Here comes the log
When was it that I was supposed to pull out the network cable?
Have I misunderstood something?
ComboFix 08-05-21.3 - Per Blaaberg 2008-05-25 14:11:41.11 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1030.18.1452 [GMT 2:00]
Running from: C:\Documents and Settings\Per Blaaberg\Skrivebord\Spywarefri Programmer\ComboFix.exe
Command switches used :: /snapshot
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.
2008-05-19 13:37 . 2008-05-19 13:37 <DIR> d-------- C:\Documents and Settings\Per Blaaberg\Application Data\Webroot
2008-05-12 17:48 . 2008-05-12 16:45 3,257,601 --a------ C:\WINDOWS\system32\fw_moments.scr
2008-05-12 17:48 . 2008-05-12 16:45 2,763,141 --a------ C:\WINDOWS\system32\fw_weddings.scr
2008-05-12 17:47 . 2008-05-12 16:45 2,217,203 --a------ C:\WINDOWS\system32\fw_girls.scr
2008-05-12 17:20 . 2008-05-12 16:51 3,339,360 --a------ C:\WINDOWS\system32\et_group.scr
2008-05-12 17:19 . 2008-05-12 16:52 2,360,772 --a------ C:\WINDOWS\system32\et_girls.scr
2008-05-09 13:18 . 2008-05-09 13:18 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-09 13:18 . 2008-05-09 13:18 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-08 10:39 . 2008-05-08 10:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Philips
2008-04-29 15:42 . 2008-04-29 15:42 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-04-27 11:47 . 2008-04-27 11:47 <DIR> d-------- C:\Programmer\Windows Media Bonus Pack for Windows XP
2008-04-27 11:47 . 2001-11-30 19:05 131,072 --a------ C:\WINDOWS\system32\dzip32.dll
2008-04-27 11:47 . 2001-11-30 19:05 110,592 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-04-25 11:40 . 2008-04-25 11:48 <DIR> d————C:\Temp\J—
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 12:21 --------- d-----w C:\Programmer\HDD Health
2008-05-25 12:20 --------- d-----w C:\Programmer\TDCpakke
2008-05-20 08:37 --------- d-----w C:\Programmer\Microsoft Silverlight
2008-05-19 13:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-19 12:12 --------- d-----w C:\Programmer\Spybot - Search & Destroy
2008-05-12 11:59 --------- d-----w C:\Programmer\CaptureWiz
2008-05-08 09:19 --------- d-----w C:\Documents and Settings\Per Blaaberg\Application Data\AdobeUM
2008-05-08 08:39 --------- d-----w C:\Programmer\Philips Intelligent Agent
2008-04-28 12:48 --------- d-----w C:\Programmer\Fælles filer\Elecard
2008-04-27 09:05 --------- d-----w C:\Programmer\Windows Media Connect 2
2008-04-25 09:33 --------- d-----w C:\Documents and Settings\Per Blaaberg\Application Data\dvdcss
2008-04-24 17:22 --------- d-----w C:\Documents and Settings\Per Blaaberg\Application Data\Ahead
2008-04-23 12:53 --------- d-----w C:\Documents and Settings\Per Blaaberg\Application Data\VersionTracker Pro
2008-04-21 14:48 5,632 ----a-w C:\WINDOWS\system32\drivers\StarOpen.sys
2008-04-21 13:39 --------- d-----w C:\Documents and Settings\Per Blaaberg\Application Data\YouSendIt
2008-04-21 13:37 --------- d--h--w C:\Programmer\InstallShield Installation Information
2008-04-21 13:37 --------- d-----w C:\Programmer\YouSendIt
2008-04-21 11:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-21 11:05 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-04-19 13:41 145,472 ----a-w C:\Documents and Settings\Per Blaaberg\Application Data\GDIPFONTCACHEV1.DAT
2008-04-17 11:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\NPF
2008-04-07 12:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\FOTO-C
2008-04-07 12:53 --------- d-----w C:\Programmer\FOTO-C
2008-04-07 11:12 --------- d-----w C:\Programmer\Hewlett-Packard
2008-04-01 11:40 --------- d-----w C:\Programmer\Canon
