Spywarefri Forum | Win32/Netsky.Q worm

2 af 4

Win32/Netsky.Q worm

[ Ignorer ] [ # 16 ] f-arn TeamSpywarefri
13.03.2010 12:50:31 Administrator Team Spywarefri Antal indlæg: 3490	Nej - vent lige lidt! Signatur Undlad venligst at vedhæfte logs, medmindre du bliver bedt om det !
[ Ignorer ] [ # 17 ] JeanetteL
13.03.2010 12:56:33 Antal indlæg: 29	Hej OK
[ Ignorer ] [ # 18 ] f-arn TeamSpywarefri
13.03.2010 13:26:32 Administrator Team Spywarefri Antal indlæg: 3490	Hent Combofix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe Hent dette: http://www.microsoft.com/downloads/details.aspx?displaylang=da&FamilyID=15491f07-99f7-4a2d-983d-81c2137ff464 ——— Så trækker du sidstnævnte hen over Combofix og kopierer loggen herind Signatur Undlad venligst at vedhæfte logs, medmindre du bliver bedt om det !
[ Ignorer ] [ # 19 ] JeanetteL
13.03.2010 13:49:40 Antal indlæg: 29	Hej Jeg kan stadig ikke downloade filerne, så jeg antager at jeg kan hente det på USB. Jeg er ikke sikker på jeg forstår det sidste du skriver, kan du uddybe:_)
[ Ignorer ] [ # 20 ] Peder TeamSpywarefri
13.03.2010 13:54:48 Redaktør Team Spywarefri Antal indlæg: 12994	Prøv bare dette. Hvis du ikke kan komme på nettet med den maskine så må du lægge HijackThis og Combofix på en USB nøgle eller andet medie. Når du gemmer Combofix på din USB nøgle eller andet ekstern medie skal du gemme den som alg.exe Det er vigtigt at du gemmer den under dette navn. Sæt nu det medie som du gemte combofix på (alg.exe) i den syge pc og kør alg.exe direkte fra det medie. (Vistabrugere skal klikke med højre-musetast på filen og vælge (Kør som administrator) Vigtigt-> Deaktiver dit antivirus/antispyware program. Hvis du ikke kan deaktiver programmet, så klik bare ”Forsæt og ok” når Combofix advarer, så vil den forsætte. Du må ikke klikke på vinduet imens værktøjet kører, idet det kan få din computer til at fryse. Når Combofix er færdig, og efter det (muligvis) har genstartet, skulle der gerne åbnes en logfil: combofix.txt som ligger her C:\ Combofix txt Hvis logfilen ikke åbnes så finder du den her c:\combofix.txt Indholdet af denne fil må du gerne lægge herind. Vær tålmodig og vent til Combofix ruden lukker ned.
[ Ignorer ] [ # 21 ] JeanetteL
13.03.2010 14:04:55 Antal indlæg: 29	Hej Jeg kan ikke downloade den fil fra Microsoft er det nok med combo filen i første omgang?
[ Ignorer ] [ # 22 ] Peder TeamSpywarefri
13.03.2010 14:08:49 Redaktør Team Spywarefri Antal indlæg: 12994	Ja, prøv bare om du ikke kan køre combofix?
[ Ignorer ] [ # 23 ] JeanetteL
13.03.2010 17:11:31 Antal indlæg: 29	Hej Nu er combo fix loggen dannet, den er på ca 23 sider, så spørgsmålet er om jeg skal sende den ind som en vedhæftet fil?
[ Ignorer ] [ # 24 ] Peder TeamSpywarefri
13.03.2010 17:17:59 Redaktør Team Spywarefri Antal indlæg: 12994	Ja, vedhæft du bare den fil.
