Velkommen til Spywarefri

selv om jeg har et virus program, ( Avast antivirus ).

Man får hvad man betaler for, ik’ sandt?

Hent dette program: http://www.ctrlaltdel.dk/SWF_hent.exe og gem det på skrivebordet. Herefter dobbeltklikker du på det (SWF_hent.exe). Du skal måske tillade programmet at hente filer fra nettet!

Programmet henter nødvendige rense-programmer. Når programmerne er hentet, vil der være en mappe på skrivebordet med navnet “Spywarefri”. Heri ligger programmerne sammen med en kort vejledning - hvis vejledningen ikke åbner automatisk så dobbeltklik på “SWF_vejledning.html”.

Venligst følg vejledningen og kopier logfilerne herind i forum.

Tak For det meget hurtige svar
Hermed div log-filer
Malwarebytes’ Anti-Malware 1.24
Database version: 1026
Windows 5.1.2600 Service Pack 3

10:33:35 05-08-2008
mbam-log-8-5-2008 (10-33-35).txt

Skan type: Fuldstændig skanning (C:\|D:\|)
Objekter skannet: 113912
Tid tilbagelagt: 26 minute(s), 43 second(s)

Inficerede Hukommelses Processer: 0
Inficerede Hukommelses Moduler: 2
Inficerede Registeringsdatabase Nøgler: 44
Inficerede Registeringsdatabase Værdier: 10
Inficerede Registeringsdatabase Filer: 13
Inficerede Mapper: 27
Inficerede Filer: 55

Inficerede Hukommelses Processer:
(Ingen mistænkelige filer fundet)

Inficerede Hukommelses Moduler:
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\msliksurdns.dll (Rootkit.Agent) -> Delete on reboot.

Inficerede Registeringsdatabase Nøgler:
HKEY_CLASSES_ROOT\Interface\{caf9d798-c659-4b9b-8e19-ee27c3d04ee7} (Rogue.PestPatrol) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{06ebda5c-bd3d-451d-9bf2-fde4cd98e56b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ed4ca03d-dba9-4403-9c0d-917b29aca380} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3e86df3e-c145-4823-960c-991d53e5ded1} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bbeebe4f-3eda-40f4-a0ab-87593ee49c56} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bbeebe4f-3eda-40f4-a0ab-87593ee49c56} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{dca900cf-450b-4e35-9169-66767f2f9d67} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dca900cf-450b-4e35-9169-66767f2f9d67} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{93b0fa7b-50f6-41b4-ac7e-612a72ce8c3c} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Installer\Features\9ee2330ae5f4470cac801baac83818c9 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Installer\Products\568267acfc5644dab06f058006ddbae3 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2763e333-b168-41a0-a112-d35f96f410c0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{1962c5bc-e475-465b-823b-133e711bceb9} (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\shc30lj0e179 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhc10lj0e179 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\shc30lj0e179 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\VAV (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\msliksur (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sunporn (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sunpornwrrb325 (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msliksurserv (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\iSecurity (Rouge.ISecurity) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Adsl Software Limited (Rogue.MalWarrior) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{2b6e6222-4c7b-45e9-9912-d27c57fcff3c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{922f8064-0133-4e4e-ac9f-2715d6f17704} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bc773027-e244-461f-849e-d2abb72f17e1} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webvideo (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fdkowvbp.bnxe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fdkowvbp.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Security Tools (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\zangosa (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Inficerede Registeringsdatabase Værdier:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{dca900cf-450b-4e35-9169-66767f2f9d67} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07aa283a-43d7-4cbe-a064-32a21112d94d} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\advap32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0\source (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{bc773027-e244-461f-849e-d2abb72f17e1} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhc10lj0e179 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphc50lj0e179 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search;\ (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3PopularScreensavers (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Inficerede Registeringsdatabase Filer:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (55860-640-1134982-23564) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (HH:mm:ss) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Inficerede Mapper:
C:\WINDOWS\privacy_danger (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Programmer\PCHealthCenter (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Programmer\rhc10lj0e179 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programmer\shc30lj0e179 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bruno\Application Data\rhc10lj0e179 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bruno\Application Data\rhc10lj0e179\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bruno\Application Data\rhc10lj0e179\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bruno\Application Data\rhc10lj0e179\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bruno\Application Data\rhc10lj0e179\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bruno\Application Data\rhc10lj0e179\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bruno\Application Data\rhc10lj0e179\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bruno\Application Data\rhc10lj0e179\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bruno\Application Data\rhc10lj0e179\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bruno\Application Data\rhc10lj0e179\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bruno\Application Data\rhc10lj0e179\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bruno\Application Data\shc30lj0e179 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bruno\Application Data\shc30lj0e179\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bruno\Application Data\shc30lj0e179\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bruno\Application Data\shc30lj0e179\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bruno\Application Data\shc30lj0e179\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bruno\Application Data\shc30lj0e179\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bruno\Application Data\shc30lj0e179\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bruno\Application Data\shc30lj0e179\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bruno\Application Data\shc30lj0e179\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bruno\Application Data\shc30lj0e179\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bruno\Application Data\shc30lj0e179\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Inficerede Filer:
C:\Programmer\PCHealthCenter\1.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Programmer\PCHealthCenter\2.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Programmer\PCHealthCenter\7.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\ebxl.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vav.cpl (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\Winua16.sys (Rootkit.Agent) -> Delete on reboot.
D:\Programmer\yEnc32\uninstall.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\index.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\capt.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\danger.jpg (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\down.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\spacer.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Programmer\PCHealthCenter\0.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Programmer\PCHealthCenter\0.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Programmer\PCHealthCenter\1.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Programmer\PCHealthCenter\2.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Programmer\PCHealthCenter\3.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Programmer\PCHealthCenter\3.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Programmer\PCHealthCenter\4.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Programmer\PCHealthCenter\5.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Programmer\PCHealthCenter\sc.html (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Programmer\PCHealthCenter\sex1.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Programmer\PCHealthCenter\sex2.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Programmer\rhc10lj0e179\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programmer\rhc10lj0e179\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programmer\rhc10lj0e179\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programmer\rhc10lj0e179\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programmer\rhc10lj0e179\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programmer\rhc10lj0e179\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programmer\rhc10lj0e179\rhc10lj0e179.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programmer\shc30lj0e179\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programmer\shc30lj0e179\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programmer\shc30lj0e179\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programmer\shc30lj0e179\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programmer\shc30lj0e179\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programmer\shc30lj0e179\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programmer\shc30lj0e179\shc30lj0e179.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programmer\shc30lj0e179\Uninstall.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sex2.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\WinCtrl32.dl_ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msliksurcredo.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msliksurdns.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\eqvwamkl.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\fdkowvbp.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\grswptdl.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blphc50lj0e179.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bruno\Foretrukne\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bruno\Foretrukne\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bruno\Foretrukne\Spyware&Malware; Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\msliksurserv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

ComboFix 08-08-04.01 - Bruno 2008-08-05 10:41:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1030.18.137 [GMT 2:00]
Running from: C:\Documents and Settings\Bruno\Skrivebord\Spywarefri\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((  Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\CfNqttwa.ini
C:\WINDOWS\system32\CfNqttwa.ini2
C:\WINDOWS\system32\dfrvxwcb.ini
C:\WINDOWS\system32\IikkTvut.ini
C:\WINDOWS\system32\IikkTvut.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\rtojpsuu.ini
C:\WINDOWS\system32\uvoymjgi.ini
D:\Autorun.inf

.
(((((((((((((((((((((((((  Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.

2008-08-05 10:04 . 2008-08-05 10:04 <DIR> d————C:\Programmer\Malwarebytes’ Anti-Malware
2008-08-05 10:04 . 2008-08-05 10:04 <DIR> d————C:\Documents and Settings\Bruno\Application Data\Malwarebytes
2008-08-05 10:04 . 2008-08-05 10:04 <DIR> d————C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-05 10:04 . 2008-07-30 20:07 38,472—a———C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-05 10:04 . 2008-07-30 20:07 17,144—a———C:\WINDOWS\system32\drivers\mbam.sys
2008-08-05 00:43 . 2008-08-05 00:43 <DIR> d————C:\Programmer\Sun
2008-08-04 14:14 .  <DIR>  C:\Programmer\Fælles filer\Borland Shared
2008-08-04 14:14 . 2008-08-04 14:14 <DIR> d————C:\PDOXNET
2008-08-04 14:14 . 1999-01-20 05:01 210,032—a———C:\WINDOWS\system32\DBCLIENT.DLL
2008-08-04 14:14 . 1999-11-12 05:11 183,808—a———C:\WINDOWS\system32\BDEADMIN.CPL
2008-08-04 14:02 . 2008-08-04 16:13 <DIR> d————C:\Programmer\Siber Systems
2008-08-04 14:02 . 2008-08-04 14:23 <DIR> d————C:\Documents and Settings\Bruno\Application Data\GoodSync
2008-08-03 23:22 . 2008-08-03 23:22 <DIR> d————C:\Programmer\Lavasoft
2008-08-02 10:37 . 2008-08-04 14:47 489—a———C:\WINDOWS\system32\drivers\fwdrv.err
2008-07-29 07:47 . 2008-07-30 10:01 54,156—ah——- C:\WINDOWS\QTFont.qfn
2008-07-29 07:47 . 2008-07-29 07:47 1,409—a———C:\WINDOWS\QTFont.for
2008-07-28 10:11 . 2008-07-28 10:16 <DIR> d————C:\WEBBANK
2008-07-27 17:14 . 2008-07-27 17:14 37—a———C:\WINDOWS\Viewer.ini
2008-07-27 16:38 . 2008-07-27 16:38 <DIR> d————C:\NVIDIA
2008-07-27 15:52 . 1995-11-07 14:30 780,800—a———C:\WINDOWS\system32\ir41_32.dll
2008-07-27 15:52 . 1994-08-24 00:00 188,960—a———C:\WINDOWS\system\WINGDE.DLL
2008-07-27 15:52 . 1994-09-21 00:00 92,208—a———C:\WINDOWS\system\WING.DLL
2008-07-27 15:52 . 1995-03-22 00:00 56,832—a———C:\WINDOWS\system32\IYVU9_32.DLL
2008-07-27 15:52 . 1994-09-21 00:00 12,800—a———C:\WINDOWS\system\WING32.DLL
2008-07-27 15:52 . 1994-09-21 00:00 6,736—a———C:\WINDOWS\system\WINGDIB.DRV
2008-07-27 15:52 . 1994-09-02 00:00 5,195—a———C:\WINDOWS\system\DVA.386
2008-07-27 15:52 . 1994-09-21 00:00 5,024—a———C:\WINDOWS\system\WINGPAL.WND
2008-07-27 14:57 . 2001-05-16 17:54 309,616—a———C:\WINDOWS\system32\wmv8dmod.dll
2008-07-27 14:57 . 2001-03-26 04:41 245,760—a———C:\WINDOWS\system32\mp4sds32.ax
2008-07-27 14:54 . 2008-07-27 14:54 <DIR> d————C:\Programmer\Codemasters
2008-07-16 16:00 . 2008-07-16 16:00 <DIR> d————C:\WINDOWS\system32\da
2008-07-16 16:00 . 2008-07-16 16:00 <DIR> d————C:\WINDOWS\system32\bits
2008-07-16 16:00 . 2008-07-16 16:00 <DIR> d————C:\WINDOWS\l2schemas
2008-07-16 15:57 . 2008-07-16 16:00 <DIR> d————C:\WINDOWS\ServicePackFiles
2008-07-16 15:29 . 2008-07-16 15:29 <DIR> d————C:\Programmer\Common Files
2008-07-16 15:29 . 2008-07-16 15:29 <DIR> d————C:\Programmer\AvantGo Connect
2008-07-16 15:29 . 2008-07-16 15:29 2,464—a———C:\WINDOWS\$_hpcst$.hpc
2008-07-16 15:28 . 2008-07-16 15:29 <DIR> d————C:\Programmer\Microsoft ActiveSync
2008-07-09 07:34 .  <DIR>  C:\Programmer\Fælles filer\xing shared
2008-07-09 07:34 .  <DIR>  C:\Programmer\Fælles filer\Real
2008-07-08 11:02 . 2008-07-08 15:40 230—a———C:\config.xml
2008-07-08 10:48 . 2008-07-08 10:48 <DIR> d————C:\temp
2008-07-08 09:58 . 2008-07-08 09:58 <DIR> d————C:\Programmer\Alwil Software
2008-07-08 09:06 . 2008-07-08 09:06 <DIR> d————C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-05 16:56 . 2008-07-05 16:56 <DIR> d————C:\Documents and Settings\Bruno\cbt

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 08:50————- d——-w C:\Documents and Settings\All Users\Application Data\BullGuard
2008-08-04 22:43————- d——-w C:\Programmer\Java
2008-08-04 21:55————- d——-w C:\Programmer\Fælles filer\Wise Installation Wizard
2008-07-27 14:38————- d——-w C:\Programmer\Fælles filer\InstallShield
2008-07-27 12:54————- d—h—w C:\Programmer\InstallShield Installation Information
2008-07-23 17:23————- d——-w C:\Programmer\MSN Messenger
2008-07-09 05:32————- d——-w C:\Programmer\Google
2008-06-20 17:48 246,784——a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600——a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496——a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856——a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 16:53————- d——-w C:\Programmer\Sunbelt Software
2008-06-19 16:52————- d——-w C:\Documents and Settings\Bruno\Application Data\Sunbelt Software
2008-06-19 16:52————- d——-w C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-06-17 18:51 50,896——a-w C:\WINDOWS\system32\drivers\BdFileSpy.sys
2008-06-17 18:51 20,048——a-w C:\WINDOWS\system32\BgOutlookHook.dll
2008-06-17 18:51 14,152——a-w C:\WINDOWS\system32\lccl.dll
2008-06-17 18:51 14,152——a-w C:\WINDOWS\system32\client_cc.dll
2008-06-17 18:50————- d——-w C:\Documents and Settings\Bruno\Application Data\BullGuard
2008-06-17 18:45————- d——-w C:\Programmer\BullGuard Software
2008-06-14 17:35 272,256———w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 07:09————- d——-w C:\Programmer\Microsoft CAPICOM 2.1.0.2
2008-06-11 07:01————- d——-w C:\Programmer\Yahoo!
2008-06-11 07:01————- d——-w C:\Programmer\CCleaner
2008-06-10 09:04 15,544——a-w C:\WINDOWS\system32\drivers\sbhr.sys
2008-05-27 22:04 1,233,492—sha-w C:\WINDOWS\system32\pjjqsxxd.tmp
2008-05-26 15:18 0——a-w C:\Programmer\uninstall.dat
2008-05-16 09:58 12,632——a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-09 10:55 90,112——a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:55 430,080——a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:55 180,224——a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:55 172,032——a-w C:\WINDOWS\system32\scrrun.dll
2008-05-08 11:24 155,648——a-w C:\WINDOWS\system32\wscript.exe
2008-05-07 09:07 135,168——a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 05:11 1,292,288——a-w C:\WINDOWS\system32\quartz.dll
2008-03-31 14:40 2,293,848——a-w C:\Programmer\FLV PlayerFCSetup.exe
2008-03-31 13:55 4,265,560——a-w C:\Programmer\FLV PlayerRCATSetup.exe
2008-03-31 13:53 411,248——a-w C:\Programmer\FLV PlayerRCSetup.exe
2007-08-29 20:54 30,601——a-w C:\Documents and Settings\Bruno\x.exe
.