2008-03-31 15:46 --------- d-----w C:\Documents and Settings\Per Blaaberg\Application Data\HPAppData
2008-03-31 13:28 --------- d-----w C:\Programmer\AuctionSleuth
2008-03-29 13:52 --------- d-----w C:\Programmer\Fælles filer\Canon
2008-03-20 08:09 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 12:58 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-23 16:05 1,538 ----a-w C:\Documents and Settings\Per Blaaberg\Application Data\filterclsid.dat
2007-12-29 12:58 82 ----a-w C:\Documents and Settings\All Users\Application Data\SUMQU0C1-FE20-APII-YE7M-BEDSDWMY5R6A.dat
2004-09-15 21:39 1,570 ----a-w C:\Programmer\license.txt
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}]
2007-11-06 02:50 542016 --a------ C:\Programmer\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HDDHealth"="C:\Programmer\HDD Health\hddhealth.exe" [2005-06-24 10:17 715264]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-27 14:00 15360]
"Registry Cleaner"="C:\Programmer\Registry Cleaner Trial\RegClean.exe" [2005-11-04 02:31 1531904]
"WMPNSCFG"="C:\Programmer\Windows Media Player\WMPNSCFG.exe" [2006-11-15 10:30 204288]
"Philips Intelligent Agent"="C:\Programmer\Philips Intelligent Agent\Philips Intelligent Agent.exe" [2008-02-21 17:19 613792]
"SpybotSD TeaTimer"="C:\Programmer\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SW20"="C:\WINDOWS\system32\sw20.exe" [2005-06-29 17:08 212992]
"SW24"="C:\WINDOWS\system32\sw24.exe" [2005-07-04 13:29 69632]
"Norman ZANDA"="C:\Programmer\TDCpakke\Npm\bin\ZLH.exe" [2007-12-17 23:37 273520]
"QuickTime Task"="C:\Programmer\QuickTime\qttask.exe" [2007-07-21 14:44 286720]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-27 14:00 33280 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NeroFilterCheck"="C:\Programmer\Fælles filer\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-27 14:00 33280 C:\WINDOWS\system32\rundll32.exe]
"SunJavaUpdateSched"="C:\Programmer\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 16:28 577536 C:\WINDOWS\SOUNDMAN.EXE]
"itype"="C:\Programmer\Microsoft IntelliType Pro\itype.exe" [2005-12-04 17:38 437008]
"IntelliPoint"="C:\Programmer\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 17:39 461584]
"Google Desktop Search"="C:\Programmer\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-27 12:57 29744]
"NPCTray"="C:\Programmer\TDCpakke\npc\bin\npc_tray.exe" [2007-09-17 23:28 199736]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-27 14:00 15360]
C:\Documents and Settings\Per Blaaberg\Menuen Start\Programmer\Start\
CaptureWiz.lnk - C:\Programmer\CaptureWiz\Pro\CaptureWiz.exe [2008-01-28 14:58:27 2011168]
Watch.lnk - C:\Programmer\PVR Series\Watch.exe [2006-03-22 12:31:10 217088]
C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\
Adobe Reader Hurtigstart.lnk - C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Autobase.pif [2007-08-05 10:36:59 2855]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.Mi-sc4"= Mi-sc4.acm
"VIDC.JPEG"= JPEGCODE.DLL
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"VIDC.MJPG"= Pvmjpg30.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Programmer\\Bonjour\\mDNSResponder.exe"=
"C:\\Programmer\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"C:\\Programmer\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"C:\\Programmer\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"C:\\Programmer\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"C:\\Programmer\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\Win32\\RpcDataSrv.exe"=
"C:\\Programmer\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\RpcSandraSrv.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmer\\Internet Explorer\\iexplore.exe"=