[ Ignorer ] [ # 25 ] JeanetteL
13.03.2010 17:27:16 Antal indlæg: 29	Det er ikke muligt så nu får i den i klar tekst:-( ComboFix 10-03-12.04 - Larsen 13-03-2010 13:36:20.1.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.45.1030.18.254.83 [GMT 1:00] Kører fra: E:\ComboFix.exe AV: Norton AntiVirus On-access scanning disabled (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8} advarsel -DENNE MASKINE HAR IKKE GENOPRETTELSESKONSOL INSTALLERET !! . ((((((((((((((((((((((((((((((((((((((( Andet, der er slettet ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Larsen\Application Data\Control Manager c:\documents and settings\Larsen\Application Data\Control Manager\faq\guide.html c:\documents and settings\Larsen\Application Data\Control Manager\faq\images\05.png c:\documents and settings\Larsen\Application Data\Control Manager\faq\images\06.png c:\documents and settings\Larsen\Application Data\Control Manager\faq\images\07.png c:\documents and settings\Larsen\Application Data\Control Manager\faq\images\08.png c:\documents and settings\Larsen\Application Data\Control Manager\faq\images\09.png c:\documents and settings\Larsen\Application Data\Control Manager\faq\images\10.png c:\documents and settings\Larsen\Application Data\Control Manager\settings.ini c:\documents and settings\Larsen\Application Data\Control Manager\uninstall.exe c:\documents and settings\Larsen\Lokale indstillinger\Application Data\rdr_1268204271.exe c:\documents and settings\Larsen\Lokale indstillinger\Application Data\rdr_1268206128.exe c:\documents and settings\Larsen\Lokale indstillinger\Application Data\rdr_1268239596.exe c:\programmer\webserver c:\recycler\NPROTECT c:\windows\bill103.exe c:\windows\lgo c:\windows\ligh c:\windows\system32\drivers\imapioko.sys c:\windows\system32\erokosvc.dll . ((((((((((((((((((((((((((((((((((((((( Drivers/Tjenester ))))))))))))))))))))))))))))))))))))))))))))))))) . ———-\Legacy_APTO6KO ———-\Legacy_CPQOKO6 ———-\Service_apto6ko ———-\Service_cpqoko6 ((((((((((((((((((((((((((((( Filer skabt fra 2010-02-13 til 2010-03-13 ))))))))))))))))))))))))))))))))))) . 2010-03-11 18:34 . 2010-03-11 18:34 ———— d——-w- c:\documents and settings\Larsen\Application Data\Malwarebytes 2010-03-11 18:32 . 2010-03-11 18:32 ———— d——-w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-03-10 20:12 . 2010-03-10 20:12 ———— d——-w- c:\documents and settings\Larsen\Application Data\Tific 2010-03-10 19:03 . 2010-03-10 19:03 ———— d——-w- c:\documents and settings\All Users\Application Data\SITEguard 2010-03-10 18:56 . 2010-03-13 14:19 ———— d——-w- c:\documents and settings\All Users\Application Data\STOPzilla! 2010-03-10 17:13 . 2010-03-10 17:22 ———— d——-w- c:\documents and settings\All Users\Application Data\Norton 2010-03-10 17:11 . 2010-03-10 17:13 ———— d——-w- c:\documents and settings\All Users\Application Data\NortonInstaller . (((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))) . . ((((((((((((((((((((((((((((((((((( Start steder i reg.basen )))))))))))))))))))))))))))))))))))))))))))))))) . . Bemærk tomme linier & lovlige standard linier vises ikke REGEDIT4 c:\documents and settings\Larsen\Menuen Start\Programmer\Start\ OPTACToolAuto.lnk - c:\programmer\SECommon\OPTACToolAutoDld.exe [2008-1-27 118784] c:\documents and settings\All Users\Menuen Start\Programmer\Start\ HP Digital Imaging Monitor.lnk - c:\programmer\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624] HP Photosmart Premier Hurtig start.lnk - c:\programmer\HP\Digital Imaging\bin\hpqthb08.exe [2005-12-15 73728] McAfee Security Scan.lnk - c:\programmer\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-28 199184] WinZip Quick Pick.lnk - c:\programmer\WinZip\WZQKPICK.EXE [2004-10-27 118784] Scriptet “Is” tog for lang tid at k›re. K›rslen blev afsluttet. [HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon] “Shell”=“c:\documents and settings\Larsen\Application Data\Control” [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] “LoadAppInit_DLLs”=1 (0x1) “AppInit_DLLs”=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] “%windir%\\system32\\sessmgr.exe”= “c:\\Programmer\\Sports Interactive\\Football Manager 2005\\fm2005.exe”= “c:\\Valve\\Condition Zero\\czero.exe”= “c:\\Programmer\\HP\\Digital Imaging\\bin\\hpqtra08.exe”= “c:\\Programmer\\HP\\Digital Imaging\\bin\\hpqste08.exe”= “c:\\Programmer\\HP\\Digital Imaging\\bin\\hpofxm08.exe”= “c:\\Programmer\\HP\\Digital Imaging\\bin\\hposfx08.exe”= “c:\\Programmer\\HP\\Digital Imaging\\bin\\hposid01.exe”= “c:\\Programmer\\HP\\Digital Imaging\\bin\\hpqscnvw.exe”= “c:\\Programmer\\HP\\Digital Imaging\\bin\\hpqkygrp.exe”= “c:\\Programmer\\HP\\Digital Imaging\\bin\\hpqCopy.exe”= “c:\\Programmer\\HP\\Digital Imaging\\bin\\hpfccopy.exe”= “c:\\Programmer\\HP\\Digital Imaging\\bin\\hpzwiz01.exe”= “c:\\Programmer\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe”= “c:\\Programmer\\HP\\Digital Imaging\\Unload\\HpqDIA.exe”= “c:\\Programmer\\HP\\Digital Imaging\\bin\\hpoews01.exe”= “c:\\Programmer\\HP\\Digital Imaging\\bin\\hpqnrs08.exe”= “c:\\Valve\\Steam\\Steam.exe”= “c:\\Programmer\\Messenger\\msmsgs.exe”= “%windir%\\Network Diagnostic\\xpnetdiag.exe”= “c:\\Programmer\\Bonjour\\mDNSResponder.exe”= “c:\\Programmer\\iTunes\\iTunes.exe”= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] “8085:TCP”= 8085:TCP:OKOToGate “80:TCP”= 80:TCP:webserver “53:TCP”= 53:TCP:webserver R0 stwlfbus;stwlfbus;c:\windows\system32\drivers\stwlfbus.sys [27-04-2003 11:39 8704] R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1100000.088\SymDS.sys [10-03-2010 18:16 328752] R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1100000.088\SymEFA.sys [10-03-2010 18:16 169008] R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [07-12-2009 16:59 61328] R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [24-02-2010 14:06 173328] R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20090829.001\BHDrvx86.sys [10-03-2010 18:16 506928] R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1100000.088\ccHPx86.sys [10-03-2010 18:16 501888] R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1100000.088\Ironx86.sys [10-03-2010 18:16 114736] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\programmer\Fælles filer\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10-03-2010 18:16 102448] R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20090828.002\IDSxpx86.sys [10-03-2010 18:16 329080] R3 st3wolf;st3wolf;c:\windows\system32\drivers\st3wolf.sys [27-04-2003 10:43 99360] S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [07-12-2009 16:59 61328] S3 adxapie;adxapie;\??