(((((((((((((((((((((((((((((((((((((  Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2008-04-14 18:05 15360]
“swg”=“C:\Programmer\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2008-07-13 08:35 68856]
“H/PC Connection Agent”=“C:\Programmer\Microsoft ActiveSync\WCESCOMM.EXE” [2003-04-23 03:43 413775]
“BullGuard Spamfilter”=“C:\Programmer\BullGuard Software\BullGuard Spamfilter\bullguard.exe” [2008-06-17 20:51 308552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“SunJavaUpdateSched”=“C:\Programmer\Java\jre1.6.0_07\bin\jusched.exe” [2008-06-10 04:27 144784]
“QuickTime Task”=“C:\Programmer\QuickTime\qttask.exe” [2007-10-19 21:16 286720]
“Adobe Reader Speed Launcher”=“C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2008-01-11 23:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2008-04-14 18:05 15360]
“swg”=“C:\Programmer\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2008-07-13 08:35 68856]
“Picasa Media Detector”=“C:\Programmer\Picasa2\PicasaMediaDetector.exe” [2007-09-28 03:17 443968]

C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\
BTTray.lnk - C:\Programmer\WIDCOMM\Bluetooth Software\BTTray.exe [2006-06-07 17:05:38 553021]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
“vidc.iv41”= IR41_32.DLL
“vidc.ir32”= C:\WINDOWS\system32\ir32_32.dll
“vidc.ir31”= C:\WINDOWS\system32\ir32_32.dll
“MSACM.CEGSM”= mobilev.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfl84.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winjp62.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winlr84.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winms62.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winou38.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpv27.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpv73.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqw51.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winua16.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwd38.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
—a———2008-07-19 16:38 78008 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\\Network Diagnostic\\xpnetdiag.exe”=
“C:\\Programmer\\Yahoo!\\Messenger\\YahooMessenger.exe”=
“C:\\WINDOWS\\system32\\java.exe”=
“C:\Documents and Settings\Bruno\Application Data\Facebook\facebook.exe”= C:\Documents and Settings\Bruno\Application Data\Facebook\facebook.exe:127.0.0.1/255.255.255.255:Enabled:Facebook
“C:\\Programmer\\Messenger\\msmsgs.exe”=
“C:\\WINDOWS\\system32\\sessmgr.exe”=
“C:\\Programmer\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe”=
“%windir%\\system32\\sessmgr.exe”=
“C:\\Programmer\\MSN Messenger\\msnmsgr.exe”=
“C:\\Programmer\\MSN Messenger\\livecall.exe”=
“C:\\Programmer\\Microsoft ActiveSync\\WCESCOMM.EXE”=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
“3389:TCP”= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-06-10 11:04]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 16:35]
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 10:21]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-04-26 10:21]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2007-08-18 01:27]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 16:37]
R3 Reconn;BullGuard Email Monitor;C:\Programmer\BullGuard Software\BullGuard Spamfilter\reconn.sys [2007-06-28 10:44]
S0 Winua16;Winua16;C:\WINDOWS\system32\Drivers\Winua16.sys []
S2 SPF4;Sunbelt Personal Firewall 4;C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe [2007-04-26 10:21]
S3 BGRaSvc;BGRaSvc;C:\Programmer\BullGuard Software\BullGuard Spamfilter\support\bgrasvc.exe [2008-06-17 20:52]
S3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []
S3 Winpv73;Winpv73;C:\WINDOWS\System32\drivers\Winpv73.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard REG_MULTI_SZ   BgMainSvc BsMailProxy
.
Contents of the ‘Scheduled Tasks’ folder

2008-08-01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Programmer\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{6750428C-14FA-4ECF-A9AE-32A823B9B3AF} - C:\WINDOWS\system32\tuvTkkiI.dll
BHO-{E1342A09-894D-46C9-AEF6-67E00A4EFCDA} - C:\WINDOWS\system32\awttqNfC.dll
HKLM-Run-TkBellExe - C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
HKLM-Run-My Web Search Bar Search Scope Monitor - C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
HKLM-Explorer_Run-application - C:\Programmer\AKProg\AKProg.exe
SharedTaskScheduler-{1b17f1db-790e-4d42-8e0c-d4d19123ee5b} - (no file)
SSODL-VolumeDrv-{ef17e0c5-e684-45dd-a736-a55882aa9eb6} - C:\WINDOWS\Resources\VolumeDrv.dll
Notify-mlJyVoPH - mlJyVoPH.dll
Notify-pmnkkHaB - pmnkkHaB.dll
Notify-ssqRKeFX - ssqRKeFX.dll

.
———- Supplementary Scan———-
.
FireFox -: Profile - C:\Documents and Settings\Bruno\Application Data\Mozilla\Firefox\Profiles\e3pby8ej.default\

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 10:49:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
————————————Other Running Processes————————————
.
C:\Programmer\Lavasoft\Ad-Aware\aawservice.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmer\BullGuard Software\BullGuard Spamfilter\BullGuardUpdate.exe
C:\Programmer\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-08-05 10:55:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-05 08:54:47

Pre-Run: 71,255,187,456 byte ledig
Post-Run: 71,724,249,088 byte ledig

233—- E O F—- 2008-07-22 17:44:35

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:42, on 05-08-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Lavasoft\Ad-Aware\aawservice.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmer\BullGuard Software\BullGuard Spamfilter\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\Programmer\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programmer\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programmer\BullGuard Software\BullGuard Spamfilter\bullguard.exe
C:\Programmer\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Bruno\Skrivebord\Spywarefri\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmer\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programmer\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmer\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google; - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmer\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] “C:\Programmer\Java\jre1.6.0_07\bin\jusched.exe”
O4 - HKLM\..\Run: [QuickTime Task] “C:\Programmer\QuickTime\qttask.exe” -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] “C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programmer\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] “C:\Programmer\Microsoft ActiveSync\WCESCOMM.EXE”
O4 - HKCU\..\Run: [BullGuard Spamfilter] “C:\Programmer\BullGuard Software\BullGuard Spamfilter\bullguard.exe”
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘LOKAL TJENESTE’)
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘NETVÆRKSTJENESTE’)
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: &Windows; Live Search - res://C:\Programmer\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&ksporter; til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send til &Bluetooth;-enhed… - C:\Programmer\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra ‘Tools’ menuitem: Create Mobile Favorite… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra ‘Tools’ menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmer\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra ‘Tools’ menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmer\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmer\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Register/Branding/olr3313/OCX/v1018/flashax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{04EEA32E-11C3-4FA9-B15E-2B3A80B40237}: NameServer = 85.255.114.13,85.255.112.174
O17 - HKLM\System\CS2\Services\Tcpip\..\{04EEA32E-11C3-4FA9-B15E-2B3A80B40237}: NameServer = 85.255.114.13,85.255.112.174
O17 - HKLM\System\CS4\Services\Tcpip\..\{04EEA32E-11C3-4FA9-B15E-2B3A80B40237}: NameServer = 85.255.114.13,85.255.112.174
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programmer\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Programmer\BullGuard Software\BullGuard Spamfilter\BullGuardUpdate.exe
O23 - Service: BGRaSvc - BullGuard - C:\Programmer\BullGuard Software\BullGuard Spamfilter\support\bgrasvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmer\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmer\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SBCSSvc - Unknown owner - (no file)
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

—
End of file - 9500 bytes
Håber det re rigtigt og det giver nogen mening
Bruno

Du er hårdt ramt, jeg vil anbefale at du får en ny kode til din netbank, der er folk fra Ukraine der har rodet i din PC.
Denne linie er fra din log:
NameServer = 85.255.114.13,85.255.112.174
De DNS servere stammer herfra:
85.255.112.0 - 85.255.127.255
UkrTeleGroup Ltd.
Andrew Sotov
Mechnikova 58/5 65029 Odessa
+380631508855
———————————————————-
Hent Ccleaner her:
http://www.filehippo.com/download_ccleaner/
Installer Ccleaner, husk at fjerne fluebenet udfor installation af Yahoo toolbar.
Start programmet, fjern fluebenet i cookies.
Klik på kør Cleaner og lad den fjerne hvad den finder.
Klik så på Register ovre i venstre side (den blå terning), klik på Skan efter problemer, når den er færdig, klik på Udbedre valgte problemer, lav evt. en backup af registreringsdatabasen, klik så på udbedre alle valgte problemer.
Klik på OK, klik på Luk når den er færdig.
Genstart.
———————————————————-
Hent FixWareout fra et af disse links:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Gem filen på dit Skrivebord, gør ikke andet endnu.
———————————————————-
Kør Hijackthis, scan, sæt flueben ved linierne listet her, luk alle vinduer undtaget Hijackthis, klik på fix checked.

O17 - HKLM\System\CCS\Services\Tcpip\..\{04EEA32E-11C3-4FA9-B15E-2B3A80B40237}: NameServer = 85.255.114.13,85.255.112.174
O17 - HKLM\System\CS2\Services\Tcpip\..\{04EEA32E-11C3-4FA9-B15E-2B3A80B40237}: NameServer = 85.255.114.13,85.255.112.174
O17 - HKLM\System\CS4\Services\Tcpip\..\{04EEA32E-11C3-4FA9-B15E-2B3A80B40237}: NameServer = 85.255.114.13,85.255.112.174
O24 - Desktop Component 0: Privacy Protection - (no file)

———————————————————-
Åbn et Notesblokvindue, kopiér indholdet mellem de bølgede linier ind i dokumentet, og gem indholdet i samme mappe, som Combofix ligger med navnet CFScript.txt. Når du gemmer, skal du sikre, at der under “filtyper” står “alle filer”.

~~~~~~~~~~~~~~~~~~~~~~~~~~

Killall::
Snapshot::
File::
C:\WINDOWS\system32\pjjqsxxd.tmp
Driver::
Winfl84.sys
Winjp62.sys
Winlr84.sys
Winms62.sys
Winou38.sys
Winpv27.sys
Winpv73.sys
Winqw51.sys
Winua16.sys
Winwd38.sys
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfl84.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winjp62.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winlr84.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winms62.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winou38.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpv27.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpv73.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqw51.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winua16.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwd38.sys]

~~~~~~~~~~~~~~~~~~~~~~~~~~
Tag så fat i den nye fil med musen, og før den hen over Combofix-filen, hvorefter du “giver slip” med musen.
http://www.fromsej.saknet.dk/billeder/cfscript.gif
Så skulle Combofix gerne give sig til at arbejde. Muligvis vil den kræve en genstart, hvilket du skal tillade. Du bør ikke klikke på vinduet imens værktøjet kører, idet det kan få din computer til at fryse.
———————————————————-
Dobbeltklik på Fixwareout.exe. Klik Next -> Install og check, at der er et flueben i “Run fixit” - klik herefter på Finish. Fixet vil nu starte, og du skal blot følge instruktionerne. Du vil blive bedt om at genstarte din computer - gør venligst det.
Genstarten vil tage lidt længere tid end normalt…

Når dit system genstarter skal du fortsat følge den vejledning, der gives på skærmen.
Når fixet er færdigt vil der åbnes en log (report.txt), som du skal gemme og lægge herind i næste post.

Genstart din computer, og kopier indholdet af C:\fixwareout\report.txt herind sammen med en frisk HijackThis log og den nye Combofixlog.

Hej igen
Det lyder ikke godt at jeg er så hårdt ramt.
Her er de nye log filer, hvad kan i anbefale af virus programmet jeg kan købe så jeg ikke får samme problem en anden gang,

ComboFix 08-08-04.01 - Bruno 2008-08-05 22:35:56.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1030.18.137 [GMT 2:00]
Running from: C:\Documents and Settings\Bruno\Skrivebord\Spywarefri\ComboFix.exe
Command switches used :: C:\Documents and Settings\Bruno\Skrivebord\Spywarefri\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((  Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.

2008-08-05 21:56 . 2008-08-05 21:56 <DIR> d————C:\Programmer\CCleaner
2008-08-05 10:04 . 2008-08-05 10:04 <DIR> d————C:\Programmer\Malwarebytes’ Anti-Malware
2008-08-05 10:04 . 2008-08-05 10:04 <DIR> d————C:\Documents and Settings\Bruno\Application Data\Malwarebytes
2008-08-05 10:04 . 2008-08-05 10:04 <DIR> d————C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-05 10:04 . 2008-07-30 20:07 38,472—a———C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-05 10:04 . 2008-07-30 20:07 17,144—a———C:\WINDOWS\system32\drivers\mbam.sys
2008-08-05 00:43 . 2008-08-05 00:43 <DIR> d————C:\Programmer\Sun
2008-08-04 14:14 . 2008-08-04 14:14 <DIR> d————C:\Programmer\Fælles filer\Borland Shared
2008-08-04 14:14 . 2008-08-04 14:14 <DIR> d————C:\PDOXNET
2008-08-04 14:14 . 1999-01-20 05:01 210,032—a———C:\WINDOWS\system32\DBCLIENT.DLL
2008-08-04 14:14 . 1999-11-12 05:11 183,808—a———C:\WINDOWS\system32\BDEADMIN.CPL
2008-08-04 14:02 . 2008-08-04 16:13 <DIR> d————C:\Programmer\Siber Systems
2008-08-04 14:02 . 2008-08-04 14:23 <DIR> d————C:\Documents and Settings\Bruno\Application Data\GoodSync
2008-08-03 23:22 . 2008-08-03 23:22 <DIR> d————C:\Programmer\Lavasoft
2008-08-02 10:37 . 2008-08-04 14:47 489—a———C:\WINDOWS\system32\drivers\fwdrv.err
2008-07-29 07:47 . 2008-07-30 10:01 54,156—ah——- C:\WINDOWS\QTFont.qfn
2008-07-29 07:47 . 2008-07-29 07:47 1,409—a———C:\WINDOWS\QTFont.for
2008-07-28 10:11 . 2008-08-05 21:14 <DIR> d————C:\WEBBANK
2008-07-27 17:14 . 2008-07-27 17:14 37—a———C:\WINDOWS\Viewer.ini
2008-07-27 16:38 . 2008-07-27 16:38 <DIR> d————C:\NVIDIA
2008-07-27 15:52 . 1995-11-07 14:30 780,800—a———C:\WINDOWS\system32\ir41_32.dll
2008-07-27 15:52 . 1994-08-24 00:00 188,960—a———C:\WINDOWS\system\WINGDE.DLL
2008-07-27 15:52 . 1994-09-21 00:00 92,208—a———C:\WINDOWS\system\WING.DLL
2008-07-27 15:52 . 1995-03-22 00:00 56,832—a———C:\WINDOWS\system32\IYVU9_32.DLL
2008-07-27 15:52 . 1994-09-21 00:00 12,800—a———C:\WINDOWS\system\WING32.DLL
2008-07-27 15:52 . 1994-09-21 00:00 6,736—a———C:\WINDOWS\system\WINGDIB.DRV
2008-07-27 15:52 . 1994-09-02 00:00 5,195—a———C:\WINDOWS\system\DVA.386
2008-07-27 15:52 . 1994-09-21 00:00 5,024—a———C:\WINDOWS\system\WINGPAL.WND
2008-07-27 14:57 . 2001-05-16 17:54 309,616—a———C:\WINDOWS\system32\wmv8dmod.dll
2008-07-27 14:57 . 2001-03-26 04:41 245,760—a———C:\WINDOWS\system32\mp4sds32.ax
2008-07-27 14:54 . 2008-07-27 14:54 <DIR> d————C:\Programmer\Codemasters
2008-07-16 16:00 . 2008-07-16 16:00 <DIR> d————C:\WINDOWS\system32\da
2008-07-16 16:00 . 2008-07-16 16:00 <DIR> d————C:\WINDOWS\system32\bits
2008-07-16 16:00 . 2008-07-16 16:00 <DIR> d————C:\WINDOWS\l2schemas
2008-07-16 15:57 . 2008-07-16 16:00 <DIR> d————C:\WINDOWS\ServicePackFiles
2008-07-16 15:29 . 2008-07-16 15:29 <DIR> d————C:\Programmer\Common Files
2008-07-16 15:29 . 2008-07-16 15:29 <DIR> d————C:\Programmer\AvantGo Connect
2008-07-16 15:29 . 2008-07-16 15:29 2,464—a———C:\WINDOWS\$_hpcst$.hpc
2008-07-16 15:28 . 2008-07-16 15:29 <DIR> d————C:\Programmer\Microsoft ActiveSync
2008-07-09 07:34 . 2008-07-09 07:34 <DIR> d————C:\Programmer\Fælles filer\xing shared
2008-07-09 07:34 . 2008-07-09 07:34 <DIR> d————C:\Programmer\Fælles filer\Real
2008-07-08 11:02 . 2008-07-08 15:40 230—a———C:\config.xml
2008-07-08 10:48 . 2008-07-08 10:48 <DIR> d————C:\temp
2008-07-08 09:58 . 2008-07-08 09:58 <DIR> d————C:\Programmer\Alwil Software
2008-07-08 09:06 . 2008-07-08 09:06 <DIR> d————C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-05 16:56 . 2008-07-05 16:56 <DIR> d————C:\Documents and Settings\Bruno\cbt

