Solved

Think I'm hijacked?

Posted on 2009-05-18
Last Modified: 2016-10-27
Hi.
I have a problem going to some specific pages. I can't go to microsoft.com, mcafee.com, technet.com, etc.

I think I have some spyware on my computer?

HijackThis log is here:

Logfile of HijackThis v1.99.1
Scan saved at 14:53:39, on 18-05-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\Acronis\Schedule2\schedul2.exe
C:\Programmer\Java\jre6\bin\jqs.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Programmer\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Programmer\Fælles filer\Nero\Nero BackItUp 4\NBService.exe
C:\Programmer\SiteAdvisor\6173\SAService.exe
C:\Programmer\TomTom HOME 2\TomTomHOMEService.exe
C:\Programmer\Fælles filer\Acronis\Fomatik\TrueImageTryStartService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programmer\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programmer\Analog Devices\Core\smax4pnp.exe
C:\Programmer\Java\jre6\bin\jusched.exe
C:\Programmer\Google\Gmail Notifier\gnotify.exe
C:\Programmer\SiteAdvisor\6173\SiteAdv.exe
C:\PROGRA~1\McAfee\MANAGE~1\Agent\myAgtTry.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Programmer\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Programmer\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Programmer\Fælles filer\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Rainlendar2\Rainlendar2.exe
C:\Programmer\Microsoft ActiveSync\Wcescomm.exe
C:\Programmer\TomTom HOME 2\TomTomHOMERunner.exe
C:\PROGRA~1\ALLTOT~1\ALLTOT~1.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Programmer\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Programmer\Logitech\SetPoint\SetPoint.exe
C:\Programmer\Fælles filer\Logishrd\KHAL2\KHALMNPR.EXE
C:\Programmer\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Programmer\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Programmer\Windows Live\Messenger\msnmsgr.exe
C:\Programmer\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\NTR global\Console\inquiero.exe
C:\Programmer\Fælles filer\Adobe\Updater5\AdobeUpdater.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\Jimmy Jensen\Skrivebord\hijackthis_sfx.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Programmer\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Programmer\SiteAdvisor\6173\SiteAdv.dll
O2 - BHO: Hjælp til tilmelding til Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmer\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmer\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Programmer\SiteAdvisor\6173\SiteAdv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Programmer\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmer\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Programmer\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [MVS Splash] C:\Programmer\McAfee\Managed VirusScan\Agent\Splash.exe
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Programmer\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Programmer\SiteAdvisor\6173\SiteAdv.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Programmer\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Programmer\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Programmer\Fælles filer\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\WINDOWS\system32\9321.dll,s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Programmer\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmer\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Programmer\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKCU\..\Run: [AllToTray] C:\PROGRA~1\ALLTOT~1\ALLTOT~1.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmer\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send til &Bluetooth-enhed... - C:\Programmer\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International
O16 - DPF: {47489CC3-B1AB-4414-A7D9-4A6380D819D8} (ConfigManager Control) - http://*IP-DELETED*:8081/Remote%20Client/3.5e/Danish/da-DK/ConfigManager.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1240484129500
O16 - DPF: {817444B5-4D12-4EEB-8E78-C547E84F80B6} (EngineManager Control) - http://*IP-DELETED*:8081/Remote%20Client/3.5e/Danish/da-DK/EngineManager.cab
O16 - DPF: {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} (NTR ActiveX 1.1.8) - https://eu.ntrsupport.com/inquiero/mod/setup/ntractivex118_28.cab
O16 - DPF: {E7B12A6B-341F-4765-A9EA-29A745916878} (ImageViewer Control) - http://*IP-DELETED*:8081/Remote%20Client/3.5e/Danish/da-DK/ImageViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CE7E6E7-007E-4105-A6E0-58F7ABC191B9}: NameServer = 87.116.6.20,87.116.8.20
O17 - HKLM\System\CS1\Services\Tcpip\..\{3CE7E6E7-007E-4105-A6E0-58F7ABC191B9}: NameServer = 87.116.6.20,87.116.8.20
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programmer\Fælles filer\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\Programmer\McAfee\Managed VirusScan\Agent\MyRmProt4.9.2.253.dll
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Programmer\SiteAdvisor\6173\SiteAdv.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\FLLESF~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: LBTWlgn - c:\programmer\fælles filer\logishrd\bluetooth\LBTWlgn.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programmer\Fælles filer\Acronis\Schedule2\schedul2.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmer\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Programmer\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Programmer\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Programmer\Java\jre6\bin\jqs.exe" -service -config "C:\Programmer\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Programmer\Fælles filer\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: McAfee'-tjeneste til beskyttelse mod virus og spyware (myAgtSvc) - McAfee, Inc. - C:\Programmer\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Programmer\Fælles filer\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SiteAdvisor-tjeneste (SiteAdvisor Service) - Unknown owner - C:\Programmer\SiteAdvisor\6173\SAService.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Programmer\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Programmer\Fælles filer\Acronis\Fomatik\TrueImageTryStartService.exe

Please check it! :)
Question by:JarlK
27 Comments
 
Accepted Solution

by: warturtle (earned 160 total points)
I suggest installing SuperAntiSpyware (www.superantispyware.com) and scanning with it in safe mode. I will have a look at your log in the meantime.

 
Expert Comment

by: warturtle
I have a few questions for you based on the HijackThis log:

1. Do you know these IPs?
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CE7E6E7-007E-4105-A6E0-58F7ABC191B9}: NameServer = 87.116.6.20,87.116.8.20
O17 - HKLM\System\CS1\Services\Tcpip\..\{3CE7E6E7-007E-4105-A6E0-58F7ABC191B9}: NameServer = 87.116.6.20,87.116.8.20

2. Could you please upload this file to www.virustotal.com for a virus scan and let me know how many antivirus engines flag it as a possible infection:

C:\WINDOWS\system32\9321.dll

A SuperAntiSpyware scan will surely help with this.
 

Author Comment

by: JarlK
I don't know the IP. I can see it looks like a Danish IP (where I come from), so I don't know! I had looked at the two IP strings before I added them to this topic and found them a bit strange.

I can't access http://www.virustotal.com/? I guess it's the same problem as with microsoft, mcafee, etc.

I will run SuperAntiSpyware now!
 

Expert Comment

by: warturtle
Aha, OK, let me give you a direct link to the SuperAntiSpyware executable file: http://downloads.superantispyware.com/downloads/SUPERAntiSpyware.exe

Just click on that to start the download. Save the file as something completely different, like jabba.exe, and then install and run it.

If it still doesn't work, then download ComboFix from http://download.bleepingcomputer.com/sUBs/ComboFix.exe and follow the instructions at http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Download the ComboFix.exe file and save it with a different name. Then disable your existing antivirus protection and run it. After it finishes, it will create a log. Send that log to us, re-enable your existing antivirus, and download SuperAntiSpyware and scan with that.

Do that and let me know what you get. The file(s) have to be renamed before they come in contact with the infected computer. You can also download the file(s) onto a USB stick and copy them over to the infected computer to run.
 
Assisted Solution

by: rpggamergirl (earned 20 total points)
Looks like a Danish IP.
Fix this entry below:
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\WINDOWS\system32\9321.dll,s

C:\WINDOWS\system32\9321.dll <-- this file looks bad.

Or just run Combofix and attach the log here for us to check.
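A small triage check for the two kinds of entry raised above (the O4 rundll32 line rpggamergirl says to fix and the O17 NameServer lines warturtle asked about), written here as an added example rather than code from the thread or from HijackThis itself. The sample lines are copied from the posted log; `EXPECTED_DNS` is a constructed placeholder for the resolvers the machine is actually supposed to use.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional

# Lines copied from the HijackThis log posted in the question; everything
# else in this file is an added example, not part of the thread or of HijackThis.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\WINDOWS\system32\9321.dll,s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CE7E6E7-007E-4105-A6E0-58F7ABC191B9}: NameServer = 87.116.6.20,87.116.8.20
O17 - HKLM\System\CS1\Services\Tcpip\..\{3CE7E6E7-007E-4105-A6E0-58F7ABC191B9}: NameServer = 87.116.6.20,87.116.8.20
"""

# Constructed placeholder: the resolvers the user or ISP is known to have configured.
# The thread never states the correct servers, so this is an assumption to edit.
EXPECTED_DNS = frozenset({"192.0.2.53"})

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>\S+)$")
RUNDLL_RE = re.compile(
    r'\brundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?(?:,(?P<export>\S*))?', re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    kind: str    # "O4" or "O17"
    detail: str  # why the line was flagged
    line: str    # the original log line


def check_o4(line: str) -> Optional[Finding]:
    """Flag O4 Run entries that use rundll32 the way the 9321.dll entry does."""
    m = O4_RE.match(line)
    if not m:
        return None
    r = RUNDLL_RE.search(m.group("cmd"))
    if not r:
        return None  # plain executables are left to the whitelist / VirusTotal step
    base = r.group("dll").rsplit("\\", 1)[-1]
    stem = base[:-len(".dll")]
    export = r.group("export") or ""
    reasons = []
    if stem.isdigit():
        reasons.append(f"rundll32 loads a DLL with an all-numeric name ({base})")
    if len(export) <= 1:
        reasons.append(f"export name {export!r} is empty or a single character")
    return Finding("O4", "; ".join(reasons), line) if reasons else None


def check_o17(line: str, expected_dns=EXPECTED_DNS) -> Optional[Finding]:
    """Flag O17 NameServer overrides that are not the resolvers we expect."""
    m = O17_RE.match(line)
    if not m:
        return None
    unexpected = []
    for server in filter(None, m.group("servers").split(",")):
        try:
            ip_address(server)
        except ValueError:
            unexpected.append(f"{server} (not an IP address)")
            continue
        if server not in expected_dns:
            unexpected.append(server)
    if not unexpected:
        return None
    return Finding("O17", "NameServer not in expected set: " + ", ".join(unexpected), line)


def triage(log_text: str, expected_dns=EXPECTED_DNS) -> List[Finding]:
    """Run both checks over every line of a HijackThis log and collect the hits."""
    findings = []
    for line in log_text.strip().splitlines():
        hit = check_o4(line) or check_o17(line, expected_dns)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}\n    {f.line}")
```

Feed a whole saved HijackThis log to `triage()`: an O4 hit is the file to send for the VirusTotal check, and an O17 hit means the resolver addresses should be confirmed with the ISP or network admin before any name lookup from that machine is trusted.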
 

Author Comment

by: JarlK
Tomorrow you'll have an answer!
 

Author Comment

by: JarlK
Here is the SUPERAntiSpyware log:
ComboFix log coming up!

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/18/2009 at 04:44 PM

Application Version : 4.0.1154

Core Rules Database Version : 3412
Trace Rules Database Version: 1404

Scan type       : Complete Scan
Total Scan Time : 00:15:07

Memory items scanned      : 190
Memory threats detected   : 0
Registry items scanned    : 5913
Registry threats detected : 0
File items scanned        : 16638
File threats detected     : 21

Adware.Tracking Cookie
 

Author Comment

by: JarlK
ComboFix 09-05-18.02 - Jimmy Jensen 19-05-2009  8:32.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.45.1030.18.3063.2604 [GMT 2:00]
Kører fra: c:\documents and settings\Jimmy Jensen\Skrivebord\123.exe

advarsel -DENNE MASKINE HAR IKKE GENOPRETTELSESKONSOL INSTALLERET !!
.

(((((((((((((((((((((((((((((((((((((((   Andet, der er slettet   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\9321.dll

.
(((((((((((((((((((((((((((((   Filer skabt fra 2009-04-19 til 2009-05-19  )))))))))))))))))))))))))))))))))))
.


.
((((((((((((((((((((((((((((((((((((((((   Find3M Rapport   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

(((((((((((((((((((((((((((((((((((   Start steder i reg.basen   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Bemærk* tomme linier & lovlige standard linier vises ikke  
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Rainlendar2"="c:\programmer\Rainlendar2\Rainlendar2.exe" [2009-02-21 4333568]
"H/PC Connection Agent"="c:\programmer\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"TomTomHOME.exe"="c:\programmer\TomTom HOME 2\TomTomHOMERunner.exe" [2009-04-24 251240]
"SUPERAntiSpyware"="c:\programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-13 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-13 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-13 142360]
"QlbCtrl.exe"="c:\programmer\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-06-03 177456]
"SoundMAXPnP"="c:\programmer\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"SunJavaUpdateSched"="c:\programmer\Java\jre6\bin\jusched.exe" [2009-04-23 148888]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\programmer\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"MVS Splash"="c:\programmer\McAfee\Managed VirusScan\Agent\Splash.exe" [2008-12-09 558400]
"McAfee Managed Services Tray"="c:\programmer\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe" [2008-12-09 95552]
"SiteAdvisor"="c:\programmer\SiteAdvisor\6173\SiteAdv.exe" [2007-08-28 36640]
"Adobe Reader Speed Launcher"="c:\programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"TrueImageMonitor.exe"="c:\programmer\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-30 2595616]
"AcronisTimounterMonitor"="c:\programmer\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-30 909208]
"Acronis Scheduler2 Service"="c:\programmer\Fælles filer\Acronis\Schedule2\schedhlp.exe" [2007-10-30 140568]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"NWTRAY"="NWTRAY.EXE" - c:\windows\system32\nwtray.exe [2002-03-12 28672]

c:\documents and settings\All Users\Menuen Start\Programmer\Start\
BTTray.lnk - c:\programmer\WIDCOMM\Bluetooth Software\BTTray.exe [2007-2-6 561213]
Logitech SetPoint.lnk - c:\programmer\Logitech\SetPoint\SetPoint.exe [2009-4-23 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programmer\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 10:41      294912      ----a-w      c:\programmer\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 00:42      72208      ----a-w      c:\programmer\Fælles filer\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages      REG_MULTI_SZ         msv1_0 nwv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Jimmy Jensen^Menuen Start^Programmer^Start^NTRglobal Console.lnk]
path=c:\documents and settings\Jimmy Jensen\Menuen Start\Programmer\Start\NTRglobal Console.lnk
backup=c:\windows\pss\NTRglobal Console.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmer\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"c:\\Programmer\\Novell\\GroupWise\\grpwise.exe"=
"c:\\Programmer\\Novell\\GroupWise\\notify.exe"=
"c:\\Programmer\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programmer\\uTorrent\\uTorrent.exe"=
"c:\\Programmer\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmer\\NTR global\\Console\\inquiero.exe"=
"c:\\Programmer\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Programmer\\Mozilla Firefox\\firefox.exe"=
"c:\programmer\Microsoft ActiveSync\rapimgr.exe"= c:\programmer\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\programmer\Microsoft ActiveSync\wcescomm.exe"= c:\programmer\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\programmer\Microsoft ActiveSync\WCESMgr.exe"= c:\programmer\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Programmer\\mIRC\\mirc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"1828:TCP"= 1828:TCP:yoyne

R1 SASDIFSV;SASDIFSV;c:\programmer\SUPERAntiSpyware\sasdifsv.sys [29-02-2008 16:03 8944]
R1 SASKUTIL;SASKUTIL;c:\programmer\SUPERAntiSpyware\SASKUTIL.SYS [29-02-2008 16:03 51440]
R2 myAgtSvc;McAfee'-tjeneste til beskyttelse mod virus og spyware;c:\programmer\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [23-04-2009 11:42 218432]
R2 TomTomHOMEService;TomTomHOMEService;c:\programmer\TomTom HOME 2\TomTomHOMEService.exe [24-04-2009 13:57 92008]
R3 Com4QLBEx;Com4QLBEx;c:\programmer\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [23-04-2009 11:01 193840]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [23-07-2008 11:31 44800]
R3 SASENUM;SASENUM;c:\programmer\SUPERAntiSpyware\SASENUM.SYS [16-02-2006 16:51 4096]
S2 xjbcskob;Shell Helper;c:\windows\system32\svchost.exe -k netsvcs [02-03-2006 14:00 14336]
S3 HP24X;HP PC Card Smart Card Reader;c:\windows\system32\drivers\HP24X.sys [23-04-2009 10:29 35072]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
xjbcskob

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Indhold af mappen 'Planlagte Opgaver'

2009-05-18 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 15:04]

2009-05-19 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 15:04]
.
.
------- Yderligere scanning -------
.
uStart Page = hxxp://www.google.dk/
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send til &Bluetooth-enhed... - c:\programmer\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: danid.dk
TCP: {3CE7E6E7-007E-4105-A6E0-58F7ABC191B9} = 87.116.6.20,87.116.8.20
DPF: {47489CC3-B1AB-4414-A7D9-4A6380D819D8} - hxxp://***IP REMOVED***/Remote%20Client/3.5e/Danish/da-DK/ConfigManager.cab
DPF: {817444B5-4D12-4EEB-8E78-C547E84F80B6} - hxxp://***IP REMOVED***/Remote%20Client/3.5e/Danish/da-DK/EngineManager.cab
DPF: {E7B12A6B-341F-4765-A9EA-29A745916878} - hxxp://***IP REMOVED***/Remote%20Client/3.5e/Danish/da-DK/ImageViewer.cab
FF - ProfilePath - c:\documents and settings\Jimmy Jensen\Application Data\Mozilla\Firefox\Profiles\1my8ya8v.default\
FF - prefs.js: browser.startup.homepage - www.google.dk
FF - component: c:\documents and settings\Jimmy Jensen\Application Data\Mozilla\Firefox\Profiles\1my8ya8v.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\programmer\SiteAdvisor\6173\FF\components\FFHook.dll
FF - plugin: c:\documents and settings\Jimmy Jensen\Application Data\Mozilla\Firefox\Profiles\1my8ya8v.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\programmer\Mozilla Firefox\plugins\npOGAPlugin.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-19 08:33
Windows 5.1.2600 Service Pack 3 NTFS

scanner skjulte processer ...  

scanner skjulte autostarter ...

scanner skjulte filer ...  

scanning gennemført med succes
skjulte filer: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xjbcskob]
"ServiceDll"="c:\windows\system32\xranlsh.dll"
.
--------------------- DLLs startet under kørende Processer ---------------------

- - - - - - - > 'winlogon.exe'(992)
c:\windows\system32\NETWIN32.DLL
c:\programmer\SUPERAntiSpyware\SASWINLO.dll
c:\programmer\fælles filer\logishrd\bluetooth\LBTWlgn.dll
c:\programmer\fælles filer\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(1052)
c:\windows\system32\relog_ap.dll
.
Gennemført tid: 2009-05-19  8:34
ComboFix-quarantined-files.txt  2009-05-19 06:34

Pre-Kørsel: 165.611.069.440 byte ledig
Post-Kørsel: 165.970.198.528 byte ledig

300      --- E O F ---      2009-04-23 09:44
0
 

Author Comment

by:JarlK
Microsoft, McAfee, etc. still don't work!
0
 
LVL 32

Assisted Solution

by:shalomc
shalomc earned 50 total points
Do you have anything unusual in your Windows event log?

Start up the computer; after everything loads and before you do anything else, run netstat and copy the results here. Some rootkits can hide from netstat, but it is worth a try.

Run ipconfig to see what the default gateway is, and nslookup to identify your DNS.
Copy the results here.

Can you get another computer at your location to connect to the problematic sites?

0
 

Author Comment

by:JarlK
Hi Shalomc.

I have added some screendumps.

A computer right in front of me is working and can browse fine to McAfee, Windows, etc.
netstat.JPG
NSlookup.JPG
Logbog.JPG
0
 

Author Comment

by:JarlK
I can go fine to this page: http://216.49.88.12/uk/ <-- This is the IP for McAfee's homepage.
0

 
LVL 32

Expert Comment

by:shalomc
If you use a different browser, do you still have the problem?

If changing the browser helps, try deleting the entire browser cache, restart the browser and retry.
Preferably do this with a tool like CCleaner, as it takes care of some extra files (like index.dat).

0
 

Author Comment

by:JarlK
It's the same problem in IE and FF.

I have tried CCleaner.
0
 
LVL 16

Expert Comment

by:warturtle
Hello,

Yes, you have infections on that machine, which is evident from the ComboFix log, with entries such as this:

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xjbcskob]
"ServiceDll"="c:\windows\system32\xranlsh.dll"
and the presence of files such as ogaverify.exe

I am going to suggest a scan with the Dr Web Scanner Live CD, which can be downloaded from: http://www.freedrweb.com/livecd/ . Download the ISO file and burn it as an image to a blank CD. Then boot your PC from this CD and do the virus scan with Dr Web. This scanner will not load any Windows files or drivers and is basically like a small Linux system. It will scan your PC for infections and will give you 2 options, "Cure" or "Delete". Cure is always the best option: any object that can be cured will be, otherwise it is deleted. It's very powerful and accurate as well. After you finish scanning with Dr Web, reboot your PC in normal mode and then scan with McAfee Antivirus (which you already have on your PC). Dr Web scanning could take some time, but it is very powerful.

Hope that helps.
0
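A triage pass over ComboFix's report layout, added here as an example that is neither from the thread nor from ComboFix: it pairs each svchost-hosted service with the ServiceDll it loads (the xjbcskob / xranlsh.dll pairing quoted above), flags firewall exceptions missing the scope/Enabled/description fields the Windows Firewall UI writes (the "1828:TCP:yoyne" entry), and flags the disabled Security Center antivirus notification. The excerpt it parses is constructed from lines of the log above; everything else in a real report is ignored by these patterns.

```python
import re

# Constructed excerpt in ComboFix's report layout, copied from lines of the
# log above (a real report is far longer; only lines the checks use appear).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"1828:TCP"= 1828:TCP:yoyne

R2 myAgtSvc;McAfee service;c:\programmer\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [23-04-2009 11:42 218432]
S2 xjbcskob;Shell Helper;c:\windows\system32\svchost.exe -k netsvcs [02-03-2006 14:00 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
xjbcskob

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xjbcskob]
"ServiceDll"="c:\windows\system32\xranlsh.dll"
"""

# One service line: "<R|S><n> <name>;<display name>;<image path> [<date> <size>]"
SERVICE_RE = re.compile(r'^([RS]\d) (\w+);([^;]*);(.*?) \[', re.M)
# Names ComboFix lists under the Svchost NetSvcs group (one per line, until a blank)
NETSVCS_RE = re.compile(r'Svchost\s+-\s+NetSvcs\r?\n((?:\S+\r?\n)+)')
# Per-service ServiceDll value printed right under its Services key
SERVICEDLL_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(\w+)\]\r?\n'
    r'"ServiceDll"="([^"]+)"', re.M | re.I)
# Firewall exception: "<port>:<proto>"= <port>:<proto>:<scope>:Enabled:<description>
PORT_RE = re.compile(r'^"(\d+:(?:TCP|UDP))"= (\S+)', re.M)

def triage(log):
    """Return (category, item, detail) tuples worth a closer look."""
    findings = []
    # 1. Services that run inside svchost.exe: the image path says nothing,
    #    so pair each with the ServiceDll that actually gets loaded.
    hosted = {m.group(2) for m in SERVICE_RE.finditer(log)
              if 'svchost.exe -k' in m.group(4).lower()}
    for m in NETSVCS_RE.finditer(log):
        hosted.update(m.group(1).split())
    dll_by_service = {name.lower(): dll for name, dll in SERVICEDLL_RE.findall(log)}
    for svc in sorted(hosted):
        findings.append(('svchost-hosted service', svc,
                         dll_by_service.get(svc.lower(), '<ServiceDll not in log>')))
    # 2. Firewall exceptions missing the scope/Enabled/description fields that
    #    the firewall UI always writes (compare the ActiveSync entry with 1828).
    for port, value in PORT_RE.findall(log):
        fields = value.split(':')
        if len(fields) < 5 or fields[3] != 'Enabled':
            findings.append(('malformed firewall exception', port, value))
    # 3. Security Center told not to warn about the antivirus state.
    if re.search(r'"AntiVirusDisableNotify"=dword:0*1$', log, re.M | re.I):
        findings.append(('security center', 'AntiVirusDisableNotify', '1'))
    return findings
```

Each flagged ServiceDll is then something to check by hand (publisher, signature, file date) before deciding it is hostile; the list only narrows where to look.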
 

Author Comment

by:JarlK
Haha. I can't go to www.freedrweb.com :) But I will find a solution from another PC! I will return with an answer!
0
 
LVL 32

Expert Comment

by:shalomc
Infected after all...

Have fun.
0
 

Author Comment

by:JarlK
I just don't understand why it's only some pages it can't go to.

Maybe it's programmed for some specific homepages.
0
 
LVL 16

Expert Comment

by:warturtle
You are not able to open selected websites like freedrweb, McAfee, Microsoft, etc. because all of them make antivirus software, and this virus is smart enough not to let you open those websites, to evade detection and eventual removal. Viruses are quite smart now; some will search for text such as "mcafee", "symantec", etc. and will not let you go there.
0
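Because the IP works while the names fail in both IE and Firefox, the block sits below the browser. As an added check that is not part of the thread, here are the two simplest places it can sit: hosts-file pins on vendor domains, and resolver answers that differ from what a clean machine gets. The hosts content, watchlist and address lists are constructed; 216.49.88.12 is the McAfee address quoted earlier in the thread.

```python
import socket

# Constructed watchlist: the sites the thread reports as unreachable by name.
WATCHLIST = ['microsoft.com', 'mcafee.com', 'technet.com', 'freedrweb.com']

# Constructed hosts-file content; on XP the real file is
# %SystemRoot%\system32\drivers\etc\hosts and has no such lines by default.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.mcafee.com
127.0.0.1       mcafee.com
10.0.0.5        download.microsoft.com   # constructed: sent off-box
"""


def hosts_overrides(hosts_text, watchlist):
    """(hostname, ip) pairs in a hosts file that pin a watched domain or a
    subdomain of it; such a line short-circuits DNS for every browser."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if any(name == d or name.endswith('.' + d) for d in watchlist):
                hits.append((name, ip))
    return hits


def resolve(name):
    """Ask the machine's own resolver (hosts file first, then DNS).
    Returns a sorted IP list, or None when the name does not resolve."""
    try:
        return sorted(set(socket.gethostbyname_ex(name)[2]))
    except socket.gaierror:
        return None


def compare_answers(system, reference):
    """system and reference map name -> IP list (None = no answer).
    Reports names where the local answer is missing or shares no address
    with the answer captured on a clean machine."""
    findings = []
    for name, expected in reference.items():
        got = system.get(name)
        if got is None:
            findings.append((name, 'no answer', expected))
        elif not set(got) & set(expected):
            findings.append((name, 'different answer', got))
    return findings


if __name__ == '__main__':
    print(hosts_overrides(SAMPLE_HOSTS, WATCHLIST))
    print(compare_answers({d: resolve(d) for d in WATCHLIST},
                          {'mcafee.com': ['216.49.88.12']}))  # reference from the thread
```

On the affected machine, run resolve over the watchlist and hand the result to compare_answers together with answers captured on the working PC next to it; a clean hosts file and matching answers point at a filter further down (LSP, driver), which is what the ComboFix service entry suggests here.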
 
LVL 1

Assisted Solution

by:jovonn
jovonn earned 20 total points
Delete O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\WINDOWS\system32\9321.dll,s

Run msconfig and check if there are any odd entries in your Startup tab, and deselect them.

Make sure that your proxy isn't configured for any unknown entries.

If you can, download and run

http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
or, if you can get there, try the online virus scanner http://www.kaspersky.co.uk/virusscanner
0
 

Author Comment

by:JarlK
Holy moly, that was an aggressive virus.

Now I can enter McAfee, Microsoft and so on :)

Very nice! The last thing I want to do is scan my computer inside Windows.
0
 
LVL 16

Expert Comment

by:warturtle
Dr Web scanning is done already?? Wow, that was fast!!
0
 

Author Comment

by:JarlK
Hehe! Took about 1 - 1½ hours :)
0
 
LVL 16

Expert Comment

by:warturtle
That's good stuff! Now you must scan with McAfee once after updating it to the latest definitions to make sure that things are normal again, or an online scan with Kaspersky Online Scanner would be sufficient to let us know if the PC is trouble-free now. It's based at: http://www.kaspersky.co.uk/virusscanner

0
 

Author Comment

by:JarlK
Both are done now! The update went fine! No virus detected! :)
0
 

Author Comment

by:JarlK
I have closed!

Thank you all so much!
0