\c:\docume~1\Larsen\LOKALE~1\Temp\adxapie.sys—> c:\docume~1\Larsen\LOKALE~1\Temp\adxapie.sys [?] S3 USBAAPL;Apple Mobile USB Driver;c:\windows\system32\drivers\usbaapl.sys [23-08-2008 15:39 40448] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] tapisrvs REG_MULTI_SZ cpqoko6 . Indhold af mappen ‘Planlagte Opgaver’ 2010-03-13 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\programmer\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34] 2010-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\programmer\Google\Update\GoogleUpdate.exe [2010-01-31 09:30] 2010-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\programmer\Google\Update\GoogleUpdate.exe [2010-01-31 09:30] 2010-03-13 c:\windows\Tasks\User_Feed_Synchronization-{8C9678BF-2068-4220-A547-4F5C8A57A2AB}.job - c:\windows\system32\msfeedssync.exe [2007-08-13 02:31] 2010-03-13 c:\windows\Tasks\WGASetup.job - c:\windows\system32\KB905474\wgasetup.exe [2009-04-01 20:18] . . ———- Yderligere scanning———- . uStart Page = hxxp://www.google.dk/ uSearch Page = hxxp://www.google.com uSearch Bar = hxxp://www.google.com/ie uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = .local uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/keyword/%s mSearchAssistant = hxxp://www.google.com/ie IE: E&ksporter; til Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 IE: Google Sidewiki… - c:\programmer\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} - hxxps://netbank.bgbank.dk/html/activex/e-Safekey/BG/e-Safekey.cab . - - - - TOMME GENVEJE FJERNET - - - - Notify-TPSvc - TPSvc.dll AddRemove-Control Manager - c:\documents and settings\Larsen\Application Data\Control Manager\uninstall.exe *********************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-03-13 15:26 Windows 5.1.2600 Service Pack 3 NTFS scanner skjulte processer ... scanner skjulte autostarter ... scanner skjulte filer ... scanning gennemført med succes skjulte filer: 0 ********************************************************************** Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0xFFAFB680]<< kernel: MBR read successfully detected MBR rootkit hooks: \Driver\Disk -> CLASSPNP.SYS @ 0xf932af28 \Driver\ACPI -> ACPI.sys @ 0xf9254cb8 \Driver\atapi -> 0xffafb680 IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598 ParseProcedure -> ntoskrnl.exe @ 0x8056ea15 \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598 ParseProcedure -> ntoskrnl.exe @ 0x8056ea15 Warning: possible MBR rootkit infection ! user & kernel MBR OK copy of MBR has been found in sector 3 ! copy of MBR has been found in sector 11 ! ********************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV] “ImagePath”=”\“c:\programmer\Norton AntiVirus\Engine\17.0.0.136\ccSvcHst.exe\” /s \“NAV\” /m \“c:\programmer\Norton AntiVirus\Engine\17.0.0.136\diMaster.dll\” /prefetch:1” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET CLR Data] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET CLR Networking] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET Data Provider for Oracle] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET Data Provider for SqlServer] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NETFramework] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Abiosdsk] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\abp480n5] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPI] “ImagePath”=“System32\DRIVERS\ACPI.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPIEC] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\adpu160m] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\adxapie] “ImagePath”=”\??\c:\docume~1\Larsen\LOKALE~1\Temp\adxapie.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aec] “ImagePath”=“system32\drivers\aec.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AFD] “ImagePath”=”\SystemRoot\System32\drivers\afd.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AFS2K] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Aha154x] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aic78u2] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aic78xx] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Alerter] “ServiceDll”=”%SystemRoot%\system32\alrsvc.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ALG] “ImagePath”=”%SystemRoot%\System32\alg.exe” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AliIde] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\amsint] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Apple Mobile Device] “ImagePath”=”\“c:\programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe\”“ [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AppMgmt] “ServiceDll”=”%SystemRoot%\System32\appmgmts.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\apto6ko] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc3350p] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc3550] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET_1.1.4322] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET_2.0.50727] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Aspi32] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aspnet_state] “ImagePath”=”%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AsyncMac] “ImagePath”=“system32\DRIVERS\asyncmac.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi] “ImagePath”=“System32\DRIVERS\atapi.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Atdisk] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Atmarpc] “ImagePath”=“System32\DRIVERS\atmarpc.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AudioSrv] “ServiceDll”=”%SystemRoot%\System32\audiosrv.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\audstub] “ImagePath”=“System32\DRIVERS\audstub.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BattC] “MofImagePath”=“System32\Drivers\battc.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Beep] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BHDrvx86] “ImagePath”=”\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20090829.001\BHDrvx86.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BITS] “ServiceDll”=“c:\windows\system32\qmgr.