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 20:02————- d——-w C:\Documents and Settings\All Users\Application Data\BullGuard
2008-08-05 09:01————- d——-w C:\Programmer\Yahoo!
2008-08-04 22:43————- d——-w C:\Programmer\Java
2008-08-04 21:55————- d——-w C:\Programmer\Fælles filer\Wise Installation Wizard
2008-07-27 14:38————- d——-w C:\Programmer\Fælles filer\InstallShield
2008-07-27 12:54————- d—h—w C:\Programmer\InstallShield Installation Information
2008-07-23 17:23————- d——-w C:\Programmer\MSN Messenger
2008-07-09 05:32————- d——-w C:\Programmer\Google
2008-06-20 17:48 246,784——a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600——a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496——a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856——a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 16:53————- d——-w C:\Programmer\Sunbelt Software
2008-06-19 16:52————- d——-w C:\Documents and Settings\Bruno\Application Data\Sunbelt Software
2008-06-19 16:52————- d——-w C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-06-17 18:51 50,896——a-w C:\WINDOWS\system32\drivers\BdFileSpy.sys
2008-06-17 18:51 20,048——a-w C:\WINDOWS\system32\BgOutlookHook.dll
2008-06-17 18:51 14,152——a-w C:\WINDOWS\system32\lccl.dll
2008-06-17 18:51 14,152——a-w C:\WINDOWS\system32\client_cc.dll
2008-06-17 18:50————- d——-w C:\Documents and Settings\Bruno\Application Data\BullGuard
2008-06-17 18:45————- d——-w C:\Programmer\BullGuard Software
2008-06-14 17:35 272,256———w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 07:09————- d——-w C:\Programmer\Microsoft CAPICOM 2.1.0.2
2008-06-10 09:04 15,544——a-w C:\WINDOWS\system32\drivers\sbhr.sys
2008-05-27 22:04 1,233,492—sha-w C:\WINDOWS\system32\pjjqsxxd.tmp
2008-05-26 15:18 0——a-w C:\Programmer\uninstall.dat
2008-05-16 09:58 12,632——a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-09 10:55 90,112——a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:55 430,080——a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:55 180,224——a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:55 172,032——a-w C:\WINDOWS\system32\scrrun.dll
2008-05-08 11:24 155,648——a-w C:\WINDOWS\system32\wscript.exe
2008-05-07 09:07 135,168——a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 05:11 1,292,288——a-w C:\WINDOWS\system32\quartz.dll
2008-03-31 14:40 2,293,848——a-w C:\Programmer\FLV PlayerFCSetup.exe
2008-03-31 13:55 4,265,560——a-w C:\Programmer\FLV PlayerRCATSetup.exe
2008-03-31 13:53 411,248——a-w C:\Programmer\FLV PlayerRCSetup.exe
2007-08-29 20:54 30,601———w C:\Documents and Settings\Bruno\x.exe
.

(((((((((((((((((((((((((((((  snapshot@2008-08-05_10.53.34.12   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-05 20:01:07 16,384——atw C:\WINDOWS\Temp\Perflib_Perfdata_520.dat
.
(((((((((((((((((((((((((((((((((((((  Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2008-04-14 18:05 15360]
“swg”=“C:\Programmer\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2008-07-13 08:35 68856]
“H/PC Connection Agent”=“C:\Programmer\Microsoft ActiveSync\WCESCOMM.EXE” [2003-04-23 03:43 413775]
“BullGuard Spamfilter”=“C:\Programmer\BullGuard Software\BullGuard Spamfilter\bullguard.exe” [2008-06-17 20:51 308552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“SunJavaUpdateSched”=“C:\Programmer\Java\jre1.6.0_07\bin\jusched.exe” [2008-06-10 04:27 144784]
“QuickTime Task”=“C:\Programmer\QuickTime\qttask.exe” [2007-10-19 21:16 286720]
“Adobe Reader Speed Launcher”=“C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2008-01-11 23:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2008-04-14 18:05 15360]
“swg”=“C:\Programmer\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2008-07-13 08:35 68856]
“Picasa Media Detector”=“C:\Programmer\Picasa2\PicasaMediaDetector.exe” [2007-09-28 03:17 443968]

C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\
BTTray.lnk - C:\Programmer\WIDCOMM\Bluetooth Software\BTTray.exe [2006-06-07 17:05:38 553021]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
“vidc.iv41”= IR41_32.DLL
“vidc.ir32”= C:\WINDOWS\system32\ir32_32.dll
“vidc.ir31”= C:\WINDOWS\system32\ir32_32.dll
“MSACM.CEGSM”= mobilev.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfl84.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winjp62.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winlr84.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winms62.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winou38.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpv27.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpv73.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqw51.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winua16.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwd38.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
—a———2008-07-19 16:38 78008 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\\Network Diagnostic\\xpnetdiag.exe”=
“C:\\Programmer\\Yahoo!\\Messenger\\YahooMessenger.exe”=
“C:\\WINDOWS\\system32\\java.exe”=
“C:\Documents and Settings\Bruno\Application Data\Facebook\facebook.exe”= C:\Documents and Settings\Bruno\Application Data\Facebook\facebook.exe:127.0.0.1/255.255.255.255:Enabled:Facebook
“C:\\Programmer\\Messenger\\msmsgs.exe”=
“C:\\WINDOWS\\system32\\sessmgr.exe”=
“C:\\Programmer\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe”=
“%windir%\\system32\\sessmgr.exe”=
“C:\\Programmer\\MSN Messenger\\msnmsgr.exe”=
“C:\\Programmer\\MSN Messenger\\livecall.exe”=
“C:\\Programmer\\Microsoft ActiveSync\\WCESCOMM.EXE”=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
“3389:TCP”= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-06-10 11:04]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 16:35]
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 10:21]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-04-26 10:21]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2007-08-18 01:27]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 16:37]
R2 SPF4;Sunbelt Personal Firewall 4;C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe [2007-04-26 10:21]
R3 Reconn;BullGuard Email Monitor;C:\Programmer\BullGuard Software\BullGuard Spamfilter\reconn.sys [2007-06-28 10:44]
S0 Winua16;Winua16;C:\WINDOWS\system32\Drivers\Winua16.sys []
S3 BGRaSvc;BGRaSvc;C:\Programmer\BullGuard Software\BullGuard Spamfilter\support\bgrasvc.exe [2008-06-17 20:52]
S3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []
S3 Winpv73;Winpv73;C:\WINDOWS\System32\drivers\Winpv73.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard REG_MULTI_SZ   BgMainSvc BsMailProxy

*Newly Created Service* - CATCHME
.
Contents of the ‘Scheduled Tasks’ folder

2008-08-05 C:\WINDOWS\Tasks\Søg efter opdateringer til Windows Live Toolbar.job
- C:\Programmer\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 22:40:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-05 22:43:04
ComboFix-quarantined-files.txt 2008-08-05 20:42:53
ComboFix2.txt 2008-08-05 08:55:05

Pre-Run: 71,736,430,592 byte ledig
Post-Run: 71,720,583,168 byte ledig

198—- E O F—- 2008-07-22 17:44:35

Username “Bruno” - 05-08-2008 22:46:04 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

DNS Resolver Cache blev tømt.

System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ “System”=””
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu “run” Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
“SunJavaUpdateSched”=”\“C:\\Programmer\\Java\\jre1.6.0_07\\bin\\jusched.exe\”“
“QuickTime Task”=”\“C:\\Programmer\\QuickTime\\qttask.exe\” -atboottime”
“Adobe Reader Speed Launcher”=”\“C:\\Programmer\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\”“

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ctfmon.exe”=“C:\\WINDOWS\\system32\\ctfmon.exe”
“swg”=“C:\\Programmer\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe”
“H/PC Connection Agent”=”\“C:\\Programmer\\Microsoft ActiveSync\\WCESCOMM.EXE\”“
“BullGuard Spamfilter”=”\“C:\\Programmer\\BullGuard Software\\BullGuard Spamfilter\\bullguard.exe\”“
....
Hosts file was reset, If you use a custom hosts file please replace it…
~~~~~ End report ~~~~~

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:51:56, on 05-08-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Lavasoft\Ad-Aware\aawservice.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmer\BullGuard Software\BullGuard Spamfilter\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\Programmer\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Programmer\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Programmer\Java\jre1.6.0_07\bin\jusched.exe
C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programmer\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programmer\BullGuard Software\BullGuard Spamfilter\bullguard.exe
C:\Programmer\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Bruno\Skrivebord\Spywarefri\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmer\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google; - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] “C:\Programmer\Java\jre1.6.0_07\bin\jusched.exe”
O4 - HKLM\..\Run: [QuickTime Task] “C:\Programmer\QuickTime\qttask.exe” -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] “C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programmer\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] “C:\Programmer\Microsoft ActiveSync\WCESCOMM.EXE”
O4 - HKCU\..\Run: [BullGuard Spamfilter] “C:\Programmer\BullGuard Software\BullGuard Spamfilter\bullguard.exe”
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘LOKAL TJENESTE’)
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘NETVÆRKSTJENESTE’)
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: &Windows; Live Search - res://C:\Programmer\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&ksporter; til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send til &Bluetooth;-enhed… - C:\Programmer\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra ‘Tools’ menuitem: Create Mobile Favorite… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra ‘Tools’ menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmer\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra ‘Tools’ menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmer\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmer\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Register/Branding/olr3313/OCX/v1018/flashax.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programmer\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Programmer\BullGuard Software\BullGuard Spamfilter\BullGuardUpdate.exe
O23 - Service: BGRaSvc - BullGuard - C:\Programmer\BullGuard Software\BullGuard Spamfilter\support\bgrasvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmer\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmer\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SBCSSvc - Unknown owner - (no file)
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

—
End of file - 9169 bytes

Bruno

Der vil komme en logløser i morgen tidlig, men jeg vil råde dig til at du straks i morgen kontakter din bank og får nye passwords til din netbank. Indtil da bør du holde lidt øje med dine konti. Hvilke programmer du efterfølgende bør bruge kan vi ta’ når du er renset.

Jeg har lavet nyt password til banken og glæder mig til i morgen
Endnu engang tak for de hurtige svar
Bruno

Der mangler lige lidt mere, så du skal igennem en ny tur:

Kopiér indholdet mellem de bølgede linier ind i et notepad-vindue, og gem indholdet i samme mappe, som Combofix ligger med navnet CFScript.txt. Når du gemmer, skal du sikre, at der under “filtyper” står “alle filer”.

~~~~~~~~~~~~~~~~~~~~~~~~~~
File::
C:\WINDOWS\system32\drivers\sbhr.sys
C:\WINDOWS\system32\pjjqsxxd.tmp

