
Inactive google redirect virus

Discussion in 'Malware and Virus Removal Archive' started by light, 2010/11/24.

  1. 2010/11/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Yes...
     
  2. 2010/11/25
    light

    light Inactive Thread Starter

    Joined:
    2010/04/09
    Messages:
    106
    Likes Received:
    0
    Did you even read the last post?
    Should I press Clean or Apply Action?
     


  4. 2010/11/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You can press "Clean", but I've been asking you to run ComboFix in safe mode and you're doing some other things.
     
  5. 2010/11/25
    light

    light Inactive Thread Starter

    Joined:
    2010/04/09
    Messages:
    106
    Likes Received:
    0
    Sorry broni, I'll do it now, I'm just so confused...
    I have 5 error messages and 2 antivirus messages and 1 spammy little popup message :D

    Security Essentials says "unable to remove"; should I press "scan only" as it suggests?
    Or restart and do ComboFix?
     
  6. 2010/11/25
    light

    light Inactive Thread Starter

    Joined:
    2010/04/09
    Messages:
    106
    Likes Received:
    0
    OK OK, sorry, I'll do ComboFix in safe mode.
    But how?
    The Start button isn't there and Ctrl-Alt-Del doesn't work, it crashes after half a second... Should I manually restart? Any suggestion?
     
  7. 2010/11/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Restart manually and keep tapping the F8 key until the menu appears.
    Select "Safe Mode".
     
  8. 2010/11/25
    light

    light Inactive Thread Starter

    Joined:
    2010/04/09
    Messages:
    106
    Likes Received:
    0
    Hm, luckily I was able to restart in safe mode without manually restarting; I remembered
    Windows key + L

    OK, another problem... ComboFix won't run. After I pressed OK when it says AntiVir is active, and then again, it says

    You can't change the name of ComboFix
    Use another name that uses alphanumeric characters

    Sorry for my bad translation, but you see what I mean, right?
    Btw, I didn't change the name of the file.

    Ah wait... It works, OK, it runs now. Btw, I'm posting from my iPod so it won't disturb ComboFix.
     
    Last edited: 2010/11/25
  9. 2010/11/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    OK, I'm getting a little bit annoyed by you not following my instructions.

    This is what I said, didn't I?
     
  10. 2010/11/25
    light

    light Inactive Thread Starter

    Joined:
    2010/04/09
    Messages:
    106
    Likes Received:
    0
    OK, another problem: ComboFix wants to install the Recovery Console but it can't, as there's no internet in safe mode. It says press OK only when connected to the internet. What should I do?
     
  11. 2010/11/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Skip recovery console installation for now.
     
  12. 2010/11/25
    light

    light Inactive Thread Starter

    Joined:
    2010/04/09
    Messages:
    106
    Likes Received:
    0
    OK, here's the ComboFix log.
    I didn't install the Recovery Console (no internet).
    I started ComboFix in safe mode, but ComboFix completed in normal mode.
    Also, somehow Avira AntiVir was turned on after the restart.


    ComboFix 10-11-24.04 - magnus gunnarsson 2010-11-25 22:18:30.3.2 - x86 MINIMAL
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.1015.752 [GMT 1:00]
    Körs från: c:\documents and settings\magnus gunnarsson\Skrivbord\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    ADS - system32: deleted 202520 bytes in 1 streams.

    ((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\MAGNUS~1\LOKALA~1\Temp\debug.exe
    c:\docume~1\MAGNUS~1\LOKALA~1\Temp\nvsvc32.exe
    c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate
    c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate\B64.dtd
    c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate\Flags.dtd
    c:\documents and settings\All Users\Dokument\Server\admin.txt
    c:\documents and settings\magnus gunnarsson\Application Data\hotfix.exe
    c:\documents and settings\magnus gunnarsson\Application Data\Microsoft\stor.cfg
    c:\documents and settings\magnus gunnarsson\Application Data\Microsoft\svchost.exe
    c:\documents and settings\magnus gunnarsson\Application Data\Microsoft\Windows\shell.exe
    c:\documents and settings\magnus gunnarsson\Application Data\scvhost.exe
    c:\documents and settings\magnus gunnarsson\netread.dll
    C:\Documents
    c:\windows\desktop
    c:\windows\desktop\TS GDI Theme Pack Readme.txt
    c:\windows\services.exe
    c:\windows\system32\crt.dat
    c:\windows\system32\cryptnet32.dll
    c:\windows\system32\otcoyd.dll
    c:\windows\system32\shimg.dll
    c:\windows\system32\Thumbs.db
    c:\windows\system32\w9udc.dll
    c:\windows\win32.exe
    c:\windows\winamp.exe

    Infekterad kopia av c:\windows\explorer.exe hittades och desinficerades.
    Återställd kopia från - c:\windows\ERDNT\cache\explorer.exe

    Infekterad kopia av c:\windows\system32\winlogon.exe hittades och desinficerades.
    Återställd kopia från - c:\windows\ERDNT\cache\winlogon.exe

    .
    (((((((((((((((((((((((( Filer Skapade från 2010-10-25 till 2010-11-25 ))))))))))))))))))))))))))))))
    .

    2010-11-18 21:34 . 2010-11-18 21:34 131584 ----a-w- c:\windows\system32\SpoonUninstall.exe
    2010-11-16 22:41 . 2010-11-16 22:41 323624 ----a-w- c:\windows\system32\wiaaut.dll
    2010-11-14 17:27 . 2010-11-14 17:29 -------- d--h--w- c:\windows\msdownld.tmp
    2010-11-14 16:04 . 2010-11-14 18:14 -------- d-----w- C:\gmod
    2010-11-14 10:26 . 2010-11-14 10:26 -------- d-----w- c:\program\CCleaner
    2010-11-11 21:03 . 2010-11-11 21:03 -------- d-----w- c:\documents and settings\NetworkService\Lokala inställningar\Application Data\uTorrentBar
    2010-11-11 20:28 . 2010-11-11 20:28 -------- d-----w- c:\documents and settings\magnus gunnarsson\Lokala inställningar\Application Data\jagexlauncher
    2010-11-11 16:28 . 2010-11-14 11:20 -------- d-----w- c:\documents and settings\magnus gunnarsson\Application Data\kikin
    2010-11-11 16:28 . 2010-11-11 16:28 -------- d-----w- c:\program\kikin
    2010-11-07 23:23 . 2008-01-15 04:10 667648 ----a-w- c:\windows\system32\tx14_doc.dll
    2010-11-07 23:23 . 2007-12-10 01:05 331776 ----a-w- c:\windows\system32\tx14_css.dll
    2010-11-07 23:23 . 2007-11-21 01:04 61440 ----a-w- c:\windows\system32\tx14_bmp.flt
    2010-11-07 23:23 . 2008-03-07 23:16 765952 ----a-w- c:\windows\system32\tx14.dll
    2010-11-06 17:54 . 2010-11-24 12:45 -------- d-----w- c:\documents and settings\magnus gunnarsson\Lokala inställningar\Application Data\Paint.NET
    2010-11-06 17:07 . 2010-11-06 17:26 269824 ----a-w- c:\windows\shdll.exe
    2010-11-05 11:48 . 2010-11-05 21:36 -------- d-----w- c:\documents and settings\magnus gunnarsson\Lokala inställningar\Application Data\Conduit
    2010-11-05 11:48 . 2010-11-05 11:48 -------- d-----w- c:\program\Conduit
    2010-11-05 11:48 . 2010-11-05 21:36 -------- d-----w- c:\documents and settings\magnus gunnarsson\Lokala inställningar\Application Data\uTorrentBar
    2010-11-05 11:48 . 2010-11-05 11:48 -------- d-----w- c:\program\uTorrentBar
    2010-11-04 14:07 . 2010-11-04 14:23 -------- d-----w- c:\documents and settings\magnus gunnarsson\Application Data\PlaneShift
    2010-11-04 14:07 . 2010-11-04 14:08 -------- d-----w- c:\documents and settings\magnus gunnarsson\Application Data\CrystalApp
    2010-11-04 14:07 . 2010-11-04 14:07 -------- d-----w- c:\documents and settings\magnus gunnarsson\Application Data\CrystalSpace
    2010-11-04 13:51 . 2010-11-24 09:04 -------- d-----w- c:\documents and settings\magnus gunnarsson\Application Data\treasurechest
    2010-11-02 18:22 . 2010-11-02 18:22 -------- d-----w- c:\documents and settings\magnus gunnarsson\Lokala inställningar\Application Data\Myst V Demo
    2010-11-02 18:22 . 2010-11-02 18:22 -------- d--h--r- c:\documents and settings\magnus gunnarsson\Application Data\SecuROM
    2010-11-02 18:22 . 2010-11-02 18:22 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
    2010-11-01 19:14 . 2010-11-24 11:22 -------- d-----w- c:\documents and settings\magnus gunnarsson\Application Data\.minecraft
    2010-10-30 08:54 . 2010-10-30 08:54 -------- d-----w- c:\program\Microsoft XNA
    2010-10-27 18:33 . 2010-10-27 18:34 -------- d-----w- c:\documents and settings\magnus gunnarsson\.idlerc

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-05 21:31 . 2009-11-25 05:33 444952 ----a-w- c:\windows\system32\wrap_oal.dll
    2010-11-05 21:31 . 2009-11-25 05:33 109080 ----a-w- c:\windows\system32\OpenAL32.dll
    2010-09-27 19:29 . 2010-09-25 19:53 4 ----a-w- C:\timestmp.tmp
    2010-09-18 10:23 . 2009-09-01 03:52 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2009-09-01 03:52 974848 ------w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2009-09-01 03:52 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2009-09-01 03:52 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-15 03:50 . 2010-04-15 13:28 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-09-15 01:29 . 2010-04-01 07:45 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-09-10 05:52 . 2009-09-01 03:52 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:52 . 2009-09-01 03:52 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:52 . 2009-09-01 03:52 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-08 09:17 . 2010-09-08 09:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 09:17 . 2010-09-08 09:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-09-01 11:52 . 2009-09-01 03:52 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-09-01 07:57 . 2009-09-01 03:52 1852800 ----a-w- c:\windows\system32\win32k.sys
    .

    (((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Not* Tomma poster & legitima standardposter visas inte.
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} "= "c:\program\uTorrentBar\tbuTor.dll" [2010-10-10 3906656]

    [HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} "= "c:\program\uTorrentBar\tbuTor.dll" [2010-10-10 3906656]
    "{30F9B915-B755-4826-820B-08FBA6BD249D} "= "c:\program\ConduitEngine\ConduitEngine.dll" [2010-10-10 3906656]

    [HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} "= "c:\program\uTorrentBar\tbuTor.dll" [2010-10-10 3906656]

    [HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Gadwin PrintScreen "= "d:\gadwin systems\PrintScreen\PrintScreen.exe" [2010-10-14 487424]
    "swg "= "c:\program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-10-24 39408]
    "DAEMON Tools Lite "= "d:\daemon tools lite\DTLite.exe" [2010-04-01 357696]
    "SandboxieControl "= "d:\sanboxie 3.50\SbieCtrl.exe" [2010-07-04 398568]
    "Steam "= "d:\steam\Steam.exe" [2003-09-11 958464]
    "Advanced SystemCare 3 "= "d:\advanced systemcare 3\AWC.exe" [2010-09-28 2407632]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL "= "RTHDCPL.EXE" [2009-04-27 17881088]
    "SynTPEnh "= "c:\program\Synaptics\SynTP\SynTPEnh.exe" [2009-04-09 1512744]
    "SynAsusAcpi "= "c:\program\Synaptics\SynTP\SynAsusAcpi.exe" [2009-04-09 79144]
    "AsusACPIServer "= "c:\program\EeePC\ACPI\AsAcpiSvr.exe" [2009-04-16 630784]
    "AsusEPCMonitor "= "c:\program\EeePC\ACPI\AsEPCMon.exe" [2009-03-13 98304]
    "AsusTray "= "c:\program\EeePC\ACPI\AsTray.exe" [2009-04-16 118784]
    "KMCONFIG "= "c:\program\Mouse Driver\StartAutorun.exe" [2008-05-30 212992]
    "ISUSPM Startup "= "c:\program\DELADE~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 221184]
    "avgnt "= "d:\avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
    "ISUSScheduler "= "c:\program\DELADE~1\INSTAL~1\UPDATE~1\issch.exe" [2005-08-11 81920]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
    "Persistence "= "c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
    "SunJavaUpdateSched "= "c:\program\Delade filer\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoPopUpsOnBoot "= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "d:\superantispyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost "= "c:\windows\system32\logonui.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- d:\superantispyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @= "Driver "

    [HKLM\~\startupfolder\C:^Documents and Settings^magnus gunnarsson^Start-meny^Program^Autostart^auto_start (5 min).exe]
    path=c:\documents and settings\magnus gunnarsson\Start-meny\Program\Autostart\auto_start (5 min).exe
    backup=c:\windows\pss\auto_start (5 min).exeStartup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HideDragon

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-21 18:37 932288 ----a-w- c:\program\Delade filer\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS VIBE]
    2010-03-02 02:22 102400 ----a-w- c:\program\ASUS\ASUS VIBE\ASUS VIBE.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
    2008-04-15 12:00 110592 ----a-w- c:\windows\system32\bthprops.cpl

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BtTray]
    2008-06-19 15:05 231424 ----a-w- c:\program\IVT Corporation\BlueSoleil\BtTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
    2010-04-01 09:16 357696 ----a-w- d:\daemon tools lite\DTLite.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
    2009-10-27 17:18 1103216 ----a-w- d:\download manager\DLM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-09-24 00:10 421160 ----a-w- d:\itunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Java(TM) ME Platform SDK 3.0]
    2009-04-09 07:06 102400 ----a-w- c:\java_me_platform_sdk_3.0\bin\device-manager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaCie Ethernet Agent Startup]
    2008-06-19 13:09 4091904 ----a-w- c:\program\LaCie\Ethernet Agent\LaCie Ethernet Agent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LiveUpdate]
    2010-01-29 09:18 751592 ----a-w- c:\program\ASUS\LiveUpdate\LiveUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn Hamachi Ui]
    2010-03-30 09:16 1820040 ----a-w- d:\logmein hamachi\hamachi-2-ui.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
    2010-03-29 22:46 1086856 ----a-w- c:\malwarebytes' anti-malware\mbam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
    2009-11-28 15:32 2923192 ----a-w- c:\program\Pando Networks\Media Booster\PMB.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-09-08 09:17 421888 ----a-w- d:\quicktime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2009-07-16 13:46 25604904 ----a-r- c:\program\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    2010-07-19 17:50 2403568 ----a-w- d:\superantispyware\SUPERAntiSpyware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2010-10-24 15:51 39408 ----a-w- c:\program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "SQLWriter "=2 (0x2)
    "SeaPort "=2 (0x2)
    "SbieSvc "=2 (0x2)
    "PnkBstrA "=2 (0x2)
    "ose "=3 (0x3)
    "odserv "=3 (0x3)
    "MSSQL$SQLEXPRESS "=2 (0x2)
    "idsvc "=3 (0x3)
    "IDriverT "=3 (0x3)
    "gupdate "=2 (0x2)
    "fsssvc "=3 (0x3)
    "BsHelpCS "=3 (0x3)
    "Bonjour Service "=2 (0x2)
    "BlueSoleilCS "=2 (0x2)
    "AntiVirSchedulerService "=2 (0x2)
    "FolderSize "=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Adobe Reader Speed Launcher "= "c:\program\Adobe\Reader 8.0\Reader\Reader_sl.exe "

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program\\Java\\jdk1.6.0_18\\bin\\javaw.exe "=
    "c:\\Program\\Pando Networks\\Media Booster\\PMB.exe "=
    "d:\\bnw\\runblack.exe "=
    "d:\\GameCQ\\.Cache\\DarkSpace\\DarkSpaceClient.exe "=
    "c:\\WINDOWS\\system32\\dpnsvr.exe "=
    "d:\\Soldat\\Soldat.exe "=
    "d:\\YSFLIGHT\\fsmaindx.exe "=
    "c:\\Program\\IVT Corporation\\BlueSoleil\\BlueSoleilCS.exe "=
    "d:\\YSFLIGHT\\fsmain.exe "=
    "c:\\WINDOWS\\system32\\dplaysvr.exe "=
    "c:\\Documents and Settings\\magnus gunnarsson\\temp\\TeamViewer\\Version5\\TeamViewer.exe "=
    "c:\\Program\\TeamViewer\\Version5\\TeamViewer.exe "=
    "d:\\RndLabs\\BaboViolent 2\\bv2.exe "=
    "c:\\Documents and Settings\\magnus gunnarsson\\Mina dokument\\Downloads\\PortForward.exe "=
    "c:\\WINDOWS\\system32\\javaw.exe "=
    "c:\\Program\\Sun\\VirtualBox\\VirtualBox.exe "=
    "d:\\Command & Conquer Tiberian Sun\\GAME.EXE "=
    "d:\\darkeden\\darkeden.exe "=
    "d:\\Age of Empires II\\empires2.exe "=
    "d:\\Age of Empires II\\age2_x1\\age2_x1.exe "=
    "\\\\NETWORKSPACE\\MYSHARE\\magnus\\spel program\\rise of nation installer\\RISE.EXE "=
    "d:\\Digital Illusions CE AB\\Rally Masters\\Server\\LobbyServer.EXE "=
    "c:\\Program\\Google\\Google Earth\\client\\googleearth.exe "=
    "c:\\Program\\Bonjour\\mDNSResponder.exe "=
    "d:\\iTunes\\iTunes.exe "=
    "d:\\open_TTD\\openttd.exe "=
    "c:\\Program\\Java\\jre6\\bin\\javaw.exe "=
    "d:\\Nexuiz\\nexuiz-sdl.exe "=
    "d:\\Nexuiz\\nexuiz.exe "=
    "d:\\air_attack\\rsync.exe "=
    "c:\\gmod\\hl2.exe "=
    "c:\\gmod\\srcds.exe "=
    "c:\\WINDOWS\\system32\\java.exe "=
    "c:\\Documents and Settings\\magnus gunnarsson\\Skrivbord\\meinKraft_v2.2\\meinkraft.exe "=
    "c:\\Program\\Skype\\Phone\\Skype.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "57493:TCP "= 57493:TCP:pando Media Booster
    "57493:UDP "= 57493:UDP:pando Media Booster
    "36963:UDP "= 36963:UDP:CounterStrike2D
    "16151:TCP "= 16151:TCP:open port
    "15161:TCP "= 15161:TCP:pen port
    "16151:UDP "= 16151:UDP:open port
    "3105:TCP "= 3105:TCP:firewall/nat
    "3105:UDP "= 3105:UDP:firewall
    "2039:TCP "= 2039:TCP:Akamai NetSession Interface
    "5000:UDP "= 5000:UDP:Akamai NetSession Interface

    R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2008-01-21 21512]
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2010-01-01 691696]
    R1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [2010-07-11 11448]
    R1 SASDIFSV;SASDIFSV;d:\superantispyware\sasdifsv.sys [2010-02-17 12872]
    R1 SASKUTIL;SASKUTIL;d:\superantispyware\SASKUTIL.SYS [2010-05-10 67656]
    R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2010-01-31 123280]
    R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2010-01-31 41616]
    R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;d:\logmein hamachi\hamachi-2.exe [2010-03-30 1107336]
    R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program\Mouse Driver\KMWDSrv.exe [2008-06-23 208896]
    R2 Prvflder;Prvflder;c:\windows\system32\drivers\prvflder.sys [2006-04-21 70912]
    R3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2008-01-21 26248]
    R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2009-12-17 110096]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-09-01 1684736]
    S3 GWHid;VL807 Hidmini driver;c:\windows\system32\DRIVERS\GWHid.sys --> c:\windows\system32\DRIVERS\GWHid.sys [?]
    S3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-08-27 38912]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program\Lavasoft\Ad-Aware\KernExplorer.sys [?]
    S3 rkhdrv40;Rootkit Unhooker Driver; [x]
    S3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2009-09-01 1015424]
    S3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [2009-08-27 39040]
    S3 VL807;VL807 Filter;c:\windows\system32\DRIVERS\VL807.sys --> c:\windows\system32\DRIVERS\VL807.sys [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S4 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\avira\AntiVir Desktop\sched.exe [2010-04-22 135336]
    S4 gupdate;Google Update Service (gupdate);c:\program\Google\Update\GoogleUpdate.exe [2009-11-25 135664]
    S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program\Microsoft SQL Server\100\Shared\sqladhlp.exe [2009-07-23 47128]
    S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-03-30 239336]
    S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 366936]
    .
    Innehållet i mappen 'Schemalagda aktiviteter':

    2010-11-18 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program\Apple Software Update\SoftwareUpdate.exe [2009-10-22 09:50]

    2010-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program\Google\Update\GoogleUpdate.exe [2009-11-25 15:42]

    2010-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program\Google\Update\GoogleUpdate.exe [2009-11-25 15:42]
    .
    .
    ------- Extra genomsökning -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    uInternet Settings,ProxyServer = http=127.0.0.1:50370
    IE: E&xportera till Microsoft Excel - c:\program\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
    IE: Skicka till &Bluetooth-enhet... - c:\program\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Skicka till Bluetooth - c:\program\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    IE: Sothink SWF Catcher - c:\program\Delade filer\SourceTec\SWF Catcher\InternetExplorer.htm
    IE: {{0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - {E601996F-E400-41CA-804B-CD6373A7EEE2} - c:\program\kikin\ie_kikin.dll
    DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.53.0.cab
    FF - ProfilePath - c:\documents and settings\magnus gunnarsson\Application Data\Mozilla\Firefox\Profiles\jw1t28dz.default\
    FF - prefs.js: browser.search.selectedEngine - DAEMON Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.hackthissite.org/
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 50370
    FF - prefs.js: network.proxy.type - 1
    FF - component: c:\documents and settings\magnus gunnarsson\Application Data\Mozilla\Firefox\Profiles\jw1t28dz.default\extensions\{AA994882-F391-4d2e-806F-8908DA4814ED}\platform\WINNT\components\kikin_3_0.dll
    FF - component: c:\documents and settings\magnus gunnarsson\Application Data\Mozilla\Firefox\Profiles\jw1t28dz.default\extensions\{AA994882-F391-4d2e-806F-8908DA4814ED}\platform\WINNT\components\kikin_3_6.dll
    FF - component: c:\documents and settings\magnus gunnarsson\Application Data\Mozilla\Firefox\Profiles\jw1t28dz.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\FFExternalAlert.dll
    FF - component: c:\documents and settings\magnus gunnarsson\Application Data\Mozilla\Firefox\Profiles\jw1t28dz.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCore.dll
    FF - component: c:\documents and settings\magnus gunnarsson\Application Data\Mozilla\Firefox\Profiles\jw1t28dz.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
    FF - plugin: c:\documents and settings\magnus gunnarsson\Application Data\Facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\documents and settings\magnus gunnarsson\Application Data\Mozilla\Firefox\Profiles\jw1t28dz.default\extensions\{AA994882-F391-4d2e-806F-8908DA4814ED}\platform\WINNT\plugins\npKikinIframe.dll
    FF - plugin: c:\documents and settings\magnus gunnarsson\Application Data\Mozilla\Firefox\Profiles\jw1t28dz.default\extensions\yyginstantplay@yoyogames.com\plugins\NPYYGInstantPlay.dll
    FF - plugin: c:\program\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: c:\windows\system32\npOGPPlugin.dll
    FF - plugin: c:\windows\system32\npwmsdrm.dll
    FF - plugin: d:\download manager\npfpdlm.dll
    FF - plugin: d:\itunes\Mozilla Plugins\npitunes.dll
    FF - plugin: d:\quicktime\Plugins\npqtplugin.dll
    FF - plugin: d:\quicktime\Plugins\npqtplugin2.dll
    FF - plugin: d:\quicktime\Plugins\npqtplugin3.dll
    FF - plugin: d:\quicktime\Plugins\npqtplugin4.dll
    FF - plugin: d:\quicktime\Plugins\npqtplugin5.dll
    FF - plugin: d:\quicktime\Plugins\npqtplugin6.dll
    FF - plugin: d:\quicktime\Plugins\npqtplugin7.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICY ----
    FF - user.js: network.http.max-connections-per-server - 4
    FF - user.js: nglayout.initialpaint.delay - 750
    FF - user.js: content.notify.interval - 750000
    FF - user.js: content.max.tokenizing.time - 2250000
    c:\program\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgbaam7a8h ", true);
    c:\program\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--fiqz9s ", true); // Traditional
    c:\program\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--fiqs8s ", true); // Simplified
    c:\program\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--j6w193g ", true);
    c:\program\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgberp4a5d4ar ", true);
    c:\program\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgberp4a5d4a87g ", true);
    c:\program\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgbqly7c0a67fbc ", true);
    c:\program\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgbqly7cvafr ", true);
    c:\program\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--kpry57d ", true); // Traditional
    c:\program\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--kprw13d ", true); // Simplified
    c:\program\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref( "browser.fixup.alternate.suffix ", ".se ");
    c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled ", false);
    .
    - - - - FÖRÄLDRALÖSA POSTER SOM TAGITS BORT - - - -

    HKCU-Run-uPc+MV0NgWJsiv - c:\windows\system32\w9udc.dll
    HKCU-Run-MKeta - c:\windows\services.exe
    HKCU-Run-scvhost.exe - c:\documents and settings\magnus gunnarsson\Application Data\scvhost.exe
    HKCU-Run-MKfPc - c:\windows\win32.exe
    HKLM-Run-uPc+MV0NgWJsiv - c:\windows\system32\w9udc.dll
    HKLM-Run-MKeta - c:\windows\services.exe
    HKLM-Run-MKfPc - c:\windows\win32.exe
    MSConfigStartUp-SandboxieControl - d:\sandboxie\SbieCtrl.exe
    MSConfigStartUp-SpybotSD TeaTimer - d:\spybot - search & destroy\TeaTimer.exe
    ActiveSetup-{9CB5900A-8628-A49B-FEA5-DF23A5520525} - c:\windows\system32:Shdll.exe
    AddRemove-Map001 - d:\001\mapuninstall.exe
    AddRemove-RadarSync PC Updater 2011 - d:\radarsync\uninst.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-25 22:38
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LÅSTA REGISTERNYCKLAR ---------------------

    [HKEY_USERS\S-1-5-21-880824880-3436134146-2971665550-1006\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_USERS\S-1-5-21-880824880-3436134146-2971665550-1006\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (S-1-5-21-880824880-3436134146-2971665550-1006)
    @Allowed: (Read) (S-1-5-21-880824880-3436134146-2971665550-1006)
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @= "FlashBroker "
    "LocalizedString "= "@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101 "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @= "c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @= "IFlashBroker4 "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @= "{00020424-0000-0000-C000-000000000046} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "
    "Version "= "1.0 "
    .
--------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(728)
    d:\superantispyware\SASWINLO.DLL

    - - - - - - - > 'explorer.exe'(3252)
    c:\windows\system32\msi.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\BsMobileSDK.dll
    c:\windows\system32\BsLangInDepRes.dll
    c:\windows\system32\Bs2Res.dll
    c:\program\Microsoft Private Folder 1.0\ShellExt.dll
    c:\windows\system32\PFLib.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
------------------------ Other Running Processes ------------------------
    .
    d:\sanboxie 3.50\SbieSvc.exe
    d:\avira\AntiVir Desktop\avguard.exe
    c:\program\Delade filer\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program\Java\jre6\bin\jqs.exe
    d:\avira\AntiVir Desktop\avshadow.exe
    c:\program\Microsoft Private Folder 1.0\PrfldSvc.exe
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\igfxext.exe
    c:\program\Mouse Driver\KMConfig.exe
    c:\windows\system32\igfxsrvc.exe
    c:\windows\system32\rundll32.exe
    c:\program\Mouse Driver\KMProcess.exe
    c:\windows\system32\rundll32.exe
    .
    **************************************************************************
    .
Completion time: 2010-11-25 22:45:49 - machine was rebooted.
    ComboFix-quarantined-files.txt 2010-11-25 21:45
    ComboFix2.txt 2010-04-17 09:28

Pre-Run: 8,411,648,000 bytes free
Post-Run: 12,850,102,272 bytes free

    Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
    - - End Of File - - D36F5C052ED9BEBFC57ECAD2F8D49F31


some text in Swedish
     
  13. 2010/11/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Very good :)

    Try to run the below fix in normal mode, so you can allow recovery console installation...

1. Please open Notepad
• Click Start, then Run
• Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:50370
    
    Firefox::
    FF - ProfilePath - c:\documents and settings\magnus gunnarsson\Application Data\Mozilla\Firefox\Profiles\jw1t28dz.default\
    FF - prefs.js: network.proxy.http_port - 50370
    
    
    

    3. Save the above as CFScript.txt

4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: drag CFScript.txt onto ComboFix.exe]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
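The fix above strips a proxy that points both IE (uInternet Settings,ProxyServer) and Firefox (network.proxy.http / http_port) at 127.0.0.1:50370, which is how a local hijacker on this machine gets to sit between the browser and Google and rewrite the results. The script below is an added example for this thread, not ComboFix code and not anything the posters ran: it parses the IE ProxyServer string and Firefox prefs.js, flags any proxy that resolves to a loopback address, and drafts CFScript lines in the same DDS:: / Firefox:: layout shown in the post. The sample values are constructed from the log in this thread; the prefs.js user_pref() syntax and the CFScript layout are taken as they appear on this page, and the profile path is a placeholder.

```python
"""Flag a loopback proxy hijack in IE and Firefox settings and draft matching
CFScript lines. Added example for this thread; not ComboFix code and not the
poster's own script. Sample values below are constructed from the thread's log."""
import re
from ipaddress import ip_address

# Constructed sample: IE's per-user ProxyServer value, as ComboFix printed it.
SAMPLE_IE_PROXYSERVER = "http=127.0.0.1:50370"

# Constructed sample prefs.js content (standard user_pref() syntax assumed).
SAMPLE_PREFS_JS = '''\
user_pref("browser.startup.homepage", "hxxp://www.hackthissite.org/");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 50370);
user_pref("network.proxy.type", 1);
'''

# Placeholder profile path (assumption), used only to render the CFScript block.
SAMPLE_PROFILE_PATH = ("c:\\documents and settings\\user\\Application Data\\"
                       "Mozilla\\Firefox\\Profiles\\xxxxxxxx.default\\")

PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')


def parse_prefs(text):
    """Parse prefs.js into a dict, converting quoted strings, booleans and ints."""
    prefs = {}
    for match in PREF_RE.finditer(text):
        key, raw = match.group(1), match.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[key] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            try:
                prefs[key] = int(raw)
            except ValueError:
                prefs[key] = raw
    return prefs


def is_loopback(host):
    """True for 127.0.0.0/8, [::1] and the name localhost."""
    host = host.strip("[]")
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def ie_loopback_proxies(proxy_server):
    """Return [(scheme, host, port)] for every loopback entry in an IE ProxyServer
    string; entries look like 'http=host:port;https=host:port' or 'host:port'."""
    found = []
    for part in proxy_server.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        if not host:            # no port given, the whole token is the host
            host, port = hostport, ""
        if is_loopback(host):
            found.append((scheme or "*", host, port))
    return found


def firefox_loopback_proxy(prefs):
    """Return (host, port) when Firefox uses a manual proxy (type 1) on loopback."""
    if prefs.get("network.proxy.type") != 1:
        return None
    host = prefs.get("network.proxy.http", "")
    if host and is_loopback(host):
        return (host, prefs.get("network.proxy.http_port", 0))
    return None


def build_cfscript(proxy_server, prefs, profile_path):
    """Draft CFScript text in the layout used in the thread: a DDS:: block for
    the IE value and a Firefox:: block for the prefs.js port. '' when clean."""
    lines = []
    if ie_loopback_proxies(proxy_server):
        lines += ["DDS::", "uInternet Settings,ProxyServer = " + proxy_server, ""]
    hit = firefox_loopback_proxy(prefs)
    if hit:
        lines += ["Firefox::",
                  "FF - ProfilePath - " + profile_path,
                  "FF - prefs.js: network.proxy.http_port - %s" % hit[1], ""]
    return "\n".join(lines)


if __name__ == "__main__":
    sample_prefs = parse_prefs(SAMPLE_PREFS_JS)
    print("IE loopback proxies:", ie_loopback_proxies(SAMPLE_IE_PROXYSERVER))
    print("Firefox loopback proxy:", firefox_loopback_proxy(sample_prefs))
    print(build_cfscript(SAMPLE_IE_PROXYSERVER, sample_prefs, SAMPLE_PROFILE_PATH))
```

A loopback proxy is not proof of infection by itself: some security and filtering products install one deliberately. Before removing it, find out which process owns the listening port (netstat -ano, then match the PID in Task Manager) and confirm it is not something the user installed on purpose; on the machine in this thread nothing legitimate claims port 50370, which is why the fix removes it.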
     
  14. 2010/11/25
    light

    light Inactive Thread Starter

    Joined:
    2010/04/09
    Messages:
    106
    Likes Received:
    0
Hey, there's a new version of ComboFix now. I got the message after starting it; it asks if I should update. I guess you would say yes, so I'll update then.
     
  15. 2010/11/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Always :)
     
  16. 2010/11/25
    light

    light Inactive Thread Starter

    Joined:
    2010/04/09
    Messages:
    106
    Likes Received:
    0
OK, so it asked if I wanted the Recovery Console and I pressed yes, and I accepted the agreement and then it downloaded, and about 10 seconds after the download completed it says

cannot find the file

or something, and nothing more happens...?

OK, just after I posted it asked "and now then?"
so I just continue the scanning; I'll post the report when done.
     
    Last edited: 2010/11/25
  17. 2010/11/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Ok...
     
  18. 2010/11/25
    light

    light Inactive Thread Starter

    Joined:
    2010/04/09
    Messages:
    106
    Likes Received:
    0
    ComboFix 10-11-25.01 - magnus gunnarsson 2010-11-25 23:44:48.4.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.1015.514 [GMT 1:00]
Running from: c:\documents and settings\magnus gunnarsson\Skrivbord\ComboFix.exe
Command switches used :: c:\documents and settings\magnus gunnarsson\Skrivbord\CFScript.txt
    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

(((((((((((((((((((((((( Files Created from 2010-10-25 to 2010-11-25 ))))))))))))))))))))))))))))))
    .

    2010-11-25 21:55 . 2010-11-25 21:56 -------- d-----w- c:\program\Malwarebytes' Anti-Malware
    2010-11-24 12:13 . 2010-11-24 12:13 -------- d-----w- C:\TDSSKiller_Quarantine
    2010-11-18 21:34 . 2010-11-18 21:34 131584 ----a-w- c:\windows\system32\SpoonUninstall.exe
    2010-11-16 22:41 . 2010-11-16 22:41 323624 ----a-w- c:\windows\system32\wiaaut.dll
    2010-11-14 17:27 . 2010-11-14 17:29 -------- d--h--w- c:\windows\msdownld.tmp
    2010-11-14 16:04 . 2010-11-14 18:14 -------- d-----w- C:\gmod
    2010-11-14 10:26 . 2010-11-14 10:26 -------- d-----w- c:\program\CCleaner
    2010-11-11 21:03 . 2010-11-11 21:03 -------- d-----w- c:\documents and settings\NetworkService\Lokala inställningar\Application Data\uTorrentBar
    2010-11-11 20:28 . 2010-11-11 20:28 -------- d-----w- c:\documents and settings\magnus gunnarsson\Lokala inställningar\Application Data\jagexlauncher
    2010-11-11 16:28 . 2010-11-14 11:20 -------- d-----w- c:\documents and settings\magnus gunnarsson\Application Data\kikin
    2010-11-11 16:28 . 2010-11-11 16:28 -------- d-----w- c:\program\kikin
    2010-11-07 23:23 . 2008-01-15 04:10 667648 ----a-w- c:\windows\system32\tx14_doc.dll
    2010-11-07 23:23 . 2007-12-10 01:05 331776 ----a-w- c:\windows\system32\tx14_css.dll
    2010-11-07 23:23 . 2007-11-21 01:04 61440 ----a-w- c:\windows\system32\tx14_bmp.flt
    2010-11-07 23:23 . 2008-03-07 23:16 765952 ----a-w- c:\windows\system32\tx14.dll
    2010-11-06 17:54 . 2010-11-24 12:45 -------- d-----w- c:\documents and settings\magnus gunnarsson\Lokala inställningar\Application Data\Paint.NET
    2010-11-06 17:07 . 2010-11-06 17:26 269824 ----a-w- c:\windows\shdll.exe
    2010-11-05 11:48 . 2010-11-05 21:36 -------- d-----w- c:\documents and settings\magnus gunnarsson\Lokala inställningar\Application Data\Conduit
    2010-11-05 11:48 . 2010-11-05 11:48 -------- d-----w- c:\program\Conduit
    2010-11-05 11:48 . 2010-11-05 21:36 -------- d-----w- c:\documents and settings\magnus gunnarsson\Lokala inställningar\Application Data\uTorrentBar
    2010-11-05 11:48 . 2010-11-05 11:48 -------- d-----w- c:\program\uTorrentBar
    2010-11-04 14:07 . 2010-11-04 14:23 -------- d-----w- c:\documents and settings\magnus gunnarsson\Application Data\PlaneShift
    2010-11-04 14:07 . 2010-11-04 14:08 -------- d-----w- c:\documents and settings\magnus gunnarsson\Application Data\CrystalApp
    2010-11-04 14:07 . 2010-11-04 14:07 -------- d-----w- c:\documents and settings\magnus gunnarsson\Application Data\CrystalSpace
    2010-11-04 13:51 . 2010-11-24 09:04 -------- d-----w- c:\documents and settings\magnus gunnarsson\Application Data\treasurechest
    2010-11-02 18:22 . 2010-11-02 18:22 -------- d-----w- c:\documents and settings\magnus gunnarsson\Lokala inställningar\Application Data\Myst V Demo
    2010-11-02 18:22 . 2010-11-02 18:22 -------- d--h--r- c:\documents and settings\magnus gunnarsson\Application Data\SecuROM
    2010-11-02 18:22 . 2010-11-02 18:22 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
    2010-11-01 19:14 . 2010-11-24 11:22 -------- d-----w- c:\documents and settings\magnus gunnarsson\Application Data\.minecraft
    2010-10-30 08:54 . 2010-10-30 08:54 -------- d-----w- c:\program\Microsoft XNA
    2010-10-27 18:33 . 2010-10-27 18:34 -------- d-----w- c:\documents and settings\magnus gunnarsson\.idlerc

    .
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-05 21:31 . 2009-11-25 05:33 444952 ----a-w- c:\windows\system32\wrap_oal.dll
    2010-11-05 21:31 . 2009-11-25 05:33 109080 ----a-w- c:\windows\system32\OpenAL32.dll
    2010-09-27 19:29 . 2010-09-25 19:53 4 ----a-w- C:\timestmp.tmp
    2010-09-18 10:23 . 2009-09-01 03:52 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2009-09-01 03:52 974848 ------w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2009-09-01 03:52 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2009-09-01 03:52 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-15 03:50 . 2010-04-15 13:28 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-09-15 01:29 . 2010-04-01 07:45 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-09-10 05:52 . 2009-09-01 03:52 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:52 . 2009-09-01 03:52 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:52 . 2009-09-01 03:52 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-08 09:17 . 2010-09-08 09:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 09:17 . 2010-09-08 09:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-09-01 11:52 . 2009-09-01 03:52 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-09-01 07:57 . 2009-09-01 03:52 1852800 ----a-w- c:\windows\system32\win32k.sys
    .

(((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
*Note* Empty entries & legitimate default entries are not shown.
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} "= "c:\program\uTorrentBar\tbuTor.dll" [2010-10-10 3906656]

    [HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} "= "c:\program\uTorrentBar\tbuTor.dll" [2010-10-10 3906656]
    "{30F9B915-B755-4826-820B-08FBA6BD249D} "= "c:\program\ConduitEngine\ConduitEngine.dll" [2010-10-10 3906656]

    [HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} "= "c:\program\uTorrentBar\tbuTor.dll" [2010-10-10 3906656]

    [HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Gadwin PrintScreen "= "d:\gadwin systems\PrintScreen\PrintScreen.exe" [2010-10-14 487424]
    "swg "= "c:\program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-10-24 39408]
    "DAEMON Tools Lite "= "d:\daemon tools lite\DTLite.exe" [2010-04-01 357696]
    "SandboxieControl "= "d:\sanboxie 3.50\SbieCtrl.exe" [2010-07-04 398568]
    "Steam "= "d:\steam\Steam.exe" [2003-09-11 958464]
    "Advanced SystemCare 3 "= "d:\advanced systemcare 3\AWC.exe" [2010-09-28 2407632]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL "= "RTHDCPL.EXE" [2009-04-27 17881088]
    "SynTPEnh "= "c:\program\Synaptics\SynTP\SynTPEnh.exe" [2009-04-09 1512744]
    "SynAsusAcpi "= "c:\program\Synaptics\SynTP\SynAsusAcpi.exe" [2009-04-09 79144]
    "AsusACPIServer "= "c:\program\EeePC\ACPI\AsAcpiSvr.exe" [2009-04-16 630784]
    "AsusEPCMonitor "= "c:\program\EeePC\ACPI\AsEPCMon.exe" [2009-03-13 98304]
    "AsusTray "= "c:\program\EeePC\ACPI\AsTray.exe" [2009-04-16 118784]
    "KMCONFIG "= "c:\program\Mouse Driver\StartAutorun.exe" [2008-05-30 212992]
    "ISUSPM Startup "= "c:\program\DELADE~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 221184]
    "avgnt "= "d:\avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
    "ISUSScheduler "= "c:\program\DELADE~1\INSTAL~1\UPDATE~1\issch.exe" [2005-08-11 81920]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
    "Persistence "= "c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
    "SunJavaUpdateSched "= "c:\program\Delade filer\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoPopUpsOnBoot "= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "d:\superantispyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost "= "c:\windows\system32\logonui.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- d:\superantispyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @= "Driver "

    [HKLM\~\startupfolder\C:^Documents and Settings^magnus gunnarsson^Start-meny^Program^Autostart^auto_start (5 min).exe]
    path=c:\documents and settings\magnus gunnarsson\Start-meny\Program\Autostart\auto_start (5 min).exe
    backup=c:\windows\pss\auto_start (5 min).exeStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-21 18:37 932288 ----a-w- c:\program\Delade filer\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS VIBE]
    2010-03-02 02:22 102400 ----a-w- c:\program\ASUS\ASUS VIBE\ASUS VIBE.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
    2008-04-15 12:00 110592 ----a-w- c:\windows\system32\bthprops.cpl

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BtTray]
    2008-06-19 15:05 231424 ----a-w- c:\program\IVT Corporation\BlueSoleil\BtTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
    2010-04-01 09:16 357696 ----a-w- d:\daemon tools lite\DTLite.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
    2009-10-27 17:18 1103216 ----a-w- d:\download manager\DLM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-09-24 00:10 421160 ----a-w- d:\itunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Java(TM) ME Platform SDK 3.0]
    2009-04-09 07:06 102400 ----a-w- c:\java_me_platform_sdk_3.0\bin\device-manager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaCie Ethernet Agent Startup]
    2008-06-19 13:09 4091904 ----a-w- c:\program\LaCie\Ethernet Agent\LaCie Ethernet Agent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LiveUpdate]
    2010-01-29 09:18 751592 ----a-w- c:\program\ASUS\LiveUpdate\LiveUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn Hamachi Ui]
    2010-03-30 09:16 1820040 ----a-w- d:\logmein hamachi\hamachi-2-ui.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
    2010-03-29 22:46 1086856 ----a-w- c:\malwarebytes' anti-malware\mbam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
    2009-11-28 15:32 2923192 ----a-w- c:\program\Pando Networks\Media Booster\PMB.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-09-08 09:17 421888 ----a-w- d:\quicktime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2009-07-16 13:46 25604904 ----a-r- c:\program\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    2010-07-19 17:50 2403568 ----a-w- d:\superantispyware\SUPERAntiSpyware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2010-10-24 15:51 39408 ----a-w- c:\program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "SQLWriter "=2 (0x2)
    "SeaPort "=2 (0x2)
    "SbieSvc "=2 (0x2)
    "PnkBstrA "=2 (0x2)
    "ose "=3 (0x3)
    "odserv "=3 (0x3)
    "MSSQL$SQLEXPRESS "=2 (0x2)
    "idsvc "=3 (0x3)
    "IDriverT "=3 (0x3)
    "gupdate "=2 (0x2)
    "fsssvc "=3 (0x3)
    "BsHelpCS "=3 (0x3)
    "Bonjour Service "=2 (0x2)
    "BlueSoleilCS "=2 (0x2)
    "AntiVirSchedulerService "=2 (0x2)
    "FolderSize "=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Adobe Reader Speed Launcher "= "c:\program\Adobe\Reader 8.0\Reader\Reader_sl.exe "

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program\\Java\\jdk1.6.0_18\\bin\\javaw.exe "=
    "c:\\Program\\Pando Networks\\Media Booster\\PMB.exe "=
    "d:\\bnw\\runblack.exe "=
    "d:\\GameCQ\\.Cache\\DarkSpace\\DarkSpaceClient.exe "=
    "c:\\WINDOWS\\system32\\dpnsvr.exe "=
    "d:\\Soldat\\Soldat.exe "=
    "d:\\YSFLIGHT\\fsmaindx.exe "=
    "c:\\Program\\IVT Corporation\\BlueSoleil\\BlueSoleilCS.exe "=
    "d:\\YSFLIGHT\\fsmain.exe "=
    "c:\\WINDOWS\\system32\\dplaysvr.exe "=
    "c:\\Documents and Settings\\magnus gunnarsson\\temp\\TeamViewer\\Version5\\TeamViewer.exe "=
    "c:\\Program\\TeamViewer\\Version5\\TeamViewer.exe "=
    "d:\\RndLabs\\BaboViolent 2\\bv2.exe "=
    "c:\\Documents and Settings\\magnus gunnarsson\\Mina dokument\\Downloads\\PortForward.exe "=
    "c:\\WINDOWS\\system32\\javaw.exe "=
    "c:\\Program\\Sun\\VirtualBox\\VirtualBox.exe "=
    "d:\\Command & Conquer Tiberian Sun\\GAME.EXE "=
    "d:\\darkeden\\darkeden.exe "=
    "d:\\Age of Empires II\\empires2.exe "=
    "d:\\Age of Empires II\\age2_x1\\age2_x1.exe "=
    "\\\\NETWORKSPACE\\MYSHARE\\magnus\\spel program\\rise of nation installer\\RISE.EXE "=
    "d:\\Digital Illusions CE AB\\Rally Masters\\Server\\LobbyServer.EXE "=
    "c:\\Program\\Google\\Google Earth\\client\\googleearth.exe "=
    "c:\\Program\\Bonjour\\mDNSResponder.exe "=
    "d:\\iTunes\\iTunes.exe "=
    "d:\\open_TTD\\openttd.exe "=
    "c:\\Program\\Java\\jre6\\bin\\javaw.exe "=
    "d:\\Nexuiz\\nexuiz-sdl.exe "=
    "d:\\Nexuiz\\nexuiz.exe "=
    "d:\\air_attack\\rsync.exe "=
    "c:\\gmod\\hl2.exe "=
    "c:\\gmod\\srcds.exe "=
    "c:\\WINDOWS\\system32\\java.exe "=
    "c:\\Documents and Settings\\magnus gunnarsson\\Skrivbord\\meinKraft_v2.2\\meinkraft.exe "=
    "c:\\Program\\Skype\\Phone\\Skype.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "57493:TCP "= 57493:TCP:pando Media Booster
    "57493:UDP "= 57493:UDP:pando Media Booster
    "36963:UDP "= 36963:UDP:CounterStrike2D
"16151:TCP "= 16151:TCP:open port
"15161:TCP "= 15161:TCP:pen port
"16151:UDP "= 16151:UDP:open port
    "3105:TCP "= 3105:TCP:firewall/nat
    "3105:UDP "= 3105:UDP:firewall
    "2039:TCP "= 2039:TCP:Akamai NetSession Interface
    "5000:UDP "= 5000:UDP:Akamai NetSession Interface

    R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2008-01-21 21512]
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2010-01-01 691696]
    R1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [2010-07-11 11448]
    R1 SASDIFSV;SASDIFSV;d:\superantispyware\sasdifsv.sys [2010-02-17 12872]
    R1 SASKUTIL;SASKUTIL;d:\superantispyware\SASKUTIL.SYS [2010-05-10 67656]
    R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2010-01-31 123280]
    R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2010-01-31 41616]
    R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;d:\logmein hamachi\hamachi-2.exe [2010-03-30 1107336]
    R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program\Mouse Driver\KMWDSrv.exe [2008-06-23 208896]
    R2 Prvflder;Prvflder;c:\windows\system32\drivers\prvflder.sys [2006-04-21 70912]
    R3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2008-01-21 26248]
    R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2009-12-17 110096]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-09-01 1684736]
    S3 GWHid;VL807 Hidmini driver;c:\windows\system32\DRIVERS\GWHid.sys --> c:\windows\system32\DRIVERS\GWHid.sys [?]
    S3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-08-27 38912]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program\Lavasoft\Ad-Aware\KernExplorer.sys [?]
    S3 rkhdrv40;Rootkit Unhooker Driver; [x]
    S3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2009-09-01 1015424]
    S3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [2009-08-27 39040]
    S3 VL807;VL807 Filter;c:\windows\system32\DRIVERS\VL807.sys --> c:\windows\system32\DRIVERS\VL807.sys [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S4 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\avira\AntiVir Desktop\sched.exe [2010-04-22 135336]
    S4 gupdate;Google Update Service (gupdate);c:\program\Google\Update\GoogleUpdate.exe [2009-11-25 135664]
    S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program\Microsoft SQL Server\100\Shared\sqladhlp.exe [2009-07-23 47128]
    S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-03-30 239336]
    S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 366936]
    .
Contents of the 'Scheduled Tasks' folder:

    2010-11-18 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program\Apple Software Update\SoftwareUpdate.exe [2009-10-22 09:50]

    2010-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program\Google\Update\GoogleUpdate.exe [2009-11-25 15:42]

    2010-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program\Google\Update\GoogleUpdate.exe [2009-11-25 15:42]
    .
    .
------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xportera till Microsoft Excel - c:\program\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
    IE: Skicka till &Bluetooth-enhet... - c:\program\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Skicka till Bluetooth - c:\program\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    IE: Sothink SWF Catcher - c:\program\Delade filer\SourceTec\SWF Catcher\InternetExplorer.htm
    IE: {{0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - {E601996F-E400-41CA-804B-CD6373A7EEE2} - c:\program\kikin\ie_kikin.dll
    DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.53.0.cab
    FF - ProfilePath - c:\documents and settings\magnus gunnarsson\Application Data\Mozilla\Firefox\Profiles\jw1t28dz.default\
    FF - prefs.js: browser.search.selectedEngine - DAEMON Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.hackthissite.org/
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.type - 1
    FF - component: c:\documents and settings\magnus gunnarsson\Application Data\Mozilla\Firefox\Profiles\jw1t28dz.default\extensions\{AA994882-F391-4d2e-806F-8908DA4814ED}\platform\WINNT\components\kikin_3_0.dll
    FF - component: c:\documents and settings\magnus gunnarsson\Application Data\Mozilla\Firefox\Profiles\jw1t28dz.default\extensions\{AA994882-F391-4d2e-806F-8908DA4814ED}\platform\WINNT\components\kikin_3_6.dll
    FF - component: c:\documents and settings\magnus gunnarsson\Application Data\Mozilla\Firefox\Profiles\jw1t28dz.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\FFExternalAlert.dll
    FF - component: c:\documents and settings\magnus gunnarsson\Application Data\Mozilla\Firefox\Profiles\jw1t28dz.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCore.dll
    FF - component: c:\documents and settings\magnus gunnarsson\Application Data\Mozilla\Firefox\Profiles\jw1t28dz.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICY ----
    FF - user.js: network.http.max-connections-per-server - 4
    FF - user.js: nglayout.initialpaint.delay - 750
    FF - user.js: content.notify.interval - 750000
    FF - user.js: content.max.tokenizing.time - 2250000
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-26 00:10
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
--------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-880824880-3436134146-2971665550-1006\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_USERS\S-1-5-21-880824880-3436134146-2971665550-1006\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (S-1-5-21-880824880-3436134146-2971665550-1006)
    @Allowed: (Read) (S-1-5-21-880824880-3436134146-2971665550-1006)
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @= "FlashBroker "
    "LocalizedString "= "@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101 "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @= "c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @= "IFlashBroker4 "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @= "{00020424-0000-0000-C000-000000000046} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "
    "Version "= "1.0 "
    .
--------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(728)
    d:\superantispyware\SASWINLO.DLL

    - - - - - - - > 'explorer.exe'(2688)
    c:\windows\system32\msi.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
Completion time: 2010-11-26 00:17:02
    ComboFix-quarantined-files.txt 2010-11-25 23:16
    ComboFix2.txt 2010-11-25 21:45
    ComboFix3.txt 2010-04-17 09:28

Pre-Run: 12,797,087,744 bytes free
Post-Run: 12,778,528,768 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-SVE.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug= "do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /TUTag=S6HYWO /Kernel=TUKernel.exe
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Home Edition (TuneUp Backup)" /noexecute=optin /fastdetect /TUTag=S6HYWO-BAK
    [spybotsd]
    timeout.old=3

    Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
    - - End Of File - - DFCA23B192E2E14A7B7201B348744239

Here's the scan :D
Also, there's still some text in Swedish. My computer seems to get better and better, fewer errors and so on.
     
  19. 2010/11/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Looks good :)

    How is redirection?

    Download OTL to your Desktop.

• Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
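Added example, not part of broni's post or of OTL itself: a small Python triage helper that resolves custom-scan lines like the ones above (`%VAR%` paths with a filename glob) against a supplied environment, lists every matching file and records its size and SHA-256 so the matches can be compared against known-good hashes. Reading `/s` as "include subdirectories", ignoring the other switches, and skipping keyword and registry lines are assumptions made here, not OTL documentation; the files it scans in `demo()` are constructed sample data.

```python
# Added triage helper (not OTL): resolve OTL-style scan patterns such as %systemroot%\system32\*.jpg.
import fnmatch, hashlib, os, pathlib, re, tempfile

_VAR = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")   # %SYSTEMROOT%, %ProgramFiles%, ...

def expand_pattern(pattern, env):
    """Split one line into (directory, filename glob, recursive); '/s' is read as
    'include subdirectories' and other switches are ignored (assumptions about OTL)."""
    base, *switches = pattern.split(" /")                      # e.g. '... /x', '... /mp /s'
    recursive = "s" in (s.strip().lower() for s in switches)
    low = {k.lower(): v for k, v in env.items()}               # %VAR% names are case-insensitive
    expanded = _VAR.sub(lambda m: low.get(m.group(1).lower(), m.group(0)), base)
    directory, glob = os.path.split(expanded.replace("\\", os.sep))
    return directory, glob, recursive

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def scan(patterns, env):
    """One dict per matching file; keyword lines (netsvcs, CREATERESTOREPOINT,
    /md5start) and registry keys carry no file path and are skipped."""
    hits = []
    for pattern in patterns:
        if "\\" not in pattern or pattern.upper().startswith("HKEY_"):
            continue
        directory, glob, recursive = expand_pattern(pattern, env)
        if not os.path.isdir(directory):
            continue
        walker = os.walk(directory) if recursive else [(directory, [], os.listdir(directory))]
        for root, _, names in walker:
            for name in sorted(names):
                full = os.path.join(root, name)
                if os.path.isfile(full) and fnmatch.fnmatchcase(name.lower(), glob.lower()):
                    hits.append({"pattern": pattern, "path": full,
                                 "size": os.path.getsize(full), "sha256": sha256_file(full)})
    return hits

def demo():
    """Scan a constructed sample tree in a temp dir (sample files, not a real host)."""
    root = tempfile.mkdtemp()
    for rel, data in {"system32/photo.jpg": b"not a jpeg", "Fonts/loader.exe": b"MZ",
                      "Web/deep/dropper.exe": b"MZ\x90", "system32/kernel32.dll": b"MZ ok"}.items():
        p = pathlib.Path(root, "Windows", *rel.split("/"))
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    patterns = ["netsvcs", r"%systemroot%\system32\*.jpg", r"%systemroot%\Fonts\*.exe",
                r"%SYSTEMROOT%\Web\*.exe /s", r"%systemroot%\*.scr /x", r"HKEY_LOCAL_MACHINE\SOFTWARE"]
    return scan(patterns, {"SystemRoot": os.path.join(root, "Windows")})
```

On a real machine you would pass the host's actual environment (for example `dict(os.environ)`) and the full list from the post; the output is meant to be read alongside the OTL log, not to replace it.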
     
  20. 2010/11/26
    light

    light Inactive Thread Starter

    Joined:
    2010/04/09
    Messages:
    106
    Likes Received:
    0
    Yep :) no redirection.
    OK, I'll use OTL now.
     
  21. 2010/11/26
    light

    light Inactive Thread Starter

    Joined:
    2010/04/09
    Messages:
    106
    Likes Received:
    0
    Can't post.


    The text that you have entered is too long (79060 characters). Please shorten it to 55000 characters long.

    Should I post half, then half, and the same for the other?
     