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Bonjour Service] “ImagePath”=“c:\programmer\Bonjour\mDNSResponder.exe” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Browser] “ServiceDll”=”%SystemRoot%\System32\browser.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cbidf2k] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CCALib8] “ImagePath”=“c:\programmer\Canon\CAL\CALMAIN.exe” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccHP] “ImagePath”=”\SystemRoot\system32\drivers\NAV\1100000.088\ccHPx86.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cd20xrnt] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdaudio] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdfs] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdrom] “ImagePath”=“System32\DRIVERS\cdrom.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Changer] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cisvc] “ImagePath”=”%SystemRoot%\system32\cisvc.exe” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ClipSrv] “ImagePath”=”%SystemRoot%\system32\clipsrv.exe” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clr_optimization_v2.0.50727_32] “ImagePath”=“c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CmdIde] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cmpci] “ImagePath”=“system32\drivers\cmaudio.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\COMSysApp] “ImagePath”=“c:\windows\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ContentFilter] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ContentIndex] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cpqarray] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cpqoko6] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CryptSvc] “ServiceDll”=”%SystemRoot%\System32\cryptsvc.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dac2w2k] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dac960nt] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DcomLaunch] “ServiceDll”=”%SystemRoot%\system32\rpcss.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dhcp] “ServiceDll”=”%SystemRoot%\System32\dhcpcsvc.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Disk] “ImagePath”=“System32\DRIVERS\disk.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmadmin] “ImagePath”=”%SystemRoot%\System32\dmadmin.exe /com” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmboot] “ImagePath”=“System32\drivers\dmboot.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmio] “ImagePath”=“System32\drivers\dmio.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmload] “ImagePath”=“System32\drivers\dmload.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmserver] “ServiceDll”=”%SystemRoot%\System32\dmserver.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DMusic] “ImagePath”=“system32\drivers\DMusic.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dnscache] “ServiceDll”=”%SystemRoot%\System32\dnsrslvr.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dot3svc] “ServiceDll”=”%SystemRoot%\System32\dot3svc.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dpti2o] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\drmkaud] “ImagePath”=“system32\drivers\drmkaud.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\E100B] “ImagePath”=“System32\DRIVERS\e100b325.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EapHost] “ServiceDll”=”%SystemRoot%\System32\eapsvc.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\eeCtrl] “ImagePath”=”\??\c:\programmer\Fælles filer\Symantec Shared\EENGINE\eeCtrl.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EraserUtilRebootDrv] “ImagePath”=”\??\c:\programmer\Fælles filer\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ERSvc] “ServiceDll”=”%SystemRoot%\System32\ersvc.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Eventlog] “ImagePath”=”%SystemRoot%\system32\services.exe” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EventSystem] “ServiceDll”=“c:\windows\System32\es.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fastfat] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FastUserSwitchingCompatibility] “ServiceDll”=”%SystemRoot%\System32\shsvcs.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fdc] “ImagePath”=“System32\DRIVERS\fdc.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fips] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Flpydisk] “ImagePath”=“System32\DRIVERS\flpydisk.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FltMgr] “ImagePath”=“system32\drivers\fltmgr.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FontCache3.0.0.0] “ImagePath”=“c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fs_Rec] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ftdisk] “ImagePath”=“System32\DRIVERS\ftdisk.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gameenum] “ImagePath”=“System32\DRIVERS\gameenum.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GEARAspiWDM] “ImagePath”=“System32\Drivers\GEARAspiWDM.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GoogleDesktopManager-110309-193829] “ImagePath”=”\“c:\programmer\Google\Google Desktop Search\GoogleDesktop.exe\”“ [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Gpc] “ImagePath”=“System32\DRIVERS\msgpc.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gupdate] “ImagePath”=”\“c:\programmer\Google\Update\GoogleUpdate.exe\” /svc” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gusvc] “ImagePath”=”\“c:\programmer\Google\Common\Google Updater\GoogleUpdaterService.exe\”“ [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\helpsvc] “ServiceDll”=”%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HidServ] “ServiceDll”=”%SystemRoot%\System32\hidserv.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HidUsb] “ImagePath”=“System32\DRIVERS\hidusb.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hkmsvc] “ServiceDll”=”%SystemRoot%\System32\kmsvc.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hpn] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hpt3xx] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HPZid412] “ImagePath”=“system32\DRIVERS\HPZid412.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HPZipr12] “ImagePath”=“system32\DRIVERS\HPZipr12.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HPZius12] “ImagePath”=“system32\DRIVERS\HPZius12.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTP] “ImagePath”=“System32\Drivers\HTTP.