RootKit::
C:\WINDOWS\system32\drivers\sbhr.sys
C:\WINDOWS\system32\pjjqsxxd.tmp

Driver::
SBHR
Winua16
SBAPIFS
Winpv73
SBCSSvc

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfl84.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winjp62.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winlr84.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winms62.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winou38.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpv27.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpv73.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqw51.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winua16.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwd38.sys]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
“{EF99BD32-C1FB-11D2-892F-0090271D4F88}”=-
O24 - Desktop Component 0: Privacy Protection - (no file)
~~~~~~~~~~~~~~~~~~~~~~~~~~
Tag så fat i den nye fil med musen, og før den hen over Combofix-filen, hvorefter du “giver slip” med musen. Så skulle Combofix gerne give sig til at arbejde. Muligvis vil den kræve en genstart, hvilket du skal tillade. Du bør ikke klikke på vinduet imens værktøjet kører, idet det kan få din computer til at fryse.
Når combofix er færdig, og efter det har genstartet, skulle der gerne åbnes en logfil: combofix.txt
Indholdet af denne fil må du gerne lægge herind til gennemsyn

Hermed den nye log,til gennemsyn
Er spændt på at se om systemet nu er renset

Venligst Bruno

ComboFix 08-08-04.01 - Bruno 2008-08-06 9:47:45.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1030.18.158 [GMT 2:00]
Running from: C:\Documents and Settings\Bruno\Skrivebord\Spywarefri\ComboFix.exe
Command switches used :: C:\Documents and Settings\Bruno\Skrivebord\Spywarefri\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((  Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))
.

2008-08-05 22:45 . 2008-08-05 22:49 <DIR> d————C:\fixwareout
2008-08-05 21:56 . 2008-08-05 21:56 <DIR> d————C:\Programmer\CCleaner
2008-08-05 10:04 . 2008-08-05 10:04 <DIR> d————C:\Programmer\Malwarebytes’ Anti-Malware
2008-08-05 10:04 . 2008-08-05 10:04 <DIR> d————C:\Documents and Settings\Bruno\Application Data\Malwarebytes
2008-08-05 10:04 . 2008-08-05 10:04 <DIR> d————C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-05 10:04 . 2008-07-30 20:07 38,472—a———C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-05 10:04 . 2008-07-30 20:07 17,144—a———C:\WINDOWS\system32\drivers\mbam.sys
2008-08-05 00:43 . 2008-08-05 00:43 <DIR> d————C:\Programmer\Sun
2008-08-04 14:14 . 2008-08-04 14:14 <DIR> d————C:\Programmer\Fælles filer\Borland Shared
2008-08-04 14:14 . 2008-08-04 14:14 <DIR> d————C:\PDOXNET
2008-08-04 14:14 . 1999-01-20 05:01 210,032—a———C:\WINDOWS\system32\DBCLIENT.DLL
2008-08-04 14:14 . 1999-11-12 05:11 183,808—a———C:\WINDOWS\system32\BDEADMIN.CPL
2008-08-04 14:02 . 2008-08-04 16:13 <DIR> d————C:\Programmer\Siber Systems
2008-08-04 14:02 . 2008-08-04 14:23 <DIR> d————C:\Documents and Settings\Bruno\Application Data\GoodSync
2008-08-03 23:22 . 2008-08-03 23:22 <DIR> d————C:\Programmer\Lavasoft
2008-08-02 10:37 . 2008-08-04 14:47 489—a———C:\WINDOWS\system32\drivers\fwdrv.err
2008-07-29 07:47 . 2008-07-30 10:01 54,156—ah——- C:\WINDOWS\QTFont.qfn
2008-07-29 07:47 . 2008-07-29 07:47 1,409—a———C:\WINDOWS\QTFont.for
2008-07-28 10:11 . 2008-08-05 21:14 <DIR> d————C:\WEBBANK
2008-07-27 17:14 . 2008-07-27 17:14 37—a———C:\WINDOWS\Viewer.ini
2008-07-27 16:38 . 2008-07-27 16:38 <DIR> d————C:\NVIDIA
2008-07-27 15:52 . 1995-11-07 14:30 780,800—a———C:\WINDOWS\system32\ir41_32.dll
2008-07-27 15:52 . 1994-08-24 00:00 188,960—a———C:\WINDOWS\system\WINGDE.DLL
2008-07-27 15:52 . 1994-09-21 00:00 92,208—a———C:\WINDOWS\system\WING.DLL
2008-07-27 15:52 . 1995-03-22 00:00 56,832—a———C:\WINDOWS\system32\IYVU9_32.DLL
2008-07-27 15:52 . 1994-09-21 00:00 12,800—a———C:\WINDOWS\system\WING32.DLL
2008-07-27 15:52 . 1994-09-21 00:00 6,736—a———C:\WINDOWS\system\WINGDIB.DRV
2008-07-27 15:52 . 1994-09-02 00:00 5,195—a———C:\WINDOWS\system\DVA.386
2008-07-27 15:52 . 1994-09-21 00:00 5,024—a———C:\WINDOWS\system\WINGPAL.WND
2008-07-27 14:57 . 2001-05-16 17:54 309,616—a———C:\WINDOWS\system32\wmv8dmod.dll
2008-07-27 14:57 . 2001-03-26 04:41 245,760—a———C:\WINDOWS\system32\mp4sds32.ax
2008-07-27 14:54 . 2008-07-27 14:54 <DIR> d————C:\Programmer\Codemasters
2008-07-16 16:00 . 2008-07-16 16:00 <DIR> d————C:\WINDOWS\system32\da
2008-07-16 16:00 . 2008-07-16 16:00 <DIR> d————C:\WINDOWS\system32\bits
2008-07-16 16:00 . 2008-07-16 16:00 <DIR> d————C:\WINDOWS\l2schemas
2008-07-16 15:57 . 2008-07-16 16:00 <DIR> d————C:\WINDOWS\ServicePackFiles
2008-07-16 15:29 . 2008-07-16 15:29 <DIR> d————C:\Programmer\Common Files
2008-07-16 15:29 . 2008-07-16 15:29 <DIR> d————C:\Programmer\AvantGo Connect
2008-07-16 15:29 . 2008-07-16 15:29 2,464—a———C:\WINDOWS\$_hpcst$.hpc
2008-07-16 15:28 . 2008-07-16 15:29 <DIR> d————C:\Programmer\Microsoft ActiveSync
2008-07-09 07:34 . 2008-07-09 07:34 <DIR> d————C:\Programmer\Fælles filer\xing shared
2008-07-09 07:34 . 2008-07-09 07:34 <DIR> d————C:\Programmer\Fælles filer\Real
2008-07-08 11:02 . 2008-07-08 15:40 230—a———C:\config.xml
2008-07-08 10:48 . 2008-07-08 10:48 <DIR> d————C:\temp
2008-07-08 09:58 . 2008-07-08 09:58 <DIR> d————C:\Programmer\Alwil Software
2008-07-08 09:06 . 2008-07-08 09:06 <DIR> d————C:\Documents and Settings\All Users\Application Data\Avg8

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-06 06:52————- d——-w C:\Documents and Settings\All Users\Application Data\BullGuard
2008-08-05 09:01————- d——-w C:\Programmer\Yahoo!
2008-08-04 22:43————- d——-w C:\Programmer\Java
2008-08-04 21:55————- d——-w C:\Programmer\Fælles filer\Wise Installation Wizard
2008-07-27 14:38————- d——-w C:\Programmer\Fælles filer\InstallShield
2008-07-27 12:54————- d—h—w C:\Programmer\InstallShield Installation Information
2008-07-23 17:23————- d——-w C:\Programmer\MSN Messenger
2008-07-09 05:32————- d——-w C:\Programmer\Google
2008-06-20 17:48 246,784——a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600——a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496——a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856——a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 16:53————- d——-w C:\Programmer\Sunbelt Software
2008-06-19 16:52————- d——-w C:\Documents and Settings\Bruno\Application Data\Sunbelt Software
2008-06-19 16:52————- d——-w C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-06-17 18:51 50,896——a-w C:\WINDOWS\system32\drivers\BdFileSpy.sys
2008-06-17 18:51 20,048——a-w C:\WINDOWS\system32\BgOutlookHook.dll
2008-06-17 18:51 14,152——a-w C:\WINDOWS\system32\lccl.dll
2008-06-17 18:51 14,152——a-w C:\WINDOWS\system32\client_cc.dll
2008-06-17 18:50————- d——-w C:\Documents and Settings\Bruno\Application Data\BullGuard
2008-06-17 18:45————- d——-w C:\Programmer\BullGuard Software
2008-06-14 17:35 272,256———w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 07:09————- d——-w C:\Programmer\Microsoft CAPICOM 2.1.0.2
2008-06-10 09:04 15,544——a-w C:\WINDOWS\system32\drivers\sbhr.sys
2008-05-27 22:04 1,233,492—sha-w C:\WINDOWS\system32\pjjqsxxd.tmp
2008-05-26 15:18 0——a-w C:\Programmer\uninstall.dat
2008-05-16 09:58 12,632——a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-09 10:55 90,112——a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:55 430,080——a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:55 180,224——a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:55 172,032——a-w C:\WINDOWS\system32\scrrun.dll
2008-05-08 11:24 155,648——a-w C:\WINDOWS\system32\wscript.exe
2008-05-07 09:07 135,168——a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 05:11 1,292,288——a-w C:\WINDOWS\system32\quartz.dll
2008-03-31 14:40 2,293,848——a-w C:\Programmer\FLV PlayerFCSetup.exe
2008-03-31 13:55 4,265,560——a-w C:\Programmer\FLV PlayerRCATSetup.exe
2008-03-31 13:53 411,248——a-w C:\Programmer\FLV PlayerRCSetup.exe
2007-08-29 20:54 30,601———w C:\Documents and Settings\Bruno\x.exe
.

(((((((((((((((((((((((((((((  snapshot@2008-08-05_10.53.34.12   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-05 21:46:33 16,384——atw C:\WINDOWS\Temp\Perflib_Perfdata_514.dat
.
(((((((((((((((((((((((((((((((((((((  Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2008-04-14 18:05 15360]
“swg”=“C:\Programmer\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2008-07-13 08:35 68856]
“H/PC Connection Agent”=“C:\Programmer\Microsoft ActiveSync\WCESCOMM.EXE” [2003-04-23 03:43 413775]
“BullGuard Spamfilter”=“C:\Programmer\BullGuard Software\BullGuard Spamfilter\bullguard.exe” [2008-06-17 20:51 308552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“SunJavaUpdateSched”=“C:\Programmer\Java\jre1.6.0_07\bin\jusched.exe” [2008-06-10 04:27 144784]
“QuickTime Task”=“C:\Programmer\QuickTime\qttask.exe” [2007-10-19 21:16 286720]
“Adobe Reader Speed Launcher”=“C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2008-01-11 23:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2008-04-14 18:05 15360]
“swg”=“C:\Programmer\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2008-07-13 08:35 68856]
“Picasa Media Detector”=“C:\Programmer\Picasa2\PicasaMediaDetector.exe” [2007-09-28 03:17 443968]

C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\
BTTray.lnk - C:\Programmer\WIDCOMM\Bluetooth Software\BTTray.exe [2006-06-07 17:05:38 553021]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
“vidc.iv41”= IR41_32.DLL
“vidc.ir32”= C:\WINDOWS\system32\ir32_32.dll
“vidc.ir31”= C:\WINDOWS\system32\ir32_32.dll
“MSACM.CEGSM”= mobilev.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfl84.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winjp62.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winlr84.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winms62.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winou38.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpv27.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpv73.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqw51.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winua16.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwd38.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
—a———2008-07-19 16:38 78008 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\\Network Diagnostic\\xpnetdiag.exe”=
“C:\\Programmer\\Yahoo!\\Messenger\\YahooMessenger.exe”=
“C:\\WINDOWS\\system32\\java.exe”=
“C:\Documents and Settings\Bruno\Application Data\Facebook\facebook.exe”= C:\Documents and Settings\Bruno\Application Data\Facebook\facebook.exe:127.0.0.1/255.255.255.255:Enabled:Facebook
“C:\\Programmer\\Messenger\\msmsgs.exe”=
“C:\\WINDOWS\\system32\\sessmgr.exe”=
“C:\\Programmer\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe”=
“%windir%\\system32\\sessmgr.exe”=
“C:\\Programmer\\MSN Messenger\\msnmsgr.exe”=
“C:\\Programmer\\MSN Messenger\\livecall.exe”=
“C:\\Programmer\\Microsoft ActiveSync\\WCESCOMM.EXE”=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
“3389:TCP”= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-06-10 11:04]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 16:35]
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 10:21]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-04-26 10:21]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2007-08-18 01:27]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 16:37]
R2 SPF4;Sunbelt Personal Firewall 4;C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe [2007-04-26 10:21]
R3 Reconn;BullGuard Email Monitor;C:\Programmer\BullGuard Software\BullGuard Spamfilter\reconn.sys [2007-06-28 10:44]
S0 Winua16;Winua16;C:\WINDOWS\system32\Drivers\Winua16.sys []
S3 BGRaSvc;BGRaSvc;C:\Programmer\BullGuard Software\BullGuard Spamfilter\support\bgrasvc.exe [2008-06-17 20:52]
S3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []
S3 Winpv73;Winpv73;C:\WINDOWS\System32\drivers\Winpv73.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard REG_MULTI_SZ   BgMainSvc BsMailProxy
.
Contents of the ‘Scheduled Tasks’ folder

2008-08-01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Programmer\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2008-08-06 C:\WINDOWS\Tasks\Søg efter opdateringer til Windows Live Toolbar.job
- C:\Programmer\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 09:52:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-06 9:54:27
ComboFix-quarantined-files.txt 2008-08-06 07:54:18
ComboFix2.txt 2008-08-05 20:43:08
ComboFix3.txt 2008-08-05 08:55:05

Pre-Run: 71,730,130,944 byte ledig
Post-Run: 71,714,246,656 byte ledig

200—- E O F—- 2008-07-22 17:44:35

Den er stædig, men det kan vi også blive . Prøv lige følgende:

Slet først den gamle cfscript-fil. Kopiér så indholdet mellem de bølgede linier ind i et notepad-vindue, og gem indholdet i samme mappe, som Combofix ligger med navnet CFScript.txt. Når du gemmer, skal du sikre, at der under “filtyper” står “alle filer”.

~~~~~~~~~~~~~~~~~~~~~~~~~~
File::
C:\WINDOWS\system32\drivers\sbhr.sys
C:\WINDOWS\system32\pjjqsxxd.tmp
C:\WINDOWS\system32\Drivers\Winua16.sys
C:\WINDOWS\system32\drivers\sbapifs.sys
C:\WINDOWS\System32\drivers\Winpv73.sys

RootKit::
C:\WINDOWS\system32\drivers\sbhr.sys
C:\WINDOWS\system32\pjjqsxxd.tmp
C:\WINDOWS\system32\Drivers\Winua16.sys
C:\WINDOWS\system32\drivers\sbapifs.sys
C:\WINDOWS\System32\drivers\Winpv73.sys

