log
  Karin
Number of posts: 133

Hi.

Yesterday I noticed that when I started the computer, a box from Kerio popped up asking whether a new IP address could be allowed access to the internet. Is there any reason to worry about that?

Here is my log.

Logfile of HijackThis v1.99.1
Scan saved at 14:33:07, on 08-08-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Sana Security\Attack Shield\AttackShieldAgent.exe
C:\Programmer\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\StartupMonitor.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Programmer\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Programmer\Fælles filer\PCSuite\DataLayer\DataLayer.exe
C:\PROGRA~1\OPTICA~1\4DMAIN.EXE
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\FLLESF~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\FLLESF~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Sana Security\Attack Shield\AttackShield.exe
C:\Programmer\OpenOffice.org 1.9.82\program\soffice.exe
C:\Programmer\OpenOffice.org 1.9.82\program\soffice.BIN
C:\Programmer\SpywareGuard\sgmain.exe
C:\Programmer\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Karin\Skrivebord\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programmer\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programmer\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OpwareSE2] "C:\Programmer\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [OPSE reminder] "C:\Programmer\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Programmer\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
O4 - HKLM\..\Run: [DataLayer] C:\Programmer\Fælles filer\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\OPTICA~1\4DMAIN.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: OpenOffice.org 1.9.82.lnk = C:\Programmer\OpenOffice.org 1.9.82\program\quickstart.exe
O4 - Startup: SpywareGuard.lnk = C:\Programmer\SpywareGuard\sgmain.exe
O4 - Global Startup: Attack Shield.lnk = C:\Programmer\Sana Security\Attack Shield\AttackShield.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O15 - Trusted Zone: *.krifa.dk
O15 - Trusted Zone: *.nemadgang.dk
O15 - Trusted Zone: *.sputnik.dk
O15 - Trusted Zone: *.tv2.dk
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Attack Shield WS (AttackShield) - Unknown owner - C:\Programmer\Sana Security\Attack Shield\AttackShieldAgent.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe

Editor
Number of posts: 17644

Hi Karin

Which IP address was it? Kerio has a log you can find it in, I think (?)

(Your log is OK, although you did not use the HijackThis we refer to - http://www.spywarefri.dk/downloads1/alternativ.exe )

Good advice on security...

  Karin
Number of posts: 133

Where can I see that? I cannot find it right away.

Editor
Number of posts: 13014

I do not know "Kerio", but have you looked here, at no. 27?

http://www.spywarefri.dk/manualer/kerio-firewall-manual.htm

  Karin
Number of posts: 133

There is no log message from that date. But when HijackThis does not show anything, can I then assume that everything is fine?

Editor
Number of posts: 17644

Hi Karin

Have you looked for logs in all 5 tabs (with reference to no. 27)? That is, Web, Behavior, HIPS, NIPS and Network...

No - you cannot assume that everything is fine because a HijackThis log is clean (the opposite is not necessarily the case either). We can give you a somewhat better answer if you follow the WHOLE guide from here:

http://www.spywarefri.dk/forum/links/hjtanv.htm

... and let us see logs from AVG Anti-Spyware, rootchk and ComboFix.

Good advice on security...

  Karin
Number of posts: 133

Yes, I have checked all 5 tabs.

I will come back when I have gone through the guide you wrote.

Editor
Number of posts: 11785

You are welcome.

Kind regards
Resist TeamSpywarefri

Member of: Alliance of Security Analysis Professionals

  Karin
Number of posts: 133

Here are my logs, then. AVG Anti-Spyware showed nothing found. I now regularly get messages from SpywareGuard warning that an attempt to change Internet Explorer to About.blank has been detected.


Logfile of HijackThis v1.99.1
Scan saved at 09:04:34, on 09-08-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Sana Security\Attack Shield\AttackShieldAgent.exe
C:\Programmer\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\StartupMonitor.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Programmer\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Programmer\Fælles filer\PCSuite\DataLayer\DataLayer.exe
C:\PROGRA~1\OPTICA~1\4DMAIN.EXE
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Sana Security\Attack Shield\AttackShield.exe
C:\Programmer\SpywareGuard\sgmain.exe
C:\PROGRA~1\FLLESF~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmer\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Programmer\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Documents and Settings\Karin\Skrivebord\spywarefri\alternativ.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programmer\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programmer\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OpwareSE2] "C:\Programmer\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [OPSE reminder] "C:\Programmer\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Programmer\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
O4 - HKLM\..\Run: [DataLayer] C:\Programmer\Fælles filer\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\OPTICA~1\4DMAIN.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: SpywareGuard.lnk = C:\Programmer\SpywareGuard\sgmain.exe
O4 - Global Startup: Attack Shield.lnk = C:\Programmer\Sana Security\Attack Shield\AttackShield.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Programmer\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.krifa.dk
O15 - Trusted Zone: *.nemadgang.dk
O15 - Trusted Zone: *.sputnik.dk
O15 - Trusted Zone: *.tv2.dk
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Attack Shield WS (AttackShield) - Unknown owner - C:\Programmer\Sana Security\Attack Shield\AttackShieldAgent.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe

ComboFix 07-08-07.6 - “Karin” 2007-08-09 8:53:34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1030.18.205 [GMT 2:00]
* Created a new restore point


(((((((((((((((((((((((((  Files Created from 2007-07-09 to 2007-08-09 )))))))))))))))))))))))))))))))


2007-08-09 08:51  51,200  --a------  C:\WINDOWS\nircmd.exe
2007-08-09 08:42  <DIR>  d--------  C:\WINDOWS\LastGood
2007-08-08 22:03  <DIR>  d--------  C:\WINDOWS\network diagnostic
2007-07-15 23:09  <DIR>  d--------  C:\DOCUME~1\Karin\cbt
2007-07-13 23:40  <DIR>  d--------  C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google


((((((((((((((((((((((((((((((((((((((((  Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-08 23:17  493  --a------  C:\WINDOWS\system32\drivers\fwdrv.err
2007-08-08 22:23  ---------  d--------  C:\DOCUME~1\Karin\APPLIC~1\OpenOffice.org1.9.82
2007-08-08 13:53  ---------  d--------  C:\Programmer\SpywareGuard
2007-08-08 13:52  ---------  d--------  C:\Programmer\SpywareBlaster
2007-07-25 17:55  ---------  d--------  C:\Programmer\Magnus & Myggen - Quizkampen
2007-07-04 20:02  11376  --a------  C:\WINDOWS\system32\drivers\secdrv.sys
2007-07-04 19:41  ---------  d--------  C:\Programmer\Microsoft Games
2007-07-04 17:21  ---------  d--------  C:\Programmer\PATRICIAN II
2007-06-28 11:38  ---------  d--------  C:\Programmer\SUPERAntiSpyware
2007-06-22 14:41  ---------  d--------  C:\Programmer\eGames
2007-05-16 17:14  86528  --a--c---  C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 17:14  85504  --a--c---  C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 17:14  683520  --a--c---  C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 17:14  683520  --a------  C:\WINDOWS\system32\inetcomm.dll
2007-05-16 17:14  510976  --a--c---  C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 17:14  1314816  --a--c---  C:\WINDOWS\system32\dllcache\msoe.dll
---------  C:\Programmer\LEGO Øen
---------  C:\Programmer\Fælles filer\System


(((((((((((((((((((((((((((((((((((((  Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 17:23 C:\WINDOWS\StartupMonitor.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-23 13:29]
"OpwareSE2"="C:\Programmer\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 12:00]
"OPSE reminder"="C:\Programmer\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" [2003-07-07 10:29]
"DataLayer"="C:\Programmer\Fælles filer\PCSuite\DataLayer\DataLayer.exe" []
"WheelMouse"="C:\PROGRA~1\OPTICA~1\4DMAIN.EXE" [2000-05-08 09:54]
"!AVG Anti-Spyware"="C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-18 22:32]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-27 02:53]
"MSMSGS"="C:\Programmer\Messenger\msmsgs.exe" [2004-10-13 18:24]
"SUPERAntiSpyware"="C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-28 11:38]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Windows Update System Shell"=svhostcs32.exe

C:\Documents and Settings\Karin\Menuen Start\Programmer\Start\
SpywareGuard.lnk - C:\Programmer\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\
Attack Shield.lnk - C:\Programmer\Sana Security\Attack Shield\AttackShield.exe [2005-04-14 15:54:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programmer\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programmer\SUPERAntiSpyware\SASWINLO.DLL 2007-04-27 13:48 294912 C:\Programmer\SUPERAntiSpyware\SASWINLO.DLL

R1 cdrbsvsd;cdrbsvsd;C:\WINDOWS\system32\drivers\cdrbsvsd.sys
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Programmer\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Programmer\SUPERAntiSpyware\SASKUTIL.sys
R1 VIAPFD;VIAPFD;C:\WINDOWS\system32\Drivers\VIAPFD.SYS
R2 AttackShield;Attack Shield WS;C:\Programmer\Sana Security\Attack Shield\AttackShieldAgent.exe
R2 SPF4;Sunbelt Personal Firewall 4;"C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe"
R3 AttackShieldDriver;AttackShieldDriver;\??\C:\Programmer\Sana Security\Attack Shield\AttackShieldDriver.Sys
R3 AttackShieldShim;AttackShieldShim;\??\C:\Programmer\Sana Security\Attack Shield\AttackShieldShim.sys
R3 FETNDIS;NT-driver til VIA PCI 10/100Mb Fast Ethernet-netværkskort;C:\WINDOWS\system32\DRIVERS\fetnd5.sys
R3 ms_mpu401;Microsoft MPU-401 MIDI UART-driver;C:\WINDOWS\system32\drivers\msmpu401.sys
R3 SASENUM;SASENUM;\??\C:\Programmer\SUPERAntiSpyware\SASENUM.SYS
S3 Nokia USB Generic;Nokia USB Generic;C:\WINDOWS\system32\drivers\nmwcdc.sys
S3 Nokia USB Modem;Nokia USB Modem;C:\WINDOWS\system32\drivers\nmwcdcm.sys
S3 Nokia USB Phone Parent;Nokia USB Phone Parent;C:\WINDOWS\system32\drivers\nmwcd.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D\_Autorun\DefaultIcon]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D\_Autorun\DefaultIcon- D:\fscommand/fk_icon.ico]


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-09 08:59:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\viaagp]
"ImagePath"="System32\DRIVERS\viaagp.sys"

Completion time: 2007-08-09 9:03:35

--- E O F ---


********************************* ROOTCHK-(21-07-07)-LOG, by ejvindh
09-08-2007 8:46:51,59

The rootkits that are detected by this tool were not found.

********************************* ROOTCHK-LOG-end


catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-09 08:46:52
Windows 5.1.2600 Service Pack 2
scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

hidden processes: 0
hidden files: 0

  Karin
Number of posts: 133

Now my SG suddenly disappeared from the taskbar, and when I try to open it under Programs it does not come up.

Editor
Number of posts: 17644

There really was an "infection" - you can read a little about it here:

http://www.sophos.com/security/analyses/w32rbotaaz.html

1. Open Notepad and copy the following (the text in bold) into it - and save the text file as CFScript.txt in the same place where you have ComboFix:

File::
C:\WINDOWS\system32\svhostcs32.exe
C:\WINDOWS\svhostcs32.exe
Registry::
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Windows Update System Shell"=-

Drag the CFScript file onto the ComboFix icon - this will start ComboFix again (if the computer wants to restart, let it do so).

2. Post the new ComboFix log here.

3. Once you have posted the new ComboFix log here, please follow these instructions so that the whole computer gets checked:

a. Download this scanner:

ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe

b. Double-click cureit.exe and follow the program's instructions until your computer has been scanned and cleaned by the program.

- First the program runs an express scan (say yes to running it)
- Then close the offer to buy the program by clicking the "cross" in the green box.
- In the program's main window, now click "Select drives" (this selects all drives).
- Click the Start button on the right-hand side of the program (the symbol is like a "play button", i.e. an arrow pointing right)
- When the program is finished, click File -> Save report list (in the top menu line) and save the report on your Desktop.
- Right-click the report on your Desktop and choose "Open with" - find Notepad in the list and open the file. Copy the contents here.

Good advice on security...
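The reply above works from the "Reg Loading Points" section of the ComboFix log rather than from the HijackThis O4 lines, which is also why the earlier answer in this thread warned that a clean HijackThis log proves little: the Run value under HKEY_USERS\.default appears in neither HijackThis log on this page, only in ComboFix. The Python script below is an added example, not code from the thread, from ComboFix or from HijackThis. It applies the three checks a log reviewer makes by hand (a Run value in the .DEFAULT profile, a bare file name ComboFix could not resolve, a name that imitates a system binary) to a constructed excerpt of the 08:53 log posted above, and emits the Registry:: half of the CFScript used in the reply. The lookalike list and the one-edit threshold are the example's own assumptions; File:: paths are not generated, because a bare file name gives no location and the reviewer had to guess those by hand.

```python
"""Review ComboFix 'Reg Loading Points' output for autorun entries worth a second look.

Added example, not code from the thread or from ComboFix/HijackThis.  The
heuristics mirror what the reviewer in the thread did by hand when the
HijackThis log looked clean but ComboFix exposed an extra Run value.
"""
import re
from dataclasses import dataclass

# Constructed sample: a cut-down copy of the Reg Loading Points section of the
# 08:53 log posted in the thread (not a complete log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 17:23 C:\WINDOWS\StartupMonitor.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-23 13:29]
"DataLayer"="C:\Programmer\Fælles filer\PCSuite\DataLayer\DataLayer.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-27 02:53]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Windows Update System Shell"=svhostcs32.exe
"""

# Assumed lookalike list: binaries malware names itself after.  None of them is
# ever started from a Run key, so even an exact match there is a finding.
SYSTEM_NAMES = ("svchost", "lsass", "csrss", "winlogon", "services", "spoolsv", "explorer")

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# "name"=data [timestamp, plus the resolved path when data was a bare file name]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*?)(?:\s*\[([^\]]*)\])?$')


@dataclass
class Finding:
    key: str
    name: str
    image: str
    reasons: list


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-letter lookalikes such as svhost vs svchost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def imitates_system_binary(image: str):
    """Return the system binary whose name the file imitates (a prefix within one edit), else None."""
    base = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    stem = re.sub(r"\d+", "", base).rsplit(".", 1)[0]  # svhostcs32.exe -> svhostcs
    for name in SYSTEM_NAMES:
        for n in (len(name) - 1, len(name), len(name) + 1):
            if edit_distance(stem[:n], name) <= 1:
                return name
    return None


def review_autoruns(log_text: str) -> list:
    """Walk the Reg Loading Points dump and return the Run values that deserve attention."""
    findings, key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not (m and key):
            continue
        name, image, stamp = m.group(1), m.group(2).strip().strip('"'), m.group(3)
        reasons = []
        if key.lower().startswith("hkey_users\\.default\\"):
            reasons.append("Run value in the .DEFAULT profile (runs at the logon screen, not for any real user)")
        # A bare name is only suspicious when ComboFix did not resolve it to a file on disk
        # (compare StartupMonitor.exe, whose bracket shows the resolved path).
        if "\\" not in image and not (stamp and "\\" in stamp):
            reasons.append("bare file name that ComboFix did not resolve to a file on disk")
        target = imitates_system_binary(image)
        if target:
            reasons.append(f"name imitates {target}.exe, which is never started from a Run key")
        if reasons:
            findings.append(Finding(key, name, image, reasons))
    return findings


def build_cfscript(findings) -> str:
    """Emit the Registry:: section of a CFScript that deletes the flagged values.

    Only the registry half is generated: File:: paths must be located by hand,
    since a bare file name gives no location.
    """
    by_key = {}
    for f in findings:
        by_key.setdefault(f.key, []).append(f.name)
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = review_autoruns(SAMPLE_LOG)
    for h in hits:
        print(f"{h.key}\n  {h.name} = {h.image}")
        for r in h.reasons:
            print(f"    - {r}")
    print(build_cfscript(hits))
```

On the sample the only hit is "Windows Update System Shell" = svhostcs32.exe, flagged on all three counts; StartupMonitor.exe is also a bare name but passes because ComboFix printed the resolved path in its bracket. The generated Registry:: section is identical to the one in the reply above.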

  Karin
Number of posts: 133

ComboFix 07-08-07.6 - “Karin” 2007-08-09 10:05:56.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1030.18.169 [GMT 2:00]
Command switches used ::  C:\Documents and Settings\Karin\Skrivebord\spywarefri\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\svhostcs32.exe
C:\WINDOWS\svhostcs32.exe


(((((((((((((((((((((((((  Files Created from 2007-07-09 to 2007-08-09 )))))))))))))))))))))))))))))))


2007-08-09 08:51  51,200  --a------  C:\WINDOWS\nircmd.exe
2007-08-09 08:42  <DIR>  d--------  C:\WINDOWS\LastGood
2007-08-08 22:03  <DIR>  d--------  C:\WINDOWS\network diagnostic
2007-07-15 23:09  <DIR>  d--------  C:\DOCUME~1\Karin\cbt
2007-07-13 23:40  <DIR>  d--------  C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google


((((((((((((((((((((((((((((((((((((((((  Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-08 23:17  493  --a------  C:\WINDOWS\system32\drivers\fwdrv.err
2007-08-08 22:23  ---------  d--------  C:\DOCUME~1\Karin\APPLIC~1\OpenOffice.org1.9.82
2007-08-08 13:53  ---------  d--------  C:\Programmer\SpywareGuard
2007-08-08 13:52  ---------  d--------  C:\Programmer\SpywareBlaster
2007-07-25 17:55  ---------  d--------  C:\Programmer\Magnus & Myggen - Quizkampen
2007-07-04 20:02  11376  --a------  C:\WINDOWS\system32\drivers\secdrv.sys
2007-07-04 19:41  ---------  d--------  C:\Programmer\Microsoft Games
2007-07-04 17:21  ---------  d--------  C:\Programmer\PATRICIAN II
2007-06-28 11:38  ---------  d--------  C:\Programmer\SUPERAntiSpyware
2007-06-22 14:41  ---------  d--------  C:\Programmer\eGames
2007-05-16 17:14  86528  --a--c---  C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 17:14  85504  --a--c---  C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 17:14  683520  --a--c---  C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 17:14  683520  --a------  C:\WINDOWS\system32\inetcomm.dll
2007-05-16 17:14  510976  --a--c---  C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 17:14  1314816  --a--c---  C:\WINDOWS\system32\dllcache\msoe.dll
---------  C:\Programmer\LEGO Øen
---------  C:\Programmer\Fælles filer\System


(((((((((((((((((((((((((((((((((((((  Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 17:23 C:\WINDOWS\StartupMonitor.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-23 13:29]
"OpwareSE2"="C:\Programmer\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 12:00]
"OPSE reminder"="C:\Programmer\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" [2003-07-07 10:29]
"DataLayer"="C:\Programmer\Fælles filer\PCSuite\DataLayer\DataLayer.exe" []
"WheelMouse"="C:\PROGRA~1\OPTICA~1\4DMAIN.EXE" [2000-05-08 09:54]
"!AVG Anti-Spyware"="C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-18 22:32]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-27 02:53]
"MSMSGS"="C:\Programmer\Messenger\msmsgs.exe" [2004-10-13 18:24]
"SUPERAntiSpyware"="C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-28 11:38]

C:\Documents and Settings\Karin\Menuen Start\Programmer\Start\
SpywareGuard.lnk - C:\Programmer\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\
Attack Shield.lnk - C:\Programmer\Sana Security\Attack Shield\AttackShield.exe [2005-04-14 15:54:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programmer\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

Editor
Number of posts: 17644

Hi there

Could it be that you accidentally cut the log into pieces? I think the bottom is missing (normally it says --- E O F --- at the end). Try to find ComboFix.txt and post it here again.

Good advice on security...

  Karin
Number of posts: 133

I have now run Dr.Web, but it said it did not find anything. By the way, should I have run it from Safe Mode? I have not done that.

ComboFix 07-08-07.6 - “Karin” 2007-08-09 8:53:34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1030.18.205 [GMT 2:00]
* Created a new restore point


(((((((((((((((((((((((((  Files Created from 2007-07-09 to 2007-08-09 )))))))))))))))))))))))))))))))


2007-08-09 08:51  51,200  --a------  C:\WINDOWS\nircmd.exe
2007-08-09 08:42  <DIR>  d--------  C:\WINDOWS\LastGood
2007-08-08 22:03  <DIR>  d--------  C:\WINDOWS\network diagnostic
2007-07-15 23:09  <DIR>  d--------  C:\DOCUME~1\Karin\cbt
2007-07-13 23:40  <DIR>  d--------  C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google


((((((((((((((((((((((((((((((((((((((((  Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-08 23:17  493  --a------  C:\WINDOWS\system32\drivers\fwdrv.err
2007-08-08 22:23  ---------  d--------  C:\DOCUME~1\Karin\APPLIC~1\OpenOffice.org1.9.82
2007-08-08 13:53  ---------  d--------  C:\Programmer\SpywareGuard
2007-08-08 13:52  ---------  d--------  C:\Programmer\SpywareBlaster
2007-07-25 17:55  ---------  d--------  C:\Programmer\Magnus & Myggen - Quizkampen
2007-07-04 20:02  11376  --a------  C:\WINDOWS\system32\drivers\secdrv.sys
2007-07-04 19:41  ---------  d--------  C:\Programmer\Microsoft Games
2007-07-04 17:21  ---------  d--------  C:\Programmer\PATRICIAN II
2007-06-28 11:38  ---------  d--------  C:\Programmer\SUPERAntiSpyware
2007-06-22 14:41  ---------  d--------  C:\Programmer\eGames
2007-05-16 17:14  86528  --a--c---  C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 17:14  85504  --a--c---  C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 17:14  683520  --a--c---  C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 17:14  683520  --a------  C:\WINDOWS\system32\inetcomm.dll
2007-05-16 17:14  510976  --a--c---  C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 17:14  1314816  --a--c---  C:\WINDOWS\system32\dllcache\msoe.dll
---------  C:\Programmer\LEGO Øen
---------  C:\Programmer\Fælles filer\System


(((((((((((((((((((((((((((((((((((((  Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 17:23 C:\WINDOWS\StartupMonitor.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-23 13:29]
"OpwareSE2"="C:\Programmer\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 12:00]
"OPSE reminder"="C:\Programmer\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" [2003-07-07 10:29]
"DataLayer"="C:\Programmer\Fælles filer\PCSuite\DataLayer\DataLayer.exe" []
"WheelMouse"="C:\PROGRA~1\OPTICA~1\4DMAIN.EXE" [2000-05-08 09:54]
"!AVG Anti-Spyware"="C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-18 22:32]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-27 02:53]
"MSMSGS"="C:\Programmer\Messenger\msmsgs.exe" [2004-10-13 18:24]
"SUPERAntiSpyware"="C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-28 11:38]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Windows Update System Shell"=svhostcs32.exe

C:\Documents and Settings\Karin\Menuen Start\Programmer\Start\
SpywareGuard.lnk - C:\Programmer\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\
Attack Shield.lnk - C:\Programmer\Sana Security\Attack Shield\AttackShield.exe [2005-04-14 15:54:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programmer\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programmer\SUPERAntiSpyware\SASWINLO.DLL 2007-04-27 13:48 294912 C:\Programmer\SUPERAntiSpyware\SASWINLO.DLL

R1 cdrbsvsd;cdrbsvsd;C:\WINDOWS\system32\drivers\cdrbsvsd.sys
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Programmer\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Programmer\SUPERAntiSpyware\SASKUTIL.sys
R1 VIAPFD;VIAPFD;C:\WINDOWS\system32\Drivers\VIAPFD.SYS
R2 AttackShield;Attack Shield WS;C:\Programmer\Sana Security\Attack Shield\AttackShieldAgent.exe
R2 SPF4;Sunbelt Personal Firewall 4;"C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe"
R3 AttackShieldDriver;AttackShieldDriver;\??\C:\Programmer\Sana Security\Attack Shield\AttackShieldDriver.Sys
R3 AttackShieldShim;AttackShieldShim;\??\C:\Programmer\Sana Security\Attack Shield\AttackShieldShim.sys
R3 FETNDIS;NT-driver til VIA PCI 10/100Mb Fast Ethernet-netværkskort;C:\WINDOWS\system32\DRIVERS\fetnd5.sys
R3 ms_mpu401;Microsoft MPU-401 MIDI UART-driver;C:\WINDOWS\system32\drivers\msmpu401.sys
R3 SASENUM;SASENUM;\??\C:\Programmer\SUPERAntiSpyware\SASENUM.SYS
S3 Nokia USB Generic;Nokia USB Generic;C:\WINDOWS\system32\drivers\nmwcdc.sys
S3 Nokia USB Modem;Nokia USB Modem;C:\WINDOWS\system32\drivers\nmwcdcm.sys
S3 Nokia USB Phone Parent;Nokia USB Phone Parent;C:\WINDOWS\system32\drivers\nmwcd.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D\_Autorun\DefaultIcon]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D\_Autorun\DefaultIcon- D:\fscommand/fk_icon.ico]


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-09 08:59:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\viaagp]
"ImagePath"="System32\DRIVERS\viaagp.sys"

Completion time: 2007-08-09 9:03:35

--- E O F ---

Now I hope it is all there.

Regards, Karin

Editor
Number of posts: 17644

Unfortunately, Karin, that is the log from 08:53... I am more interested in the one from 10:05....

  Karin
Number of posts: 133

Here it is, then

ComboFix 07-08-07.6 - “Karin” 2007-08-09 10:05:56.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1030.18.169 [GMT 2:00]
Command switches used ::  C:\Documents and Settings\Karin\Skrivebord\spywarefri\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\svhostcs32.exe
C:\WINDOWS\svhostcs32.exe


(((((((((((((((((((((((((  Files Created from 2007-07-09 to 2007-08-09 )))))))))))))))))))))))))))))))


2007-08-09 08:51  51,200  --a------  C:\WINDOWS\nircmd.exe
2007-08-09 08:42  <DIR>  d--------  C:\WINDOWS\LastGood
2007-08-08 22:03  <DIR>  d--------  C:\WINDOWS\network diagnostic
2007-07-15 23:09  <DIR>  d--------  C:\DOCUME~1\Karin\cbt
2007-07-13 23:40  <DIR>  d--------  C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google


((((((((((((((((((((((((((((((((((((((((  Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-08 23:17  493  --a------  C:\WINDOWS\system32\drivers\fwdrv.err
2007-08-08 22:23  ---------  d--------  C:\DOCUME~1\Karin\APPLIC~1\OpenOffice.org1.9.82
2007-08-08 13:53  ---------  d--------  C:\Programmer\SpywareGuard
2007-08-08 13:52  ---------  d--------  C:\Programmer\SpywareBlaster
2007-07-25 17:55  ---------  d--------  C:\Programmer\Magnus & Myggen - Quizkampen
2007-07-04 20:02  11376  --a------  C:\WINDOWS\system32\drivers\secdrv.sys
2007-07-04 19:41  ---------  d--------  C:\Programmer\Microsoft Games
2007-07-04 17:21  ---------  d--------  C:\Programmer\PATRICIAN II
2007-06-28 11:38  ---------  d--------  C:\Programmer\SUPERAntiSpyware
2007-06-22 14:41  ---------  d--------  C:\Programmer\eGames
2007-05-16 17:14  86528  --a--c---  C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 17:14  85504  --a--c---  C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 17:14  683520  --a--c---  C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 17:14  683520  --a------  C:\WINDOWS\system32\inetcomm.dll
2007-05-16 17:14  510976  --a--c---  C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 17:14  1314816  --a--c---  C:\WINDOWS\system32\dllcache\msoe.dll
---------  C:\Programmer\LEGO Øen
---------  C:\Programmer\Fælles filer\System


(((((((((((((((((((((((((((((((((((((  Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 17:23 C:\WINDOWS\StartupMonitor.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-23 13:29]
"OpwareSE2"="C:\Programmer\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 12:00]
"OPSE reminder"="C:\Programmer\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" [2003-07-07 10:29]
"DataLayer"="C:\Programmer\Fælles filer\PCSuite\DataLayer\DataLayer.exe" []
"WheelMouse"="C:\PROGRA~1\OPTICA~1\4DMAIN.EXE" [2000-05-08 09:54]
"!AVG Anti-Spyware"="C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-18 22:32]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-27 02:53]
"MSMSGS"="C:\Programmer\Messenger\msmsgs.exe" [2004-10-13 18:24]
"SUPERAntiSpyware"="C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-28 11:38]

C:\Documents and Settings\Karin\Menuen Start\Programmer\Start\
SpywareGuard.lnk - C:\Programmer\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\
Attack Shield.lnk - C:\Programmer\Sana Security\Attack Shield\AttackShield.exe [2005-04-14 15:54:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programmer\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programmer\SUPERAntiSpyware\SASWINLO.DLL 2007-04-27 13:48 294912 C:\Programmer\SUPERAntiSpyware\SASWINLO.DLL

R1 cdrbsvsd;cdrbsvsd;C:\WINDOWS\system32\drivers\cdrbsvsd.sys
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Programmer\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Programmer\SUPERAntiSpyware\SASKUTIL.sys
R1 VIAPFD;VIAPFD;C:\WINDOWS\system32\Drivers\VIAPFD.SYS
R2 AttackShield;Attack Shield WS;C:\Programmer\Sana Security\Attack Shield\AttackShieldAgent.exe
R2 SPF4;Sunbelt Personal Firewall 4;"C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe"
R3 AttackShieldDriver;AttackShieldDriver;\??\C:\Programmer\Sana Security\Attack Shield\AttackShieldDriver.Sys
R3 AttackShieldShim;AttackShieldShim;\??\C:\Programmer\Sana Security\Attack Shield\AttackShieldShim.sys
R3 FETNDIS;NT-driver til VIA PCI 10/100Mb Fast Ethernet-netværkskort;C:\WINDOWS\system32\DRIVERS\fetnd5.sys
R3 ms_mpu401;Microsoft MPU-401 MIDI UART-driver;C:\WINDOWS\system32\drivers\msmpu401.sys
R3 SASENUM;SASENUM;\??\C:\Programmer\SUPERAntiSpyware\SASENUM.SYS
S3 Nokia USB Generic;Nokia USB Generic;C:\WINDOWS\system32\drivers\nmwcdc.sys
S3 Nokia USB Modem;Nokia USB Modem;C:\WINDOWS\system32\drivers\nmwcdcm.sys
S3 Nokia USB Phone Parent;Nokia USB Phone Parent;C:\WINDOWS\system32\drivers\nmwcd.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D\_Autorun\DefaultIcon]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D\_Autorun\DefaultIcon- D:\fscommand/fk_icon.ico]

*Newly Created Service* - CATCHME

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-09 10:11:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\viaagp]
"ImagePath"="System32\DRIVERS\viaagp.sys"

Completion time: 2007-08-09 10:15:43
C:\ComboFix2.txt ... 2007-08-09 09:03

--- E O F ---