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTPFilter] “ServiceDll”=”%SystemRoot%\System32\w3ssl.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i2omgmt] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i2omp] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i8042prt] “ImagePath”=“System32\DRIVERS\i8042prt.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ialm] “ImagePath”=“System32\DRIVERS\ialmnt5.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\idsvc] “ImagePath”=”\“c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe\”“ [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IDSxpx86] “ImagePath”=”\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20090828.002\IDSxpx86.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ILADFtmi] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Imapi] “ImagePath”=“System32\DRIVERS\imapi.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ImapiService] “ImagePath”=”%systemroot%\system32\imapi.exe” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\inetaccs] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ini910u] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Inport] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IntelIde] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ip6fw] “ImagePath”=“system32\drivers\ip6fw.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpFilterDriver] “ImagePath”=“System32\DRIVERS\ipfltdrv.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpInIp] “ImagePath”=“System32\DRIVERS\ipinip.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpNat] “ImagePath”=“System32\DRIVERS\ipnat.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iPod Service] “ImagePath”=“c:\programmer\iPod\bin\iPodService.exe” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IPSec] “ImagePath”=“System32\DRIVERS\ipsec.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IRENUM] “ImagePath”=“System32\DRIVERS\irenum.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\is3srv] “ImagePath”=“system32\drivers\is3srv.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ISAPISearch] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\isapnp] “ImagePath”=“System32\DRIVERS\isapnp.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\JavaQuickStarterService] “ImagePath”=”\“c:\programmer\Java\jre6\bin\jqs.exe\” -service -config \“c:\programmer\Java\jre6\lib\deploy\jqs\jqs.conf\”“ [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Kbdclass] “ImagePath”=“System32\DRIVERS\kbdclass.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kmixer] “ImagePath”=“system32\drivers\kmixer.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KSecDD] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanserver] “ServiceDll”=”%SystemRoot%\System32\srvsvc.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanworkstation] “ServiceDll”=”%SystemRoot%\System32\wkssvc.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lbrtfdc] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ldap] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LicenseService] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LmHosts] “ServiceDll”=”%SystemRoot%\System32\lmhsvc.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MDM] “ImagePath”=”\“c:\programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE\”“ [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Messenger] “ServiceDll”=”%SystemRoot%\System32\msgsvc.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mnmdd] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mnmsrvc] “ImagePath”=“c:\windows\System32\mnmsrvc.exe” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Modem] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mouclass] “ImagePath”=“System32\DRIVERS\mouclass.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mouhid] “ImagePath”=“System32\DRIVERS\mouhid.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MountMgr] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mraid35x] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxDAV] “ImagePath”=“System32\DRIVERS\mrxdav.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxSmb] “ImagePath”=“System32\DRIVERS\mrxsmb.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSDTC] “ImagePath”=“c:\windows\System32\msdtc.exe” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSDTC Bridge 3.0.0.0] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Msfs] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSIServer] “ImagePath”=“c:\windows\system32\msiexec.exe /V” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSKSSRV] “ImagePath”=“system32\drivers\MSKSSRV.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPCLOCK] “ImagePath”=“system32\drivers\MSPCLOCK.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPQM] “ImagePath”=“system32\drivers\MSPQM.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mssmbios] “ImagePath”=“System32\DRIVERS\mssmbios.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mup] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAL] “ImagePath”=”\??\c:\windows\system32\Drivers\iqvw32.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\napagent] “ServiceDll”=”%SystemRoot%\System32\qagentrt.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV] “ImagePath”=”\“c:\programmer\Norton AntiVirus\Engine\17.0.0.136\ccSvcHst.exe\” /s \“NAV\” /m \“c:\programmer\Norton AntiVirus\Engine\17.0.0.136\diMaster.dll\” /prefetch:1” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAVENG] “ImagePath”=”\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20090829.019\NAVENG.SYS” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAVEX15] “ImagePath”=”\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20090829.019\NAVEX15.SYS” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDIS] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisTapi] “ImagePath”=“System32\DRIVERS\ndistapi.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ndisuio] “ImagePath”=“System32\DRIVERS\ndisuio.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisWan] “ImagePath”=“System32\DRIVERS\ndiswan.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDProxy] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBIOS] “ImagePath”=“System32\DRIVERS\netbios.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBT] “ImagePath”=“System32\DRIVERS\netbt.