Driver::
SBHR
Winua16
SBAPIFS
Winpv73
SBCSSvc

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfl84.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winjp62.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winlr84.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winms62.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winou38.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpv27.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpv73.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqw51.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winua16.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwd38.sys]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
“{EF99BD32-C1FB-11D2-892F-0090271D4F88}”=-
O24 - Desktop Component 0: Privacy Protection - (no file)
~~~~~~~~~~~~~~~~~~~~~~~~~~
Tag så fat i den nye fil med musen, og før den hen over Combofix-filen, hvorefter du “giver slip” med musen. Så skulle Combofix gerne give sig til at arbejde. Muligvis vil den kræve en genstart, hvilket du skal tillade. Du bør ikke klikke på vinduet imens værktøjet kører, idet det kan få din computer til at fryse.
Når combofix er færdig, og efter det har genstartet, skulle der gerne åbnes en logfil: combofix.txt
Indholdet af denne fil må du gerne lægge herind til gennemsyn

Dejligt i er stædige,[:D]
Kan i i korte træk fortælle mig hvad der er galt og hvad jeg egentlig sidder og laver [:I]

Her er den nye log fil

ComboFix 08-08-04.01 - Bruno 2008-08-06 11:15:08.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1030.18.180 [GMT 2:00]
Running from: C:\Documents and Settings\Bruno\Skrivebord\Spywarefri\ComboFix.exe
Command switches used :: C:\Documents and Settings\Bruno\Skrivebord\Spywarefri\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((  Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))
.

2008-08-05 22:45 . 2008-08-05 22:49 <DIR> d————C:\fixwareout
2008-08-05 21:56 . 2008-08-05 21:56 <DIR> d————C:\Programmer\CCleaner
2008-08-05 10:04 . 2008-08-05 10:04 <DIR> d————C:\Programmer\Malwarebytes’ Anti-Malware
2008-08-05 10:04 . 2008-08-05 10:04 <DIR> d————C:\Documents and Settings\Bruno\Application Data\Malwarebytes
2008-08-05 10:04 . 2008-08-05 10:04 <DIR> d————C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-05 10:04 . 2008-07-30 20:07 38,472—a———C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-05 10:04 . 2008-07-30 20:07 17,144—a———C:\WINDOWS\system32\drivers\mbam.sys
2008-08-05 00:43 . 2008-08-05 00:43 <DIR> d————C:\Programmer\Sun
2008-08-04 14:14 . 2008-08-04 14:14 <DIR> d————C:\Programmer\Fælles filer\Borland Shared
2008-08-04 14:14 . 2008-08-04 14:14 <DIR> d————C:\PDOXNET
2008-08-04 14:14 . 1999-01-20 05:01 210,032—a———C:\WINDOWS\system32\DBCLIENT.DLL
2008-08-04 14:14 . 1999-11-12 05:11 183,808—a———C:\WINDOWS\system32\BDEADMIN.CPL
2008-08-04 14:02 . 2008-08-04 16:13 <DIR> d————C:\Programmer\Siber Systems
2008-08-04 14:02 . 2008-08-04 14:23 <DIR> d————C:\Documents and Settings\Bruno\Application Data\GoodSync
2008-08-03 23:22 . 2008-08-03 23:22 <DIR> d————C:\Programmer\Lavasoft
2008-08-02 10:37 . 2008-08-04 14:47 489—a———C:\WINDOWS\system32\drivers\fwdrv.err
2008-07-29 07:47 . 2008-07-30 10:01 54,156—ah——- C:\WINDOWS\QTFont.qfn
2008-07-29 07:47 . 2008-07-29 07:47 1,409—a———C:\WINDOWS\QTFont.for
2008-07-28 10:11 . 2008-08-05 21:14 <DIR> d————C:\WEBBANK
2008-07-27 17:14 . 2008-07-27 17:14 37—a———C:\WINDOWS\Viewer.ini
2008-07-27 16:38 . 2008-07-27 16:38 <DIR> d————C:\NVIDIA
2008-07-27 15:52 . 1995-11-07 14:30 780,800—a———C:\WINDOWS\system32\ir41_32.dll
2008-07-27 15:52 . 1994-08-24 00:00 188,960—a———C:\WINDOWS\system\WINGDE.DLL
2008-07-27 15:52 . 1994-09-21 00:00 92,208—a———C:\WINDOWS\system\WING.DLL
2008-07-27 15:52 . 1995-03-22 00:00 56,832—a———C:\WINDOWS\system32\IYVU9_32.DLL
2008-07-27 15:52 . 1994-09-21 00:00 12,800—a———C:\WINDOWS\system\WING32.DLL
2008-07-27 15:52 . 1994-09-21 00:00 6,736—a———C:\WINDOWS\system\WINGDIB.DRV
2008-07-27 15:52 . 1994-09-02 00:00 5,195—a———C:\WINDOWS\system\DVA.386
2008-07-27 15:52 . 1994-09-21 00:00 5,024—a———C:\WINDOWS\system\WINGPAL.WND
2008-07-27 14:57 . 2001-05-16 17:54 309,616—a———C:\WINDOWS\system32\wmv8dmod.dll
2008-07-27 14:57 . 2001-03-26 04:41 245,760—a———C:\WINDOWS\system32\mp4sds32.ax
2008-07-27 14:54 . 2008-07-27 14:54 <DIR> d————C:\Programmer\Codemasters
2008-07-16 16:00 . 2008-07-16 16:00 <DIR> d————C:\WINDOWS\system32\da
2008-07-16 16:00 . 2008-07-16 16:00 <DIR> d————C:\WINDOWS\system32\bits
2008-07-16 16:00 . 2008-07-16 16:00 <DIR> d————C:\WINDOWS\l2schemas
2008-07-16 15:57 . 2008-07-16 16:00 <DIR> d————C:\WINDOWS\ServicePackFiles
2008-07-16 15:29 . 2008-07-16 15:29 <DIR> d————C:\Programmer\Common Files
2008-07-16 15:29 . 2008-07-16 15:29 <DIR> d————C:\Programmer\AvantGo Connect
2008-07-16 15:29 . 2008-07-16 15:29 2,464—a———C:\WINDOWS\$_hpcst$.hpc
2008-07-16 15:28 . 2008-07-16 15:29 <DIR> d————C:\Programmer\Microsoft ActiveSync
2008-07-09 07:34 . 2008-07-09 07:34 <DIR> d————C:\Programmer\Fælles filer\xing shared
2008-07-09 07:34 . 2008-07-09 07:34 <DIR> d————C:\Programmer\Fælles filer\Real
2008-07-08 11:02 . 2008-07-08 15:40 230—a———C:\config.xml
2008-07-08 10:48 . 2008-07-08 10:48 <DIR> d————C:\temp
2008-07-08 09:58 . 2008-07-08 09:58 <DIR> d————C:\Programmer\Alwil Software
2008-07-08 09:06 . 2008-07-08 09:06 <DIR> d————C:\Documents and Settings\All Users\Application Data\Avg8

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-06 09:07————- d——-w C:\Documents and Settings\All Users\Application Data\BullGuard
2008-08-05 09:01————- d——-w C:\Programmer\Yahoo!
2008-08-04 22:43————- d——-w C:\Programmer\Java
2008-08-04 21:55————- d——-w C:\Programmer\Fælles filer\Wise Installation Wizard
2008-07-27 14:38————- d——-w C:\Programmer\Fælles filer\InstallShield
2008-07-27 12:54————- d—h—w C:\Programmer\InstallShield Installation Information
2008-07-23 17:23————- d——-w C:\Programmer\MSN Messenger
2008-07-09 05:32————- d——-w C:\Programmer\Google
2008-06-20 17:48 246,784——a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600——a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496——a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856——a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 16:53————- d——-w C:\Programmer\Sunbelt Software
2008-06-19 16:52————- d——-w C:\Documents and Settings\Bruno\Application Data\Sunbelt Software
2008-06-19 16:52————- d——-w C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-06-17 18:51 50,896——a-w C:\WINDOWS\system32\drivers\BdFileSpy.sys
2008-06-17 18:51 20,048——a-w C:\WINDOWS\system32\BgOutlookHook.dll
2008-06-17 18:51 14,152——a-w C:\WINDOWS\system32\lccl.dll
2008-06-17 18:51 14,152——a-w C:\WINDOWS\system32\client_cc.dll
2008-06-17 18:50————- d——-w C:\Documents and Settings\Bruno\Application Data\BullGuard
2008-06-17 18:45————- d——-w C:\Programmer\BullGuard Software
2008-06-14 17:35 272,256———w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 07:09————- d——-w C:\Programmer\Microsoft CAPICOM 2.1.0.2
2008-06-10 09:04 15,544——a-w C:\WINDOWS\system32\drivers\sbhr.sys
2008-05-27 22:04 1,233,492—sha-w C:\WINDOWS\system32\pjjqsxxd.tmp
2008-05-26 15:18 0——a-w C:\Programmer\uninstall.dat
2008-05-16 09:58 12,632——a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-09 10:55 90,112——a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:55 430,080——a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:55 180,224——a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:55 172,032——a-w C:\WINDOWS\system32\scrrun.dll
2008-05-08 11:24 155,648——a-w C:\WINDOWS\system32\wscript.exe
2008-05-07 09:07 135,168——a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 05:11 1,292,288——a-w C:\WINDOWS\system32\quartz.dll
2008-03-31 14:40 2,293,848——a-w C:\Programmer\FLV PlayerFCSetup.exe
2008-03-31 13:55 4,265,560——a-w C:\Programmer\FLV PlayerRCATSetup.exe
2008-03-31 13:53 411,248——a-w C:\Programmer\FLV PlayerRCSetup.exe
2007-08-29 20:54 30,601———w C:\Documents and Settings\Bruno\x.exe
.

(((((((((((((((((((((((((((((  snapshot@2008-08-05_10.53.34.12   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-06 09:04:59 16,384——atw C:\WINDOWS\Temp\Perflib_Perfdata_518.dat
.
(((((((((((((((((((((((((((((((((((((  Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2008-04-14 18:05 15360]
“swg”=“C:\Programmer\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2008-07-13 08:35 68856]
“H/PC Connection Agent”=“C:\Programmer\Microsoft ActiveSync\WCESCOMM.EXE” [2003-04-23 03:43 413775]
“BullGuard Spamfilter”=“C:\Programmer\BullGuard Software\BullGuard Spamfilter\bullguard.exe” [2008-06-17 20:51 308552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“SunJavaUpdateSched”=“C:\Programmer\Java\jre1.6.0_07\bin\jusched.exe” [2008-06-10 04:27 144784]
“QuickTime Task”=“C:\Programmer\QuickTime\qttask.exe” [2007-10-19 21:16 286720]
“Adobe Reader Speed Launcher”=“C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2008-01-11 23:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2008-04-14 18:05 15360]
“swg”=“C:\Programmer\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2008-07-13 08:35 68856]
“Picasa Media Detector”=“C:\Programmer\Picasa2\PicasaMediaDetector.exe” [2007-09-28 03:17 443968]

C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\
BTTray.lnk - C:\Programmer\WIDCOMM\Bluetooth Software\BTTray.exe [2006-06-07 17:05:38 553021]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
“vidc.iv41”= IR41_32.DLL
“vidc.ir32”= C:\WINDOWS\system32\ir32_32.dll
“vidc.ir31”= C:\WINDOWS\system32\ir32_32.dll
“MSACM.CEGSM”= mobilev.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfl84.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winjp62.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winlr84.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winms62.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winou38.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpv27.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpv73.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqw51.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winua16.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwd38.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
—a———2008-07-19 16:38 78008 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\\Network Diagnostic\\xpnetdiag.exe”=
“C:\\Programmer\\Yahoo!\\Messenger\\YahooMessenger.exe”=
“C:\\WINDOWS\\system32\\java.exe”=
“C:\Documents and Settings\Bruno\Application Data\Facebook\facebook.exe”= C:\Documents and Settings\Bruno\Application Data\Facebook\facebook.exe:127.0.0.1/255.255.255.255:Enabled:Facebook
“C:\\Programmer\\Messenger\\msmsgs.exe”=
“C:\\WINDOWS\\system32\\sessmgr.exe”=
“C:\\Programmer\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe”=
“%windir%\\system32\\sessmgr.exe”=
“C:\\Programmer\\MSN Messenger\\msnmsgr.exe”=
“C:\\Programmer\\MSN Messenger\\livecall.exe”=
“C:\\Programmer\\Microsoft ActiveSync\\WCESCOMM.EXE”=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
“3389:TCP”= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-06-10 11:04]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 16:35]
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 10:21]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-04-26 10:21]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2007-08-18 01:27]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 16:37]
R2 SPF4;Sunbelt Personal Firewall 4;C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe [2007-04-26 10:21]
R3 Reconn;BullGuard Email Monitor;C:\Programmer\BullGuard Software\BullGuard Spamfilter\reconn.sys [2007-06-28 10:44]
S0 Winua16;Winua16;C:\WINDOWS\system32\Drivers\Winua16.sys []
S3 BGRaSvc;BGRaSvc;C:\Programmer\BullGuard Software\BullGuard Spamfilter\support\bgrasvc.exe [2008-06-17 20:52]
S3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []
S3 Winpv73;Winpv73;C:\WINDOWS\System32\drivers\Winpv73.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard REG_MULTI_SZ   BgMainSvc BsMailProxy
.
Contents of the ‘Scheduled Tasks’ folder

2008-08-01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Programmer\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2008-08-06 C:\WINDOWS\Tasks\Søg efter opdateringer til Windows Live Toolbar.job
- C:\Programmer\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 11:19:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-06 11:21:50
ComboFix-quarantined-files.txt 2008-08-06 09:21:41
ComboFix2.txt 2008-08-06 07:54:31
ComboFix3.txt 2008-08-05 20:43:08
ComboFix4.txt 2008-08-05 08:55:05

Pre-Run: 71,712,178,176 byte ledig
Post-Run: 71,697,620,992 byte ledig

201—- E O F—- 2008-07-22 17:44:35

Hej igen
Efter i har set den sidste log har jeg så stadig problemer ???
i plejer at være hurtige til at svare [:X] men det er lang tid siden jeg sendte loggen og ikke hørt fra jer [:(]

Kører i øjeblikket uden virus scanner

Venligst Bruno

Den er desværre stadig gal. Du har et lidt genstridigt rootkit, som vi bliver nødt til at give yderligere behandling. Jeg overfører derfor tråden til Rootkit-kategorien. Der gælder nogle særlige forhold for supporten i denne kategori, som du kan læse om her:

http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=29320

Hvis du alligevel vælger at fortsætte, så prøv følgende:

—Download Gmer-rootkit scanner, og pak den ud til skrivebordet:
http://www2.gmer.net/gmer.exe

Kør programmet, og vent imens der laves en hurtig “Quick Scan”. Klik så på “Scan”. Imens der scannes, bør du afbryde netforbindelsen, lukke alle åbne programmer, og undlade at bruge computeren til andre ting. Du bør heller ikke klikke på andre ting i Gmer-scanneren. Når scanningen er færdig, skal du klikke på “Save”, og gemme logfilen et sted, hvor du kan finde den igen. Find så logfilen, som du lige har gemt, og kopier indholdet herind i tråden.

I nogle tilfælde er logfilen så lang, at den ikke kan være i en enkelt post. Så må du lægge den af flere omgange.

—Hent RootRepeal her http://rootrepeal.googlepages.com/
Scroll ned og hent den under “Download”. Pak den ud til skrivebordet. Den er pakket i rar-programmet, så det er ikke sikkert at du kan pakke den ud uden at hente et særskilt pakkeprogram (fx Winrar).

Start RootRepeal. Dine sikkerhedsprogrammer vil måske brokke sig, fordi den er komprimeret, og installerer en driver. Klik på fanebladet Report. Klik på Scan. Sæt flueben ved Drivers, Files, og processes, og vælg at scanne dit C drev når den spørger om det. Scanningen tager et par minutter. Når den er færdig, så klik på Save Report, navngiv filen, og gem txt filen på skrivebordet, og kopier den her ind i tråden.

det lyder jo rigtigt ondt:)
Prøvede lige så her er de 2 reporter så må vi håbe det hjalp

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-06 20:33:29
Windows 5.1.2600 Service Pack 3

——System - GMER 1.0.14——

SSDT         \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                              ZwClose [0xAAA29618]
SSDT         \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Personal Firewall FWDRV/Sunbelt Software)                            ZwCreateFile [0xAAC03552]
SSDT         \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                              ZwCreateKey [0xAAA294D4]
SSDT         \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Personal Firewall FWDRV/Sunbelt Software)                            ZwCreateProcess [0xAAC02A1A]
SSDT         \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Personal Firewall FWDRV/Sunbelt Software)                            ZwCreateProcessEx [0xAAC02910]
SSDT         \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Personal Firewall FWDRV/Sunbelt Software)                            ZwCreateThread [0xAAC02F2A]
SSDT         \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Personal Firewall FWDRV/Sunbelt Software)                            ZwDeleteFile [0xAAC04034]
SSDT         \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Personal Firewall FWDRV/Sunbelt Software)                            ZwDeleteKey [0xAABFFD54]
SSDT         \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                              ZwDeleteValueKey [0xAAA299B2]
SSDT         \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                              ZwDuplicateObject [0xAAA290AC]
SSDT         \SystemRoot\system32\drivers\khips.sys (Sunbelt Personal Firewall Host Intrusion Prevention Driver/Sunbelt Software)          ZwLoadDriver [0xAAA62F64]
SSDT         \SystemRoot\system32\drivers\khips.sys (Sunbelt Personal Firewall Host Intrusion Prevention Driver/Sunbelt Software)          ZwMapViewOfSection [0xAAA6324A]
SSDT         \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Personal Firewall FWDRV/Sunbelt Software)                            ZwOpenFile [0xAAC03906]
SSDT         \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                              ZwOpenKey [0xAAA295AE]
SSDT         \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                              ZwOpenProcess [0xAAA28FEC]
SSDT         \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                              ZwOpenThread [0xAAA29050]
SSDT         \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                              ZwQueryValueKey [0xAAA296CE]
SSDT         \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                              ZwRestoreKey [0xAAA2968E]
SSDT         \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Personal Firewall FWDRV/Sunbelt Software)                            ZwResumeThread [0xAAC030DC]
SSDT         \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Personal Firewall FWDRV/Sunbelt Software)                            ZwSetInformationFile [0xAAC03CE0]