"C:\\Programmer\\Veoh Networks\\Veoh\\VeohClient.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R0 NDIS_RD;Norman Firewall NDIS driver;C:\WINDOWS\system32\drivers\NDIS_RD.sys [2008-01-24 20:23]
R0 nvcchflt;NVIDIA Disk Cache Filter Driver;C:\WINDOWS\system32\DRIVERS\nvcchflt.sys [2005-02-11 19:11]
R1 NPROSEC;Norman Security driver;C:\Programmer\TDCpakke\Ngs\bin\nprosec.sys [2007-09-06 17:37]
R1 TDI_RD;Norman Firewall TDI driver;C:\WINDOWS\system32\drivers\TDI_RD.SYS [2007-05-14 19:51]
R2 Ndiskio;Ndiskio;C:\Programmer\TDCpakke\Nse\bin\NDISKIO.SYS [2007-01-02 18:55]
R2 NPFSvc32;Norman Personal Firewall Service;"C:\Programmer\TDCpakke\npf\bin\npfsvc32.exe" [2008-01-28 19:21]
R2 NPROSECSVC;Norman Security service;"C:\Programmer\TDCpakke\Ngs\bin\NPROSEC.EXE" [2007-11-28 00:13]
R2 NVOY;Norman's Very Own supplY of resources;"C:\Programmer\TDCpakke\npm\bin\nvoy.exe" [2008-01-23 00:04]
R3 BENDER;Pinnacle AV/DV2 Capture;C:\WINDOWS\system32\drivers\bender.sys [2006-12-04 10:36]
R3 NPC;Norman Parental Control;"C:\Programmer\TDCpakke\npc\bin\npcsvc32.exe" [2007-09-17 23:24]
R3 NUAA;Norman User Activity Agent;"C:\Programmer\TDCpakke\npc\bin\nuaa.exe" [2007-09-17 23:22]
R3 NVCScheduler;Norman Virus Control Scheduler;"C:\Programmer\TDCpakke\Npm\bin\NVCSCHED.EXE" [2007-09-18 20:41]
S2 nvTUNEP;nVidia WDM TVTuner;C:\WINDOWS\system32\DRIVERS\nvtunep.sys [2002-09-09 10:59]
S2 nvtvSND;nVidia WDM TVAudio Crossbar;C:\WINDOWS\system32\DRIVERS\nvtvsnd.sys [2002-09-09 10:59]
S3 Dual Mode;Dual Mode Video Capture;C:\WINDOWS\system32\DRIVERS\CoachVc.sys [2002-10-09 21:24]
S3 DYNEFMC;Express Media Player Driver;C:\WINDOWS\system32\Drivers\DYNEFMC.sys [2002-05-21 11:24]
S3 GoogleDesktopManager-010108-205858;Google Desktop-administrator 5.7.801.1629;"C:\Programmer\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-27 12:57]
S3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2008-02-11 23:56]
S3 nvcoas;Norman Virus Control on-access component;"C:\Programmer\TDCpakke\Nvc\bin\nvcoas.exe" [2007-12-10 23:36]
S3 ubsbp2;Unibrain SBP2 Bus Driver;C:\WINDOWS\system32\DRIVERS\ubsbp2.sys [2005-07-27 18:25]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aebb6e93-a6de-11db-9bd6-0013d48e01e6}]
\Shell\AutoRun\command - P:\autorun.exe PP60DESIGN1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa0c30b6-adfa-11db-9bf1-0013d48e01e6}]
\Shell\AutoRun\command - P:\autorun.exe PP60DESIGN1
.
Contents of the 'Scheduled Tasks' folder
"2007-11-12 16:07:31 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Programmer\Spybot - Search & Destroy\SpybotSD.exe
"2008-05-25 12:31:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Programmer\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-06-30 11:37:15 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Programmer\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 14:22:53
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Programmer\TDCpakke\Npm\Bin\elogsvc.exe
C:\Programmer\TDCpakke\Npm\Bin\Zanda.exe
C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programmer\TDCpakke\npf\Bin\npfuser.exe
C:\Programmer\Bonjour\mDNSResponder.exe
C:\Programmer\Fælles filer\LightScribe\LSSrvc.exe
C:\Programmer\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmer\TDCpakke\nvc\bin\Nip.exe
C:\Programmer\Windows Media Player\wmpnetwk.exe
C:\Programmer\TDCpakke\Npm\Bin\Njeeves.exe
C:\Programmer\TDCpakke\nvc\bin\CClaw.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-05-25 14:32:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-25 12:31:28
ComboFix2.txt 2008-05-23 10:20:35
Pre-Run: 63,332,835,328 byte ledig
Post-Run: 63,390,236,672 byte ledig
187 --- E O F --- 2008-05-20 08:37:12