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDE] “ImagePath”=”%SystemRoot%\system32\netdde.exe” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDEdsdm] “ImagePath”=”%SystemRoot%\system32\netdde.exe” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netlogon] “ImagePath”=”%SystemRoot%\System32\lsass.exe” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netman] “ServiceDll”=”%SystemRoot%\System32\netman.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetSvc] “ImagePath”=“c:\programmer\Intel\NCS\Sync\NetSvc.exe” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetTcpPortSharing] “ImagePath”=”\“c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe\”“ [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Nla] “ServiceDll”=”%SystemRoot%\System32\mswsock.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nmwcd] “ImagePath”=“system32\drivers\nmwcd.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nmwcdc] “ImagePath”=“system32\drivers\nmwcdc.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nmwcdcm] “ImagePath”=“system32\drivers\nmwcdcm.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Npfs] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ntfs] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtLmSsp] “ImagePath”=”%SystemRoot%\System32\lsass.exe” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc] “ServiceDll”=”%SystemRoot%\system32\ntmssvc.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Null] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NwlnkFlt] “ImagePath”=“System32\DRIVERS\nwlnkflt.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NwlnkFwd] “ImagePath”=“System32\DRIVERS\nwlnkfwd.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ose] “ImagePath”=”\“c:\programmer\Fælles filer\Microsoft Shared\Source Engine\OSE.EXE\”“ [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Outlook] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Parport] “ImagePath”=“System32\DRIVERS\parport.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PartMgr] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ParVdm] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCI] “ImagePath”=“System32\DRIVERS\pci.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCIDump] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCIIde] “ImagePath”=“System32\DRIVERS\pciide.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Pcmcia] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDCOMP] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDFRAME] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDRELI] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDRFRAME] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2hib] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfDisk] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfNet] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfOS] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfProc] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PlugPlay] “ImagePath”=”%SystemRoot%\system32\services.exe” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Pml Driver HPZ12] “ImagePath”=“c:\windows\system32\HPZipm12.exe” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PolicyAgent] “ImagePath”=”%SystemRoot%\system32\lsass.exe” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PptpMiniport] “ImagePath”=“System32\DRIVERS\raspptp.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Processor] “ImagePath”=“System32\DRIVERS\processr.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ProtectedStorage] “ImagePath”=”%SystemRoot%\system32\lsass.exe” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSched] “ImagePath”=“System32\DRIVERS\psched.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ptilink] “ImagePath”=“System32\DRIVERS\ptilink.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PxHelp20] “ImagePath”=“System32\Drivers\PxHelp20.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1080] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ql10wnt] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql12160] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1240] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1280] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAcd] “ImagePath”=“System32\DRIVERS\rasacd.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAuto] “ServiceDll”=”%SystemRoot%\System32\rasauto.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rasl2tp] “ImagePath”=“System32\DRIVERS\rasl2tp.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasMan] “ServiceDll”=”%SystemRoot%\System32\rasmans.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasPppoe] “ImagePath”=“System32\DRIVERS\raspppoe.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Raspti] “ImagePath”=“System32\DRIVERS\raspti.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rdbss] “ImagePath”=“System32\DRIVERS\rdbss.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPCDD] “ImagePath”=“System32\DRIVERS\RDPCDD.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPDD] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rdpdr] “ImagePath”=“System32\DRIVERS\rdpdr.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPNP] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPWD] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDSessMgr] “ImagePath”=“c:\windows\system32\sessmgr.exe” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook] “ImagePath”=“System32\DRIVERS\redbook.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteAccess] “ServiceDll”=”%SystemRoot%\System32\mprdim.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteRegistry] “ServiceDll”=”%SystemRoot%\system32\regsvc.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcLocator] “ImagePath”=”%SystemRoot%\System32\locator.exe” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcSs] “ServiceDll”=”%SystemRoot%\system32\rpcss.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RSVP] “ImagePath”=”%SystemRoot%\System32\rsvp.exe” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SamSs] “ImagePath”=”%SystemRoot%\system32\lsass.exe” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SCardSvr] “ImagePath”=”%SystemRoot%\System32\SCardSvr.exe” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Schedule] “ServiceDll”=”%SystemRoot%\system32\schedsvc.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ScsiPort] “ImagePath”=”%SystemRoot%\system32\drivers\scsiport.