SSDT         \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                              ZwSetValueKey [0xAAA2980E]
SSDT         \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Personal Firewall FWDRV/Sunbelt Software)                            ZwWriteFile [0xAAC03BB2]

——Kernel code sections - GMER 1.0.14——

PAGENDSM     NDIS.sys!NdisMIndicateStatus                                                                     F81EC9EF 6 Bytes JMP AABF7C5E \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Personal Firewall FWDRV/Sunbelt Software)

——User code sections - GMER 1.0.14——

.text       C:\Programmer\WIDCOMM\Bluetooth Software\BTTray.exe[164] kernel32.dll!VirtualProtectEx                             7C801A61 5 Bytes JMP 001301A8
.text       C:\Programmer\WIDCOMM\Bluetooth Software\BTTray.exe[164] kernel32.dll!VirtualProtect                               7C801AD4 5 Bytes JMP 00130090
.text       C:\Programmer\WIDCOMM\Bluetooth Software\BTTray.exe[164] kernel32.dll!WriteProcessMemory                             7C802213 5 Bytes JMP 00130694
.text       C:\Programmer\WIDCOMM\Bluetooth Software\BTTray.exe[164] kernel32.dll!CreateProcessW                               7C802336 5 Bytes JMP 001302C0
.text       C:\Programmer\WIDCOMM\Bluetooth Software\BTTray.exe[164] kernel32.dll!CreateProcessA                               7C80236B 5 Bytes JMP 00130234
.text       C:\Programmer\WIDCOMM\Bluetooth Software\BTTray.exe[164] kernel32.dll!VirtualAlloc                                 7C809AE1 5 Bytes JMP 00130004
.text       C:\Programmer\WIDCOMM\Bluetooth Software\BTTray.exe[164] kernel32.dll!VirtualAllocEx                               7C809B02 5 Bytes JMP 0013011C
.text       C:\Programmer\WIDCOMM\Bluetooth Software\BTTray.exe[164] kernel32.dll!CreateRemoteThread                             7C8104BC 5 Bytes JMP 001304F0
.text       C:\Programmer\WIDCOMM\Bluetooth Software\BTTray.exe[164] kernel32.dll!CreateThread                                 7C8106C7 5 Bytes JMP 0013057C
.text       C:\Programmer\WIDCOMM\Bluetooth Software\BTTray.exe[164] kernel32.dll!CreateProcessInternalW                         7C81979C 5 Bytes JMP 001303D8
.text       C:\Programmer\WIDCOMM\Bluetooth Software\BTTray.exe[164] kernel32.dll!CreateProcessInternalA                         7C81D536 5 Bytes JMP 0013034C
.text       C:\Programmer\WIDCOMM\Bluetooth Software\BTTray.exe[164] kernel32.dll!WinExec                                   7C8623AD 5 Bytes JMP 00130464
.text       C:\Programmer\WIDCOMM\Bluetooth Software\BTTray.exe[164] kernel32.dll!SetThreadContext                             7C863AA9 5 Bytes JMP 00130608
.text       C:\Programmer\WIDCOMM\Bluetooth Software\BTTray.exe[164] USER32.dll!SetWindowsHookExW                               7E37820F 5 Bytes JMP 001307AC
.text       C:\Programmer\WIDCOMM\Bluetooth Software\BTTray.exe[164] USER32.dll!SetWindowsHookExA                               7E381211 5 Bytes JMP 00130720
.text       C:\Programmer\WIDCOMM\Bluetooth Software\BTTray.exe[164] WS2_32.dll!socket                                     71A84211 5 Bytes JMP 001308C4
.text       C:\Programmer\WIDCOMM\Bluetooth Software\BTTray.exe[164] WS2_32.dll!bind                                       71A84480 5 Bytes JMP 00130838
.text       C:\Programmer\WIDCOMM\Bluetooth Software\BTTray.exe[164] WS2_32.dll!connect                                     71A84A07 5 Bytes JMP 00130950
.text       C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[400] kernel32.dll!VirtualProtectEx     7C801A61 5 Bytes JMP 001301A8
.text       C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[400] kernel32.dll!VirtualProtect       7C801AD4 5 Bytes JMP 00130090
.text       C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[400] kernel32.dll!WriteProcessMemory     7C802213 5 Bytes JMP 00130694
.text       C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[400] kernel32.dll!CreateProcessW       7C802336 5 Bytes JMP 001302C0
.text       C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[400] kernel32.dll!CreateProcessA       7C80236B 5 Bytes JMP 00130234
.text       C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[400] kernel32.dll!VirtualAlloc         7C809AE1 5 Bytes JMP 00130004
.text       C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[400] kernel32.dll!VirtualAllocEx       7C809B02 5 Bytes JMP 0013011C
.text       C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[400] kernel32.dll!CreateRemoteThread     7C8104BC 5 Bytes JMP 001304F0
.text       C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[400] kernel32.dll!CreateThread         7C8106C7 5 Bytes JMP 0013057C
.text       C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[400] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8
.text       C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[400] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C
.text       C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[400] kernel32.dll!WinExec           7C8623AD 5 Bytes JMP 00130464
.text       C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[400] kernel32.dll!SetThreadContext     7C863AA9 5 Bytes JMP 00130608
.text       C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[400] WS2_32.dll!socket             71A84211 5 Bytes JMP 001308C4
.text       C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[400] WS2_32.dll!bind               71A84480 5 Bytes JMP 00130838
.text       C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[400] WS2_32.dll!connect             71A84A07 5 Bytes JMP 00130950
.text       C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[400] USER32.dll!SetWindowsHookExW       7E37820F 5 Bytes JMP 001307AC
.text       C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[400] USER32.dll!SetWindowsHookExA       7E381211 5 Bytes JMP 00130720
.text       C:\Programmer\BullGuard Software\BullGuard Spamfilter\BullGuardUpdate.exe[420] kernel32.dll!VirtualProtectEx               7C801A61 5 Bytes JMP 001301A8
.text       C:\Programmer\BullGuard Software\BullGuard Spamfilter\BullGuardUpdate.exe[420] kernel32.dll!VirtualProtect                 7C801AD4 5 Bytes JMP 00130090
.text       C:\Programmer\BullGuard Software\BullGuard Spamfilter\BullGuardUpdate.exe[420] kernel32.dll!WriteProcessMemory             7C802213 5 Bytes JMP 00130694
.text       C:\Programmer\BullGuard Software\BullGuard Spamfilter\BullGuardUpdate.exe[420] kernel32.dll!CreateProcessW                 7C802336 5 Bytes JMP 001302C0
.text       C:\Programmer\BullGuard Software\BullGuard Spamfilter\BullGuardUpdate.exe[420] kernel32.dll!CreateProcessA                 7C80236B 5 Bytes JMP 00130234
.text       C:\Programmer\BullGuard Software\BullGuard Spamfilter\BullGuardUpdate.exe[420] kernel32.dll!VirtualAlloc                 7C809AE1 5 Bytes JMP 00130004
.text       C:\Programmer\BullGuard Software\BullGuard Spamfilter\BullGuardUpdate.exe[420] kernel32.dll!VirtualAllocEx                 7C809B02 5 Bytes JMP 0013011C
.text       C:\Programmer\BullGuard Software\BullGuard Spamfilter\BullGuardUpdate.exe[420] kernel32.dll!CreateRemoteThread             7C8104BC 5 Bytes JMP 001304F0
.text       C:\Programmer\BullGuard Software\BullGuard Spamfilter\BullGuardUpdate.exe[420] kernel32.dll!CreateThread                 7C8106C7 5 Bytes JMP 0013057C
.text       C:\Programmer\BullGuard Software\BullGuard Spamfilter\BullGuardUpdate.exe[420] kernel32.dll!CreateProcessInternalW           7C81979C 5 Bytes JMP 001303D8
.text       C:\Programmer\BullGuard Software\BullGuard Spamfilter\BullGuardUpdate.exe[420] kernel32.dll!CreateProcessInternalA           7C81D536 5 Bytes JMP 0013034C
.text       C:\Programmer\BullGuard Software\BullGuard Spamfilter\BullGuardUpdate.exe[420] kernel32.dll!WinExec                     7C8623AD 5 Bytes JMP 00130464
.text       C:\Programmer\BullGuard Software\BullGuard Spamfilter\BullGuardUpdate.exe[420] kernel32.dll!SetThreadContext               7C863AA9 5 Bytes JMP 00130608
.text       C:\Programmer\BullGuard Software\BullGuard Spamfilter\BullGuardUpdate.exe[420] WS2_32.dll!socket                       71A84211 5 Bytes JMP 001308C4
.text       C:\Programmer\BullGuard Software\BullGuard Spamfilter\BullGuardUpdate.exe[420] WS2_32.dll!bind                         71A84480 5 Bytes JMP 00130838
.text       C:\Programmer\BullGuard Software\BullGuard Spamfilter\BullGuardUpdate.exe[420] WS2_32.dll!connect                       71A84A07 5 Bytes JMP 00130950
.text       C:\Programmer\BullGuard Software\BullGuard Spamfilter\BullGuardUpdate.exe[420] USER32.dll!SetWindowsHookExW               7E37820F 5 Bytes JMP 001307AC
.text       C:\Programmer\BullGuard Software\BullGuard Spamfilter\BullGuardUpdate.exe[420] USER32.dll!SetWindowsHookExA               7E381211 5 Bytes JMP 00130720
.text       C:\Programmer\BullGuard Software\BullGuard Spamfilter\BullGuardUpdate.exe[420] WININET.dll!InternetConnectA               4445499A 5 Bytes JMP 00130F54
.text       C:\Programmer\BullGuard Software\BullGuard Spamfilter\BullGuardUpdate.exe[420] WININET.dll!InternetConnectW               44455B88 5 Bytes JMP 00130FE0
.text       C:\Programmer\BullGuard Software\BullGuard Spamfilter\BullGuardUpdate.exe[420] WININET.dll!InternetOpenA                 4445C865 5 Bytes JMP 00130D24
.text       C:\Programmer\BullGuard Software\BullGuard Spamfilter\BullGuardUpdate.exe[420] WININET.dll!InternetOpenW                 4445CE99 5 Bytes JMP 00130DB0
.text       C:\Programmer\BullGuard Software\BullGuard Spamfilter\BullGuardUpdate.exe[420] WININET.dll!InternetOpenUrlA               44460BCA 5 Bytes JMP 00130E3C
.text       C:\Programmer\BullGuard Software\BullGuard Spamfilter\BullGuardUpdate.exe[420] WININET.dll!InternetOpenUrlW               444AAEA1 5 Bytes JMP 00130EC8
.text       C:\WINDOWS\System32\svchost.exe[456] kernel32.dll!VirtualProtectEx                                           7C801A61 5 Bytes JMP 000801A8
.text       C:\WINDOWS\System32\svchost.exe[456] kernel32.dll!VirtualProtect                                             7C801AD4 5 Bytes JMP 00080090
.text       C:\WINDOWS\System32\svchost.exe[456] kernel32.dll!WriteProcessMemory                                         7C802213 5 Bytes JMP 00080694
.text       C:\WINDOWS\System32\svchost.exe[456] kernel32.dll!CreateProcessW                                             7C802336 5 Bytes JMP 000802C0
.text       C:\WINDOWS\System32\svchost.exe[456] kernel32.dll!CreateProcessA                                             7C80236B 5 Bytes JMP 00080234
.text       C:\WINDOWS\System32\svchost.exe[456] kernel32.dll!VirtualAlloc                                             7C809AE1 5 Bytes JMP 00080004
.text       C:\WINDOWS\System32\svchost.exe[456] kernel32.dll!VirtualAllocEx                                             7C809B02 5 Bytes JMP 0008011C
.text       C:\WINDOWS\System32\svchost.exe[456] kernel32.dll!CreateRemoteThread                                         7C8104BC 5 Bytes JMP 000804F0
.text       C:\WINDOWS\System32\svchost.exe[456] kernel32.dll!CreateThread                                             7C8106C7 5 Bytes JMP 0008057C
.text       C:\WINDOWS\System32\svchost.exe[456] kernel32.dll!CreateProcessInternalW                                       7C81979C 5 Bytes JMP 000803D8
.text       C:\WINDOWS\System32\svchost.exe[456] kernel32.dll!CreateProcessInternalA                                       7C81D536 5 Bytes JMP 0008034C
.text       C:\WINDOWS\System32\svchost.exe[456] kernel32.dll!WinExec                                                 7C8623AD 5 Bytes JMP 00080464
.text       C:\WINDOWS\System32\svchost.exe[456] kernel32.dll!SetThreadContext                                           7C863AA9 5 Bytes JMP 00080608
.text       C:\WINDOWS\System32\svchost.exe[456] USER32.dll!SetWindowsHookExW                                           7E37820F 5 Bytes JMP 000807AC
.text       C:\WINDOWS\System32\svchost.exe[456] USER32.dll!SetWindowsHookExA                                           7E381211 5 Bytes JMP 00080720
.text       C:\WINDOWS\System32\svchost.exe[456] WS2_32.dll!socket                                                   71A84211 5 Bytes JMP 000808C4
.text       C:\WINDOWS\System32\svchost.exe[456] WS2_32.dll!bind                                                     71A84480 5 Bytes JMP 00080838
.text       C:\WINDOWS\System32\svchost.exe[456] WS2_32.dll!connect                                                   71A84A07 5 Bytes JMP 00080950
.text       C:\Programmer\WIDCOMM\Bluetooth Software\bin\btwdins.exe[484] kernel32.dll!VirtualProtectEx                           7C801A61 5 Bytes JMP 001301A8
.text       C:\Programmer\WIDCOMM\Bluetooth Software\bin\btwdins.exe[484] kernel32.dll!VirtualProtect                           7C801AD4 5 Bytes JMP 00130090
.text       C:\Programmer\WIDCOMM\Bluetooth Software\bin\btwdins.exe[484] kernel32.dll!WriteProcessMemory                         7C802213 5 Bytes JMP 00130694
.text       C:\Programmer\WIDCOMM\Bluetooth Software\bin\btwdins.exe[484] kernel32.dll!CreateProcessW                           7C802336 5 Bytes JMP 001302C0
.text       C:\Programmer\WIDCOMM\Bluetooth Software\bin\btwdins.exe[484] kernel32.dll!CreateProcessA                           7C80236B 5 Bytes JMP 00130234
.text       C:\Programmer\WIDCOMM\Bluetooth Software\bin\btwdins.exe[484] kernel32.dll!VirtualAlloc                             7C809AE1 5 Bytes JMP 00130004
.text       C:\Programmer\WIDCOMM\Bluetooth Software\bin\btwdins.exe[484] kernel32.dll!VirtualAllocEx                           7C809B02 5 Bytes JMP 0013011C
.text       C:\Programmer\WIDCOMM\Bluetooth Software\bin\btwdins.exe[484] kernel32.dll!CreateRemoteThread                         7C8104BC 5 Bytes JMP 001304F0
.text       C:\Programmer\WIDCOMM\Bluetooth Software\bin\btwdins.exe[484] kernel32.dll!CreateThread                             7C8106C7 5 Bytes JMP 0013057C
.text       C:\Programmer\WIDCOMM\Bluetooth Software\bin\btwdins.exe[484] kernel32.dll!CreateProcessInternalW                       7C81979C 5 Bytes JMP 001303D8
.text       C:\Programmer\WIDCOMM\Bluetooth Software\bin\btwdins.exe[484] kernel32.dll!CreateProcessInternalA                       7C81D536 5 Bytes JMP 0013034C
.text       C:\Programmer\WIDCOMM\Bluetooth Software\bin\btwdins.exe[484] kernel32.dll!WinExec                                 7C8623AD 5 Bytes JMP 00130464
.text       C:\Programmer\WIDCOMM\Bluetooth Software\bin\btwdins.exe[484] kernel32.dll!SetThreadContext                           7C863AA9 5 Bytes JMP 00130608
.text       C:\Programmer\WIDCOMM\Bluetooth Software\bin\btwdins.exe[484] WS2_32.dll!socket                                   71A84211 5 Bytes JMP 001308C4
.text       C:\Programmer\WIDCOMM\Bluetooth Software\bin\btwdins.exe[484] WS2_32.dll!bind                                   71A84480 5 Bytes JMP 00130838
.text       C:\Programmer\WIDCOMM\Bluetooth Software\bin\btwdins.exe[484] WS2_32.dll!connect                                 71A84A07 5 Bytes JMP 00130950
.text       C:\Programmer\WIDCOMM\Bluetooth Software\bin\btwdins.exe[484] USER32.dll!SetWindowsHookExW                           7E37820F 5 Bytes JMP 001307AC
.text       C:\Programmer\WIDCOMM\Bluetooth Software\bin\btwdins.exe[484] USER32.dll!SetWindowsHookExA                           7E381211 5 Bytes JMP 00130720
.text       C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE[564] kernel32.dll!VirtualProtectEx                       7C801A61 5 Bytes JMP 001301A8
.text       C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE[564] kernel32.dll!VirtualProtect                         7C801AD4 5 Bytes JMP 00130090
.text       C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE[564] kernel32.dll!WriteProcessMemory                       7C802213 5 Bytes JMP 00130694
.text       C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE[564] kernel32.dll!CreateProcessW                         7C802336 5 Bytes JMP 001302C0
.text       C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE[564] kernel32.dll!CreateProcessA                         7C80236B 5 Bytes JMP 00130234
.text       C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE[564] kernel32.dll!VirtualAlloc                           7C809AE1 5 Bytes JMP 00130004
.text       C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE[564] kernel32.dll!VirtualAllocEx                         7C809B02 5 Bytes JMP 0013011C
.text       C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE[564] kernel32.dll!CreateRemoteThread                       7C8104BC 5 Bytes JMP 001304F0
.text       C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE[564] kernel32.dll!CreateThread                           7C8106C7 5 Bytes JMP 0013057C
.text       C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE[564] kernel32.dll!CreateProcessInternalW                   7C81979C 5 Bytes JMP 001303D8
.text       C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE[564] kernel32.dll!CreateProcessInternalA                   7C81D536 5 Bytes JMP 0013034C
.text       C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE[564] kernel32.dll!WinExec                             7C8623AD 5 Bytes JMP 00130464
.text       C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE[564] kernel32.dll!SetThreadContext                       7C863AA9 5 Bytes JMP 00130608
.text       C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE[564] USER32.dll!SetWindowsHookExW                         7E37820F 5 Bytes JMP 001307AC
