallShield Installation Information
2009-05-21 07:33 . 2008-11-23 10:17 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-16 10:02 . 2008-04-11 05:53 -------- d-----w- c:\programmer\Safari
2009-05-07 15:33 . 2007-11-12 15:44 346624 ----a-w- c:\windows\system32\localspl.dll
2009-05-04 11:07 . 2009-05-19 13:01 2298680 ----a-w- c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\pgxeroiz.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
2009-04-19 19:50 . 2007-11-12 15:45 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:53 . 2007-11-12 15:45 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-06 19:24 . 2009-04-06 19:24 152576 ----a-w- c:\documents and settings\M\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
.

((((((((((((((((((((((((((((((((((( Start steder i reg.basen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Bemærk* tomme linier & lovlige standard linier vises ikke
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-02-06 19:08 204248 ----a-w- c:\programmer\Hotspot Shield\HssIE\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\M\Lokale indstillinger\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"SpybotSD TeaTimer"="c:\spybot\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SynTPEnh"="c:\programmer\Synaptics\SynTP\SynTPEnh.exe" [2006-10-13 815104]
"SMSERIAL"="c:\programmer\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-23 630784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-20 8462336]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-20 81920]
"ATKOSD2"="c:\programmer\ATKOSD2\ATKOSD2.exe" [2007-07-03 7708672]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-02-26 677408]
"ATKMEDIA"="c:\programmer\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 61440]
"Wireless Console 2"="c:\programmer\Wireless Console 2\wcourier.exe" [2007-07-05 1040384]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-07-26 90112]
"ACMON"="c:\programmer\ASUS\Splendid\ACMON.exe" [2007-06-26 851968]
"Adobe Version Cue CS2"="c:\programmer\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 856064]
"Acrobat Assistant 7.0"="c:\programmer\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-22 483328]
"QuickTime Task"="c:\programmer\QuickTime\qttask.exe" [2009-01-05 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-28 1948440]
"SunJavaUpdateSched"="c:\programmer\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-07-05 16380416]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2007-06-15 1826816]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-06-20 1626112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\FLLESF~1\MICROS~1\DW\dwtrig20.exe" [2007-08-23 437160]

c:\documents and settings\All Users\Menuen Start\Programmer\Start\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-1-29 25214]
Adobe Gamma.lnk - c:\programmer\F‘lles filer\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Adobe Reader Speed Launch.lnk - c:\programmer\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\programmer\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-28 09:55 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmer\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\Programmer\\DNA\\btdna.exe"=
"c:\\Programmer\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Programmer\\SopCast\\adv\\SopAdver.exe"=
"c:\\Programmer\\SopCast\\SopCast.exe"=
"c:\\Programmer\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\M\\Lokale indstillinger\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\M\\Lokale indstillinger\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Programmer\\TVAnts\\Tvants.exe"=
"c:\\Programmer\\ICQ6.5\\ICQ.exe"=
"c:\\Programmer\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Programmer\\Infineon\\Security Platform Software\\SpTNA.exe"=
"c:\\Programmer\\AVG\\AVG8\\avgemc.exe"=
"c:\\Programmer\\AVG\\AVG8\\avgupd.exe"=
"c:\\Programmer\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Programmer\\Java\\jre6\\bin\\java.exe"=
"c:\\Programmer\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmer\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Programmer\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmer\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/5/2009 4:22 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/5/2009 4:22 PM 108552]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [1/24/2007 7:07 AM 39080]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [3/5/2009 4:22 PM 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/5/2009 4:22 PM 298776]
R2 HssSrv;Hotspot Shield Helper Service;c:\programmer\Hotspot Shield\HssWPR\hsssrv.exe [2/6/2009 1:56 AM 117208]
R2 mdvrmng;Mobile IP Route Manager;c:\windows\system32\drivers\mdvrmng.sys [5/23/2009 11:40 PM 10240]
R2 WinDefend;Windows Defender;c:\programmer\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [11/12/2007 12:05 PM 38656]
R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [1/31/2009 1:29 AM 31704]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [11/12/2007 12:05 PM 36608]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Indhold af mappen 'Planlagte Opgaver'

2009-06-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmer\Apple Software Update\SoftwareUpdate.exe [2008-07-30 08:34]

2009-07-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1174632320-4108373775-285163711-1005Core.job
- c:\documents and settings\M\Lokale indstillinger\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 11:44]

2009-07-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1174632320-4108373775-285163711-1005UA.job
- c:\documents and settings\M\Lokale indstillinger\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 11:44]

2009-07-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\programmer\Windows Defender\MpCmdRun.exe [2006-11-03 16:20]

2009-07-03 c:\windows\Tasks\User_Feed_Synchronization-{8CBF463E-AC57-4676-9D6F-6B8D9895C2B6}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 23:01]
.
.
------- Yderligere scanning -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Convert link target to Adobe PDF - c:\programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&ksporter til Microsoft Excel
TCP: {7C3017C7-FFDF-4D15-8DB9-677319608D6E} = 213.234.192.7 195.14.50.1
DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} - hxxps://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
FF - ProfilePath - c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\pgxeroiz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\programmer\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\pgxeroiz.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\pgxeroiz.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\pgxeroiz.default\extensions\protecapi@protecmedia.com\plugins\NPProtecAPI.dll
FF - plugin: c:\documents and settings\M\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\M\Lokale indstillinger\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: c:\programmer\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\programmer\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmer\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmer\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmer\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmer\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmer\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmer\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLITIKKER ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-03 21:37
Windows 5.1.2600 Service Pack 3 NTFS

scanner skjulte processer ...

scanner skjulte autostarter ...

scanner skjulte filer ...

scanning gennemført med succes
skjulte filer: 0

**************************************************************************
.
--------------------- LÅSTE REGISTRERINGS NØGLER ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,96,26,9f,d3,16,e3,03,43,bc,ac,a1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,96,26,9f,d3,16,e3,03,43,bc,ac,a1,\
.
Gennemført tid: 2009-07-03 21:38
ComboFix-quarantined-files.txt 2009-07-03 17:38
ComboFix2.txt 2009-03-18 11:09

Pre-Kørsel: 105,978,167,296 byte ledig
Post-Kørsel: 106,039,914,496 byte ledig

221 --- E O F --- 2009-07-03 06:34


Thank you!

#9 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,081 posts

Posted 04 July 2009 - 07:43 AM

Trojan horse Generic 13 BNPB from a computer


Are you still being prompted about this possible trojan?
I do not see anything suspicious in your log.

Please post the exact error message when you see it.
nasdaq

#10 virus-problem

virus-problem

    Member

  • Full Member
  • Pip
  • 55 posts

Posted 05 July 2009 - 05:24 AM

Hello.

it drops this folder in the shared documents folder:
C:\Documents and Settings\All Users\Dokumenter\-= The Porn Collection =-

And besides that when the virus breaks out from time to time this is what AVG finds:

"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP67\A0011018.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP67\A0011019.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP67\A0011020.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP67\A0011021.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP67\A0011022.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\01949.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"

The last time it happened was on the 2nd of July.
Thank you.

#11 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,081 posts

Posted 05 July 2009 - 09:08 AM

"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP67\A0011018.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP67\A0011019.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP67\A0011020.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP67\A0011021.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP67\A0011022.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"


AVG is removing files from your System Restore point.
These files are quarantined and not doing any damage.

Time for some housekeeping
The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

===

All the files in your C:\WINDOWS\system32\spool\PRINTERS\ folder are temporary files created by your printer.
"C:\WINDOWS\system32\spool\PRINTERS\01949.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
Why they are not deleted after the printing is over is unknown to me.

I found this article but it pertains to Windows 2000. Hope it helps.
http://support.microsoft.com/kb/216221
===

Check this Google search.
http://www.google.ca...s...ndow=1&sa=2

You may be able to find why the files are not being deleted.
Check with the manufacturer of your printer model.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating;
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#12 virus-problem

    Member

  • Full Member
  • 55 posts

Posted 06 July 2009 - 05:24 AM

Thank you.

If I look in the folder:

C:\WINDOWS\system32\spool\PRINTERS

I do not find the files that the AVG is finding:
"C:\WINDOWS\system32\spool\PRINTERS\03249.SPL";"Trojan horse Generic13.BNPB";"Infected"

This is what I find:
03154.shd
03155

which are supposedly shockwave files.

But not one single .spl file is in the folder.

And the curious thing about the whole issue is that I do not have a printer. I do not even think that the computer has ever been connected to a printer.
So I have no clue as to how these temporary print files may ever have emerged?

Another question is about the "porn collection" folder which turns up from time to time and which is carrying the same infection as reported by AVG with regard to the printer files. Where does that one come from? At least it is one very visible sign that there is still something hiding somewhere on the computer.

thank you for your time.

#13 nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 06 July 2009 - 07:01 AM

I do not find the files that the AVG is finding:
"C:\WINDOWS\system32\spool\PRINTERS\03249.SPL";"


The files may be hidden.

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Delete any if found.

Delete these also.
This is what I find:
03154.shd
03155

Check in a day or two if they are recreated.
===

"porn collection"?
This folder could be created if you or someone else visits a porn site.

Google "porn collection" with the quotes.
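To automate the "delete the files, then check in a day or two if they are recreated" step from the post above, here is an added Python example. It is not code from the thread or from any tool mentioned in it: it records a baseline of a folder right after the cleanup, and on a later run reports which files came back and when they were written, including the hidden/system attribute on Windows, so the recreation time can be lined up against startup items or scheduled tasks. The demo folder, the file names and the function names are constructed for illustration; the real folders of interest in this thread would be C:\WINDOWS\system32\spool\PRINTERS and the "-= The Porn Collection =-" directories.

```python
"""Baseline a folder after a cleanup and report what comes back.

Added example, not from the thread. snapshot() records every file below a
folder; compare() diffs two snapshots; report_lines() prints the mtime of each
file that reappeared. demo() builds a constructed folder to show the flow.
"""
import json
import os
import tempfile
import time

# Win32 attribute bits. os.stat exposes st_file_attributes only on Windows,
# so on other platforms nothing is flagged as hidden or system.
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4


def snapshot(folder):
    """Map each file below folder (relative path) to size, mtime and hidden flag."""
    result = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            full = os.path.join(root, name)
            st = os.lstat(full)
            attrs = getattr(st, "st_file_attributes", 0)
            result[os.path.relpath(full, folder)] = {
                "size": st.st_size,
                "mtime": st.st_mtime,
                "hidden": bool(attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM)),
            }
    return result


def save_baseline(snap, baseline_file):
    """Persist a snapshot so it survives until the next check a day or two later."""
    with open(baseline_file, "w", encoding="utf-8") as fh:
        json.dump(snap, fh, indent=1)


def load_baseline(baseline_file):
    with open(baseline_file, encoding="utf-8") as fh:
        return json.load(fh)


def compare(baseline, current):
    """Files that appeared, changed or vanished since the baseline."""
    common = set(baseline) & set(current)
    return {
        "new": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in common
                           if (baseline[p]["size"], baseline[p]["mtime"])
                           != (current[p]["size"], current[p]["mtime"])),
        "removed": sorted(set(baseline) - set(current)),
    }


def report_lines(diff, current):
    """Human-readable lines; the timestamp is the main clue for recreated files."""
    lines = []
    for rel in diff["new"]:
        info = current[rel]
        when = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(info["mtime"]))
        flag = " [hidden/system]" if info["hidden"] else ""
        lines.append(f"NEW      {when}  {info['size']:>8} B  {rel}{flag}")
    for rel in diff["modified"]:
        lines.append(f"CHANGED  {rel}")
    for rel in diff["removed"]:
        lines.append(f"GONE     {rel}")
    return lines


def demo():
    """Constructed run: folder is empty after cleanup, then two files come back."""
    folder = tempfile.mkdtemp(prefix="spool-demo-")
    baseline_file = os.path.join(tempfile.mkdtemp(prefix="baseline-"), "baseline.json")
    save_baseline(snapshot(folder), baseline_file)  # taken right after the cleanup
    # ... time passes; something writes into the folder again (constructed names):
    with open(os.path.join(folder, "03249.SPL"), "wb") as fh:
        fh.write(b"\x00" * 64)
    os.mkdir(os.path.join(folder, "sub"))
    with open(os.path.join(folder, "sub", "VIDEO - sample.exe"), "wb") as fh:
        fh.write(b"MZ")
    current = snapshot(folder)
    diff = compare(load_baseline(baseline_file), current)
    return diff, report_lines(diff, current)


if __name__ == "__main__":
    diff, lines = demo()
    print("\n".join(lines))
```

In practice you would run `save_baseline(snapshot(folder), path)` once, immediately after emptying the folder, and `compare(load_baseline(path), snapshot(folder))` whenever you check again; the NEW lines with their timestamps tell you when the files returned, which is far more useful for tracing the cause than the bare count of files.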

#14 virus-problem

    Member

  • Full Member
  • 55 posts

Posted 07 July 2009 - 02:25 AM

Thank you.

Regarding the .spl files I deleted all files which were present in the directory:
C:\WINDOWS\system32\spool\PRINTERS\
It was impossible though to delete the first file - but all the rest went away without any problem.
There were more than 6000. However, a couple of hours later there were already a hundred or more new files.
I deleted them. Next time I checked there were some 30 or 40 files in the directory again.

Regarding the porn collection directory I deleted all the files and the directories. I then deleted all private data in the browser including cache and cookies and I have not nor has anybody else visited any porn site nor any other suspect website since then. Only the most common and well trusted sites like yahoo or google or amazon.
However, every time I delete it - it keeps coming back. There might be a time lapse so it does not turn up immediately but after a few hours or a day it is back. These are the paths:
C:\Documents and Settings\All Users\Dokumenter\-= The Porn Collection =-
C:\Documents and Settings\All Users\Dokumenter\Adobe PDF\-= The Porn Collection =-
C:\Documents and Settings\All Users\Dokumenter\Musik\-= The Porn Collection =-
C:\Documents and Settings\All Users\Dokumenter\Billeder\-= The Porn Collection =-
C:\Documents and Settings\All Users\Dokumenter\Videoer\-= The Porn Collection =-
C:\Documents and Settings\All Users\Dokumenter\microsoft\-= The Porn Collection =-

Always the same folders in the same directories. And always with the same .exe files which according to the antivirus program contain the Trojan Horse Generic 13 BNPB.

Any ideas?
Thank you for your time.

#15 virus-problem

    Member

  • Full Member
  • 55 posts

Posted 07 July 2009 - 04:43 AM

So here is the result of the daily AVG scan:

"C:\Documents and Settings\All Users\Dokumenter\-= The Porn Collection =-\Blonde-stravaganza\VIDEO - Blonde-stravaganza.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\-= The Porn Collection =-\Casey Parker's School's Out\VIDEO - Casey Parker's School's Out.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\-= The Porn Collection =-\Extreme Ty #9 On The Prowl\VIDEO - Extreme Ty #9 On The Prowl.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\-= The Porn Collection =-\Impulsive Sex Acts\VIDEO - Impulsive Sex Acts.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\-= The Porn Collection =-\INTERNAL EXPLOSIONS 5\VIDEO - INTERNAL EXPLOSIONS 5.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Adobe PDF\-= The Porn Collection =-\Blonde-stravaganza\VIDEO - Blonde-stravaganza.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Adobe PDF\-= The Porn Collection =-\Casey Parker's School's Out\VIDEO - Casey Parker's School's Out.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Adobe PDF\-= The Porn Collection =-\Extreme Ty #9 On The Prowl\VIDEO - Extreme Ty #9 On The Prowl.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Adobe PDF\-= The Porn Collection =-\Impulsive Sex Acts\VIDEO - Impulsive Sex Acts.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Adobe PDF\-= The Porn Collection =-\INTERNAL EXPLOSIONS 5\VIDEO - INTERNAL EXPLOSIONS 5.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Adobe PDF\-= The Porn Collection =-\Pretty Young Ass\Pretty Young Ass.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Billeder\-= The Porn Collection =-\Blonde-stravaganza\VIDEO - Blonde-stravaganza.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Billeder\-= The Porn Collection =-\Casey Parker's School's Out\VIDEO - Casey Parker's School's Out.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Billeder\-= The Porn Collection =-\Extreme Ty #9 On The Prowl\VIDEO - Extreme Ty #9 On The Prowl.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Billeder\-= The Porn Collection =-\Impulsive Sex Acts\VIDEO - Impulsive Sex Acts.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Billeder\-= The Porn Collection =-\INTERNAL EXPLOSIONS 5\VIDEO - INTERNAL EXPLOSIONS 5.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Billeder\-= The Porn Collection =-\Pretty Young Ass\Pretty Young Ass.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\microsoft\-= The Porn Collection =-\Blonde-stravaganza\VIDEO - Blonde-stravaganza.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\microsoft\-= The Porn Collection =-\Casey Parker's School's Out\VIDEO - Casey Parker's School's Out.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\microsoft\-= The Porn Collection =-\Extreme Ty #9 On The Prowl\VIDEO - Extreme Ty #9 On The Prowl.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\microsoft\-= The Porn Collection =-\Impulsive Sex Acts\VIDEO - Impulsive Sex Acts.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\microsoft\-= The Porn Collection =-\INTERNAL EXPLOSIONS 5\VIDEO - INTERNAL EXPLOSIONS 5.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\microsoft\-= The Porn Collection =-\Pretty Young Ass\Pretty Young Ass.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Musik\-= The Porn Collection =-\Blonde-stravaganza\VIDEO - Blonde-stravaganza.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Musik\-= The Porn Collection =-\Casey Parker's School's Out\VIDEO - Casey Parker's School's Out.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Musik\-= The Porn Collection =-\Extreme Ty #9 On The Prowl\VIDEO - Extreme Ty #9 On The Prowl.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Musik\-= The Porn Collection =-\Impulsive Sex Acts\VIDEO - Impulsive Sex Acts.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Musik\-= The Porn Collection =-\INTERNAL EXPLOSIONS 5\VIDEO - INTERNAL EXPLOSIONS 5.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Musik\-= The Porn Collection =-\Pretty Young Ass\Pretty Young Ass.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Videoer\-= The Porn Collection =-\Blonde-stravaganza\VIDEO - Blonde-stravaganza.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Videoer\-= The Porn Collection =-\Casey Parker's School's Out\VIDEO - Casey Parker's School's Out.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Videoer\-= The Porn Collection =-\Extreme Ty #9 On The Prowl\VIDEO - Extreme Ty #9 On The Prowl.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Videoer\-= The Porn Collection =-\Impulsive Sex Acts\VIDEO - Impulsive Sex Acts.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Videoer\-= The Porn Collection =-\INTERNAL EXPLOSIONS 5\VIDEO - INTERNAL EXPLOSIONS 5.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Videoer\-= The Porn Collection =-\Pretty Young Ass\Pretty Young Ass.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013379.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013380.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013381.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013382.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013383.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013384.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013385.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013386.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013387.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013388.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013389.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013390.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013391.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013392.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013393.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013394.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013395.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013396.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013397.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013398.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013399.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013400.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013401.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013402.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013403.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013404.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013405.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013406.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013407.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013408.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013409.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013410.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013411.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013412.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013413.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013414.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013415.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013416.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013417.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013418.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013419.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013420.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013421.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013422.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013423.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013424.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013425.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013426.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013427.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013428.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013429.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013430.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013431.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013432.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013433.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013434.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013435.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013436.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013437.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013438.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013439.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013440.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013441.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013442.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013443.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013505.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013517.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013518.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013519.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013520.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013521.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013522.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013523.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013524.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013525.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013526.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013527.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013528.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013529.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013530.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013531.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013532.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013533.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013534.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013535.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013536.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013537.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013538.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013539.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013540.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013541.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013542.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013543.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013544.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013545.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013546.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013547.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013548.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013549.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013550.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013551.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"

Thank you.
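The report above is the poster's own AVG export. To show how a defender reads such a list, here is an added Python example, not code from the thread or from AVG, that parses the "path";"threat";"action" layout and sorts detections into the three locations that matter in this thread: System Restore snapshots (the quarantined copies nasdaq describes in post #11), the print spool folder, and live files. It also reports which entries were not quarantined and which file names were dropped into several folders at once, the replication pattern post #14 describes. The sample lines are constructed from paths in the thread; the file name "VIDEO - sample.exe" is a placeholder, and the helper names are my own.

```python
"""Triage an AVG scan-report export of the kind pasted in this thread.

Added example, not code from the thread or from AVG. Each report line is
"path";"threat";"action", which csv handles directly with ';' as delimiter.
"""
import csv
import io
import ntpath
import re
from collections import Counter, defaultdict

# Constructed sample in the same layout as the poster's export. The restore
# point GUID, the spool folder and the "-= The Porn Collection =-" folder
# name come from the thread; "VIDEO - sample.exe" is a placeholder.
SAMPLE_REPORT = r'''"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP76\A0013379.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP77\A0013505.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\03249.SPL";"Trojan horse Generic13.BNPB";"Infected"
"C:\Documents and Settings\All Users\Dokumenter\-= The Porn Collection =-\VIDEO - sample.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Musik\-= The Porn Collection =-\VIDEO - sample.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
'''

RESTORE_RE = re.compile(r"\\_restore\{[0-9a-f-]+\}\\(RP\d+)\\", re.IGNORECASE)
SPOOL_RE = re.compile(r"\\system32\\spool\\printers\\", re.IGNORECASE)


def parse_report(text):
    """Parse the semicolon-separated, double-quoted AVG export into dicts."""
    reader = csv.reader(io.StringIO(text), delimiter=";", quotechar='"')
    records = []
    for row in reader:
        if len(row) != 3:
            continue  # blank or truncated line (the thread has a few of those)
        path, threat, action = row
        records.append({"path": path, "threat": threat, "action": action})
    return records


def classify(path):
    """Where a detection sits decides how much it matters."""
    if RESTORE_RE.search(path):
        return "restore point snapshot"  # System Restore copy, inert until restored
    if SPOOL_RE.search(path):
        return "print spool"  # temporary spool file, see post #11
    return "live file"  # reachable by the user, worth a closer look


def summarize(records):
    """Counts per location, entries still on disk, restore points hit, replicated names."""
    by_location = Counter(classify(r["path"]) for r in records)
    # Anything not moved to the vault is still sitting in its original place.
    not_quarantined = [r["path"] for r in records if r["action"] != "Moved to Virus Vault"]
    restore_points = sorted({m.group(1) for r in records
                             for m in [RESTORE_RE.search(r["path"])] if m})
    # The same file name dropped into several folders is the replication
    # pattern post #14 describes; group live files by basename.
    dirs_by_name = defaultdict(set)
    for r in records:
        if classify(r["path"]) == "live file":
            dirs_by_name[ntpath.basename(r["path"])].add(ntpath.dirname(r["path"]))
    replicated = {name: sorted(d) for name, d in dirs_by_name.items() if len(d) > 1}
    return {
        "by_location": by_location,
        "not_quarantined": not_quarantined,
        "restore_points": restore_points,
        "replicated": replicated,
    }


if __name__ == "__main__":
    s = summarize(parse_report(SAMPLE_REPORT))
    for loc, n in s["by_location"].items():
        print(f"{n:4d}  {loc}")
    print("still on disk:", s["not_quarantined"])
    print("restore points touched:", s["restore_points"])
    for name, dirs in s["replicated"].items():
        print(f"{name!r} found in {len(dirs)} folders")
```

Run against the full export, the "live file" and "not quarantined" buckets are the ones to act on; the hundreds of restore-point entries only tell you which RPnn snapshots hold copies of the dropper, which is the reason for the advice to reset System Restore points once the machine is clean.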

#16 nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 07 July 2009 - 09:57 AM

I found the description of your infection.

http://www.threatexp...01dbd432182bc88

Please run the ComboFix programs again and post the results.
Include a fresh HijackThis log.

We may have to change some of the registry settings to get rid of it.

#17 virus-problem

    Member

  • Full Member
  • 55 posts

Posted 07 July 2009 - 03:52 PM

OK, sounds great!
Below are the two log-files.

The combofix program tried to re-instate a regeneration point but failed to do so (advarsel -DENNE MASKINE HAR IKKE GENOPRETTELSESKONSOL INSTALLERET !!). After that it ran the various procedures and generated the log-file.

thank you.

ComboFix 09-07-07.A2 - M 07/08/2009 0:38.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.45.1030.18.2047.1280 [GMT 4:00]
Kører fra: c:\documents and settings\M\Skrivebord\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Dannede nyt systemgendannelsespunkt

advarsel -DENNE MASKINE HAR IKKE GENOPRETTELSESKONSOL INSTALLERET !!
.

((((((((((((((((((((((((((((( Filer skabt fra 2009-06-07 til 2009-07-07 )))))))))))))))))))))))))))))))))))
.

2009-07-01 11:22 . 2009-07-01 11:22 -------- d-----w- c:\documents and settings\M\Lokale indstillinger\Application Data\Temp
2009-06-28 09:56 . 2009-06-09 08:48 325896 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-06-28 09:56 . 2009-06-09 08:48 69912 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcrlpx.dll
2009-06-28 09:56 . 2009-06-09 08:48 692504 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcsrvx.exe
2009-06-28 09:56 . 2009-06-09 08:48 417560 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcclix.dll
2009-06-28 09:56 . 2009-06-09 08:48 382744 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgclitx.dll
2009-06-28 09:56 . 2009-06-09 08:48 2052376 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-06-26 13:48 . 2009-06-23 07:06 245408 ----a-w- c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\pgxeroiz.default\extensions\LogMeInClient@logmein.com\plugins\unicows.dll
2009-06-26 13:48 . 2009-04-05 10:26 8784 ----a-w- c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\pgxeroiz.default\extensions\LogMeInClient@logmein.com\plugins\ractrlkeyhook.dll
2009-06-26 13:48 . 2009-04-05 10:26 71248 ----a-w- c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\pgxeroiz.default\extensions\LogMeInClient@logmein.com\plugins\LMIProxyHelper.exe
2009-06-26 13:48 . 2009-02-19 07:38 2633728 ----a-w- c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\pgxeroiz.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
2009-06-23 18:42 . 2009-06-23 18:42 -------- d-----w- c:\programmer\JRE
2009-06-23 11:33 . 2009-05-05 09:43 2301952 ----a-w- c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\pgxeroiz.default\extensions\protecapi@protecmedia.com\plugins\NPProtecAPI.dll
2009-06-22 11:23 . 2009-06-22 11:23 239088 ----a-w- c:\documents and settings\M\Application Data\Mozilla\plugins\npgoogletalk.dll
2009-06-16 08:04 . 2009-06-16 08:04 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-10 06:58 . 2009-06-10 06:58 152576 ----a-w- c:\documents and settings\M\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-07 11:26 . 2008-01-29 22:23 -------- d-----w- c:\documents and settings\M\Application Data\Skype
2009-07-07 10:36 . 2009-01-14 11:31 1 ----a-w- c:\documents and settings\M\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-07-07 08:48 . 2008-02-05 12:47 -------- d-----w- c:\documents and settings\M\Application Data\skypePM
2009-07-03 14:18 . 2008-01-28 22:29 73672 ----a-w- c:\documents and settings\M\Lokale indstillinger\Application Data\GDIPFONTCACHEV1.DAT
2009-06-09 08:48 . 2009-03-05 12:22 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-30 22:57 . 2009-05-30 22:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-05-30 22:48 . 2008-01-29 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-05-30 22:48 . 2008-01-29 22:03 -------- d-----w- c:\programmer\Yahoo!
2009-05-30 22:48 . 2009-05-30 22:48 -------- d-----w- c:\documents and settings\M\Application Data\Yahoo!
2009-05-26 15:50 . 2009-05-30 22:47 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-05-26 09:20 . 2009-03-15 15:05 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 09:19 . 2009-03-15 15:05 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-23 19:44 . 2009-05-23 19:43 6389576 ----a-w- c:\documents and settings\All Users\Application Data\Birdstep Technology\EasyConnect\Update\3Connect_update_2_of2.exe
2009-05-23 19:41 . 2009-05-23 19:41 129304 ----a-w- c:\documents and settings\All Users\Application Data\Birdstep Technology\EasyConnect\Update\3Connect_update_1_of_2.exe
2009-05-23 19:40 . 2009-05-23 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Birdstep Technology
2009-05-23 19:40 . 2009-05-23 19:40 -------- d-----w- c:\documents and settings\M\Application Data\Birdstep Technology
2009-05-23 19:39 . 2009-05-23 19:39 69387 ----a-w- c:\windows\Huawei ModemsUninstall.exe
2009-05-23 19:39 . 2009-05-23 19:39 -------- d-----w- c:\programmer\Huawei Modems
2009-05-23 19:39 . 2009-05-23 19:39 -------- d-----w- c:\programmer\3
2009-05-23 19:39 . 2007-11-12 10:06 -------- d--h--w- c:\programmer\InstallShield Installation Information
2009-05-21 07:33 . 2008-11-23 10:17 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-16 10:02 . 2008-04-11 05:53 -------- d-----w- c:\programmer\Safari
2009-05-07 15:33 . 2007-11-12 15:44 346624 ----a-w- c:\windows\system32\localspl.dll
2009-05-04 11:07 . 2009-05-19 13:01 2298680 ----a-w- c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\pgxeroiz.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
2009-04-19 19:50 . 2007-11-12 15:45 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:53 . 2007-11-12 15:45 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

------- Sigcheck -------

[7] 2004-08-27 12:00 14336 46FE2ED518FDFBFD289F014A3078575C c:\windows\$NtServicePackUninstall$\svchost.exe
[7] 2008-04-14 16:06 14336 555F8F4CB284FE94059DCACF6074F9EC c:\windows\ServicePackFiles\i386\svchost.exe
[7] 2008-04-14 16:06 14336 555F8F4CB284FE94059DCACF6074F9EC c:\windows\system32\svchost.exe

[-] 2005-03-02 18:20 577024 B0C3B7A16FC7779566843E9EE1912649 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2007-03-08 15:51 578048 5B48D00DB4C1D0C3D3AF83A984A13020 c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 15:38 577536 4E3D092A2600B8888F1874E7C9A7E0B7 c:\windows\$NtServicePackUninstall$\user32.dll
[7] 2004-08-27 12:00 577024 B9730010E7364F87234D23CE0E05F0C3 c:\windows\$NtUninstallKB890859$\user32.dll
[-] 2005-03-02 18:18 577024 0C1CDB3D46E1EAADF16269FA7DFAF490 c:\windows\$NtUninstallKB925902$\user32.dll
[7] 2008-04-14 16:05 578560 A45B00E0410E44E7177A403ECAD4B12A c:\windows\ServicePackFiles\i386\user32.dll
[7] 2008-04-14 16:05 578560 A45B00E0410E44E7177A403ECAD4B12A c:\windows\system32\user32.dll
[7] 2009-03-19 08:43 578560 A45B00E0410E44E7177A403ECAD4B12A c:\windows\system32\dllcache\user32.dll

[7] 2004-08-27 12:00 82944 3C83A9029BC93E4CDCF7975DECFDAE5D c:\windows\$NtServicePackUninstall$\ws2_32.dll
[7] 2008-04-14 16:05 82432 4C92DB1CD4ABC8A986896FCD3070B4CE c:\windows\ServicePackFiles\i386\ws2_32.dll
[7] 2008-04-14 16:05 82432 4C92DB1CD4ABC8A986896FCD3070B4CE c:\windows\system32\ws2_32.dll

[-] 2004-09-29 18:46 658432 C934C5B3B35ED9DC9283730569696A3B c:\windows\$hf_mig$\KB834707\SP2QFE\wininet.dll
[-] 2005-01-27 17:13 659456 3CC06202B9930C58A17F8AA722567C0C c:\windows\$hf_mig$\KB867282\SP2QFE\wininet.dll
[-] 2005-05-02 20:58 660480 CC87712147FC5B8EB890DEC908D26812 c:\windows\$hf_mig$\KB883939\SP2QFE\wininet.dll
[-] 2005-03-10 07:48 659456 9431D4017A535EFD8DDD17AAD23417C4 c:\windows\$hf_mig$\KB890923\SP2QFE\wininet.dll
[-] 2005-09-03 00:08 662016 CA6C0E1EF698128DAE9E2322798D08D2 c:\windows\$hf_mig$\KB896688\SP2QFE\wininet.dll
[-] 2005-07-03 02:11 660992 87E146DF1315D7E431BCCD3ABDE6FC20 c:\windows\$hf_mig$\KB896727\SP2QFE\wininet.dll
[-] 2005-10-21 03:39 663040 E041B0263B9011977C74DB9D95BEA544 c:\windows\$hf_mig$\KB905915\SP2QFE\wininet.dll
[7] 2007-08-20 09:50 825344 80790419916845D6D7BA01C1726B166F c:\windows\$hf_mig$\KB939653-IE7\SP2QFE\wininet.dll
[7] 2007-10-10 23:23 825344 081C26E082490AE3BC24E14DCBED2EF4 c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
[7] 2007-12-07 01:58 825344 2E10953A4A322ABCE58FC602D1341C11 c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
[7] 2008-03-01 12:35 827392 CD10C2876CE742D2D998CFFAFE976DBC c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
[7] 2008-04-23 04:21 827392 5A11FF73AB8B92316B23C96EF5CCC950 c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
[7] 2008-06-23 15:41 827904 B0F9A247E0DD203ADD954FE5A7278A9A c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
[7] 2008-08-26 09:10 827904 AACAD8C0FB31D641B9BB9D749F4FBCDD c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
[7] 2008-10-16 19:33 827904 FF5680AE65242D96FF06E2435F0898A1 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
[7] 2008-12-20 23:48 827904 254C27DC2719B7C3D6037E64A9A57F7C c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
[7] 2004-08-27 12:00 657920 D65B07B3A1072B7E2199A50E62472957 c:\windows\$NtUninstallKB834707$\wininet.dll
[-] 2004-09-29 18:49 658432 EBB98125FC49BBD4C22C909474114403 c:\windows\$NtUninstallKB867282$\wininet.dll
[-] 2005-03-10 08:04 658432 03AA98848E29BE186F23D282B70575AC c:\windows\$NtUninstallKB883939$\wininet.dll
[-] 2005-01-27 17:14 658432 86C94B1CAF5D46E08E7082CA20989322 c:\windows\$NtUninstallKB890923$\wininet.dll
[-] 2005-07-03 02:16 659968 D722D7E51DCCA29FFC838DAAF732EDA5 c:\windows\$NtUninstallKB896688$\wininet.dll
[-] 2005-05-02 20:57 659456 F76B2FC2655901484E69752165834D04 c:\windows\$NtUninstallKB896727$\wininet.dll
[-] 2005-09-03 00:05 659968 43F7D84FA93F6999CC7223BD3A8CD1B8 c:\windows\$NtUninstallKB905915$\wininet.dll
[-] 2006-01-09 18:04 663552 72E7F1504E6DFD0879305AED4F6EFC54 c:\windows\$NtUninstallKB912812$\wininet.dll
[-] 2005-10-21 03:41 659968 A730F6D0D35B869CB2B6878082701340 c:\windows\$NtUninstallKB912945$\wininet.dll
[-] 2006-03-04 04:00 665088 4AD66ABA8E6FB139D469599BB3646E34 c:\windows\$NtUninstallKB916281$\wininet.dll
[-] 2006-05-10 05:26 665088 2A9D7D10558B3761A0EB6B075240B64A c:\windows\$NtUninstallKB918899$\wininet.dll
[-] 2006-06-23 11:26 666112 19DBA255F2C6457B657407726C7C45AE c:\windows\$NtUninstallKB922760$\wininet.dll
[-] 2006-09-14 08:37 666112 420EFD35F3C662F29983FC6CB42C8BEF c:\windows\$NtUninstallKB925454$\wininet.dll
[-] 2006-10-23 15:35 666112 77BDE9D0D69641079B69CC377B114598 c:\windows\$NtUninstallKB928090$\wininet.dll
[-] 2007-01-04 14:05 666624 702CE6FCF3C010EA120AC7E9B98FAECF c:\windows\$NtUninstallKB931768$\wininet.dll
[-] 2007-02-19 15:23 667136 EAD008381CBF84F35B6DEFEB52348691 c:\windows\$NtUninstallKB933566$\wininet.dll
[-] 2007-04-18 12:46 667136 E2239A1969EC56917CE7C943F88E48C1 c:\windows\$NtUninstallKB939653$\wininet.dll
[-] 2007-08-22 12:57 667136 93A4A24F5F6F06B52CD3C273AE68810A c:\windows\ie7\wininet.dll
[7] 2006-11-07 20:03 818688 92995334F993E6E49C25C6D02EC04401 c:\windows\ie7updates\KB939653-IE7\wininet.dll
[7] 2007-08-20 10:00 824832 63A14DEFBD7AB9641AC9C6B4DBEE52A7 c:\windows\ie7updates\KB942615-IE7\wininet.dll
[7] 2007-10-10 23:52 824832 B0CF46ACEDF41147EC61838CCF7B1600 c:\windows\ie7updates\KB944533-IE7\wininet.dll
[7] 2007-12-07 02:13 824832 1EF69C7E7ABA88D5BAC2EAF4F8219412 c:\windows\ie7updates\KB947864-IE7\wininet.dll
[7] 2008-03-01 12:58 826368 2226F23358B9974122BA1511C5051716 c:\windows\ie7updates\KB950759-IE7\wininet.dll
[7] 2008-04-23 07:20 826368 A672BBFBEBB4555886718D3B4C618CD2 c:\windows\ie7updates\KB953838-IE7\wininet.dll
[7] 2008-06-23 16:33 826368 89DC1AA493D9335800FC44DC4A9129EC c:\windows\ie7updates\KB956390-IE7\wininet.dll
[7] 2008-08-26 08:27 826368 3F2A9A2EC2AB5A7F2EA19A42DB087154 c:\windows\ie7updates\KB958215-IE7\wininet.dll
[7] 2008-10-16 20:18 826368 40738305921211D60D3D2B09FEA42D23 c:\windows\ie7updates\KB961260-IE7\wininet.dll
[7] 2008-12-20 23:03 826368 DC9C654F7845AF02341A7D5D36B62481 c:\windows\ie8\wininet.dll
[7] 2008-04-14 16:05 667648 14B6321E0C8748C02B5B38BA03FD1B99 c:\windows\ServicePackFiles\i386\wininet.dll
[7] 2009-01-14 23:05 911872 203C05A174A45270A30CDD593092D91E c:\windows\system32\wininet.dll
[7] 2009-01-14 23:05 911872 203C05A174A45270A30CDD593092D91E c:\windows\system32\dllcache\wininet.dll

[-] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2004-08-27 12:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB893066$\tcpip.sys
[-] 2005-05-25 19:04 359808 88763A98A4C26C409741B4AA162720C9 c:\windows\$NtUninstallKB913446$\tcpip.sys
[-] 2006-01-13 02:28 359808 583E063FDC888CA30D05C2724B0D7EF4 c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2007-10-30 17:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\drivers\tcpip.sys

[7] 2004-08-27 12:00 502272 713AD65B9FF9CEE0A43181B442D846EB c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-14 16:06 507904 E0339362391BF6AC04D1622EF8E3A61B c:\windows\ServicePackFiles\i386\winlogon.exe
[7] 2008-04-14 16:06 507904 E0339362391BF6AC04D1622EF8E3A61B c:\windows\system32\winlogon.exe

[7] 2004-08-27 12:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\drivers\ndis.sys

[7] 2004-08-27 12:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\$NtServicePackUninstall$\ip6fw.sys
[7] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\ServicePackFiles\i386\ip6fw.sys
[7] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\system32\drivers\ip6fw.sys

[-] 2005-03-02 09:13 2059520 610527B58729660EC06ECC71302E9490 c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
[7] 2009-02-09 11:18 2068736 E2178A1BE5BC1C25643CC6BF6E266316 c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[7] 2008-08-14 15:27 2068608 879F6F04D5BBC90B261F8C25AB68539D c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[-] 2007-02-28 16:08 2019840 F76416618989F49E8A52988944EA6C65 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
[7] 2004-08-27 12:00 2017792 659C696F88E4FD786B4E450FD08E31BD c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
[-] 2005-03-02 18:08 2017792 B4DA3B6762270B2F3EDAE3F51DC5BE9F c:\windows\$NtUninstallKB896256$\ntkrnlpa.exe
[-] 2005-09-29 18:28 2018304 BBF20F90B6E43A600B2C02DC3859F0FE c:\windows\$NtUninstallKB929338$\ntkrnlpa.exe
[-] 2006-12-19 18:46 2019840 33F70E4530CC3536A7A99DE8BD26ABD9 c:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
[7] 2008-08-14 13:25 2026496 00315E597422FEFB19B6586323933CE2 c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe
[7] 2008-04-14 15:45 2026496 A1BA9C3748329ACB5C5A0E39004042F8 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[7] 2009-02-10 15:08 2068608 87B97AAC0DADD48DCD17EEF88DDC8FDE c:\windows\Driver Cache\i386\ntkrnlpa.exe
[7] 2008-04-14 15:44 2068480 1F9E582438207CCA71A85C4B80E8A6C9 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
[7] 2009-02-09 11:26 2026496 E881E08DADE696CBB53499DCCE37F95F c:\windows\system32\ntkrnlpa.exe
[7] 2009-02-10 15:08 2068608 87B97AAC0DADD48DCD17EEF88DDC8FDE c:\windows\system32\dllcache\ntkrnlpa.exe

[-] 2005-03-02 18:13 2182144 1A7CB4EA702393225B2A21E610D3D91A c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
[7] 2009-02-10 15:17 2191744 313294107BC23806951B31AB0C3FA7DE c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[7] 2008-08-14 15:27 2191744 F88F5258032106D211EC7B1167D4B434 c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[-] 2007-02-28 16:08 2140160 B74FA7071DD2F090670A68F86C7666BC c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[7] 2004-08-27 12:00 2150912 E9E9283182050EBDD28386ADD2311DF3 c:\windows\$NtUninstallKB890859$\ntoskrnl.exe
[-] 2005-03-02 18:08 2138112 05BB4A026F7F555D9488F0217543BB24 c:\windows\$NtUninstallKB896256$\ntoskrnl.exe
[-] 2005-09-29 18:28 2138624 089C0ADF44ED30138CD23C994373883B c:\windows\$NtUninstallKB929338$\ntoskrnl.exe
[-] 2006-12-19 18:46 2140160 9819056466A44062AFC2801B1D492D6B c:\windows\$NtUninstallKB931784$\ntoskrnl.exe
[7] 2008-08-14 13:25 2147840 0706E1752A43CE555D73D8931367756C c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
[7] 2008-04-14 15:44 2147840 1AAE08DE2AE92E1244E94C6BAD07E248 c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[7] 2009-02-09 11:26 2191616 229CF57722A96ED3702FEEBFE40BB57E c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2008-04-14 15:45 2191616 A930FBFA6E70267EF3ABB0BB59AF74C1 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
[7] 2009-02-09 11:25 2147840 B6E658B64F244551B53EE0E4365BB7B6 c:\windows\system32\ntoskrnl.exe
[7] 2009-02-09 11:26 2191616 229CF57722A96ED3702FEEBFE40BB57E c:\windows\system32\dllcache\ntoskrnl.exe

[7] 2008-04-14 16:05 1034752 1D9BD1CAA1E4CF63370F201DF742DC7D c:\windows\explorer.exe
[-] 2007-06-13 13:10 1034240 9D7A9E7F4A89AA43D108C4E4C153B561 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 13:22 1034240 91E15A22E62A11014DB521FB589B6093 c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-27 12:00 1033216 DA77B9561CC9AC54584C86CAB36EBF25 c:\windows\$NtUninstallKB938828$\explorer.exe
[7] 2008-04-14 16:05 1034752 1D9BD1CAA1E4CF63370F201DF742DC7D c:\windows\ServicePackFiles\i386\explorer.exe

[7] 2009-02-09 11:18 110592 F8BCC407FCB4CDBF17163FAE3C820D80 c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[7] 2004-08-27 12:00 108032 55BBE54A196B1A9F99EC2E01F4AC1215 c:\windows\$NtServicePackUninstall$\services.exe
[7] 2008-04-14 16:06 108544 AB2B6ABF3FCDA803FF0E2251F9A5274E c:\windows\$NtUninstallKB956572$\services.exe
[7] 2008-04-14 16:06 108544 AB2B6ABF3FCDA803FF0E2251F9A5274E c:\windows\ServicePackFiles\i386\services.exe
[7] 2009-02-09 11:25 110592 32F091E3425759B126760F44B5E931C9 c:\windows\system32\services.exe
[7] 2009-02-09 11:25 110592 32F091E3425759B126760F44B5E931C9 c:\windows\system32\dllcache\services.exe

[7] 2004-08-27 12:00 13312 9086126FB5FD15CEB387121506400244 c:\windows\$NtServicePackUninstall$\lsass.exe
[7] 2008-04-14 16:05 13312 AC9FCA8BCD685ABDB9928B1964B731A2 c:\windows\ServicePackFiles\i386\lsass.exe
[7] 2008-04-14 16:05 13312 AC9FCA8BCD685ABDB9928B1964B731A2 c:\windows\system32\lsass.exe

[7] 2004-08-27 12:00 15360 8289923E26D00213080E3E3D7E219F4C c:\windows\$NtServicePackUninstall$\ctfmon.exe
[7] 2008-04-14 16:05 15360 CB8D8AB9CED50556501014F97A9FA270 c:\windows\ServicePackFiles\i386\ctfmon.exe
[7] 2008-04-14 16:05 15360 CB8D8AB9CED50556501014F97A9FA270 c:\windows\system32\ctfmon.exe

[-] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\$NtServicePackUninstall$\spoolsv.exe
[7] 2004-08-27 12:00 57856 FD532707B4C012B2B73A8104EC7D510A c:\windows\$NtUninstallKB896423$\spoolsv.exe
[7] 2008-04-14 16:06 57856 E06D0A59737CF479466A86AB5E2A0B6B c:\windows\ServicePackFiles\i386\spoolsv.exe
[7] 2008-04-14 16:06 57856 E06D0A59737CF479466A86AB5E2A0B6B c:\windows\system32\spoolsv.exe

[7] 2008-04-14 16:06 111616 FE717BD907D1E18A14EF1096758FAF02 c:\windows\ServicePackFiles\i386\wuauclt.exe
[7] 2008-10-16 11:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\windows\system32\wuauclt.exe
[7] 2008-10-16 11:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\windows\system32\dllcache\wuauclt.exe

[7] 2004-08-27 12:00 24576 3A03D6433E4E5FD3430DD3431FC6AC54 c:\windows\$NtServicePackUninstall$\userinit.exe
[7] 2008-04-14 16:06 26112 7B3770DB760FBBA068454EAFCAA89772 c:\windows\ServicePackFiles\i386\userinit.exe
[7] 2008-04-14 16:06 26112 7B3770DB760FBBA068454EAFCAA89772 c:\windows\system32\userinit.exe

[7] 2004-08-27 12:00 296448 DE5B43EAFE4070FEBD050D2AA48776AF c:\windows\$NtServicePackUninstall$\termsrv.dll
[7] 2008-04-14 16:05 296448 14C8EC0AA06A33CCC5407E4324F91312 c:\windows\ServicePackFiles\i386\termsrv.dll
[7] 2008-04-14 16:05 296448 14C8EC0AA06A33CCC5407E4324F91312 c:\windows\system32\termsrv.dll

[-] 2006-07-05 10:58 1001472 946A25601A3A58039A30CFA9578F3D61 c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
[-] 2007-04-16 16:11 1002496 D1D65B4CEC0167C44DA2EC51EC2C52CE c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[7] 2009-03-21 14:00 1008128 1BB1F3C25F95270607BB01BC98630336 c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[-] 2007-04-16 15:54 1000960 91E16E57F74E79A541A1D21D2DDCE7B0 c:\windows\$NtServicePackUninstall$\kernel32.dll
[7] 2004-08-27 12:00 999936 43D1D86DC61EEFE2A27122F132E843A7 c:\windows\$NtUninstallKB917422$\kernel32.dll
[-] 2006-07-05 10:56 1000448 310ACCCB78F3E27300D08DC027FD0866 c:\windows\$NtUninstallKB935839$\kernel32.dll
[7] 2008-04-14 16:05 1006080 99ED0BF23810EC30271A5B1A00968791 c:\windows\$NtUninstallKB959426$\kernel32.dll
[7] 2008-04-14 16:05 1006080 99ED0BF23810EC30271A5B1A00968791 c:\windows\ServicePackFiles\i386\kernel32.dll
[7] 2009-03-21 14:08 1006080 62B382FAE65071B13C955A29A7E5359C c:\windows\system32\kernel32.dll
[7] 2009-03-21 14:08 1006080 62B382FAE65071B13C955A29A7E5359C c:\windows\system32\dllcache\kernel32.dll

[7] 2004-08-27 12:00 17408 AF6CCEFAA99E42EE81290C7CC867C9B5 c:\windows\$NtServicePackUninstall$\powrprof.dll
[7] 2008-04-14 16:05 17408 71F270F3E6092CA48920FA3876ED86A2 c:\windows\ServicePackFiles\i386\powrprof.dll
[7] 2008-04-14 16:05 17408 71F270F3E6092CA48920FA3876ED86A2 c:\windows\system32\powrprof.dll

[7] 2004-08-27 12:00 110080 3C15A580CC20CD764608C04E90B5BAB4 c:\windows\$NtServicePackUninstall$\imm32.dll
[7] 2008-04-14 16:05 110080 E8C6B982597CD2BA53D73A068CDF9D8C c:\windows\ServicePackFiles\i386\imm32.dll
[7] 2008-04-14 16:05 110080 E8C6B982597CD2BA53D73A068CDF9D8C c:\windows\system32\imm32.dll

[7] 2004-08-27 12:00 1548288 F8D3A7033A6D6684C3B97CB785DBC57C c:\windows\$NtServicePackUninstall$\sfcfiles.dll
[7] 2008-04-14 16:05 1571840 9C88478DFAFF22089045EE3B166C7809 c:\windows\ServicePackFiles\i386\sfcfiles.dll
[7] 2008-04-14 16:05 1571840 9C88478DFAFF22089045EE3B166C7809 c:\windows\system32\sfcfiles.dll

[7] 2004-08-27 12:00 170496 7DCDC8993BC0BAC37FF74C86CFE33B15 c:\windows\$NtServicePackUninstall$\appmgmts.dll
[7] 2008-04-14 16:05 170496 E39274E0BE87E672211392A4176C4EE6 c:\windows\ServicePackFiles\i386\appmgmts.dll
[7] 2008-04-14 16:05 170496 E39274E0BE87E672211392A4176C4EE6 c:\windows\system32\appmgmts.dll

[7] 2004-08-26 16:49 24832 0B5A2F9059F01F4E1215782F3BBA7E87 c:\windows\$NtServicePackUninstall$\kbdclass.sys
[7] 2008-04-14 15:42 24832 32E823DFD0A7F18CF3B024F78C7AA7DD c:\windows\ServicePackFiles\i386\kbdclass.sys
[7] 2008-04-14 15:42 24832 32E823DFD0A7F18CF3B024F78C7AA7DD c:\windows\system32\drivers\kbdclass.sys
[7] 2004-08-27 12:00 24832 0B5A2F9059F01F4E1215782F3BBA7E87 c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\kbdclass.sys
.
((((((((((((((((((((((((((((((((((( Start steder i reg.basen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Bemærk* tomme linier & lovlige standard linier vises ikke
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-02-06 19:08 204248 ----a-w- c:\programmer\Hotspot Shield\HssIE\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\M\Lokale indstillinger\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"SpybotSD TeaTimer"="c:\spybot\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SynTPEnh"="c:\programmer\Synaptics\SynTP\SynTPEnh.exe" [2006-10-13 815104]
"SMSERIAL"="c:\programmer\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-23 630784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-20 8462336]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-20 81920]
"ATKOSD2"="c:\programmer\ATKOSD2\ATKOSD2.exe" [2007-07-03 7708672]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-02-26 677408]
"ATKMEDIA"="c:\programmer\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 61440]
"Wireless Console 2"="c:\programmer\Wireless Console 2\wcourier.exe" [2007-07-05 1040384]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-07-26 90112]
"ACMON"="c:\programmer\ASUS\Splendid\ACMON.exe" [2007-06-26 851968]
"Adobe Version Cue CS2"="c:\programmer\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 856064]
"Acrobat Assistant 7.0"="c:\programmer\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-22 483328]
"QuickTime Task"="c:\programmer\QuickTime\qttask.exe" [2009-01-05 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-28 1948440]
"SunJavaUpdateSched"="c:\programmer\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-07-05 16380416]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2007-06-15 1826816]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-06-20 1626112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\FLLESF~1\MICROS~1\DW\dwtrig20.exe" [2007-08-23 437160]

c:\documents and settings\All Users\Menuen Start\Programmer\Start\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-1-29 25214]
Adobe Gamma.lnk - c:\programmer\Fælles filer\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Adobe Reader Speed Launch.lnk - c:\programmer\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\programmer\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-28 09:55 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmer\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\Programmer\\DNA\\btdna.exe"=
"c:\\Programmer\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Programmer\\SopCast\\adv\\SopAdver.exe"=
"c:\\Programmer\\SopCast\\SopCast.exe"=
"c:\\Programmer\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\M\\Lokale indstillinger\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\M\\Lokale indstillinger\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Programmer\\TVAnts\\Tvants.exe"=
"c:\\Programmer\\ICQ6.5\\ICQ.exe"=
"c:\\Programmer\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Programmer\\Infineon\\Security Platform Software\\SpTNA.exe"=
"c:\\Programmer\\AVG\\AVG8\\avgemc.exe"=
"c:\\Programmer\\AVG\\AVG8\\avgupd.exe"=
"c:\\Programmer\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Programmer\\Java\\jre6\\bin\\java.exe"=
"c:\\Programmer\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmer\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Programmer\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmer\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/5/2009 4:22 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/5/2009 4:22 PM 108552]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [1/24/2007 7:07 AM 39080]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [3/5/2009 4:22 PM 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/5/2009 4:22 PM 298776]
R2 HssSrv;Hotspot Shield Helper Service;c:\programmer\Hotspot Shield\HssWPR\hsssrv.exe [2/6/2009 1:56 AM 117208]
R2 mdvrmng;Mobile IP Route Manager;c:\windows\system32\drivers\mdvrmng.sys [5/23/2009 11:40 PM 10240]
R2 WinDefend;Windows Defender;c:\programmer\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [11/12/2007 12:05 PM 38656]
R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [1/31/2009 1:29 AM 31704]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [11/12/2007 12:05 PM 36608]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Indhold af mappen 'Planlagte Opgaver'

2009-06-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmer\Apple Software Update\SoftwareUpdate.exe [2008-07-30 08:34]

2009-07-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1174632320-4108373775-285163711-1005Core.job
- c:\documents and settings\M\Lokale indstillinger\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 11:44]

2009-07-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1174632320-4108373775-285163711-1005UA.job
- c:\documents and settings\M\Lokale indstillinger\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 11:44]

2009-07-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\programmer\Windows Defender\MpCmdRun.exe [2006-11-03 16:20]

2009-07-07 c:\windows\Tasks\User_Feed_Synchronization-{8CBF463E-AC57-4676-9D6F-6B8D9895C2B6}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 23:01]
.
.
------- Yderligere scanning -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Convert link target to Adobe PDF - c:\programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&ksporter til Microsoft Excel
TCP: {7C3017C7-FFDF-4D15-8DB9-677319608D6E} = 213.234.192.7 195.14.50.1
DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} - hxxps://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
FF - ProfilePath - c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\pgxeroiz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\programmer\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\pgxeroiz.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\pgxeroiz.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\pgxeroiz.default\extensions\protecapi@protecmedia.com\plugins\NPProtecAPI.dll
FF - plugin: c:\documents and settings\M\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\M\Lokale indstillinger\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: c:\programmer\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\programmer\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmer\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmer\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmer\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmer\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmer\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmer\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLITIKKER ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-08 00:43
Windows 5.1.2600 Service Pack 3 NTFS

scanner skjulte processer ...

scanner skjulte autostarter ...

scanner skjulte filer ...

scanning gennemført med succes
skjulte filer: 0

**************************************************************************
.
--------------------- LÅSTE REGISTRERINGS NØGLER ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,96,26,9f,d3,16,e3,03,43,bc,ac,a1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,96,26,9f,d3,16,e3,03,43,bc,ac,a1,\
.
--------------------- DLLs startet under kørende Processer ---------------------

- - - - - - - > 'explorer.exe'(4888)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Gennemført tid: 2009-07-07 0:45
ComboFix-quarantined-files.txt 2009-07-07 20:45
ComboFix2.txt 2009-07-03 17:38

Pre-Kørsel: 109,644,275,712 byte ledig
Post-Kørsel: 109,679,149,056 byte ledig

398 --- E O F --- 2009-07-03 06:34


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46:49 AM, on 7/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\ATKGFNEX\GFNEXSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmer\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programmer\ATKOSD2\ATKOSD2.exe
C:\Programmer\ASUS\ATK Media\DMEDIA.EXE
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Programmer\ASUS\Splendid\ACMON.exe
C:\Programmer\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Programmer\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Programmer\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Hotspot Shield\bin\openvpnas.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\Programmer\Hotspot Shield\HssWPR\hsssrv.exe
C:\WINDOWS\system32\ifxspmgt.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\ifxtcs.exe
C:\Programmer\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IfxPsdSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Programmer\AVG\AVG8\avgcsrvx.exe
C:\Programmer\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Programmer\Infineon\Security Platform Software\PSDrt.exe
C:\Programmer\Infineon\Security Platform Software\SpTna.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Spybot\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\Programmer\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programmer\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmer\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Hjælp til tilmelding til Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmer\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmer\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Programmer\Hotspot Shield\hssie\HssIE.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPEnh] "C:\Programmer\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [RTHDCPL] "RTHDCPL.EXE"
O4 - HKLM\..\Run: [SkyTel] "SkyTel.EXE"
O4 - HKLM\..\Run: [SMSERIAL] "C:\Programmer\Motorola\SMSERIAL\sm56hlpr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ATKOSD2] "C:\Programmer\ATKOSD2\ATKOSD2.exe"
O4 - HKLM\..\Run: [IFXSPMGT] "C:\WINDOWS\system32\ifxspmgt.exe" /NotifyLogon
O4 - HKLM\..\Run: [ATKMEDIA] "C:\Programmer\ASUS\ATK Media\DMEDIA.EXE"
O4 - HKLM\..\Run: [Wireless Console 2] "C:\Programmer\Wireless Console 2\wcourier.exe"
O4 - HKLM\..\Run: [Power_Gear] "C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe" 1
O4 - HKLM\..\Run: [ACMON] "C:\Programmer\ASUS\Splendid\ACMON.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Programmer\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programmer\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] "%systemroot%\system32\dumprep" 0 -u
O4 - HKLM\..\Run: [AVG8_TRAY] "C:\PROGRA~1\AVG\AVG8\avgtray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\M\Lokale indstillinger\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Spybot\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FLLESF~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Programmer\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmer\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programmer\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programmer\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase6662.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1194865892203
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - http://radaol-prod-w...agi3.0.84.2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.dans...B/e-Safekey.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C3017C7-FFDF-4D15-8DB9-677319608D6E}: NameServer = 213.234.192.7 195.14.50.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programmer\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FLLESF~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Programmer\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Programmer\ATKGFNEX\GFNEXSrv.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Programmer\Hotspot Shield\bin\openvpnas.exe

#18 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,081 posts

Posted 08 July 2009 - 08:35 AM

I do not see any reference to the bad files in your log. This is strange.

Download: CCleaner (freeware)
http://www.majorgeek...wnload4191.html
Run the installer, and uncheck the option to install the Yahoo toolbar (unless you want the Yahoo toolbar).
Once installed, run CCleaner and click the Windows tab.
The following should be selected by default; if not, please select them:
Posted Image
Next, click Options, then click the Settings tab.
Uncheck "Only delete files older than 48 hrs." and click OK.
Then click Run Cleaner (bottom right), then Exit.
*/*


Open notepad and copy/paste the text in the quote box below into it:

File::
C:\WINDOWS\System32\drivers\lsass.exe
C:\WINDOWS\System32\icondrv.exe


Save this as CFScript on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.
====

Before you post the log run this tool.

Download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it to Desktop.

Please close any open programs/windows!

Open the program and click on the Rootkit/Malware tab.
Posted Image

Make sure all the boxes on the right of the screen are checked, apart from 'Show All'.
Posted Image

Click on Scan (1).
Posted Image

When the scan has run, click Copy (2) and paste the results (if any) into this thread.

Let me know what problem persists.
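A small triage script, added here as an illustration and not part of the thread, HijackThis, ComboFix or the helper's instructions. It parses the O2/O3/O9 and O4 line formats seen in the HijackThis log above and flags two things a helper reads such logs for: a registered component whose file is missing (the O2 `(no file)` entry in the log) and a core Windows binary name that runs from somewhere other than `system32` (the `drivers\lsass.exe` path named in the CFScript). The sample lines are copied from the log plus one constructed O4 entry pointing at that path; the list of core binary names and the single expected directory are assumptions, not something the thread states.

```python
"""Triage a HijackThis-style log: flag startup entries that point at missing
files and well-known Windows binaries running from an unexpected directory.

Added example for this thread; not part of HijackThis or ComboFix.
"""
import re
from typing import Dict, List, Tuple

# Assumption: core Windows binaries whose only legitimate home on XP is
# %SystemRoot%\system32. A plain allow-list, not exhaustive.
CORE_BINARIES = {"lsass.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "smss.exe", "svchost.exe"}
SYSTEM32_DIRS = (r"c:\windows\system32",)

# O2/O3/O9 lines: "O2 - BHO: <name> - {<clsid>} - <path>"
_O2_RE = re.compile(r"^(O[239]) - [^:]+: (.*?) - \{([0-9A-Fa-f-]+)\} - (.*)$")
# O4 lines: "O4 - HKLM\..\Run: [<name>] <command>"
_O4_RE = re.compile(r"^(O4) - (\S+): \[(.*?)\] (.*)$")


def _exe_from_command(command: str) -> str:
    """Return the executable path from an O4 command, dropping quotes/args."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def parse_line(line: str) -> Dict[str, str]:
    """Parse one HijackThis line into a dict; lines of other types yield {}."""
    m = _O2_RE.match(line)
    if m:
        return {"section": m.group(1), "name": m.group(2),
                "clsid": m.group(3), "path": m.group(4)}
    m = _O4_RE.match(line)
    if m:
        return {"section": "O4", "name": m.group(3), "key": m.group(2),
                "path": _exe_from_command(m.group(4))}
    return {}


def flag_entry(entry: Dict[str, str]) -> str:
    """Return a reason string if the entry deserves a closer look, else ''."""
    if not entry:
        return ""
    path = entry["path"].strip().lower()
    if path == "(no file)":
        return "registered component whose file is missing"
    parent, _, base = path.rpartition("\\")
    if base in CORE_BINARIES and parent not in SYSTEM32_DIRS:
        return f"core Windows binary name outside system32: {path}"
    return ""


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (entry name, reason) for every flagged entry in the log."""
    hits = []
    for raw in log_text.splitlines():
        entry = parse_line(raw.strip())
        reason = flag_entry(entry)
        if reason:
            hits.append((entry["name"], reason))
    return hits


# Constructed sample: four lines taken from the thread's HijackThis log and
# one constructed O4 entry (the last line, not in the thread) that points at
# the drivers\lsass.exe path named in the CFScript.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] "C:\Programmer\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [lsass] "C:\WINDOWS\System32\drivers\lsass.exe" /start
"""

if __name__ == "__main__":
    for name, reason in triage(SAMPLE_LOG):
        print(f"{name}: {reason}")
```

The path check is deliberately a location heuristic only: it says nothing about whether the file is malicious, just that a name usually found in `system32` is loading from elsewhere, which is the same kind of cue that leads a helper to name a file in a CFScript for ComboFix to examine.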

#19 virus-problem

virus-problem

    Member

  • Full Member
  • Pip
  • 55 posts

Posted 08 July 2009 - 03:58 PM

Thank you. I will post the log files now. Tomorrow I will run the virus scan and post the results here.

ComboFix 09-07-07.A9 - M 07/08/2009 20:56.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.45.1030.18.2047.1394 [GMT 4:00]
Kører fra: c:\documents and settings\M\Skrivebord\ComboFix.exe
Kommandoer benyttet :: c:\documents and settings\M\Skrivebord\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

advarsel -DENNE MASKINE HAR IKKE GENOPRETTELSESKONSOL INSTALLERET !!

FILE ::
"c:\windows\System32\drivers\lsass.exe"
"c:\windows\System32\icondrv.exe"
.

((((((((((((((((((((((((((((( Filer skabt fra 2009-06-08 til 2009-07-08 )))))))))))))))))))))))))))))))))))
.

2009-07-01 11:22 . 2009-07-01 11:22 -------- d-----w- c:\documents and settings\M\Lokale indstillinger\Application Data\Temp
2009-06-26 13:48 . 2009-06-23 07:06 245408 ----a-w- c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\pgxeroiz.default\extensions\LogMeInClient@logmein.com\plugins\unicows.dll
2009-06-26 13:48 . 2009-04-05 10:26 8784 ----a-w- c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\pgxeroiz.default\extensions\LogMeInClient@logmein.com\plugins\ractrlkeyhook.dll
2009-06-26 13:48 . 2009-04-05 10:26 71248 ----a-w- c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\pgxeroiz.default\extensions\LogMeInClient@logmein.com\plugins\LMIProxyHelper.exe
2009-06-26 13:48 . 2009-02-19 07:38 2633728 ----a-w- c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\pgxeroiz.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
2009-06-23 18:42 . 2009-06-23 18:42 -------- d-----w- c:\programmer\JRE
2009-06-23 11:33 . 2009-05-05 09:43 2301952 ----a-w- c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\pgxeroiz.default\extensions\protecapi@protecmedia.com\plugins\NPProtecAPI.dll
2009-06-22 11:23 . 2009-06-22 11:23 239088 ----a-w- c:\documents and settings\M\Application Data\Mozilla\plugins\npgoogletalk.dll
2009-06-16 08:04 . 2009-06-16 08:04 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-10 06:58 . 2009-06-10 06:58 152576 ----a-w- c:\documents and settings\M\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-08 16:51 . 2009-03-04 07:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-07 11:26 . 2008-01-29 22:23 -------- d-----w- c:\documents and settings\M\Application Data\Skype
2009-07-07 10:36 . 2009-01-14 11:31 1 ----a-w- c:\documents and settings\M\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-07-07 08:48 . 2008-02-05 12:47 -------- d-----w- c:\documents and settings\M\Application Data\skypePM
2009-07-03 14:18 . 2008-01-28 22:29 73672 ----a-w- c:\documents and settings\M\Lokale indstillinger\Application Data\GDIPFONTCACHEV1.DAT
2009-06-28 09:55 . 2009-03-05 12:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-28 09:55 . 2009-03-05 12:22 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-28 09:55 . 2009-03-05 12:22 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-23 18:42 . 2009-01-14 11:25 -------- d-----w- c:\programmer\OpenOffice.org 3
2009-06-23 18:37 . 2008-04-10 05:39 -------- d-----w- c:\programmer\Java
2009-06-16 08:04 . 2009-03-15 15:05 -------- d-----w- c:\programmer\Malwarebytes' Anti-Malware
2009-06-10 08:36 . 2007-11-12 15:45 83682 ----a-w- c:\windows\system32\perfc006.dat
2009-06-10 08:36 . 2007-11-12 15:45 459568 ----a-w- c:\windows\system32\perfh006.dat
2009-06-09 08:48 . 2009-03-05 12:22 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-30 22:57 . 2009-05-30 22:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-05-30 22:48 . 2008-01-29 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-05-30 22:48 . 2008-01-29 22:03 -------- d-----w- c:\programmer\Yahoo!
2009-05-30 22:48 . 2009-05-30 22:48 -------- d-----w- c:\documents and settings\M\Application Data\Yahoo!
2009-05-26 15:50 . 2009-05-30 22:47 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-05-26 09:20 . 2009-03-15 15:05 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 09:19 . 2009-03-15 15:05 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-23 19:44 . 2009-05-23 19:43 6389576 ----a-w- c:\documents and settings\All Users\Application Data\Birdstep Technology\EasyConnect\Update\3Connect_update_2_of2.exe
2009-05-23 19:41 . 2009-05-23 19:41 129304 ----a-w- c:\documents and settings\All Users\Application Data\Birdstep Technology\EasyConnect\Update\3Connect_update_1_of_2.exe
2009-05-23 19:40 . 2009-05-23 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Birdstep Technology
2009-05-23 19:40 . 2009-05-23 19:40 -------- d-----w- c:\documents and settings\M\Application Data\Birdstep Technology
2009-05-23 19:39 . 2009-05-23 19:39 69387 ----a-w- c:\windows\Huawei ModemsUninstall.exe
2009-05-23 19:39 . 2009-05-23 19:39 -------- d-----w- c:\programmer\Huawei Modems
2009-05-23 19:39 . 2009-05-23 19:39 -------- d-----w- c:\programmer\3
2009-05-23 19:39 . 2007-11-12 10:06 -------- d--h--w- c:\programmer\InstallShield Installation Information
2009-05-21 07:33 . 2008-11-23 10:17 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-16 10:02 . 2008-04-11 05:53 -------- d-----w- c:\programmer\Safari
2009-05-07 15:33 . 2007-11-12 15:44 346624 ----a-w- c:\windows\system32\localspl.dll
2009-05-04 11:07 . 2009-05-19 13:01 2298680 ----a-w- c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\pgxeroiz.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
2009-04-19 19:50 . 2007-11-12 15:45 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:53 . 2007-11-12 15:45 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-07_20.43.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-08 16:31 . 2009-07-08 16:31 16384 c:\windows\Temp\Perflib_Perfdata_8cc.dat
.
((((((((((((((((((((((((((((((((((( Start steder i reg.basen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Bemærk* tomme linier & lovlige standard linier vises ikke
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-02-06 19:08 204248 ----a-w- c:\programmer\Hotspot Shield\HssIE\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\M\Lokale indstillinger\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"SpybotSD TeaTimer"="c:\spybot\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SynTPEnh"="c:\programmer\Synaptics\SynTP\SynTPEnh.exe" [2006-10-13 815104]
"SMSERIAL"="c:\programmer\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-23 630784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-20 8462336]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-20 81920]
"ATKOSD2"="c:\programmer\ATKOSD2\ATKOSD2.exe" [2007-07-03 7708672]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-02-26 677408]
"ATKMEDIA"="c:\programmer\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 61440]
"Wireless Console 2"="c:\programmer\Wireless Console 2\wcourier.exe" [2007-07-05 1040384]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-07-26 90112]
"ACMON"="c:\programmer\ASUS\Splendid\ACMON.exe" [2007-06-26 851968]
"Adobe Version Cue CS2"="c:\programmer\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 856064]
"Acrobat Assistant 7.0"="c:\programmer\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-22 483328]
"QuickTime Task"="c:\programmer\QuickTime\qttask.exe" [2009-01-05 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-28 1948440]
"SunJavaUpdateSched"="c:\programmer\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-07-05 16380416]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2007-06-15 1826816]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-06-20 1626112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\FLLESF~1\MICROS~1\DW\dwtrig20.exe" [2007-08-23 437160]

c:\documents and settings\All Users\Menuen Start\Programmer\Start\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-1-29 25214]
Adobe Gamma.lnk - c:\programmer\Fælles filer\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Adobe Reader Speed Launch.lnk - c:\programmer\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\programmer\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-28 09:55 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmer\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\Programmer\\DNA\\btdna.exe"=
"c:\\Programmer\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Programmer\\SopCast\\adv\\SopAdver.exe"=
"c:\\Programmer\\SopCast\\SopCast.exe"=
"c:\\Programmer\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\M\\Lokale indstillinger\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\M\\Lokale indstillinger\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Programmer\\TVAnts\\Tvants.exe"=
"c:\\Programmer\\ICQ6.5\\ICQ.exe"=
"c:\\Programmer\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Programmer\\Infineon\\Security Platform Software\\SpTNA.exe"=
"c:\\Programmer\\AVG\\AVG8\\avgemc.exe"=
"c:\\Programmer\\AVG\\AVG8\\avgupd.exe"=
"c:\\Programmer\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Programmer\\Java\\jre6\\bin\\java.exe"=
"c:\\Programmer\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmer\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Programmer\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmer\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/5/2009 4:22 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/5/2009 4:22 PM 108552]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [1/24/2007 7:07 AM 39080]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [3/5/2009 4:22 PM 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/5/2009 4:22 PM 298776]
R2 HssSrv;Hotspot Shield Helper Service;c:\programmer\Hotspot Shield\HssWPR\hsssrv.exe [2/6/2009 1:56 AM 117208]
R2 mdvrmng;Mobile IP Route Manager;c:\windows\system32\drivers\mdvrmng.sys [5/23/2009 11:40 PM 10240]
R2 WinDefend;Windows Defender;c:\programmer\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [11/12/2007 12:05 PM 38656]
R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [1/31/2009 1:29 AM 31704]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [11/12/2007 12:05 PM 36608]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Indhold af mappen 'Planlagte Opgaver'

2009-06-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmer\Apple Software Update\SoftwareUpdate.exe [2008-07-30 08:34]

2009-07-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1174632320-4108373775-285163711-1005Core.job
- c:\documents and settings\M\Lokale indstillinger\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 11:44]

2009-07-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1174632320-4108373775-285163711-1005UA.job
- c:\documents and settings\M\Lokale indstillinger\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 11:44]

2009-07-08 c:\windows\Tasks\MP Scheduled Scan.job
- c:\programmer\Windows Defender\MpCmdRun.exe [2006-11-03 16:20]

2009-07-08 c:\windows\Tasks\User_Feed_Synchronization-{8CBF463E-AC57-4676-9D6F-6B8D9895C2B6}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 23:01]
.
.
------- Yderligere scanning -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Convert link target to Adobe PDF - c:\programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&ksporter til Microsoft Excel
TCP: {7C3017C7-FFDF-4D15-8DB9-677319608D6E} = 213.234.192.7 195.14.50.1
DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} - hxxps://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
FF - ProfilePath - c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\pgxeroiz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\programmer\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\pgxeroiz.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\pgxeroiz.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\pgxeroiz.default\extensions\protecapi@protecmedia.com\plugins\NPProtecAPI.dll
FF - plugin: c:\documents and settings\M\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\M\Lokale indstillinger\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: c:\programmer\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\programmer\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmer\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmer\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmer\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmer\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmer\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmer\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLITIKKER ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-08 21:01
Windows 5.1.2600 Service Pack 3 NTFS

scanner skjulte processer ...

scanner skjulte autostarter ...

scanner skjulte filer ...

scanning gennemført med succes
skjulte filer: 0

**************************************************************************
.
--------------------- LÅSTE REGISTRERINGS NØGLER ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,96,26,9f,d3,16,e3,03,43,bc,ac,a1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,96,26,9f,d3,16,e3,03,43,bc,ac,a1,\
.
--------------------- DLLs startet under kørende Processer ---------------------

- - - - - - - > 'explorer.exe'(444)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Gennemført tid: 2009-07-08 21:03
ComboFix-quarantined-files.txt 2009-07-08 17:03
ComboFix2.txt 2009-07-07 20:45
ComboFix3.txt 2009-07-03 17:38

Pre-Kørsel: 109,905,416,192 byte ledig
Post-Kørsel: 109,887,508,480 byte ledig

235 --- E O F --- 2009-07-03 06:34

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-08 22:46:40
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \??\C:\DOCUME~1\M\LOKALE~1\Temp\catchme.sys pIofCallDriver

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp mdvrmng.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.15 ----

#20 virus-problem

virus-problem

    Member

  • Full Member
  • Pip
  • 55 posts

Posted 09 July 2009 - 04:09 AM

I deleted all the porn collection directories.
Then I ran a scan and there was nothing detected.
An hour or two later the files and directories were back though.
It seems like they load again every time they are deleted; there can be a time lapse, but within a while they are back.
I looked at the report from ThreatExpert and they mention that there are some modifications to the registry files so that this virus starts up whenever Windows is loaded and possibly also when the files are deleted.
But as far as I can tell they do not mention specifically what should be done to get rid of it.
Thank you.

#21 virus-problem

virus-problem

    Member

  • Full Member
  • Pip
  • 55 posts

Posted 09 July 2009 - 06:03 AM

So here is the result of a new scan. The usual suspects appeared once more. And probably within the next couple of days there will be something on the .spl files since it seems to be the two issues below here + the .spl files which this case is revolving around. Thank you.

"C:\Documents and Settings\All Users\Dokumenter\-= The Porn Collection =-\Blonde-stravaganza\VIDEO - Blonde-stravaganza.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\-= The Porn Collection =-\Casey Parker's School's Out\VIDEO - Casey Parker's School's Out.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\-= The Porn Collection =-\Extreme Ty #9 On The Prowl\VIDEO - Extreme Ty #9 On The Prowl.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\-= The Porn Collection =-\Impulsive Sex Acts\VIDEO - Impulsive Sex Acts.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\-= The Porn Collection =-\INTERNAL EXPLOSIONS 5\VIDEO - INTERNAL EXPLOSIONS 5.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\-= The Porn Collection =-\Pretty Young Ass\Pretty Young Ass.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Adobe PDF\-= The Porn Collection =-\Blonde-stravaganza\VIDEO - Blonde-stravaganza.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Adobe PDF\-= The Porn Collection =-\Casey Parker's School's Out\VIDEO - Casey Parker's School's Out.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Adobe PDF\-= The Porn Collection =-\Extreme Ty #9 On The Prowl\VIDEO - Extreme Ty #9 On The Prowl.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Adobe PDF\-= The Porn Collection =-\Impulsive Sex Acts\VIDEO - Impulsive Sex Acts.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Adobe PDF\-= The Porn Collection =-\INTERNAL EXPLOSIONS 5\VIDEO - INTERNAL EXPLOSIONS 5.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Adobe PDF\-= The Porn Collection =-\Pretty Young Ass\Pretty Young Ass.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Billeder\-= The Porn Collection =-\Blonde-stravaganza\VIDEO - Blonde-stravaganza.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Billeder\-= The Porn Collection =-\Casey Parker's School's Out\VIDEO - Casey Parker's School's Out.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Billeder\-= The Porn Collection =-\Extreme Ty #9 On The Prowl\VIDEO - Extreme Ty #9 On The Prowl.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Billeder\-= The Porn Collection =-\Impulsive Sex Acts\VIDEO - Impulsive Sex Acts.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Billeder\-= The Porn Collection =-\INTERNAL EXPLOSIONS 5\VIDEO - INTERNAL EXPLOSIONS 5.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Billeder\-= The Porn Collection =-\Pretty Young Ass\Pretty Young Ass.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\microsoft\-= The Porn Collection =-\Blonde-stravaganza\VIDEO - Blonde-stravaganza.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\microsoft\-= The Porn Collection =-\Casey Parker's School's Out\VIDEO - Casey Parker's School's Out.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\microsoft\-= The Porn Collection =-\Extreme Ty #9 On The Prowl\VIDEO - Extreme Ty #9 On The Prowl.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\microsoft\-= The Porn Collection =-\Impulsive Sex Acts\VIDEO - Impulsive Sex Acts.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\microsoft\-= The Porn Collection =-\INTERNAL EXPLOSIONS 5\VIDEO - INTERNAL EXPLOSIONS 5.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\microsoft\-= The Porn Collection =-\Pretty Young Ass\Pretty Young Ass.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Musik\-= The Porn Collection =-\Blonde-stravaganza\VIDEO - Blonde-stravaganza.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Musik\-= The Porn Collection =-\Casey Parker's School's Out\VIDEO - Casey Parker's School's Out.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Musik\-= The Porn Collection =-\Extreme Ty #9 On The Prowl\VIDEO - Extreme Ty #9 On The Prowl.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Musik\-= The Porn Collection =-\Impulsive Sex Acts\VIDEO - Impulsive Sex Acts.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Musik\-= The Porn Collection =-\INTERNAL EXPLOSIONS 5\VIDEO - INTERNAL EXPLOSIONS 5.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Musik\-= The Porn Collection =-\Pretty Young Ass\Pretty Young Ass.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Videoer\-= The Porn Collection =-\Blonde-stravaganza\VIDEO - Blonde-stravaganza.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Videoer\-= The Porn Collection =-\Casey Parker's School's Out\VIDEO - Casey Parker's School's Out.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Videoer\-= The Porn Collection =-\Extreme Ty #9 On The Prowl\VIDEO - Extreme Ty #9 On The Prowl.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Videoer\-= The Porn Collection =-\Impulsive Sex Acts\VIDEO - Impulsive Sex Acts.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Videoer\-= The Porn Collection =-\INTERNAL EXPLOSIONS 5\VIDEO - INTERNAL EXPLOSIONS 5.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\Documents and Settings\All Users\Dokumenter\Videoer\-= The Porn Collection =-\Pretty Young Ass\Pretty Young Ass.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014412.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014413.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014414.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014415.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014416.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014417.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014418.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014419.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014420.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014421.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014422.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014423.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014424.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014425.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014426.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014427.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014428.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014429.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014430.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014431.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014432.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014433.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014434.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014435.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014436.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014437.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014438.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014439.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014440.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014441.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014442.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014443.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014444.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014445.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014446.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\System Volume Information\_restore{E4BE83D2-FB62-4A8A-AF58-4D727947026E}\RP79\A0014447.exe";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"

#22 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,081 posts

Posted 09 July 2009 - 09:08 AM

Save this in NotePad as look.bat, choose to save as *all files and place it on your desktop.

rem Export the Winlogon key (holds the Shell and Userinit logon values) to a text file
regedit /e peek1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
rem Append the export to look.txt and remove the temporary file
type peek1.txt >> look.txt
del peek1.txt
rem Open the result for copying into the reply
start notepad look.txt


Doubleclick look.bat
Notepad will open with some text in it. Copy and paste the contents in your next reply.

Let's check for an MBR (Master Boot Record) infection.

Please download this file, place it on your desktop and run it.
It will run very fast.
Let me see the results.

http://www2.gmer.net/mbr/mbr.exe
nasdaq
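A defender-side check for the Winlogon export that look.bat produces, as an added example that is not nasdaq's code and not part of this thread: it parses the regedit /e output (quoted REG_SZ values, dword values, the hex(2) UIHost value and the backslash line continuations regedit writes) and flags any program appended to Shell, Userinit or UIHost beyond the stock Windows XP defaults, which is the kind of logon hook a helper reads look.txt for. The sample exports inside it are constructed from the Winlogon values posted in this thread; the appended "example-appended.exe" is a placeholder, not a file name from the thread.

```python
"""Check a `regedit /e` export of the Winlogon key for tampered logon values.

Added example for this thread (not nasdaq's look.bat and not AVG/ComboFix
output). It parses the look.txt that look.bat produces and compares the
persistence-relevant values (Shell, Userinit, UIHost) with the stock
Windows XP defaults. The sample exports below are constructed; the appended
"example-appended.exe" is a placeholder, not a real file name from the thread.
"""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Stock Windows XP defaults (compared case-insensitively; a trailing comma is normal).
EXPECTED = {
    "Shell": {"explorer.exe"},
    "Userinit": {r"c:\windows\system32\userinit.exe"},
    "UIHost": {"logonui.exe"},
}


def read_export(path):
    """Read a .reg file; regedit writes UTF-16LE with a BOM, `type` may re-encode it."""
    with open(path, "rb") as fh:
        data = fh.read()
    return data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("cp1252")


def _decode_hex(type_tag, payload):
    """Decode hex(2) (REG_EXPAND_SZ) or hex(7) (REG_MULTI_SZ) into text."""
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    text = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    # REG_MULTI_SZ strings are NUL-separated; join them with ';' for display.
    return text.replace("\x00", ";") if type_tag == "hex(7)" else text


def _unquote(s):
    # Undo .reg escaping inside a quoted string: \" -> " and \\ -> \
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {key_path: {value_name: decoded_value}} for a .reg export."""
    text = text.lstrip("\ufeff")
    # regedit wraps long hex values: a trailing backslash continues on the next line.
    text = re.sub(r"\\\r?\n\s*", "", text)
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result[current] = {}
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if m is None or current is None:
            continue
        name = "@" if m.group(1) == "@" else _unquote(m.group(2))
        value = m.group(3)
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            result[current][name] = _unquote(value[1:-1])      # REG_SZ
        elif value.startswith("dword:"):
            result[current][name] = int(value[6:], 16)         # REG_DWORD
        elif value.startswith(("hex(2):", "hex(7):")):
            tag, _, payload = value.partition(":")
            result[current][name] = _decode_hex(tag, payload)
        else:
            result[current][name] = value                      # other types: raw text
    return result


def check_winlogon(reg):
    """Return [(value_name, actual, problem)] for Winlogon values that deviate.

    An extra program appended to Userinit or Shell runs at every logon, which
    is one common way a trojan restores the files a scanner just removed.
    """
    findings = []
    values = reg.get(WINLOGON_KEY, {})
    for name, allowed in EXPECTED.items():
        actual = values.get(name)
        if actual is None:
            findings.append((name, None, "value missing from export"))
            continue
        entries = [e.strip().lower() for e in str(actual).split(",") if e.strip()]
        unexpected = [e for e in entries if e not in allowed]
        if unexpected:
            findings.append((name, actual, "unexpected entries: " + ", ".join(unexpected)))
    return findings


# Constructed sample export, modeled on the Winlogon values posted in this thread.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="M"
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"UIHost"=hex(2):6c,00,6f,00,67,00,6f,00,6e,00,75,00,69,00,2e,00,65,00,78,00,65,\
  00,00,00
"SFCDisable"=dword:00000000
'''

# Same key with a placeholder program appended to Userinit (constructed, not from the thread).
TAMPERED_EXPORT = CLEAN_EXPORT.replace(
    r'"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"',
    r'"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\example-appended.exe,"',
)

if __name__ == "__main__":
    import sys
    text = read_export(sys.argv[1]) if len(sys.argv) > 1 else TAMPERED_EXPORT
    findings = check_winlogon(parse_reg_export(text))
    for name, actual, problem in findings:
        print(f"{name}: {problem} (value: {actual!r})")
    if not findings:
        print("Winlogon values match the expected defaults")
```

Run it with the path to look.txt as the only argument to check a real export; without arguments it checks the constructed tampered sample.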

#23 virus-problem

virus-problem

    Member

  • Full Member
  • Pip
  • 55 posts

Posted 10 July 2009 - 04:43 AM

Just for the record, the .spl infection showed up today as expected:

"C:\WINDOWS\system32\spool\PRINTERS\00001.SPL";"Trojan horse Generic13.BNPB";"Infected"
"C:\WINDOWS\system32\spool\PRINTERS\00002.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00006.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00023.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00025.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00027.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00030.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00038.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00045.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00048.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00050.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00063.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00065.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00072.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00077.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00080.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00091.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00092.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00093.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00094.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00096.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00103.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00104.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00106.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00107.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00108.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00118.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00120.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00123.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00126.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00130.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00134.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00142.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00147.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00149.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00153.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00154.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00156.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00165.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00167.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00172.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00173.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00179.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00181.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00185.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00186.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00192.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00205.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00214.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00219.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00222.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00230.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00231.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00234.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00236.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00238.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00240.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00243.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00250.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00252.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00254.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00258.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00267.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00268.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00270.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00275.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00280.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00285.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00288.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00290.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00292.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00293.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00300.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00301.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00302.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00306.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00309.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00310.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00313.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00314.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00315.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00316.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00321.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00325.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00326.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00329.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00331.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00334.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00346.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00348.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00349.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00353.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00354.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00355.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00372.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00375.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00377.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00387.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00388.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00399.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00402.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00407.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00408.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00414.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00415.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00419.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00431.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00432.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00434.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00436.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00438.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00440.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00441.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00448.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00453.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00454.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00465.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00468.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00469.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00475.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00480.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00483.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00492.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00495.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00496.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00504.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00511.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00515.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00516.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00517.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00525.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00533.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00537.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00542.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00549.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00550.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00552.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"
"C:\WINDOWS\system32\spool\PRINTERS\00565.SPL";"Trojan horse Generic13.BNPB";"Moved to Virus Vault"

#24 virus-problem

virus-problem

    Member

  • Full Member
  • Pip
  • 55 posts

Posted 10 July 2009 - 04:46 AM

Here is the look report:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoRestartShell"=dword:00000001
"DefaultUserName"="M"
"LegalNoticeCaption"=""
"LegalNoticeText"=""
"PowerdownAfterShutdown"="0"
"ReportBootOk"="1"
"Shell"="Explorer.exe"
"ShutdownWithoutLogon"="0"
"System"=""
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"VmApplet"="rundll32 shell32,Control_RunDLL \"sysdm.cpl\""
"SfcQuota"=dword:ffffffff
"allocatecdroms"="0"
"allocatedasd"="0"
"allocatefloppies"="0"
"cachedlogonscount"="10"
"forceunlocklogon"=dword:00000000
"passwordexpirywarning"=dword:0000000e
"scremoveoption"="0"
"AllowMultipleTSSessions"=dword:00000001
"UIHost"=hex(2):6c,00,6f,00,67,00,6f,00,6e,00,75,00,69,00,2e,00,65,00,78,00,65,\
00,00,00
"LogonType"=dword:00000001
"Background"="0 0 0"
"DefaultPassword"=""
"DebugServerCommand"="no"
"SFCDisable"=dword:00000000
"WinStationsDisabled"="0"
"HibernationPreviouslyEnabled"=dword:00000001
"ShowLogonOptions"=dword:00000000
"AltDefaultUserName"="M"
"AltDefaultDomainName"="MOSCOW"
"DefaultDomainName"="MOSCOW"
"ChangePasswordUseKerberos"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
@="Trådløs"
"ProcessGroupPolicy"="ProcessWIRELESSPolicy"
"DllName"=hex(2):67,00,70,00,74,00,65,00,78,00,74,00,2e,00,64,00,6c,00,6c,00,\
00,00
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@="Folder Redirection"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"DllName"=hex(2):66,00,64,00,65,00,70,00,6c,00,6f,00,79,00,2e,00,64,00,6c,00,\
6c,00,00,00
"NoMachinePolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"NoGPOListChanges"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=hex(7):28,00,46,00,6f,00,6c,00,64,00,65,00,72,00,20,00,52,00,65,\
00,64,00,69,00,72,00,65,00,63,00,74,00,69,00,6f,00,6e,00,2c,00,41,00,70,00,\
70,00,6c,00,69,00,63,00,61,00,74,00,69,00,6f,00,6e,00,29,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@="Microsoft Diskkvota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=hex(2):64,00,73,00,6b,00,71,00,75,00,6f,00,74,00,61,00,2e,00,64,00,\
6c,00,6c,00,00,00
"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@="QoS-pakkeplanlægning"
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"=hex(2):67,00,70,00,74,00,65,00,78,00,74,00,2e,00,64,00,6c,00,6c,00,\
00,00
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@="Scripts"
"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
"DllName"=hex(2):67,00,70,00,74,00,65,00,78,00,74,00,2e,00,64,00,6c,00,6c,00,\
00,00
"NoSlowLink"=dword:00000001
"NoGPOListChanges"=dword:00000001
"NotifyLinkTransition"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@="Internet Explorer Zonemapping"
"DllName"="C:\\WINDOWS\\system32\\iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"="@C:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
@="Internet Explorer User Accelerators"
"DisplayName"="@C:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="C:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=hex(2):73,00,63,00,65,00,63,00,6c,00,69,00,2e,00,64,00,6c,00,6c,00,\
00,00
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:000003c0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="C:\\WINDOWS\\system32\\iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"="@C:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=hex(2):73,00,63,00,65,00,63,00,6c,00,69,00,2e,00,64,00,6c,00,6c,00,\
00,00
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
@="802.3 Group Policy"
"DisplayName"=hex(2):40,00,64,00,6f,00,74,00,33,00,67,00,70,00,63,00,6c,00,6e,\
00,74,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,31,00,30,00,30,00,00,00
"ProcessGroupPolicyEx"="ProcessLANPolicyEx"
"GenerateGroupPolicy"="GenerateLANPolicy"
"DllName"=hex(2):64,00,6f,00,74,00,33,00,67,00,70,00,63,00,6c,00,6e,00,74,00,\
2e,00,64,00,6c,00,6c,00,00,00
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@="Microsoft Offline Files"
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,\
00,73,00,63,00,75,00,69,00,2e,00,64,00,6c,00,6c,00,00,00
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@="Programinstallation"
"DllName"=hex(2):61,00,70,00,70,00,6d,00,67,00,6d,00,74,00,73,00,2e,00,64,00,\
6c,00,6c,00,00,00
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=hex(7):28,00,41,00,70,00,70,00,6c,00,69,00,63,00,61,00,74,00,69,\
00,6f,00,6e,00,20,00,4d,00,61,00,6e,00,61,00,67,00,65,00,6d,00,65,00,6e,00,\
74,00,2c,00,41,00,70,00,70,00,6c,00,69,00,63,00,61,00,74,00,69,00,6f,00,6e,\
00,29,00,00,00,28,00,4d,00,73,00,69,00,49,00,6e,00,73,00,74,00,61,00,6c,00,\
6c,00,65,00,72,00,2c,00,41,00,70,00,70,00,6c,00,69,00,63,00,61,00,74,00,69,\
00,6f,00,6e,00,29,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
@="Internet Explorer Machine Accelerators"
"DisplayName"="@C:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="C:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@="IP-sikkerhed"
"ProcessGroupPolicy"="ProcessIPSECPolicy"
"DllName"=hex(2):67,00,70,00,74,00,65,00,78,00,74,00,2e,00,64,00,6c,00,6c,00,\
00,00
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
"DLLName"="avgrsstx.dll"
"Startup"="AvgStartup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
"Asynchronous"=dword:00000001
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,\
00,69,00,6d,00,73,00,6e,00,74,00,66,00,79,00,2e,00,64,00,6c,00,6c,00,00,00
"Startup"="WlDimsStartup"
"Shutdown"="WlDimsShutdown"
"Logon"="WlDimsLogon"
"Logoff"="WlDimsLogoff"
"StartShell"="WlDimsStartShell"
"Lock"="WlDimsLock"
"Unlock"="WlDimsUnlock"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Event"=dword:00000001
"InstallEvent"="1.9.0040.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"Hjælpeassistent"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"HelpAssistant"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
"ASPNET"=dword:00000000

#25 virus-problem


Posted 10 July 2009 - 04:47 AM

Here is the MBR report:
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK


thank you.

#26 nasdaq


Posted 10 July 2009 - 08:39 AM

Keep running CCleaner to remove the files in the \temp folder.

Make sure you can see all hidden files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Are these files in your computer?
Just look in the folders listed below; if found, delete them.

C:\WINDOWS\System32\drivers\lsass.exe
C:\WINDOWS\System32\icondrv.exe

===

Please submit the file in bold to the following link for a scan, then post the results in your next message for me to see.
http://virusscan.jotti.org/

C:\WINDOWS\System32\userinit.exe
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#27 virus-problem


Posted 10 July 2009 - 10:24 AM

I did not find the 2 files even if I made all files visible.

The scan did not find anything either:
Filename: userinit.exe
Status:
Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Fri 10 Jul 2009 17:21:35 (CET)

thank you.

#28 nasdaq


Posted 10 July 2009 - 01:07 PM

Let's see what we can find in the registry that is not being reported.

Download the Registry Search Tool from here:
http://www.billsway....les/RegSrch.zip

Unzip to your Desktop and double click on regsrch.vbs
(if you have script protection, please allow this to run)

In the dialog that opens enter the following:
Blonde-stravaganza.exe

Press 'OK'

The search will run for a while then alert you when it is finished.

Press 'OK' and copy the contents of the WordPad window and post in this thread.

Repeat the registry search for this string also.

Prowl.exe
===

Next search all the files on your computer for these strings.
Blonde-stravaganza.exe
and
Prowl.exe

In the file box enter *.* and enter the strings (one at a time) in the string box.

Report anything you find.
===

Launch Notepad, and copy/paste all the blue instructions below to it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]


Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Optional if the following programs are in your computer.
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed.
===

Let's use this online scanner (don't worry, it doesn't delete anything, it only detects).

Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.
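Both the Winlogon export in post #24 and the fixme.reg above are .reg-format text. As an added example (not code from the thread or from any tool it mentions), this Python parser lists what a .reg merge will do, delete or create per key, and decodes the hex(2) DllName entries under Winlogon\Notify so they can be checked against a baseline; the sample inputs are excerpts constructed from the page's own values, and the baseline set is an assumption.

```python
"""Constructed parser for Windows .reg text (REGEDIT4 and "Version 5.00" exports).
[-Key] lines delete a key, [Key] lines create it, and hex(2)/hex(7) payloads are
UTF-16LE strings, so Winlogon DllName entries become readable and checkable."""
import re
from dataclasses import dataclass, field

@dataclass
class RegKey:
    path: str
    delete: bool = False                  # True for a "[-Key]" line
    values: dict = field(default_factory=dict)

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
_HEX_RE = re.compile(r"^hex(?:\((\d+)\))?:(.*)$")

def _logical_lines(text):
    """Yield lines with the trailing-backslash continuations of hex dumps joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf

def _decode_value(raw):
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])      # REG_SZ: unescape \\ and \"
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = _HEX_RE.match(raw)
    if m:
        kind = int(m.group(1) or 3)                      # bare "hex:" is REG_BINARY
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if kind in (2, 7):                               # REG_EXPAND_SZ / REG_MULTI_SZ
            parts = [p for p in data.decode("utf-16-le").split("\x00") if p]
            return (parts[0] if parts else "") if kind == 2 else parts
        return data
    return raw

def parse_reg(text):
    """Return the keys of a .reg file in file order; deleted keys carry no values."""
    keys, current = [], None
    for line in _logical_lines(text):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            current = RegKey(body.lstrip("-"), delete=body.startswith("-"))
            keys.append(current)
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None and not current.delete:
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]
            current.values[name] = _decode_value(m.group(2))
    return keys

NOTIFY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\"

def unexpected_notify_dlls(keys, baseline):
    """Map Notify package name -> DllName for every DLL not in the baseline set."""
    found = {}
    for k in keys:
        if k.delete or not k.path.startswith(NOTIFY):
            continue
        dll = next((v for n, v in k.values.items() if n.lower() == "dllname"), None)
        if dll is not None and dll.lower().rsplit("\\", 1)[-1] not in baseline:
            found[k.path[len(NOTIFY):]] = dll            # %SystemRoot%\System32\ stripped
    return found

# Start of the thread's fixme.reg: each ZoneMap key is deleted, then recreated empty.
FIXME_REG = r"""REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
"""

# Excerpt of the Winlogon export from post #24 (sample constructed from the page's values).
WINLOGON_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"SFCDisable"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
"DLLName"="avgrsstx.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,\
  00,69,00,6d,00,73,00,6e,00,74,00,66,00,79,00,2e,00,64,00,6c,00,6c,00,00,00
"""

# Assumed baseline: the Notify DLLs Windows XP registers itself, plus AVG's avgrsstx.dll.
BASELINE_XP_NOTIFY = {"avgrsstx.dll", "crypt32.dll", "cryptnet.dll", "cscdll.dll",
                      "dimsntfy.dll", "wlnotify.dll", "sclgntfy.dll", "wgalogon.dll"}
```

Running `parse_reg(FIXME_REG)` shows the delete/create pairs, and `unexpected_notify_dlls(parse_reg(WINLOGON_EXPORT), BASELINE_XP_NOTIFY)` returns an empty dict for the page's export, so the Notify hooks shown there are the expected ones.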

#29 virus-problem


Posted 11 July 2009 - 07:11 AM

I did not find any of the files anywhere. They seem only to appear just after the breakout of the virus. But not after AVG has removed the threat.

Here is the Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, July 11, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, July 11, 2009 11:31:41
Records in database: 2459788
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 121322
Threat name: 1
Infected objects: 102
Suspicious objects: 0
Duration of the scan: 02:05:13


File name / Threat name / Threats count
C:\Documents and Settings\M\.housecall6.6\Quarantine\00137.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\00316.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\00348.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\00518.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\00572.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\00632.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\00709.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\00887.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\00908.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\00920.SPL.bac_a01108 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\00920.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\00999.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01044.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01048.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01054.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01062.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01064.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01089.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01092.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01109.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01117.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01119.SPL.bac_a01108 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01119.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01144.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01145.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01151.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01163.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01201.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01231.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01233.SPL.bac_a03968 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01255.SPL.bac_a01108 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01255.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01262.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01270.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01273.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01275.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01283.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01287.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01314.SPL.bac_a01108 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01314.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01323.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01327.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01342.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01343.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01346.SPL.bac_a03968 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01347.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01348.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01349.SPL.bac_a03968 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01350.SPL.bac_a03968 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01359.SPL.bac_a01108 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01359.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01360.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01367.SPL.bac_a01108 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01367.SPL.bac_a03968 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01368.SPL.bac_a03968 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01370.SPL.bac_a03968 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01372.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01374.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01377.SPL.bac_a03968 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01378.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01382.SPL.bac_a03968 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01384.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01392.SPL.bac_a03968 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01394.SPL.bac_a03968 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01398.SPL.bac_a01108 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01398.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01399.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01401.SPL.bac_a01108 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01401.SPL.bac_a03968 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01406.SPL.bac_a03968 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01413.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01414.SPL.bac_a03968 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01418.SPL.bac_a03968 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01420.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01421.SPL.bac_a03968 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01426.SPL.bac_a03968 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01427.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01428.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01436.SPL.bac_a01108 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01436.SPL.bac_a03968 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01441.SPL.bac_a03968 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01444.SPL.bac_a03968 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01448.SPL.bac_a03968 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01455.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01458.SPL.bac_a01108 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01458.SPL.bac_a03968 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01459.SPL.bac_a03968 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01460.SPL.bac_a03968 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01469.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01475.SPL.bac_a01108 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01483.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01486.SPL.bac_a01108 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01495.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01499.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01507.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01517.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01529.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01541.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01553.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01567.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01574.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1
C:\Documents and Settings\M\.housecall6.6\Quarantine\01589.SPL.bac_a05200 Infected: Worm.Win32.AutoRun.xxn 1

The selected area was scanned.

Thank you.

#30 nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 11 July 2009 - 08:38 AM

The only things found were in your Quarantine folder.
You should empty that folder also.

I hope that this tool will reveal some details of this infection.
I googled a lot of information pertaining to this infection, and I cannot find any other topics on the web that can help me pinpoint the source.

Download OTL.exe by OldTimer to your Desktop.
  • Close all windows and double click OTL.exe.
  • Click Run Scan and let the program run uninterrupted.
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.

nasdaq


#31 virus-problem

    Member

  • Full Member
  • 55 posts

Posted 11 July 2009 - 10:25 AM

Yes, I agree. It seems rather strange that it is so hard to catch this virus, and that no information has been published elsewhere.

But anyway, here are the log files:
OTL logfile created on: 7/11/2009 7:22:01 PM - Run 1
OTL by OldTimer - Version 3.0.7.1 Folder = C:\Documents and Settings\M\Skrivebord
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18372)
Locale: 00000409 | Country: USA | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.24 Gb Available Physical Memory | 62.20% Memory free
3.85 Gb Paging File | 3.18 Gb Available in Paging File | 82.61% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programmer
Drive C: | 149.04 Gb Total Space | 101.97 Gb Free Space | 68.41% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MOSCOW
Current User Name: M
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 90 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2006/11/03 20:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Programmer\Windows Defender\MsMpEng.exe
PRC - [2007/08/08 03:08:40 | 00,094,208 | ---- | M] () -- C:\Programmer\ATKGFNEX\GFNEXSrv.exe
PRC - [2008/04/14 20:05:49 | 01,034,752 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2006/10/13 05:55:00 | 00,815,104 | ---- | M] (Synaptics, Inc.) -- C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
PRC - [2007/07/06 03:08:00 | 16,380,416 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE
PRC - [2006/11/23 04:31:00 | 00,630,784 | ---- | M] (Motorola Inc.) -- C:\Programmer\Motorola\SMSERIAL\sm56hlpr.exe
PRC - [2007/07/03 13:48:02 | 07,708,672 | ---- | M] () -- C:\Programmer\ATKOSD2\ATKOSD2.exe
PRC - [2006/11/02 11:27:32 | 00,061,440 | ---- | M] (ASUSTeK Computer INC.) -- C:\Programmer\ASUS\ATK Media\DMEDIA.EXE
PRC - [2007/07/05 19:53:44 | 01,040,384 | ---- | M] () -- C:\Programmer\Wireless Console 2\wcourier.exe
PRC - [2006/07/26 21:01:06 | 00,090,112 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
PRC - [2007/06/26 19:23:38 | 00,851,968 | ---- | M] (ATK) -- C:\Programmer\ASUS\Splendid\ACMON.exe
PRC - [2008/04/23 02:08:13 | 00,483,328 | ---- | M] (Adobe Systems Inc.) -- C:\Programmer\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
PRC - [2005/04/04 21:58:28 | 00,163,840 | ---- | M] (Adobe Systems Incorporated) -- C:\Programmer\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
PRC - [2009/06/28 13:55:26 | 01,948,440 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Programmer\AVG\AVG8\avgtray.exe
PRC - [2009/05/21 11:34:07 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programmer\Java\jre6\bin\jusched.exe
PRC - [2009/06/28 13:55:14 | 00,298,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Programmer\AVG\AVG8\avgwdsvc.exe
PRC - [2009/02/06 02:07:14 | 00,088,024 | ---- | M] () -- C:\Programmer\Hotspot Shield\bin\openvpnas.exe
PRC - [2009/03/05 17:07:20 | 02,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Spybot\TeaTimer.exe
PRC - [2005/07/06 18:43:42 | 00,155,648 | ---- | M] (ASUSTeK) -- C:\WINDOWS\System32\ACEngSvr.exe
PRC - [2009/02/06 01:56:14 | 00,117,208 | ---- | M] (AnchorFree Inc.) -- C:\Programmer\Hotspot Shield\HssWPR\hsssrv.exe
PRC - [2007/02/26 22:29:00 | 00,677,408 | ---- | M] (Infineon Technologies AG) -- C:\WINDOWS\System32\ifxspmgt.exe
PRC - [2007/02/23 09:12:00 | 00,849,440 | ---- | M] (Infineon Technologies AG) -- C:\WINDOWS\System32\ifxtcs.exe
PRC - [2009/05/21 11:34:05 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programmer\Java\jre6\bin\jqs.exe
PRC - [2009/06/28 13:55:29 | 00,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Programmer\AVG\AVG8\avgrsx.exe
PRC - [2009/06/09 12:48:52 | 00,594,712 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Programmer\AVG\AVG8\avgnsx.exe
PRC - [2007/06/20 23:21:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe
PRC - [2007/02/23 09:32:00 | 00,140,832 | ---- | M] (Infineon Technologies AG) -- C:\WINDOWS\System32\IfxPsdSv.exe
PRC - [2008/11/10 00:48:14 | 00,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Programmer\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2009/06/28 13:55:23 | 00,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Programmer\AVG\AVG8\avgemc.exe
PRC - [2009/06/28 13:55:28 | 00,692,504 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Programmer\AVG\AVG8\avgcsrvx.exe
PRC - [2005/04/04 21:58:30 | 03,502,080 | ---- | M] () -- C:\Programmer\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
PRC - [2007/01/24 07:15:00 | 00,181,792 | ---- | M] (Infineon Technologies AG) -- C:\Programmer\Infineon\Security Platform Software\PSDrt.exe
PRC - [2007/01/24 07:00:00 | 00,661,024 | ---- | M] (Infineon Technologies AG) -- C:\Programmer\Infineon\Security Platform Software\SpTna.exe
PRC - [2009/07/11 19:15:09 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\M\Skrivebord\OTL.exe
PRC - [2008/04/14 20:05:56 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\notepad.exe
PRC - [2008/04/14 20:05:56 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\notepad.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/01/29 02:52:04 | 00,072,704 | ---- | M] (Adobe Systems) -- C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service [On_Demand | Stopped])
SRV - [2005/04/04 21:58:28 | 00,163,840 | ---- | M] (Adobe Systems Incorporated) -- C:\Programmer\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe -- (Adobe Version Cue CS2 [Auto | Running])
SRV - [2008/07/25 12:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2007/08/08 03:08:40 | 00,094,208 | ---- | M] () -- C:\Programmer\ATKGFNEX\GFNEXSrv.exe -- (ATKGFNEXSrv [Auto | Running])
SRV - [2009/06/28 13:55:23 | 00,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Programmer\AVG\AVG8\avgemc.exe -- (avg8emc [Auto | Running])
SRV - [2009/06/28 13:55:14 | 00,298,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Programmer\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
SRV - [2008/07/25 12:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/29 22:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/04/14 20:05:31 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2009/02/06 02:07:14 | 00,088,024 | ---- | M] () -- C:\Programmer\Hotspot Shield\bin\openvpnas.exe -- (HotspotShieldService [Auto | Running])
SRV - [2009/02/06 01:56:14 | 00,117,208 | ---- | M] (AnchorFree Inc.) -- C:\Programmer\Hotspot Shield\HssWPR\hsssrv.exe -- (HssSrv [Auto | Running])
SRV - [2004/10/22 03:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Programmer\Fælles filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2008/07/29 20:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2007/02/26 22:29:00 | 00,677,408 | ---- | M] (Infineon Technologies AG) -- C:\WINDOWS\System32\ifxspmgt.exe -- (IFXSpMgtSrv [Auto | Running])
SRV - [2007/02/23 09:12:00 | 00,849,440 | ---- | M] (Infineon Technologies AG) -- C:\WINDOWS\System32\ifxtcs.exe -- (IFXTCS [Auto | Running])
SRV - [2009/05/21 11:34:05 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programmer\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2008/07/29 20:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2007/06/20 23:21:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe -- (NVSvc [Auto | Running])
SRV - [2007/02/23 09:32:00 | 00,140,832 | ---- | M] (Infineon Technologies AG) -- C:\WINDOWS\System32\IfxPsdSv.exe -- (PersonalSecureDriveService [Auto | Running])
SRV - [2006/11/03 20:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Programmer\Windows Defender\MsMpEng.exe -- (WinDefend [Auto | Running])
SRV - [2006/11/15 10:30:12 | 00,914,432 | ---- | M] (Microsoft Corporation) -- C:\Programmer\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])
SRV - [2008/11/10 00:48:14 | 00,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Programmer\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2007/07/24 14:09:04 | 00,013,880 | ---- | M] () -- C:\Programmer\ATKGFNEX\ASMMAP.sys -- (ASMMAP [Auto | Running])
DRV - [2007/03/16 01:12:00 | 00,038,656 | ---- | M] (Attansic Technology corporation.) -- C:\WINDOWS\System32\DRIVERS\atl01_xp.sys -- (AtcL001 [On_Demand | Running])
DRV - [2009/06/28 13:55:28 | 00,327,688 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86 [System | Running])
DRV - [2009/06/28 13:55:28 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86 [System | Running])
DRV - [2009/06/09 12:48:48 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX [System | Running])
DRV - [2008/04/13 20:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2009/02/06 01:55:12 | 00,031,704 | ---- | M] (AnchorFree Inc.) -- C:\WINDOWS\System32\DRIVERS\HssDrv.sys -- (HssDrv [On_Demand | Running])
DRV - [2007/08/08 14:12:40 | 00,101,120 | ---- | M] (Huawei Technologies Co., Ltd.) -- C:\WINDOWS\System32\DRIVERS\ewusbmdm.sys -- (hwdatacard [On_Demand | Stopped])
DRV - [2007/01/24 06:13:00 | 00,036,608 | ---- | M] (Infineon Technologies AG) -- C:\WINDOWS\System32\DRIVERS\IFXTPM.SYS -- (IFXTPM [On_Demand | Running])
DRV - [2007/07/19 06:26:00 | 04,547,584 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
DRV - [2007/01/25 05:08:00 | 00,005,632 | ---- | M] ( ) -- C:\WINDOWS\System32\DRIVERS\kbfiltr.sys -- (kbfiltr [On_Demand | Running])
DRV - [2007/05/28 17:00:22 | 00,010,240 | ---- | M] () -- C:\WINDOWS\System32\drivers\mdvrmng.sys -- (mdvrmng [Auto | Running])
DRV - [2001/08/18 00:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Running])
DRV - [2007/08/28 08:58:00 | 00,005,760 | ---- | M] () -- C:\WINDOWS\System32\DRIVERS\ATKACPI.sys -- (MTsensor [On_Demand | Running])
DRV - [2007/06/21 15:43:00 | 02,208,512 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\NETw4x32.sys -- (NETw4x32 [On_Demand | Stopped])
DRV - [2007/06/20 23:21:00 | 06,804,416 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2007/01/24 07:07:00 | 00,039,080 | ---- | M] (Infineon Technologies AG) -- C:\WINDOWS\System32\drivers\psd.sys -- (PersonalSecureDrive [System | Running])
DRV - [2004/08/27 16:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2008/11/22 01:47:48 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2007/02/25 01:42:00 | 00,039,936 | ---- | M] (REDC) -- C:\WINDOWS\System32\DRIVERS\rimmptsk.sys -- (rimmptsk [Auto | Running])
DRV - [2007/01/24 03:40:00 | 00,042,496 | ---- | M] (REDC) -- C:\WINDOWS\System32\DRIVERS\rimsptsk.sys -- (rimsptsk [Auto | Running])
DRV - [2007/03/22 09:02:00 | 00,037,376 | ---- | M] (REDC) -- C:\WINDOWS\System32\DRIVERS\rixdptsk.sys -- (rismxdp [Auto | Running])
DRV - [2007/11/13 14:25:52 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2006/11/23 04:35:00 | 00,982,272 | ---- | M] (Motorola Inc.) -- C:\WINDOWS\System32\DRIVERS\smserial.sys -- (smserial [On_Demand | Running])
DRV - [2007/10/01 17:59:46 | 01,769,984 | ---- | M] () -- C:\WINDOWS\System32\DRIVERS\snp2uvc.sys -- (SNP2UVC [On_Demand | Running])
DRV - [2007/05/02 12:11:16 | 00,083,592 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\System32\DRIVERS\ss_bus.sys -- (ss_bus [On_Demand | Stopped])
DRV - [2007/05/02 12:11:18 | 00,015,112 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\System32\DRIVERS\ss_mdfl.sys -- (ss_mdfl [On_Demand | Stopped])
DRV - [2007/05/02 12:11:18 | 00,109,704 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\System32\DRIVERS\ss_mdm.sys -- (ss_mdm [On_Demand | Stopped])
DRV - [2008/12/31 00:19:28 | 00,005,632 | ---- | M] () -- C:\WINDOWS\System32\drivers\StarOpen.sys -- (StarOpen [System | Running])
DRV - [2006/10/13 05:28:00 | 00,198,976 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\System32\DRIVERS\SynTP.sys -- (SynTP [On_Demand | Running])
DRV - [2008/01/24 01:25:32 | 00,027,136 | ---- | M] (The OpenVPN Project) -- C:\WINDOWS\System32\DRIVERS\tapvpn.sys -- (tapvpn [On_Demand | Running])
DRV - [2008/04/13 22:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.c...rch/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmer\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.5
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}:6.0.04
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}:6.0.05
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}:6.0.07
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}:6.0.10
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}:6.0.12
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}:6.0.14
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: LogMeInClient@logmein.com:1.0.0.407
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.0
FF - prefs.js..extensions.enabledItems: protecapi@protecmedia.com:1.5.0.5
FF - prefs.js..extensions.enabledItems: {d57c9ff1-6389-48fc-b770-f78bd89b6e8a}:1.30
FF - prefs.js..extensions.enabledItems: seo4firefox@seobook.com:3.1.3
FF - prefs.js..extensions.enabledItems: firefox@tvunetworks.com:2
FF - prefs.js..extensions.enabledItems: 4
FF - prefs.js..extensions.enabledItems: 6
FF - prefs.js..extensions.enabledItems: 1
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.11
FF - prefs.js..network.proxy.backup.ftp: "67.69.254.251"
FF - prefs.js..network.proxy.backup.ftp_port: 80
FF - prefs.js..network.proxy.backup.gopher: "67.69.254.251"
FF - prefs.js..network.proxy.backup.gopher_port: 80
FF - prefs.js..network.proxy.backup.socks: "67.69.254.251"
FF - prefs.js..network.proxy.backup.socks_port: 80
FF - prefs.js..network.proxy.backup.ssl: "67.69.254.251"
FF - prefs.js..network.proxy.backup.ssl_port: 80
FF - prefs.js..network.proxy.ftp: "12.47.164.114"
FF - prefs.js..network.proxy.ftp_port: 8888
FF - prefs.js..network.proxy.gopher: "12.47.164.114"
FF - prefs.js..network.proxy.gopher_port: 8888
FF - prefs.js..network.proxy.http: "12.47.164.114"
FF - prefs.js..network.proxy.http_port: 8888
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "12.47.164.114"
FF - prefs.js..network.proxy.socks_port: 8888
FF - prefs.js..network.proxy.ssl: "12.47.164.114"
FF - prefs.js..network.proxy.ssl_port: 8888


FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2008/08/09 21:15:28 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/02/03 17:29:08 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Programmer\AVG\AVG8\Firefox [2009/06/28 13:56:25 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Programmer\Java\jre6\lib\deploy\jqs\ff [2009/03/06 13:23:35 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Components: C:\Programmer\Mozilla Firefox\components [2009/07/01 12:55:02 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Plugins: C:\Programmer\Mozilla Firefox\plugins [2009/06/13 23:27:53 | 00,000,000 | ---D | M]

[2008/06/24 00:25:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\M\Application Data\mozilla\Extensions
[2008/06/24 00:25:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\M\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/07/08 20:45:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\M\Application Data\mozilla\Firefox\Profiles\pgxeroiz.default\extensions
[2009/05/19 17:01:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\M\Application Data\mozilla\Firefox\Profiles\pgxeroiz.default\extensions\{d57c9ff1-6389-48fc-b770-f78bd89b6e8a}
[2009/05/19 17:01:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\M\Application Data\mozilla\Firefox\Profiles\pgxeroiz.default\extensions\firefox@tvunetworks.com
[2009/06/26 17:48:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\M\Application Data\mozilla\Firefox\Profiles\pgxeroiz.default\extensions\LogMeInClient@logmein.com
[2009/06/23 15:33:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\M\Application Data\mozilla\Firefox\Profiles\pgxeroiz.default\extensions\protecapi@protecmedia.com
[2009/04/26 10:13:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\M\Application Data\mozilla\Firefox\Profiles\pgxeroiz.default\extensions\seo4firefox@seobook.com
[2009/07/08 20:45:14 | 00,000,000 | ---D | M] -- C:\Programmer\mozilla firefox\extensions
[2009/06/13 23:27:53 | 00,000,000 | ---D | M] -- C:\Programmer\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2008/04/10 09:39:40 | 00,000,000 | ---D | M] -- C:\Programmer\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
[2008/04/10 18:45:28 | 00,000,000 | ---D | M] -- C:\Programmer\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
[2008/07/22 21:45:51 | 00,000,000 | ---D | M] -- C:\Programmer\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2008/11/23 14:17:51 | 00,000,000 | ---D | M] -- C:\Programmer\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
[2009/03/06 13:24:03 | 00,000,000 | ---D | M] -- C:\Programmer\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
[2009/04/06 23:26:21 | 00,000,000 | ---D | M] -- C:\Programmer\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/06/10 10:59:31 | 00,000,000 | ---D | M] -- C:\Programmer\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
[2009/06/13 23:27:46 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Programmer\mozilla firefox\components\browserdirprovider.dll
[2009/06/13 23:27:46 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Programmer\mozilla firefox\components\brwsrcmp.dll
[2009/05/21 11:33:58 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programmer\mozilla firefox\plugins\npdeploytk.dll
[2008/11/22 01:45:04 | 01,332,224 | ---- | M] (DivX,Inc.) -- C:\Programmer\mozilla firefox\plugins\npdivx32.dll
[2008/11/22 01:45:26 | 00,098,304 | ---- | M] (DivX, Inc) -- C:\Programmer\mozilla firefox\plugins\npDivxPlayerPlugin.dll
[2009/02/06 13:44:28 | 01,447,296 | ---- | M] (Microsoft Corporation) -- C:\Programmer\mozilla firefox\plugins\npLegitCheckPlugin.dll
[2009/06/13 23:27:48 | 00,065,528 | ---- | M] (mozilla.org) -- C:\Programmer\mozilla firefox\plugins\npnul32.dll
[2008/08/09 21:15:21 | 00,144,984 | ---- | M] (RealNetworks, Inc.) -- C:\Programmer\mozilla firefox\plugins\nppl3260.dll
[2009/02/14 15:02:31 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Programmer\mozilla firefox\plugins\npqtplugin.dll
[2009/02/14 15:02:31 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Programmer\mozilla firefox\plugins\npqtplugin2.dll
[2009/02/14 15:02:31 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Programmer\mozilla firefox\plugins\npqtplugin3.dll
[2009/02/14 15:02:31 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Programmer\mozilla firefox\plugins\npqtplugin4.dll
[2009/02/14 15:02:31 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Programmer\mozilla firefox\plugins\npqtplugin5.dll
[2009/02/14 15:02:31 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Programmer\mozilla firefox\plugins\npqtplugin6.dll
[2009/02/14 15:02:31 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Programmer\mozilla firefox\plugins\npqtplugin7.dll
[2008/08/09 21:15:31 | 00,008,192 | ---- | M] (RealNetworks, Inc.) -- C:\Programmer\mozilla firefox\plugins\nprjplug.dll
[2008/08/09 21:15:17 | 00,094,208 | ---- | M] (RealNetworks, Inc.) -- C:\Programmer\mozilla firefox\plugins\nprpjplug.dll
[2008/08/12 18:37:29 | 00,221,184 | ---- | M] (CNN) -- C:\Programmer\mozilla firefox\plugins\NPTURNMED.dll
[2008/05/29 18:24:14 | 00,001,394 | ---- | M] () -- C:\Programmer\mozilla firefox\searchplugins\amazondotcom.xml
[2008/05/29 18:24:14 | 00,002,193 | ---- | M] () -- C:\Programmer\mozilla firefox\searchplugins\answers.xml
[2008/05/29 18:24:14 | 00,001,534 | ---- | M] () -- C:\Programmer\mozilla firefox\searchplugins\creativecommons.xml
[2008/11/13 18:56:38 | 00,002,343 | ---- | M] () -- C:\Programmer\mozilla firefox\searchplugins\eBay.xml
[2008/05/29 18:24:14 | 00,001,706 | ---- | M] () -- C:\Programmer\mozilla firefox\searchplugins\google.xml
[2008/05/29 18:24:14 | 00,001,178 | ---- | M] () -- C:\Programmer\mozilla firefox\searchplugins\wikipedia.xml
[2008/05/29 18:24:14 | 00,000,792 | ---- | M] () -- C:\Programmer\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (686 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programmer\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programmer\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmer\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Hjælp til tilmelding til Windows Live) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmer\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmer\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (Hotspot Shield Class) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Programmer\Hotspot Shield\hssie\HssIE.dll (AnchorFree Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Programmer\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmer\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ACMON] C:\Programmer\ASUS\Splendid\ACMON.exe (ATK)
O4 - HKLM..\Run: [Acrobat Assistant 7.0] C:\Programmer\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Version Cue CS2] C:\Programmer\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe (Adobe Sytems Incorporated)
O4 - HKLM..\Run: [ATKMEDIA] C:\Programmer\ASUS\ATK Media\DMEDIA.EXE (ASUSTeK Computer INC.)
O4 - HKLM..\Run: [ATKOSD2] C:\Programmer\ATKOSD2\ATKOSD2.exe ()
O4 - HKLM..\Run: [AVG8_TRAY] C:\Programmer\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [IFXSPMGT] C:\WINDOWS\System32\ifxspmgt.exe (Infineon Technologies AG)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Programmer\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SkyTel] C:\WINDOWS\SkyTel.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SMSERIAL] C:\Programmer\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - HKLM..\Run: [Wireless Console 2] C:\Programmer\Wireless Console 2\wcourier.exe ()
O4 - HKCU..\Run: [Google Update] C:\Documents and Settings\M\Lokale indstillinger\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Spybot\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\Adobe Gamma.lnk = C:\Programmer\Fælles filer\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Reader 8.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\Adobe Reader Synchronizer.lnk = C:\Programmer\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - C:\Programmer\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&ksporter til Microsoft Excel - Reg Error: Value error. File not found
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmer\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Spybot\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programmer\ICQ6.5\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programmer\ICQ6.5\ICQ.exe (ICQ, LLC.)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe (Microsoft Corporation)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} http://www.ipix.com/download/ipixx.cab (iPIX ActiveX Control)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx2.hotmail....es/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onec...lscbase6662.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1194865892203 (WUWebControl Class)
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} http://radaol-prod-w...agi3.0.84.2.cab (UnagiAx Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} https://netbank.dans...B/e-Safekey.cab (e-Safekey)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logme...trl.cab?lmi=100 (Performance Viewer Activex Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 213.234.192.8 85.21.192.3
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programmer\Fælles filer\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programmer\Fælles filer\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programmer\Fælles filer\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programmer\Fælles filer\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programmer\Fælles filer\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programmer\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Programmer\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programmer\Fælles filer\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programmer\Fælles filer\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Programmer\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programmer\Fælles filer\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - CLSID or File not found.
O24 - Desktop Components:0 (Min aktuelle startside) - About:Home
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Programmer\Windows Defender\MpShHook.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/01/30 02:52:13 | 00,000,050 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 90 Days ==========

[1 C:\*.tmp files]
[2009/07/11 19:15:05 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\M\Skrivebord\OTL.exe
[2009/07/11 13:48:16 | 00,000,991 | ---- | C] () -- C:\Documents and Settings\M\Skrivebord\fixme.reg
[2009/07/11 12:19:12 | 00,001,383 | ---- | C] () -- C:\Documents and Settings\M\Skrivebord\RegSrch.zip
[2009/07/10 18:35:31 | 00,002,425 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\chelsea-hoody-top-blue-ad.jpg
[2009/07/10 18:35:14 | 00,074,223 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\chelsea-hoody-top-blue.jpg
[2009/07/10 18:28:33 | 00,001,932 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\liverpool-track-top-white-ad.jpg
[2009/07/10 18:28:07 | 00,055,289 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\liverpool-track-top-white.jpg
[2009/07/10 13:44:35 | 00,000,162 | ---- | C] () -- C:\Documents and Settings\M\Skrivebord\look.bat
[2009/07/09 22:40:41 | 00,031,252 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\real-madrid-home-ronaldo-9.jpg
[2009/07/09 17:50:14 | 00,054,022 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\liverpool-fc-t-shirt-phantom.jpg
[2009/07/09 17:10:44 | 00,071,150 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\liverpool-away-shorts-backside.jpg
[2009/07/09 16:31:49 | 00,003,055 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\liverpool-originals-jersey-ad.jpg
[2009/07/09 16:23:24 | 00,023,294 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\liverpool-away-short-9.jpg
[2009/07/09 16:18:45 | 00,001,821 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\fc-bayern-tie-ad.jpg
[2009/07/09 16:14:12 | 00,002,997 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\fc-bayern-flag-black-ad.jpg
[2009/07/09 16:09:50 | 00,002,348 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\blackburn-home-jersey-ad.jpg
[2009/07/09 15:48:35 | 00,002,344 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\werder-bremen-3rd-jersey-ad.jpg
[2009/07/09 15:42:23 | 00,002,173 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\werder-bremen-jersey-ad.jpg
[2009/07/09 00:53:24 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/07/08 20:53:56 | 00,286,208 | ---- | C] () -- C:\Documents and Settings\M\Skrivebord\gmer.exe
[2009/07/08 20:44:44 | 00,278,221 | ---- | C] () -- C:\Documents and Settings\M\Skrivebord\gmer.zip
[2009/07/08 14:22:18 | 00,014,495 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\liverpool-home-short-9.jpg
[2009/07/08 14:04:11 | 00,025,024 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\liverpool-home-shorts-9.jpg
[2009/07/08 13:20:54 | 00,021,202 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\liverpool-away-shorts-9.jpg
[2009/07/08 13:06:27 | 00,027,439 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\barcelona-home-shorts-10.jpg
[2009/07/08 12:56:47 | 00,026,853 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\barcelona-shorts-10.jpg
[2009/07/08 12:41:20 | 00,018,578 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\real-madrid-youth-short-9.jpg
[2009/07/08 12:35:15 | 00,007,352 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\real-madrid-short-number-9.jpg
[2009/07/08 12:29:55 | 00,009,166 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\real-madrid-home-shorts-9.jpg
[2009/07/08 00:37:36 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/07/08 00:37:36 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/07/08 00:37:36 | 00,155,136 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/07/08 00:37:36 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/07/08 00:37:36 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/07/08 00:37:36 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/07/08 00:37:36 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/07/08 00:37:36 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/07/08 00:37:28 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/07/08 00:35:36 | 03,046,728 | R--- | C] () -- C:\Documents and Settings\M\Skrivebord\ComboFix.exe
[2009/07/08 00:34:15 | 01,006,853 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\IMG_0280[1].jpg
[2009/07/08 00:34:13 | 01,178,858 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\IMG_0239[1].jpg
[2009/07/08 00:34:10 | 00,914,825 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\IMG_0277[1].jpg
[2009/07/08 00:34:07 | 00,956,704 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\IMG_0213[1].jpg
[2009/07/08 00:17:13 | 00,942,120 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\IMG_0363[1].jpg
[2009/07/08 00:17:11 | 00,941,446 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\IMG_0365[1].jpg
[2009/07/08 00:17:01 | 00,783,970 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\IMG_0335[1].jpg
[2009/07/08 00:07:56 | 00,883,905 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\IMG_0283[1].jpg
[2009/07/08 00:07:53 | 00,862,960 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\IMG_0276[1].jpg
[2009/07/08 00:07:50 | 01,052,817 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\IMG_0260[1].jpg
[2009/07/07 22:01:48 | 01,131,776 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\IMG_0257[1].jpg
[2009/07/07 22:01:35 | 01,146,981 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\IMG_0250[1].jpg
[2009/07/07 21:59:30 | 00,360,304 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\liverpool-sweat-top-red-youth.jpg
[2009/07/07 19:00:02 | 00,002,315 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\portugal-home-jersey-ronaldo-ad.jpg
[2009/07/07 18:36:00 | 00,002,146 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\real-madrid-home-jersey-ad.jpg
[2009/07/07 16:44:30 | 00,002,026 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\real-madrid-away-jersey-ad.jpg
[2009/07/07 16:25:07 | 00,002,172 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\real-madrid-woolie-ad.jpg
[2009/07/07 16:12:01 | 00,002,608 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\real-madrid-scarf-ad.jpg
[2009/07/07 16:06:42 | 00,001,421 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\real-madrid-home-socks-ad.jpg
[2009/07/07 15:55:51 | 00,001,792 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\real-madrid-home-short-ad.jpg
[2009/07/07 11:43:12 | 00,016,356 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\J454896.PDF
[2009/07/07 11:43:02 | 00,018,326 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\J431511.PDF
[2009/07/06 23:11:01 | 00,367,020 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\file-sharing-paper.pdf
[2009/07/06 12:15:24 | 00,396,985 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\blockbustersin-movies-paper.pdf
[2009/07/03 21:37:49 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\dllcache\cache
[2009/07/03 18:42:04 | 00,000,464 | ---- | C] () -- C:\Documents and Settings\M\Skrivebord\Genvej til RunThis.lnk
[2009/07/03 15:49:27 | 00,001,963 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\barca-3rd-kit-alves-20.jpg
[2009/07/03 15:45:14 | 00,002,254 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\barca-home-kit-custom-name.jpg
[2009/07/03 14:59:43 | 00,001,696 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\barca-3rd-kit-messi.jpg
[2009/07/03 14:57:55 | 00,002,016 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\barca-away-own-name.jpg
[2009/07/03 14:56:34 | 00,002,076 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\barca-home-kit-messi-10.jpg
[2009/07/03 14:53:42 | 00,001,863 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\barca-away-kit-henry.jpg
[2009/07/03 14:27:29 | 00,001,902 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\real-madrid-jersey-kaka-ad.jpg
[2009/07/03 13:27:14 | 00,002,858 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\real-madrid-bernabeu-logo.jpg
[2009/07/03 11:58:56 | 00,028,330 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\real-madrid-home-kaka-8.jpg
[2009/07/02 15:08:57 | 00,055,451 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\fc-barcelona-3rd-jersey-long-sleeve-messi-10.jpg
[2009/07/02 15:00:44 | 00,053,706 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\fc-barcelona-3rd-jersey-own-name.jpg
[2009/07/02 13:39:29 | 00,270,143 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\new-barcelona-jersey.jpg
[2009/07/02 12:53:06 | 00,015,872 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\money-order.doc
[2009/07/01 21:46:20 | 00,033,109 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\Detail Shipment 5273388.pdf
[2009/07/01 21:46:12 | 00,063,491 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\Detail Shipment 5273026.pdf
[2009/07/01 21:45:39 | 00,083,348 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\J101413.PDF
[2009/07/01 21:45:30 | 00,027,291 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\J114621.PDF
[2009/07/01 21:45:09 | 00,036,072 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\Detail Shipment 5293961.pdf
[2009/07/01 21:13:36 | 00,198,189 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\new-fc-barcelona-away-jersey.jpg
[2009/07/01 15:29:42 | 00,046,485 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\barcelona-home-eto-o-9.jpg
[2009/07/01 15:22:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\M\Lokale indstillinger\Application Data\Temp
[2009/07/01 14:45:35 | 00,002,103 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\italy-home-jersey-1.jpg
[2009/07/01 14:25:42 | 00,002,236 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\liverpool-away-jersey-2.jpg
[2009/07/01 14:23:44 | 00,002,736 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\fc-barcelona-home-jersey-2.jpg
[2009/07/01 10:17:35 | 00,000,974 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1174632320-4108373775-285163711-1005UA.job
[2009/07/01 10:17:35 | 00,000,922 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1174632320-4108373775-285163711-1005Core.job
[2009/06/30 16:52:56 | 00,002,247 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\new-man-united-home-jersey-pre-order.jpg
[2009/06/30 16:45:12 | 00,014,938 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\man-united-home-jersey-ls-pre-order.jpg
[2009/06/30 16:44:29 | 00,014,970 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\man-united-home-jersey-pre-order.jpg
[2009/06/30 14:17:24 | 00,002,462 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\barcelona-away-jersey-henry-14.jpg
[2009/06/30 13:50:48 | 00,001,979 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\liverpool-euro-jersey-1.jpg
[2009/06/30 13:50:31 | 00,055,601 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\liverpool-euro-jersey.jpg
[2009/06/30 13:26:53 | 00,002,434 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\arsenal-away-ls-jersey-1.jpg
[2009/06/30 13:26:31 | 00,073,309 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\arsenal-away-jersey-long-sleeve.jpg
[2009/06/30 12:43:55 | 00,002,300 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\barcelona-jersey-offer-1.jpg
[2009/06/30 12:41:28 | 00,003,845 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\champions-league-match-ball-1.jpg
[2009/06/30 12:38:04 | 00,002,955 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\ac-milan-home-jersey-2.jpg
[2009/06/30 12:32:55 | 00,002,528 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\liverpool-jersey-torres-2.jpg
[2009/06/30 12:32:39 | 00,008,784 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\liverpool-home-jersey-torre.jpg
[2009/06/30 12:27:45 | 00,002,511 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\chelsea-jersey-drogba-2.jpg
[2009/06/30 12:27:29 | 00,009,203 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\chelsea-home-jersey-drogba-.jpg
[2009/06/30 12:23:49 | 00,002,247 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\liverpool-home-jersey-torres-1.jpg
[2009/06/30 12:15:47 | 00,002,053 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\chelsea-home-jersey-2.jpg
[2009/06/30 12:00:04 | 00,002,024 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\chelsea-home-jersey-1.jpg
[2009/06/30 11:58:01 | 00,002,223 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\liverpool-away-jersey-1.jpg
[2009/06/30 11:54:55 | 00,002,636 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\fc-barcelona-home-jersey-1.jpg
[2009/06/30 00:38:57 | 00,029,495 | ---- | C] () -- C:\Documents and Settings\M\

#32 virus-problem

Posted 11 July 2009 - 10:26 AM

OTL Extras logfile created on: 7/11/2009 7:22:01 PM - Run 1
OTL by OldTimer - Version 3.0.7.1 Folder = C:\Documents and Settings\M\Skrivebord
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18372)
Locale: 00000409 | Country: USA | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.24 Gb Available Physical Memory | 62.20% Memory free
3.85 Gb Paging File | 3.18 Gb Available in Paging File | 82.61% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programmer
Drive C: | 149.04 Gb Total Space | 101.97 Gb Free Space | 68.41% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MOSCOW
Current User Name: M
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 90 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Programmer\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Programmer\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/13 22:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2009/02/06 18:21:00 | 00,583,024 | ---- | M] (Microsoft Corporation) -- C:\Programmer\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call
[2009/02/06 18:23:32 | 01,170,272 | ---- | M] (Microsoft Corporation) -- C:\Programmer\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync
[2009/02/06 18:51:28 | 03,885,408 | ---- | M] (Microsoft Corporation) -- C:\Programmer\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/04/13 22:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2005/04/04 21:58:28 | 00,163,840 | ---- | M] (Adobe Systems Incorporated) -- C:\Programmer\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe:*:Enabled:Adobe Version Cue CS2
[2008/05/08 10:19:50 | 00,289,088 | ---- | M] (BitTorrent, Inc.) -- C:\Programmer\DNA\btdna.exe:*:Enabled:DNA
[2009/05/26 21:06:32 | 04,351,216 | ---- | M] (Yahoo! Inc.) -- C:\Programmer\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger
[2008/04/14 20:05:47 | 00,083,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test
[2007/03/07 14:27:12 | 00,567,384 | ---- | M] (www.sopcast.com) -- C:\Programmer\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver
[2008/04/30 12:32:48 | 01,892,352 | ---- | M] (www.sopcast.com) -- C:\Programmer\SopCast\SopCast.exe:*:Enabled:SopCast Main Application
[2009/06/13 23:27:47 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Programmer\Mozilla Firefox\firefox.exe:*:Enabled:Firefox
[2009/06/22 15:23:06 | 03,995,120 | ---- | M] (Google) -- C:\Documents and Settings\M\Lokale indstillinger\Application Data\Google\Google Talk Plugin\googletalkplugin.dll:*:Enabled:Google Talk Plugin
[2009/06/22 14:57:54 | 00,083,440 | ---- | M] (Google) -- C:\Documents and Settings\M\Lokale indstillinger\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin
[2008/12/29 01:22:26 | 02,202,624 | ---- | M] (Zhejiang University) -- C:\Programmer\TVAnts\Tvants.exe:*:Enabled:TVAnts
[2009/03/01 14:59:42 | 00,172,792 | ---- | M] (ICQ, LLC.) -- C:\Programmer\ICQ6.5\ICQ.exe:*:Enabled:ICQ6
[2008/11/06 17:18:32 | 02,083,920 | ---- | M] (TVU networks) -- C:\Programmer\TVUPlayer\TVUPlayer.exe:*:Enabled:TVUPlayer Component
[2007/01/24 07:00:00 | 00,661,024 | ---- | M] (Infineon Technologies AG) -- C:\Programmer\Infineon\Security Platform Software\SpTNA.exe:*:Enabled:SpTna
[2009/06/28 13:55:23 | 00,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Programmer\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe
[2009/06/28 13:53:52 | 01,085,208 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Programmer\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe
[2009/06/09 12:48:52 | 00,594,712 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Programmer\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe
[2009/05/21 11:34:01 | 00,144,792 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programmer\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary
[2009/02/06 18:21:00 | 00,583,024 | ---- | M] (Microsoft Corporation) -- C:\Programmer\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call
[2009/02/06 18:23:32 | 01,170,272 | ---- | M] (Microsoft Corporation) -- C:\Programmer\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync
[2009/02/06 18:51:28 | 03,885,408 | ---- | M] (Microsoft Corporation) -- C:\Programmer\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
[2008/11/07 15:31:38 | 21,633,320 | R--- | M] (Skype Technologies S.A.) -- C:\Programmer\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0134A1A1-C283-4A47-91A1-92F19F960372}" = Adobe Creative Suite 2
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{13515135-48BB-4184-8C1F-2FAE0138E200}" = TBS WMP Plug-in
"{139B0FFA-187E-4BA1-BCA6-6B56B2B6AB8C}" = ATK Media
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1DBD1F12-ED93-49C0-A7CC-56CBDE488158}" = LifeFrame2
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java™ 6 Update 14
"{26A24AE4-039D-4CA4-87B4-2F83216013F0}" = Java™ 6 Update 13
"{2729C4B5-822B-43BB-9645-3E2C23F88489}" = Windows Presentation Foundation Language Pack (DAN)
"{32343DB6-9A52-40C9-87E4-5E7C79791C87}" = MSXML 4.0 SP2 and SOAP Toolkit 3.0
"{3248F0A8-6813-11D6-A77B-00B0D0160040}" = Java™ 6 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C9406-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3912D529-02BC-4CA8-B5ED-0D0C20EB6003}" = ATK Hotkey
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3C52E7DA-C431-4239-B66B-1BF703D5B194}" = Windows Live Photo Gallery
"{4462AD13-F2AA-4CBD-9F95-293C38EED870}" = Power4 Gear
"{46548E80-0409-0000-7E8A-45000F855001}" = Adobe GoLive CS2
"{47985AEA-2CA2-3344-851E-BA4DC9101C68}" = Microsoft .NET Framework 2.0 Service Pack 2 Language Pack - DAN
"{5C1DB4ED-E9B4-402D-BB14-D75D97D6C1A6}" = ATKOSD2
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.8
"{60DE4033-9503-48D1-A483-7846BD217CA9}" = ICQ6.5
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{786C5747-1033-0000-B58E-000000000001}" = Adobe Stock Photos 1.0
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7F4C8163-F259-49A0-A018-2857A90578BC}" = Adobe InDesign CS2
"{82CA0A0C-A3EC-4167-B694-909205B2EDEC}" = muvee Plugin 1.0
"{83F73CB1-7705-49D1-9852-84D839CA2A45}" = Wireless Console 2
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8B08E38A-73EF-4A3D-B166-EB8B7D98E0BA}" = Microsoft .NET Framework 3.0 Danish Language Pack
"{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File Installer
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{973F8409-F8DA-4A40-ACB4-12B02F3399D7}" = Microsoft .NET Framework 1.1 Danish Language Pack
"{98736A65-3C79-49EC-B7E9-A3C77774B0E6}" = Google SketchUp 6
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A1BF9950-8CDB-468E-83FA-EACFB00EA7D5}" = Windows Live Sync
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A899DA1F-D626-401C-8651-F2921E3B4CB3}" = 3Connect
"{AC76BA86-1033-0000-7760-000000000002}" = Adobe Acrobat 7.0 Professional
"{AC76BA86-7AD7-1033-7B44-A80000000002}" = Adobe Reader 8
"{ADBE46EE-54E0-4610-B436-D7E93D829100}" = Adobe Version Cue CS2
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B2F5D08C-7E79-4FCD-AAF4-57AD35FF0601}" = Adobe Illustrator CS2
"{B3D8B2F8-3C2C-45BC-933E-8B60E78F6684}" = Google SketchUp 6
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B5080CC6-15F5-49B1-8672-F2021FF771C0}" = Tilmeldingsassistent til Windows Live
"{B69349AE-2D41-3708-8BA4-4DC22645CA04}" = Microsoft .NET Framework 3.5 Language Pack SP1 - dan
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B70DE97F-FE65-4B9E-9A1E-674CB2E18157}" = Russian (Slovenski) V
"{B74D4E10-1033-0000-0000-000000000001}" = Adobe Bridge 1.0
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C0FC1C14-4824-4A73-87A6-9E888C9C3102}" = ASUS Splendid Video Enhancement Technology
"{C3AE9DA1-2E44-4F11-803E-20977F0FE6B9}" = Safari
"{C49DAA9C-5BA8-459A-8244-E57B69DF0F04}" = Suite Specific
"{C4A4722E-79F9-417C-BD72-8D359A090C97}" = Samsung PC Studio 3
"{C6CA8874-5F22-4AF0-9BE3-016BF299C536}" = Windows Live Essentials
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D104C1CF-7C12-4D32-9850-DDC99060DE5B}" = Infineon TPM Professional Package
"{D3D54F3E-C5C3-443D-978F-87A72E5616E8}" = ATK Generic Function Service
"{D3E3F224-704C-4873-BA3E-0B8D3D4C59E8}" = Samsung PC Studio 3
"{DFCB15E0-969C-3E74-8654-F5978478E876}" = Microsoft .NET Framework 3.0 Service Pack 2 Language Pack - DAN
"{E6B87DC4-2B3D-4483-ADFF-E483BF718991}" = OpenOffice.org 3.1
"{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F6B1D53B-2A68-377D-AC39-C8FD359FF6F1}" = Google Talk Plugin
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FAF73247-54AB-4F33-B84E-EAD36C3F3C87}" = PerSonoCall
"3ivx MPEG-4 5.0 Decoder" = 3ivx MPEG-4 5.0 Decoder (remove only)
"6194C28A8F62DD817EA1B918E6E46E806A21B452" = Windows-driverpakke - MobileTop (sshpmdm) Modem (02/23/2007 2.5.0.0)
"65B6FE5418CE28F4D72543FB2D964C3CEC83F161" = Windows-driverpakke - MobileTop (sshpusb) USB (02/23/2007 2.5.0.0)
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"AVG8Uninstall" = AVG 8.5
"CCleaner" = CCleaner (remove only)
"Exterminate It!" = Exterminate It!
"HijackThis" = HijackThis 2.0.2
"HotspotShield" = Hotspot Shield 1.12
"Huawei Modems" = Huawei Modems
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8 Release Candidate 1
"InstallShield_{13515135-48BB-4184-8C1F-2FAE0138E200}" = TBS WMP Plug-in
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.0 Danish Language Pack" = Dansk sprogpakke til Microsoft .NET Framework 3.0
"Microsoft .NET Framework 3.5 Language Pack SP1 - dan" = Sprogpakke til Microsoft .NET Framework 3.5 SP1 - dansk
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.0.11)" = Mozilla Firefox (3.0.11)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"QIP 2005_is1" = QIP 2005 8080
"RealPlayer 6.0" = RealPlayer
"SAMSUNG Mobile Composite Device" = SAMSUNG Mobile Composite Device Software
"SAMSUNG Mobile USB Modem" = SAMSUNG Mobile USB Modem Software
"SAMSUNG Mobile USB Modem 1.0" = SAMSUNG Mobile USB Modem 1.0 Software
"SMSERIAL" = Motorola SM56 Speakerphone Modem
"SopCast" = SopCast 3.0.1
"ST6UNST #1" = Karen's Alarm Clock
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TVAnts 1.0" = TVAnts 1.0
"TVUPlayer" = TVUPlayer 2.4.1.0
"USB 2.0 1.3M UVC WebCam" = USB 2.0 1.3M UVC WebCam
"WIC" = Windows Imaging Component
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"XPSEPSCLP" = XML Paper Specification Shared Components Language Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent DNA" = DNA
"Google Chrome" = Google Chrome
"Octoshape add-in for Adobe Flash Player" = Octoshape add-in for Adobe Flash Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/7/2009 11:08:38 AM | Computer Name = MOSCOW | Source = Application Hang | ID = 1001
Description = Fejl-bucket 1304656578.

Error - 7/8/2009 2:58:23 AM | Computer Name = MOSCOW | Source = Application Hang | ID = 1002
Description = Stoppet program firefox.exe, version 1.9.0.3439, stoppet modul hungapp,
version 0.0.0.0, stoppet adresse 0x00000000.

Error - 7/8/2009 2:58:28 AM | Computer Name = MOSCOW | Source = Application Hang | ID = 1001
Description = Fejl-bucket 1304656578.

Error - 7/9/2009 2:27:49 AM | Computer Name = MOSCOW | Source = Google Update | ID = 20
Description =

Error - 7/9/2009 6:32:11 AM | Computer Name = MOSCOW | Source = WindowsLiveMessenger | ID = 15728647
Description =

Error - 7/9/2009 6:32:11 AM | Computer Name = MOSCOW | Source = WindowsLiveMessenger | ID = 15728647
Description =

Error - 7/9/2009 7:02:46 PM | Computer Name = MOSCOW | Source = Application Hang | ID = 1002
Description = Stoppet program firefox.exe, version 1.9.0.3439, stoppet modul hungapp,
version 0.0.0.0, stoppet adresse 0x00000000.

Error - 7/9/2009 7:02:51 PM | Computer Name = MOSCOW | Source = Application Hang | ID = 1001
Description = Fejl-bucket 1304656578.

Error - 7/11/2009 7:47:24 AM | Computer Name = MOSCOW | Source = WindowsLiveMessenger | ID = 15728647
Description =

Error - 7/11/2009 7:47:27 AM | Computer Name = MOSCOW | Source = WindowsLiveMessenger | ID = 15728647
Description =

[ System Events ]
Error - 7/11/2009 6:28:00 AM | Computer Name = MOSCOW | Source = Disk | ID = 262151
Description = Enheden \Device\Harddisk0\D havde en fejlbehæftet blok.

Error - 7/11/2009 6:28:26 AM | Computer Name = MOSCOW | Source = Disk | ID = 262151
Description = Enheden \Device\Harddisk0\D havde en fejlbehæftet blok.

Error - 7/11/2009 6:28:46 AM | Computer Name = MOSCOW | Source = Disk | ID = 262151
Description = Enheden \Device\Harddisk0\D havde en fejlbehæftet blok.

Error - 7/11/2009 6:29:03 AM | Computer Name = MOSCOW | Source = Disk | ID = 262151
Description = Enheden \Device\Harddisk0\D havde en fejlbehæftet blok.

Error - 7/11/2009 6:29:21 AM | Computer Name = MOSCOW | Source = Disk | ID = 262151
Description = Enheden \Device\Harddisk0\D havde en fejlbehæftet blok.

Error - 7/11/2009 6:29:42 AM | Computer Name = MOSCOW | Source = Disk | ID = 262151
Description = Enheden \Device\Harddisk0\D havde en fejlbehæftet blok.

Error - 7/11/2009 6:30:01 AM | Computer Name = MOSCOW | Source = Disk | ID = 262151
Description = Enheden \Device\Harddisk0\D havde en fejlbehæftet blok.

Error - 7/11/2009 6:30:23 AM | Computer Name = MOSCOW | Source = Disk | ID = 262151
Description = Enheden \Device\Harddisk0\D havde en fejlbehæftet blok.

Error - 7/11/2009 6:30:41 AM | Computer Name = MOSCOW | Source = Disk | ID = 262151
Description = Enheden \Device\Harddisk0\D havde en fejlbehæftet blok.

Error - 7/11/2009 6:31:05 AM | Computer Name = MOSCOW | Source = Disk | ID = 262151
Description = Enheden \Device\Harddisk0\D havde en fejlbehæftet blok.


< End of report >

Thank you.

#33 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 11 July 2009 - 01:24 PM

Some observations.

Your first log was very large and it got truncated here.
[2009/06/30 11:54:55 | 00,002,636 | ---- | C] () -- C:\Documents and Settings\M\Dokumenter\fc-barcelona-home-jersey-1.jpg
[2009/06/30 00:38:57 | 00,029,495 | ---- | C] () -- C:\Documents and Settings\M\

Let me see the rest except for the .jpg files.

Do you know what all those .jpg files are.
They seem to be created everyday.
===

Open NotePad and open this hosts file (no extension)
Windows XP C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS

Copy and paste the contents in your next reply.
Will replace it with the default see below.

While NotePad is open copy and paste the contents of this files also.
C:\AUTOEXEC.BAT
Let me see it.
===

Go to: http://www.funkytoad...=...=13&Itemid=

Download the program HostsXpert to restore the default hosts file back onto your machine.
Unzip the program and execute it.
Select
"Restore MS Hosts File".
Close the application.

If the file is Read Only you will not be able to replace it until you remove the Read Only properties of the file.
===

O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
This file nwiz.exe is not signed.
Submit it to Jotti for a scan.
http://virusscan.jotti.org/
Let me know if it's malware. It could be related to your Audio card in which case it's fine.
===

Check with your Internet Provider and ask them if this DHCP name server is correct.

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 213.234.192.8 85.21.192.3
These are two IP addresses.
213.234.192.8 and
85.21.192.3
===

Go to the Add/Remove programs list and remove these old versions of Java.
Java™ 6 Update 13
6 Update 4
6 Update 5
Java™ 6 Update 7


Keep Java™ 6 Update 14
===

Let me know if this is a folder or file.
C:\*.tmp files

If a folder what's in it.
nasdaq

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#34 virus-problem

virus-problem

    Member

  • Full Member
  • 55 posts

Posted 12 July 2009 - 02:12 PM

Regarding the .jpg files those are something that I work with so there is nothing mysterious there.
Here is the remainder of the log which got truncated:

[2009/06/30 11:54:55 | 00,002,636 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\fc-barcelona-home-jersey-1.jpg
[2009/06/30 00:38:59 | 00,029,495 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\fc-barcelona-3rd-jersey-womens.jpg
[2009/06/30 00:32:41 | 00,024,042 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\fc-barcelona-3rd-shorts-youth.jpg
[2009/06/30 00:11:17 | 00,002,053 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\fc-barcelona-3rd-shorts-ad.jpg
[2009/06/29 18:06:31 | 00,001,944 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\barca-away-jersey-henry-ad.jpg
[2009/06/29 17:46:33 | 00,001,848 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\barcelona-goalie-shorts-ad.jpg
[2009/06/29 17:44:27 | 00,001,570 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\barcelona-goalie-socks-ad.jpg
[2009/06/29 17:41:29 | 00,023,618 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\fc-barcelona-goalie-shorts-youth.jpg
[2009/06/29 17:39:02 | 00,043,083 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\fc-barcelona-jersey-womens.jpg
[2009/06/29 17:36:52 | 00,038,415 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\fc-barcelona-long-sleeve-home-jersey-youth.jpg
[2009/06/29 17:34:23 | 00,045,729 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\fc-barcelona-youth-jersey-long-sleeve.jpg
[2009/06/29 17:24:59 | 00,001,429 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\barcelona-shorts-away-ad.jpg
[2009/06/29 17:16:19 | 00,002,142 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\barcelona-home-shorts-ad.jpg
[2009/06/29 17:05:43 | 00,001,463 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\barcelona-home-socks-ad.jpg
[2009/06/29 17:02:12 | 00,001,661 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\barcelona-away-socks-ad.jpg
[2009/06/29 16:48:18 | 00,028,031 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\liverpool-tee-red-youth.jpg
[2009/06/29 16:45:09 | 00,028,843 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\barcelona-shorts-test-2.jpg
[2009/06/29 16:42:59 | 00,033,297 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\barcelona-shorts-test.jpg
[2009/06/28 23:04:30 | 00,036,864 | ---- | M] () -- C:\Documents and Settings\M\Lokale indstillinger\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/06/28 20:33:03 | 00,033,114 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\J025614.PDF
[2009/06/28 17:37:55 | 00,000,110 | -H-- | M] () -- C:\Documents and Settings\M\Dokumenter\.~lock.global-hub-city.odt#
[2009/06/28 13:55:29 | 00,011,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/06/28 13:55:28 | 00,327,688 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/06/28 13:55:28 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/06/28 12:38:14 | 00,895,527 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\IMG_0148[1].jpg
[2009/06/28 12:38:08 | 00,903,858 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\IMG_0174[1].jpg
[2009/06/28 12:37:59 | 00,745,154 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\IMG_0198[1].jpg
[2009/06/28 12:37:53 | 00,833,639 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\IMG_0212[1].jpg
[2009/06/28 12:35:19 | 00,790,933 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\IMG_0200[1].jpg
[2009/06/28 12:19:39 | 01,040,431 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\IMG_0122[1].jpg
[2009/06/28 12:15:28 | 00,817,464 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\IMG_0044[1].jpg
[2009/06/28 01:50:57 | 00,009,691 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\global-hub-city.odt
[2009/06/25 11:42:52 | 00,025,464 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\J779171.PDF
[2009/06/25 11:40:38 | 00,113,884 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\Detail Shipment 5242820.pdf
[2009/06/25 11:30:59 | 00,113,884 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\Detail Shipment 5242623.pdf
[2009/06/25 11:21:20 | 00,344,675 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\total-90-omni-ball-yellow-b.jpg
[2009/06/25 11:21:12 | 00,294,829 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\total-90-omni-ball-white-black-b.jpg
[2009/06/25 11:21:05 | 00,331,009 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\t90-soccer-ball-yellow-premier-league.jpg
[2009/06/25 11:20:55 | 00,252,339 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\t90-catalyst-soccer-ball.jpg
[2009/06/25 11:20:51 | 00,250,675 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\chelsea-jersey-ballack-13.jpg
[2009/06/25 11:20:46 | 00,495,530 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\uefa-cup-ball-blue-b.jpg
[2009/06/25 11:19:47 | 00,309,863 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\nike-uefa-cup-ball-b.jpg
[2009/06/25 11:19:40 | 00,198,189 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\fc-barcelona-away-jersey.jpg
[2009/06/25 11:19:35 | 00,275,793 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\fc-barcelona-long-sleeve-jersey.jpg
[2009/06/25 11:19:16 | 00,270,143 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\fc-barcelona-jersey-home.jpg
[2009/06/25 11:19:11 | 00,223,482 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\fc-barcelona-away-long-sleeve-jersey.jpg
[2009/06/25 11:19:02 | 00,331,298 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\liverpool-youth-scarf.jpg
[2009/06/25 11:18:58 | 00,235,711 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\liverpool-sweat-pants.jpg
[2009/06/25 11:18:53 | 00,316,675 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\liverpool-scarf-the-reds.jpg
[2009/06/25 11:18:32 | 00,347,526 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\liverpool-jacket-charcol.jpg
[2009/06/25 11:18:24 | 00,326,883 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\liverpool-away-shorts-back.jpg
[2009/06/25 11:18:15 | 00,260,011 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\liverpool-away-agger-5.jpg
[2009/06/25 11:18:10 | 00,316,678 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\lfp-ball-yellow-b.jpg
[2009/06/25 11:18:02 | 00,313,555 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\lega-calcio-ball-yellow-b.jpg
[2009/06/25 11:17:40 | 00,257,843 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\inter-t-shirt-blue.jpg
[2009/06/25 11:17:34 | 00,234,002 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\inter-tee-white.jpg
[2009/06/25 11:17:30 | 00,265,682 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\inter-tee-blue.jpg
[2009/06/25 11:17:21 | 00,367,120 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\europa-league-match-ball.jpg
[2009/06/25 11:17:17 | 00,209,234 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\england-world-cup-jersey.jpg
[2009/06/25 11:17:13 | 00,440,276 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\chelsea-scarf-blue.jpg
[2009/06/25 11:17:08 | 00,375,514 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\chelsea-fc-1905-scarf.jpg
[2009/06/25 11:16:55 | 00,391,966 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\barcelona-minikit-babyb.jpg
[2009/06/25 11:16:47 | 00,329,152 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\barcelona-jersey-womens.jpg
[2009/06/25 11:16:43 | 00,246,142 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\barcelona-goalkeeper-jersey.jpg
[2009/06/25 11:16:38 | 00,268,149 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\barcelona-goalie-shorts.jpg
[2009/06/25 11:16:34 | 00,379,061 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\barcelona-goalie-jersey.jpg
[2009/06/25 11:16:28 | 00,258,753 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\barca-jersey-messi-10-b.jpg
[2009/06/25 11:16:19 | 00,219,225 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\barca-away-henry-14-b.jpg
[2009/06/25 11:15:25 | 00,254,425 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\aston-villa-away-ls-young-7.jpg
[2009/06/25 11:15:20 | 00,161,088 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\adipure-boots-gold.jpg
[2009/06/25 11:15:16 | 00,181,849 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\adidas-adipure-boots-black-gold.jpg
[2009/06/24 10:51:57 | 00,298,048 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/06/23 22:44:02 | 00,000,885 | ---- | M] () -- C:\Documents and Settings\All Users\Skrivebord\OpenOffice.org 3.1.lnk
[2009/06/23 20:53:38 | 00,002,306 | ---- | M] () -- C:\Documents and Settings\M\Skrivebord\Google Chrome.lnk
[2009/06/23 11:33:17 | 00,000,611 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/06/18 16:59:03 | 00,015,171 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\barcelona-home-the-treble.jpg
[2009/06/18 16:58:49 | 00,014,660 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\barcelona-away-the-treble.jpg
[2009/06/18 11:35:23 | 00,071,908 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\Detail Shipment 5187197.pdf
[2009/06/17 13:14:18 | 00,002,971 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\real-madrid-bernabeu-screen.jpg
[2009/06/16 14:01:27 | 00,316,678 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\lfp-ball-yellow.jpg
[2009/06/16 14:01:22 | 00,313,555 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\lega-calcio-ball-yellow.jpg
[2009/06/16 14:01:18 | 00,274,083 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\premier-league-ball-black.jpg
[2009/06/16 14:01:13 | 00,309,863 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\nike-uefa-cup-ball.jpg
[2009/06/16 14:01:09 | 00,495,530 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\uefa-cup-ball-blue.jpg
[2009/06/16 14:01:04 | 00,344,675 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\total-90-omni-ball-yellow.jpg
[2009/06/16 14:00:58 | 00,294,829 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\total-90-omni-ball-white-black.jpg
[2009/06/16 14:00:53 | 00,277,668 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\t90-shinguards-gold.jpg
[2009/06/16 14:00:41 | 00,323,260 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\t90-omni-soccer-ball.jpg
[2009/06/16 14:00:37 | 00,358,187 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\rooney-soccer-ball.jpg
[2009/06/16 14:00:24 | 00,084,043 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\r10-shinguards-yellow.jpg
[2009/06/11 01:34:38 | 00,391,966 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\barcelona-minikit-baby.jpg
[2009/06/11 01:34:32 | 00,222,928 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\barcelona-away-jersey-the-treble-09.jpg
[2009/06/11 01:34:14 | 00,218,483 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\barcelona-away-shorts.jpg
[2009/06/11 01:34:09 | 00,284,724 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\barcelona-home-shorts.jpg
[2009/06/11 01:34:04 | 00,258,753 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\barca-jersey-messi-10.jpg
[2009/06/11 01:33:57 | 00,063,934 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\barca-home-print-messi-10.jpg
[2009/06/11 01:33:50 | 00,053,229 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\barca-away-print-henry-14.jpg
[2009/06/11 01:33:40 | 00,219,225 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\barca-away-henry-14.jpg
[2009/06/10 12:36:56 | 01,073,196 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/06/10 12:36:56 | 00,459,568 | ---- | M] () -- C:\WINDOWS\System32\perfh006.dat
[2009/06/10 12:36:56 | 00,444,362 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/06/10 12:36:56 | 00,083,682 | ---- | M] () -- C:\WINDOWS\System32\perfc006.dat
[2009/06/10 12:36:56 | 00,072,238 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/06/09 12:48:48 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/06/08 08:10:10 | 00,155,136 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/06/01 20:51:12 | 23,635,392 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/05/31 02:48:06 | 00,000,791 | ---- | M] () -- C:\Documents and Settings\All Users\Skrivebord\Yahoo! Messenger.lnk
[2009/05/26 13:20:08 | 00,040,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/05/26 13:19:56 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/05/24 23:38:03 | 00,010,752 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\The-Corporation.doc
[2009/05/24 23:21:53 | 00,009,216 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\Football-Soccer-World.doc
[2009/05/23 23:40:19 | 00,001,552 | ---- | M] () -- C:\Documents and Settings\All Users\Skrivebord\3Connect.lnk
[2009/05/23 23:39:18 | 00,069,387 | ---- | M] () -- C:\WINDOWS\Huawei ModemsUninstall.exe
[2009/05/22 00:54:46 | 00,010,105 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\Football-Soccer-World.odt
[2009/05/22 00:32:33 | 00,011,556 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\The-Corporation.odt
[2009/05/21 11:34:03 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/05/21 11:34:02 | 00,144,792 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/05/21 11:34:01 | 00,144,792 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/05/21 11:33:57 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2009/05/21 09:35:23 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/05/17 22:49:59 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\LauncherAccess.dt
[2009/05/14 14:36:52 | 00,088,063 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\WWI-Faktura.pdf
[2009/05/07 19:33:36 | 00,346,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\localspl.dll
[2009/05/07 19:33:36 | 00,346,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\localspl.dll
[2009/05/05 17:14:14 | 01,294,607 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\DC-260-7868742221.pdf
[2009/04/28 19:05:00 | 00,286,208 | ---- | M] () -- C:\Documents and Settings\M\Skrivebord\gmer.exe
[2009/04/20 21:11:50 | 00,000,913 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\My Sharing Folders.lnk
[2009/04/20 18:36:36 | 00,005,146 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\_design_menu_da.inc
[2009/04/20 18:31:09 | 00,005,976 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\_design_menu_en.inc
[2009/04/20 12:56:28 | 00,031,232 | ---- | M] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/04/19 23:50:35 | 01,847,168 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\win32k.sys
[2009/04/19 23:50:35 | 01,847,168 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\win32k.sys
[2009/04/16 14:15:25 | 00,276,770 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\mmsport-invoice-mms0005.pdf
[2009/04/16 13:14:42 | 00,049,747 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\J987842.PDF
[2009/04/16 13:04:52 | 00,047,104 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\Letter Of lien- Board Resolution - Euro-USD 08.doc
[2009/04/16 13:04:42 | 00,051,200 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\Barclays Seychelles Deferred Debit Card Guide.doc
[2009/04/15 18:53:54 | 00,585,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\rpcrt4.dll
[2009/04/15 18:53:54 | 00,585,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcrt4.dll
[2009/04/13 11:26:16 | 00,210,922 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\internetworld-sources.htm
< End of report >

#35 virus-problem

virus-problem

    Member

  • Full Member
  • 55 posts

Posted 12 July 2009 - 02:14 PM

Here is the hosts file log:

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a "#" symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhost
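As an added example (not code from this thread, nor from the scanning tools it uses), a small Python triage script for the two checks nasdaq asked for in post #33: it parses scan-log lines in the format shown in post #34, drops the .jpg entries, flags binaries under the Windows directory that carry no company name in the log (the reason nwiz.exe was sent to Jotti), and lists hosts-file mappings other than the stock 127.0.0.1 localhost line. The sample input is a few lines copied from the log above plus one constructed hosts entry; the "no company name under C:\WINDOWS" heuristic is the example's own, not a rule stated in the thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# One scan-log "Files Modified" line as posted in this thread, e.g.
# [2009/06/28 13:55:29 | 00,011,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
LOG_LINE = re.compile(
    r"^\[(?P<when>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>.*?)\) -- (?P<path>.+)$"
)

# Heuristic (the example's own, not a rule from the thread): a binary under the
# Windows directory that carries no company string is worth a second look.
BINARY_EXT = (".exe", ".dll", ".sys", ".cpl", ".scr")
SYSTEM_PREFIX = "c:\\windows\\"


def parse_log_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line into a dict, or return None for headers/footers."""
    m = LOG_LINE.match(line.strip())
    if m is None:
        return None
    entry: Dict[str, object] = m.groupdict()
    entry["size"] = int(str(entry["size"]).replace(",", ""))  # "00,011,952" -> 11952
    return entry


def triage_log(lines: List[str], skip_ext: Tuple[str, ...] = (".jpg",)):
    """Return (kept, flagged).

    kept    : parsed entries minus those whose (lower-cased) path ends in skip_ext
    flagged : kept entries that are binaries under C:\\WINDOWS with no company name
    """
    kept, flagged = [], []
    for line in lines:
        entry = parse_log_line(line)
        if entry is None:
            continue
        path = str(entry["path"]).lower()
        if path.endswith(skip_ext):
            continue
        kept.append(entry)
        if path.startswith(SYSTEM_PREFIX) and path.endswith(BINARY_EXT) and not entry["company"]:
            flagged.append(entry)
    return kept, flagged


# The stock Windows XP hosts file maps only localhost.
DEFAULT_HOSTS = {("127.0.0.1", "localhost")}


def non_default_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs that are not the stock localhost mapping."""
    extra = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if (ip, name.lower()) not in DEFAULT_HOSTS:
                extra.append((ip, name))
    return extra


# Sample input: five lines copied from the log posted above plus the report footer.
SAMPLE_LOG = r"""[2009/06/30 11:54:55 | 00,002,636 | ---- | M] () -- C:\Documents and Settings\M\Dokumenter\fc-barcelona-home-jersey-1.jpg
[2009/06/28 13:55:29 | 00,011,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/06/08 08:10:10 | 00,155,136 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/04/28 19:05:00 | 00,286,208 | ---- | M] () -- C:\Documents and Settings\M\Skrivebord\gmer.exe
[2009/06/28 17:37:55 | 00,000,110 | -H-- | M] () -- C:\Documents and Settings\M\Dokumenter\.~lock.global-hub-city.odt#
< End of report >"""

# Sample hosts file: the stock content posted above plus one constructed
# non-default mapping (example.com is a reserved documentation domain).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
10.0.0.1 update.example.com # constructed non-default entry
"""


def main() -> None:
    kept, flagged = triage_log(SAMPLE_LOG.splitlines())
    print(f"{len(kept)} entries after dropping .jpg files")
    for e in flagged:
        print("check:", e["path"], f"({e['size']} bytes, no company name)")
    for ip, name in non_default_hosts(SAMPLE_HOSTS):
        print("non-default hosts entry:", ip, name)


if __name__ == "__main__":
    main()
```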

#36 virus-problem

virus-problem

    Member

  • Full Member
  • 55 posts

Posted 12 July 2009 - 02:23 PM

The Jotti scan did not find anything:
Filename: nwiz.exe
Status:
Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Sun 12 Jul 2009 21:21:54 (CET)

#37 virus-problem

virus-problem

    Member

  • Full Member
  • 55 posts

Posted 12 July 2009 - 02:31 PM

Download the program HostsXpert to restore the default hosts file back onto your machine.
Unzip the program and execute it.
Select
"Restore MS Hosts File".
Close the application.
DONE

Go to the Add/Remove programs list and remove these old versions of Java.
Java™ 6 Update 13
6 Update 4
6 Update 5
Java™ 6 Update 7

Keep Java™ 6 Update 14
DONE

#38 virus-problem

virus-problem

    Member

  • Full Member
  • 55 posts

Posted 12 July 2009 - 02:33 PM

I could not find this file:

While NotePad is open copy and paste the contents of this files also.
C:\AUTOEXEC.BAT
Let me see it.

I could not find this file / folder either:
Let me know if this is a folder or file.
C:\*.tmp files

If a folder what's in it.

Thank you.

#39 virus-problem

virus-problem

    Member

  • Full Member
  • 55 posts

Posted 13 July 2009 - 06:25 AM

Here is the answer from the ISP

Our DNS server, you should automatically receive: 213.234.192.8 and
85.21.192.3 .

#40 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 13 July 2009 - 10:15 AM

While NotePad is open copy and paste the contents of this file.
C:\AUTOEXEC.BAT
Let me see the contents.


Run HijackThis,
Click the "None of the above..." button.
Click Config button > Misc Tool > Open ADS spy.
Scan and Save the log.
Post the result of the log that will be found in your HijackThis folder back here for me to see.
nasdaq


#41 virus-problem

virus-problem

    Member

  • Full Member
  • 55 posts

Posted 13 July 2009 - 10:20 AM

Here is the autoexec.bat

It was the only thing it would display. I do not know if this is what you are looking for.

PATH=%PATH%;C:\PROGRA~1\FLLESF~1\MUVEET~1\030625

#42 virus-problem

virus-problem

    Member

  • Full Member
  • Pip
  • 55 posts

Posted 13 July 2009 - 10:25 AM

I tried to run the HijackThis but it did not produce any results.
It just said "scan complete" and it was not possible to produce a log file.
The boxes checked were:
quick scan
ignore safe system
while the one box which was unchecked was:
calculate MD5 checksum of streams

I do not know if I did what I ought to do but this is the result I got.

thanks.

#43 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,081 posts

Posted 13 July 2009 - 01:39 PM

This is what I have found on your entry in the Autoexec.bat file.

C:\PROGRA~1\COMMON~1\MUVEET~1\030625;C:\PROGRA~1\COMMON~1\MUVEET~1\030625
it's a program called Muvee Technologies, it's a movie maker that came with my XP Media Center

Can you relate to it.


Try this again.

Run HijackThis,
Click the "None of the above..." button.

Click Config button > Misc Tool > Open ADS spy.
Scan and Save the log.
Post the result of the log that will be found in your HijackThis folder back here for me to see.
nasdaq

#44 virus-problem

virus-problem

    Member

  • Full Member
  • Pip
  • 55 posts

Posted 13 July 2009 - 03:03 PM

OK. I unchecked the "quick scan" option and after having done so it did provide a result.

C:\Documents and Settings\All Users\Application Data\TEMP : 7E95B6FD (101 bytes)
C:\Documents and Settings\All Users\Application Data\TEMP : DFC5A2B2 (110 bytes)
C:\Documents and Settings\All Users\Application Data\TEMP : 7E95B6FD (101 bytes)
C:\Documents and Settings\All Users\Application Data\TEMP : DFC5A2B2 (110 bytes)
C:\Documents and Settings\M\Foretrukne\Banya\Moscow Active Pursuits Baths Frommers.com.url : favicon (1406 bytes)
C:\Documents and Settings\M\Foretrukne\Banya\Professional Basketball Club CSKA Moscow Schedule Full Schedule.url : favicon (1150 bytes)
C:\Documents and Settings\M\Foretrukne\E-commerce\4Q - The Best Online Survey For A Website, Yours Free! Occam's Razor by Avinash Kaushik.url : favicon (3638 bytes)
C:\Documents and Settings\M\Foretrukne\E-commerce\9 Ecommerce Innovations What's Now & What's Next - Webinar from Elastic Path Software.url : favicon (1406 bytes)
C:\Documents and Settings\M\Foretrukne\E-commerce\Creating Synergy in Your SEO Efforts - Search Engine Watch.url : favicon (1078 bytes)
C:\Documents and Settings\M\Foretrukne\E-commerce\Free Keyword Suggestion Tool from Wordtracker.url : favicon (3638 bytes)
C:\Documents and Settings\M\Foretrukne\E-commerce\Keywords First - New Web Site Second - Search Engine Watch.url : favicon (1078 bytes)
C:\Documents and Settings\M\Foretrukne\E-commerce\twitter What are you doing.url : favicon (1406 bytes)
C:\Documents and Settings\M\Foretrukne\Hyperlinks\soncece4ever- Info.url : favicon (7406 bytes)
C:\Documents and Settings\M\Foretrukne\Links\Suggested Sites.url : favicon (25214 bytes)
C:\Documents and Settings\M\Foretrukne\MBA Moscow\Business Schools.url : favicon (894 bytes)
C:\Documents and Settings\M\Foretrukne\MBA Moscow\GSIB contacts.url : favicon (894 bytes)
C:\Documents and Settings\M\Foretrukne\MBA Moscow\http--en.mgubs.ru-files-booklet.pdf.url : favicon (1406 bytes)
C:\Documents and Settings\M\Foretrukne\MBA Moscow\Moscow Business School.url : favicon (894 bytes)
C:\Documents and Settings\M\Foretrukne\MBA Moscow\Moscow School of Management SKOLKOVO - CURRICULA.url : favicon (894 bytes)
C:\Documents and Settings\NetworkService\Foretrukne\Links\Suggested Sites.url : favicon (25214 bytes)

I do recognize most of the bookmarks. The three I am not quite sure about are:
C:\Documents and Settings\M\Foretrukne\Hyperlinks\soncece4ever- Info.url : favicon (7406 bytes)
C:\Documents and Settings\M\Foretrukne\Links\Suggested Sites.url : favicon (25214 bytes)
C:\Documents and Settings\NetworkService\Foretrukne\Links\Suggested Sites.url : favicon (25214 bytes)

#45 virus-problem

virus-problem

    Member

  • Full Member
  • Pip
  • 55 posts

Posted 13 July 2009 - 03:13 PM

I cannot see any reference among my programs to Muvee Technologies.

I took a look at their website and they sell movie editing software. I have no active remembrance of having ever installed this software or come across this company in any other way.

But if somehow they do something for Microsoft for their mediaplayer then maybe it has been part of a bundle or a MS download or upgrade.
I really do not know.

#46 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,081 posts

Posted 13 July 2009 - 03:16 PM

1. Click Config
2. Click Misc Tools
3. OPEN ADS SPY.
4. Click Scan (this will find all hidden files that you will not see in the explorer)
5. Select all items listed below for now. (this has to be done manually)
6. CLICK REMOVE SELECTED

C:\Documents and Settings\All Users\Application Data\TEMP : 7E95B6FD (101 bytes)
C:\Documents and Settings\All Users\Application Data\TEMP : DFC5A2B2 (110 bytes)
C:\Documents and Settings\All Users\Application Data\TEMP : 7E95B6FD (101 bytes)
C:\Documents and Settings\All Users\Application Data\TEMP : DFC5A2B2 (110 bytes)


Restart the computer normally.

Submit a fresh HijackThis log.

Let me know what problem persists.
nasdaq
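For readers who want to check for the same kind of hidden streams without ADS Spy, the following is an added example (not part of this thread, and not code from HijackThis): a PowerShell script that enumerates NTFS alternate data streams under a folder, prints them in the "path : stream (size)" form ADS Spy uses, and can remove a named stream. It assumes PowerShell 3.0 or later on an NTFS volume; the folder path is only an illustrative default.

```powershell
# Added example, not from the thread or from HijackThis/ADS Spy.
# Enumerate NTFS alternate data streams (ADS) beneath a folder.
# Assumes PowerShell 3.0+ (the -Stream parameter) on an NTFS volume.
function Get-HiddenStream {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Recurse
    )
    # Include the folder itself: directories can carry streams too, which is
    # what the "...\Application Data\TEMP : 7E95B6FD" entries in the log were.
    # (Directory streams are only listed where the provider supports them.)
    $items = @(Get-Item -LiteralPath $Path -Force)
    $items += Get-ChildItem -LiteralPath $Path -Force -Recurse:$Recurse
    foreach ($item in $items) {
        # ':$DATA' is the file's ordinary content; anything else is an ADS.
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    Path   = $item.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                }
            }
    }
}

function Remove-HiddenStream {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Stream
    )
    # Deletes only the named stream; the file's main content is untouched.
    Remove-Item -LiteralPath $Path -Stream $Stream
}

# Report in the same format ADS Spy prints. A "favicon" stream on a .url
# file is how Internet Explorer stores a favourite's icon and is expected;
# unnamed hex-named streams on a TEMP folder are worth a closer look.
# The folder below is an illustrative default for a Windows XP profile.
Get-HiddenStream -Path "$env:ALLUSERSPROFILE\Application Data" -Recurse |
    ForEach-Object { "{0} : {1} ({2} bytes)" -f $_.Path, $_.Stream, $_.Bytes }
```

Open a stream's contents with `Get-Content -LiteralPath <path> -Stream <name>` before deciding whether to remove it.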

#47 virus-problem

virus-problem

    Member

  • Full Member
  • Pip
  • 55 posts

Posted 14 July 2009 - 02:40 AM

I deleted the files. I rebooted the computer.
I ran a scan. Nothing found.
Just after the scan was completed the porn collection files were back,
and I only had Firefox open during that time. I thought it might be IE which would be triggering those files but apparently it has nothing to do with it.

#48 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,081 posts

Posted 14 July 2009 - 08:45 AM

If this file in bold is found in the Blonde-stravaganza folder
%Temp%\-= The Porn Collection =-\Blonde-stravaganza\Summary.txt
Open the file with NotePad and let me see the content.
===

Open your Autoexec.bat file and add a semi-colon in front of the line, like this.
;PATH=%PATH%;C:\PROGRA~1\FLLESF~1\MUVEET~1\030625

Save the file.
This will stop this line from being executed at start-up.
===


Go to your Firefox add-ons (under tools) Move all of them to a Temporary folder.

Restart the computer.

Move them back one by one and check after each addition if the porn collection files are back.
This may be a long process if you have many.
In that case move only half of them. If the porn collection folders are recreated then one of the remaining add-ons is possibly the culprit.

If they do not return then one of the moved add-ons is.

Trial and error may tell you if one of the add-ons is the culprit.
nasdaq

#49 virus-problem

virus-problem

    Member

  • Full Member
  • Pip
  • 55 posts

Posted 14 July 2009 - 12:53 PM

Here is the summary txt file:

Synopsis: If it's a blonde girl that sizzles your bacon, then this is the "stravaganza" for you! this 2 disc set features 12 hard hitting
scenes full of beautiful bangin' blondes. They're the hottest bitches in the house, and they're
hornier than a 2-dicked billy goat. So come and have some fun with the likes of ashlynn brooke, bree olson, carly parker, sharka blue, missy
monroe, and ahryan astyn. There are so many that you won't know what to do with them! that's what we call a "blonde-stravaganza!"
Running Time: min
Release Date: 12.18.2008
Categories: Anal, Gonzo, Blondes, Blowjobs
Directed By:
Starring: Missy Monroe, Sharka Blue, Velicity Von, Courtney Simpson, Bree Olson, Whitney Fears, Ashlynn Brooke, Carly Parker, Jamie Lamore,
Ahryan Astyn, Madison Scott, Jessica Steele

#50 virus-problem

virus-problem

    Member

  • Full Member
  • Pip
  • 55 posts

Posted 14 July 2009 - 02:04 PM

Is it enough if I disable the plugins ? or do I have to remove them ? and if so how do I do that without uninstalling them ?
I do not have many. So it can be done if I know exactly how to do it.
thanks.

The change of autoexec.bat did not prevent the porn collection folders from appearing.