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Secdrv] “ImagePath”=“System32\DRIVERS\secdrv.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seclogon] “ServiceDll”=”%SystemRoot%\System32\seclogon.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SENS] “ServiceDll”=”%SystemRoot%\system32\sens.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\serenum] “ImagePath”=“System32\DRIVERS\serenum.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Serial] “ImagePath”=“System32\DRIVERS\serial.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelEndpoint 3.0.0.0] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelOperation 3.0.0.0] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelService 3.0.0.0] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sfloppy] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess] “ServiceDll”=”%SystemRoot%\System32\ipnathlp.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ShellHWDetection] “ServiceDll”=”%SystemRoot%\System32\shsvcs.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Simbad] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SMSvcHost 3.0.0.0] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sparrow] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\splitter] “ImagePath”=“system32\drivers\splitter.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Spooler] “ImagePath”=”%SystemRoot%\system32\spoolsv.exe” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sr] “ImagePath”=“System32\DRIVERS\sr.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srservice] “ServiceDll”=”%SystemRoot%\system32\srsvc.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SRTSP] “ImagePath”=”\SystemRoot\system32\drivers\NAV\1100000.088\SRTSP.SYS” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SRTSPX] “ImagePath”=”\SystemRoot\system32\drivers\NAV\1100000.088\SRTSPX.SYS” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Srv] “ImagePath”=“System32\DRIVERS\srv.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SSDPSRV] “ServiceDll”=”%SystemRoot%\System32\ssdpsrv.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\st3wolf] “ImagePath”=“System32\DRIVERS\st3wolf.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\stisvc] “ServiceDll”=”%SystemRoot%\system32\wiaservc.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\stwlfbus] “ImagePath”=“System32\DRIVERS\stwlfbus.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swenum] “ImagePath”=“System32\DRIVERS\swenum.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swmidi] “ImagePath”=“system32\drivers\swmidi.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SwPrv] “ImagePath”=“c:\windows\System32\dllhost.exe /Processid:{DB6C5026-4176-4ED9-900A-BDE214274F78}” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swwd] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc810] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc8xx] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SymDS] “ImagePath”=“system32\drivers\NAV\1100000.088\SYMDS.SYS” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SymEFA] “ImagePath”=“system32\drivers\NAV\1100000.088\SYMEFA.SYS” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SymEvent] “ImagePath”=”\??\c:\windows\system32\Drivers\SYMEVENT.SYS” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SymIRON] “ImagePath”=”\SystemRoot\system32\drivers\NAV\1100000.088\Ironx86.SYS” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMTDI] “ImagePath”=”\SystemRoot\system32\drivers\NAV\1100000.088\SYMTDI.SYS” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_hi] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_u3] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sysaudio] “ImagePath”=“system32\drivers\sysaudio.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SysmonLog] “ImagePath”=”%SystemRoot%\system32\smlogsvc.exe” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\szkg5] “ImagePath”=“system32\DRIVERS\szkg.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\szkgfs] “ImagePath”=“system32\drivers\szkgfs.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\szserver] “ImagePath”=”\“c:\programmer\Fælles filer\iS3\Anti-Spyware\SZServer.exe\”“ [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TapiSrv] “ServiceDll”=”%SystemRoot%\System32\tapisrv.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip] “ImagePath”=“System32\DRIVERS\tcpip.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDPIPE] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDTCP] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermDD] “ImagePath”=“System32\DRIVERS\termdd.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermService] “ServiceDll”=”%SystemRoot%\System32\termsrv.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Themes] “ServiceDll”=”%SystemRoot%\System32\shsvcs.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TlntSvr] “ImagePath”=“c:\windows\System32\tlntsvr.exe” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TosIde] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TrkWks] “ServiceDll”=”%SystemRoot%\system32\trkwks.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TSDDD] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Udfs] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ultra] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Update] “ImagePath”=“System32\DRIVERS\update.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\upnphost] “ServiceDll”=”%SystemRoot%\System32\upnphost.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPS] “ImagePath”=”%SystemRoot%\System32\ups.exe” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\USBAAPL] “ImagePath”=“System32\Drivers\usbaapl.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbccgp] “ImagePath”=“System32\DRIVERS\usbccgp.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbehci] “ImagePath”=“System32\DRIVERS\usbehci.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbhub] “ImagePath”=“System32\DRIVERS\usbhub.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbprint] “ImagePath”=“System32\DRIVERS\usbprint.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbscan] “ImagePath”=“system32\DRIVERS\usbscan.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbser] “ImagePath”=“system32\drivers\usbser.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UsbserFilt] “ImagePath”=“system32\DRIVERS\usbser_lowerfltj.