.text       C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE[564] USER32.dll!SetWindowsHookExA                         7E381211 5 Bytes JMP 00130720
.text       C:\WINDOWS\system32\csrss.exe[576] KERNEL32.dll!VirtualProtectEx                                             7C801A61 5 Bytes JMP 001601A8
.text       C:\WINDOWS\system32\csrss.exe[576] KERNEL32.dll!VirtualProtect                                             7C801AD4 5 Bytes JMP 00160090
.text       C:\WINDOWS\system32\csrss.exe[576] KERNEL32.dll!WriteProcessMemory                                           7C802213 5 Bytes JMP 00160694
.text       C:\WINDOWS\system32\csrss.exe[576] KERNEL32.dll!CreateProcessW                                             7C802336 5 Bytes JMP 001602C0
.text       C:\WINDOWS\system32\csrss.exe[576] KERNEL32.dll!CreateProcessA                                             7C80236B 5 Bytes JMP 00160234
.text       C:\WINDOWS\system32\csrss.exe[576] KERNEL32.dll!VirtualAlloc                                               7C809AE1 5 Bytes JMP 00160004
.text       C:\WINDOWS\system32\csrss.exe[576] KERNEL32.dll!VirtualAllocEx                                             7C809B02 5 Bytes JMP 0016011C
.text       C:\WINDOWS\system32\csrss.exe[576] KERNEL32.dll!CreateRemoteThread                                           7C8104BC 5 Bytes JMP 001604F0
.text       C:\WINDOWS\system32\csrss.exe[576] KERNEL32.dll!CreateThread                                               7C8106C7 5 Bytes JMP 0016057C
.text       C:\WINDOWS\system32\csrss.exe[576] KERNEL32.dll!CreateProcessInternalW                                         7C81979C 5 Bytes JMP 001603D8
.text       C:\WINDOWS\system32\csrss.exe[576] KERNEL32.dll!CreateProcessInternalA                                         7C81D536 5 Bytes JMP 0016034C
.text       C:\WINDOWS\system32\csrss.exe[576] KERNEL32.dll!WinExec                                                   7C8623AD 5 Bytes JMP 00160464
.text       C:\WINDOWS\system32\csrss.exe[576] KERNEL32.dll!SetThreadContext                                             7C863AA9 5 Bytes JMP 00160608
.text       C:\WINDOWS\system32\csrss.exe[576] USER32.dll!SetWindowsHookExW                                             7E37820F 5 Bytes JMP 001607AC
.text       C:\WINDOWS\system32\csrss.exe[576] USER32.dll!SetWindowsHookExA                                             7E381211 5 Bytes JMP 00160720
.text       C:\WINDOWS\system32\winlogon.exe[600] kernel32.dll!VirtualProtectEx                                           7C801A61 5 Bytes JMP 000701A8
.text       C:\WINDOWS\system32\winlogon.exe[600] kernel32.dll!VirtualProtect                                           7C801AD4 5 Bytes JMP 00070090
.text       C:\WINDOWS\system32\winlogon.exe[600] kernel32.dll!WriteProcessMemory                                         7C802213 5 Bytes JMP 00070694
.text       C:\WINDOWS\system32\winlogon.exe[600] kernel32.dll!CreateProcessW                                           7C802336 5 Bytes JMP 000702C0
.text       C:\WINDOWS\system32\winlogon.exe[600] kernel32.dll!CreateProcessA                                           7C80236B 5 Bytes JMP 00070234
.text       C:\WINDOWS\system32\winlogon.exe[600] kernel32.dll!VirtualAlloc                                             7C809AE1 5 Bytes JMP 00070004
.text       C:\WINDOWS\system32\winlogon.exe[600] kernel32.dll!VirtualAllocEx                                           7C809B02 5 Bytes JMP 0007011C
.text       C:\WINDOWS\system32\winlogon.exe[600] kernel32.dll!CreateRemoteThread                                         7C8104BC 5 Bytes JMP 000704F0
.text       C:\WINDOWS\system32\winlogon.exe[600] kernel32.dll!CreateThread                                             7C8106C7 5 Bytes JMP 0007057C
.text       C:\WINDOWS\system32\winlogon.exe[600] kernel32.dll!CreateProcessInternalW                                       7C81979C 5 Bytes JMP 000703D8
.text       C:\WINDOWS\system32\winlogon.exe[600] kernel32.dll!CreateProcessInternalA                                       7C81D536 5 Bytes JMP 0007034C
.text       C:\WINDOWS\system32\winlogon.exe[600] kernel32.dll!WinExec                                                 7C8623AD 5 Bytes JMP 00070464
.text       C:\WINDOWS\system32\winlogon.exe[600] kernel32.dll!SetThreadContext                                           7C863AA9 5 Bytes JMP 00070608
.text       C:\WINDOWS\system32\winlogon.exe[600] USER32.dll!SetWindowsHookExW                                           7E37820F 5 Bytes JMP 000707AC
.text       C:\WINDOWS\system32\winlogon.exe[600] USER32.dll!SetWindowsHookExA                                           7E381211 5 Bytes JMP 00070720
.text       C:\WINDOWS\system32\winlogon.exe[600] WS2_32.dll!socket                                                   71A84211 5 Bytes JMP 000708C4
.text       C:\WINDOWS\system32\winlogon.exe[600] WS2_32.dll!bind                                                   71A84480 5 Bytes JMP 00070838
.text       C:\WINDOWS\system32\winlogon.exe[600] WS2_32.dll!connect                                                 71A84A07 5 Bytes JMP 00070950
.text       C:\WINDOWS\system32\services.exe[644] kernel32.dll!VirtualProtectEx                                           7C801A61 5 Bytes JMP 000801A8
.text       C:\WINDOWS\system32\services.exe[644] kernel32.dll!VirtualProtect                                           7C801AD4 5 Bytes JMP 00080090
.text       C:\WINDOWS\system32\services.exe[644] kernel32.dll!WriteProcessMemory                                         7C802213 5 Bytes JMP 00080694
.text       C:\WINDOWS\system32\services.exe[644] kernel32.dll!CreateProcessW                                           7C802336 5 Bytes JMP 000802C0
.text       C:\WINDOWS\system32\services.exe[644] kernel32.dll!CreateProcessA                                           7C80236B 5 Bytes JMP 00080234
.text       C:\WINDOWS\system32\services.exe[644] kernel32.dll!VirtualAlloc                                             7C809AE1 5 Bytes JMP 00080004
.text       C:\WINDOWS\system32\services.exe[644] kernel32.dll!VirtualAllocEx                                           7C809B02 5 Bytes JMP 0008011C
.text       C:\WINDOWS\system32\services.exe[644] kernel32.dll!CreateRemoteThread                                         7C8104BC 5 Bytes JMP 000804F0
.text       C:\WINDOWS\system32\services.exe[644] kernel32.dll!CreateThread                                             7C8106C7 5 Bytes JMP 0008057C
.text       C:\WINDOWS\system32\services.exe[644] kernel32.dll!CreateProcessInternalW                                       7C81979C 5 Bytes JMP 000803D8
.text       C:\WINDOWS\system32\services.exe[644] kernel32.dll!CreateProcessInternalA                                       7C81D536 5 Bytes JMP 0008034C
.text       C:\WINDOWS\system32\services.exe[644] kernel32.dll!WinExec                                                 7C8623AD 5 Bytes JMP 00080464
.text       C:\WINDOWS\system32\services.exe[644] kernel32.dll!SetThreadContext                                           7C863AA9 5 Bytes JMP 00080608
.text       C:\WINDOWS\system32\services.exe[644] USER32.dll!SetWindowsHookExW                                           7E37820F 5 Bytes JMP 000807AC
.text       C:\WINDOWS\system32\services.exe[644] USER32.dll!SetWindowsHookExA                                           7E381211 5 Bytes JMP 00080720
.text       C:\WINDOWS\system32\services.exe[644] WS2_32.dll!socket                                                   71A84211 5 Bytes JMP 000808C4
.text       C:\WINDOWS\system32\services.exe[644] WS2_32.dll!bind                                                   71A84480 5 Bytes JMP 00080838
.text       C:\WINDOWS\system32\services.exe[644] WS2_32.dll!connect                                                 71A84A07 5 Bytes JMP 00080950
.text       C:\WINDOWS\system32\lsass.exe[656] kernel32.dll!VirtualProtectEx                                             7C801A61 5 Bytes JMP 000801A8
.text       C:\WINDOWS\system32\lsass.exe[656] kernel32.dll!VirtualProtect                                             7C801AD4 5 Bytes JMP 00080090
.text       C:\WINDOWS\system32\lsass.exe[656] kernel32.dll!WriteProcessMemory                                           7C802213 5 Bytes JMP 00080694
.text       C:\WINDOWS\system32\lsass.exe[656] kernel32.dll!CreateProcessW                                             7C802336 5 Bytes JMP 000802C0
.text       C:\WINDOWS\system32\lsass.exe[656] kernel32.dll!CreateProcessA                                             7C80236B 5 Bytes JMP 00080234
.text       C:\WINDOWS\system32\lsass.exe[656] kernel32.dll!VirtualAlloc                                               7C809AE1 5 Bytes JMP 00080004
.text       C:\WINDOWS\system32\lsass.exe[656] kernel32.dll!VirtualAllocEx                                             7C809B02 5 Bytes JMP 0008011C
.text       C:\WINDOWS\system32\lsass.exe[656] kernel32.dll!CreateRemoteThread                                           7C8104BC 5 Bytes JMP 000804F0
.text       C:\WINDOWS\system32\lsass.exe[656] kernel32.dll!CreateThread                                               7C8106C7 5 Bytes JMP 0008057C
.text       C:\WINDOWS\system32\lsass.exe[656] kernel32.dll!CreateProcessInternalW                                         7C81979C 5 Bytes JMP 000803D8
.text       C:\WINDOWS\system32\lsass.exe[656] kernel32.dll!CreateProcessInternalA                                         7C81D536 5 Bytes JMP 0008034C
.text       C:\WINDOWS\system32\lsass.exe[656] kernel32.dll!WinExec                                                   7C8623AD 5 Bytes JMP 00080464
.text       C:\WINDOWS\system32\lsass.exe[656] kernel32.dll!SetThreadContext                                             7C863AA9 5 Bytes JMP 00080608
.text       C:\WINDOWS\system32\lsass.exe[656] USER32.dll!SetWindowsHookExW                                             7E37820F 5 Bytes JMP 000807AC
.text       C:\WINDOWS\system32\lsass.exe[656] USER32.dll!SetWindowsHookExA                                             7E381211 5 Bytes JMP 00080720
.text       C:\WINDOWS\system32\lsass.exe[656] WS2_32.dll!socket                                                     71A84211 5 Bytes JMP 000808C4
.text       C:\WINDOWS\system32\lsass.exe[656] WS2_32.dll!bind                                                     71A84480 5 Bytes JMP 00080838
.text       C:\WINDOWS\system32\lsass.exe[656] WS2_32.dll!connect                                                   71A84A07 5 Bytes JMP 00080950
.text       C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe[788] kernel32.dll!VirtualProtectEx                         7C801A61 5 Bytes JMP 000301A8
.text       C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe[788] kernel32.dll!VirtualProtect                         7C801AD4 5 Bytes JMP 00030090
.text       C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe[788] kernel32.dll!WriteProcessMemory                       7C802213 5 Bytes JMP 00030694
.text       C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe[788] kernel32.dll!CreateProcessW                         7C802336 5 Bytes JMP 000302C0
.text       C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe[788] kernel32.dll!CreateProcessA                         7C80236B 5 Bytes JMP 00030234
.text       C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe[788] kernel32.dll!VirtualAlloc                           7C809AE1 5 Bytes JMP 00030004
.text       C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe[788] kernel32.dll!VirtualAllocEx                         7C809B02 5 Bytes JMP 0003011C
.text       C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe[788] kernel32.dll!CreateRemoteThread                       7C8104BC 5 Bytes JMP 000304F0
.text       C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe[788] kernel32.dll!CreateThread                           7C8106C7 5 Bytes JMP 0003057C
.text       C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe[788] kernel32.dll!CreateProcessInternalW                     7C81979C 5 Bytes JMP 000303D8
.text       C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe[788] kernel32.dll!CreateProcessInternalA                     7C81D536 5 Bytes JMP 0003034C
.text       C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe[788] kernel32.dll!WinExec                               7C8623AD 5 Bytes JMP 00030464
.text       C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe[788] kernel32.dll!SetThreadContext                         7C863AA9 5 Bytes JMP 00030608
.text       C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe[788] USER32.dll!SetWindowsHookExW                         7E37820F 5 Bytes JMP 000307AC
.text       C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe[788] USER32.dll!SetWindowsHookExA                         7E381211 5 Bytes JMP 00030720
.text       C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe[788] WS2_32.dll!socket                                 71A84211 5 Bytes JMP 000308C4
.text       C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe[788] WS2_32.dll!bind                                 71A84480 5 Bytes JMP 00030838
.text       C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe[788] WS2_32.dll!connect                               71A84A07 5 Bytes JMP 00030950
.text       C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe[788] WININET.dll!InternetConnectA                         4445499A 5 Bytes JMP 00030F54
.text       C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe[788] WININET.dll!InternetConnectW                         44455B88 5 Bytes JMP 00030FE0
.text       C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe[788] WININET.dll!InternetOpenA                           4445C865 5 Bytes JMP 00030D24
.text       C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe[788] WININET.dll!InternetOpenW                           4445CE99 5 Bytes JMP 00030DB0
.text       C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe[788] WININET.dll!InternetOpenUrlA                         44460BCA 5 Bytes JMP 00030E3C
.text       C:\Programmer\Sunbelt Software\Personal Firewall\kpf4ss.exe[788] WININET.dll!InternetOpenUrlW                         444AAEA1 5 Bytes JMP 00030EC8
.text       C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!VirtualProtectEx                                           7C801A61 5 Bytes JMP 000801A8
.text       C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!VirtualProtect                                             7C801AD4 5 Bytes JMP 00080090
.text       C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!WriteProcessMemory                                         7C802213 5 Bytes JMP 00080694
.text       C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!CreateProcessW                                             7C802336 5 Bytes JMP 000802C0
.text       C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!CreateProcessA                                             7C80236B 5 Bytes JMP 00080234
.text       C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!VirtualAlloc                                             7C809AE1 5 Bytes JMP 00080004
.text       C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!VirtualAllocEx                                             7C809B02 5 Bytes JMP 0008011C
.text       C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!CreateRemoteThread                                         7C8104BC 5 Bytes JMP 000804F0
.text       C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!CreateThread                                             7C8106C7 5 Bytes JMP 0008057C
.text       C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!CreateProcessInternalW                                       7C81979C 5 Bytes JMP 000803D8
.text       C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!CreateProcessInternalA                                       7C81D536 5 Bytes JMP 0008034C
.text       C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!WinExec                                                 7C8623AD 5 Bytes JMP 00080464
.text       C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!SetThreadContext                                           7C863AA9 5 Bytes JMP 00080608
.text       C:\WINDOWS\system32\svchost.exe[812] USER32.dll!SetWindowsHookExW                                           7E37820F 5 Bytes JMP 000807AC
.text       C:\WINDOWS\system32\svchost.exe[812] USER32.dll!SetWindowsHookExA                                           7E381211 5 Bytes JMP 00080720
.text       C:\WINDOWS\system32\svchost.exe[812] WS2_32.dll!socket                                                   71A84211 5 Bytes JMP 000808C4
.text       C:\WINDOWS\system32\svchost.exe[812] WS2_32.dll!bind                                                     71A84480 5 Bytes JMP 00080838
.text       C:\WINDOWS\system32\svchost.exe[812] WS2_32.dll!connect                                                   71A84A07 5 Bytes JMP 00080950
.text       C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!VirtualProtectEx                                           7C801A61 5 Bytes JMP 000801A8
.text       C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!VirtualProtect                                             7C801AD4 5 Bytes JMP 00080090
.text       C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!WriteProcessMemory                                         7C802213 5 Bytes JMP 00080694
.text       C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreateProcessW                                             7C802336 5 Bytes JMP 000802C0
