So I have tried, but apparently once again without much luck, unfortunately. At the first step, Wipe File, RKU reported “Unable to delete contents of file” or something along those lines.
The second step, Unhook, seemed to go well.
Avenger behaved exactly as in an earlier attempt: it restarted the computer twice, but on the second restart it hung at the Windows startup screen with the “scrolling bar”, and I had to switch the machine off and on manually. On the third attempt Windows came up, but as soon as I logged the user on, it logged off again and the machine restarted once more. Only on the fourth restart did Avenger appear to run, and the following log appeared:
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Syntax error in line -- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CURRENT_USER\software\microsoft\windows\currentversion | lastupdatedate
Error: could not create zip file.
Error code: 0
//////////////////////////////////////////
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ugsafaxp
*******************
Script file located at: \??\C:\Program Files\cymxqkvt.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Could not delete file C:\WINDOWS\system32\aelupsvc32.dll
Deletion of file C:\WINDOWS\system32\aelupsvc32.dll failed!
Could not process line:
C:\WINDOWS\system32\aelupsvc32.dll
Status: 0xc0000022
File C:\WINDOWS\IEXPL0RE.exe not found!
Deletion of file C:\WINDOWS\IEXPL0RE.exe failed!
Could not process line:
C:\WINDOWS\IEXPL0RE.exe
Status: 0xc0000034
File C:\DOCUME~1\Shaola\LOKALE~1\Temp\10060_setup.exe not found!
Deletion of file C:\DOCUME~1\Shaola\LOKALE~1\Temp\10060_setup.exe failed!
Could not process line:
C:\DOCUME~1\Shaola\LOKALE~1\Temp\10060_setup.exe
Status: 0xc0000034
File C:\DOCUME~1\Shaola\LOKALE~1\Temp\setup2.exe not found!
Deletion of file C:\DOCUME~1\Shaola\LOKALE~1\Temp\setup2.exe failed!
Could not process line:
C:\DOCUME~1\Shaola\LOKALE~1\Temp\setup2.exe
Status: 0xc0000034
File C:\WINDOWS\system32\bootvid32.dll not found!
Deletion of file C:\WINDOWS\system32\bootvid32.dll failed!
Could not process line:
C:\WINDOWS\system32\bootvid32.dll
Status: 0xc0000034
File C:\WINDOWS\system32\cmpbk.dll not found!
Deletion of file C:\WINDOWS\system32\cmpbk.dll failed!
Could not process line:
C:\WINDOWS\system32\cmpbk.dll
Status: 0xc0000034
Could not delete file C:\WINDOWS\system32\drivers\wsfit32.sys
Deletion of file C:\WINDOWS\system32\drivers\wsfit32.sys failed!
Could not process line:
C:\WINDOWS\system32\drivers\wsfit32.sys
Status: 0xc0000022
File C:\WINDOWS\system32\msplus.dll not found!
Deletion of file C:\WINDOWS\system32\msplus.dll failed!
Could not process line:
C:\WINDOWS\system32\msplus.dll
Status: 0xc0000034
File C:\WINDOWS\system32\msplus1.dll not found!
Deletion of file C:\WINDOWS\system32\msplus1.dll failed!
Could not process line:
C:\WINDOWS\system32\msplus1.dll
Status: 0xc0000034
File C:\WINDOWS\system32\msplus2.dll not found!
Deletion of file C:\WINDOWS\system32\msplus2.dll failed!
Could not process line:
C:\WINDOWS\system32\msplus2.dll
Status: 0xc0000034
File C:\WINDOWS\system32\msplus3.dll not found!
Deletion of file C:\WINDOWS\system32\msplus3.dll failed!
Could not process line:
C:\WINDOWS\system32\msplus3.dll
Status: 0xc0000034
File C:\WINDOWS\system32\msplus4.dll not found!
Deletion of file C:\WINDOWS\system32\msplus4.dll failed!
Could not process line:
C:\WINDOWS\system32\msplus4.dll
Status: 0xc0000034
File C:\WINDOWS\system32\PSWEdit.dll not found!
Deletion of file C:\WINDOWS\system32\PSWEdit.dll failed!
Could not process line:
C:\WINDOWS\system32\PSWEdit.dll
Status: 0xc0000034
File C:\WINDOWS\system32\wshcon32.dll not found!
Deletion of file C:\WINDOWS\system32\wshcon32.dll failed!
Could not process line:
C:\WINDOWS\system32\wshcon32.dll
Status: 0xc0000034
Could not open file %windows%\system\setup-238.exe for deletion
Deletion of file %windows%\system\setup-238.exe failed!
Could not process line:
%windows%\system\setup-238.exe
Status: 0xc000003a
File C:\WINDOWS\system32\exmple.dll not found!
Deletion of file C:\WINDOWS\system32\exmple.dll failed!
Could not process line:
C:\WINDOWS\system32\exmple.dll
Status: 0xc0000034
File C:\WINDOWS\system32\sexmple.exe not found!
Deletion of file C:\WINDOWS\system32\sexmple.exe failed!
Could not process line:
C:\WINDOWS\system32\sexmple.exe
Status: 0xc0000034
File C:\WINDOWS\exmple.dll not found!
Deletion of file C:\WINDOWS\exmple.dll failed!
Could not process line:
C:\WINDOWS\exmple.dll
Status: 0xc0000034
File C:\WINDOWS\sexmple.exe not found!
Deletion of file C:\WINDOWS\sexmple.exe failed!
Could not process line:
C:\WINDOWS\sexmple.exe
Status: 0xc0000034
//////////////////////////////////////////
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ugsafaxp
*******************
Script file located at: \??\C:\Program Files\cymxqkvt.txt
Script file not found! Error
Could not open script file! Status: 0xc0000034 Abort!
And here is a new log from RKU:
RkUnhooker report generator v0.5c
==============================================
Rootkit Unhooker kernel version: 3.20.130.388
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================
>SSDT State
NtDeleteKey Actual Address 0xF762F6B6 Hooked by: wsfit32.sys
NtDeleteValueKey Actual Address 0xF762FB4A Hooked by: wsfit32.sys
NtOpenProcess Actual Address 0x9EB0D8AC Hooked by: C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.sys
NtSetValueKey Actual Address 0xF7630028 Hooked by: wsfit32.sys
NtTerminateProcess Actual Address 0x9EB0D812 Hooked by: C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.sys
==============================================
>Processes
Process: System Process Id: 4 EPROCESS Address: 0x863C45F0
Process: C:\WINDOWS\system32\hkcmd.exe Process Id: 396 EPROCESS Address: 0x855E5B10
Process: C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe Process Id: 404 EPROCESS Address: 0x85648630
Process: C:\WINDOWS\system32\smss.exe Process Id: 476 EPROCESS Address: 0x855746E8
Process: C:\WINDOWS\system32\csrss.exe Process Id: 524 EPROCESS Address: 0x857F44F0
Process: C:\WINDOWS\system32\winlogon.exe Process Id: 548 EPROCESS Address: 0x85972DA0
Process: C:\WINDOWS\system32\services.exe Process Id: 592 EPROCESS Address: 0x8563D478
Process: C:\WINDOWS\system32\lsass.exe Process Id: 604 EPROCESS Address: 0x857F8898
Process: C:\WINDOWS\system32\igfxpers.exe Process Id: 656 EPROCESS Address: 0x85697540
Process: C:\WINDOWS\system32\svchost.exe Process Id: 752 EPROCESS Address: 0x8568D020
Process: C:\WINDOWS\system32\svchost.exe Process Id: 812 EPROCESS Address: 0x85975820
Process: C:\WINDOWS\system32\svchost.exe Process Id: 848 EPROCESS Address: 0x86318590
Process: C:\Programmer\Synaptics\SynTP\SynTPEnh.exe Process Id: 872 EPROCESS Address: 0x85526DA0
Process: C:\WINDOWS\system32\svchost.exe Process Id: 936 EPROCESS Address: 0x85890020
Process: C:\WINDOWS\system32\svchost.exe Process Id: 976 EPROCESS Address: 0x85636868
Process: C:\Programmer\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe Process Id: 1136 EPROCESS Address: 0x85744940
Process: C:\WINDOWS\system32\spoolsv.exe Process Id: 1172 EPROCESS Address: 0x85653020
Process: C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe Process Id: 1324 EPROCESS Address: 0x85799020
Process: C:\Programmer\Alwil Software\Avast4\ashServ.exe Process Id: 1336 EPROCESS Address: 0x85591020
Process: C:\WINDOWS\explorer.exe Process Id: 1372 EPROCESS Address: 0x854DC540
Process: C:\WINDOWS\system32\svchost.exe Process Id: 1408 EPROCESS Address: 0x85695020
Process: C:\WINDOWS\system32\wscntfy.exe Process Id: 1540 EPROCESS Address: 0x85519540
Process: C:\WINDOWS\system32\svchost.exe Process Id: 1616 EPROCESS Address: 0x8589B960
Process: C:\WINDOWS\system32\wdfmgr.exe Process Id: 1688 EPROCESS Address: 0x857F2DA0
Process: C:\Programmer\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe Process Id: 1772 EPROCESS Address: 0x854DC990
Process: C:\WINDOWS\system32\wbem\wmiprvse.exe Process Id: 1944 EPROCESS Address: 0x855DF540
Process: C:\WINDOWS\system32\rundll32.exe Process Id: 2068 EPROCESS Address: 0x85562540
Process: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe Process Id: 2076 EPROCESS Address: 0x85577540
Process: C:\Programmer\HP\HP Software Update\hpwuSchd2.exe Process Id: 2084 EPROCESS Address: 0x854FFBB8
Process: C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe Process Id: 2096 EPROCESS Address: 0x8567FB98
Process: C:\WINDOWS\system32\ctfmon.exe Process Id: 2152 EPROCESS Address: 0x855C8B18
Process: C:\Programmer\Skype\Phone\Skype.exe Process Id: 2160 EPROCESS Address: 0x85573540
Process: C:\Programmer\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe Process Id: 2312 EPROCESS Address: 0x84C17BC8
Process: C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe Process Id: 2468 EPROCESS Address: 0x85548540
Process: C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe Process Id: 2488 EPROCESS Address: 0x85626338
Process: C:\Programmer\InterVideo\Common\Bin\WinCinemaMgr.exe Process Id: 2504 EPROCESS Address: 0x8631ADA0
Process: C:\Programmer\HP\Digital Imaging\bin\hpqgalry.exe Process Id: 2540 EPROCESS Address: 0x857ABDA0
Process: C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe Process Id: 1368 EPROCESS Address: 0x8574C020
Process: C:\RkUnhooker\qN57mqF7i1.exe Process Id: 3124 EPROCESS Address: 0x86319DA0
==============================================
>Drivers
Driver: ntkrnlpa.exe Address: 0x804D7000 Size: 2146304 bytes
Driver: PnpManager Address: 0x804D7000 Size: 2146304 bytes
Driver: RAW Address: 0x804D7000 Size: 2146304 bytes
Driver: WMIxWDM Address: 0x804D7000 Size: 2146304 bytes
Driver: Win32k Address: 0xBF800000 Size: 1843200 bytes
Driver: win32k.sys Address: 0xBF800000 Size: 1843200 bytes
Driver: w39n51.sys Address: 0xF6980000 Size: 1429504 bytes
Driver: ialmnt5.sys Address: 0xF6B16000 Size: 1400832 bytes
Driver: HSX_DPV.sys Address: 0xA5D9C000 Size: 1011712 bytes
Driver: ialmdd5.DLL Address: 0xBFA3E000 Size: 978944 bytes
Driver: dump_iaStor.sys Address: 0x9DC11000 Size: 876544 bytes
Driver: iaStor.sys Address: 0xF7371000 Size: 876544 bytes
Driver: HSX_CNXT.sys Address: 0xA5CE5000 Size: 749568 bytes
Driver: CHDAud.sys Address: 0xA5F8F000 Size: 598016 bytes
Driver: Ntfs.sys Address: 0xF7242000 Size: 577536 bytes
Driver: mrxsmb.sys Address: 0xA0E48000 Size: 454656 bytes
Driver: tcpip.sys Address: 0xA0F4D000 Size: 364544 bytes
Driver: srv.sys Address: 0x9DA8C000 Size: 335872 bytes
Driver: rixdptsk.sys Address: 0xF68D9000 Size: 311296 bytes
Driver: HSXHWAZL.sys Address: 0xA5E93000 Size: 237568 bytes
Driver: ialmdev5.DLL Address: 0xBFA05000 Size: 233472 bytes
Driver: update.sys Address: 0xF682B000 Size: 212992 bytes
Driver: SynTP.sys Address: 0xF68AA000 Size: 192512 bytes
Driver: ACPI.sys Address: 0xF748F000 Size: 188416 bytes
Driver: mrxdav.sys Address: 0x9DBE4000 Size: 184320 bytes
Driver: NDIS.sys Address: 0xF7215000 Size: 184320 bytes
Driver: kmixer.sys Address: 0x9C94C000 Size: 176128 bytes
Driver: rdbss.sys Address: 0xA0EB7000 Size: 176128 bytes
Driver: netbt.sys Address: 0xA0F04000 Size: 163840 bytes
Driver: e100b325.sys Address: 0xF6936000 Size: 159744 bytes
Driver: HDAudBus.sys Address: 0xF6ADD000 Size: 151552 bytes
Driver: Fastfat.SYS Address: 0x9C901000 Size: 143360 bytes
Driver: ks.sys Address: 0xF6887000 Size: 143360 bytes
Driver: USBPORT.SYS Address: 0xF695D000 Size: 143360 bytes
Driver: afd.sys Address: 0xA0EE2000 Size: 139264 bytes
Driver: ialmdnt5.dll Address: 0xBF9E3000 Size: 139264 bytes
Driver: portcls.sys Address: 0xA5F6D000 Size: 139264 bytes
Driver: ACPI_HAL Address: 0x806E3000 Size: 134272 bytes
Driver: hal.dll Address: 0x806E3000 Size: 134272 bytes
Driver: fltMgr.sys Address: 0xF72F8000 Size: 131072 bytes
Driver: ftdisk.sys Address: 0xF745F000 Size: 126976 bytes
Driver: Mup.sys Address: 0xF71FB000 Size: 106496 bytes
Driver: atapi.sys Address: 0xF7447000 Size: 98304 bytes
Driver: SCSIPORT.SYS Address: 0xF732F000 Size: 98304 bytes
Driver: KSecDD.sys Address: 0xF72CF000 Size: 94208 bytes
Driver: ndiswan.sys Address: 0xF6870000 Size: 94208 bytes
Driver: nvatabus.sys Address: 0xF735A000 Size: 94208 bytes
Driver: viamraid.sys Address: 0xF7318000 Size: 94208 bytes
Driver: aswMon2.SYS Address: 0x9DBA6000 Size: 90112 bytes
Driver: wdmaud.sys Address: 0x9D95F000 Size: 86016 bytes
Driver: VIDEOPRT.SYS Address: 0xF6B02000 Size: 81920 bytes
Driver: ipsec.sys Address: 0xA0FA6000 Size: 77824 bytes
Driver: nvraid.sys Address: 0xF7347000 Size: 77824 bytes
Driver: dxg.sys Address: 0xBF9C2000 Size: 73728 bytes
Driver: sr.sys Address: 0xF72E6000 Size: 73728 bytes
Driver: pci.sys Address: 0xF747E000 Size: 69632 bytes
Driver: psched.sys Address: 0xF685F000 Size: 69632 bytes
Driver: sdbus.sys Address: 0xF6925000 Size: 69632 bytes
Driver: Cdfs.SYS Address: 0xA6F72000 Size: 65536 bytes
Driver: drmk.sys Address: 0xA6FD2000 Size: 61440 bytes
Driver: ialmrnt5.dll Address: 0xBF9D4000 Size: 61440 bytes
Driver: ohci1394.sys Address: 0xF75CE000 Size: 61440 bytes
Driver: redbook.sys Address: 0xF777E000 Size: 61440 bytes
Driver: sysaudio.sys Address: 0x9E984000 Size: 61440 bytes
Driver: usbhub.sys Address: 0xA5F0D000 Size: 61440 bytes
Driver: VolSnap.sys Address: 0xF75FE000 Size: 57344 bytes
Driver: 1394BUS.SYS Address: 0xF75DE000 Size: 53248 bytes
Driver: cdrom.sys Address: 0xF776E000 Size: 53248 bytes
Driver: CLASSPNP.SYS Address: 0xF760E000 Size: 53248 bytes
Driver: i8042prt.sys Address: 0xF774E000 Size: 53248 bytes
Driver: rasl2tp.sys Address: 0xF778E000 Size: 53248 bytes
Driver: rimsptsk.sys Address: 0xF773E000 Size: 53248 bytes
Driver: raspptp.sys Address: 0xF77AE000 Size: 49152 bytes
Driver: SASKUTIL.sys Address: 0xA5ECD000 Size: 49152 bytes
Driver: imapi.sys Address: 0xF775E000 Size: 45056 bytes
Driver: MountMgr.sys Address: 0xF75EE000 Size: 45056 bytes
Driver: raspppoe.sys Address: 0xF779E000 Size: 45056 bytes
Driver: wsfit32.sys Address: 0xF762E000 Size: 45056 bytes
Driver: intelppm.sys Address: 0xF772E000 Size: 40960 bytes
Driver: NDProxy.SYS Address: 0xF6C6C000 Size: 40960 bytes
Driver: termdd.sys Address: 0xF6CFC000 Size: 40960 bytes
Driver: aswTdi.SYS Address: 0xA5EFD000 Size: 36864 bytes
Driver: disk.sys Address: 0xF761E000 Size: 36864 bytes
Driver: Fips.SYS Address: 0xA4E03000 Size: 36864 bytes
Driver: isapnp.sys Address: 0xF75BE000 Size: 36864 bytes
Driver: msgpc.sys Address: 0xF77BE000 Size: 36864 bytes
Driver: netbios.sys Address: 0xA5EDD000 Size: 36864 bytes
Driver: wanarp.sys Address: 0xA5EED000 Size: 36864 bytes
Driver: Modem.SYS Address: 0xA7067000 Size: 32768 bytes
Driver: Npfs.SYS Address: 0xA5A92000 Size: 32768 bytes
Driver: SiSRaid2.sys Address: 0xF784E000 Size: 32768 bytes
Driver: kbdclass.sys Address: 0xF78D6000 Size: 28672 bytes
Driver: PCIIDEX.SYS Address: 0xF783E000 Size: 28672 bytes
Driver: rimmptsk.sys Address: 0xF78CE000 Size: 28672 bytes
Driver: SASDIFSV.SYS Address: 0xA5A8A000 Size: 28672 bytes
Driver: usbehci.sys Address: 0xF78C6000 Size: 28672 bytes
Driver: USBSTOR.SYS Address: 0xA75B2000 Size: 28672 bytes
Driver: Aavmker4.SYS Address: 0xA6AB4000 Size: 24576 bytes
Driver: mouclass.sys Address: 0xF78DE000 Size: 24576 bytes
Driver: rkhdrv31.SYS Address: 0x9E205000 Size: 24576 bytes
Driver: vga.sys Address: 0xA5AA2000 Size: 24576 bytes
Driver: Msfs.SYS Address: 0xA5A9A000 Size: 20480 bytes
Driver: PartMgr.sys Address: 0xF7846000 Size: 20480 bytes
Driver: ptilink.sys Address: 0xF78EE000 Size: 20480 bytes
Driver: raspti.sys Address: 0xF78F6000 Size: 20480 bytes
Driver: TDI.SYS Address: 0xF78E6000 Size: 20480 bytes
Driver: usbuhci.sys Address: 0xF78BE000 Size: 20480 bytes
Driver: watchdog.sys Address: 0xA6AA4000 Size: 20480 bytes
Driver: aswRdr.SYS Address: 0x9DA28000 Size: 16384 bytes
Driver: BATTC.SYS Address: 0xF79D6000 Size: 16384 bytes
Driver: CmBatt.sys Address: 0xF71C7000 Size: 16384 bytes
Driver: mdmxsdk.sys Address: 0x9DB8E000 Size: 16384 bytes
Driver: mssmbios.sys Address: 0xF7166000 Size: 16384 bytes
Driver: ndisuio.sys Address: 0xF7A96000 Size: 16384 bytes
Driver: ACPIEC.sys Address: 0xF79DA000 Size: 12288 bytes
Driver: BOOTVID.dll Address: 0xF79CE000 Size: 12288 bytes
Driver: compbatt.sys Address: 0xF79D2000 Size: 12288 bytes
Driver: Dxapi.sys Address: 0x9EB40000 Size: 12288 bytes
Driver: ndistapi.sys Address: 0xF71B3000 Size: 12288 bytes
Driver: rasacd.sys Address: 0xA70CC000 Size: 12288 bytes
Driver: ws2ifsl.sys Address: 0xA6F36000 Size: 12288 bytes
Driver: Beep.SYS Address: 0xF7AD2000 Size: 8192 bytes
Driver: Fs_Rec.SYS Address: 0xF7AD0000 Size: 8192 bytes
Driver: intelide.sys Address: 0xF7AC2000 Size: 8192 bytes
Driver: KDCOM.DLL Address: 0xF7ABE000 Size: 8192 bytes
Driver: mnmdd.SYS Address: 0xF7AD4000 Size: 8192 bytes
Driver: RDPCDD.sys Address: 0xF7AD6000 Size: 8192 bytes
Driver: swenum.sys Address: 0xF7AEA000 Size: 8192 bytes
Driver: USBD.SYS Address: 0xF7AE8000 Size: 8192 bytes
Driver: WMILIB.SYS Address: 0xF7AC0000 Size: 8192 bytes
Driver: audstub.sys Address: 0xF7C6F000 Size: 4096 bytes
Driver: AvgAsCln.sys Address: 0xF7C0F000 Size: 4096 bytes
Driver: dxgthk.sys Address: 0x9DE81000 Size: 4096 bytes
Driver: guard.sys Address: 0x9EB0D000 Size: 4096 bytes
Driver: Null.SYS Address: 0xF7C0E000 Size: 4096 bytes
Driver: OPRGHDLR.SYS Address: 0xF7B87000 Size: 4096 bytes
Driver: pciide.sys Address: 0xF7B86000 Size: 4096 bytes
==============================================
>Files
==============================================
>Hooks
[1372]explorer.exe->kernel32.dll->GetProcAddress, Type: IAT modification at address 0x01001268 hook handler located in [ShimEng.dll]
[2160]Skype.exe->user32.dll->ScrollWindow, Type: IAT modification at address 0x00C0383C hook handler located in [Skype.exe]
[2160]Skype.exe->user32.dll->ScrollWindowEx, Type: IAT modification at address 0x00C03838 hook handler located in [Skype.exe]
It doesn't look like there is any improvement?
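The Avenger log in this post records an NTSTATUS code for every file it could not remove, and the codes do not all mean the same thing: 0xc0000022 (STATUS_ACCESS_DENIED) on aelupsvc32.dll and on the driver wsfit32.sys means the files exist but could not be deleted even by Avenger's boot-time service, 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) means nothing is at that path, and 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND) on %windows%\system\setup-238.exe shows that the %windows% token in the script was passed through unexpanded. The access-denied group lines up with the RKU report in the same post, where wsfit32.sys hooks the registry-deletion services. The following Python is an added example written for this thread, not part of Avenger or of the original post; it parses those entries and sorts them into the three groups, using a constructed excerpt of the log above as input.

```python
import re
from typing import Dict, List, NamedTuple

# NTSTATUS values from the Windows SDK (ntstatus.h) for the codes that appear in the log.
NTSTATUS_NAMES: Dict[int, str] = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",
}

# Constructed excerpt of the Avenger log posted above (four of its entries, copied verbatim).
SAMPLE_LOG = r"""Beginning to process script file:
Could not delete file C:\WINDOWS\system32\aelupsvc32.dll
Deletion of file C:\WINDOWS\system32\aelupsvc32.dll failed!
Could not process line:
C:\WINDOWS\system32\aelupsvc32.dll
Status: 0xc0000022
File C:\WINDOWS\IEXPL0RE.exe not found!
Deletion of file C:\WINDOWS\IEXPL0RE.exe failed!
Could not process line:
C:\WINDOWS\IEXPL0RE.exe
Status: 0xc0000034
Could not delete file C:\WINDOWS\system32\drivers\wsfit32.sys
Deletion of file C:\WINDOWS\system32\drivers\wsfit32.sys failed!
Could not process line:
C:\WINDOWS\system32\drivers\wsfit32.sys
Status: 0xc0000022
Could not open file %windows%\system\setup-238.exe for deletion
Deletion of file %windows%\system\setup-238.exe failed!
Could not process line:
%windows%\system\setup-238.exe
Status: 0xc000003a
"""


class FailedDeletion(NamedTuple):
    path: str
    status: int
    status_name: str


# One failed entry: the "Could not process line:" marker, the path, then the status code.
_ENTRY = re.compile(
    r"Could not process line:\r?\n(?P<path>[^\r\n]+)\r?\nStatus: (?P<status>0x[0-9A-Fa-f]+)")


def parse_avenger_log(text: str) -> List[FailedDeletion]:
    """Extract every failed deletion with its NTSTATUS code from an Avenger log."""
    entries = []
    for m in _ENTRY.finditer(text):
        code = int(m["status"], 16)
        entries.append(FailedDeletion(m["path"], code, NTSTATUS_NAMES.get(code, "UNKNOWN")))
    return entries


def triage(entries: List[FailedDeletion]) -> Dict[str, List[str]]:
    """Sort failures by what they mean for the cleanup:
    - protected: the file exists but even the boot-time deletion was denied; on an otherwise
      idle system this is the signature of a still-active driver shielding its own files
    - absent: nothing is at that path (already removed, or never there)
    - bad_path: the path itself is invalid, e.g. an unexpanded %variable% in the script
    """
    result: Dict[str, List[str]] = {"protected": [], "absent": [], "bad_path": []}
    for e in entries:
        if e.status == 0xC0000022:
            result["protected"].append(e.path)
        elif e.status == 0xC0000034:
            result["absent"].append(e.path)
        elif e.status == 0xC000003A or "%" in e.path:
            result["bad_path"].append(e.path)
    return result


if __name__ == "__main__":
    for bucket, paths in triage(parse_avenger_log(SAMPLE_LOG)).items():
        print(f"{bucket}:")
        for p in paths:
            print("  " + p)
```

The "protected" bucket is the one worth acting on: a file that cannot be deleted before the user session starts is almost always held open or guarded by a kernel component, so the driver has to be neutralised (here: unhooked) before the file deletions can succeed.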
Editor
Number of posts: 6158
No, the success was admittedly rather limited [:(]. Now try the following:
- Then run RKU. Click Setup - “Extended mode”. You will then be asked to restart, but restart into Safe Mode.
- Once the computer has restarted, run Rootkit Unhooker again. Click “Tools” - “Wipe/copy file”. Click “Browse” and navigate to the following file:
C:\WINDOWS\IEXPL0RE.exe
...and click “Open”. Then select “Direct File Content Wiping” and click “Do operation”.
Then repeat the procedure for the following files:
c:\windows\system32\aelupsvc32.dll
C:\WINDOWS\system32\drivers\wsfit32.sys
- Then close this dialog box and click the “SSDT Hooks Detector/Restorer” tab. Again find the following “Service Names” and select them while holding down the Ctrl key:
NtDeleteKey Hooked by: wsfit32.sys
NtDeleteValueKey Hooked by: wsfit32.sys
NtSetValueKey Hooked by: wsfit32.sys
Then click “Unhook selected”.
- Then click “Action”. Here you have the option to choose “Do immediately BSOD”. This function will crash your computer, which (hopefully) means the infection will not have time to regenerate. You will then probably have to switch off your computer manually and restart it.
- Restart into normal mode and make a new log with Rootkit Unhooker, which you post here for checking.
Done as described, though the file C:\WINDOWS\IEXPL0RE.exe was not to be found. Here is a new log from RKU:
RkUnhooker report generator v0.5c
==============================================
Rootkit Unhooker kernel version: 3.20.130.388
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================
>SSDT State
NtOpenProcess Actual Address 0xF7C438AC Hooked by: C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.sys
NtTerminateProcess Actual Address 0xF7C43812 Hooked by: C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.sys
==============================================
>Processes
Process: System Process Id: 4 EPROCESS Address: 0x863C4490
Process: C:\WINDOWS\system32\hkcmd.exe Process Id: 404 EPROCESS Address: 0x857B1540
Process: C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe Process Id: 408 EPROCESS Address: 0x855D9DA0
Process: C:\WINDOWS\system32\smss.exe Process Id: 480 EPROCESS Address: 0x85886AD0
Process: C:\WINDOWS\system32\csrss.exe Process Id: 528 EPROCESS Address: 0x8581B030
Process: C:\WINDOWS\system32\winlogon.exe Process Id: 552 EPROCESS Address: 0x8564E160
Process: C:\WINDOWS\system32\services.exe Process Id: 596 EPROCESS Address: 0x8581BC18
Process: C:\WINDOWS\system32\savedump.exe Process Id: 624 EPROCESS Address: 0x8558DC20
Process: C:\WINDOWS\system32\lsass.exe Process Id: 632 EPROCESS Address: 0x8585C030
Process: C:\WINDOWS\system32\svchost.exe Process Id: 764 EPROCESS Address: 0x8598F030
Process: C:\WINDOWS\system32\svchost.exe Process Id: 824 EPROCESS Address: 0x8566E030
Process: C:\WINDOWS\system32\svchost.exe Process Id: 856 EPROCESS Address: 0x8566B030
Process: C:\WINDOWS\system32\svchost.exe Process Id: 912 EPROCESS Address: 0x85646030
Process: C:\WINDOWS\system32\svchost.exe Process Id: 984 EPROCESS Address: 0x8565D030
Process: C:\WINDOWS\system32\igfxpers.exe Process Id: 1060 EPROCESS Address: 0x857B3540
Process: C:\WINDOWS\system32\spoolsv.exe Process Id: 1192 EPROCESS Address: 0x8581C208
Process: C:\Programmer\Synaptics\SynTP\SynTPEnh.exe Process Id: 1232 EPROCESS Address: 0x85508DA0
Process: C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe Process Id: 1332 EPROCESS Address: 0x8577DAD0
Process: C:\Programmer\Alwil Software\Avast4\ashServ.exe Process Id: 1352 EPROCESS Address: 0x85574B18
Process: C:\WINDOWS\system32\wbem\wmiprvse.exe Process Id: 1396 EPROCESS Address: 0x8569E548
Process: C:\WINDOWS\system32\svchost.exe Process Id: 1424 EPROCESS Address: 0x85580540
Process: C:\WINDOWS\system32\wscntfy.exe Process Id: 1432 EPROCESS Address: 0x85505540
Process: C:\WINDOWS\system32\svchost.exe Process Id: 1564 EPROCESS Address: 0x855C84F0
Process: C:\WINDOWS\system32\wdfmgr.exe Process Id: 1604 EPROCESS Address: 0x857E45E8
Process: C:\Programmer\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe Process Id: 1808 EPROCESS Address: 0x855FB360
Process: C:\Programmer\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe Process Id: 1860 EPROCESS Address: 0x857CC9E0
Process: C:\WINDOWS\explorer.exe Process Id: 2016 EPROCESS Address: 0x854D2DA0
Process: C:\WINDOWS\system32\rundll32.exe Process Id: 2080 EPROCESS Address: 0x8565B540
Process: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe Process Id: 2088 EPROCESS Address: 0x8565C540
Process: C:\Programmer\HP\HP Software Update\hpwuSchd2.exe Process Id: 2096 EPROCESS Address: 0x85642540
Process: C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe Process Id: 2116 EPROCESS Address: 0x854DADA0
Process: C:\WINDOWS\system32\ctfmon.exe Process Id: 2164 EPROCESS Address: 0x85682360
Process: C:\Programmer\Skype\Phone\Skype.exe Process Id: 2172 EPROCESS Address: 0x8578C558
Process: C:\Programmer\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe Process Id: 2324 EPROCESS Address: 0x855ABC20
Process: C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe Process Id: 2500 EPROCESS Address: 0x855999E0
Process: C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe Process Id: 2532 EPROCESS Address: 0x854CB9A0
Process: C:\Programmer\InterVideo\Common\Bin\WinCinemaMgr.exe Process Id: 2564 EPROCESS Address: 0x855FCBC0
Process: C:\Programmer\HP\Digital Imaging\bin\hpqgalry.exe Process Id: 2600 EPROCESS Address: 0x859BEDA0
Process: C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe Process Id: 1376 EPROCESS Address: 0x857F42F8
Process: C:\RkUnhooker\qN57mqF7i1.exe Process Id: 2884 EPROCESS Address: 0x85888BC0
==============================================
>Drivers
Driver: ntkrnlpa.exe Address: 0x804D7000 Size: 2146304 bytes
Driver: PnpManager Address: 0x804D7000 Size: 2146304 bytes
Driver: RAW Address: 0x804D7000 Size: 2146304 bytes
Driver: WMIxWDM Address: 0x804D7000 Size: 2146304 bytes
Driver: Win32k Address: 0xBF800000 Size: 1843200 bytes
Driver: win32k.sys Address: 0xBF800000 Size: 1843200 bytes
Driver: w39n51.sys Address: 0xF68D4000 Size: 1429504 bytes
Driver: ialmnt5.sys Address: 0xF6A6A000 Size: 1400832 bytes
Driver: HSX_DPV.sys Address: 0xA5DA8000 Size: 1011712 bytes
Driver: ialmdd5.DLL Address: 0xBFA3E000 Size: 978944 bytes
Driver: dump_iaStor.sys Address: 0x9DD9F000 Size: 876544 bytes
Driver: iaStor.sys Address: 0xF7371000 Size: 876544 bytes
Driver: HSX_CNXT.sys Address: 0xA5CF1000 Size: 749568 bytes
Driver: CHDAud.sys Address: 0xA5F9B000 Size: 598016 bytes
Driver: Ntfs.sys Address: 0xF7242000 Size: 577536 bytes
Driver: mrxsmb.sys Address: 0xA0EF4000 Size: 454656 bytes
Driver: tcpip.sys Address: 0xA1021000 Size: 364544 bytes
Driver: srv.sys Address: 0x9DC6A000 Size: 335872 bytes
Driver: rixdptsk.sys Address: 0xF682D000 Size: 311296 bytes
Driver: HSXHWAZL.sys Address: 0xA5E9F000 Size: 237568 bytes
Driver: ialmdev5.DLL Address: 0xBFA05000 Size: 233472 bytes
Driver: update.sys Address: 0xF4FE5000 Size: 212992 bytes
Driver: SynTP.sys Address: 0xF67FE000 Size: 192512 bytes
Driver: ACPI.sys Address: 0xF748F000 Size: 188416 bytes
Driver: mrxdav.sys Address: 0x9DD72000 Size: 184320 bytes
Driver: NDIS.sys Address: 0xF7215000 Size: 184320 bytes
Driver: rdbss.sys Address: 0xA0F63000 Size: 176128 bytes
Driver: netbt.sys Address: 0xA0FD8000 Size: 163840 bytes
Driver: e100b325.sys Address: 0xF688A000 Size: 159744 bytes
Driver: HDAudBus.sys Address: 0xF6A31000 Size: 151552 bytes
Driver: ks.sys Address: 0xF67DB000 Size: 143360 bytes
Driver: USBPORT.SYS Address: 0xF68B1000 Size: 143360 bytes
Driver: afd.sys Address: 0xA0F8E000 Size: 139264 bytes
Driver: ialmdnt5.dll Address: 0xBF9E3000 Size: 139264 bytes
Driver: portcls.sys Address: 0xA5F79000 Size: 139264 bytes
Driver: ACPI_HAL Address: 0x806E3000 Size: 134272 bytes
Driver: hal.dll Address: 0x806E3000 Size: 134272 bytes
Driver: fltMgr.sys Address: 0xF72F8000 Size: 131072 bytes
Driver: ftdisk.sys Address: 0xF745F000 Size: 126976 bytes
Driver: Mup.sys Address: 0xF71FB000 Size: 106496 bytes
Driver: atapi.sys Address: 0xF7447000 Size: 98304 bytes
Driver: SCSIPORT.SYS Address: 0xF732F000 Size: 98304 bytes
Driver: KSecDD.sys Address: 0xF72CF000 Size: 94208 bytes
Driver: ndiswan.sys Address: 0xF67C4000 Size: 94208 bytes
Driver: nvatabus.sys Address: 0xF735A000 Size: 94208 bytes
Driver: viamraid.sys Address: 0xF7318000 Size: 94208 bytes
Driver: aswMon2.SYS Address: 0x9DD34000 Size: 90112 bytes
Driver: wdmaud.sys Address: 0x9DA75000 Size: 86016 bytes
Driver: VIDEOPRT.SYS Address: 0xF6A56000 Size: 81920 bytes
Driver: ipsec.sys Address: 0xA107A000 Size: 77824 bytes
Driver: nvraid.sys Address: 0xF7347000 Size: 77824 bytes
Driver: dxg.sys Address: 0xBF9C2000 Size: 73728 bytes
Driver: sr.sys Address: 0xF72E6000 Size: 73728 bytes
Driver: pci.sys Address: 0xF747E000 Size: 69632 bytes
Driver: psched.sys Address: 0xF67B3000 Size: 69632 bytes
Driver: sdbus.sys Address: 0xF6879000 Size: 69632 bytes
Driver: Cdfs.SYS Address: 0xA6D36000 Size: 65536 bytes
Driver: drmk.sys Address: 0xA6D86000 Size: 61440 bytes
Driver: ialmrnt5.dll Address: 0xBF9D4000 Size: 61440 bytes
Driver: ohci1394.sys Address: 0xF75BE000 Size: 61440 bytes
Driver: redbook.sys Address: 0xF773E000 Size: 61440 bytes
Driver: sysaudio.sys Address: 0x9DADA000 Size: 61440 bytes
Driver: usbhub.sys Address: 0xA5F09000 Size: 61440 bytes
Driver: VolSnap.sys Address: 0xF75FE000 Size: 57344 bytes
Driver: 1394BUS.SYS Address: 0xF75CE000 Size: 53248 bytes
Driver: cdrom.sys Address: 0xF772E000 Size: 53248 bytes
Driver: CLASSPNP.SYS Address: 0xF760E000 Size: 53248 bytes
Driver: i8042prt.sys Address: 0xF770E000 Size: 53248 bytes
Driver: rasl2tp.sys Address: 0xF774E000 Size: 53248 bytes
Driver: rimsptsk.sys Address: 0xF76FE000 Size: 53248 bytes
Driver: raspptp.sys Address: 0xF776E000 Size: 49152 bytes
Driver: SASKUTIL.sys Address: 0xA4DF9000 Size: 49152 bytes
Driver: imapi.sys Address: 0xF771E000 Size: 45056 bytes
Driver: MountMgr.sys Address: 0xF75EE000 Size: 45056 bytes
Driver: raspppoe.sys Address: 0xF775E000 Size: 45056 bytes
Driver: intelppm.sys Address: 0xF76EE000 Size: 40960 bytes
Driver: NDProxy.SYS Address: 0xF6BD0000 Size: 40960 bytes
Driver: termdd.sys Address: 0xF6C30000 Size: 40960 bytes
Driver: aswTdi.SYS Address: 0xA5EF9000 Size: 36864 bytes
Driver: disk.sys Address: 0xF761E000 Size: 36864 bytes
Driver: Fips.SYS Address: 0xA4DE9000 Size: 36864 bytes
Driver: isapnp.sys Address: 0xF75DE000 Size: 36864 bytes
Driver: msgpc.sys Address: 0xF777E000 Size: 36864 bytes
Driver: netbios.sys Address: 0xA5ED9000 Size: 36864 bytes
Driver: wanarp.sys Address: 0xA5EE9000 Size: 36864 bytes
Driver: Modem.SYS Address: 0xA7087000 Size: 32768 bytes
Driver: Npfs.SYS Address: 0xA5C13000 Size: 32768 bytes
Driver: SiSRaid2.sys Address: 0xF7856000 Size: 32768 bytes
Driver: kbdclass.sys Address: 0xF78F6000 Size: 28672 bytes
Driver: PCIIDEX.SYS Address: 0xF7846000 Size: 28672 bytes
Driver: rimmptsk.sys Address: 0xF78EE000 Size: 28672 bytes
Driver: SASDIFSV.SYS Address: 0xA5C0B000 Size: 28672 bytes
Driver: usbehci.sys Address: 0xF78E6000 Size: 28672 bytes
Driver: Aavmker4.SYS Address: 0xA4F72000 Size: 24576 bytes
Driver: mouclass.sys Address: 0xF78FE000 Size: 24576 bytes
Driver: rkhdrv31.sys Address: 0xF783E000 Size: 24576 bytes
Driver: vga.sys Address: 0xA5C23000 Size: 24576 bytes
Driver: Msfs.SYS Address: 0xA5C1B000 Size: 20480 bytes
Driver: PartMgr.sys Address: 0xF784E000 Size: 20480 bytes
Driver: ptilink.sys Address: 0xF790E000 Size: 20480 bytes
Driver: raspti.sys Address: 0xF7916000 Size: 20480 bytes
Driver: TDI.SYS Address: 0xF7906000 Size: 20480 bytes
Driver: usbuhci.sys Address: 0xF78DE000 Size: 20480 bytes
Driver: watchdog.sys Address: 0xA6B9F000 Size: 20480 bytes
Driver: aswRdr.SYS Address: 0x9DB62000 Size: 16384 bytes
Driver: BATTC.SYS Address: 0xF79D6000 Size: 16384 bytes
Driver: CmBatt.sys Address: 0xF71C7000 Size: 16384 bytes
Driver: mdmxsdk.sys Address: 0x9DD56000 Size: 16384 bytes
Driver: mssmbios.sys Address: 0xF715A000 Size: 16384 bytes
Driver: ndisuio.sys Address: 0xF7A86000 Size: 16384 bytes
Driver: ACPIEC.sys Address: 0xF79DA000 Size: 12288 bytes
Driver: BOOTVID.dll Address: 0xF79CE000 Size: 12288 bytes
Driver: compbatt.sys Address: 0xF79D2000 Size: 12288 bytes
Driver: Dxapi.sys Address: 0x9EDD6000 Size: 12288 bytes
Driver: ndistapi.sys Address: 0xF71B3000 Size: 12288 bytes
Driver: rasacd.sys Address: 0xA70E0000 Size: 12288 bytes
Driver: ws2ifsl.sys Address: 0xA7053000 Size: 12288 bytes
Driver: Beep.SYS Address: 0xF7ACE000 Size: 8192 bytes
Driver: Fs_Rec.SYS Address: 0xF7ACC000 Size: 8192 bytes
Driver: intelide.sys Address: 0xF7AC2000 Size: 8192 bytes
Driver: KDCOM.DLL Address: 0xF7ABE000 Size: 8192 bytes
Driver: mnmdd.SYS Address: 0xF7AD0000 Size: 8192 bytes
Driver: RDPCDD.sys Address: 0xF7AD2000 Size: 8192 bytes
Driver: splitter.sys Address: 0xF7B20000 Size: 8192 bytes
Driver: swenum.sys Address: 0xF7AEA000 Size: 8192 bytes
Driver: USBD.SYS Address: 0xF7AE6000 Size: 8192 bytes
Driver: WMILIB.SYS Address: 0xF7AC0000 Size: 8192 bytes
Driver: audstub.sys Address: 0xF7CA3000 Size: 4096 bytes
Driver: AvgAsCln.sys Address: 0xF7C26000 Size: 4096 bytes
Driver: dxgthk.sys Address: 0x9DF97000 Size: 4096 bytes
Driver: guard.sys Address: 0xF7C43000 Size: 4096 bytes
Driver: Null.SYS Address: 0xF7C25000 Size: 4096 bytes
Driver: OPRGHDLR.SYS Address: 0xF7B87000 Size: 4096 bytes
Driver: pciide.sys Address: 0xF7B86000 Size: 4096 bytes
==============================================
>Files
==============================================
>Hooks
[2016]explorer.exe->kernel32.dll->GetProcAddress, Type: IAT modification at address 0x01001268 hook handler located in [ShimEng.dll]
[2172]Skype.exe->user32.dll->ScrollWindow, Type: IAT modification at address 0x00C0383C hook handler located in [Skype.exe]
[2172]Skype.exe->user32.dll->ScrollWindowEx, Type: IAT modification at address 0x00C03838 hook handler located in [Skype.exe]
Do you think we got it?
Of course I would also very much like help restoring the network connection and re-enabling the firewall when we get that far.
Editor
Number of posts: 6158
That looks really promising [^]. I think the rootkit has been taken out. Now we need to clean up after the things it may have hidden.
But before we do that, try to restore the network connection with LSPfix:
- Download this program on another computer, save it to a USB stick, CD-ROM or similar, and transfer it to the sick computer. Unpack it on the desktop:
http://cexx.org/lspfix.zip
Run LSPfix, tick "I know what I am doing", click "Finish". Restart the computer. The network connection should then be restored.
- Then download Oldtimer's WinPFind3 from here:
http://download.bleepingcomputer.com/oldtimer/winpfind3u.exe
Double-click the WinPFind3u you downloaded and click Extract. The program is then unpacked into a separate folder. Go into that folder and double-click WinPFind3U.exe. Then set the checkboxes and radio buttons as follows:
Processes: Non-Microsoft
Win32 Services: Non-Microsoft
Driver Services: Non-Microsoft
Registry: Non-Microsoft
Files Created Within: 30 Days, Non-Microsoft Only
Files Modified Within: 30 Days, Non-Microsoft Only
File String Search: Non-Microsoft
Then click "Run Scan". After a while a log file will appear, which you are welcome to paste in here. The log may be so long that it does not fit in a single post; in that case, post it in several parts.
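As an added example (not code from this thread, from OldTimer or from WinPFind3), the Python script below parses lines in the WinPFind3 entry format that the scan above produces and flags the kinds of entries a responder reads first: autorun or driver entries that point at a file that no longer exists, binaries with neither a vendor nor a version string that were modified inside the 30-day window the settings ask for, and filenames that imitate a system binary with digits swapped in for letters. The sample lines are copied from the WinPFind3 log posted later in this thread, and the log date is the one in that log's header; the KNOWN_SYSTEM_NAMES list and the flagging thresholds are assumptions of this example.

```python
"""Triage helper for WinPFind3-style log lines.

Added example: not part of WinPFind3 or of this thread. It parses entry
lines of the form

    <name> -> <path> -> <vendor> [Ver = .. | Size = .. | Modified Date = dd-mm-yyyy hh:mm:ss | Attr = ..]
    <name> -> <path> -> File not found

and flags the entries a responder looks at first.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Iterable, List, Optional

# Assumed list of well-known binary names that a lookalike filename would imitate.
KNOWN_SYSTEM_NAMES = {"iexplore.exe", "explorer.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}

ARROW = re.compile(r" ?-> ?")                      # field separator; tolerates "-> ->"
TAIL = re.compile(r"^(?P<vendor>.*?)\s*\[(?P<attrs>.*)\]\s*$")
SERVICE = re.compile(r"^\((?P<svc>[^)]+)\)")       # "(wsfit32) wsfit32 [Kernel | ...]"


@dataclass
class Entry:
    name: str
    path: str
    vendor: str = ""
    version: str = ""
    modified: Optional[datetime] = None
    missing: bool = False
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an entry line, or None for headers and section titles."""
    parts = ARROW.split(line.strip())
    if len(parts) < 3:
        return None
    name, path, tail = parts[0], parts[1], parts[-1]
    svc = SERVICE.match(name)
    entry = Entry(name=svc.group("svc") if svc else name, path=path)
    if tail == "File not found":
        entry.missing = True
        return entry
    m = TAIL.match(tail)
    if not m:
        return entry                               # e.g. "IMAIL -> Installed = 1 ->"
    entry.vendor = m.group("vendor").strip()
    for item in m.group("attrs").split(" | "):
        key, _, value = item.partition("=")
        key, value = key.strip(), value.strip()
        if key == "Ver":
            entry.version = value
        elif key == "Modified Date" and value:
            entry.modified = datetime.strptime(value, "%d-%m-%Y %H:%M:%S")
    return entry


def lookalike_of(path: str) -> Optional[str]:
    """Name of the system binary this filename imitates by swapping 0/1 for o/l, else None."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    normalised = base.replace("0", "o").replace("1", "l")
    if normalised in KNOWN_SYSTEM_NAMES and normalised != base:
        return normalised
    return None


def triage(lines: Iterable[str], log_date: datetime, recent_days: int = 30) -> List[Entry]:
    """Return the entries that deserve a closer look, with the reason(s) in .flags."""
    cutoff = log_date - timedelta(days=recent_days)
    suspicious = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        # A Run key or driver pointing at a file that is gone: a leftover of a removal, or a
        # loader whose payload was deleted. Stock XP "-> -> File not found" drivers carry no
        # path at all and are skipped.
        if e.missing and e.path:
            e.flags.append("points at a file that no longer exists")
        # No vendor and no version resource, and modified inside the scan window.
        if not e.missing and not e.vendor and not e.version and e.modified and e.modified >= cutoff:
            e.flags.append("no vendor/version info and modified within %d days" % recent_days)
        target = lookalike_of(e.path)
        if target:
            e.flags.append("filename imitates %s with digits swapped in" % target)
        if e.flags:
            suspicious.append(e)
    return suspicious


# Sample lines copied from the WinPFind3 log posted later in this thread; the log date is
# the one in that log's header.
SAMPLE_LOG_DATE = datetime(2007, 3, 1, 22, 3, 17)
SAMPLE_LINES = [
    r"Acrobat Assistant 7.0 -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe -> Adobe Systems Inc. [Ver = 7.0.7.2006011200 | Size = 483328 bytes | Modified Date = 12-01-2006 19:52:32 | Attr = ]",
    r"avast! -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> [Ver = 4, 7, 936, 0 | Size = 108160 bytes | Modified Date = 15-01-2007 18:28:58 | Attr = ]",
    r"WinStar -> %SystemRoot%\IEXPL0RE.exe -> File not found",
    r"(Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped] -> -> File not found",
    r"(wsfit32) wsfit32 [File_System | Boot | Stopped] -> %System32%\drivers\wsfit32.sys -> [Ver = | Size = 29184 bytes | Modified Date = 28-02-2007 16:59:50 | Attr = ]",
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_LINES, SAMPLE_LOG_DATE):
        print(entry.name, "->", entry.path)
        for reason in entry.flags:
            print("   ", reason)
```

On the sample lines the script reports the WinStar entry (missing file and an IEXPLORE lookalike name) and the wsfit32 driver (no vendor or version, modified the day before the scan), and ignores the Abiosdsk phantom driver and the vendor-less but versioned avast! entry. The rules are deliberately coarse: they rank what to read first, and every hit still needs the responder's judgement.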
Good to hear that there is progress [:D]! It still isn't quite right, though: during startup an error box from skype.exe appears with the message:
Programmet eller DLL’en C:\WINDOWS\System32\aelupsvc32.dll er ikke et gyldigt Windows-billede. Kontroller dette med din installationsdiskette.
Skype is indeed set to start together with the machine, but that clearly isn't going well.
LSPFix reports "No problems found", but aelupsvc32.dll is still in the list in the left column. If I'm not much mistaken, this file was part of the infection? When I click Finish, LSPFix reports "No changes necessary." But the network connection is not back after the restart.
Here is the requested log from WinPFind3u:
WinPFind3 logfile created on: 01-03-2007 22:03:17
WinPFind3U by OldTimer - Version 1.0.19 Folder = C:\Documents and Settings\Shaola\Skrivebord\Spywarefri\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)
1038444 Kb Total Physical Memory | 706056 Kb Available Physical Memory | 67,99% Memory free
2498768 Kb Paging File | 2227480 Kb Available in Paging File | 89,14% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048;
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programmer
Drive C: | 78148160 Kb Total Space | 63811860 Kb Free Space | 81,65% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
[Processes - Non-Microsoft Only]
acrobat_sl.exe -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 32256 bytes | Modified Date = 24-09-2005 07:05:38 | Attr = ]
acrotray.exe -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe -> Adobe Systems Inc. [Ver = 7.0.7.2006011200 | Size = 483328 bytes | Modified Date = 12-01-2006 19:52:32 | Attr = ]
ashdisp.exe -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> [Ver = 4, 7, 936, 0 | Size = 108160 bytes | Modified Date = 15-01-2007 18:28:58 | Attr = ]
ashmaisv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 936, 0 | Size = 255616 bytes | Modified Date = 15-01-2007 18:28:32 | Attr = ]
ashserv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> [Ver = 4, 7, 936, 0 | Size = 132736 bytes | Modified Date = 15-01-2007 18:28:52 | Attr = ]
aswupdsv.exe -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> [Ver = | Size = 59008 bytes | Modified Date = 05-08-2006 16:10:10 | Attr = ]
avgas.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 6266880 bytes | Modified Date = 28-09-2006 15:13:50 | Attr = ]
guard.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 204800 bytes | Modified Date = 28-09-2006 15:13:20 | Attr = ]
hkcmd.exe -> %System32%\hkcmd.exe -> Intel Corporation [Ver = 3.0.0.4497 | Size = 77824 bytes | Modified Date = 07-02-2006 08:36:06 | Attr = ]
hpqgalry.exe -> %ProgramFiles%\HP\Digital Imaging\bin\hpqgalry.exe -> Hewlett-Packard Co. [Ver = 045.004.157.000 | Size = 425984 bytes | Modified Date = 04-11-2004 18:36:46 | Attr = ]
hpqtra08.exe -> %ProgramFiles%\HP\Digital Imaging\bin\hpqtra08.exe -> Hewlett-Packard Co. [Ver = 45.4.157.000 | Size = 258048 bytes | Modified Date = 04-11-2004 18:28:24 | Attr = ]
hpwuschd2.exe -> %ProgramFiles%\HP\HP Software Update\HPWuSchd2.exe -> Hewlett-Packard Company [Ver = 5, 0, 0, 0 | Size = 49152 bytes | Modified Date = 13-09-2004 14:49:00 | Attr = ]
igfxpers.exe -> %System32%\igfxpers.exe -> Intel Corporation [Ver = 3.0.0.4497 | Size = 118784 bytes | Modified Date = 07-02-2006 08:40:02 | Attr = ]
reader_sl.exe -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Modified Date = 23-09-2005 21:05:26 | Attr = ]
syntpenh.exe -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe -> Synaptics, Inc. [Ver = 8.2.12 13Jan06 | Size = 761946 bytes | Modified Date = 13-01-2006 16:33:38 | Attr = ]
versioncuecs2tray.exe -> %ProgramFiles%\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe -> Adobe Sytems Incorporated [Ver = 2, 0, 0, 0 | Size = 856064 bytes | Modified Date = 06-04-2005 15:53:04 | Attr = ]
wincinemamgr.exe -> %ProgramFiles%\InterVideo\Common\Bin\WinCinemaMgr.exe -> InterVideo Inc. [Ver = IVI_MAJOR_VERSION.IVI_MINOR_VERSION | Size = 278528 bytes | Modified Date = 06-02-2006 10:41:00 | Attr = ]
winpfind3u.exe -> %UserDesktop%\Spywarefri\WinPFind3u\WinPFind3U.exe -> Oldtimer Tools [Ver = 1.0.19.0 | Size = 310784 bytes | Modified Date = 25-02-2007 19:40:22 | Attr = ]
[Win32 Services - Non-Microsoft Only]
(Adobe LM Service) Adobe LM Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Adobe Systems Shared\Service\Adobelmsvc.exe -> Adobe Systems [Ver = 2.67.010 | Size = 72704 bytes | Modified Date = 10-06-2006 06:17:00 | Attr = ]
(Adobe Version Cue CS2) Adobe Version Cue CS2 [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe -> Adobe Systems Incorporated [Ver = 2, 0, 0, 0 | Size = 163840 bytes | Modified Date = 06-04-2005 15:53:02 | Attr = ]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> [Ver = | Size = 59008 bytes | Modified Date = 05-08-2006 16:10:10 | Attr = ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> [Ver = 4, 7, 936, 0 | Size = 132736 bytes | Modified Date = 15-01-2007 18:28:52 | Attr = ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 936, 0 | Size = 255616 bytes | Modified Date = 15-01-2007 18:28:32 | Attr = ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 936, 0 | Size = 370304 bytes | Modified Date = 15-01-2007 18:27:52 | Attr = ]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 204800 bytes | Modified Date = 28-09-2006 15:13:20 | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 225280 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | Auto | Stopped] -> %System32%\HPZipm12.exe -> HP [Ver = 9, 0, 0, 0 | Size = 69632 bytes | Modified Date = 29-09-2004 11:14:36 | Attr = ]
[Driver Services - Non-Microsoft Only]
(Aavmker4) avast! Asynchronous Virus Monitor [Kernel | System | Running] -> %System32%\drivers\aavmker4.sys -> ALWIL Software [Ver = 4.7.892.0 | Size = 31560 bytes | Modified Date = 21-12-2006 00:51:58 | Attr = ]
(Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped] -> -> File not found
(abp480n5) abp480n5 [Kernel | Disabled | Stopped] -> -> File not found
(adpu160m) adpu160m [Kernel | Disabled | Stopped] -> -> File not found
(Aha154x) Aha154x [Kernel | Disabled | Stopped] -> -> File not found
(aic78u2) aic78u2 [Kernel | Disabled | Stopped] -> -> File not found
(aic78xx) aic78xx [Kernel | Disabled | Stopped] -> -> File not found
(AliIde) AliIde [Kernel | Disabled | Stopped] -> -> File not found
(amsint) amsint [Kernel | Disabled | Stopped] -> -> File not found
(asc) asc [Kernel | Disabled | Stopped] -> -> File not found
(asc3350p) asc3350p [Kernel | Disabled | Stopped] -> -> File not found
(asc3550) asc3550 [Kernel | Disabled | Stopped] -> -> File not found
(aswMon2) avast! Standard Shield Support [File_System | Auto | Running] -> %System32%\drivers\aswmon2.sys -> ALWIL Software [Ver = 4.7.892.0 | Size = 94424 bytes | Modified Date = 21-12-2006 00:56:00 | Attr = ]
(aswRdr) aswRdr [Kernel | On_Demand | Running] -> %System32%\drivers\aswRdr.sys -> ALWIL Software [Ver = 4.7.936.0 | Size = 23352 bytes | Modified Date = 15-01-2007 18:26:08 | Attr = ]
(aswTdi) avast! Network Shield Support [Kernel | System | Running] -> %System32%\drivers\aswTdi.sys -> ALWIL Software [Ver = 4.7.936.0 | Size = 43176 bytes | Modified Date = 15-01-2007 18:25:24 | Attr = ]
(Atdisk) Atdisk [Kernel | Disabled | Stopped] -> -> File not found
(AVG Anti-Spyware Driver) AVG Anti-Spyware Driver [Kernel | System | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.sys -> [Ver = | Size = 4096 bytes | Modified Date = 28-09-2006 15:13:34 | Attr = ]
(AvgAsCln) AVG Anti-Spyware Clean Driver [Kernel | System | Running] -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Modified Date = 05-09-2006 17:03:16 | Attr = ]
(cd20xrnt) cd20xrnt [Kernel | Disabled | Stopped] -> -> File not found
(Changer) Changer [Kernel | System | Stopped] -> -> File not found
(CmdIde) CmdIde [Kernel | Disabled | Stopped] -> -> File not found
(Cpqarray) Cpqarray [Kernel | Disabled | Stopped] -> -> File not found
(dac960nt) dac960nt [Kernel | Disabled | Stopped] -> -> File not found
(dmboot) dmboot [Kernel | Disabled | Stopped] -> %System32%\drivers\dmboot.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 800000 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
(dmio) dmio [Kernel | Disabled | Stopped] -> %System32%\drivers\dmio.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 153600 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
(dmload) dmload [Kernel | Disabled | Stopped] -> %System32%\drivers\dmload.sys -> Microsoft Corp., Veritas Software. [Ver = 2600.0.503.0 | Size = 5888 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
(dpti2o) dpti2o [Kernel | Disabled | Stopped] -> -> File not found
(E100B) Intel(R) PRO Network Connection Driver [Kernel | On_Demand | Running] -> %System32%\drivers\e100b325.sys -> Intel Corporation [Ver = 8.0.19.0 built by: WinDDK | Size = 157696 bytes | Modified Date = 26-07-2005 04:26:52 | Attr = ]
(HdAudAddService) Microsoft UAA Function Driver for High Definition Audio Service [Kernel | On_Demand | Running] -> %System32%\drivers\CHDAud.sys -> Conexant Systems Inc. [Ver = 3.12.0.0 built by: WinDDK | Size = 561664 bytes | Modified Date = 05-01-2006 10:30:42 | Attr = ]
(HDAudBus) Microsoft UAA-busdriver til High Definition Audio [Kernel | On_Demand | Running] -> %System32%\drivers\Hdaudbus.sys -> Windows (R) Server 2003 DDK provider [Ver = 5.10.01.5013 built by: WinDDK | Size = 138752 bytes | Modified Date = 07-01-2005 16:07:18 | Attr = ]
(hpn) hpn [Kernel | Disabled | Stopped] -> -> File not found
(HPZid412) IEEE-1284.4 Driver HPZid412 [Kernel | On_Demand | Stopped] -> %System32%\drivers\HPZid412.sys -> HP [Ver = 9, 0, 0, 0 | Size = 51120 bytes | Modified Date = 14-12-2004 18:35:42 | Attr = R ]
(HPZipr12) Print Class Driver for IEEE-1284.4 HPZipr12 [Kernel | On_Demand | Stopped] -> %System32%\drivers\HPZipr12.sys -> HP [Ver = 9, 0, 0, 0 | Size = 16496 bytes | Modified Date = 14-12-2004 18:35:42 | Attr = R ]
(HPZius12) USB to IEEE-1284.4 Translation Driver HPZius12 [Kernel | On_Demand | Stopped] -> %System32%\drivers\HPZius12.sys -> HP [Ver = 9, 0, 0, 0 | Size = 21744 bytes | Modified Date = 14-12-2004 18:35:42 | Attr = R ]
(HSF_DPV) HSF_DPV [Kernel | On_Demand | Running] -> %System32%\drivers\HSX_DPV.sys -> Conexant Systems, Inc. [Ver = 7.41.00 built by: WinDDK | Size = 935424 bytes | Modified Date = 11-01-2006 16:13:00 | Attr = ]
(HSXHWAZL) HSXHWAZL [Kernel | On_Demand | Running] -> %System32%\drivers\HSXHWAZL.sys -> Conexant Systems, Inc. [Ver = 7.41.00 built by: WinDDK | Size = 194048 bytes | Modified Date = 11-01-2006 16:12:00 | Attr = ]
(i2omgmt) i2omgmt [Kernel | System | Stopped] -> -> File not found
(i2omp) i2omp [Kernel | Disabled | Stopped] -> -> File not found
(ialm) ialm [Kernel | On_Demand | Running] -> %System32%\drivers\ialmnt5.sys -> Intel Corporation [Ver = 6.14.10.4497 | Size = 1399615 bytes | Modified Date = 07-02-2006 09:04:34 | Attr = ]
(iaStor) Intel AHCI Controller [Kernel | Boot | Running] -> %System32%\drivers\iaStor.sys -> Intel Corporation [Ver = 5.5.0.1035 | Size = 874240 bytes | Modified Date = 12-10-2005 12:07:12 | Attr = ]
(ini910u) ini910u [Kernel | Disabled | Stopped] -> -> File not found
(lbrtfdc) lbrtfdc [Kernel | System | Stopped] -> -> File not found
(mdmxsdk) mdmxsdk [Kernel | Auto | Running] -> %System32%\drivers\mdmxsdk.sys -> Conexant [Ver = 1.0.2.010 | Size = 12544 bytes | Modified Date = 05-10-2005 16:57:00 | Attr = ]
(mraid35x) mraid35x [Kernel | Disabled | Stopped] -> -> File not found
(nvatabus) nvatabus [Kernel | Boot | Running] -> %System32%\drivers\nvatabus.sys -> NVIDIA Corporation [Ver = 5.10.2600.0552 built by: WinDDK | Size = 93568 bytes | Modified Date = 18-08-2005 16:52:06 | Attr = ]
(nvraid) nvraid [Kernel | Boot | Running] -> %System32%\drivers\nvraid.sys -> NVIDIA Corporation [Ver = 5.10.2600.0552 built by: WinDDK | Size = 77056 bytes | Modified Date = 18-08-2005 16:52:08 | Attr = ]
(PCIDump) PCIDump [Kernel | System | Stopped] -> -> File not found
(PDCOMP) PDCOMP [Kernel | On_Demand | Stopped] -> -> File not found
(PDFRAME) PDFRAME [Kernel | On_Demand | Stopped] -> -> File not found
(PDRELI) PDRELI [Kernel | On_Demand | Stopped] -> -> File not found
(PDRFRAME) PDRFRAME [Kernel | On_Demand | Stopped] -> -> File not found
(perc2) perc2 [Kernel | Disabled | Stopped] -> -> File not found
(perc2hib) perc2hib [Kernel | Disabled | Stopped] -> -> File not found
(Ptilink) Driver til direkte, parallel forbindelse [Kernel | On_Demand | Running] -> %System32%\drivers\ptilink.sys -> Parallel Technologies, Inc. [Ver = 1.10 (XPClient.010817-1148) | Size = 17792 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
(ql1080) ql1080 [Kernel | Disabled | Stopped] -> -> File not found
(Ql10wnt) Ql10wnt [Kernel | Disabled | Stopped] -> -> File not found
(ql12160) ql12160 [Kernel | Disabled | Stopped] -> -> File not found
(ql1240) ql1240 [Kernel | Disabled | Stopped] -> -> File not found
(ql1280) ql1280 [Kernel | Disabled | Stopped] -> -> File not found
(rimmptsk) rimmptsk [Kernel | On_Demand | Running] -> %System32%\drivers\rimmptsk.sys -> REDC [Ver = 1.0.0.8 | Size = 28672 bytes | Modified Date = 17-09-2005 11:01:50 | Attr = ]
(rimsptsk) rimsptsk [Kernel | On_Demand | Running] -> %System32%\drivers\rimsptsk.sys -> REDC [Ver = 1.00.02.02 | Size = 50560 bytes | Modified Date = 14-09-2005 12:45:24 | Attr = ]
(rismxdp) Ricoh xD-Picture Card Driver [Kernel | On_Demand | Running] -> %System32%\drivers\rixdptsk.sys -> REDC [Ver = 1.00.02.07 | Size = 310016 bytes | Modified Date = 30-09-2005 10:34:10 | Attr = ]
(rkhdrv31) Rootkit Unhooker Driver [Kernel | Boot | Running] -> %System32%\drivers\rkhdrv31.sys -> [Ver = 3, 2, 120, 0 | Size = 24448 bytes | Modified Date = 01-03-2007 17:46:04 | Attr = H ]
(SASDIFSV) SASDIFSV [Kernel | System | Running] -> %ProgramFiles%\SUPERAntiSpyware\sasdifsv.sys -> [Ver = 1, 0, 0, 1006 | Size = 5632 bytes | Modified Date = 10-10-2006 12:53:48 | Attr = ]
(SASENUM) SASENUM [Kernel | On_Demand | Stopped] -> %ProgramFiles%\SUPERAntiSpyware\SASENUM.SYS -> SuperAdBlocker, Inc. [Ver = 1, 0, 0, 1002 | Size = 4096 bytes | Modified Date = 16-02-2006 16:51:08 | Attr = R ]
(SASKUTIL) SASKUTIL [Kernel | System | Running] -> %ProgramFiles%\SUPERAntiSpyware\SASKUTIL.SYS -> [Ver = 1, 0, 0, 1034 | Size = 30720 bytes | Modified Date = 09-01-2007 14:09:48 | Attr = ]
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %System32%\drivers\secdrv.sys -> [Ver = | Size = 27440 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
(Simbad) Simbad [Kernel | Disabled | Stopped] -> -> File not found
(SiSRaid2) SiSRaid2 [Kernel | Boot | Running] -> %System32%\drivers\SiSRaid2.sys -> Silicon Integrated Systems Corp [Ver = 2.03.00 | Size = 30976 bytes | Modified Date = 11-01-2005 16:58:48 | Attr = ]
(Sparrow) Sparrow [Kernel | Disabled | Stopped] -> -> File not found
(symc810) symc810 [Kernel | Disabled | Stopped] -> -> File not found
(symc8xx) symc8xx [Kernel | Disabled | Stopped] -> -> File not found
(sym_hi) sym_hi [Kernel | Disabled | Stopped] -> -> File not found
(sym_u3) sym_u3 [Kernel | Disabled | Stopped] -> -> File not found
(SynTP) Synaptics TouchPad Driver [Kernel | On_Demand | Running] -> %System32%\drivers\SynTP.sys -> Synaptics, Inc. [Ver = 8.2.12 13Jan06 | Size = 191936 bytes | Modified Date = 13-01-2006 16:12:18 | Attr = ]
(TosIde) TosIde [Kernel | Disabled | Stopped] -> -> File not found
(ultra) ultra [Kernel | Disabled | Stopped] -> -> File not found
(ViaIde) ViaIde [Kernel | Disabled | Stopped] -> -> File not found
(viamraid) viamraid [Kernel | Boot | Running] -> %System32%\drivers\viamraid.sys -> VIA Technologies inc,.ltd [Ver = 5.1.2600.520 | Size = 92672 bytes | Modified Date = 23-11-2005 10:12:12 | Attr = ]
(w39n51) Intel(R) PRO/Wireless 3945ABG Adapter Driver [Kernel | On_Demand | Running] -> %System32%\drivers\w39n51.sys -> Intel® Corporation [Ver = 10010-13 Driver | Size = 1428096 bytes | Modified Date = 05-12-2005 00:55:30 | Attr = ]
(WDICA) WDICA [Kernel | On_Demand | Stopped] -> -> File not found
(winachsf) winachsf [Kernel | On_Demand | Running] -> %System32%\drivers\HSX_CNXT.sys -> Conexant Systems, Inc. [Ver = 7.41.00 built by: WinDDK | Size = 671232 bytes | Modified Date = 11-01-2006 16:12:00 | Attr = ]
(wsfit32) wsfit32 [File_System | Boot | Stopped] -> %System32%\drivers\wsfit32.sys -> [Ver = | Size = 29184 bytes | Modified Date = 28-02-2007 16:59:50 | Attr = ]
[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
-> -> File not found
!AVG Anti-Spyware -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 6266880 bytes | Modified Date = 28-09-2006 15:13:50 | Attr = ]
Acrobat Assistant 7.0 -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe -> Adobe Systems Inc. [Ver = 7.0.7.2006011200 | Size = 483328 bytes | Modified Date = 12-01-2006 19:52:32 | Attr = ]
Adobe Version Cue CS2 -> %ProgramFiles%\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe -> Adobe Sytems Incorporated [Ver = 2, 0, 0, 0 | Size = 856064 bytes | Modified Date = 06-04-2005 15:53:04 | Attr = ]
avast! -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> [Ver = 4, 7, 936, 0 | Size = 108160 bytes | Modified Date = 15-01-2007 18:28:58 | Attr = ]
High Definition Audio Property Page Shortcut -> %System32%\CHDAudPropShortcut.exe -> Windows (R) Server 2003 DDK provider [Ver = 5.10.00.5010 built by: WinDDK | Size = 61952 bytes | Modified Date = 05-01-2006 10:30:58 | Attr = ]
HP Software Update -> %ProgramFiles%\HP\HP Software Update\HPWuSchd2.exe -> Hewlett-Packard Company [Ver = 5, 0, 0, 0 | Size = 49152 bytes | Modified Date = 13-09-2004 14:49:00 | Attr = ]
igfxhkcmd -> %System32%\hkcmd.exe -> Intel Corporation [Ver = 3.0.0.4497 | Size = 77824 bytes | Modified Date = 07-02-2006 08:36:06 | Attr = ]
igfxpers -> %System32%\igfxpers.exe -> Intel Corporation [Ver = 3.0.0.4497 | Size = 118784 bytes | Modified Date = 07-02-2006 08:40:02 | Attr = ]
igfxtray -> %System32%\igfxtray.exe -> Intel Corporation [Ver = 3.0.0.4497 | Size = 94208 bytes | Modified Date = 07-02-2006 08:39:20 | Attr = ]
MSPY2002 -> %System32%\IME\PINTLGNT\IMSCINST.EXE -> [Ver = | Size = 59392 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
NeroFilterCheck -> %System32%\NeroCheck.exe -> Ahead Software Gmbh [Ver = 1, 0, 0, 2 | Size = 155648 bytes | Modified Date = 09-07-2001 09:50:42 | Attr = ]
SynTPEnh -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe -> Synaptics, Inc. [Ver = 8.2.12 13Jan06 | Size = 761946 bytes | Modified Date = 13-01-2006 16:33:38 | Attr = ]
WinStar -> %SystemRoot%\IEXPL0RE.exe -> File not found
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Skype -> %ProgramFiles%\Skype\Phone\Skype.exe -> [Ver = | Size = 20058152 bytes | Modified Date = 13-10-2006 17:20:08 | Attr = ]
swg -> %ProgramFiles%\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe -> File not found
< Common Startup > -> C:\Documents and Settings\All Users\Menuen Start\Programmer\Start
%AllUsersStartup%\Adobe Acrobat Hurtigstart.lnk -> %SystemRoot%\Installer\{AC76BA86-1030-D700-7760-000000000002}\SC_Acrobat.exe -> [Ver = | Size = 25214 bytes | Modified Date = 02-09-2006 15:32:38 | Attr = R ]
%AllUsersStartup%\Adobe Gamma.lnk -> %CommonProgramFiles%\Adobe\Calibration\Adobe Gamma Loader.exe -> Adobe Systems, Inc. [Ver = 1, 0, 0, 1 | Size = 113664 bytes | Modified Date = 16-03-2005 19:16:50 | Attr = ]
%AllUsersStartup%\Adobe Reader Hurtigstart.lnk -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Modified Date = 23-09-2005 21:05:26 | Attr = ]
%AllUsersStartup%\HP Digital Imaging Monitor.lnk -> %ProgramFiles%\HP\Digital Imaging\bin\hpqtra08.exe -> Hewlett-Packard Co. [Ver = 45.4.157.000 | Size = 258048 bytes | Modified Date = 04-11-2004 18:28:24 | Attr = ]
%AllUsersStartup%\HP Image Zone Hurtig start.lnk -> %ProgramFiles%\HP\Digital Imaging\bin\hpqthb08.exe -> Hewlett-Packard Co. [Ver = 045.004.157.000 | Size = 53248 bytes | Modified Date = 04-11-2004 18:50:52 | Attr = ]
%AllUsersStartup%\InterVideo WinCinema Manager.lnk -> %ProgramFiles%\InterVideo\Common\Bin\WinCinemaMgr.exe -> InterVideo Inc. [Ver = IVI_MAJOR_VERSION.IVI_MINOR_VERSION | Size = 278528 bytes | Modified Date = 06-02-2006 10:41:00 | Attr = ]
< File Associations > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\
.bat [@ = batfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.cmd [@ = cmdfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.com [@ = comfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb} ->
.cpl [@ = cplfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb} ->
.exe [@ = exefile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb} ->
.hta [@ = htafile] -> PersistentHandler = Reg Data - Key not found ->
.html [@ = htmlfile] -> PersistentHandler = {eec97550-47a9-11cf-b952-00aa0051fe20} ->
.inf [@ = inffile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.ini [@ = inifile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.url [@ = InternetShortcut] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.js [@ = JSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.jse [@ = JSEFile] -> PersistentHandler = Reg Data - Key not found ->
.pif [@ = piffile] -> PersistentHandler = Reg Data - Key not found ->
.reg [@ = regfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.scr [@ = scrfile] -> PersistentHandler = Reg Data - Key not found ->
.txt [@ = txtfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.vbe [@ = VBEFile] -> PersistentHandler = Reg Data - Key not found ->
.vbs [@ = VBSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.wsf [@ = WSFFile] -> PersistentHandler = Reg Data - Key not found ->
.wsh [@ = WSHFile] -> PersistentHandler = Reg Data - Key not found ->
< Registry Shell Spawning > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command
batfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
batfile [open] -> "%1" %* ->
batfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
cmdfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
cmdfile [open] -> "%1" %* ->
cmdfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
comfile [open] -> "%1" %* ->
cplfile [cplopen] -> rundll32.exe shell32.dll,Control_RunDLL "%1",%* -> Microsoft Corporation [Ver = 6.00.2900.3051 (xpsp_sp2_gdr.061219-0316) | Size = 8465408 bytes | Modified Date = 19-12-2006 22:50:34 | Attr = ]
exefile [open] -> "%1" %* ->
htafile [open] -> %System32%\mshta.exe "%1" %* -> Microsoft Corporation [Ver = 7.00.5730.11 (winmain(wmbla).061017-1135) | Size = 45568 bytes | Modified Date = 17-10-2006 11:56:10 | Attr = ]
htmlfile [edit] -> "%ProgramFiles%\Microsoft Office\OFFICE11\msohtmed.exe" %1 -> Microsoft Corporation [Ver = 11.0.5510 | Size = 55360 bytes | Modified Date = 15-07-2003 04:52:56 | Attr = ]
htmlfile [open] -> "%ProgramFiles%\Internet Explorer\IEXPLORE.EXE" -nohome -> Microsoft Corporation [Ver = 7.00.6000.16414 (vista_gdr.070108-1520) | Size = 623616 bytes | Modified Date = 08-01-2007 18:08:42 | Attr = ]
htmlfile [opennew] -> "%ProgramFiles%\Internet Explorer\IEXPLORE.EXE" %1 -> Microsoft Corporation [Ver = 7.00.6000.16414 (vista_gdr.070108-1520) | Size = 623616 bytes | Modified Date = 08-01-2007 18:08:42 | Attr = ]
htmlfile [print] -> "%ProgramFiles%\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 -> Microsoft Corporation [Ver = 11.0.5510 | Size = 55360 bytes | Modified Date = 15-07-2003 04:52:56 | Attr = ]
http [open] -> "%ProgramFiles%\Internet Explorer\IEXPLORE.EXE" -nohome -> Microsoft Corporation [Ver = 7.00.6000.16414 (vista_gdr.070108-1520) | Size = 623616 bytes | Modified Date = 08-01-2007 18:08:42 | Attr = ]
https [open] -> "%ProgramFiles%\Internet Explorer\IEXPLORE.EXE" -nohome -> Microsoft Corporation [Ver = 7.00.6000.16414 (vista_gdr.070108-1520) | Size = 623616 bytes | Modified Date = 08-01-2007 18:08:42 | Attr = ]
inffile [install] -> %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 33280 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
inffile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
inffile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
inifile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
inifile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
InternetShortcut [open] -> rundll32.exe ieframe.dll,OpenURL %l -> Microsoft Corporation [Ver = 7.00.6000.16414 (vista_gdr.070108-1520) | Size = 6054400 bytes | Modified Date = 12-01-2007 09:27:42 | Attr = ]
InternetShortcut [print] -> rundll32.exe %System32%\mshtml.dll,PrintHTML "%1" -> Microsoft Corporation [Ver = 7.00.6000.16414 (vista_gdr.070108-1520) | Size = 3580416 bytes | Modified Date = 12-01-2007 09:27:42 | Attr = ]
jsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
jsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* -> Microsoft Corporation [Ver = 5.6.0.8515 | Size = 110592 bytes | Modified Date = 14-01-2003 11:15:58 | Attr = ]
jsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
jsefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
jsefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* -> Microsoft Corporation [Ver = 5.6.0.8515 | Size = 110592 bytes | Modified Date = 14-01-2003 11:15:58 | Attr = ]
jsefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
piffile [open] -> "%1" %* ->
regfile [edit] -> %SystemRoot%\system32\NOTEPAD.EXE %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
regfile [open] -> regedit.exe “%1” -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 150528 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
regfile [merge] -> Reg Data - Key not found ->
regfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
scrfile [config] -> "%1" ->
scrfile [install] -> rundll32.exe desk.cpl,InstallScreenSaver %l -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 136192 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
scrfile [open] -> "%1" /S ->
txtfile [edit] -> Reg Data - Key not found ->
txtfile [open] -> %SystemRoot%\system32\NOTEPAD.EXE %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
txtfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
txtfile [printto] -> %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
vbefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
vbefile [open] -> %SystemRoot%\System32\WScript.exe “%1” %* -> Microsoft Corporation [Ver = 5.6.0.8515 | Size = 110592 bytes | Modified Date = 14-01-2003 11:15:58 | Attr = ]
vbefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
vbsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
vbsfile [open] -> %SystemRoot%\System32\WScript.exe “%1” %* -> Microsoft Corporation [Ver = 5.6.0.8515 | Size = 110592 bytes | Modified Date = 14-01-2003 11:15:58 | Attr = ]
vbsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
wsffile [edit] -> %SystemRoot%\System32\Notepad.exe %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
wsffile [open] -> %SystemRoot%\System32\WScript.exe “%1” %* -> Microsoft Corporation [Ver = 5.6.0.8515 | Size = 110592 bytes | Modified Date = 14-01-2003 11:15:58 | Attr = ]
wsffile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
wshfile [open] -> %SystemRoot%\System32\WScript.exe “%1” %* -> Microsoft Corporation [Ver = 5.6.0.8515 | Size = 110592 bytes | Modified Date = 14-01-2003 11:15:58 | Attr = ]
Unknown [openas] -> %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 -> Microsoft Corporation [Ver = 6.00.2900.3051 (xpsp_sp2_gdr.061219-0316) | Size = 8465408 bytes | Modified Date = 19-12-2006 22:50:34 | Attr = ]
Directory [find] -> %SystemRoot%\Explorer.exe -> Microsoft Corporation [Ver = 6.00.2900.2649 (xpsp.050406-1732) | Size = 1033216 bytes | Modified Date = 07-04-2005 19:48:22 | Attr = ]
Folder [open] -> %SystemRoot%\Explorer.exe /idlist,%I,%L -> Microsoft Corporation [Ver = 6.00.2900.2649 (xpsp.050406-1732) | Size = 1033216 bytes | Modified Date = 07-04-2005 19:48:22 | Attr = ]
Folder [explore] -> %SystemRoot%\Explorer.exe /e,/idlist,%I,%L -> Microsoft Corporation [Ver = 6.00.2900.2649 (xpsp.050406-1732) | Size = 1033216 bytes | Modified Date = 07-04-2005 19:48:22 | Attr = ]
Drive [find] -> %SystemRoot%\Explorer.exe -> Microsoft Corporation [Ver = 6.00.2900.2649 (xpsp.050406-1732) | Size = 1033216 bytes | Modified Date = 07-04-2005 19:48:22 | Attr = ]
Applications\iexplore.exe [open] -> “%ProgramFiles%\Internet Explorer\IEXPLORE.EXE” %1 -> Microsoft Corporation [Ver = 7.00.6000.16414 (vista_gdr.070108-1520) | Size = 623616 bytes | Modified Date = 08-01-2007 18:08:42 | Attr = ]
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -> “%ProgramFiles%\Internet Explorer\iexplore.exe” -> Microsoft Corporation [Ver = 7.00.6000.16414 (vista_gdr.070108-1520) | Size = 623616 bytes | Modified Date = 08-01-2007 18:08:42 | Attr = ]
< ActiveX StubPath [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\
{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} -> ->
{22d6f312-b0f6-11d0-94ab-0080c74c7e95} -> ->
{2C7339CF-2B09-4501-B3F3-F3508C9228ED} -> %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll ->
{44BBA840-CC51-11CF-AAFA-00AA00B6015C} -> “%ProgramFiles%\Outlook Express\setup50.exe” /APP:OE /CALLER:WINNT /user /install ->
{44BBA842-CC51-11CF-AAFA-00AA00B6015B} -> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT ->
{6BF52A52-394A-11d3-B153-00C04F79FAA6} -> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub ->
{73FA19D0-2D75-11D2-995D-00C04F98BBC9} -> ->
{7790769C-0471-11d2-AF11-00C04FA35D02} -> “%ProgramFiles%\Outlook Express\setup50.exe” /APP:WAB /CALLER:WINNT /user /install ->
{89820200-ECBD-11cf-8B85-00AA005B4340} -> regsvr32.exe /s /n /i:U shell32.dll ->
{89820200-ECBD-11cf-8B85-00AA005B4383} -> C:\WINDOWS\system32\ie4uinit.exe -BaseSettings ->
{89B4C1CD-B018-4511-B0A1-5476DBF70820} -> C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install ->
{8b15971b-5355-4c82-8c07-7e181ea07608} -> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser ->
{94de52c8-2d59-4f1b-883e-79663d2d9a8c} -> ->
<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} -> C:\WINDOWS\system32\ieudinit.exe
>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} -> C:\WINDOWS\inf\unregmp2.exe /ShowWMP ->
>{26923b43-4d38-484f-9b9e-de460746276c} -> C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig ->
>{60B49E34-C7CC-11D0-8953-00A0C90347FF} -> RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP ->
>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS -> RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP ->
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a} -> %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE ->
< WOW Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW
cmdline -> %SystemRoot%\system32\ntvdm.exe ->
wowcmdline -> %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386 ->
< Session Manager Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
BootExecute -> autocheck autochk *; ->
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 73728 bytes | Modified Date = 28-09-2006 15:13:28 | Attr = ]
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKLM] -> %ProgramFiles%\SUPERAntiSpyware\SASSEH.DLL [] -> SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 20-12-2006 12:55:48 | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet ->
Control_RunDLL -> -> File not found
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
!SASWinLogon -> %ProgramFiles%\SUPERAntiSpyware\SASWINLO.dll -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1028 | Size = 258048 bytes | Modified Date = 19-10-2006 09:12:20 | Attr = ]
< Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\\{17492023-C23A-453E-A040-C7C580BBF700} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
< Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 0 ->
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer not found. -> ->
< Desktop Components > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\
0 -> [Key] ->
0 -> FriendlyName = Min aktuelle startside ->
0 -> Source = About:Home ->
0 -> SubscribedURL = About:Home ->
< HOSTS File > (723 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts
127.0.0.1 localhost -> ->
< Internet Explorer Settings > ->
HKLM: Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKLM: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKLM: Start Page -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: Search\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: SearchAssistant -> http://www.google.com/ie ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Bar -> http://www.google.com/ie ->
HKCU: Search Page -> http://www.google.com ->
HKCU: Start Page -> http://google.dk/ ->
HKCU: SearchAssistant -> http://www.google.com/ie ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
msn.com [ - ] -> ->
< BHO’s > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 7.0.7.2006011200 | Size = 63128 bytes | Modified Date = 12-01-2006 19:38:22 | Attr = ]
{AE7CD045-E861-484f-8273-0445EE161910} [HKLM] -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF Conversion Toolbar Helper] -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 231160 bytes | Modified Date = 24-09-2005 05:41:42 | Attr = ]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKLM] -> %ProgramFiles%\Google\googletoolbar2.dll [Google Toolbar Helper] -> Google Inc. [Ver = 4, 0, 1020, 3054 | Size = 2128960 bytes | Modified Date = 17-10-2006 15:04:18 | Attr = R ]
< Internet Explorer Bars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B} [HKLM] -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 231160 bytes | Modified Date = 24-09-2005 05:41:42 | Attr = ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar2.dll [&Google;] -> Google Inc. [Ver = 4, 0, 1020, 3054 | Size = 2128960 bytes | Modified Date = 17-10-2006 15:04:18 | Attr = R ]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKLM] -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 231160 bytes | Modified Date = 24-09-2005 05:41:42 | Attr = ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar2.dll [&Google;] -> Google Inc. [Ver = 4, 0, 1020, 3054 | Size = 2128960 bytes | Modified Date = 17-10-2006 15:04:18 | Attr = R ]
WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKLM] -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 231160 bytes | Modified Date = 24-09-2005 05:41:42 | Attr = ]
< Internet Explorer CmdMapping [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -> 8193 - Reg Data - Value does not exist ->
{e2e2dd38-d088-4134-82b7-f2ba38496583} -> 8194 - @xpsp3res.dll,-20001 ->
{FB5F1910-F110-11d2-BB9E-00C04F795683} -> 8192 - @c:\Programmer\Messenger\Msgslang.dll,-61144 ->
NextId -> 8195 ->
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -> Reg Data - Value does not exist [ButtonText: Opslag] -> File not found
{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> Reg Data - Key not found [MenuText: @xpsp3res.dll,-20001] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
?????????? -> Reg Data - Key not found -> File not found
E&ksporter; til Microsoft Excel -> -> File not found
Konverter hyperlinkdestination til Adobe PDF -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm -> File not found
Konverter hyperlinkdestination til eksisterende PDF -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm -> File not found
Konverter markering til Adobe PDF -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm -> File not found
Konverter markering til eksisterende PDF-fil -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm -> File not found
Konverter til Adobe PDF -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm -> File not found
Konverter til eksisterende PDF-fil -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm -> File not found
Konverter valgte hyperlinks til Adobe PDF -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECaptureSelLinks.htm -> File not found
Konverter valgte hyperlinks til eksisterende PDF -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppendSelLinks.htm -> File not found
< Approved Shell Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} [HKLM] -> Reg Data - Key not found [Autoplay for SlideShow] -> File not found
{0DF44EAA-FF21-4412-828E-260A8728E7F1} [HKLM] -> Reg Data - Key not found [Proceslinje og menuen Start] -> File not found
{2F603045-309F-11CF-9774-0020AFD0CFF6} [HKLM] -> %ProgramFiles%\Synaptics\SynTP\SynTPCpl.dll [Synaptics Control Panel] -> Synaptics, Inc. [Ver = 8.2.12 13Jan06 | Size = 6135898 bytes | Modified Date = 13-01-2006 16:22:24 | Attr = ]
{42071714-76d4-11d1-8b24-00a0c9068ff3} [HKLM] -> deskpan.dll [Kontrolpanel-udvidelse til skærmpanorering] -> File not found
{472083B0-C522-11CF-8763-00608CC02F24} [HKLM] -> %ProgramFiles%\Alwil Software\Avast4\ashShell.dll [avast] -> ALWIL Software [Ver = 4, 7, 936, 0 | Size = 69632 bytes | Modified Date = 15-01-2007 18:23:14 | Attr = ]
{764BF0E1-F219-11ce-972D-00AA00A14F56} [HKLM] -> Reg Data - Key not found [Grænsefladeudvidelser til filkomprimering] -> File not found
{7A9D77BD-5403-11d2-8785-2E0420524153} [HKLM] -> Reg Data - Key not found [Brugerkonti] -> File not found
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} [HKLM] -> Reg Data - Key not found [Kontekstmenu til kryptering] -> File not found
{88895560-9AA2-1069-930E-00AA0030EBC8} [HKLM] -> %System32%\hticons.dll [HyperTerminal-ikon] -> Hilgraeve, Inc. [Ver = 5.1.2600.0 | Size = 44544 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
{8DE0B272-74FA-1FD1-B7DA-0CA0C9B348D6} [HKLM] -> Reg Data - Key not found [&DoDoor; RSS Finder] -> File not found
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} [HKLM] -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Acrobat Elements\ContextMenu.dll [Adobe.Acrobat.ContextMenu] -> Adobe Systems Inc. [Ver = 7.0.7.2006011200\0 | Size = 581632 bytes | Modified Date = 12-01-2006 19:49:02 | Attr = ]
< ContextMenuHandlers - * [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\
{CA8ACAFA-5FBB-467B-B348-90DD488DE003} [HKLM] -> %ProgramFiles%\SUPERAntiSpyware\SASCTXMN.DLL [SASContextMenu Class] -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1002 | Size = 61440 bytes | Modified Date = 16-01-2007 13:54:10 | Attr = ]
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} [HKLM] -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Acrobat Elements\ContextMenu.dll [Adobe.Acrobat.ContextMenu] -> Adobe Systems Inc. [Ver = 7.0.7.2006011200\0 | Size = 581632 bytes | Modified Date = 12-01-2006 19:49:02 | Attr = ]
{472083B0-C522-11CF-8763-00608CC02F24} [HKLM] -> %ProgramFiles%\Alwil Software\Avast4\ashShell.dll [avast] -> ALWIL Software [Ver = 4, 7, 936, 0 | Size = 69632 bytes | Modified Date = 15-01-2007 18:23:14 | Attr = ]
{8934FCEF-F5B8-468f-951F-78A921CD3920} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\context.dll [AVG Anti-Spyware] -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 98304 bytes | Modified Date = 28-09-2006 15:13:14 | Attr = ]
< ContextMenuHandlers - Directory [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\
{CA8ACAFA-5FBB-467B-B348-90DD488DE003} [HKLM] -> %ProgramFiles%\SUPERAntiSpyware\SASCTXMN.DLL [SASContextMenu Class] -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1002 | Size = 61440 bytes | Modified Date = 16-01-2007 13:54:10 | Attr = ]
{8934FCEF-F5B8-468f-951F-78A921CD3920} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\context.dll [AVG Anti-Spyware] -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 98304 bytes | Modified Date = 28-09-2006 15:13:14 | Attr = ]
< ContextMenuHandlers - Directory\Background [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\shellex\ContextMenuHandlers\
{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} [HKLM] -> %System32%\igfxpph.dll [igfxcui] -> Intel Corporation [Ver = 3.0.0.4497 | Size = 143360 bytes | Modified Date = 07-02-2006 08:39:06 | Attr = ]
< ContextMenuHandlers - Folder [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\
{472083B0-C522-11CF-8763-00608CC02F24} [HKLM] -> %ProgramFiles%\Alwil Software\Avast4\ashShell.dll [avast] -> ALWIL Software [Ver = 4, 7, 936, 0 | Size = 69632 bytes | Modified Date = 15-01-2007 18:23:14 | Attr = ]
< ColumnHandlers - Folder [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627} [HKLM] -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\ActiveX\pdfshell.dll [PDF Shell Extension] -> Adobe Systems, Inc. [Ver = 7.0.0.0 | Size = 110592 bytes | Modified Date = 14-12-2004 01:20:02 | Attr = ]
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
{1B156F02-204A-4645-85D0-92D76A76D9EC} -> (Intel(R) PRO/100 VE Network Connection) ->
{6D165C37-CF98-4842-85A8-F5C8E55CDFF9} -> (Intel(R) PRO/Wireless 3945ABG Network Connection) ->
{9EFDD6F9-B7F3-4D16-BC0F-610F93A4C910} -> (1394-netværkskort) ->
{AB6625EC-68C4-47A6-B6D3-EA3F0CC5A1B5} -> (1394-netværkskort) ->
{D2CF0ECF-4FD8-4164-BEA1-EC5AC7E8C274} -> () ->
< Winsock2 Catalogs [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000001 -> %System32%\aelupsvc32.dll -> [Ver = | Size = 167936 bytes | Modified Date = 12-11-2006 18:40:12 | Attr = ]
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
[Files - Created Within 30 days]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 1063440384 bytes | Created Date = 02-01-1601 23:00:00 | Attr = HS]
AVG Anti-Spyware.lnk -> %AllUsersDesktop%\AVG Anti-Spyware.lnk -> [Ver = | Size = 834 bytes | Created Date = 19-02-2007 16:17:08 | Attr = ]
SUPERAntiSpyware Professional.lnk -> %AllUsersDesktop%\SUPERAntiSpyware Professional.lnk -> [Ver = | Size = 1741 bytes | Created Date = 19-02-2007 23:14:08 | Attr = ]
61661.htm -> %UserDesktop%\61661.htm -> [Ver = | Size = 6420 bytes | Created Date = 31-01-2007 04:53:12 | Attr = ]
abc.bat -> %UserDesktop%\abc.bat -> [Ver = | Size = 183 bytes | Created Date = 23-02-2007 08:12:01 | Attr = ]
abc.dll -> %UserDesktop%\abc.dll -> [Ver = 1, 0, 12, 12027 | Size = 185344 bytes | Created Date = 22-02-2007 15:22:00 | Attr = ]
abc.exe -> %UserDesktop%\abc.exe -> [Ver = 1, 0, 12, 12027 | Size = 573440 bytes | Created Date = 04-02-2007 21:23:26 | Attr = ]
driverchk.exe -> %UserDesktop%\driverchk.exe -> [Ver = | Size = 279181 bytes | Created Date = 22-02-2007 15:19:18 | Attr = ]
gmer.ini -> %UserDesktop%\gmer.ini -> [Ver = | Size = 250 bytes | Created Date = 22-02-2007 15:22:01 | Attr = ]
gmer_uninstall.cmd -> %SystemRoot%\gmer_uninstall.cmd -> [Ver = | Size = 80 bytes | Created Date = 22-02-2007 15:22:00 | Attr = ]
AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 19-02-2007 16:17:07 | Attr = ]
ksfqcqkg.sys -> %System32%\drivers\ksfqcqkg.sys -> [Ver = | Size = 60416 bytes | Created Date = 21-02-2007 23:12:29 | Attr = ]
njb^qdqi.sys -> %System32%\drivers\njb^qdqi.sys -> [Ver = | Size = 60416 bytes | Created Date = 21-02-2007 21:46:48 | Attr = ]
n^vidoec.sys -> %System32%\drivers\n^vidoec.sys -> [Ver = | Size = 60416 bytes | Created Date = 21-02-2007 21:37:07 | Attr = ]
rkhdrv31.sys -> %System32%\drivers\rkhdrv31.sys -> [Ver = 3, 2, 120, 0 | Size = 24448 bytes | Created Date = 01-03-2007 17:11:28 | Attr = H ]
wsfit32.sys -> %System32%\drivers\wsfit32.sys -> [Ver = | Size = 29184 bytes | Created Date = 23-02-2007 08:15:29 | Attr = ]
[Files - Modified Within 30 days]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 1063440384 bytes | Modified Date = 01-03-2007 22:00:20 | Attr = HS]
IconCache.db -> %LocalAppData%\IconCache.db -> [Ver = | Size = 4837630 bytes | Modified Date = 01-03-2007 21:59:10 | Attr = H ]
AVG Anti-Spyware.lnk -> %AllUsersDesktop%\AVG Anti-Spyware.lnk -> [Ver = | Size = 834 bytes | Modified Date = 19-02-2007 16:17:10 | Attr = ]
SUPERAntiSpyware Professional.lnk -> %AllUsersDesktop%\SUPERAntiSpyware Professional.lnk -> [Ver = | Size = 1741 bytes | Modified Date = 19-02-2007 23:14:10 | Attr = ]
61661.htm -> %UserDesktop%\61661.htm -> [Ver = | Size = 6420 bytes | Modified Date = 31-01-2007 04:53:14 | Attr = ]
abc.bat -> %UserDesktop%\abc.bat -> [Ver = | Size = 183 bytes | Modified Date = 23-02-2007 08:12:02 | Attr = ]
abc.dll -> %UserDesktop%\abc.dll -> [Ver = 1, 0, 12, 12027 | Size = 185344 bytes | Modified Date = 22-02-2007 15:22:02 | Attr = ]
abc.exe -> %UserDesktop%\abc.exe -> [Ver = 1, 0, 12, 12027 | Size = 573440 bytes | Modified Date = 04-02-2007 21:23:26 | Attr = ]
driverchk.exe -> %UserDesktop%\driverchk.exe -> [Ver = | Size = 279181 bytes | Modified Date = 22-02-2007 15:18:06 | Attr = ]
gmer.ini -> %UserDesktop%\gmer.ini -> [Ver = | Size = 250 bytes | Modified Date = 23-02-2007 16:51:06 | Attr = ]
Adobe Acrobat Hurtigstart.lnk -> %AllUsersStartup%\Adobe Acrobat Hurtigstart.lnk -> [Ver = | Size = 2347 bytes | Modified Date = 01-03-2007 22:00:48 | Attr = ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 01-03-2007 22:00:20 | Attr = S]
gmer_uninstall.cmd -> %SystemRoot%\gmer_uninstall.cmd -> [Ver = | Size = 80 bytes | Modified Date = 22-02-2007 15:22:02 | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 1158 bytes | Modified Date = 01-03-2007 22:00:36 | Attr = ]
ksfqcqkg.sys -> %System32%\drivers\ksfqcqkg.sys -> [Ver = | Size = 60416 bytes | Modified Date = 21-02-2007 23:12:30 | Attr = ]
njb^qdqi.sys -> %System32%\drivers\njb^qdqi.sys -> [Ver = | Size = 60416 bytes | Modified Date = 21-02-2007 21:46:50 | Attr = ]
n^vidoec.sys -> %System32%\drivers\n^vidoec.sys -> [Ver = | Size = 60416 bytes | Modified Date = 21-02-2007 21:37:08 | Attr = ]
rkhdrv31.sys -> %System32%\drivers\rkhdrv31.sys -> [Ver = 3, 2, 120, 0 | Size = 24448 bytes | Modified Date = 01-03-2007 17:46:04 | Attr = H ]
wsfit32.sys -> %System32%\drivers\wsfit32.sys -> [Ver = | Size = 29184 bytes | Modified Date = 28-02-2007 16:59:50 | Attr = ]
[File String Scan - Non-Microsoft Only]
@Alternate Data Stream - 26 bytes -> %UserDocuments%\Credits.doc:Zone.Identifier ->
UPX! , UPX0 , -> %UserDesktop%\abc.dll -> [Ver = 1, 0, 12, 12027 | Size = 185344 bytes | Modified Date = 22-02-2007 15:22:02 | Attr = ]
UPX! , UPX0 , -> %System32%\aswBoot.exe -> [Ver = 4, 7, 936, 0 | Size = 689280 bytes | Modified Date = 15-01-2007 18:32:08 | Attr = ]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41123 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
PEC2 , PECompact2 , -> %System32%\DivX.dll -> DivXNetworks [Ver = 6,0,0,1571 | Size = 692736 bytes | Modified Date = 15-07-2005 19:36:36 | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
WSUD , UPX0 , -> %System32%\dllcache\hwxjpn.dll -> [Ver = | Size = 13463552 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
< End of report >
OK. This time the news is unfortunately not quite as good, as it looks like the infection has managed to restore itself [:(]. So I now think you should try the following (long) procedure, which is a mix of things you have done before and new things. Then we can hope it gets cleaned up well enough that it cannot regenerate.
—Download Dr. Web and save it to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
—Unplug the network cable from the computer.
—Run Rootkit Unhooker. Click Setup - “Extended mode”. You will then be asked to restart, but restart into Safe Mode.
—Once the computer has restarted, run Rootkit Unhooker again. Click “Tools” - “Wipe/copy file”. Click “Browse” and navigate to the following file (note that the order is different from last time):
C:\WINDOWS\system32\drivers\wsfit32.sys
...and click “Open”. Then select the “Direct File Content Wiping” radio button and click “Do operation”.
Then repeat the procedure for the following files:
c:\windows\system32\aelupsvc32.dll
C:\WINDOWS\IEXPL0RE.exe
—Then close this dialog box and click the “SSDT Hooks Detector/Restorer” tab. Again find the following “Service Names” and select them while holding down the Ctrl key:
NtDeleteKey Hooked by: wsfit32.sys
NtDeleteValueKey Hooked by: wsfit32.sys
NtSetValueKey Hooked by: wsfit32.sys
Then click “Unhook selected”.
—Then click “Action”. Here you have the option to choose “Do immediately BSOD”. This function will crash your computer, which (hopefully) means the infection will not have time to regenerate. You will then probably have to turn off your computer manually and restart it.
—Then run WinPFind3U from the WinPFind3U folder again. Copy the contents between the wavy lines into the white box on the right (right-click the box and choose “paste”):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[Kill Explorer]
[Driver Services - Non-Microsoft Only]
YY -> (wsfit32) wsfit32 [File_System | Boot | Stopped] -> %System32%\drivers\wsfit32.sys
[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> WinStar -> %SystemRoot%\IEXPL0RE.exe
< Winsock2 Catalogs [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\
YY -> Protocol_Catalog9\Catalog_Entries\000000000001 -> %System32%\aelupsvc32.dll
[Files - Created Within 30 days]
NY -> ksfqcqkg.sys -> %System32%\drivers\ksfqcqkg.sys
NY -> njb^qdqi.sys -> %System32%\drivers\njb^qdqi.sys
NY -> n^vidoec.sys -> %System32%\drivers\n^vidoec.sys
NY -> wsfit32.sys -> %System32%\drivers\wsfit32.sys
[Start Explorer]
[Reboot]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Then click “Run Fix” and follow the instructions given. Your computer will now restart. After the restart, open the WinPFind3U folder again. There will now be a log there whose name consists of a long string of numbers; copy it in here.
—Then restart into Safe Mode; if you don't know how, look here:
http://www.ctrlaltdel.dk/forum/forum_posts.asp?TID=23&PN=1
—Double-click drweb-cureit.exe; it will run an express scan, which you say yes to. Let it delete what it finds (say Yes to all). During the scan, a green popup will appear offering to sell you Dr.Web, with the options “Buy” or “50% discount”. Just close the popup by clicking the cross in the top right corner.
When it says “Select object for Scanning” at the bottom left, click Options->Change settings.
Switch to the Scan tab and untick Heuristic analysis.
Switch to the File Types tab and select All Files.
Switch to the Actions tab; here all items under Malware must be set to Move.
Untick “Prompt on action”.
At “Move path”, type “c:\” in the text box so that it reads “c:\infected”.
Switch to the Log File tab. There, untick “Scanned objects” and “Archivers name”.
Press Apply.
Then click the drive(s) you want scanned; a red dot appears to show it/they are selected.
Then press the green arrow at the bottom right and it will scan.
Let it delete/move what it finds (Say yes to all).
When the scan is finished, go up to File and click Save Report list. There will then be a file called “drweb.csv” on the desktop. Close the program.
—Restart into normal mode and copy the contents of drweb.csv in here.
—Then run LSPFix. Tick “I know what I am doing”. If aelupsvc32.dll is in the left-hand column (Keep), select it and click the arrow to the left to move it over to “Remove”. Click Finish.
—Restart again and make a new log file with WinPFind3U, which you post here.
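As an added example (not part of the thread, and not code from OldTimer's WinPFind3U or any other tool used here): a small Python triage script that parses report lines in the "name -> path -> vendor [Ver = ... | Size = ...]" shape of the report above, applies the cues the helper relied on (a Winsock catalog entry and freshly created drivers with no vendor or version information, odd characters in file names, several files of identical size), and renders the flagged entries as fix-script lines in the same shape as the helper's script. The embedded sample report is constructed from a few lines of the report above, and the meaning of the YY/NY prefixes is an assumption read off that script.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the shape of the WinPFind3U report above (a handful of
# lines copied from it, not the whole log).
SAMPLE_REPORT = r"""
< Winsock2 Catalogs [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000001 -> %System32%\aelupsvc32.dll -> [Ver = | Size = 167936 bytes | Modified Date = 12-11-2006 18:40:12 | Attr = ]
[Files - Created Within 30 days]
AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 19-02-2007 16:17:07 | Attr = ]
ksfqcqkg.sys -> %System32%\drivers\ksfqcqkg.sys -> [Ver = | Size = 60416 bytes | Created Date = 21-02-2007 23:12:29 | Attr = ]
njb^qdqi.sys -> %System32%\drivers\njb^qdqi.sys -> [Ver = | Size = 60416 bytes | Created Date = 21-02-2007 21:46:48 | Attr = ]
n^vidoec.sys -> %System32%\drivers\n^vidoec.sys -> [Ver = | Size = 60416 bytes | Created Date = 21-02-2007 21:37:07 | Attr = ]
rkhdrv31.sys -> %System32%\drivers\rkhdrv31.sys -> [Ver = 3, 2, 120, 0 | Size = 24448 bytes | Created Date = 01-03-2007 17:11:28 | Attr = H ]
wsfit32.sys -> %System32%\drivers\wsfit32.sys -> [Ver = | Size = 29184 bytes | Created Date = 23-02-2007 08:15:29 | Attr = ]
"""


@dataclass
class Entry:
    section: str   # "[...]" section or "< ... >" sub-section the line sits under
    name: str      # first field (file name or registry value/key name)
    path: str      # second field
    vendor: str    # company name before the "[Ver = ...]" block, "" when absent
    ver: str       # "Ver" field, "" when the file carries no version resource
    size: int      # "Size" field in bytes


LINE_RE = re.compile(r"^(?P<name>.+?) -> (?P<path>.+?) -> (?P<rest>.*)$")


def parse_report(text):
    """Return an Entry for every 'name -> path -> vendor [Ver = .. | Size = ..]' line."""
    section, entries = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]                       # e.g. Files - Created Within 30 days
            continue
        if line.startswith("<") and ">" in line:
            section = line[1:line.index(">")].strip()  # e.g. Winsock2 Catalogs [HKLM]
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        lb = rest.rfind("[")
        if lb < 0 or not rest.endswith("]"):
            continue                                   # no file details on this line
        fields = {}
        for part in rest[lb + 1:-1].split(" | "):
            key, _, value = part.partition("=")        # "Ver =" (empty) splits cleanly this way
            fields[key.strip()] = value.strip()
        size = re.search(r"\d+", fields.get("Size", ""))
        entries.append(Entry(section, m.group("name"), m.group("path"),
                             rest[:lb].strip(), fields.get("Ver", ""),
                             int(size.group()) if size else 0))
    return entries


def triage(entries):
    """Apply the cues the thread relies on; returns {path: [reasons]}."""
    findings = {}

    def flag(e, why):
        findings.setdefault(e.path, []).append(why)

    # Unlabeled files sharing one exact size: the same component dropped under
    # several random names (the three 60416-byte drivers in the report above).
    sizes = Counter(e.size for e in entries if not e.vendor and not e.ver)
    for e in entries:
        unlabeled = not e.vendor and not e.ver
        if "Winsock2" in e.section and unlabeled:
            flag(e, "Winsock LSP catalog entry loads a DLL with no vendor/version info")
        if e.section.startswith("Files") and unlabeled and e.path.lower().endswith(".sys"):
            flag(e, "recently created kernel driver with no vendor/version info")
        if e.section.startswith("Files") and re.search(r"[^A-Za-z0-9 ._\-()]", e.name):
            flag(e, "unusual character in file name")
        if unlabeled and sizes[e.size] > 1:
            flag(e, f"same size ({e.size} bytes) as {sizes[e.size] - 1} other unlabeled file(s)")
    return findings


def fix_lines(entries, findings):
    """Render flagged entries as fix-script lines in the shape the helper used above.
    The prefix reading is an assumption taken from that script: YY = remove the
    registry entry and the file, NY = file only. Section headers are left to the operator."""
    lines = []
    for e in entries:
        if e.path in findings:
            prefix = "YY" if "Winsock2" in e.section else "NY"
            lines.append(f"{prefix} -> {e.name} -> {e.path}")
    return lines


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    found = triage(parsed)
    for path, reasons in found.items():
        print(path, "->", "; ".join(reasons))
    print("\n".join(fix_lines(parsed, found)))
```

Files that carry a vendor and version (AvgAsCln.sys, rkhdrv31.sys in the sample) are not flagged; the heuristics only narrow a log down, and every flagged file still needs the operator's judgement before it goes into a fix.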
So I have been through the long procedure, and here is feedback on the various elements:
C:\WINDOWS\IEXPL0RE.exe still could not be found with RKU. The other two files were wiped. The three Service Names under “SSDT Hooks Detector/Restorer” were gone and therefore could not be unhooked.
Here is the log from the WinPFind3U fix:
Explorer killed successfully
[Driver Services - Non-Microsoft Only]
Service wsfit32 stopped successfully.
Service wsfit32 deleted successfully.
C:\WINDOWS\SYSTEM32\drivers\wsfit32.sys moved successfully.
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\WinStar deleted successfully.
File C:\WINDOWS\IEXPL0RE.exe not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 deleted successfully.
C:\WINDOWS\SYSTEM32\aelupsvc32.dll moved successfully.
[Files - Created Within 30 days]
C:\WINDOWS\SYSTEM32\drivers\ksfqcqkg.sys moved successfully.
C:\WINDOWS\SYSTEM32\drivers\njb^qdqi.sys moved successfully.
C:\WINDOWS\SYSTEM32\drivers\n^vidoec.sys moved successfully.
File C:\WINDOWS\SYSTEM32\drivers\wsfit32.sys not found!
< End of log >
Created on 03-04-2007 15:13:53
Dr.Web found nothing in the quick scan, but in the long one it found 8 files. Here is the log:
A0032544.dll;C:\System Volume Information\_restore{E8F1C1A1-7198-41A7-8698-47559F625301}\RP61;Adware.Tencent;Moved.;
A0032649.dll;C:\System Volume Information\_restore{E8F1C1A1-7198-41A7-8698-47559F625301}\RP61;Adware.Dodoor;Moved.;
A0032650.dll;C:\System Volume Information\_restore{E8F1C1A1-7198-41A7-8698-47559F625301}\RP61;Adware.Seecha;Moved.;
A0032852.exe;C:\System Volume Information\_restore{E8F1C1A1-7198-41A7-8698-47559F625301}\RP62;Adware.Caishow;Moved.;
A0033167.sys;C:\System Volume Information\_restore{E8F1C1A1-7198-41A7-8698-47559F625301}\RP62;Trojan.NtRootKit.183;Deleted.;
A0033234.sys;C:\System Volume Information\_restore{E8F1C1A1-7198-41A7-8698-47559F625301}\RP62;Trojan.NtRootKit.183;Deleted.;
A0033239.exe;C:\System Volume Information\_restore{E8F1C1A1-7198-41A7-8698-47559F625301}\RP62;Trojan.DownLoader.15468;Deleted.;
A0033326.sys;C:\System Volume Information\_restore{E8F1C1A1-7198-41A7-8698-47559F625301}\RP62;Trojan.NtRootKit.183;Deleted.;
In LSPFix, aelupsvc32.dll was already on the right side under “remove”. Various things were fixed - I can't quite remember which.
Here is the log from WinPFind3U:
WinPFind3 logfile created on: 04-03-2007 16:20:02
WinPFind3U by OldTimer - Version 1.0.19 Folder = C:\Documents and Settings\Shaola\Skrivebord\Spywarefri\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)
1038444 Kb Total Physical Memory | 679680 Kb Available Physical Memory | 65,45% Memory free
2498768 Kb Paging File | 2213940 Kb Available in Paging File | 88,60% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048;
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programmer
Drive C: | 78148160 Kb Total Space | 63806188 Kb Free Space | 81,65% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
[Processes - Non-Microsoft Only]
acrobat_sl.exe -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 32256 bytes | Modified Date = 24-09-2005 07:05:38 | Attr = ]
acrotray.exe -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe -> Adobe Systems Inc. [Ver = 7.0.7.2006011200 | Size = 483328 bytes | Modified Date = 12-01-2006 19:52:32 | Attr = ]
ashdisp.exe -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> [Ver = 4, 7, 936, 0 | Size = 108160 bytes | Modified Date = 15-01-2007 18:28:58 | Attr = ]
ashmaisv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 936, 0 | Size = 255616 bytes | Modified Date = 15-01-2007 18:28:32 | Attr = ]
ashserv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> [Ver = 4, 7, 936, 0 | Size = 132736 bytes | Modified Date = 15-01-2007 18:28:52 | Attr = ]
aswupdsv.exe -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> [Ver = | Size = 59008 bytes | Modified Date = 05-08-2006 16:10:10 | Attr = ]
avgas.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 6266880 bytes | Modified Date = 28-09-2006 15:13:50 | Attr = ]
guard.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 204800 bytes | Modified Date = 28-09-2006 15:13:20 | Attr = ]
hkcmd.exe -> %System32%\hkcmd.exe -> Intel Corporation [Ver = 3.0.0.4497 | Size = 77824 bytes | Modified Date = 07-02-2006 08:36:06 | Attr = ]
hpqgalry.exe -> %ProgramFiles%\HP\Digital Imaging\bin\hpqgalry.exe -> Hewlett-Packard Co. [Ver = 045.004.157.000 | Size = 425984 bytes | Modified Date = 04-11-2004 18:36:46 | Attr = ]
hpqtra08.exe -> %ProgramFiles%\HP\Digital Imaging\bin\hpqtra08.exe -> Hewlett-Packard Co. [Ver = 45.4.157.000 | Size = 258048 bytes | Modified Date = 04-11-2004 18:28:24 | Attr = ]
hpwuschd2.exe -> %ProgramFiles%\HP\HP Software Update\HPWuSchd2.exe -> Hewlett-Packard Company [Ver = 5, 0, 0, 0 | Size = 49152 bytes | Modified Date = 13-09-2004 14:49:00 | Attr = ]
igfxpers.exe -> %System32%\igfxpers.exe -> Intel Corporation [Ver = 3.0.0.4497 | Size = 118784 bytes | Modified Date = 07-02-2006 08:40:02 | Attr = ]
reader_sl.exe -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Modified Date = 23-09-2005 21:05:26 | Attr = ]
skype.exe -> %ProgramFiles%\Skype\Phone\Skype.exe -> [Ver = | Size = 20058152 bytes | Modified Date = 13-10-2006 17:20:08 | Attr = ]
syntpenh.exe -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe -> Synaptics, Inc. [Ver = 8.2.12 13Jan06 | Size = 761946 bytes | Modified Date = 13-01-2006 16:33:38 | Attr = ]
versioncuecs2tray.exe -> %ProgramFiles%\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe -> Adobe Sytems Incorporated [Ver = 2, 0, 0, 0 | Size = 856064 bytes | Modified Date = 06-04-2005 15:53:04 | Attr = ]
wincinemamgr.exe -> %ProgramFiles%\InterVideo\Common\Bin\WinCinemaMgr.exe -> InterVideo Inc. [Ver = IVI_MAJOR_VERSION.IVI_MINOR_VERSION | Size = 278528 bytes | Modified Date = 06-02-2006 10:41:00 | Attr = ]
winpfind3u.exe -> %UserDesktop%\Spywarefri\WinPFind3u\WinPFind3U.exe -> Oldtimer Tools [Ver = 1.0.19.0 | Size = 310784 bytes | Modified Date = 25-02-2007 19:40:22 | Attr = ]
[Win32 Services - Non-Microsoft Only]
(Adobe LM Service) Adobe LM Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Adobe Systems Shared\Service\Adobelmsvc.exe -> Adobe Systems [Ver = 2.67.010 | Size = 72704 bytes | Modified Date = 10-06-2006 06:17:00 | Attr = ]
(Adobe Version Cue CS2) Adobe Version Cue CS2 [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe -> Adobe Systems Incorporated [Ver = 2, 0, 0, 0 | Size = 163840 bytes | Modified Date = 06-04-2005 15:53:02 | Attr = ]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> [Ver = | Size = 59008 bytes | Modified Date = 05-08-2006 16:10:10 | Attr = ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> [Ver = 4, 7, 936, 0 | Size = 132736 bytes | Modified Date = 15-01-2007 18:28:52 | Attr = ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 936, 0 | Size = 255616 bytes | Modified Date = 15-01-2007 18:28:32 | Attr = ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 936, 0 | Size = 370304 bytes | Modified Date = 15-01-2007 18:27:52 | Attr = ]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 204800 bytes | Modified Date = 28-09-2006 15:13:20 | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 225280 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | Auto | Stopped] -> %System32%\HPZipm12.exe -> HP [Ver = 9, 0, 0, 0 | Size = 69632 bytes | Modified Date = 29-09-2004 11:14:36 | Attr = ]
[Driver Services - Non-Microsoft Only]
(Aavmker4) avast! Asynchronous Virus Monitor [Kernel | System | Running] -> %System32%\drivers\aavmker4.sys -> ALWIL Software [Ver = 4.7.892.0 | Size = 31560 bytes | Modified Date = 21-12-2006 00:51:58 | Attr = ]
(Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped] -> -> File not found
(abp480n5) abp480n5 [Kernel | Disabled | Stopped] -> -> File not found
(adpu160m) adpu160m [Kernel | Disabled | Stopped] -> -> File not found
(Aha154x) Aha154x [Kernel | Disabled | Stopped] -> -> File not found
(aic78u2) aic78u2 [Kernel | Disabled | Stopped] -> -> File not found
(aic78xx) aic78xx [Kernel | Disabled | Stopped] -> -> File not found
(AliIde) AliIde [Kernel | Disabled | Stopped] -> -> File not found
(amsint) amsint [Kernel | Disabled | Stopped] -> -> File not found
(asc) asc [Kernel | Disabled | Stopped] -> -> File not found
(asc3350p) asc3350p [Kernel | Disabled | Stopped] -> -> File not found
(asc3550) asc3550 [Kernel | Disabled | Stopped] -> -> File not found
(aswMon2) avast! Standard Shield Support [File_System | Auto | Running] -> %System32%\drivers\aswmon2.sys -> ALWIL Software [Ver = 4.7.892.0 | Size = 94424 bytes | Modified Date = 21-12-2006 00:56:00 | Attr = ]
(aswRdr) aswRdr [Kernel | On_Demand | Running] -> %System32%\drivers\aswRdr.sys -> ALWIL Software [Ver = 4.7.936.0 | Size = 23352 bytes | Modified Date = 15-01-2007 18:26:08 | Attr = ]
(aswTdi) avast! Network Shield Support [Kernel | System | Running] -> %System32%\drivers\aswTdi.sys -> ALWIL Software [Ver = 4.7.936.0 | Size = 43176 bytes | Modified Date = 15-01-2007 18:25:24 | Attr = ]
(Atdisk) Atdisk [Kernel | Disabled | Stopped] -> -> File not found
(AVG Anti-Spyware Driver) AVG Anti-Spyware Driver [Kernel | System | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.sys -> [Ver = | Size = 4096 bytes | Modified Date = 28-09-2006 15:13:34 | Attr = ]
(AvgAsCln) AVG Anti-Spyware Clean Driver [Kernel | System | Running] -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Modified Date = 05-09-2006 17:03:16 | Attr = ]
(cd20xrnt) cd20xrnt [Kernel | Disabled | Stopped] -> -> File not found
(Changer) Changer [Kernel | System | Stopped] -> -> File not found
(CmdIde) CmdIde [Kernel | Disabled | Stopped] -> -> File not found
(Cpqarray) Cpqarray [Kernel | Disabled | Stopped] -> -> File not found
(dac960nt) dac960nt [Kernel | Disabled | Stopped] -> -> File not found
(dmboot) dmboot [Kernel | Disabled | Stopped] -> %System32%\drivers\dmboot.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 800000 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
(dmio) dmio [Kernel | Disabled | Stopped] -> %System32%\drivers\dmio.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 153600 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
(dmload) dmload [Kernel | Disabled | Stopped] -> %System32%\drivers\dmload.sys -> Microsoft Corp., Veritas Software. [Ver = 2600.0.503.0 | Size = 5888 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
(dpti2o) dpti2o [Kernel | Disabled | Stopped] -> -> File not found
(E100B) Intel(R) PRO Network Connection Driver [Kernel | On_Demand | Running] -> %System32%\drivers\e100b325.sys -> Intel Corporation [Ver = 8.0.19.0 built by: WinDDK | Size = 157696 bytes | Modified Date = 26-07-2005 04:26:52 | Attr = ]
(HdAudAddService) Microsoft UAA Function Driver for High Definition Audio Service [Kernel | On_Demand | Running] -> %System32%\drivers\CHDAud.sys -> Conexant Systems Inc. [Ver = 3.12.0.0 built by: WinDDK | Size = 561664 bytes | Modified Date = 05-01-2006 10:30:42 | Attr = ]
(HDAudBus) Microsoft UAA-busdriver til High Definition Audio [Kernel | On_Demand | Running] -> %System32%\drivers\Hdaudbus.sys -> Windows (R) Server 2003 DDK provider [Ver = 5.10.01.5013 built by: WinDDK | Size = 138752 bytes | Modified Date = 07-01-2005 16:07:18 | Attr = ]
(hpn) hpn [Kernel | Disabled | Stopped] -> -> File not found
(HPZid412) IEEE-1284.4 Driver HPZid412 [Kernel | On_Demand | Stopped] -> %System32%\drivers\HPZid412.sys -> HP [Ver = 9, 0, 0, 0 | Size = 51120 bytes | Modified Date = 14-12-2004 18:35:42 | Attr = R ]
(HPZipr12) Print Class Driver for IEEE-1284.4 HPZipr12 [Kernel | On_Demand | Stopped] -> %System32%\drivers\HPZipr12.sys -> HP [Ver = 9, 0, 0, 0 | Size = 16496 bytes | Modified Date = 14-12-2004 18:35:42 | Attr = R ]
(HPZius12) USB to IEEE-1284.4 Translation Driver HPZius12 [Kernel | On_Demand | Stopped] -> %System32%\drivers\HPZius12.sys -> HP [Ver = 9, 0, 0, 0 | Size = 21744 bytes | Modified Date = 14-12-2004 18:35:42 | Attr = R ]
(HSF_DPV) HSF_DPV [Kernel | On_Demand | Running] -> %System32%\drivers\HSX_DPV.sys -> Conexant Systems, Inc. [Ver = 7.41.00 built by: WinDDK | Size = 935424 bytes | Modified Date = 11-01-2006 16:13:00 | Attr = ]
(HSXHWAZL) HSXHWAZL [Kernel | On_Demand | Running] -> %System32%\drivers\HSXHWAZL.sys -> Conexant Systems, Inc. [Ver = 7.41.00 built by: WinDDK | Size = 194048 bytes | Modified Date = 11-01-2006 16:12:00 | Attr = ]
(i2omgmt) i2omgmt [Kernel | System | Stopped] -> -> File not found
(i2omp) i2omp [Kernel | Disabled | Stopped] -> -> File not found
(ialm) ialm [Kernel | On_Demand | Running] -> %System32%\drivers\ialmnt5.sys -> Intel Corporation [Ver = 6.14.10.4497 | Size = 1399615 bytes | Modified Date = 07-02-2006 09:04:34 | Attr = ]
(iaStor) Intel AHCI Controller [Kernel | Boot | Running] -> %System32%\drivers\iaStor.sys -> Intel Corporation [Ver = 5.5.0.1035 | Size = 874240 bytes | Modified Date = 12-10-2005 12:07:12 | Attr = ]
(ini910u) ini910u [Kernel | Disabled | Stopped] -> -> File not found
(lbrtfdc) lbrtfdc [Kernel | System | Stopped] -> -> File not found
(mdmxsdk) mdmxsdk [Kernel | Auto | Running] -> %System32%\drivers\mdmxsdk.sys -> Conexant [Ver = 1.0.2.010 | Size = 12544 bytes | Modified Date = 05-10-2005 16:57:00 | Attr = ]
(mraid35x) mraid35x [Kernel | Disabled | Stopped] -> -> File not found
(nvatabus) nvatabus [Kernel | Boot | Running] -> %System32%\drivers\nvatabus.sys -> NVIDIA Corporation [Ver = 5.10.2600.0552 built by: WinDDK | Size = 93568 bytes | Modified Date = 18-08-2005 16:52:06 | Attr = ]
(nvraid) nvraid [Kernel | Boot | Running] -> %System32%\drivers\nvraid.sys -> NVIDIA Corporation [Ver = 5.10.2600.0552 built by: WinDDK | Size = 77056 bytes | Modified Date = 18-08-2005 16:52:08 | Attr = ]
(PCIDump) PCIDump [Kernel | System | Stopped] -> -> File not found
(PDCOMP) PDCOMP [Kernel | On_Demand | Stopped] -> -> File not found
(PDFRAME) PDFRAME [Kernel | On_Demand | Stopped] -> -> File not found
(PDRELI) PDRELI [Kernel | On_Demand | Stopped] -> -> File not found
(PDRFRAME) PDRFRAME [Kernel | On_Demand | Stopped] -> -> File not found
(perc2) perc2 [Kernel | Disabled | Stopped] -> -> File not found
(perc2hib) perc2hib [Kernel | Disabled | Stopped] -> -> File not found
(Ptilink) Driver til direkte, parallel forbindelse [Kernel | On_Demand | Running] -> %System32%\drivers\ptilink.sys -> Parallel Technologies, Inc. [Ver = 1.10 (XPClient.010817-1148) | Size = 17792 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
(ql1080) ql1080 [Kernel | Disabled | Stopped] -> -> File not found
(Ql10wnt) Ql10wnt [Kernel | Disabled | Stopped] -> -> File not found
(ql12160) ql12160 [Kernel | Disabled | Stopped] -> -> File not found
(ql1240) ql1240 [Kernel | Disabled | Stopped] -> -> File not found
(ql1280) ql1280 [Kernel | Disabled | Stopped] -> -> File not found
(rimmptsk) rimmptsk [Kernel | On_Demand | Running] -> %System32%\drivers\rimmptsk.sys -> REDC [Ver = 1.0.0.8 | Size = 28672 bytes | Modified Date = 17-09-2005 11:01:50 | Attr = ]
(rimsptsk) rimsptsk [Kernel | On_Demand | Running] -> %System32%\drivers\rimsptsk.sys -> REDC [Ver = 1.00.02.02 | Size = 50560 bytes | Modified Date = 14-09-2005 12:45:24 | Attr = ]
(rismxdp) Ricoh xD-Picture Card Driver [Kernel | On_Demand | Running] -> %System32%\drivers\rixdptsk.sys -> REDC [Ver = 1.00.02.07 | Size = 310016 bytes | Modified Date = 30-09-2005 10:34:10 | Attr = ]
(rkhdrv31) Rootkit Unhooker Driver [Kernel | Boot | Running] -> %System32%\drivers\rkhdrv31.sys -> [Ver = 3, 2, 120, 0 | Size = 24448 bytes | Modified Date = 04-03-2007 14:57:58 | Attr = H ]
(SASDIFSV) SASDIFSV [Kernel | System | Running] -> %ProgramFiles%\SUPERAntiSpyware\sasdifsv.sys -> [Ver = 1, 0, 0, 1006 | Size = 5632 bytes | Modified Date = 10-10-2006 12:53:48 | Attr = ]
(SASENUM) SASENUM [Kernel | On_Demand | Stopped] -> %ProgramFiles%\SUPERAntiSpyware\SASENUM.SYS -> SuperAdBlocker, Inc. [Ver = 1, 0, 0, 1002 | Size = 4096 bytes | Modified Date = 16-02-2006 16:51:08 | Attr = R ]
(SASKUTIL) SASKUTIL [Kernel | System | Running] -> %ProgramFiles%\SUPERAntiSpyware\SASKUTIL.SYS -> [Ver = 1, 0, 0, 1034 | Size = 30720 bytes | Modified Date = 09-01-2007 14:09:48 | Attr = ]
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %System32%\drivers\secdrv.sys -> [Ver = | Size = 27440 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
(Simbad) Simbad [Kernel | Disabled | Stopped] -> -> File not found
(SiSRaid2) SiSRaid2 [Kernel | Boot | Running] -> %System32%\drivers\SiSRaid2.sys -> Silicon Integrated Systems Corp [Ver = 2.03.00 | Size = 30976 bytes | Modified Date = 11-01-2005 16:58:48 | Attr = ]
(Sparrow) Sparrow [Kernel | Disabled | Stopped] -> -> File not found
(symc810) symc810 [Kernel | Disabled | Stopped] -> -> File not found
(symc8xx) symc8xx [Kernel | Disabled | Stopped] -> -> File not found
(sym_hi) sym_hi [Kernel | Disabled | Stopped] -> -> File not found
(sym_u3) sym_u3 [Kernel | Disabled | Stopped] -> -> File not found
(SynTP) Synaptics TouchPad Driver [Kernel | On_Demand | Running] -> %System32%\drivers\SynTP.sys -> Synaptics, Inc. [Ver = 8.2.12 13Jan06 | Size = 191936 bytes | Modified Date = 13-01-2006 16:12:18 | Attr = ]
(TosIde) TosIde [Kernel | Disabled | Stopped] -> -> File not found
(ultra) ultra [Kernel | Disabled | Stopped] -> -> File not found
(ViaIde) ViaIde [Kernel | Disabled | Stopped] -> -> File not found
(viamraid) viamraid [Kernel | Boot | Running] -> %System32%\drivers\viamraid.sys -> VIA Technologies inc,.ltd [Ver = 5.1.2600.520 | Size = 92672 bytes | Modified Date = 23-11-2005 10:12:12 | Attr = ]
(w39n51) Intel(R) PRO/Wireless 3945ABG Adapter Driver [Kernel | On_Demand | Running] -> %System32%\drivers\w39n51.sys -> Intel® Corporation [Ver = 10010-13 Driver | Size = 1428096 bytes | Modified Date = 05-12-2005 00:55:30 | Attr = ]
(WDICA) WDICA [Kernel | On_Demand | Stopped] -> -> File not found
(winachsf) winachsf [Kernel | On_Demand | Running] -> %System32%\drivers\HSX_CNXT.sys -> Conexant Systems, Inc. [Ver = 7.41.00 built by: WinDDK | Size = 671232 bytes | Modified Date = 11-01-2006 16:12:00 | Attr = ]
[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
-> -> File not found
!AVG Anti-Spyware -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 6266880 bytes | Modified Date = 28-09-2006 15:13:50 | Attr = ]
Acrobat Assistant 7.0 -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe -> Adobe Systems Inc. [Ver = 7.0.7.2006011200 | Size = 483328 bytes | Modified Date = 12-01-2006 19:52:32 | Attr = ]
Adobe Version Cue CS2 -> %ProgramFiles%\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe -> Adobe Sytems Incorporated [Ver = 2, 0, 0, 0 | Size = 856064 bytes | Modified Date = 06-04-2005 15:53:04 | Attr = ]
avast! -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> [Ver = 4, 7, 936, 0 | Size = 108160 bytes | Modified Date = 15-01-2007 18:28:58 | Attr = ]
High Definition Audio Property Page Shortcut -> %System32%\CHDAudPropShortcut.exe -> Windows (R) Server 2003 DDK provider [Ver = 5.10.00.5010 built by: WinDDK | Size = 61952 bytes | Modified Date = 05-01-2006 10:30:58 | Attr = ]
HP Software Update -> %ProgramFiles%\HP\HP Software Update\HPWuSchd2.exe -> Hewlett-Packard Company [Ver = 5, 0, 0, 0 | Size = 49152 bytes | Modified Date = 13-09-2004 14:49:00 | Attr = ]
igfxhkcmd -> %System32%\hkcmd.exe -> Intel Corporation [Ver = 3.0.0.4497 | Size = 77824 bytes | Modified Date = 07-02-2006 08:36:06 | Attr = ]
igfxpers -> %System32%\igfxpers.exe -> Intel Corporation [Ver = 3.0.0.4497 | Size = 118784 bytes | Modified Date = 07-02-2006 08:40:02 | Attr = ]
igfxtray -> %System32%\igfxtray.exe -> Intel Corporation [Ver = 3.0.0.4497 | Size = 94208 bytes | Modified Date = 07-02-2006 08:39:20 | Attr = ]
MSPY2002 -> %System32%\IME\PINTLGNT\IMSCINST.EXE -> [Ver = | Size = 59392 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
NeroFilterCheck -> %System32%\NeroCheck.exe -> Ahead Software Gmbh [Ver = 1, 0, 0, 2 | Size = 155648 bytes | Modified Date = 09-07-2001 09:50:42 | Attr = ]
SynTPEnh -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe -> Synaptics, Inc. [Ver = 8.2.12 13Jan06 | Size = 761946 bytes | Modified Date = 13-01-2006 16:33:38 | Attr = ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Skype -> %ProgramFiles%\Skype\Phone\Skype.exe -> [Ver = | Size = 20058152 bytes | Modified Date = 13-10-2006 17:20:08 | Attr = ]
swg -> %ProgramFiles%\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe -> File not found
< Common Startup > -> C:\Documents and Settings\All Users\Menuen Start\Programmer\Start
%AllUsersStartup%\Adobe Acrobat Hurtigstart.lnk -> %SystemRoot%\Installer\{AC76BA86-1030-D700-7760-000000000002}\SC_Acrobat.exe -> [Ver = | Size = 25214 bytes | Modified Date = 02-09-2006 15:32:38 | Attr = R ]
%AllUsersStartup%\Adobe Gamma.lnk -> %CommonProgramFiles%\Adobe\Calibration\Adobe Gamma Loader.exe -> Adobe Systems, Inc. [Ver = 1, 0, 0, 1 | Size = 113664 bytes | Modified Date = 16-03-2005 19:16:50 | Attr = ]
%AllUsersStartup%\Adobe Reader Hurtigstart.lnk -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Modified Date = 23-09-2005 21:05:26 | Attr = ]
%AllUsersStartup%\HP Digital Imaging Monitor.lnk -> %ProgramFiles%\HP\Digital Imaging\bin\hpqtra08.exe -> Hewlett-Packard Co. [Ver = 45.4.157.000 | Size = 258048 bytes | Modified Date = 04-11-2004 18:28:24 | Attr = ]
%AllUsersStartup%\HP Image Zone Hurtig start.lnk -> %ProgramFiles%\HP\Digital Imaging\bin\hpqthb08.exe -> Hewlett-Packard Co. [Ver = 045.004.157.000 | Size = 53248 bytes | Modified Date = 04-11-2004 18:50:52 | Attr = ]
%AllUsersStartup%\InterVideo WinCinema Manager.lnk -> %ProgramFiles%\InterVideo\Common\Bin\WinCinemaMgr.exe -> InterVideo Inc. [Ver = IVI_MAJOR_VERSION.IVI_MINOR_VERSION | Size = 278528 bytes | Modified Date = 06-02-2006 10:41:00 | Attr = ]
< File Associations > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\
.bat [@ = batfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.cmd [@ = cmdfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.com [@ = comfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb} ->
.cpl [@ = cplfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb} ->
.exe [@ = exefile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb} ->
.hta [@ = htafile] -> PersistentHandler = Reg Data - Key not found ->
.html [@ = htmlfile] -> PersistentHandler = {eec97550-47a9-11cf-b952-00aa0051fe20} ->
.inf [@ = inffile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.ini [@ = inifile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.url [@ = InternetShortcut] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.js [@ = JSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.jse [@ = JSEFile] -> PersistentHandler = Reg Data - Key not found ->
.pif [@ = piffile] -> PersistentHandler = Reg Data - Key not found ->
.reg [@ = regfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.scr [@ = scrfile] -> PersistentHandler = Reg Data - Key not found ->
.txt [@ = txtfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.vbe [@ = VBEFile] -> PersistentHandler = Reg Data - Key not found ->
.vbs [@ = VBSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.wsf [@ = WSFFile] -> PersistentHandler = Reg Data - Key not found ->
.wsh [@ = WSHFile] -> PersistentHandler = Reg Data - Key not found ->
< Registry Shell Spawning > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command
batfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
batfile [open] -> "%1" %* ->
batfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
cmdfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
cmdfile [open] -> "%1" %* ->
cmdfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
comfile [open] -> "%1" %* ->
cplfile [cplopen] -> rundll32.exe shell32.dll,Control_RunDLL "%1",%* -> Microsoft Corporation [Ver = 6.00.2900.3051 (xpsp_sp2_gdr.061219-0316) | Size = 8465408 bytes | Modified Date = 19-12-2006 22:50:34 | Attr = ]
exefile [open] -> "%1" %* ->
htafile [open] -> %System32%\mshta.exe "%1" %* -> Microsoft Corporation [Ver = 7.00.5730.11 (winmain(wmbla).061017-1135) | Size = 45568 bytes | Modified Date = 17-10-2006 11:56:10 | Attr = ]
htmlfile [edit] -> "%ProgramFiles%\Microsoft Office\OFFICE11\msohtmed.exe" %1 -> Microsoft Corporation [Ver = 11.0.5510 | Size = 55360 bytes | Modified Date = 15-07-2003 04:52:56 | Attr = ]
htmlfile [open] -> "%ProgramFiles%\Internet Explorer\IEXPLORE.EXE" -nohome -> Microsoft Corporation [Ver = 7.00.6000.16414 (vista_gdr.070108-1520) | Size = 623616 bytes | Modified Date = 08-01-2007 18:08:42 | Attr = ]
htmlfile [opennew] -> "%ProgramFiles%\Internet Explorer\IEXPLORE.EXE" %1 -> Microsoft Corporation [Ver = 7.00.6000.16414 (vista_gdr.070108-1520) | Size = 623616 bytes | Modified Date = 08-01-2007 18:08:42 | Attr = ]
htmlfile [print] -> "%ProgramFiles%\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 -> Microsoft Corporation [Ver = 11.0.5510 | Size = 55360 bytes | Modified Date = 15-07-2003 04:52:56 | Attr = ]
http [open] -> "%ProgramFiles%\Internet Explorer\IEXPLORE.EXE" -nohome -> Microsoft Corporation [Ver = 7.00.6000.16414 (vista_gdr.070108-1520) | Size = 623616 bytes | Modified Date = 08-01-2007 18:08:42 | Attr = ]
https [open] -> "%ProgramFiles%\Internet Explorer\IEXPLORE.EXE" -nohome -> Microsoft Corporation [Ver = 7.00.6000.16414 (vista_gdr.070108-1520) | Size = 623616 bytes | Modified Date = 08-01-2007 18:08:42 | Attr = ]
inffile [install] -> %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 33280 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
inffile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
inffile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
inifile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
inifile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
InternetShortcut [open] -> rundll32.exe ieframe.dll,OpenURL %l -> Microsoft Corporation [Ver = 7.00.6000.16414 (vista_gdr.070108-1520) | Size = 6054400 bytes | Modified Date = 12-01-2007 09:27:42 | Attr = ]
InternetShortcut [print] -> rundll32.exe %System32%\mshtml.dll,PrintHTML "%1" -> Microsoft Corporation [Ver = 7.00.6000.16414 (vista_gdr.070108-1520) | Size = 3580416 bytes | Modified Date = 12-01-2007 09:27:42 | Attr = ]
jsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
jsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* -> Microsoft Corporation [Ver = 5.6.0.8515 | Size = 110592 bytes | Modified Date = 14-01-2003 11:15:58 | Attr = ]
jsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
jsefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
jsefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* -> Microsoft Corporation [Ver = 5.6.0.8515 | Size = 110592 bytes | Modified Date = 14-01-2003 11:15:58 | Attr = ]
jsefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
piffile [open] -> "%1" %* ->
regfile [edit] -> %SystemRoot%\system32\NOTEPAD.EXE %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
regfile [open] -> regedit.exe "%1" -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 150528 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
regfile [merge] -> Reg Data - Key not found ->
regfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
scrfile [config] -> "%1" ->
scrfile [install] -> rundll32.exe desk.cpl,InstallScreenSaver %l -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 136192 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
scrfile [open] -> "%1" /S ->
txtfile [edit] -> Reg Data - Key not found ->
txtfile [open] -> %SystemRoot%\system32\NOTEPAD.EXE %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
txtfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
txtfile [printto] -> %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
vbefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
vbefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* -> Microsoft Corporation [Ver = 5.6.0.8515 | Size = 110592 bytes | Modified Date = 14-01-2003 11:15:58 | Attr = ]
vbefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
vbsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
vbsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* -> Microsoft Corporation [Ver = 5.6.0.8515 | Size = 110592 bytes | Modified Date = 14-01-2003 11:15:58 | Attr = ]
vbsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
wsffile [edit] -> %SystemRoot%\System32\Notepad.exe %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
wsffile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* -> Microsoft Corporation [Ver = 5.6.0.8515 | Size = 110592 bytes | Modified Date = 14-01-2003 11:15:58 | Attr = ]
wsffile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69632 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
wshfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* -> Microsoft Corporation [Ver = 5.6.0.8515 | Size = 110592 bytes | Modified Date = 14-01-2003 11:15:58 | Attr = ]
Unknown [openas] -> %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 -> Microsoft Corporation [Ver = 6.00.2900.3051 (xpsp_sp2_gdr.061219-0316) | Size = 8465408 bytes | Modified Date = 19-12-2006 22:50:34 | Attr = ]
Directory [find] -> %SystemRoot%\Explorer.exe -> Microsoft Corporation [Ver = 6.00.2900.2649 (xpsp.050406-1732) | Size = 1033216 bytes | Modified Date = 07-04-2005 19:48:22 | Attr = ]
Folder [open] -> %SystemRoot%\Explorer.exe /idlist,%I,%L -> Microsoft Corporation [Ver = 6.00.2900.2649 (xpsp.050406-1732) | Size = 1033216 bytes | Modified Date = 07-04-2005 19:48:22 | Attr = ]
Folder [explore] -> %SystemRoot%\Explorer.exe /e,/idlist,%I,%L -> Microsoft Corporation [Ver = 6.00.2900.2649 (xpsp.050406-1732) | Size = 1033216 bytes | Modified Date = 07-04-2005 19:48:22 | Attr = ]
Drive [find] -> %SystemRoot%\Explorer.exe -> Microsoft Corporation [Ver = 6.00.2900.2649 (xpsp.050406-1732) | Size = 1033216 bytes | Modified Date = 07-04-2005 19:48:22 | Attr = ]
Applications\iexplore.exe [open] -> "%ProgramFiles%\Internet Explorer\IEXPLORE.EXE" %1 -> Microsoft Corporation [Ver = 7.00.6000.16414 (vista_gdr.070108-1520) | Size = 623616 bytes | Modified Date = 08-01-2007 18:08:42 | Attr = ]
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -> "%ProgramFiles%\Internet Explorer\iexplore.exe" -> Microsoft Corporation [Ver = 7.00.6000.16414 (vista_gdr.070108-1520) | Size = 623616 bytes | Modified Date = 08-01-2007 18:08:42 | Attr = ]
< ActiveX StubPath [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\
{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} -> ->
{22d6f312-b0f6-11d0-94ab-0080c74c7e95} -> ->
{2C7339CF-2B09-4501-B3F3-F3508C9228ED} -> %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll ->
{44BBA840-CC51-11CF-AAFA-00AA00B6015C} -> "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install ->
{44BBA842-CC51-11CF-AAFA-00AA00B6015B} -> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT ->
{6BF52A52-394A-11d3-B153-00C04F79FAA6} -> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub ->
{73FA19D0-2D75-11D2-995D-00C04F98BBC9} -> ->
{7790769C-0471-11d2-AF11-00C04FA35D02} -> "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install ->
{89820200-ECBD-11cf-8B85-00AA005B4340} -> regsvr32.exe /s /n /i:U shell32.dll ->
{89820200-ECBD-11cf-8B85-00AA005B4383} -> C:\WINDOWS\system32\ie4uinit.exe -BaseSettings ->
{89B4C1CD-B018-4511-B0A1-5476DBF70820} -> C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install ->
{8b15971b-5355-4c82-8c07-7e181ea07608} -> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser ->
{94de52c8-2d59-4f1b-883e-79663d2d9a8c} -> ->
<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} -> C:\WINDOWS\system32\ieudinit.exe
>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} -> C:\WINDOWS\inf\unregmp2.exe /ShowWMP ->
>{26923b43-4d38-484f-9b9e-de460746276c} -> C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig ->
>{60B49E34-C7CC-11D0-8953-00A0C90347FF} -> RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP ->
>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS -> RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP ->
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a} -> %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE ->
< WOW Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW
cmdline -> %SystemRoot%\system32\ntvdm.exe ->
wowcmdline -> %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386 ->
< Session Manager Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
BootExecute -> autocheck autochk *; ->
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 73728 bytes | Modified Date = 28-09-2006 15:13:28 | Attr = ]
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKLM] -> %ProgramFiles%\SUPERAntiSpyware\SASSEH.DLL [] -> SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 20-12-2006 12:55:48 | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet ->
Control_RunDLL -> -> File not found
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
!SASWinLogon -> %ProgramFiles%\SUPERAntiSpyware\SASWINLO.dll -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1028 | Size = 258048 bytes | Modified Date = 19-10-2006 09:12:20 | Attr = ]
< Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\\{17492023-C23A-453E-A040-C7C580BBF700} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
< Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 0 ->
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer not found. -> ->
< Desktop Components > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\
0 -> [Key] ->
0 -> FriendlyName = Min aktuelle startside ->
0 -> Source = About:Home ->
0 -> SubscribedURL = About:Home ->
< HOSTS File > (723 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts
127.0.0.1 localhost -> ->
< Internet Explorer Settings > ->
HKLM: Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKLM: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKLM: Start Page -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: Search\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: SearchAssistant -> http://www.google.com/ie ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Bar -> http://www.google.com/ie ->
HKCU: Search Page -> http://www.google.com ->
HKCU: Start Page -> http://google.dk/ ->
HKCU: SearchAssistant -> http://www.google.com/ie ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
msn.com [ - ] -> ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 7.0.7.2006011200 | Size = 63128 bytes | Modified Date = 12-01-2006 19:38:22 | Attr = ]
{AE7CD045-E861-484f-8273-0445EE161910} [HKLM] -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF Conversion Toolbar Helper] -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 231160 bytes | Modified Date = 24-09-2005 05:41:42 | Attr = ]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKLM] -> %ProgramFiles%\Google\googletoolbar2.dll [Google Toolbar Helper] -> Google Inc. [Ver = 4, 0, 1020, 3054 | Size = 2128960 bytes | Modified Date = 17-10-2006 15:04:18 | Attr = R ]
< Internet Explorer Bars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B} [HKLM] -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 231160 bytes | Modified Date = 24-09-2005 05:41:42 | Attr = ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar2.dll [&Google;] -> Google Inc. [Ver = 4, 0, 1020, 3054 | Size = 2128960 bytes | Modified Date = 17-10-2006 15:04:18 | Attr = R ]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKLM] -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 231160 bytes | Modified Date = 24-09-2005 05:41:42 | Attr = ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar2.dll [&Google;] -> Google Inc. [Ver = 4, 0, 1020, 3054 | Size = 2128960 bytes | Modified Date = 17-10-2006 15:04:18 | Attr = R ]
WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKLM] -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 231160 bytes | Modified Date = 24-09-2005 05:41:42 | Attr = ]
< Internet Explorer CmdMapping [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -> 8193 - Reg Data - Value does not exist ->
{e2e2dd38-d088-4134-82b7-f2ba38496583} -> 8194 - @xpsp3res.dll,-20001 ->
{FB5F1910-F110-11d2-BB9E-00C04F795683} -> 8192 - @c:\Programmer\Messenger\Msgslang.dll,-61144 ->
NextId -> 8195 ->
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -> Reg Data - Value does not exist [ButtonText: Opslag] -> File not found
{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> Reg Data - Key not found [MenuText: @xpsp3res.dll,-20001] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
?????????? -> Reg Data - Key not found -> File not found
E&ksporter; til Microsoft Excel -> -> File not found
Konverter hyperlinkdestination til Adobe PDF -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm -> File not found
Konverter hyperlinkdestination til eksisterende PDF -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm -> File not found
Konverter markering til Adobe PDF -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm -> File not found
Konverter markering til eksisterende PDF-fil -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm -> File not found
Konverter til Adobe PDF -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm -> File not found
Konverter til eksisterende PDF-fil -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm -> File not found
Konverter valgte hyperlinks til Adobe PDF -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECaptureSelLinks.htm -> File not found
Konverter valgte hyperlinks til eksisterende PDF -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppendSelLinks.htm -> File not found
< Approved Shell Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} [HKLM] -> Reg Data - Key not found [Autoplay for SlideShow] -> File not found
{0DF44EAA-FF21-4412-828E-260A8728E7F1} [HKLM] -> Reg Data - Key not found [Proceslinje og menuen Start] -> File not found
{2F603045-309F-11CF-9774-0020AFD0CFF6} [HKLM] -> %ProgramFiles%\Synaptics\SynTP\SynTPCpl.dll [Synaptics Control Panel] -> Synaptics, Inc. [Ver = 8.2.12 13Jan06 | Size = 6135898 bytes | Modified Date = 13-01-2006 16:22:24 | Attr = ]
{42071714-76d4-11d1-8b24-00a0c9068ff3} [HKLM] -> deskpan.dll [Kontrolpanel-udvidelse til skærmpanorering] -> File not found
{472083B0-C522-11CF-8763-00608CC02F24} [HKLM] -> %ProgramFiles%\Alwil Software\Avast4\ashShell.dll [avast] -> ALWIL Software [Ver = 4, 7, 936, 0 | Size = 69632 bytes | Modified Date = 15-01-2007 18:23:14 | Attr = ]
{764BF0E1-F219-11ce-972D-00AA00A14F56} [HKLM] -> Reg Data - Key not found [Grænsefladeudvidelser til filkomprimering] -> File not found
{7A9D77BD-5403-11d2-8785-2E0420524153} [HKLM] -> Reg Data - Key not found [Brugerkonti] -> File not found
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} [HKLM] -> Reg Data - Key not found [Kontekstmenu til kryptering] -> File not found
{88895560-9AA2-1069-930E-00AA0030EBC8} [HKLM] -> %System32%\hticons.dll [HyperTerminal-ikon] -> Hilgraeve, Inc. [Ver = 5.1.2600.0 | Size = 44544 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
{8DE0B272-74FA-1FD1-B7DA-0CA0C9B348D6} [HKLM] -> Reg Data - Key not found [&DoDoor; RSS Finder] -> File not found
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} [HKLM] -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Acrobat Elements\ContextMenu.dll [Adobe.Acrobat.ContextMenu] -> Adobe Systems Inc. [Ver = 7.0.7.2006011200\0 | Size = 581632 bytes | Modified Date = 12-01-2006 19:49:02 | Attr = ]
< ContextMenuHandlers - * [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\
{CA8ACAFA-5FBB-467B-B348-90DD488DE003} [HKLM] -> %ProgramFiles%\SUPERAntiSpyware\SASCTXMN.DLL [SASContextMenu Class] -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1002 | Size = 61440 bytes | Modified Date = 16-01-2007 13:54:10 | Attr = ]
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} [HKLM] -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\Acrobat Elements\ContextMenu.dll [Adobe.Acrobat.ContextMenu] -> Adobe Systems Inc. [Ver = 7.0.7.2006011200\0 | Size = 581632 bytes | Modified Date = 12-01-2006 19:49:02 | Attr = ]
{472083B0-C522-11CF-8763-00608CC02F24} [HKLM] -> %ProgramFiles%\Alwil Software\Avast4\ashShell.dll [avast] -> ALWIL Software [Ver = 4, 7, 936, 0 | Size = 69632 bytes | Modified Date = 15-01-2007 18:23:14 | Attr = ]
{8934FCEF-F5B8-468f-951F-78A921CD3920} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\context.dll [AVG Anti-Spyware] -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 98304 bytes | Modified Date = 28-09-2006 15:13:14 | Attr = ]
< ContextMenuHandlers - Directory [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\
{CA8ACAFA-5FBB-467B-B348-90DD488DE003} [HKLM] -> %ProgramFiles%\SUPERAntiSpyware\SASCTXMN.DLL [SASContextMenu Class] -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1002 | Size = 61440 bytes | Modified Date = 16-01-2007 13:54:10 | Attr = ]
{8934FCEF-F5B8-468f-951F-78A921CD3920} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\context.dll [AVG Anti-Spyware] -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 98304 bytes | Modified Date = 28-09-2006 15:13:14 | Attr = ]
< ContextMenuHandlers - Directory\Background [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\shellex\ContextMenuHandlers\
{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} [HKLM] -> %System32%\igfxpph.dll [igfxcui] -> Intel Corporation [Ver = 3.0.0.4497 | Size = 143360 bytes | Modified Date = 07-02-2006 08:39:06 | Attr = ]
< ContextMenuHandlers - Folder [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\
{472083B0-C522-11CF-8763-00608CC02F24} [HKLM] -> %ProgramFiles%\Alwil Software\Avast4\ashShell.dll [avast] -> ALWIL Software [Ver = 4, 7, 936, 0 | Size = 69632 bytes | Modified Date = 15-01-2007 18:23:14 | Attr = ]
< ColumnHandlers - Folder [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627} [HKLM] -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\ActiveX\pdfshell.dll [PDF Shell Extension] -> Adobe Systems, Inc. [Ver = 7.0.0.0 | Size = 110592 bytes | Modified Date = 14-12-2004 01:20:02 | Attr = ]
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
{1B156F02-204A-4645-85D0-92D76A76D9EC} -> (Intel(R) PRO/100 VE Network Connection) ->
{6D165C37-CF98-4842-85A8-F5C8E55CDFF9} -> (Intel(R) PRO/Wireless 3945ABG Network Connection) ->
{9EFDD6F9-B7F3-4D16-BC0F-610F93A4C910} -> (1394-netværkskort) ->
{AB6625EC-68C4-47A6-B6D3-EA3F0CC5A1B5} -> (1394-netværkskort) ->
{D2CF0ECF-4FD8-4164-BEA1-EC5AC7E8C274} -> () ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
[Files - Created Within 30 days]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 1063440384 bytes | Created Date = 02-01-1601 23:00:00 | Attr = HS]
AVG Anti-Spyware.lnk -> %AllUsersDesktop%\AVG Anti-Spyware.lnk -> [Ver = | Size = 834 bytes | Created Date = 19-02-2007 16:17:08 | Attr = ]
SUPERAntiSpyware Professional.lnk -> %AllUsersDesktop%\SUPERAntiSpyware Professional.lnk -> [Ver = | Size = 1741 bytes | Created Date = 19-02-2007 23:14:08 | Attr = ]
abc.bat -> %UserDesktop%\abc.bat -> [Ver = | Size = 183 bytes | Created Date = 23-02-2007 08:12:01 | Attr = ]
abc.dll -> %UserDesktop%\abc.dll -> [Ver = 1, 0, 12, 12027 | Size = 185344 bytes | Created Date = 22-02-2007 15:22:00 | Attr = ]
abc.exe -> %UserDesktop%\abc.exe -> [Ver = 1, 0, 12, 12027 | Size = 573440 bytes | Created Date = 04-02-2007 21:23:26 | Attr = ]
driverchk.exe -> %UserDesktop%\driverchk.exe -> [Ver = | Size = 279181 bytes | Created Date = 22-02-2007 15:19:18 | Attr = ]
drweb-cureit.exe -> %UserDesktop%\drweb-cureit.exe -> [Ver = | Size = 5812184 bytes | Created Date = 04-03-2007 14:57:00 | Attr = ]
gmer.ini -> %UserDesktop%\gmer.ini -> [Ver = | Size = 250 bytes | Created Date = 22-02-2007 15:22:01 | Attr = ]
gmer_uninstall.cmd -> %SystemRoot%\gmer_uninstall.cmd -> [Ver = | Size = 80 bytes | Created Date = 22-02-2007 15:22:00 | Attr = ]
AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 19-02-2007 16:17:07 | Attr = ]
rkhdrv31.sys -> %System32%\drivers\rkhdrv31.sys -> [Ver = 3, 2, 120, 0 | Size = 24448 bytes | Created Date = 01-03-2007 17:11:28 | Attr = H ]
[Files - Modified Within 30 days]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 1063440384 bytes | Modified Date = 04-03-2007 16:17:14 | Attr = HS]
IconCache.db -> %LocalAppData%\IconCache.db -> [Ver = | Size = 3773504 bytes | Modified Date = 04-03-2007 16:16:30 | Attr = H ]
AVG Anti-Spyware.lnk -> %AllUsersDesktop%\AVG Anti-Spyware.lnk -> [Ver = | Size = 834 bytes | Modified Date = 19-02-2007 16:17:10 | Attr = ]
SUPERAntiSpyware Professional.lnk -> %AllUsersDesktop%\SUPERAntiSpyware Professional.lnk -> [Ver = | Size = 1741 bytes | Modified Date = 19-02-2007 23:14:10 | Attr = ]
abc.bat -> %UserDesktop%\abc.bat -> [Ver = | Size = 183 bytes | Modified Date = 23-02-2007 08:12:02 | Attr = ]
abc.dll -> %UserDesktop%\abc.dll -> [Ver = 1, 0, 12, 12027 | Size = 185344 bytes | Modified Date = 22-02-2007 15:22:02 | Attr = ]
abc.exe -> %UserDesktop%\abc.exe -> [Ver = 1, 0, 12, 12027 | Size = 573440 bytes | Modified Date = 04-02-2007 21:23:26 | Attr = ]
driverchk.exe -> %UserDesktop%\driverchk.exe -> [Ver = | Size = 279181 bytes | Modified Date = 22-02-2007 15:18:06 | Attr = ]
drweb-cureit.exe -> %UserDesktop%\drweb-cureit.exe -> [Ver = | Size = 5812184 bytes | Modified Date = 04-03-2007 14:54:46 | Attr = ]
gmer.ini -> %UserDesktop%\gmer.ini -> [Ver = | Size = 250 bytes | Modified Date = 23-02-2007 16:51:06 | Attr = ]
Adobe Acrobat Hurtigstart.lnk -> %AllUsersStartup%\Adobe Acrobat Hurtigstart.lnk -> [Ver = | Size = 2347 bytes | Modified Date = 04-03-2007 16:17:54 | Attr = ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 04-03-2007 16:17:14 | Attr = S]
gmer_uninstall.cmd -> %SystemRoot%\gmer_uninstall.cmd -> [Ver = | Size = 80 bytes | Modified Date = 22-02-2007 15:22:02 | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 1158 bytes | Modified Date = 04-03-2007 16:17:44 | Attr = ]
rkhdrv31.sys -> %System32%\drivers\rkhdrv31.sys -> [Ver = 3, 2, 120, 0 | Size = 24448 bytes | Modified Date = 04-03-2007 14:57:58 | Attr = H ]
[File String Scan - Non-Microsoft Only]
@Alternate Data Stream - 26 bytes -> %UserDocuments%\Credits.doc:Zone.Identifier ->
UPX! , UPX0 , -> %UserDesktop%\abc.dll -> [Ver = 1, 0, 12, 12027 | Size = 185344 bytes | Modified Date = 22-02-2007 15:22:02 | Attr = ]
UPX! , UPX0 , -> %System32%\aswBoot.exe -> [Ver = 4, 7, 936, 0 | Size = 689280 bytes | Modified Date = 15-01-2007 18:32:08 | Attr = ]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41123 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
PEC2 , PECompact2 , -> %System32%\DivX.dll -> DivXNetworks [Ver = 6,0,0,1571 | Size = 692736 bytes | Modified Date = 15-07-2005 19:36:36 | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
WSUD , UPX0 , -> %System32%\dllcache\hwxjpn.dll -> [Ver = | Size = 13463552 bytes | Modified Date = 27-08-2004 13:00:00 | Attr = ]
< End of report >
What's the verdict? The machine seems to run better now, but Windows Security Center still complains that the firewall is not turned on, and the network connection is not back.
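When a report like the one above runs to a few hundred lines, the first pass is mechanical: pull out the entries that deserve a human look before anything else. The Python below is an added example for this thread, not part of the original post and not code from the WinPFind tool. It parses lines in the report's own layout (`name -> path -> vendor [Ver = .. | Size = .. | .. Date = .. | Attr = ..]`, with `< Section >` and `[Files - ...]` headers) and lists two things a reviewer reads first: registry references whose target is reported as `File not found`, and recently created files that carry no vendor string, with hidden attributes and `.sys` drivers called out. The sample lines are copied from the report above; the flagging rules are the example's own assumptions. Expect false positives in the second group: drivers installed by the anti-rootkit tools the poster has been running will show up too, so the output is a reading order, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a few lines in the shape of the WinPFind report above (same fields
# and separators; the values are copied from the posted report, not a complete log).
SAMPLE_REPORT = r"""
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Control_RunDLL -> -> File not found
< Approved Shell Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
{42071714-76d4-11d1-8b24-00a0c9068ff3} [HKLM] -> deskpan.dll [Kontrolpanel-udvidelse til skærmpanorering] -> File not found
{472083B0-C522-11CF-8763-00608CC02F24} [HKLM] -> %ProgramFiles%\Alwil Software\Avast4\ashShell.dll [avast] -> ALWIL Software [Ver = 4, 7, 936, 0 | Size = 69632 bytes | Modified Date = 15-01-2007 18:23:14 | Attr = ]
[Files - Created Within 30 days]
abc.dll -> %UserDesktop%\abc.dll -> [Ver = 1, 0, 12, 12027 | Size = 185344 bytes | Created Date = 22-02-2007 15:22:00 | Attr = ]
AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 19-02-2007 16:17:07 | Attr = ]
rkhdrv31.sys -> %System32%\drivers\rkhdrv31.sys -> [Ver = 3, 2, 120, 0 | Size = 24448 bytes | Created Date = 01-03-2007 17:11:28 | Attr = H ]
""".strip("\n")

# Section headers look like '< Name [HKLM] > -> <regpath>' or '[Files - ...]'.
HEADER_RE = re.compile(r"^(< .*? >|\[.*\])")
# Third column of a file entry: optional vendor, then '[Ver = .. | Size = N bytes | .. Date = .. | Attr = ..]'.
DETAIL_RE = re.compile(
    r"^(?P<vendor>.*?)\s*\[Ver =(?P<ver>.*?) \| Size = (?P<size>\d+) bytes \| "
    r"(?:Modified|Created) Date =(?P<date>.*?) \| Attr =(?P<attr>.*?)\]$"
)
# Display label appended to a path, e.g. '...\ashShell.dll [avast]'.
TRAILING_LABEL_RE = re.compile(r"\s*\[[^\]]*\]$")


@dataclass
class Entry:
    section: str
    name: str
    path: str
    vendor: str
    version: str
    size: Optional[int]
    attrs: str
    file_found: bool


def parse_report(text: str) -> List[Entry]:
    """Turn report lines into Entry records, tracking the current section header."""
    entries: List[Entry] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hm = HEADER_RE.match(line)
        if hm:
            section = hm.group(1)
            continue
        # At most three columns separated by '->'; missing columns become ''.
        parts = [p.strip() for p in line.split("->", 2)]
        while len(parts) < 3:
            parts.append("")
        name, target, details = parts
        path = TRAILING_LABEL_RE.sub("", target)
        vendor = version = attrs = ""
        size: Optional[int] = None
        m = DETAIL_RE.match(details)
        if m:
            vendor = m.group("vendor").strip()
            version = m.group("ver").strip()
            size = int(m.group("size"))
            attrs = m.group("attr").strip()
        entries.append(Entry(section, name, path, vendor, version, size, attrs,
                             file_found=(details != "File not found")))
    return entries


def flag_reasons(e: Entry) -> List[str]:
    """Heuristic review notes for one entry (the example's own rules, not WinPFind's)."""
    reasons: List[str] = []
    if not e.file_found:
        reasons.append("registered component points to a missing file")
    if e.section.startswith("[Files") and not e.vendor:
        reasons.append("recent file with no company/vendor string")
    if "H" in e.attrs:
        reasons.append("hidden attribute set")
    if e.path.lower().endswith(".sys") and not e.vendor:
        reasons.append("kernel driver with no vendor string")
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Entry name -> reasons, for every entry that has at least one reason."""
    flagged: Dict[str, List[str]] = {}
    for e in parse_report(text):
        reasons = flag_reasons(e)
        if reasons:
            flagged[e.name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_REPORT).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the sample, the vendor-less avast driver `AvgAsCln.sys` is not flagged, while `abc.dll`, the hidden `rkhdrv31.sys` and the two `File not found` references are; on a full report the same rules give a short list to check against what the poster actually installed.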
Editor
Number of posts: 6158
—OK, now the Winpfind3 log is also clean of junk. But we also need to get the internet connection working and the firewall running.
—Download WinPfind2 from here (a different edition of the Winpfind program that can do some other things):
http://download.bleepingcomputer.com/oldtimer/winpfind2.exe
Double-click the file and click Extract to unpack the program. A new folder called WinPfind2 then appears on the desktop.
—Download this tool and extract its contents to a separate folder on the desktop:
http://www.sitecenter.dk/secure/nss-folder/mappe/reset.zip
—Open the FW_reset folder. Double-click the reg file del_Wf and click OK when asked whether you want to add the information to the registry. Do the same with the 3 other files in the folder. Restart the computer.
—Click Start > Run, type NETSH FIREWALL RESET, and click OK.
—Then open the SC_reset folder from the folder you created from the reset.zip file. Double-click securitycenter.reg and confirm that you want to add the information to the registry. Restart the computer.
—Then run SuperAntispyware. Click Preferences, select the “Repairs” tab, and choose the item “Repair broken network connection (Winsock LSP Chain)”. Close SuperAntispyware.
—Inside this WinPfind2 folder, click Winpfind2.exe.
Under “Registry Options”, click “Remove All”.
Under “File options”, click “Remove All”.
Under “AddOn options”, tick “Security.def” and “ShellState.def”.
Then click “Run all scans”. The computer will then be scanned. When “Scans Complete!” appears in the lower left, click “Simple report”, which opens a log file that you should post here.
—Please also write how things stand with the firewall and the internet connection.
Great, if we have now got rid of the dirt! Unfortunately the network connection is still not up and running (“Limited or no connectivity”), and the firewall is also still down. Here is the log from WinPfind2:
Logfile created on: 04-03-2007 21:27:51
WinPFind2 by OldTimer - Version 1.0.15 Folder = C:\Documents and Settings\Shaola\Skrivebord\WinPFind2\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)
< Processes (Non-Microsoft Only) >
c:\programmer\adobe\adobe acrobat 7.0\acrobat\acrobat_sl.exe - (Adobe Systems Incorporated )
c:\programmer\adobe\adobe acrobat 7.0\distillr\acrotray.exe - (Adobe Systems Inc. )
c:\progra~1\alwils~1\avast4\ashdisp.exe - ( )
c:\programmer\alwil software\avast4\ashmaisv.exe - (ALWIL Software )
c:\programmer\alwil software\avast4\ashserv.exe - ( )
c:\programmer\alwil software\avast4\aswupdsv.exe - ( )
c:\programmer\grisoft\avg anti-spyware 7.5\avgas.exe - (Anti-Malware Development a.s. )
c:\programmer\grisoft\avg anti-spyware 7.5\guard.exe - (Anti-Malware Development a.s. )
c:\windows\system32\hkcmd.exe - (Intel Corporation )
c:\programmer\hp\digital imaging\bin\hpqgalry.exe - (Hewlett-Packard Co. )
c:\programmer\hp\digital imaging\bin\hpqtra08.exe - (Hewlett-Packard Co. )
c:\programmer\hp\hp software update\hpwuschd2.exe - (Hewlett-Packard Company )
c:\windows\system32\igfxpers.exe - (Intel Corporation )
c:\programmer\adobe\acrobat 7.0\reader\reader_sl.exe - (Adobe Systems Incorporated )
c:\programmer\skype\phone\skype.exe - ( )
c:\programmer\synaptics\syntp\syntpenh.exe - (Synaptics, Inc. )
c:\programmer\adobe\adobe version cue cs2\controlpanel\versioncuecs2tray.exe - (Adobe Sytems Incorporated )
c:\programmer\intervideo\common\bin\wincinemamgr.exe - (InterVideo Inc. )
c:\documents and settings\shaola\skrivebord\winpfind2\winpfind2.exe - (OldTimer Tools )
< Services (Non-Microsoft Only) >
avast! iAVS4 Control Service (aswUpdSv) - "C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe" ( ) [Automatic - Running - Win32, running in it's own process]
avast! Antivirus (avast! Antivirus) - "C:\Programmer\Alwil Software\Avast4\ashServ.exe" ( ) [Automatic - Running - Win32, running in it's own process]
avast! Mail Scanner (avast! Mail Scanner) - "C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe" /service (ALWIL Software ) [On Demand - Running - Win32, running in it's own process]
AVG Anti-Spyware Guard (AVG Anti-Spyware Guard) - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe (Anti-Malware Development a.s. ) [Automatic - Running - Win32, running in it's own process]
< Add On's >
>>>>Output for AddOn file Security.def<<<<
KEY - HKLM\SOFTWARE\Microsoft\Security Center - Include SUBKEYS
HKLM\SOFTWARE\Microsoft\Security Center -
Security Center\\FirstRunDisabled - 1
Security Center\\AntiVirusDisableNotify - 0
Security Center\\FirewallDisableNotify - 0
Security Center\\UpdatesDisableNotify - 0
Security Center\\AntiVirusOverride - 0
Security Center\\FirewallOverride - 0
Security Center\Monitoring -
Security Center\Monitoring\AhnlabAntiVirus -
Security Center\Monitoring\ComputerAssociatesAntiVirus -
Security Center\Monitoring\KasperskyAntiVirus -
Security Center\Monitoring\McAfeeAntiVirus -
Security Center\Monitoring\McAfeeFirewall -
Security Center\Monitoring\PandaAntiVirus -
Security Center\Monitoring\PandaFirewall -
Security Center\Monitoring\SophosAntiVirus -
Security Center\Monitoring\SymantecAntiVirus -
Security Center\Monitoring\SymantecFirewall -
Security Center\Monitoring\TinyFirewall -
Security Center\Monitoring\TrendAntiVirus -
Security Center\Monitoring\TrendFirewall -
Security Center\Monitoring\ZoneLabsFirewall -
KEY - HKLM\SYSTEM\CurrentControlSet\Services\BITS - Include SUBKEYS
HKLM\SYSTEM\CurrentControlSet\Services\BITS -
BITS\\Type - 32
BITS\\Start - 3
BITS\\ErrorControl - 1
BITS\\ImagePath - %SystemRoot%\system32\svchost.exe -k netsvcs
BITS\\DisplayName - Tjenesten Background Intelligent Transfer
BITS\\DependOnService - RpcSs;
BITS\\DependOnGroup -
BITS\\ObjectName - LocalSystem
BITS\\Description - Overfører data mellem klienter og servere i baggrunden. Hvis BITS deaktiveres, vil programmer som f.eks. Windows Update ikke fungere korrekt.
BITS\\FailureActions - 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 68 E3 0C 00 01 00 00 00 60 EA 00 00 01 00 00 00 60 EA 00 00 01 00 00 00 60 EA 00 00
BITS\Parameters -
BITS\Parameters\\ServiceDll - C:\WINDOWS\system32\qmgr.dll
BITS\Security -
BITS\Security\\Security - 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
BITS\Enum -
BITS\Enum\\0 - Root\LEGACY_BITS\0000
BITS\Enum\\Count - 1
BITS\Enum\\NextInstance - 1
KEY - HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess - Include SUBKEYS
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess -
SharedAccess\\DependOnGroup -
SharedAccess\\DependOnService - Netman;WinMgmt;
SharedAccess\\Description - Giver mulighed for adresseoversættelse, adressering, navnefortolkning og/eller tjenester til forebyggelse af uautoriseret brug for netværksadresser på et hjemmenetværk eller mindre kontornetværk.
SharedAccess\\DisplayName - Windows Firewall/Deling af Internetforbindelse
SharedAccess\\ErrorControl - 1
SharedAccess\\ImagePath - %SystemRoot%\system32\svchost.exe -k netsvcs
SharedAccess\\ObjectName - LocalSystem
SharedAccess\\Start - 2
SharedAccess\\Type - 32
SharedAccess\Enum -
SharedAccess\Enum\\0 - Root\LEGACY_SHAREDACCESS\0000
SharedAccess\Enum\\Count - 1
SharedAccess\Enum\\NextInstance - 1
SharedAccess\Epoch -
SharedAccess\Epoch\\Epoch - 390
SharedAccess\Parameters -
SharedAccess\Parameters\\ServiceDll - %SystemRoot%\System32\ipnathlp.dll
SharedAccess\Parameters\FirewallPolicy -
SharedAccess\Parameters\FirewallPolicy\DomainProfile -
SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications -
SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List -
SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\%windir%\system32\sessmgr.exe - %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
SharedAccess\Parameters\FirewallPolicy\StandardProfile -
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications -
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List -
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\%windir%\system32\sessmgr.exe - %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
SharedAccess\Setup -
SharedAccess\Setup\\ServiceUpgrade - 1
SharedAccess\Setup\InterfacesUnfirewalledAtUpdate -
SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\\All - 1
KEY - HKLM\SYSTEM\CurrentControlSet\Services\wuauserv - Include SUBKEYS
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv -
wuauserv\\Type - 32
wuauserv\\Start - 2
wuauserv\\ErrorControl - 1
wuauserv\\ImagePath - %systemroot%\system32\svchost.exe -k netsvcs
wuauserv\\DisplayName - Automatiske opdateringer
wuauserv\\ObjectName - LocalSystem
wuauserv\\Description - Muliggør hentning og installation af Windows-opdateringer. Hvis denne tjeneste deaktiveres, vil computeren ikke være i stand til at bruge funktionen automatiske opdateringer eller webstedet Windows Update.
wuauserv\Parameters -
wuauserv\Parameters\\ServiceDll - C:\WINDOWS\system32\wuauserv.dll
wuauserv\Security -
wuauserv\Security\\Security - 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
wuauserv\Enum -
wuauserv\Enum\\0 - Root\LEGACY_WUAUSERV\0000
wuauserv\Enum\\Count - 1
wuauserv\Enum\\NextInstance - 1
>>>>Output for AddOn file ShellState.def<<<<
KEY - HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer - No SUBKEYS
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer -
Explorer\\WebFindBandHook - {68F2D3FC-8366-4a46-8224-58EFA2749425}
Explorer\\FileFindBandHook - {FFAC7A18-EDF9-40de-BA3F-49FC2269855E}
Explorer\\Logon User Name - Shaola
Explorer\\ShellState - 24 00 00 00 30 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 0D 00 00 00 00 00 00 00 02 00 00 00
Explorer\\CleanShutdown - 0
Explorer\\FaultCount - 0
Explorer\\FaultTime - 0
Explorer\\IconUnderline - ;
Explorer\\NoFileFolderConnection - 0
Explorer\\SearchSystemDirs - 1
Explorer\\SearchHidden - 0
Explorer\\IncludeSubFolders - 1
Explorer\\CaseSensitive - 0
Explorer\\SearchSlowFiles - 0
Explorer\\Browse For Folder Width - 318
Explorer\\Browse For Folder Height - 288
Explorer\Advanced -
Explorer\AutoComplete -
Explorer\AutoplayHandlers -
Explorer\BitBucket -
Explorer\CabinetState -
Explorer\CD Burning -
Explorer\CLSID -
Explorer\ComDlg32 -
Explorer\ComputerDescriptions -
Explorer\Desktop -
Explorer\Discardable -
Explorer\FileExts -
Explorer\HideMyComputerIcons -
Explorer\MenuOrder -
Explorer\MountPoints2 -
Explorer\MyComputer -
Explorer\NewShortcutHandlers -
Explorer\PropSummary -
Explorer\RecentDocs -
Explorer\RunMRU -
Explorer\Shell Folders -
Explorer\ShellImageView -
Explorer\StartPage -
Explorer\StreamMRU -
Explorer\Streams -
Explorer\StuckRects2 -
Explorer\tips -
Explorer\TrayNotify -
Explorer\User Shell Folders -
Explorer\UserAssist -
Explorer\VisualEffects -
Explorer\WebView -
Explorer\WorkgroupCrawler -
Explorer\SessionInfo -
< End of report >
Do you think we can get through to the internet?
Editor
Number of posts: 6158
Yes, I would think we can get it working. My view is that what we mainly need to do now is clean up the mess the infection made while it was active. It can just sometimes take a bit of detective work to find out where that mess is.
Now try the following:
—Download this program:
http://danborg.org/spy/Newnet/winsockxpfix.exe
Run the program. First click Reg-backup and save a copy of your registry; when that is done, click Fix, and when it finishes, restart the computer.
—Then copy the contents between the dashed lines into a Notepad window and save it to the desktop as regfix.reg. When saving, make sure that "file type" is set to "all files".
———————————————
REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
———————————————
Then double-click the file you just created and confirm that you want to add the information to the registry.
—Then restart again and see whether it has helped with your 2 problems.
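A small audit script, added here as an example and not part of the thread or of the tool that produced the report above: it parses the report's "Key\\Value - data" lines and checks the SharedAccess firewall policy keys that the regfix targets. The sample lines are constructed from the posted excerpt.

```python
# Added example (not code from the thread or from the tool that produced the
# report): parse "Key\\Value - data" report lines and audit the firewall policy.
import re

# Constructed sample, trimmed from the report excerpt posted in the thread.
SAMPLE_REPORT = r"""
KEY - HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess - Include SUBKEYS
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess -
SharedAccess\\Start - 2
SharedAccess\Parameters\FirewallPolicy\DomainProfile -
SharedAccess\Parameters\FirewallPolicy\StandardProfile -
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\%windir%\system32\sessmgr.exe - %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
"""

FW = "SharedAccess\\Parameters\\FirewallPolicy\\"
# An AuthorizedApplications\List entry is "path:scope:enabled|disabled:display name".
APP_ENTRY = re.compile(r"(.+):([^:]*):(enabled|disabled):(.*)")


def parse_report(text):
    """Return {key path: {value name: data}}; subkeys map to an empty dict."""
    keys = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("KEY - "):
            continue  # blank line, or the header naming the exported hive key
        path, _, data = (line + " ").partition(" - ")
        key, sep, name = path.partition("\\\\")  # '\\' splits key from value name
        keys.setdefault(key, {})
        if sep:
            keys[key][name] = data.strip()
    return keys


def audit_firewall(keys):
    """Conditions a responder checks after malware has tampered with the firewall."""
    findings = []
    start = keys.get("SharedAccess", {}).get("Start")
    if start != "2":
        findings.append(f"SharedAccess Start={start!r}, expected 2 (automatic)")
    for profile in ("DomainProfile", "StandardProfile"):
        enable = keys.get(FW + profile, {}).get("EnableFirewall")
        if enable is None:
            findings.append(f"{profile}: EnableFirewall not set")
        elif enable != "1":
            findings.append(f"{profile}: EnableFirewall={enable} (firewall off)")
        apps = keys.get(FW + profile + "\\AuthorizedApplications\\List", {})
        for data in apps.values():
            m = APP_ENTRY.fullmatch(data)
            if m and m.group(3) == "enabled":  # each enabled exception is a hole
                findings.append(f"{profile}: exception enabled for {m.group(1)}")
    return findings
```

Run against the full report the audit lists every profile whose EnableFirewall value is missing or 0, plus each enabled application exception, so the effect of importing regfix.reg can be verified from a fresh dump.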
Yes! Now I'm through to the internet, and the firewall is up and running [:D] ! 1000.000.000 thanks for super-professional help!
Is there anything more I should do to clean up the machine before I return it to its owner?
Editor
Number of posts: 6158
Good to hear, and you're welcome.
Yes, now I think you should tidy up the computer a bit. For one thing, I think you should run a new scan with SuperAntispyware (make sure it is updated first).
It can be a good idea to clean up the System Restore files. Disable System Restore (http://www.spywarefri.dk/virusscannere.htm#alle) - restart your computer - enable System Restore.
It can also be a good idea to clear out your temporary files. That can be done quickly and easily with this file:
http://www.spywareinfo.dk/download/cleantempxp2k.bat
—————————————-
To prevent a recurrence, I would recommend installing some small programs that stop spyware from getting in in the first place. You will find links and good advice here:
http://www.spywarefri.dk/manualer/sikkerhedspakke.htm
I would also suggest that the owner reads these articles on how he can avoid getting infected in the future:
http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=14414
http://www.ejvindh.net/viewtopic.php?t=37
With that I'll close the thread. You know the address if you need more help.