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\USBSTOR] “ImagePath”=“System32\DRIVERS\USBSTOR.SYS” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbuhci] “ImagePath”=“System32\DRIVERS\usbuhci.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VgaSave] “ImagePath”=”\SystemRoot\System32\drivers\vga.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ViaIde] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VolSnap] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VSS] “ImagePath”=”%SystemRoot%\System32\vssvc.exe” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VXD] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W32Time] “ServiceDll”=”%systemroot%\system32\w32time.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W3SVC] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wanarp] “ImagePath”=“System32\DRIVERS\wanarp.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WDICA] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wdmaud] “ImagePath”=“system32\drivers\wdmaud.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WebClient] “ServiceDll”=”%SystemRoot%\System32\webclnt.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Windows Workflow Foundation 3.0.0.0] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winmgmt] “ServiceDll”=”%SystemRoot%\system32\wbem\WMIsvc.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Winsock] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Winsock - Google Desktop Search Backup Before First Install] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Winsock - Google Desktop Search Backup Before Last Install] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinSock2] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Winsock2 - Google Desktop Search Backup Before First Install] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Winsock2 - Google Desktop Search Backup Before Last Install] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinTrust] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmdmPmSN] “ServiceDll”=“c:\windows\system32\MsPMSNSv.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wmi] “ServiceDll”=”%SystemRoot%\System32\advapi32.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApRpl] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApSrv] “ImagePath”=“c:\windows\System32\wbem\wmiapsrv.exe” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WMPNetworkSvc] “ImagePath”=”\“c:\programmer\Windows Media Player\WMPNetwk.exe\”“ [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WS2IFSL] “ImagePath”=”\SystemRoot\System32\drivers\ws2ifsl.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wscsvc] “ServiceDll”=”%SYSTEMROOT%\system32\wscsvc.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wuauserv] “ServiceDll”=“c:\windows\system32\wuauserv.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfPf] “ImagePath”=“system32\DRIVERS\WudfPf.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfRd] “ImagePath”=“system32\DRIVERS\wudfrd.sys” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfSvc] “ServiceDll”=”%SystemRoot%\System32\WUDFSvc.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WZCSVC] “ServiceDll”=”%SystemRoot%\System32\wzcsvc.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xmlprov] “ServiceDll”=”%SystemRoot%\System32\xmlprov.dll” [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FF1B975E-C701-43A2-A321-A647EE9EBD0A}] . ————————————Andre kørende processer———————————— . c:\programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\programmer\Java\jre6\bin\jqs.exe c:\programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE c:\programmer\Norton AntiVirus\Engine\17.0.0.136\ccSvcHst.exe c:\programmer\Norton AntiVirus\Engine\17.0.0.136\ccSvcHst.exe c:\windows\system32\WgaTray.exe c:\windows\system32\wscntfy.exe c:\windows\System32\igfxtray.exe c:\windows\System32\hkcmd.exe c:\programmer\Intel\NCS\PROSet\PRONoMgr.exe c:\programmer\D-Tools\daemon.exe c:\windows\Mixer.exe c:\programmer\HP\HP Software Update\HPWuSchd2.exe c:\programmer\Google\Google Desktop Search\GoogleDesktop.exe c:\programmer\Java\jre6\bin\jusched.exe c:\programmer\iTunes\iTunesHelper.exe c:\programmer\Messenger\msmsgs.exe c:\programmer\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe c:\programmer\HP\Digital Imaging\bin\hpqimzone.exe c:\programmer\HP\Digital Imaging\bin\hpqSTE08.exe . ************************************************************************ . Gennemført tid: 2010-03-13 16:03:48 - maskinen blev genstartet ComboFix-quarantined-files.txt 2010-03-13 15:03 Pre-Kørsel: 19.797.450.752 byte ledig Post-Kørsel: 20.538.212.352 byte ledig - - End Of File - - 816142AFEC2771456AF63EAFBABAA288
[ Ignorer ] [ # 26 ] JeanetteL
13.03.2010 21:26:31 Antal indlæg: 29	Hej Igen Er det helt skidt med min PC’er?
[ Ignorer ] [ # 27 ] Magic Emeritus
14.03.2010 07:32:03 Administrator Supporter Emeritus Antal indlæg: 29177	Næh, men loggen indholder nogen ting vi aldrig har set før, derfor tager det længere tid end normalt. Download Gmer’s mbr.exe fra http://www2.gmer.net/mbr/mbr.exe og placer den på dit C-drev (så filen er på C: \ mbr.exe). Gå til Start - Kør Skriv cmd (og tryk på OK). Ved prompten skriv eller kopier / indsæt følgende, og tryk på Enter efter hver linje: cd \ mbr.exe-t Derefter skal du skrive exit, og tryk på Enter for at lukke kommando vinduet. Find så C: \ mbr.log. Og kopier indholdet herind.
[ Ignorer ] [ # 28 ] JeanetteL
14.03.2010 10:41:52 Antal indlæg: 29	Hej Det var bestemt heller ikke for at jage med jer:-) Her kommer indholdet af MBR.log Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully kernel: MBR read successfully user & kernel MBR OK copy of MBR has been found in sector 3 ! copy of MBR has been found in sector 11 !
[ Ignorer ] [ # 29 ] Peder TeamSpywarefri
14.03.2010 11:01:18 Redaktør Team Spywarefri Antal indlæg: 12994	Der sket en fejl, prøv lige igen der skal være et mellemrum efter mbr.exe > mbr.exe -t Kom med den ny log
[ Ignorer ] [ # 30 ] JeanetteL
14.03.2010 11:08:49 Antal indlæg: 29	Den kommer så her ser også lidt anderledes ud Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0xFFAFB680]<< kernel: MBR read successfully detected MBR rootkit hooks: \Driver\atapi -> 0xffafb680 Warning: possible MBR rootkit infection ! user & kernel MBR OK copy of MBR has been found in sector 3 ! copy of MBR has been found in sector 11 ! Use “Recovery Console” command “fixmbr” to clear infection !

2 af 4

Forrige

Næste