.text       C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreateProcessA                                             7C80236B 5 Bytes JMP 00080234
.text       C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!VirtualAlloc                                             7C809AE1 5 Bytes JMP 00080004
.text       C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!VirtualAllocEx                                             7C809B02 5 Bytes JMP 0008011C
.text       C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreateRemoteThread                                         7C8104BC 5 Bytes JMP 000804F0
.text       C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreateThread                                             7C8106C7 5 Bytes JMP 0008057C
.text       C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreateProcessInternalW                                       7C81979C 5 Bytes JMP 000803D8
.text       C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreateProcessInternalA                                       7C81D536 5 Bytes JMP 0008034C
.text       C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!WinExec                                                 7C8623AD 5 Bytes JMP 00080464
.text       C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!SetThreadContext                                           7C863AA9 5 Bytes JMP 00080608
.text       C:\WINDOWS\system32\svchost.exe[856] USER32.dll!SetWindowsHookExW                                           7E37820F 5 Bytes JMP 000807AC
.text       C:\WINDOWS\system32\svchost.exe[856] USER32.dll!SetWindowsHookExA                                           7E381211 5 Bytes JMP 00080720
.text       C:\WINDOWS\system32\svchost.exe[856] WS2_32.dll!socket                                                   71A84211 5 Bytes JMP 000808C4
.text       C:\WINDOWS\system32\svchost.exe[856] WS2_32.dll!bind                                                     71A84480 5 Bytes JMP 00080838
.text       C:\WINDOWS\system32\svchost.exe[856] WS2_32.dll!connect                                                   71A84A07 5 Bytes JMP 00080950
.text       C:\WINDOWS\System32\svchost.exe[924] kernel32.dll!VirtualProtectEx                                           7C801A61 5 Bytes JMP 000801A8
.text       C:\WINDOWS\System32\svchost.exe[924] kernel32.dll!VirtualProtect                                             7C801AD4 5 Bytes JMP 00080090
.text       C:\WINDOWS\System32\svchost.exe[924] kernel32.dll!WriteProcessMemory                                         7C802213 5 Bytes JMP 00080694
.text       C:\WINDOWS\System32\svchost.exe[924] kernel32.dll!CreateProcessW                                             7C802336 5 Bytes JMP 000802C0
.text       C:\WINDOWS\System32\svchost.exe[924] kernel32.dll!CreateProcessA                                             7C80236B 5 Bytes JMP 00080234
.text       C:\WINDOWS\System32\svchost.exe[924] kernel32.dll!VirtualAlloc                                             7C809AE1 5 Bytes JMP 00080004
.text       C:\WINDOWS\System32\svchost.exe[924] kernel32.dll!VirtualAllocEx                                             7C809B02 5 Bytes JMP 0008011C
.text       C:\WINDOWS\System32\svchost.exe[924] kernel32.dll!CreateRemoteThread                                         7C8104BC 5 Bytes JMP 000804F0
.text       C:\WINDOWS\System32\svchost.exe[924] kernel32.dll!CreateThread                                             7C8106C7 5 Bytes JMP 0008057C
.text       C:\WINDOWS\System32\svchost.exe[924] kernel32.dll!CreateProcessInternalW                                       7C81979C 5 Bytes JMP 000803D8
.text       C:\WINDOWS\System32\svchost.exe[924] kernel32.dll!CreateProcessInternalA                                       7C81D536 5 Bytes JMP 0008034C
.text       C:\WINDOWS\System32\svchost.exe[924] kernel32.dll!WinExec                                                 7C8623AD 5 Bytes JMP 00080464
.text       C:\WINDOWS\System32\svchost.exe[924] kernel32.dll!SetThreadContext                                           7C863AA9 5 Bytes JMP 00080608
.text       C:\WINDOWS\System32\svchost.exe[924] USER32.dll!SetWindowsHookExW                                           7E37820F 5 Bytes JMP 000807AC
.text       C:\WINDOWS\System32\svchost.exe[924] USER32.dll!SetWindowsHookExA                                           7E381211 5 Bytes JMP 00080720
.text       C:\WINDOWS\System32\svchost.exe[924] WS2_32.dll!socket                                                   71A84211 5 Bytes JMP 000808C4
.text       C:\WINDOWS\System32\svchost.exe[924] WS2_32.dll!bind                                                     71A84480 5 Bytes JMP 00080838
.text       C:\WINDOWS\System32\svchost.exe[924] WS2_32.dll!connect                                                   71A84A07 5 Bytes JMP 00080950
.text       C:\WINDOWS\System32\svchost.exe[924] WININET.dll!InternetConnectA                                           4445499A 5 Bytes JMP 00080F54
.text       C:\WINDOWS\System32\svchost.exe[924] WININET.dll!InternetConnectW                                           44455B88 5 Bytes JMP 00080FE0
.text       C:\WINDOWS\System32\svchost.exe[924] WININET.dll!InternetOpenA                                             4445C865 5 Bytes JMP 00080D24
.text       C:\WINDOWS\System32\svchost.exe[924] WININET.dll!InternetOpenW                                             4445CE99 5 Bytes JMP 00080DB0
.text       C:\WINDOWS\System32\svchost.exe[924] WININET.dll!InternetOpenUrlA                                           44460BCA 5 Bytes JMP 00080E3C
.text       C:\WINDOWS\System32\svchost.exe[924] WININET.dll!InternetOpenUrlW                                           444AAEA1 5 Bytes JMP 00080EC8
.text       C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!VirtualProtectEx                                           7C801A61 5 Bytes JMP 000801A8
.text       C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!VirtualProtect                                             7C801AD4 5 Bytes JMP 00080090
.text       C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!WriteProcessMemory                                         7C802213 5 Bytes JMP 00080694
.text       C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateProcessW                                             7C802336 5 Bytes JMP 000802C0
.text       C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateProcessA                                             7C80236B 5 Bytes JMP 00080234
.text       C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!VirtualAlloc                                             7C809AE1 5 Bytes JMP 00080004
.text       C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!VirtualAllocEx                                             7C809B02 5 Bytes JMP 0008011C
.text       C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateRemoteThread                                         7C8104BC 5 Bytes JMP 000804F0
.text       C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateThread                                             7C8106C7 5 Bytes JMP 0008057C
.text       C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateProcessInternalW                                       7C81979C 5 Bytes JMP 000803D8
.text       C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateProcessInternalA                                       7C81D536 5 Bytes JMP 0008034C
.text       C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!WinExec                                                 7C8623AD 5 Bytes JMP 00080464
.text       C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!SetThreadContext                                           7C863AA9 5 Bytes JMP 00080608
.text       C:\WINDOWS\system32\svchost.exe[996] USER32.dll!SetWindowsHookExW                                           7E37820F 5 Bytes JMP 000807AC
.text       C:\WINDOWS\system32\svchost.exe[996] USER32.dll!SetWindowsHookExA                                           7E381211 5 Bytes JMP 00080720
.text       C:\WINDOWS\system32\svchost.exe[996] WS2_32.dll!socket                                                   71A84211 5 Bytes JMP 000808C4
.text       C:\WINDOWS\system32\svchost.exe[996] WS2_32.dll!bind                                                     71A84480 5 Bytes JMP 00080838
.text       C:\WINDOWS\system32\svchost.exe[996] WS2_32.dll!connect                                                   71A84A07 5 Bytes JMP 00080950
.text       C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!VirtualProtectEx                                           7C801A61 5 Bytes JMP 000801A8
.text       C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!VirtualProtect                                           7C801AD4 5 Bytes JMP 00080090
.text       C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!WriteProcessMemory                                         7C802213 5 Bytes JMP 00080694
.text       C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!CreateProcessW                                           7C802336 5 Bytes JMP 000802C0
.text       C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!CreateProcessA                                           7C80236B 5 Bytes JMP 00080234
.text       C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!VirtualAlloc                                             7C809AE1 5 Bytes JMP 00080004
.text       C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!VirtualAllocEx                                           7C809B02 5 Bytes JMP 0008011C
.text       C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!CreateRemoteThread                                         7C8104BC 5 Bytes JMP 000804F0
.text       C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!CreateThread                                             7C8106C7 5 Bytes JMP 0008057C
.text       C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!CreateProcessInternalW                                       7C81979C 5 Bytes JMP 000803D8
.text       C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!CreateProcessInternalA                                       7C81D536 5 Bytes JMP 0008034C
.text       C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!WinExec                                                 7C8623AD 5 Bytes JMP 00080464
.text       C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!SetThreadContext                                           7C863AA9 5 Bytes JMP 00080608
.text       C:\WINDOWS\system32\svchost.exe[1172] USER32.dll!SetWindowsHookExW                                           7E37820F 5 Bytes JMP 000807AC
.text       C:\WINDOWS\system32\svchost.exe[1172] USER32.dll!SetWindowsHookExA                                           7E381211 5 Bytes JMP 00080720
.text       C:\WINDOWS\system32\svchost.exe[1172] WS2_32.dll!socket                                                   71A84211 5 Bytes JMP 000808C4
.text       C:\WINDOWS\system32\svchost.exe[1172] WS2_32.dll!bind                                                   71A84480 5 Bytes JMP 00080838
.text       C:\WINDOWS\system32\svchost.exe[1172] WS2_32.dll!connect                                                 71A84A07 5 Bytes JMP 00080950
.text       C:\WINDOWS\system32\svchost.exe[1172] WININET.dll!InternetConnectA                                           4445499A 5 Bytes JMP 00080F54
.text       C:\WINDOWS\system32\svchost.exe[1172] WININET.dll!InternetConnectW                                           44455B88 5 Bytes JMP 00080FE0
.text       C:\WINDOWS\system32\svchost.exe[1172] WININET.dll!InternetOpenA                                             4445C865 5 Bytes JMP 00080D24
.text       C:\WINDOWS\system32\svchost.exe[1172] WININET.dll!InternetOpenW                                             4445CE99 5 Bytes JMP 00080DB0
.text       C:\WINDOWS\system32\svchost.exe[1172] WININET.dll!InternetOpenUrlA                                           44460BCA 5 Bytes JMP 00080E3C
.text       C:\WINDOWS\system32\svchost.exe[1172] WININET.dll!InternetOpenUrlW                                           444AAEA1 5 Bytes JMP 00080EC8
.text       C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!VirtualProtectEx                                           7C801A61 5 Bytes JMP 000801A8
.text       C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!VirtualProtect                                           7C801AD4 5 Bytes JMP 00080090
.text       C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!WriteProcessMemory                                         7C802213 5 Bytes JMP 00080694
.text       C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateProcessW                                           7C802336 5 Bytes JMP 000802C0
.text       C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateProcessA                                           7C80236B 5 Bytes JMP 00080234
.text       C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!VirtualAlloc                                             7C809AE1 5 Bytes JMP 00080004
.text       C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!VirtualAllocEx                                           7C809B02 5 Bytes JMP 0008011C
.text       C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateRemoteThread                                         7C8104BC 5 Bytes JMP 000804F0
.text       C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateThread                                             7C8106C7 5 Bytes JMP 0008057C
.text       C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateProcessInternalW                                       7C81979C 5 Bytes JMP 000803D8
.text       C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateProcessInternalA                                       7C81D536 5 Bytes JMP 0008034C
.text       C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!WinExec                                                 7C8623AD 5 Bytes JMP 00080464
.text       C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!SetThreadContext                                           7C863AA9 5 Bytes JMP 00080608
.text       C:\WINDOWS\system32\svchost.exe[1272] USER32.dll!SetWindowsHookExW                                           7E37820F 5 Bytes JMP 000807AC
.text       C:\WINDOWS\system32\svchost.exe[1272] USER32.dll!SetWindowsHookExA                                           7E381211 5 Bytes JMP 00080720
.text       C:\WINDOWS\Explorer.EXE[1336] kernel32.dll!VirtualProtectEx                                               7C801A61 5 Bytes JMP 000801A8
.text       C:\WINDOWS\Explorer.EXE[1336] kernel32.dll!VirtualProtect                                                 7C801AD4 5 Bytes JMP 00080090
.text       C:\WINDOWS\Explorer.EXE[1336] kernel32.dll!WriteProcessMemory                                               7C802213 5 Bytes JMP 00080694
.text       C:\WINDOWS\Explorer.EXE[1336] kernel32.dll!CreateProcessW                                                 7C802336 5 Bytes JMP 000802C0
.text       C:\WINDOWS\Explorer.EXE[1336] kernel32.dll!CreateProcessA                                                 7C80236B 5 Bytes JMP 00080234
.text       C:\WINDOWS\Explorer.EXE[1336] kernel32.dll!VirtualAlloc                                                   7C809AE1 5 Bytes JMP 00080004
.text       C:\WINDOWS\Explorer.EXE[1336] kernel32.dll!VirtualAllocEx                                                 7C809B02 5 Bytes JMP 0008011C
.text       C:\WINDOWS\Explorer.EXE[1336] kernel32.dll!CreateRemoteThread                                               7C8104BC 5 Bytes JMP 000804F0
.text       C:\WINDOWS\Explorer.EXE[1336] kernel32.dll!CreateThread                                                   7C8106C7 5 Bytes JMP 0008057C
.text       C:\WINDOWS\Explorer.EXE[1336] kernel32.dll!CreateProcessInternalW                                           7C81979C 5 Bytes JMP 000803D8
.text       C:\WINDOWS\Explorer.EXE[1336] kernel32.dll!CreateProcessInternalA                                           7C81D536 5 Bytes JMP 0008034C
.text       C:\WINDOWS\Explorer.EXE[1336] kernel32.dll!WinExec                                                     7C8623AD 5 Bytes JMP 00080464
.text       C:\WINDOWS\Explorer.EXE[1336] kernel32.dll!SetThreadContext                                               7C863AA9 5 Bytes JMP 00080608
.text       C:\WINDOWS\Explorer.EXE[1336] USER32.dll!SetWindowsHookExW                                                 7E37820F 5 Bytes JMP 000807AC
.text       C:\WINDOWS\Explorer.EXE[1336] USER32.dll!SetWindowsHookExA                                                 7E381211 5 Bytes JMP 00080720
.text       C:\WINDOWS\Explorer.EXE[1336] WININET.dll!InternetConnectA                                                 4445499A 5 Bytes JMP 00080F54
.text       C:\WINDOWS\Explorer.EXE[1336] WININET.dll!InternetConnectW                                                 44455B88 5 Bytes JMP 00080FE0
.text       C:\WINDOWS\Explorer.EXE[1336] WININET.dll!InternetOpenA                                                   4445C865 5 Bytes JMP 00080D24
.text       C:\WINDOWS\Explorer.EXE[1336] WININET.dll!InternetOpenW                                                   4445CE99 5 Bytes JMP 00080DB0
.text       C:\WINDOWS\Explorer.EXE[1336] WININET.dll!InternetOpenUrlA                                                 44460BCA 5 Bytes JMP 00080E3C
.text       C:\WINDOWS\Explorer.EXE[1336] WININET.d

Desværre var Gmer-loggen for lang til at være i én post. Så du må lige lægge resten herind igen, og derefter lægge logfilen fra rootrepeal herind igen også

Lukket pga. manglende tilbagemelding.