
Author Topic: Atapi.sys infected - Trojan Horse Packed.Protector.C  (Read 17221 times)


Andrimner (Topic Starter)

    Atapi.sys infected - Trojan Horse Packed.Protector.C
    « on: December 08, 2009, 01:51:22 PM »
    Hello.

    AVG is telling me that my atapi.sys file is infected, and that it cannot be removed because it is an essential file.
    The infection is listed as Trojan Horse Packed.Protector.C, and the "process name" is C:\WINDOWS\system32\svchost.exe

    I ran a Malwarebytes scan, and it seemed to remove it. The latest scans reported no infections, yet the AVG threat detection still pops up from time to time.

    Unfortunately, the logs from the first scans are in Norwegian. I'll post the last log in English.

    Malwarebytes' Anti-Malware 1.42
    Databaseversjon: 3308
    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    07.12.2009 12:43:11
    mbam-log-2009-12-07 (12-43-11).txt

    Skanntype: Rask Skann
    Objekter skannet: 118791
    Tid tilbakelagt: 47 minute(s), 50 second(s)

    Minneprosesser infisert: 2
    Minnemoduler infisert: 0
    Registernøkler infisert: 5
    Registerverdier infisert: 3
    Registerfiler infisert: 1
    Mapper infisert: 5
    Filer infisert: 21

    Minneprosesser infisert:
    C:\WINDOWS\system32\av_md.exe (Backdoor.Bot) -> Unloaded process successfully.
    C:\WINDOWS\system32\config\systemprofile\av_md.exe (Backdoor.Bot) -> Unloaded process successfully.

    Minnemoduler infisert:
    (Ingen mistenkelige filer funnet)

    Registernøkler infisert:
    HKEY_CLASSES_ROOT\D (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\D.1 (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Intelli Mouse Pro Version 2.0B (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d753d127-92ef-3a49-bc7b-b5682875155e} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{d753d127-92ef-3a49-bc7b-b5682875155e} (Trojan.BHO) -> Quarantined and deleted successfully.

    Registerverdier infisert:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\av_md (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regedit32 (Trojan.Agent) -> Delete on reboot.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\av_md (Trojan.Dropper) -> Quarantined and deleted successfully.

    Registerfiler infisert:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

    Mapper infisert:
    C:\Programfiler\NewDotNet (Adware.NewDotNet) -> Quarantined and deleted successfully.
    C:\Programfiler\Video ActiveX Access (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Programfiler\VirusProtectPro 3.5 (Rogue.VirusProtect) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nScan (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\splm (Backdoor.Bot) -> Quarantined and deleted successfully.

    Filer infisert:
    C:\WINDOWS\system32\av_md.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\config\systemprofile\av_md.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\~TM766.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\Programfiler\NewDotNet\newnet.log (Adware.NewDotNet) -> Quarantined and deleted successfully.
    C:\Programfiler\NewDotNet\readme.txt (Adware.NewDotNet) -> Quarantined and deleted successfully.
    C:\Programfiler\Video ActiveX Access\ot.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Programfiler\Video ActiveX Access\ts.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Programfiler\VirusProtectPro 3.5\vpp.ini (Rogue.VirusProtect) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nScan\ecls.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nScan\ekrn.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nScan\ekrnAmon.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nScan\ekrnEmon.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nScan\ekrnEpfw.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nScan\ekrnScan.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nScan\em000_32.dat (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nScan\em001_32.dat (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nScan\em002_32.dat (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\Documents and Settings\HP_Eier\Favoritter\Online Security Test.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start-meny\Online Security Guide.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start-meny\Security Troubleshooting.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> Quarantined and deleted successfully.



    Here is the newest Malwarebytes-log:

    Malwarebytes' Anti-Malware 1.42
    Database version: 3308
    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    08.12.2009 16:57:06
    mbam-log-2009-12-08 (16-57-06).txt

    Scan type: Quick Scan
    Objects scanned: 118790
    Time elapsed: 48 minute(s), 56 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    This was completed yesterday, yet AVG is still detecting threats.

    harry 48
    Re: Atapi.sys infected - Trojan Horse Packed.Protector.C
    « Reply #1 on: December 08, 2009, 02:13:01 PM »
    http://www.computerhope.com/forum/index.php/topic,46313.0.html


    Please go to the above link and post the HijackThis log.

    Andrimner (Topic Starter)

      Re: Atapi.sys infected - Trojan Horse Packed.Protector.C
      « Reply #2 on: December 09, 2009, 08:58:11 AM »
      OK, I've gone through all the steps down to HijackThis; here is the HijackThis log:

      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 16:55:00, on 09.12.2009
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\csrss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\system32\svchost.exe
      C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
      C:\Programfiler\Java\jre6\bin\jqs.exe
      c:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe
      C:\Programfiler\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
      C:\PROGRA~1\AVG\AVG8\avgrsx.exe
      C:\PROGRA~1\AVG\AVG8\avgnsx.exe
      C:\PROGRA~1\AVG\AVG8\avgemc.exe
      C:\Programfiler\AVG\AVG8\avgcsrvx.exe
      C:\WINDOWS\System32\alg.exe
      C:\WINDOWS\system32\wbem\wmiapsrv.exe
      C:\WINDOWS\Explorer.EXE
      C:\Programfiler\Java\jre6\bin\jusched.exe
      C:\windows\system\hpsysdrv.exe
      C:\WINDOWS\system32\hphmon06.exe
      C:\Programfiler\iTunes\iTunesHelper.exe
      C:\WINDOWS\system32\ps2.exe
      C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
      C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe
      C:\Programfiler\Saitek\Software\Profiler.exe
      C:\Programfiler\Saitek\Software\SaiSmart.exe
      C:\PROGRA~1\AVG\AVG8\avgtray.exe
      C:\WINDOWS\system32\devldr32.exe
      C:\Programfiler\iPod\bin\iPodService.exe
      C:\WINDOWS\system32\av_md.exe
      C:\Programfiler\Messenger\msmsgs.exe
      C:\WINDOWS\system32\config\systemprofile\av_md.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe
      C:\Programfiler\WinZip\WZQKPICK.EXE
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Programfiler\DesktopEarth\DesktopEarth.exe
      C:\Programfiler\Internet Explorer\IEXPLORE.EXE
      C:\Programfiler\Windows Live\Toolbar\wltuser.exe
      C:\Programfiler\Trend Micro\HijackThis\Sniper.exe.exe
      C:\WINDOWS\system32\wbem\wmiprvse.exe
      C:\Programfiler\AVG\AVG8\avgcsrvx.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NB_NO&c=Q105&bd=pavilion&pf=desktop
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NB_NO&c=Q105&bd=pavilion&pf=desktop
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NB_NO&c=Q105&bd=pavilion&pf=desktop
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NB_NO&c=Q105&bd=pavilion&pf=desktop
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NB_NO&c=Q105&bd=pavilion&pf=desktop
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NB_NO&c=Q105&bd=pavilion&pf=desktop
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
      R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
      R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Programfiler\AVG\AVG8\Toolbar\IEToolbar.dll
      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
      O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
      O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programfiler\AVG\AVG8\avgssie.dll
      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
      O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Programfiler\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
      O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
      O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Programfiler\AVG\AVG8\Toolbar\IEToolbar.dll
      O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programfiler\Java\jre6\bin\jp2ssv.dll
      O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Programfiler\Windows Live\Toolbar\wltcore.dll
      O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programfiler\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
      O3 - Toolbar: HP-visning - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Programfiler\HP\Digital Imaging\bin\HPDTLK02.dll
      O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Programfiler\AVG\AVG8\Toolbar\IEToolbar.dll
      O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programfiler\Windows Live\Toolbar\wltcore.dll
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre6\bin\jusched.exe"
      O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
      O4 - HKLM\..\Run: [HPHUPD06] c:\Programfiler\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
      O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
      O4 - HKLM\..\Run: [iTunesHelper] C:\Programfiler\iTunes\iTunesHelper.exe
      O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
      O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
      O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
      O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
      O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
      O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
      O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe"  -osboot
      O4 - HKLM\..\Run: [Profiler] C:\Programfiler\Saitek\Software\Profiler.exe
      O4 - HKLM\..\Run: [SaiSmart] C:\Programfiler\Saitek\Software\SaiSmart.exe
      O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
      O4 - HKLM\..\Run: [sysgif32] C:\WINDOWS\TEMP\~TM10.tmp
      O4 - HKLM\..\Run: [av_md] C:\WINDOWS\system32\av_md.exe
      O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
      O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\Windows Live\Messenger\msnmsgr.exe" /background
      O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
      O4 - HKCU\..\Run: [EPSON Stylus Photo RX585 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICLE.EXE /FU "C:\WINDOWS\TEMP\E_S222.tmp" /EF "HKCU"
      O4 - HKCU\..\Run: [DAEMON Tools Lite] C:\Programfiler\DAEMON Tools Lite\daemon.exe -autorun
      O4 - HKCU\..\Run: [av_md] C:\Documents and Settings\HP_Eier\av_md.exe
      O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
      O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
      O4 - Startup: DesktopEarth AutoStart.lnk = ?
      O4 - Startup: siszyd32.exe
      O4 - Global Startup: CodeMeter Control Center.lnk = C:\Programfiler\CodeMeter\Runtime\bin\CodeMeterCC.exe
      O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe
      O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programfiler\WinZip\WZQKPICK.EXE
      O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
      O8 - Extra context menu item: Open in new background tab - res://C:\Programfiler\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/229?db7fb6bca09c413ea8f65a39ed34d332
      O8 - Extra context menu item: Open in new foreground tab - res://C:\Programfiler\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/230?db7fb6bca09c413ea8f65a39ed34d332
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
      O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196693014196
      O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programfiler\AVG\AVG8\avgpp.dll
      O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
      O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
      O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
      O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
      O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
      O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
      O23 - Service: Google Update Service (gupdate1c9b16eefa1d850) (gupdate1c9b16eefa1d850) - Google Inc. - C:\Programfiler\Google\Update\GoogleUpdate.exe
      O23 - Service: iPod-tjeneste (iPodService) - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe
      O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programfiler\Java\jre6\bin\jqs.exe
      O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe

      --
      End of file - 9998 bytes


      Problems are getting worse now, it seems. The computer froze after the last threat warning and had to be rebooted. Now the Firefox shortcuts don't work; it seems the Firefox.exe file has disappeared.
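The O4 entries in the log above are where most of this machine's persistence shows up: av_md registered under both the HKLM and HKCU Run keys with different paths, sysgif32 pointing at a .tmp file in TEMP, and a bare siszyd32.exe in the Startup folder. As an added example that is not part of the thread and not HijackThis's own code, the following Python script runs a triage pass over O4 lines in that format; the heuristics, the sample lines and the function names are constructed for this illustration and only rank entries for a human to check.

```python
"""Triage HijackThis O4 (autorun) entries with simple path heuristics.

Added example for this thread; the heuristics are constructed for illustration
and only rank entries for a human to check, they do not prove anything malicious.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# HijackThis 2.0.2 writes O4 lines in these shapes (see the log above):
#   O4 - HKLM\..\Run: [ValueName] C:\path\app.exe args
#   O4 - Startup: file.exe                       (per-user Startup folder)
#   O4 - Global Startup: Name.lnk = C:\path\app.exe
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<target>.*)$")
EXE_EXT = r"\.(?:exe|tmp|bat|cmd|scr|com|pif)"
# An executable sitting directly in C:\Documents and Settings\<user>\
PROFILE_ROOT = re.compile(r"^c:\\documents and settings\\[^\\]+\\[^\\]+$", re.I)

# Constructed sample: a handful of O4 lines in the format of the thread's log
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [sysgif32] C:\WINDOWS\TEMP\~TM10.tmp
O4 - HKLM\..\Run: [av_md] C:\WINDOWS\system32\av_md.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo RX585 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICLE.EXE /FU "C:\WINDOWS\TEMP\E_S222.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [av_md] C:\Documents and Settings\HP_Eier\av_md.exe
O4 - Startup: DesktopEarth AutoStart.lnk = ?
O4 - Startup: siszyd32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programfiler\WinZip\WZQKPICK.EXE
"""


@dataclass
class Finding:
    name: str      # Run value name, or "" for Startup-folder items
    target: str    # executable path as recorded in the log
    reason: str


def target_path(target: str) -> str:
    """Return only the executable path, dropping quotes, arguments and .lnk names."""
    t = target.strip()
    if t.startswith('"'):                       # "C:\with spaces\app.exe" /arg
        end = t.find('"', 1)
        return t[1:end] if end > 0 else t[1:]
    if " = " in t:                              # Name.lnk = C:\target.exe
        t = t.split(" = ", 1)[1].strip()
    # Unquoted path with spaces: cut at the first executable-looking extension so
    # that arguments such as /FU "C:\WINDOWS\TEMP\x.tmp" are not taken for the target.
    m = re.match(r"^(.*?" + EXE_EXT + r")(?:\s|$)", t, re.I)
    return m.group(1) if m else t


def triage_o4(lines):
    """Return a Finding for each O4 entry that matches a suspicious pattern."""
    findings = []
    run_targets = defaultdict(set)              # value name -> set of targets
    for raw in lines:
        m = O4_RE.match(raw.strip())
        if not m:
            continue
        hive, name = m.group("hive"), m.group("name") or ""
        exe = target_path(m.group("target"))
        low = exe.lower()
        reasons = []
        if "\\temp\\" in low or "\\tmp\\" in low:
            reasons.append("autorun target lives in a temp directory")
        if low.endswith(".tmp"):
            reasons.append("executable disguised with a .tmp extension")
        if PROFILE_ROOT.match(exe):
            reasons.append("executable dropped directly in a user profile root")
        if hive == "Startup" and "\\" not in exe and re.search(EXE_EXT + "$", low):
            reasons.append("bare executable name in the Startup folder")
        if "run" in hive.lower() and low.endswith("\\regedit.exe"):
            reasons.append("Run value launches regedit.exe at every logon")
        if reasons:
            findings.append(Finding(name, exe, "; ".join(reasons)))
        if name and "run" in hive.lower():
            run_targets[name.lower()].add(low)
    # One value name registered in several hives with different targets is a
    # typical dropper pattern (a per-machine and a per-user copy of the same file).
    for name, targets in run_targets.items():
        if len(targets) > 1:
            findings.append(Finding(name, " | ".join(sorted(targets)),
                                    "same Run value name points at different files"))
    return findings


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_LOG.splitlines()):
        print(f"[{f.name or '-'}] {f.target}\n    {f.reason}")
```

Legitimate entries such as the EPSON spooler line (whose arguments mention TEMP but whose executable does not live there) and the .lnk Startup items pass through unflagged.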

      evilfantasy (Malware Removal Specialist, Moderator)
      Re: Atapi.sys infected - Trojan Horse Packed.Protector.C
      « Reply #3 on: December 09, 2009, 09:12:03 AM »
      Hello Andrimner.

      You still have a lot of malware on this computer. Let's start with this.

      If you already have ComboFix be sure to delete it and download a new copy.

      Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

      Link #1
      Link #2

      **Note: It is important that it is saved directly to your Desktop.

      Close any open web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

      Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
       
      Double-click combofix.exe and follow the prompts.
      Vista users: right-click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt; please allow it).
      When finished, ComboFix will produce a log for you.
      Post the ComboFix log in your next reply.

      Important: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

      Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

      If you have problems with ComboFix usage, see How to use ComboFix

        Andrimner (Topic Starter)

        Re: Atapi.sys infected - Trojan Horse Packed.Protector.C
        « Reply #4 on: December 09, 2009, 11:07:34 AM »
        OK, thanks. I ran ComboFix; it detected the atapi.sys infection and said it managed to restore it successfully. Here is the log (unfortunately it is in Norwegian; I hope the necessary parts can still be understood):


        ComboFix 09-12-08.07 - HP_Eier 09.12.2009  18:42:53.1.1 - x86
        Microsoft Windows XP Home Edition  5.1.2600.2.1252.47.1044.18.1022.622 [GMT 1:00]
        Kjører fra: c:\documents and settings\HP_Eier\Skrivebord\ComboFix.exe
        AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
        .

        (((((((((((((((((((((((((((((((((((((((   Andre slettinger   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        c:\documents and settings\HP_Eier\Mine dokumenter\Backup 26.08.reg
        c:\documents and settings\HP_Eier\oashdihasidhasuidhiasdhiashdiuasdhasd
        c:\documents and settings\HP_Eier\Start-meny\Programmer\Oppstart\siszyd32.exe
        c:\documents and settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd
        c:\recycler\S-1-5-21-2556594972-2907386874-4071176635-1007
        c:\recycler\S-1-5-21-3604367771-1522360832-4133542967-1007
        c:\recycler\S-1-5-21-46762705-2809939523-1879981336-1007
        c:\windows\system32\av_md.exe
        c:\windows\system32\config\systemprofile\av_md.exe
        c:\windows\system32\config\systemprofile\oashdihasidhasuidhiasdhiashdiuasdhasd
        c:\windows\system32\ps2.bat
        D:\Autorun.inf

        Infisert kopi av c:\windows\system32\Drivers\atapi.sys ble funnet og desinfisert
        Gjenopprettet kopi fra - c:\windows\system32\ReinstallBackups\0000\DriverFiles\i386\atapi.sys

        .
        (((((((((((((((((((((((((((   Filer Opprettet Fra 2009-11-09 til 2009-12-09  )))))))))))))))))))))))))))))))))
        .

        2009-12-09 15:51 . 2009-12-09 15:51   --------   d-----w-   c:\programfiler\Trend Micro
        2009-12-09 14:13 . 2009-12-09 14:12   411368   ----a-w-   c:\windows\system32\deploytk.dll
        2009-12-09 14:09 . 2009-12-09 14:09   152576   ----a-w-   c:\documents and settings\HP_Eier\Programdata\Sun\Java\jre1.6.0_17\lzma.dll
        2009-12-09 14:08 . 2009-12-09 14:08   79488   ----a-w-   c:\documents and settings\HP_Eier\Programdata\Sun\Java\jre1.6.0_17\gtapi.dll
        2009-12-08 23:57 . 2009-12-08 23:57   --------   d--h--r-   c:\documents and settings\HP_Eier\Siste
        2009-12-08 23:35 . 2009-12-08 23:35   117760   ----a-w-   c:\documents and settings\HP_Eier\Programdata\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
        2009-12-08 23:35 . 2009-12-08 23:35   --------   d-----w-   c:\documents and settings\All Users\Programdata\SUPERAntiSpyware.com
        2009-12-08 23:32 . 2009-12-08 23:34   --------   d-----w-   c:\programfiler\SUPERAntiSpyware
        2009-12-08 23:32 . 2009-12-08 23:32   --------   d-----w-   c:\documents and settings\HP_Eier\Programdata\SUPERAntiSpyware.com
        2009-12-08 22:05 . 2009-12-08 22:05   --------   d-----w-   c:\programfiler\CCleaner
        2009-12-07 10:23 . 2009-12-07 10:23   --------   d-----w-   c:\documents and settings\HP_Eier\Programdata\Malwarebytes
        2009-12-07 10:23 . 2009-12-03 15:14   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
        2009-12-07 10:23 . 2009-12-07 10:23   --------   d-----w-   c:\programfiler\Malwarebytes' Anti-Malware
        2009-12-07 10:23 . 2009-12-07 10:23   --------   d-----w-   c:\documents and settings\All Users\Programdata\Malwarebytes
        2009-12-07 10:23 . 2009-12-03 15:13   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
        2009-12-07 06:25 . 2009-12-08 15:06   --------   d-----w-   C:\My Shared Folder
        2009-12-04 15:16 . 2009-12-04 15:16   --------   d-----w-   c:\programfiler\Fellesfiler\DivX Shared
        2009-12-04 12:09 . 2009-12-04 14:36   --------   d-----w-   C:\Video og film
        2009-12-03 19:15 . 2009-12-06 17:21   --------   d-----w-   c:\documents and settings\HP_Eier\Lokale innstillinger\Programdata\Temp
        2009-12-03 14:12 . 2009-12-03 14:13   --------   d-----w-   c:\documents and settings\LocalService\Lokale innstillinger\Programdata\Temp

        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Rapport   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2009-12-09 17:26 . 2006-11-03 21:07   --------   d-----w-   c:\documents and settings\HP_Eier\Programdata\Azureus
        2009-12-09 15:42 . 2009-02-14 15:22   --------   d-----w-   c:\programfiler\DesktopEarth
        2009-12-09 14:59 . 2009-12-09 14:59   16   ----a-w-   c:\documents and settings\HP_Eier\Programdata\fvgqad.dat
        2009-12-09 14:11 . 2005-01-02 00:02   --------   d-----w-   c:\programfiler\Java
        2009-12-08 23:29 . 2006-03-04 11:05   --------   d-----w-   c:\programfiler\Fellesfiler\Wise Installation Wizard
        2009-12-07 11:59 . 2009-12-07 11:59   16   ----a-w-   c:\documents and settings\NetworkService\Programdata\fvgqad.dat
        2009-12-07 10:13 . 2009-04-25 13:41   --------   d-----w-   c:\documents and settings\All Users\Programdata\avg8
        2009-12-07 02:42 . 2009-12-07 02:42   4   ----a-w-   c:\documents and settings\HP_Eier\Programdata\avdrn.dat
        2009-12-04 15:17 . 2005-09-24 13:51   --------   d-----w-   c:\programfiler\DivX
        2009-12-04 11:40 . 2005-01-02 00:24   --------   d--h--w-   c:\programfiler\InstallShield Installation Information
        2009-12-04 11:26 . 2008-05-10 15:56   --------   d-----w-   c:\documents and settings\HP_Eier\Programdata\Orbit
        2009-12-03 17:42 . 2009-08-22 11:38   --------   d-----w-   c:\programfiler\Fellesfiler\AVSMedia
        2009-12-03 14:15 . 2004-11-29 20:10   61348   ----a-w-   c:\windows\system32\perfc014.dat
        2009-12-03 14:15 . 2004-11-29 20:10   386354   ----a-w-   c:\windows\system32\perfh014.dat
        2009-09-25 05:59 . 2004-08-04 12:00   661504   ----a-w-   c:\windows\system32\wininet.dll
        2009-09-25 05:59 . 2004-08-04 12:00   81920   ----a-w-   c:\windows\system32\ieencode.dll
        2009-09-20 13:59 . 2007-08-08 15:18   17616   ----a-w-   c:\documents and settings\HP_Eier\Lokale innstillinger\Programdata\GDIPFONTCACHEV1.DAT
        2009-09-11 14:37 . 2004-08-04 12:00   133632   ----a-w-   c:\windows\system32\msv1_0.dll
        2005-09-24 14:16 . 2005-09-24 14:16   4878136   ----a-w-   c:\programfiler\Firefox Setup 1.0.7.exe
        2005-09-24 13:51 . 2005-09-24 13:51   9346144   ----a-w-   c:\programfiler\DivXCreate.exe
        2005-09-24 13:35 . 2005-09-24 13:34   9341640   ----a-w-   c:\programfiler\Install_MSN_Messenger.EXE
        2005-04-13 22:11 . 2007-03-27 16:39   53283   ----a-w-   c:\programfiler\mozilla firefox\plugins\NCScnet.dll
        2005-04-13 22:33 . 2007-03-27 16:39   1044514   ----a-w-   c:\programfiler\mozilla firefox\plugins\NCSEcw.dll
        2005-04-13 22:11 . 2007-03-27 16:39   98339   ----a-w-   c:\programfiler\mozilla firefox\plugins\NCSUtil.dll
        .

        ((((((((((((((((((((((((((((((((   Oppstartspunkter I Registeret   )))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Merk* tomme oppføringer & gyldige standardoppføringer vises ikke 
        REGEDIT4

        [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
        "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\programfiler\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

        [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

        [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
        2009-09-02 10:58   1107200   ----a-w-   c:\programfiler\AVG\AVG8\Toolbar\IEToolbar.dll

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
        "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\programfiler\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

        [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

        [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
        "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\programfiler\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

        [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "MsnMsgr"="c:\programfiler\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
        "MSMSGS"="c:\programfiler\Messenger\msmsgs.exe" [2004-10-13 1694208]
        "DAEMON Tools Lite"="c:\programfiler\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "SunJavaUpdateSched"="c:\programfiler\Java\jre6\bin\jusched.exe" [2009-12-09 149280]
        "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
        "HPHUPD06"="c:\programfiler\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
        "HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
        "iTunesHelper"="c:\programfiler\iTunes\iTunesHelper.exe" [2004-10-13 278528]
        "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
        "PS2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]
        "ATIPTA"="c:\programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-04 344064]
        "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
        "LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
        "Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
        "TkBellExe"="c:\programfiler\Fellesfiler\Real\Update_OB\realsched.exe" [2008-10-25 185872]
        "Profiler"="c:\programfiler\Saitek\Software\Profiler.exe" [2004-07-26 159744]
        "SaiSmart"="c:\programfiler\Saitek\Software\SaiSmart.exe" [2004-07-26 98304]
        "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-03 2029336]

        c:\documents and settings\Spiller\Start-meny\Programmer\Oppstart\
        PowerReg Scheduler.exe [2009-1-9 256000]

        c:\documents and settings\HP_Eier\Start-meny\Programmer\Oppstart\
        DesktopEarth AutoStart.lnk - c:\documents and settings\HP_Eier\Programdata\Microsoft\Installer\{DBA5E973-660D-4CBE-A469-F5C37FBF0CE4}\_C1A9BF9D98647632ED5172.exe [2009-2-14 29926]

        c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\
        CodeMeter Control Center.lnk - c:\programfiler\CodeMeter\Runtime\bin\CodeMeterCC.exe [2007-3-23 4984832]
        HP Digital Imaging Monitor.lnk - c:\programfiler\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-5 258048]
        WinZip Quick Pick.lnk - c:\programfiler\WinZip\WZQKPICK.EXE [2007-8-3 394856]

        [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
        "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programfiler\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
        2009-09-03 13:21   548352   ----a-w-   c:\programfiler\SUPERAntiSpyware\SASWINLO.dll

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
        2009-08-15 09:06   11952   ----a-w-   c:\windows\system32\avgrsstx.dll

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
        "c:\\Programfiler\\iTunes\\iTunes.exe"=
        "c:\\Programfiler\\Azureus\\Azureus.exe"=
        "c:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=

        R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [03.03.2008 22:00 721904]
        R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [25.04.2009 14:42 335240]
        R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [25.04.2009 14:42 108552]
        R1 SASDIFSV;SASDIFSV;c:\programfiler\SUPERAntiSpyware\sasdifsv.sys [23.11.2009 08:43 9968]
        R1 SASKUTIL;SASKUTIL;c:\programfiler\SUPERAntiSpyware\SASKUTIL.SYS [23.11.2009 08:43 74480]
        R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [25.04.2009 14:42 908056]
        R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [25.04.2009 14:42 297752]
        S2 gupdate1c9b16eefa1d850;Google Update Service (gupdate1c9b16eefa1d850);c:\programfiler\Google\Update\GoogleUpdate.exe [30.03.2009 20:37 133104]
        S3 imhidusb;Immersion's HID USB Driver;c:\windows\system32\drivers\imhidusb.sys [06.01.2009 13:58 30984]
        S3 SaiH2541;SaiH2541;c:\windows\system32\drivers\SaiH2541.sys [01.05.2007 16:10 132232]
        S3 SaiHFFB5;SaiHFFB5;c:\windows\system32\drivers\SaiHFFB5.sys [06.01.2009 13:57 56576]
        S3 SASENUM;SASENUM;c:\programfiler\SUPERAntiSpyware\SASENUM.SYS [23.11.2009 08:43 7408]
        .
        ------- Supplementary Scan -------
        .
        uStart Page = hxxp://www.daemon-search.com/startpage
        uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NB_NO&c=Q105&bd=pavilion&pf=desktop
        mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NB_NO&c=Q105&bd=pavilion&pf=desktop
        IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
        IE: Open in new background tab - c:\programfiler\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/229?db7fb6bca09c413ea8f65a39ed34d332
        IE: Open in new foreground tab - c:\programfiler\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/230?db7fb6bca09c413ea8f65a39ed34d332
        .
        - - - - ORPHANS REMOVED - - - -

        AddRemove-Close Combat IV - c:\windows\IsUninst.exe -fc:\programfiler\Close Combat IV\Uninst.isu
        AddRemove-HijackThis - c:\programfiler\Trend Micro\HijackThis\HijackThis.exe



        **************************************************************************

        catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2009-12-09 18:55
        Windows 5.1.2600 Service Pack 2 NTFS

        scanning hidden processes ... 

        scanning hidden autostart entries ...

        scanning hidden files ... 

        scan completed successfully
        hidden files: 0

        **************************************************************************

        Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

        device: opened successfully
        user: MBR read successfully
        called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys sfsync02.sys hal.dll >>UNKNOWN [0x8656E1F8]<<
        kernel: MBR read successfully
        detected MBR rootkit hooks:
        \Driver\Disk -> CLASSPNP.SYS @ 0xf7674fc3
        \Driver\ACPI -> ACPI.sys @ 0xf73cecb8
        \Driver\atapi -> sfsync02.sys @ 0xf78a0d60
        IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x80576ce0
         SecurityProcedure -> ntkrnlpa.exe @ 0x80578264
        \Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x80576ce0
         SecurityProcedure -> ntkrnlpa.exe @ 0x80578264
        NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf7293bc3
         PacketIndicateHandler -> NDIS.sys @ 0xf729fb21
         SendHandler -> NDIS.sys @ 0xf7293d33
        user & kernel MBR OK

        **************************************************************************
        .
        --------------------- LOCKED REGISTRY KEYS ---------------------

        [HKEY_USERS\S-1-5-21-2708978570-3192926764-780308440-1007\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
        "??"=hex:7f,c7,c7,f5,13,05,cb,ea,7f,63,78,da,c6,44,db,80,13,6a,61,40,0f,df,61,
           0b,75,f6,1b,e5,47,3f,af,53,fc,dd,5c,e0,1d,ee,d0,9f,cc,6c,6a,e5,8a,3d,92,7f,\
        "??"=hex:9d,69,f2,3c,9c,f5,ef,9a,be,14,41,e0,7e,6a,c5,06

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{55F992BA-1D26-E5AF-0907C8AEF5A56624}\{F1333513-8015-AAF3-FD42BD84CFB0024A}\{F02E7673-B596-886F-5D7515D1DE7A7F98}*]
        "G2ODBCSUISDKL2GJMZO1MJ5AUG1"=hex:01,00,01,00,00,00,00,00,9d,07,c2,9d,25,58,3c,
           a7,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{866E5309-4DE4-EC1D-5303B5015403F078}\{E4D7DA31-B59C-2F42-84703E9617E7637D}\{F8D6A80B-EA06-4220-85CE61582D500BD8}*]
        "L5OTYL4OSK54QTZWOGJWMONWTG1"=hex:01,00,01,00,00,00,00,00,4f,1a,34,b6,a9,51,c3,
           92,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{91EC4B89-4AF2-1685-8B077627C8A43419}\{2EE609D8-52A7-5ABD-6D921F70AFC106D5}\{F0CB3253-4F19-C88D-A2C81B3BBC751916}*]
        "PK3IM51V2WPW5YOPIRJ365XEIG1"=hex:01,00,01,00,00,00,00,00,c3,a2,73,89,0b,39,ad,
           69,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{92E364B2-3C99-8131-FA38C55A9DF469B6}\{ED083C7B-BB22-E038-94448FA9BD51D19E}\{5592BF6F-6CA4-ED79-1454C42B0B348E21}*]
        "{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,1d,0b,78,
           dd,02,85,a5,85,f2,b9,06,f7,25,56,f6,d2,a3,91,db,fa,9b,3c,b7,a0,8f,48,60,e9,\

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A76448FF-EA59-23D3-98F3B9C94A7EC293}\{51B7BFF3-30C4-3859-72DBC6993BF1721D}\{60FC5D85-3D13-ED0E-8811CBE6817E353D}*]
        "L5OTYL4OSK54QTZWOGJWMONWTG1"=hex:01,00,01,00,00,00,00,00,4f,1a,34,b6,a9,51,c3,
           92,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AD212F18-226F-19C5-6836DC0F322A8CD1}\{165CDB28-57BC-2FFB-C17032E84F1598CE}\{1D773DA2-1E07-1A59-CFCCE9D8E9744932}*]
        "PK3IM51V2WPW5YOPIRJ365XEIG1"=hex:01,00,01,00,00,00,00,00,c3,a2,73,89,0b,39,ad,
           69,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C53C8AFE-780B-A095-1875A9D39C824CF2}\{151E6624-94D7-6041-A2A26FFA6BDDEF0C}\{8D08884B-CD31-5FF0-CA8CAC497363EFC4}*]
        "{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,1d,0b,78,
           dd,02,85,a5,85,f2,b9,06,f7,25,56,f6,d2,a3,91,db,fa,9b,3c,b7,a0,8f,48,60,e9,\

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F9E7FB8A-7FC0-F5C6-C2C005BCC6E52A75}\{38D64012-6403-EA81-41E60280EAB79558}\{8D4E630B-001F-4733-DF87B943421629E7}*]
        "G2ODBCSUISDKL2GJMZO1MJ5AUG1"=hex:01,00,01,00,00,00,00,00,9d,07,c2,9d,25,58,3c,
           a7,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
        .
        --------------------- DLLs Loaded By Running Processes ---------------------

        - - - - - - - > 'winlogon.exe'(584)
        c:\programfiler\SUPERAntiSpyware\SASWINLO.dll
        c:\windows\system32\Ati2evxx.dll

        - - - - - - - > 'explorer.exe'(1940)
        c:\windows\system32\WPDShServiceObj.dll
        c:\windows\system32\PortableDeviceTypes.dll
        c:\windows\system32\PortableDeviceApi.dll
        .
        ------------------------ Other Running Processes ------------------------
        .
        c:\windows\system32\Ati2evxx.exe
        c:\windows\system32\Ati2evxx.exe
        c:\programfiler\Java\jre6\bin\jqs.exe
        c:\programfiler\Fellesfiler\LightScribe\LSSrvc.exe
        c:\programfiler\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
        c:\progra~1\AVG\AVG8\avgrsx.exe
        c:\progra~1\AVG\AVG8\avgnsx.exe
        c:\programfiler\AVG\AVG8\avgcsrvx.exe
        c:\windows\system32\wscntfy.exe
        c:\windows\system32\wbem\wmiapsrv.exe
        c:\windows\system32\devldr32.exe
        c:\programfiler\iPod\bin\iPodService.exe
        c:\programfiler\DesktopEarth\DesktopEarth.exe
        .
        **************************************************************************
        .
        Completion time: 2009-12-09  19:01:38 - machine was rebooted
        ComboFix-quarantined-files.txt  2009-12-09 18:01

        Pre-Run: 77 868 072 960 bytes free
        Post-Run: 81 330 630 656 bytes free

        - - End Of File - - 44EFA18A48A87E1A1D439A92870031BC
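The Gmer section of the ComboFix log above reports "user & kernel MBR OK" but still lists a set of dispatch hooks, one of which routes `\Driver\atapi` into `sfsync02.sys`, a third-party driver rather than atapi.sys itself. Most of the listed hooks are normal (the kernel owning object-type procedures, NDIS owning NIC handlers, disk.sys dispatching through CLASSPNP.SYS), so the practical question is which lines deserve a second look. The following parser is an added example, not code from the thread or from Gmer/ComboFix: it reads that block, attaches the indented continuation lines to their parent object, and flags any hook whose target image is not the one a clean system would report. The baseline of "expected" images (a `\Driver\<name>` object should dispatch into `<name>.sys`, disk.sys may live in CLASSPNP.SYS, everything else belongs to the kernel or NDIS) is an assumption of this example, and a flagged line is a candidate for review, not a verdict: the log alone cannot say whether sfsync02.sys is benign or part of the infection.

```python
"""Parse Gmer's 'detected MBR rootkit hooks' block and flag hooks whose target
image is not the one expected for the hooked object.  Added example for this
thread, not part of ComboFix or Gmer; the expected-image table is an assumption."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the Gmer lines from the log above, copied verbatim.
SAMPLE_LOG = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys sfsync02.sys hal.dll >>UNKNOWN [0x8656E1F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7674fc3
\Driver\ACPI -> ACPI.sys @ 0xf73cecb8
\Driver\atapi -> sfsync02.sys @ 0xf78a0d60
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x80576ce0
 SecurityProcedure -> ntkrnlpa.exe @ 0x80578264
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x80576ce0
 SecurityProcedure -> ntkrnlpa.exe @ 0x80578264
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf7293bc3
 PacketIndicateHandler -> NDIS.sys @ 0xf729fb21
 SendHandler -> NDIS.sys @ 0xf7293d33
user & kernel MBR OK
"""

HOOK_RE = re.compile(r"^(?P<lhs>.+?) -> (?P<module>\S+) @ (?P<addr>0x[0-9A-Fa-f]+)\s*$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
KERNEL_IMAGES = {"ntoskrnl.exe", "ntkrnlpa.exe", "ntkrnlmp.exe", "ntkrpamp.exe"}
# Assumption for this example: disk.sys is a class driver whose dispatch
# routines legitimately live in CLASSPNP.SYS, so that pairing is not flagged.
CLASS_DRIVER_HOSTS = {"disk": {"classpnp.sys"}}


@dataclass(frozen=True)
class Hook:
    obj: str      # hooked object, e.g. \Driver\atapi or \Device\Harddisk0\DR0
    entry: str    # routine within the object ("" for a plain driver dispatch hook)
    module: str   # image that now owns the code, as Gmer reports it
    address: int


def parse_hooks(text: str) -> List[Hook]:
    """Return every hook listed under 'detected MBR rootkit hooks:'.
    Indented lines are continuations that belong to the preceding object."""
    hooks, in_section, current_obj = [], False, ""
    for raw in text.splitlines():
        if not in_section:
            in_section = raw.strip().lower() == "detected mbr rootkit hooks:"
            continue
        if not raw.strip():
            break
        m = HOOK_RE.match(raw.strip())
        if m is None:
            break                       # e.g. "user & kernel MBR OK" ends the list
        parts = m.group("lhs").split(" -> ")
        if raw.startswith(" "):         # continuation: only the routine name is given
            obj, entry = current_obj, parts[-1]
        else:
            obj, entry = parts[0], (parts[1] if len(parts) > 1 else "")
            current_obj = obj
        hooks.append(Hook(obj, entry, m.group("module"), int(m.group("addr"), 16)))
    return hooks


def expected_modules(obj: str) -> set:
    """Images a clean system would report for this object (assumed baseline)."""
    low = obj.lower()
    if low.startswith("\\driver\\"):
        name = low.rsplit("\\", 1)[1]
        return {name + ".sys"} | CLASS_DRIVER_HOSTS.get(name, set())
    if low.startswith("ndis:"):
        return {"ndis.sys"}
    return set(KERNEL_IMAGES)   # object-type and device-object procedures are the kernel's


def suspicious_hooks(hooks: List[Hook]) -> List[Hook]:
    return [h for h in hooks if h.module.lower() not in expected_modules(h.obj)]


def unknown_modules(text: str) -> List[str]:
    """Addresses of unnamed modules Gmer saw in the disk I/O call chain."""
    return UNKNOWN_RE.findall(text)


def analyze(text: str) -> Dict[str, list]:
    hooks = parse_hooks(text)
    return {"hooks": hooks,
            "suspicious": suspicious_hooks(hooks),
            "unknown_modules": unknown_modules(text)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for h in report["suspicious"]:
        print(f"review: {h.obj} {h.entry or 'dispatch'} -> {h.module} @ {h.address:#x}")
    for addr in report["unknown_modules"]:
        print(f"review: unnamed module in the disk I/O path at {addr}")
```

Run against the sample, the script reports exactly two items: the atapi dispatch owned by sfsync02.sys and the unnamed module at 0x8656E1F8 from the "called modules" line. Both are exactly the kind of entry a helper would ask about before declaring the machine clean; neither is proof of infection on its own.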

        Andrimner


          Re: Atapi.sys infected - Trojan Horse Packed.Protector.C
          « Reply #5 on: December 09, 2009, 11:11:59 AM »
          Infisert kopi av c:\windows\system32\Drivers\atapi.sys ble funnet og desinfisert
          Gjenopprettet kopi fra - c:\windows\system32\ReinstallBackups\0000\DriverFiles\i386\atapi.sys

          Translates to:

          Infected copy of c:\windows\system32\Drivers\atapi.sys was found and disinfected
          Restored copy from - c:\windows\system32\ReinstallBackups\0000\DriverFiles\i386\atapi.sys

          Does this mean the malware is now all gone...?
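ComboFix reported that it found an infected atapi.sys and put back the copy from `ReinstallBackups`. Before treating that as the end of the matter, a practitioner would confirm that the live driver now matches the other copies Windows XP keeps (the Windows File Protection cache in `system32\dllcache` and, on this HP image, the `ReinstallBackups` tree the log names), since a patched driver keeps its original size and name and so looks normal in a file listing. The script below is an added example, not something from the thread or from ComboFix: it hashes each copy, picks a baseline (a known-good digest if you have one from install media, otherwise the majority digest) and reports outliers and missing copies. The `ATAPI_COPIES` paths and the `demo()` files are assumptions and constructed data for illustration.

```python
"""Cross-check the copies of a driver after a disinfect/restore step by hashing
each one and reporting which disagree.  Added example for this thread, not part
of ComboFix; the copy locations are assumptions and vary between OEM images."""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional

WINDIR = os.environ.get("SystemRoot", r"C:\WINDOWS")
# Copies of atapi.sys that should be byte-identical on a clean XP install.
# The ReinstallBackups path is the one ComboFix named in its log; the dllcache
# location is the Windows File Protection cache.  Both are assumptions here.
ATAPI_COPIES = [
    os.path.join(WINDIR, "system32", "drivers", "atapi.sys"),
    os.path.join(WINDIR, "system32", "dllcache", "atapi.sys"),
    os.path.join(WINDIR, "system32", "ReinstallBackups", "0000", "DriverFiles", "i386", "atapi.sys"),
]


def sha256_of(path: str) -> Optional[str]:
    """Digest of a file, or None if it is absent or unreadable."""
    try:
        with open(path, "rb") as f:
            return hashlib.sha256(f.read()).hexdigest()
    except OSError:
        return None


def compare_copies(paths: List[str], reference_hash: Optional[str] = None) -> Dict:
    """Hash every copy and report which ones disagree with the baseline.
    A known-good digest (install media, vendor catalog) is the best baseline;
    without one the most common digest is used, which is only meaningful when
    a strict majority of the copies is untouched."""
    hashes = {p: sha256_of(p) for p in paths}
    present = {p: h for p, h in hashes.items() if h is not None}
    ambiguous = False
    if reference_hash is None and present:
        counts: Dict[str, int] = {}
        for h in present.values():
            counts[h] = counts.get(h, 0) + 1
        reference_hash = max(counts, key=counts.get)
        ambiguous = counts[reference_hash] * 2 <= len(present)   # no strict majority
    outliers = sorted(p for p, h in present.items() if h != reference_hash)
    return {
        "reference": reference_hash,
        "hashes": hashes,
        "missing": sorted(p for p, h in hashes.items() if h is None),
        "outliers": outliers,
        "ambiguous": ambiguous,
        "consistent": bool(present) and len(present) >= 2 and not outliers and not ambiguous,
    }


def demo(tampered: bool = True) -> Dict:
    """Run the check on constructed files: two backup copies and a live copy
    that is optionally patched in place (same length, different bytes), which
    is how an in-place modification of a driver looks in a directory listing."""
    good = bytes(range(256)) * 8           # constructed stand-in for the driver image
    live = bytearray(good)
    if tampered:
        live[1024:1040] = b"\xcc" * 16     # same size, different content
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name, data in (("live_atapi.sys", bytes(live)),
                           ("dllcache_atapi.sys", good),
                           ("backup_atapi.sys", good)):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            paths.append(p)
        return compare_copies(paths)


if __name__ == "__main__":
    # On the affected machine this hashes the real copies; elsewhere they are "missing".
    print(compare_copies(ATAPI_COPIES))
    print(demo())
```

A matching set of hashes says the restore left the three copies identical; it does not say they are Microsoft's bytes, because two of the three could have been modified together. XP system drivers are signed through catalog files rather than an embedded signature, so the stronger follow-up is to verify the live file against a known-good digest or with a tool that checks catalog signatures (Sysinternals sigcheck does this), not to rely on size and date alone.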

          evilfantasy

          • Malware Removal Specialist
          • Moderator


          • Genius
          • Calm like a bomb
          • Thanked: 493
          • Experience: Experienced
          • OS: Windows 11
          Re: Atapi.sys infected - Trojan Horse Packed.Protector.C
          « Reply #6 on: December 09, 2009, 01:29:06 PM »
          Infisert kopi av c:\windows\system32\Drivers\atapi.sys ble funnet og desinfisert
          Gjenopprettet kopi fra - c:\windows\system32\ReinstallBackups\0000\DriverFiles\i386\atapi.sys

          Translates to:

          Infected copy of c:\windows\system32\Drivers\atapi.sys was found and disinfected
          Restored copy from - c:\windows\system32\ReinstallBackups\0000\DriverFiles\i386\atapi.sys

          Thank you. :)

          Does this mean the malware is now all gone...?

          The worst part is gone but there is still more to do.

          Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

          Do not confuse Windows Messenger with MSN Messenger or Windows Live Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

          Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

          Exit out of MessengerDisable then delete the two files that were put on the desktop.

          ----------

          Download DeFogger by jpshortstuff and save it to your desktop.
           
          * Double click DeFogger.exe to run the tool.
          * The application window will appear.
          * Click the Disable button to disable your CD Emulation drivers
          * Click Yes to continue.
          * A 'Finished!' message will appear.
          * Click OK.
          * DeFogger will now ask to reboot the machine...click OK.
           
           IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
           
           Do not re-enable these drivers until otherwise instructed.

          ----------

          1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
          It must be Notepad, not Wordpad.
          2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

          Code:
          KillAll::

          Registry::
          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "AlcxMonitor"=-

          RegLock::
          [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{55F992BA-1D26-E5AF-0907C8AEF5A56624}\{F1333513-8015-AAF3-FD42BD84CFB0024A}\{F02E7673-B596-886F-5D7515D1DE7A7F98}*]
          "G2ODBCSUISDKL2GJMZO1MJ5AUG1"=hex:01,00,01,00,00,00,00,00,9d,07,c2,9d,25,58,3c,
             a7,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

          [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{866E5309-4DE4-EC1D-5303B5015403F078}\{E4D7DA31-B59C-2F42-84703E9617E7637D}\{F8D6A80B-EA06-4220-85CE61582D500BD8}*]
          "L5OTYL4OSK54QTZWOGJWMONWTG1"=hex:01,00,01,00,00,00,00,00,4f,1a,34,b6,a9,51,c3,
             92,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

          [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{91EC4B89-4AF2-1685-8B077627C8A43419}\{2EE609D8-52A7-5ABD-6D921F70AFC106D5}\{F0CB3253-4F19-C88D-A2C81B3BBC751916}*]
          "PK3IM51V2WPW5YOPIRJ365XEIG1"=hex:01,00,01,00,00,00,00,00,c3,a2,73,89,0b,39,ad,
             69,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

          [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{92E364B2-3C99-8131-FA38C55A9DF469B6}\{ED083C7B-BB22-E038-94448FA9BD51D19E}\{5592BF6F-6CA4-ED79-1454C42B0B348E21}*]
          "{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,1d,0b,78,
             dd,02,85,a5,85,f2,b9,06,f7,25,56,f6,d2,a3,91,db,fa,9b,3c,b7,a0,8f,48,60,e9,\

          [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A76448FF-EA59-23D3-98F3B9C94A7EC293}\{51B7BFF3-30C4-3859-72DBC6993BF1721D}\{60FC5D85-3D13-ED0E-8811CBE6817E353D}*]
          "L5OTYL4OSK54QTZWOGJWMONWTG1"=hex:01,00,01,00,00,00,00,00,4f,1a,34,b6,a9,51,c3,
             92,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

          [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AD212F18-226F-19C5-6836DC0F322A8CD1}\{165CDB28-57BC-2FFB-C17032E84F1598CE}\{1D773DA2-1E07-1A59-CFCCE9D8E9744932}*]
          "PK3IM51V2WPW5YOPIRJ365XEIG1"=hex:01,00,01,00,00,00,00,00,c3,a2,73,89,0b,39,ad,
             69,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

          [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C53C8AFE-780B-A095-1875A9D39C824CF2}\{151E6624-94D7-6041-A2A26FFA6BDDEF0C}\{8D08884B-CD31-5FF0-CA8CAC497363EFC4}*]
          "{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,1d,0b,78,
             dd,02,85,a5,85,f2,b9,06,f7,25,56,f6,d2,a3,91,db,fa,9b,3c,b7,a0,8f,48,60,e9,\

          [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F9E7FB8A-7FC0-F5C6-C2C005BCC6E52A75}\{38D64012-6403-EA81-41E60280EAB79558}\{8D4E630B-001F-4733-DF87B943421629E7}*]
          "G2ODBCSUISDKL2GJMZO1MJ5AUG1"=hex:01,00,01,00,00,00,00,00,9d,07,c2,9d,25,58,3c,
             a7,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

          3. Go to the Notepad window and click Edit > Paste
          4. Then click File > Save
          5. Name the file CFScript.txt - Save the file to your Desktop
          6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



          ComboFix will begin to execute, just follow the prompts.
          After reboot (in case it asks to reboot), it will produce a log for you.
          Post that log (Combofix.txt) in your next reply.

          Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

          ----------

          Download DDS from |HERE| or |HERE| or |HERE| and save it to your desktop.

          Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

          * XP users Double click on dds to run it.
          * If your antivirus or firewall try to block DDS then please allow it to run.
          * When finished DDS will open two (2) logs.

          1) DDS.txt
          2) Attach.txt

          * Save both logs to your desktop.
          * Please copy and paste the entire contents of both logs in your next reply.

          Note: DDS will instruct you to post the Attach.txt log as an attachment.
          Please just post it as you would any other log by copy and pasting it into the reply.

          ----------

          Next post please add:

          - New ComboFix log
          - Both DDS logs


          You might need two posts to get all of the logs posted.

          Andrimner

            Topic Starter


            Rookie

            Re: Atapi.sys infected - Trojan Horse Packed.Protector.C
            « Reply #7 on: December 09, 2009, 02:55:04 PM »
            Ok, I uninstalled messenger(although I forgot about deleting the two files), ran DeFogger and then Combofix. Combofix produced a blue window which now says:

            "Scanning for infected files
            This will usually not take more than 10 minutes
            Scanning time may easily double on very infected computers"

            It then completes level 1, level 2 and level 3. Then it stops. I tried to run it again, but the same result, and the window has now been inactive for 20 minutes. It is completely inactive after level 3 is complete, although it is not frozen. (I can still close it)

            evilfantasy

            • Malware Removal Specialist
            • Moderator


            • Genius
            • Calm like a bomb
            • Thanked: 493
            • Experience: Experienced
            • OS: Windows 11
            Re: Atapi.sys infected - Trojan Horse Packed.Protector.C
            « Reply #8 on: December 09, 2009, 02:57:46 PM »
            Try this.

            Stop ComboFix and create a new script.

            1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
            It must be Notepad, not Wordpad.
            2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

            Code:
            KillAll::

            SkipFix::

            Registry::
            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "AlcxMonitor"=-

            RegLock::
            [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{55F992BA-1D26-E5AF-0907C8AEF5A56624}\{F1333513-8015-AAF3-FD42BD84CFB0024A}\{F02E7673-B596-886F-5D7515D1DE7A7F98}*]
            "G2ODBCSUISDKL2GJMZO1MJ5AUG1"=hex:01,00,01,00,00,00,00,00,9d,07,c2,9d,25,58,3c,
               a7,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

            [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{866E5309-4DE4-EC1D-5303B5015403F078}\{E4D7DA31-B59C-2F42-84703E9617E7637D}\{F8D6A80B-EA06-4220-85CE61582D500BD8}*]
            "L5OTYL4OSK54QTZWOGJWMONWTG1"=hex:01,00,01,00,00,00,00,00,4f,1a,34,b6,a9,51,c3,
               92,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

            [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{91EC4B89-4AF2-1685-8B077627C8A43419}\{2EE609D8-52A7-5ABD-6D921F70AFC106D5}\{F0CB3253-4F19-C88D-A2C81B3BBC751916}*]
            "PK3IM51V2WPW5YOPIRJ365XEIG1"=hex:01,00,01,00,00,00,00,00,c3,a2,73,89,0b,39,ad,
               69,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

            [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{92E364B2-3C99-8131-FA38C55A9DF469B6}\{ED083C7B-BB22-E038-94448FA9BD51D19E}\{5592BF6F-6CA4-ED79-1454C42B0B348E21}*]
            "{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,1d,0b,78,
               dd,02,85,a5,85,f2,b9,06,f7,25,56,f6,d2,a3,91,db,fa,9b,3c,b7,a0,8f,48,60,e9,\

            [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A76448FF-EA59-23D3-98F3B9C94A7EC293}\{51B7BFF3-30C4-3859-72DBC6993BF1721D}\{60FC5D85-3D13-ED0E-8811CBE6817E353D}*]
            "L5OTYL4OSK54QTZWOGJWMONWTG1"=hex:01,00,01,00,00,00,00,00,4f,1a,34,b6,a9,51,c3,
               92,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

            [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AD212F18-226F-19C5-6836DC0F322A8CD1}\{165CDB28-57BC-2FFB-C17032E84F1598CE}\{1D773DA2-1E07-1A59-CFCCE9D8E9744932}*]
            "PK3IM51V2WPW5YOPIRJ365XEIG1"=hex:01,00,01,00,00,00,00,00,c3,a2,73,89,0b,39,ad,
               69,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

            [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C53C8AFE-780B-A095-1875A9D39C824CF2}\{151E6624-94D7-6041-A2A26FFA6BDDEF0C}\{8D08884B-CD31-5FF0-CA8CAC497363EFC4}*]
            "{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,1d,0b,78,
               dd,02,85,a5,85,f2,b9,06,f7,25,56,f6,d2,a3,91,db,fa,9b,3c,b7,a0,8f,48,60,e9,\

            [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F9E7FB8A-7FC0-F5C6-C2C005BCC6E52A75}\{38D64012-6403-EA81-41E60280EAB79558}\{8D4E630B-001F-4733-DF87B943421629E7}*]
            "G2ODBCSUISDKL2GJMZO1MJ5AUG1"=hex:01,00,01,00,00,00,00,00,9d,07,c2,9d,25,58,3c,
               a7,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

            3. Go to the Notepad window and click Edit > Paste
            4. Then click File > Save
            5. Name the file CFScript.txt - Save the file to your Desktop
            6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



            ComboFix will begin to execute, just follow the prompts.
            After reboot (in case it asks to reboot), it will produce a log for you.
            Post that log (Combofix.txt) in your next reply.

            Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

            Andrimner

              Topic Starter


              Rookie

              Re: Atapi.sys infected - Trojan Horse Packed.Protector.C
              « Reply #9 on: December 09, 2009, 04:58:34 PM »
              Thank you, it worked fine now :)

              Here is the Combofix-log, let me know if there's anything I should translate:

              ComboFix 09-12-09.03 - HP_Eier 10.12.2009   0:46.4.1 - x86
              Microsoft Windows XP Home Edition  5.1.2600.2.1252.47.1044.18.1022.584 [GMT 1:00]
              Running from: c:\documents and settings\HP_Eier\Skrivebord\ComboFix.exe
              Command switches used :: c:\documents and settings\HP_Eier\Skrivebord\CFScript.txt
              AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
              .
              - REDUCED FUNCTIONALITY MODE -
              .

              (((((((((((((((((((((((((((   Files Created From 2009-11-09 to 2009-12-09  )))))))))))))))))))))))))))))))))
              .

              2009-12-09 19:12 . 2009-12-09 19:12   --------   d-----w-   c:\windows\system32\LogFiles
              2009-12-09 15:51 . 2009-12-09 15:51   --------   d-----w-   c:\programfiler\Trend Micro
              2009-12-09 14:13 . 2009-12-09 14:12   411368   ----a-w-   c:\windows\system32\deploytk.dll
              2009-12-09 14:09 . 2009-12-09 14:09   152576   ----a-w-   c:\documents and settings\HP_Eier\Programdata\Sun\Java\jre1.6.0_17\lzma.dll
              2009-12-09 14:08 . 2009-12-09 14:08   79488   ----a-w-   c:\documents and settings\HP_Eier\Programdata\Sun\Java\jre1.6.0_17\gtapi.dll
              2009-12-08 23:57 . 2009-12-09 23:44   --------   d--h--r-   c:\documents and settings\HP_Eier\Siste
              2009-12-08 23:35 . 2009-12-08 23:35   117760   ----a-w-   c:\documents and settings\HP_Eier\Programdata\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
              2009-12-08 23:35 . 2009-12-08 23:35   --------   d-----w-   c:\documents and settings\All Users\Programdata\SUPERAntiSpyware.com
              2009-12-08 23:32 . 2009-12-08 23:34   --------   d-----w-   c:\programfiler\SUPERAntiSpyware
              2009-12-08 23:32 . 2009-12-08 23:32   --------   d-----w-   c:\documents and settings\HP_Eier\Programdata\SUPERAntiSpyware.com
              2009-12-08 22:05 . 2009-12-08 22:05   --------   d-----w-   c:\programfiler\CCleaner
              2009-12-07 10:23 . 2009-12-07 10:23   --------   d-----w-   c:\documents and settings\HP_Eier\Programdata\Malwarebytes
              2009-12-07 10:23 . 2009-12-03 15:14   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
              2009-12-07 10:23 . 2009-12-07 10:23   --------   d-----w-   c:\programfiler\Malwarebytes' Anti-Malware
              2009-12-07 10:23 . 2009-12-07 10:23   --------   d-----w-   c:\documents and settings\All Users\Programdata\Malwarebytes
              2009-12-07 10:23 . 2009-12-03 15:13   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
              2009-12-07 06:25 . 2009-12-08 15:06   --------   d-----w-   C:\My Shared Folder
              2009-12-04 15:16 . 2009-12-04 15:16   --------   d-----w-   c:\programfiler\Fellesfiler\DivX Shared
              2009-12-04 12:09 . 2009-12-04 14:36   --------   d-----w-   C:\Video og film
              2009-12-03 19:15 . 2009-12-06 17:21   --------   d-----w-   c:\documents and settings\HP_Eier\Lokale innstillinger\Programdata\Temp
              2009-12-03 14:12 . 2009-12-03 14:13   --------   d-----w-   c:\documents and settings\LocalService\Lokale innstillinger\Programdata\Temp

              .
              ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              2009-12-09 23:51 . 2009-02-14 15:22   --------   d-----w-   c:\programfiler\DesktopEarth
              2009-12-09 19:19 . 2006-11-03 21:07   --------   d-----w-   c:\documents and settings\HP_Eier\Programdata\Azureus
              2009-12-09 14:59 . 2009-12-09 14:59   16   ----a-w-   c:\documents and settings\HP_Eier\Programdata\fvgqad.dat
              2009-12-09 14:11 . 2005-01-02 00:02   --------   d-----w-   c:\programfiler\Java
              2009-12-08 23:29 . 2006-03-04 11:05   --------   d-----w-   c:\programfiler\Fellesfiler\Wise Installation Wizard
              2009-12-07 11:59 . 2009-12-07 11:59   16   ----a-w-   c:\documents and settings\NetworkService\Programdata\fvgqad.dat
              2009-12-07 10:13 . 2009-04-25 13:41   --------   d-----w-   c:\documents and settings\All Users\Programdata\avg8
              2009-12-07 02:42 . 2009-12-07 02:42   4   ----a-w-   c:\documents and settings\HP_Eier\Programdata\avdrn.dat
              2009-12-04 15:17 . 2005-09-24 13:51   --------   d-----w-   c:\programfiler\DivX
              2009-12-04 11:40 . 2005-01-02 00:24   --------   d--h--w-   c:\programfiler\InstallShield Installation Information
              2009-12-04 11:26 . 2008-05-10 15:56   --------   d-----w-   c:\documents and settings\HP_Eier\Programdata\Orbit
              2009-12-03 17:42 . 2009-08-22 11:38   --------   d-----w-   c:\programfiler\Fellesfiler\AVSMedia
              2009-12-03 14:15 . 2004-11-29 20:10   61348   ----a-w-   c:\windows\system32\perfc014.dat
              2009-12-03 14:15 . 2004-11-29 20:10   386354   ----a-w-   c:\windows\system32\perfh014.dat
              2009-09-25 05:59 . 2004-08-04 12:00   661504   ------w-   c:\windows\system32\wininet.dll
              2009-09-25 05:59 . 2004-08-04 12:00   81920   ----a-w-   c:\windows\system32\ieencode.dll
              2009-09-20 13:59 . 2007-08-08 15:18   17616   ----a-w-   c:\documents and settings\HP_Eier\Lokale innstillinger\Programdata\GDIPFONTCACHEV1.DAT
              2009-09-11 14:37 . 2004-08-04 12:00   133632   ----a-w-   c:\windows\system32\msv1_0.dll
              2005-09-24 14:16 . 2005-09-24 14:16   4878136   ----a-w-   c:\programfiler\Firefox Setup 1.0.7.exe
              2005-09-24 13:51 . 2005-09-24 13:51   9346144   ----a-w-   c:\programfiler\DivXCreate.exe
              2005-09-24 13:35 . 2005-09-24 13:34   9341640   ----a-w-   c:\programfiler\Install_MSN_Messenger.EXE
              2005-04-13 22:11 . 2007-03-27 16:39   53283   ----a-w-   c:\programfiler\mozilla firefox\plugins\NCScnet.dll
              2005-04-13 22:33 . 2007-03-27 16:39   1044514   ----a-w-   c:\programfiler\mozilla firefox\plugins\NCSEcw.dll
              2005-04-13 22:11 . 2007-03-27 16:39   98339   ----a-w-   c:\programfiler\mozilla firefox\plugins\NCSUtil.dll
              .

              ((((((((((((((((((((((((((((((((   Registry Startup Points   )))))))))))))))))))))))))))))))))))))))))))))
              .
              .
              *Note* empty entries & legitimate default entries are not shown 
              REGEDIT4

              [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
              "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\programfiler\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

              [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

              [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
              2009-09-02 10:58   1107200   ----a-w-   c:\programfiler\AVG\AVG8\Toolbar\IEToolbar.dll

              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
              "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\programfiler\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

              [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

              [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
              "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\programfiler\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

              [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "MsnMsgr"="c:\programfiler\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "TkBellExe"="c:\programfiler\Fellesfiler\Real\Update_OB\realsched.exe  -osboot" [X]
              "SunJavaUpdateSched"="c:\programfiler\Java\jre6\bin\jusched.exe" [2009-12-09 149280]
              "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
              "HPHUPD06"="c:\programfiler\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
              "HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
              "iTunesHelper"="c:\programfiler\iTunes\iTunesHelper.exe" [2004-10-13 278528]
              "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
              "PS2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]
              "ATIPTA"="c:\programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-04 344064]
              "LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
              "Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
              "Profiler"="c:\programfiler\Saitek\Software\Profiler.exe" [2004-07-26 159744]
              "SaiSmart"="c:\programfiler\Saitek\Software\SaiSmart.exe" [2004-07-26 98304]
              "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-03 2029336]

              c:\documents and settings\Spiller\Start-meny\Programmer\Oppstart\
              PowerReg Scheduler.exe [2009-1-9 256000]

              c:\documents and settings\HP_Eier\Start-meny\Programmer\Oppstart\
              DesktopEarth AutoStart.lnk - c:\documents and settings\HP_Eier\Programdata\Microsoft\Installer\{DBA5E973-660D-4CBE-A469-F5C37FBF0CE4}\_C1A9BF9D98647632ED5172.exe [2009-2-14 29926]

              c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\
              CodeMeter Control Center.lnk - c:\programfiler\CodeMeter\Runtime\bin\CodeMeterCC.exe [2007-3-23 4984832]
              HP Digital Imaging Monitor.lnk - c:\programfiler\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-5 258048]
              WinZip Quick Pick.lnk - c:\programfiler\WinZip\WZQKPICK.EXE [2007-8-3 394856]

              [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
              "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programfiler\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
              2009-09-03 13:21   548352   ----a-w-   c:\programfiler\SUPERAntiSpyware\SASWINLO.dll

              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
              2009-08-15 09:06   11952   ----a-w-   c:\windows\system32\avgrsstx.dll

              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
              "c:\\Programfiler\\iTunes\\iTunes.exe"=
              "c:\\Programfiler\\Azureus\\Azureus.exe"=
              "c:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=

              R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [25.04.2009 14:42 335240]
              R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [25.04.2009 14:42 108552]
              R1 SASDIFSV;SASDIFSV;c:\programfiler\SUPERAntiSpyware\sasdifsv.sys [23.11.2009 08:43 9968]
              R1 SASKUTIL;SASKUTIL;c:\programfiler\SUPERAntiSpyware\SASKUTIL.SYS [23.11.2009 08:43 74480]
              R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [25.04.2009 14:42 908056]
              R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [25.04.2009 14:42 297752]
              S2 gupdate1c9b16eefa1d850;Google Update Service (gupdate1c9b16eefa1d850);c:\programfiler\Google\Update\GoogleUpdate.exe [30.03.2009 20:37 133104]
              S3 imhidusb;Immersion's HID USB Driver;c:\windows\system32\drivers\imhidusb.sys [06.01.2009 13:58 30984]
              S3 SaiH2541;SaiH2541;c:\windows\system32\drivers\SaiH2541.sys [01.05.2007 16:10 132232]
              S3 SaiHFFB5;SaiHFFB5;c:\windows\system32\drivers\SaiHFFB5.sys [06.01.2009 13:57 56576]
              S3 SASENUM;SASENUM;c:\programfiler\SUPERAntiSpyware\SASENUM.SYS [23.11.2009 08:43 7408]
              S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [03.03.2008 22:00 721904]
              .
              ------- Tilleggsskanning -------
              .
              uStart Page = hxxp://www.daemon-search.com/startpage
              uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NB_NO&c=Q105&bd=pavilion&pf=desktop
              mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NB_NO&c=Q105&bd=pavilion&pf=desktop
              IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
              IE: Open in new background tab - c:\programfiler\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/229?db7fb6bca09c413ea8f65a39ed34d332
              IE: Open in new foreground tab - c:\programfiler\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/230?db7fb6bca09c413ea8f65a39ed34d332
              FF - ProfilePath - c:\documents and settings\HP_Eier\Programdata\Mozilla\Firefox\Profiles\tzvdvu5c.default\
              FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
              FF - prefs.js: browser.search.selectedEngine - Google
              FF - prefs.js: browser.startup.homepage - hxxp://www.startsiden.no/
              FF - prefs.js: keyword.URL - hxxp://no.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_no&p=
              FF - component: c:\programfiler\AVG\AVG8\Firefox\components\avgssff.dll
              FF - component: c:\programfiler\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
              FF - component: c:\programfiler\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
              FF - component: c:\programfiler\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
              FF - component: c:\programfiler\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
              FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
              FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
              FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
              FF - plugin: c:\programfiler\DivX\DivX Plus Web Player\npdivx32.dll
              FF - plugin: c:\programfiler\Google\Google Earth\plugin\npgeplugin.dll
              FF - plugin: c:\programfiler\Google\Update\1.2.183.13\npGoogleOneClick8.dll
              FF - plugin: c:\programfiler\Mozilla Firefox\plugins\np-mswmp.dll
              FF - plugin: c:\programfiler\Mozilla Firefox\plugins\NP_NCS6.dll
              FF - plugin: c:\programfiler\Mozilla Firefox\plugins\NP_NCSPB6.dll
              FF - plugin: c:\programfiler\Mozilla Firefox\plugins\NP_NCSTB6.dll
              FF - plugin: c:\programfiler\Mozilla Firefox\plugins\npitunes.dll

              ---- FIREFOX POLICIES ----
              c:\programfiler\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
              .

              **************************************************************************

              catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
              Rootkit scan 2009-12-10 00:50
              Windows 5.1.2600 Service Pack 2 NTFS

              skanner skjulte prosesser ... 

              skanner skjulte autostart-oppføringer ...

              skanner skjulte filer ... 

              skanning vellykket
              skjulte filer: 0

              **************************************************************************
              .
              --------------------- LÅSTE REGISTERNØKLER ---------------------

              [HKEY_USERS\S-1-5-21-2708978570-3192926764-780308440-1007\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
              "??"=hex:7f,c7,c7,f5,13,05,cb,ea,7f,63,78,da,c6,44,db,80,13,6a,61,40,0f,df,61,
                 0b,75,f6,1b,e5,47,3f,af,53,fc,dd,5c,e0,1d,ee,d0,9f,cc,6c,6a,e5,8a,3d,92,7f,\
              "??"=hex:9d,69,f2,3c,9c,f5,ef,9a,be,14,41,e0,7e,6a,c5,06

              [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{55F992BA-1D26-E5AF-0907C8AEF5A56624}\{F1333513-8015-AAF3-FD42BD84CFB0024A}\{F02E7673-B596-886F-5D7515D1DE7A7F98}*]
              "G2ODBCSUISDKL2GJMZO1MJ5AUG1"=hex:01,00,01,00,00,00,00,00,9d,07,c2,9d,25,58,3c,
                 a7,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

              [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{866E5309-4DE4-EC1D-5303B5015403F078}\{E4D7DA31-B59C-2F42-84703E9617E7637D}\{F8D6A80B-EA06-4220-85CE61582D500BD8}*]
              "L5OTYL4OSK54QTZWOGJWMONWTG1"=hex:01,00,01,00,00,00,00,00,4f,1a,34,b6,a9,51,c3,
                 92,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

              [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{91EC4B89-4AF2-1685-8B077627C8A43419}\{2EE609D8-52A7-5ABD-6D921F70AFC106D5}\{F0CB3253-4F19-C88D-A2C81B3BBC751916}*]
              "PK3IM51V2WPW5YOPIRJ365XEIG1"=hex:01,00,01,00,00,00,00,00,c3,a2,73,89,0b,39,ad,
                 69,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

              [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{92E364B2-3C99-8131-FA38C55A9DF469B6}\{ED083C7B-BB22-E038-94448FA9BD51D19E}\{5592BF6F-6CA4-ED79-1454C42B0B348E21}*]
              "{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,1d,0b,78,
                 dd,02,85,a5,85,f2,b9,06,f7,25,56,f6,d2,a3,91,db,fa,9b,3c,b7,a0,8f,48,60,e9,\

              [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A76448FF-EA59-23D3-98F3B9C94A7EC293}\{51B7BFF3-30C4-3859-72DBC6993BF1721D}\{60FC5D85-3D13-ED0E-8811CBE6817E353D}*]
              "L5OTYL4OSK54QTZWOGJWMONWTG1"=hex:01,00,01,00,00,00,00,00,4f,1a,34,b6,a9,51,c3,
                 92,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

              [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AD212F18-226F-19C5-6836DC0F322A8CD1}\{165CDB28-57BC-2FFB-C17032E84F1598CE}\{1D773DA2-1E07-1A59-CFCCE9D8E9744932}*]
              "PK3IM51V2WPW5YOPIRJ365XEIG1"=hex:01,00,01,00,00,00,00,00,c3,a2,73,89,0b,39,ad,
                 69,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

              [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C53C8AFE-780B-A095-1875A9D39C824CF2}\{151E6624-94D7-6041-A2A26FFA6BDDEF0C}\{8D08884B-CD31-5FF0-CA8CAC497363EFC4}*]
              "{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,1d,0b,78,
                 dd,02,85,a5,85,f2,b9,06,f7,25,56,f6,d2,a3,91,db,fa,9b,3c,b7,a0,8f,48,60,e9,\

              [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F9E7FB8A-7FC0-F5C6-C2C005BCC6E52A75}\{38D64012-6403-EA81-41E60280EAB79558}\{8D4E630B-001F-4733-DF87B943421629E7}*]
              "G2ODBCSUISDKL2GJMZO1MJ5AUG1"=hex:01,00,01,00,00,00,00,00,9d,07,c2,9d,25,58,3c,
                 a7,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
              .
              --------------------- DLL'er Lastet Av Kjørende Prosesser ---------------------

              - - - - - - - > 'winlogon.exe'(564)
              c:\programfiler\SUPERAntiSpyware\SASWINLO.dll
              c:\windows\system32\Ati2evxx.dll

              - - - - - - - > 'explorer.exe'(3568)
              c:\windows\system32\WPDShServiceObj.dll
              c:\windows\system32\PortableDeviceTypes.dll
              c:\windows\system32\PortableDeviceApi.dll
              .
              ------------------------ Andre Kjørende Prosesser ------------------------
              .
              c:\windows\system32\Ati2evxx.exe
              c:\windows\system32\Ati2evxx.exe
              c:\programfiler\Java\jre6\bin\jqs.exe
              c:\programfiler\Fellesfiler\LightScribe\LSSrvc.exe
              c:\programfiler\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
              c:\progra~1\AVG\AVG8\avgrsx.exe
              c:\progra~1\AVG\AVG8\avgnsx.exe
              c:\programfiler\AVG\AVG8\avgcsrvx.exe
              c:\windows\system32\wscntfy.exe
              c:\windows\system32\wbem\wmiapsrv.exe
              c:\windows\system32\devldr32.exe
              c:\programfiler\iPod\bin\iPodService.exe
              c:\programfiler\Fellesfiler\Real\Update_OB\realsched.exe
              c:\programfiler\DesktopEarth\DesktopEarth.exe
              c:\programfiler\Windows Live\Contacts\wlcomm.exe
              .
              **************************************************************************
              .
              Tidspunkt ferdig: 2009-12-10  00:54:55 - maskinen ble startet på nytt
              ComboFix-quarantined-files.txt  2009-12-09 23:54
              ComboFix2.txt  2009-12-09 18:01

              Pre-Run: 81 056 776 192 byte ledig
              Post-Run: 81 058 414 592 byte ledig

              - - End Of File - - E960D5CE50AE6118BF9B159CAD8B338D


              Here is the DDS-log:

              DDS (Ver_09-12-01.01) - NTFSx86 
              Run by HP_Eier at  0:56:41,64 on 10.12.2009
              Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
              Microsoft Windows XP Home Edition  5.1.2600.2.1252.47.1044.18.1022.454 [GMT 1:00]

              AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)   {17DDD097-36FF-435F-9E1B-52D74245D6BF}

              ============== Running Processes ===============

              C:\WINDOWS\system32\Ati2evxx.exe
              C:\WINDOWS\system32\svchost -k DcomLaunch
              svchost.exe
              C:\WINDOWS\System32\svchost.exe -k netsvcs
              svchost.exe
              svchost.exe
              C:\WINDOWS\system32\Ati2evxx.exe
              C:\WINDOWS\system32\spoolsv.exe
              svchost.exe
              C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
              C:\Programfiler\Java\jre6\bin\jqs.exe
              c:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe
              C:\Programfiler\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
              C:\WINDOWS\system32\wuauclt.exe
              C:\PROGRA~1\AVG\AVG8\avgemc.exe
              C:\PROGRA~1\AVG\AVG8\avgrsx.exe
              C:\PROGRA~1\AVG\AVG8\avgnsx.exe
              C:\Programfiler\AVG\AVG8\avgcsrvx.exe
              C:\WINDOWS\system32\wscntfy.exe
              C:\WINDOWS\system32\wbem\wmiapsrv.exe
              C:\Programfiler\Java\jre6\bin\jusched.exe
              C:\windows\system\hpsysdrv.exe
              C:\WINDOWS\system32\hphmon06.exe
              C:\WINDOWS\system32\devldr32.exe
              C:\Programfiler\iTunes\iTunesHelper.exe
              C:\WINDOWS\system32\ps2.exe
              C:\Programfiler\iPod\bin\iPodService.exe
              C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
              C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe
              C:\Programfiler\Saitek\Software\Profiler.exe
              C:\Programfiler\Saitek\Software\SaiSmart.exe
              C:\PROGRA~1\AVG\AVG8\avgtray.exe
              C:\Programfiler\Windows Live\Messenger\msnmsgr.exe
              C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe
              C:\Programfiler\WinZip\WZQKPICK.EXE
              C:\Programfiler\DesktopEarth\DesktopEarth.exe
              C:\WINDOWS\system32\wuauclt.exe
              C:\Programfiler\Windows Live\Contacts\wlcomm.exe
              C:\WINDOWS\explorer.exe
              C:\WINDOWS\system32\notepad.exe
              C:\Programfiler\Mozilla Firefox\firefox.exe
              C:\Documents and Settings\HP_Eier\Mine dokumenter\Downloads\dds.scr

              ============== Pseudo HJT Report ===============

              uStart Page = hxxp://www.daemon-search.com/startpage
              uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NB_NO&c=Q105&bd=pavilion&pf=desktop
              mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NB_NO&c=Q105&bd=pavilion&pf=desktop
              uURLSearchHooks: H - No File
              uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\programfiler\avg\avg8\toolbar\IEToolbar.dll
              mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\programfiler\avg\avg8\toolbar\IEToolbar.dll
              BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programfiler\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
              BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
              BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\programfiler\avg\avg8\avgssie.dll
              BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
              BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\programfiler\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
              BHO: Påloggingshjelp for Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\programfiler\fellesfiler\microsoft shared\windows live\WindowsLiveLogin.dll
              BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\programfiler\avg\avg8\toolbar\IEToolbar.dll
              BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programfiler\java\jre6\bin\jp2ssv.dll
              BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\programfiler\windows live\toolbar\wltcore.dll
              BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programfiler\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
              TB: HP-visning: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\programfiler\hp\digital imaging\bin\HPDTLK02.dll
              TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\programfiler\avg\avg8\toolbar\IEToolbar.dll
              TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\programfiler\windows live\toolbar\wltcore.dll
              TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
              TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
              uRun: [MsnMsgr] "c:\programfiler\windows live\messenger\msnmsgr.exe" /background
              mRun: [SunJavaUpdateSched] "c:\programfiler\java\jre6\bin\jusched.exe"
              mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
              mRun: [HPHUPD06] c:\programfiler\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
              mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
              mRun: [iTunesHelper] c:\programfiler\itunes\iTunesHelper.exe
              mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
              mRun: [PS2] c:\windows\system32\ps2.exe
              mRun: [ATIPTA] c:\programfiler\ati technologies\ati control panel\atiptaxx.exe
              mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
              mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
              mRun: [TkBellExe] "c:\programfiler\fellesfiler\real\update_ob\realsched.exe"  -osboot
              mRun: [Profiler] c:\programfiler\saitek\software\Profiler.exe
              mRun: [SaiSmart] c:\programfiler\saitek\software\SaiSmart.exe
              mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
              StartupFolder: c:\docume~1\hp_eier\start-~1\progra~1\oppstart\deskto~1.lnk - c:\docume~1\hp_eier\progra~1\microsoft\installer\{dba5e973-660d-4cbe-a469-f5c37fbf0ce4}\_C1A9BF9D98647632ED5172.exe
              StartupFolder: c:\docume~1\alluse~1\start-~1\progra~1\oppstart\codeme~1.lnk - c:\programfiler\codemeter\runtime\bin\CodeMeterCC.exe
              StartupFolder: c:\docume~1\alluse~1\start-~1\progra~1\oppstart\hpdigi~1.lnk - c:\programfiler\hp\digital imaging\bin\hpqtra08.exe
              StartupFolder: c:\docume~1\alluse~1\start-~1\progra~1\oppstart\winzip~1.lnk - c:\programfiler\winzip\WZQKPICK.EXE
              IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
              IE: Open in new background tab - c:\programfiler\windows live toolbar\components\en-ww\msntabres.dll.mui/229?db7fb6bca09c413ea8f65a39ed34d332
              IE: Open in new foreground tab - c:\programfiler\windows live toolbar\components\en-ww\msntabres.dll.mui/230?db7fb6bca09c413ea8f65a39ed34d332
              DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
              DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
              DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196693014196
              DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
              DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
              DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
              DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
              DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
              Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\programfiler\avg\avg8\avgpp.dll
              Notify: !SASWinLogon - c:\programfiler\superantispyware\SASWINLO.dll
              Notify: AtiExtEvent - Ati2evxx.dll
              Notify: avgrsstarter - avgrsstx.dll
              SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
              SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\programfiler\superantispyware\SASSEH.DLL

              ================= FIREFOX ===================

              FF - ProfilePath - c:\docume~1\hp_eier\progra~1\mozilla\firefox\profiles\tzvdvu5c.default\
              FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
              FF - prefs.js: browser.search.selectedEngine - Google
              FF - prefs.js: browser.startup.homepage - hxxp://www.startsiden.no/
              FF - prefs.js: keyword.URL - hxxp://no.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_no&p=
              FF - component: c:\programfiler\avg\avg8\firefox\components\avgssff.dll
              FF - component: c:\programfiler\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
              FF - component: c:\programfiler\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
              FF - component: c:\programfiler\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
              FF - component: c:\programfiler\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
              FF - plugin: c:\program files\real\realplayer\netscape6\nppl3260.dll
              FF - plugin: c:\program files\real\realplayer\netscape6\nprjplug.dll
              FF - plugin: c:\program files\real\realplayer\netscape6\nprpjplug.dll
              FF - plugin: c:\programfiler\divx\divx plus web player\npdivx32.dll
              FF - plugin: c:\programfiler\google\google earth\plugin\npgeplugin.dll
              FF - plugin: c:\programfiler\google\update\1.2.183.13\npGoogleOneClick8.dll
              FF - plugin: c:\programfiler\mozilla firefox\plugins\NP_NCS6.dll
              FF - plugin: c:\programfiler\mozilla firefox\plugins\NP_NCSPB6.dll
              FF - plugin: c:\programfiler\mozilla firefox\plugins\NP_NCSTB6.dll
              FF - plugin: c:\programfiler\mozilla firefox\plugins\npitunes.dll
              FF - HiddenExtension: Java Console: No Registry Reference - c:\programfiler\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

              ---- FIREFOX POLICIES ----
              c:\programfiler\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

              ============= SERVICES / DRIVERS ===============

              R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-25 335240]
              R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-12-6 27784]
              R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-25 108552]
              R1 SASDIFSV;SASDIFSV;c:\programfiler\superantispyware\sasdifsv.sys [2009-11-23 9968]
              R1 SASKUTIL;SASKUTIL;c:\programfiler\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
              R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-4-25 908056]
              R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-25 297752]
              S2 gupdate1c9b16eefa1d850;Google Update Service (gupdate1c9b16eefa1d850);c:\programfiler\google\update\GoogleUpdate.exe [2009-3-30 133104]
              S3 imhidusb;Immersion's HID USB Driver;c:\windows\system32\drivers\imhidusb.sys [2009-1-6 30984]
              S3 SaiH2541;SaiH2541;c:\windows\system32\drivers\SaiH2541.sys [2007-5-1 132232]
              S3 SaiHFFB5;SaiHFFB5;c:\windows\system32\drivers\SaiHFFB5.sys [2009-1-6 56576]
              S3 SASENUM;SASENUM;c:\programfiler\superantispyware\SASENUM.SYS [2009-11-23 7408]

              =============== Created Last 30 ================

              2009-12-09 20:59:21   170   ----a-w-   c:\documents and settings\hp_eier\defogger_reenable
              2009-12-09 19:12:26   1374   ----a-w-   c:\windows\imsins.BAK
              2009-12-09 19:12:25   0   d-----w-   c:\windows\system32\LogFiles
              2009-12-09 17:41:58   77312   ----a-w-   c:\windows\MBR.exe
              2009-12-09 17:41:57   98816   ----a-w-   c:\windows\sed.exe
              2009-12-09 17:41:57   261632   ----a-w-   c:\windows\PEV.exe
              2009-12-09 17:41:57   161792   ----a-w-   c:\windows\SWREG.exe
              2009-12-09 15:51:35   0   d-----w-   c:\programfiler\Trend Micro
              2009-12-09 14:59:01   16   ----a-w-   c:\docume~1\hp_eier\progra~1\fvgqad.dat
              2009-12-09 14:13:44   73728   ----a-w-   c:\windows\system32\javacpl.cpl
              2009-12-09 14:13:44   411368   ----a-w-   c:\windows\system32\deploytk.dll
              2009-12-08 23:57:20   0   d--h--r-   c:\documents and settings\hp_eier\Siste
              2009-12-08 23:35:13   0   d-----w-   c:\docume~1\alluse~1\progra~1\SUPERAntiSpyware.com
              2009-12-08 23:32:52   0   d-----w-   c:\programfiler\SUPERAntiSpyware
              2009-12-08 23:32:52   0   d-----w-   c:\docume~1\hp_eier\progra~1\SUPERAntiSpyware.com
              2009-12-08 22:05:01   0   d-----w-   c:\programfiler\CCleaner
              2009-12-07 10:23:32   0   d-----w-   c:\docume~1\hp_eier\progra~1\Malwarebytes
              2009-12-07 10:23:16   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
              2009-12-07 10:23:14   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
              2009-12-07 10:23:14   0   d-----w-   c:\programfiler\Malwarebytes' Anti-Malware
              2009-12-07 10:23:14   0   d-----w-   c:\docume~1\alluse~1\progra~1\Malwarebytes
              2009-12-07 06:25:07   0   d-----w-   C:\My Shared Folder
              2009-12-07 02:42:39   4   ----a-w-   c:\docume~1\hp_eier\progra~1\avdrn.dat
              2009-12-04 15:16:56   0   d-----w-   c:\programfiler\fellesfiler\DivX Shared
              2009-12-04 12:09:18   0   d-----w-   C:\Video og film

              ==================== Find3M  ====================

              2009-12-03 14:15:06   61348   ----a-w-   c:\windows\system32\perfc014.dat
              2009-12-03 14:15:06   386354   ----a-w-   c:\windows\system32\perfh014.dat
              2009-10-20 00:08:15   3084288   ----a-w-   c:\windows\system32\dllcache\mshtml.dll
              2009-09-18 09:56:10   18432   ----a-w-   c:\windows\system32\dllcache\iedw.exe
              2009-09-11 14:37:06   133632   ----a-w-   c:\windows\system32\msv1_0.dll
              2009-09-11 14:37:06   133632   ----a-w-   c:\windows\system32\dllcache\msv1_0.dll
              2005-09-24 14:16:16   4878136   ----a-w-   c:\programfiler\Firefox Setup 1.0.7.exe
              2005-09-24 13:51:37   9346144   ----a-w-   c:\programfiler\DivXCreate.exe
              2005-09-24 13:35:01   9341640   ----a-w-   c:\programfiler\Install_MSN_Messenger.EXE

              ============= FINISH:  0:56:48,93 ===============


              And finally, this is the attach-log:

              UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
              IF REQUESTED, ZIP IT UP & ATTACH IT

              DDS (Ver_09-12-01.01)

              Microsoft Windows XP Home Edition
              Boot Device: \Device\HarddiskVolume2
              Install Date: 03.12.2007 14:44:41
              System Uptime: 12.10.2009 00:49:05 (1416 hours ago)

              Motherboard:   |  | AHI2
              Processor: AMD Athlon(tm) 64 Processor 3500+ | Socket 939 | 2188/199mhz

              ==== Disk Partitions =========================

              C: is FIXED (NTFS) - 226 GiB total, 75,507 GiB free.
              D: is FIXED (FAT32) - 7 GiB total, 3,75 GiB free.
              E: is CDROM ()
              F: is Removable
              G: is Removable
              H: is Removable
              I: is Removable
              J: is Removable

              ==== Disabled Device Manager Items =============

              Class GUID: {678DCF40-E2E6-11D5-8CD5-E960089EA00A}
              Description: Saitek Magic Mouse
              Device ID: SAITEKMAGICBUS\SAITEKMOUSE\1&A2CA95B&1&0000
              Manufacturer: Saitek
              Name: Saitek Magic Mouse
              PNP Device ID: SAITEKMAGICBUS\SAITEKMOUSE\1&A2CA95B&1&0000
              Service: SaiMini

              Class GUID: {678DCF40-E2E6-11D5-8CD5-E960089EA00A}
              Description: Saitek Magic Keyboard
              Device ID: SAITEKMAGICBUS\SAITEKKEYBOARD\1&A2CA95B&1&0000
              Manufacturer: Saitek
              Name: Saitek Magic Keyboard
              PNP Device ID: SAITEKMAGICBUS\SAITEKKEYBOARD\1&A2CA95B&1&0000
              Service: SaiMini

              ==== System Restore Points ===================

              RP455: 11.09.2009 03:42:11 - Kontrollpunkt for system
              RP456: 12.09.2009 03:43:13 - Kontrollpunkt for system
              RP457: 13.09.2009 03:00:17 - Software Distribution Service 3.0
              RP458: 14.09.2009 03:12:07 - Kontrollpunkt for system
              RP459: 15.09.2009 04:12:33 - Kontrollpunkt for system
              RP460: 16.09.2009 04:17:52 - Kontrollpunkt for system
              RP461: 17.09.2009 05:03:22 - Kontrollpunkt for system
              RP462: 18.09.2009 05:05:32 - Kontrollpunkt for system
              RP463: 20.09.2009 22:04:06 - Kontrollpunkt for system
              RP464: 21.09.2009 23:55:45 - Kontrollpunkt for system
              RP465: 22.09.2009 03:00:25 - Software Distribution Service 3.0
              RP466: 23.09.2009 03:13:58 - Kontrollpunkt for system
              RP467: 24.09.2009 04:13:58 - Kontrollpunkt for system
              RP468: 25.09.2009 04:15:05 - Kontrollpunkt for system
              RP469: 26.09.2009 04:16:07 - Kontrollpunkt for system
              RP470: 27.09.2009 05:16:10 - Kontrollpunkt for system
              RP471: 28.09.2009 05:19:29 - Kontrollpunkt for system
              RP472: 29.09.2009 06:19:30 - Kontrollpunkt for system
              RP473: 30.09.2009 06:46:21 - Kontrollpunkt for system
              RP474: 01.10.2009 06:47:25 - Kontrollpunkt for system
              RP475: 02.10.2009 08:51:03 - Kontrollpunkt for system
              RP476: 03.10.2009 09:48:33 - Kontrollpunkt for system
              RP477: 10.10.2009 17:46:49 - Avg8 Update
              RP478: 10.10.2009 17:47:36 - Avg8 Update
              RP479: 11.10.2009 18:07:18 - Kontrollpunkt for system
              RP480: 12.10.2009 19:06:13 - Kontrollpunkt for system
              RP481: 13.10.2009 20:06:15 - Kontrollpunkt for system
              RP482: 14.10.2009 21:06:14 - Kontrollpunkt for system
              RP483: 15.10.2009 03:00:15 - Software Distribution Service 3.0
              RP484: 16.10.2009 03:15:45 - Kontrollpunkt for system
              RP485: 17.10.2009 04:15:44 - Kontrollpunkt for system
              RP486: 17.10.2009 08:59:26 - Avg8 Update
              RP487: 18.10.2009 09:15:27 - Kontrollpunkt for system
              RP488: 19.10.2009 10:15:25 - Kontrollpunkt for system
              RP489: 20.10.2009 10:16:30 - Kontrollpunkt for system
              RP490: 21.10.2009 08:59:35 - Avg8 Update
              RP491: 22.10.2009 09:16:30 - Kontrollpunkt for system
              RP492: 23.10.2009 10:25:08 - Kontrollpunkt for system
              RP493: 03.12.2009 15:17:44 - Avg8 Update
              RP494: 04.12.2009 03:00:21 - Software Distribution Service 3.0
              RP495: 04.12.2009 12:28:57 - Removed Python 2.5.2
              RP496: 04.12.2009 12:38:16 - Konfigurert AirPlus G
              RP497: 04.12.2009 12:50:13 - Fjernet 3DSexVilla-017.001 (Cracked)
              RP498: 06.12.2009 04:15:36 - Kontrollpunkt for system
              RP499: 07.12.2009 11:48:38 - Kontrollpunkt for system
              RP500: 08.12.2009 12:38:43 - Kontrollpunkt for system
              RP501: 09.12.2009 00:32:42 - Installed SUPERAntiSpyware Free Edition
              RP502: 09.12.2009 15:11:10 - Installed Java(TM) 6 Update 17
              RP503: 09.12.2009 20:11:40 - Installed Windows Media Player 11
              RP504: 09.12.2009 20:12:22 - Installed Windows XP Wudf01000.
              RP505: 09.12.2009 20:15:01 - Installed Windows XP MSCompPackV1.
              RP506: 09.12.2009 20:16:08 - Installed Windows XP KB926239.

              ==== Installed Programs ======================

              Adobe Acrobat - Reader 6.0.2 Update
              Adobe Flash Player 10 ActiveX
              Adobe Flash Player Plugin
              Adobe Reader 6.0.1 - Norsk
              AiO_Scan
              AiOSoftware
              ATI - Software Uninstall Utility
              ATI Control Panel
              ATI Display Driver
              AVG 8.5
              Battle of Britain II
              BufferChm
              CameraDrivers
              CCleaner
              Copy
              CP_AtenaShokunin1Config
              cp_dwSharkTaleAlbums1
              cp_dwSharkTaleCards1
              cp_dwShrek2Albums1
              cp_dwShrek2Cards1
              CP_PLSBusinessFlyers
              CreativeProjects
              CreativeProjectsTemplates
              Cucusoft YouTube Mate 7.17
              CueTour
              DAEMON Tools Toolbar
              DesktopEarth
              Destinations
              Director
              DivX Plus Web Player
              DocProc
              DocumentViewer
              EPSON-skriverprogramvare
              EPSON Print CD
              ESP1400_1410 Brukerhåndb.
              Falcon 4.0: Allied Force
              Fax
              Francesco's leveled creatures-items mod 4.5b
              Freez FLV to MP3 Converter
              GATES TO AESGAARD - Episode 1
              Google Earth
              Google Update Helper
              Help and Support Additions
              Hotfix for Windows XP (KB926239)
              HP Deskjet Preloaded Printer Drivers
              HP Diagnostic Assistant
              HP Image Zone 4.5.3
              HP Image Zone Plus 4.5.3
              HP Photosmart-kameraer 4.0
              HP PSC & OfficeJet 4.0
              HP Software Update
              HPIZplus450
              HpSdpAppCoreApp
              Hurtigreparasjon for Windows XP (KB952287)
              Hurtigreparasjon for Windows XP (KB970653-v3)
              Hurtigreparasjon for Windows XP (KB976098-v2)
              IL-2 Sturmovik: Forgotten Battles
              IL-2 Sturmovik: Forgotten Battles AEP
              InstantShare
              InterVideo DiscLabel
              InterVideo WinDVD Creator
              InterVideo WinDVD Player
              iTunes
              Ivellon 1.5 English
              Java 2 Runtime Environment, SE v1.4.2_03
              Java(TM) 6 Update 17
              K-Lite Codec Pack 3.8.5 Full
              LS_HSI
              Malwarebytes' Anti-Malware
              Microsoft .NET Framework 1.1
              Microsoft .NET Framework 1.1 Norwegian Language Pack
              Microsoft .NET Framework 1.1 Security Update (KB953297)
              Microsoft Application Error Reporting
              Microsoft Choice Guard
              Microsoft Compression Client Pack 1.0 for Windows XP
              Microsoft Search Enhancement Pack
              Microsoft Sync Framework Runtime Native v1.0 (x86)
              Microsoft Sync Framework Services Native v1.0 (x86)
              Microsoft User-Mode Driver Framework Feature Pack 1.0
              Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
              Microsoft Visual C++ 2005 Redistributable
              Mozilla Firefox (3.5.5)
              MSVCRT
              MSXML 4.0 SP2 (KB936181)
              MSXML 4.0 SP2 (KB954430)
              MSXML 4.0 SP2 (KB973688)
              Oblivion
              Oblivion - Fighter's Stronghold
              Oblivion - Knights of the Nine
              Oblivion mod manager 1.1.6
              OneCare Advisor (Windows Live Toolbar)
              Oppdatering for Windows XP (KB894391)
              Oppdatering for Windows XP (KB898461)
              Oppdatering for Windows XP (KB900485)
              Oppdatering for Windows XP (KB908531)
              Oppdatering for Windows XP (KB910437)
              Oppdatering for Windows XP (KB911280)
              Oppdatering for Windows XP (KB916595)
              Oppdatering for Windows XP (KB920872)
              Oppdatering for Windows XP (KB922582)
              Oppdatering for Windows XP (KB927891)
              Oppdatering for Windows XP (KB930916)
              Oppdatering for Windows XP (KB933360)
              Oppdatering for Windows XP (KB938828)
              Oppdatering for Windows XP (KB942763)
              Oppdatering for Windows XP (KB942840)
              Oppdatering for Windows XP (KB946627)
              Oppdatering for Windows XP (KB951072-v2)
              Oppdatering for Windows XP (KB955839)
              Oppdatering for Windows XP (KB961503)
              Oppdatering for Windows XP (KB967715)
              Oppdatering for Windows XP (KB968389)
              Oppdatering for Windows XP (KB973687)
              Oppdatering for Windows XP (KB973815)
              Oppdatering for Windows XP (KB976749)
              Oxin's Style! 3D Sexvilla 2.058.002
              Oxin's Style! Hentai3D 2.056.001
              PanoStandAlone
              PhotoGallery
              Photosmart 320,370,7400,8100,8400 Series (nob)
              Påloggingsassistent for Windows Live
              Popup Blocker (Windows Live Toolbar)
              PrintScreen
              PS2
              PSPrinters06
              QFolder
              QuickProjects
              QuickTime
              Readme
              RealPlayer
              Scan
              Security Update for CAPICOM (KB931906)
              Segoe UI
              Sikkerhetsoppdatering for Windows Media Player (KB911564)
              Sikkerhetsoppdatering for Windows Media Player (KB952069)
              Sikkerhetsoppdatering for Windows Media Player (KB973540)
              Sikkerhetsoppdatering for Windows Media Player 6.4 (KB925398)
              Sikkerhetsoppdatering for Windows Media Player 9 (KB936782)
              Sikkerhetsoppdatering for Windows XP (KB890046)
              Sikkerhetsoppdatering for Windows XP (KB893756)
              Sikkerhetsoppdatering for Windows XP (KB896358)
              Sikkerhetsoppdatering for Windows XP (KB896423)
              Sikkerhetsoppdatering for Windows XP (KB896428)
              Sikkerhetsoppdatering for Windows XP (KB899587)
              Sikkerhetsoppdatering for Windows XP (KB899591)
              Sikkerhetsoppdatering for Windows XP (KB900725)
              Sikkerhetsoppdatering for Windows XP (KB901017)
              Sikkerhetsoppdatering for Windows XP (KB901214)
              Sikkerhetsoppdatering for Windows XP (KB902400)
              Sikkerhetsoppdatering for Windows XP (KB904706)
              Sikkerhetsoppdatering for Windows XP (KB905414)
              Sikkerhetsoppdatering for Windows XP (KB905749)
              Sikkerhetsoppdatering for Windows XP (KB908519)
              Sikkerhetsoppdatering for Windows XP (KB911562)
              Sikkerhetsoppdatering for Windows XP (KB911927)
              Sikkerhetsoppdatering for Windows XP (KB913580)
              Sikkerhetsoppdatering for Windows XP (KB914388)
              Sikkerhetsoppdatering for Windows XP (KB914389)
              Sikkerhetsoppdatering for Windows XP (KB917344)
              Sikkerhetsoppdatering for Windows XP (KB917953)
              Sikkerhetsoppdatering for Windows XP (KB918118)
              Sikkerhetsoppdatering for Windows XP (KB918439)
              Sikkerhetsoppdatering for Windows XP (KB919007)
              Sikkerhetsoppdatering for Windows XP (KB920213)
              Sikkerhetsoppdatering for Windows XP (KB920670)
              Sikkerhetsoppdatering for Windows XP (KB920683)
              Sikkerhetsoppdatering for Windows XP (KB920685)
              Sikkerhetsoppdatering for Windows XP (KB921503)
              Sikkerhetsoppdatering for Windows XP (KB922819)
              Sikkerhetsoppdatering for Windows XP (KB923191)
              Sikkerhetsoppdatering for Windows XP (KB923414)
              Sikkerhetsoppdatering for Windows XP (KB923561)
              Sikkerhetsoppdatering for Windows XP (KB923689)
              Sikkerhetsoppdatering for Windows XP (KB923980)
              Sikkerhetsoppdatering for Windows XP (KB924270)
              Sikkerhetsoppdatering for Windows XP (KB924496)
              Sikkerhetsoppdatering for Windows XP (KB924667)
              Sikkerhetsoppdatering for Windows XP (KB925902)
              Sikkerhetsoppdatering for Windows XP (KB926255)
              Sikkerhetsoppdatering for Windows XP (KB926436)
              Sikkerhetsoppdatering for Windows XP (KB927779)
              Sikkerhetsoppdatering for Windows XP (KB927802)
              Sikkerhetsoppdatering for Windows XP (KB928255)
              Sikkerhetsoppdatering for Windows XP (KB928843)
              Sikkerhetsoppdatering for Windows XP (KB929123)
              Sikkerhetsoppdatering for Windows XP (KB930178)
              Sikkerhetsoppdatering for Windows XP (KB931261)
              Sikkerhetsoppdatering for Windows XP (KB931784)
              Sikkerhetsoppdatering for Windows XP (KB932168)
              Sikkerhetsoppdatering for Windows XP (KB933729)
              Sikkerhetsoppdatering for Windows XP (KB935839)
              Sikkerhetsoppdatering for Windows XP (KB935840)
              Sikkerhetsoppdatering for Windows XP (KB936021)
              Sikkerhetsoppdatering for Windows XP (KB938127)
              Sikkerhetsoppdatering for Windows XP (KB938464)
              Sikkerhetsoppdatering for Windows XP (KB938829)
              Sikkerhetsoppdatering for Windows XP (KB939653)
              Sikkerhetsoppdatering for Windows XP (KB941202)
              Sikkerhetsoppdatering for Windows XP (KB941568)
              Sikkerhetsoppdatering for Windows XP (KB941569)
              Sikkerhetsoppdatering for Windows XP (KB941644)
              Sikkerhetsoppdatering for Windows XP (KB941693)
              Sikkerhetsoppdatering for Windows XP (KB942615)
              Sikkerhetsoppdatering for Windows XP (KB943055)
              Sikkerhetsoppdatering for Windows XP (KB943460)
              Sikkerhetsoppdatering for Windows XP (KB943485)
              Sikkerhetsoppdatering for Windows XP (KB944338)
              Sikkerhetsoppdatering for Windows XP (KB944533)
              Sikkerhetsoppdatering for Windows XP (KB944653)
              Sikkerhetsoppdatering for Windows XP (KB945553)
              Sikkerhetsoppdatering for Windows XP (KB946026)
              Sikkerhetsoppdatering for Windows XP (KB946648)
              Sikkerhetsoppdatering for Windows XP (KB947864)
              Sikkerhetsoppdatering for Windows XP (KB948590)
              Sikkerhetsoppdatering for Windows XP (KB948881)
              Sikkerhetsoppdatering for Windows XP (KB950749)
              Sikkerhetsoppdatering for Windows XP (KB950759)
              Sikkerhetsoppdatering for Windows XP (KB950760)
              Sikkerhetsoppdatering for Windows XP (KB950762)
              Sikkerhetsoppdatering for Windows XP (KB950974)
              Sikkerhetsoppdatering for Windows XP (KB951066)
              Sikkerhetsoppdatering for Windows XP (KB951376-v2)
              Sikkerhetsoppdatering for Windows XP (KB951376)
              Sikkerhetsoppdatering for Windows XP (KB951698)
              Sikkerhetsoppdatering for Windows XP (KB951748)
              Sikkerhetsoppdatering for Windows XP (KB952004)
              Sikkerhetsoppdatering for Windows XP (KB952954)
              Sikkerhetsoppdatering for Windows XP (KB953838)
              Sikkerhetsoppdatering for Windows XP (KB953839)
              Sikkerhetsoppdatering for Windows XP (KB954211)
              Sikkerhetsoppdatering for Windows XP (KB954600)
              Sikkerhetsoppdatering for Windows XP (KB955069)
              Sikkerhetsoppdatering for Windows XP (KB956390)
              Sikkerhetsoppdatering for Windows XP (KB956391)
              Sikkerhetsoppdatering for Windows XP (KB956572)
              Sikkerhetsoppdatering for Windows XP (KB956802)
              Sikkerhetsoppdatering for Windows XP (KB956803)
              Sikkerhetsoppdatering for Windows XP (KB956841)
              Sikkerhetsoppdatering for Windows XP (KB956844)
              Sikkerhetsoppdatering for Windows XP (KB957095)
              Sikkerhetsoppdatering for Windows XP (KB957097)
              Sikkerhetsoppdatering for Windows XP (KB958215)
              Sikkerhetsoppdatering for Windows XP (KB958470)
              Sikkerhetsoppdatering for Windows XP (KB958644)
              Sikkerhetsoppdatering for Windows XP (KB958687)
              Sikkerhetsoppdatering for Windows XP (KB958690)
              Sikkerhetsoppdatering for Windows XP (KB958869)
              Sikkerhetsoppdatering for Windows XP (KB959426)
              Sikkerhetsoppdatering for Windows XP (KB960225)
              Sikkerhetsoppdatering for Windows XP (KB960714)
              Sikkerhetsoppdatering for Windows XP (KB960715)
              Sikkerhetsoppdatering for Windows XP (KB960803)
              Sikkerhetsoppdatering for Windows XP (KB960859)
              Sikkerhetsoppdatering for Windows XP (KB961371)
              Sikkerhetsoppdatering for Windows XP (KB961373)
              Sikkerhetsoppdatering for Windows XP (KB961501)
              Sikkerhetsoppdatering for Windows XP (KB963027)
              Sikkerhetsoppdatering for Windows XP (KB968537)
              Sikkerhetsoppdatering for Windows XP (KB969059)
              Sikkerhetsoppdatering for Windows XP (KB969897)
              Sikkerhetsoppdatering for Windows XP (KB969898)
              Sikkerhetsoppdatering for Windows XP (KB969947)
              Sikkerhetsoppdatering for Windows XP (KB970238)
              Sikkerhetsoppdatering for Windows XP (KB971486)
              Sikkerhetsoppdatering for Windows XP (KB971557)
              Sikkerhetsoppdatering for Windows XP (KB971633)
              Sikkerhetsoppdatering for Windows XP (KB971657)
              Sikkerhetsoppdatering for Windows XP (KB971961)
              Sikkerhetsoppdatering for Windows XP (KB972260)
              Sikkerhetsoppdatering for Windows XP (KB973346)
              Sikkerhetsoppdatering for Windows XP (KB973354)
              Sikkerhetsoppdatering for Windows XP (KB973507)
              Sikkerhetsoppdatering for Windows XP (KB973525)
              Sikkerhetsoppdatering for Windows XP (KB973869)
              Sikkerhetsoppdatering for Windows XP (KB974112)
              Sikkerhetsoppdatering for Windows XP (KB974455)
              Sikkerhetsoppdatering for Windows XP (KB974571)
              Sikkerhetsoppdatering for Windows XP (KB975025)
              Sikkerhetsoppdatering for Windows XP (KB975467)
              SkinsHP1
              Smart Menus (Windows Live Toolbar)
              Sonic Express Labeler
              Sonic RecordNow!
              SST Programming Software
              SUPERAntiSpyware Free Edition
              Tabbed Browsing (Windows Live Toolbar)
              The Settlers II - 10th Anniversary
              TrayApp
              ubi.com
              Unload
              VC80CRTRedist - 8.0.50727.4053
              VirtuallyJenna K17 570 MOD
              Vuze
              WebFldrs XP
              WebReg
              Windows Genuine Advantage Validation Tool (KB892130)
              Windows Installer 3.1 (KB893803)
              Windows Live Call
              Windows Live Communications Platform
              Windows Live Essentials
              Windows Live Favorites for Windows Live Toolbar
              Windows Live Messenger
              Windows Live Outlook Toolbar (Windows Live Toolbar)
              Windows Live Toolbar
              Windows Live Toolbar Extension (Windows Live Toolbar)
              Windows Live Toolbar Feed Detector (Windows Live Toolbar)
              Windows Live Upload Tool
              Windows Media Format 11 runtime
              Windows Media Player 11
              Windows Media Player Firefox Plugin
              Windows XP hurtigreparasjon - KB873339
              Windows XP hurtigreparasjon - KB883667
              Windows XP hurtigreparasjon - KB885835
              Windows XP hurtigreparasjon - KB885836
              Windows XP hurtigreparasjon - KB886185
              Windows XP hurtigreparasjon - KB887472
              Windows XP hurtigreparasjon - KB887742
              Windows XP hurtigreparasjon - KB888302
              Windows XP hurtigreparasjon - KB890175
              Windows XP hurtigreparasjon - KB890859
              Windows XP hurtigreparasjon - KB891781
              WinRAR archiver

              ==== End Of File ===========================

              evilfantasy

              • Malware Removal Specialist
              • Moderator
              Re: Atapi.sys infected - Trojan Horse Packed.Protector.C
              « Reply #10 on: December 09, 2009, 05:29:57 PM »
              One more time please.

              1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
              It must be Notepad, not Wordpad.
              2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

              Code:
              KillAll::

              SkipFix::

              DDS::
              uURLSearchHooks: H - No File
              BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
              TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
              TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

              RegLockDel::
              [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{55F992BA-1D26-E5AF-0907C8AEF5A56624}\{F1333513-8015-AAF3-FD42BD84CFB0024A}\{F02E7673-B596-886F-5D7515D1DE7A7F98}*]

              [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{866E5309-4DE4-EC1D-5303B5015403F078}\{E4D7DA31-B59C-2F42-84703E9617E7637D}\{F8D6A80B-EA06-4220-85CE61582D500BD8}*]

              [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{91EC4B89-4AF2-1685-8B077627C8A43419}\{2EE609D8-52A7-5ABD-6D921F70AFC106D5}\{F0CB3253-4F19-C88D-A2C81B3BBC751916}*]

              [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{92E364B2-3C99-8131-FA38C55A9DF469B6}\{ED083C7B-BB22-E038-94448FA9BD51D19E}\{5592BF6F-6CA4-ED79-1454C42B0B348E21}*]

              [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A76448FF-EA59-23D3-98F3B9C94A7EC293}\{51B7BFF3-30C4-3859-72DBC6993BF1721D}\{60FC5D85-3D13-ED0E-8811CBE6817E353D}*]

              [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AD212F18-226F-19C5-6836DC0F322A8CD1}\{165CDB28-57BC-2FFB-C17032E84F1598CE}\{1D773DA2-1E07-1A59-CFCCE9D8E9744932}*]

              [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C53C8AFE-780B-A095-1875A9D39C824CF2}\{151E6624-94D7-6041-A2A26FFA6BDDEF0C}\{8D08884B-CD31-5FF0-CA8CAC497363EFC4}*]

              [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F9E7FB8A-7FC0-F5C6-C2C005BCC6E52A75}\{38D64012-6403-EA81-41E60280EAB79558}\{8D4E630B-001F-4733-DF87B943421629E7}*]


              3. Go to the Notepad window and click Edit > Paste
              4. Then click File > Save
              5. Name the file CFScript.txt - Save the file to your Desktop
              6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



              ComboFix will begin to execute, just follow the prompts.
              After reboot (in case it asks to reboot), it will produce a log for you.
              Post that log (Combofix.txt) in your next reply.

              Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

              ----------

              You can open Defogger and have it Re-enable the virtual drivers now.

              ----------

              Download JavaRa
              * Unzip the file and open the JavaRa.exe
              * Click Remove Older Versions
              * JavaRa will search for and remove any outdated version of Java and remove any that are found.
              * Click Additional Tasks
              * Place a check next to Remove Useless JRE Files and click Go
              * Exit JavaRa
              * Delete the JavaRa files from the desktop

              Andrimner

                Topic Starter

                Re: Atapi.sys infected - Trojan Horse Packed.Protector.C
                « Reply #11 on: December 09, 2009, 06:29:47 PM »
                Ok, all done - here is the new log:

                ComboFix 09-12-09.03 - HP_Eier 10.12.2009   2:11.5.1 - x86
                Microsoft Windows XP Home Edition  5.1.2600.2.1252.47.1044.18.1022.558 [GMT 1:00]
                Kjører fra: c:\documents and settings\HP_Eier\Skrivebord\ComboFix.exe
                Command switches brukt :: c:\documents and settings\HP_Eier\Skrivebord\CFScript.txt
                AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
                .
                - REDUCED FUNCTIONALITY MODE -
                .

                (((((((((((((((((((((((((((   Filer Opprettet Fra 2009-11-10 til 2009-12-10  )))))))))))))))))))))))))))))))))
                .

                2009-12-09 19:12 . 2009-12-09 19:12   --------   d-----w-   c:\windows\system32\LogFiles
                2009-12-09 15:51 . 2009-12-09 15:51   --------   d-----w-   c:\programfiler\Trend Micro
                2009-12-09 14:13 . 2009-12-09 14:12   411368   ----a-w-   c:\windows\system32\deploytk.dll
                2009-12-09 14:09 . 2009-12-09 14:09   152576   ----a-w-   c:\documents and settings\HP_Eier\Programdata\Sun\Java\jre1.6.0_17\lzma.dll
                2009-12-09 14:08 . 2009-12-09 14:08   79488   ----a-w-   c:\documents and settings\HP_Eier\Programdata\Sun\Java\jre1.6.0_17\gtapi.dll
                2009-12-08 23:57 . 2009-12-10 01:09   --------   d--h--r-   c:\documents and settings\HP_Eier\Siste
                2009-12-08 23:35 . 2009-12-08 23:35   117760   ----a-w-   c:\documents and settings\HP_Eier\Programdata\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
                2009-12-08 23:35 . 2009-12-08 23:35   --------   d-----w-   c:\documents and settings\All Users\Programdata\SUPERAntiSpyware.com
                2009-12-08 23:32 . 2009-12-08 23:34   --------   d-----w-   c:\programfiler\SUPERAntiSpyware
                2009-12-08 23:32 . 2009-12-08 23:32   --------   d-----w-   c:\documents and settings\HP_Eier\Programdata\SUPERAntiSpyware.com
                2009-12-08 22:05 . 2009-12-08 22:05   --------   d-----w-   c:\programfiler\CCleaner
                2009-12-07 10:23 . 2009-12-07 10:23   --------   d-----w-   c:\documents and settings\HP_Eier\Programdata\Malwarebytes
                2009-12-07 10:23 . 2009-12-03 15:14   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                2009-12-07 10:23 . 2009-12-07 10:23   --------   d-----w-   c:\programfiler\Malwarebytes' Anti-Malware
                2009-12-07 10:23 . 2009-12-07 10:23   --------   d-----w-   c:\documents and settings\All Users\Programdata\Malwarebytes
                2009-12-07 10:23 . 2009-12-03 15:13   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
                2009-12-07 06:25 . 2009-12-08 15:06   --------   d-----w-   C:\My Shared Folder
                2009-12-04 15:16 . 2009-12-04 15:16   --------   d-----w-   c:\programfiler\Fellesfiler\DivX Shared
                2009-12-04 12:09 . 2009-12-04 14:36   --------   d-----w-   C:\Video og film
                2009-12-03 19:15 . 2009-12-06 17:21   --------   d-----w-   c:\documents and settings\HP_Eier\Lokale innstillinger\Programdata\Temp
                2009-12-03 14:12 . 2009-12-03 14:13   --------   d-----w-   c:\documents and settings\LocalService\Lokale innstillinger\Programdata\Temp

                .
                ((((((((((((((((((((((((((((((((((((((((   Find3M Rapport   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                2009-12-09 23:51 . 2009-02-14 15:22   --------   d-----w-   c:\programfiler\DesktopEarth
                2009-12-09 19:19 . 2006-11-03 21:07   --------   d-----w-   c:\documents and settings\HP_Eier\Programdata\Azureus
                2009-12-09 14:59 . 2009-12-09 14:59   16   ----a-w-   c:\documents and settings\HP_Eier\Programdata\fvgqad.dat
                2009-12-09 14:11 . 2005-01-02 00:02   --------   d-----w-   c:\programfiler\Java
                2009-12-08 23:29 . 2006-03-04 11:05   --------   d-----w-   c:\programfiler\Fellesfiler\Wise Installation Wizard
                2009-12-07 11:59 . 2009-12-07 11:59   16   ----a-w-   c:\documents and settings\NetworkService\Programdata\fvgqad.dat
                2009-12-07 10:13 . 2009-04-25 13:41   --------   d-----w-   c:\documents and settings\All Users\Programdata\avg8
                2009-12-07 02:42 . 2009-12-07 02:42   4   ----a-w-   c:\documents and settings\HP_Eier\Programdata\avdrn.dat
                2009-12-04 15:17 . 2005-09-24 13:51   --------   d-----w-   c:\programfiler\DivX
                2009-12-04 11:40 . 2005-01-02 00:24   --------   d--h--w-   c:\programfiler\InstallShield Installation Information
                2009-12-04 11:26 . 2008-05-10 15:56   --------   d-----w-   c:\documents and settings\HP_Eier\Programdata\Orbit
                2009-12-03 17:42 . 2009-08-22 11:38   --------   d-----w-   c:\programfiler\Fellesfiler\AVSMedia
                2009-12-03 14:15 . 2004-11-29 20:10   61348   ----a-w-   c:\windows\system32\perfc014.dat
                2009-12-03 14:15 . 2004-11-29 20:10   386354   ----a-w-   c:\windows\system32\perfh014.dat
                2009-09-25 05:59 . 2004-08-04 12:00   661504   ------w-   c:\windows\system32\wininet.dll
                2009-09-25 05:59 . 2004-08-04 12:00   81920   ----a-w-   c:\windows\system32\ieencode.dll
                2009-09-20 13:59 . 2007-08-08 15:18   17616   ----a-w-   c:\documents and settings\HP_Eier\Lokale innstillinger\Programdata\GDIPFONTCACHEV1.DAT
                2009-09-11 14:37 . 2004-08-04 12:00   133632   ----a-w-   c:\windows\system32\msv1_0.dll
                2005-09-24 14:16 . 2005-09-24 14:16   4878136   ----a-w-   c:\programfiler\Firefox Setup 1.0.7.exe
                2005-09-24 13:51 . 2005-09-24 13:51   9346144   ----a-w-   c:\programfiler\DivXCreate.exe
                2005-09-24 13:35 . 2005-09-24 13:34   9341640   ----a-w-   c:\programfiler\Install_MSN_Messenger.EXE
                2005-04-13 22:11 . 2007-03-27 16:39   53283   ----a-w-   c:\programfiler\mozilla firefox\plugins\NCScnet.dll
                2005-04-13 22:33 . 2007-03-27 16:39   1044514   ----a-w-   c:\programfiler\mozilla firefox\plugins\NCSEcw.dll
                2005-04-13 22:11 . 2007-03-27 16:39   98339   ----a-w-   c:\programfiler\mozilla firefox\plugins\NCSUtil.dll
                .

                ((((((((((((((((((((((((((((((((   Oppstartspunkter I Registeret   )))))))))))))))))))))))))))))))))))))))))))))
                .
                .
                *Merk* tomme oppføringer & gyldige standardoppføringer vises ikke 
                REGEDIT4

                [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
                "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\programfiler\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

                [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

                [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
                2009-09-02 10:58   1107200   ----a-w-   c:\programfiler\AVG\AVG8\Toolbar\IEToolbar.dll

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
                "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\programfiler\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

                [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

                [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
                "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\programfiler\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

                [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

                [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "MsnMsgr"="c:\programfiler\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "TkBellExe"="c:\programfiler\Fellesfiler\Real\Update_OB\realsched.exe  -osboot" [X]
                "SunJavaUpdateSched"="c:\programfiler\Java\jre6\bin\jusched.exe" [2009-12-09 149280]
                "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
                "HPHUPD06"="c:\programfiler\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
                "HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
                "iTunesHelper"="c:\programfiler\iTunes\iTunesHelper.exe" [2004-10-13 278528]
                "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
                "PS2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]
                "ATIPTA"="c:\programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-04 344064]
                "LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
                "Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
                "Profiler"="c:\programfiler\Saitek\Software\Profiler.exe" [2004-07-26 159744]
                "SaiSmart"="c:\programfiler\Saitek\Software\SaiSmart.exe" [2004-07-26 98304]
                "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-03 2029336]

                c:\documents and settings\Spiller\Start-meny\Programmer\Oppstart\
                PowerReg Scheduler.exe [2009-1-9 256000]

                c:\documents and settings\HP_Eier\Start-meny\Programmer\Oppstart\
                DesktopEarth AutoStart.lnk - c:\documents and settings\HP_Eier\Programdata\Microsoft\Installer\{DBA5E973-660D-4CBE-A469-F5C37FBF0CE4}\_C1A9BF9D98647632ED5172.exe [2009-2-14 29926]

                c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\
                CodeMeter Control Center.lnk - c:\programfiler\CodeMeter\Runtime\bin\CodeMeterCC.exe [2007-3-23 4984832]
                HP Digital Imaging Monitor.lnk - c:\programfiler\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-5 258048]
                WinZip Quick Pick.lnk - c:\programfiler\WinZip\WZQKPICK.EXE [2007-8-3 394856]

                [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programfiler\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

                [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                2009-09-03 13:21   548352   ----a-w-   c:\programfiler\SUPERAntiSpyware\SASWINLO.dll

                [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
                2009-08-15 09:06   11952   ----a-w-   c:\windows\system32\avgrsstx.dll

                [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                "c:\\Programfiler\\iTunes\\iTunes.exe"=
                "c:\\Programfiler\\Azureus\\Azureus.exe"=
                "c:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=

                R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [25.04.2009 14:42 335240]
                R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [25.04.2009 14:42 108552]
                R1 SASDIFSV;SASDIFSV;c:\programfiler\SUPERAntiSpyware\sasdifsv.sys [23.11.2009 08:43 9968]
                R1 SASKUTIL;SASKUTIL;c:\programfiler\SUPERAntiSpyware\SASKUTIL.SYS [23.11.2009 08:43 74480]
                R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [25.04.2009 14:42 908056]
                R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [25.04.2009 14:42 297752]
                S2 gupdate1c9b16eefa1d850;Google Update Service (gupdate1c9b16eefa1d850);c:\programfiler\Google\Update\GoogleUpdate.exe [30.03.2009 20:37 133104]
                S3 imhidusb;Immersion's HID USB Driver;c:\windows\system32\drivers\imhidusb.sys [06.01.2009 13:58 30984]
                S3 SaiH2541;SaiH2541;c:\windows\system32\drivers\SaiH2541.sys [01.05.2007 16:10 132232]
                S3 SaiHFFB5;SaiHFFB5;c:\windows\system32\drivers\SaiHFFB5.sys [06.01.2009 13:57 56576]
                S3 SASENUM;SASENUM;c:\programfiler\SUPERAntiSpyware\SASENUM.SYS [23.11.2009 08:43 7408]
                S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [03.03.2008 22:00 721904]
                .
                ------- Tilleggsskanning -------
                .
                uStart Page = hxxp://www.daemon-search.com/startpage
                uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NB_NO&c=Q105&bd=pavilion&pf=desktop
                mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NB_NO&c=Q105&bd=pavilion&pf=desktop
                IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
                IE: Open in new background tab - c:\programfiler\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/229?db7fb6bca09c413ea8f65a39ed34d332
                IE: Open in new foreground tab - c:\programfiler\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/230?db7fb6bca09c413ea8f65a39ed34d332
                FF - ProfilePath - c:\documents and settings\HP_Eier\Programdata\Mozilla\Firefox\Profiles\tzvdvu5c.default\
                FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
                FF - prefs.js: browser.search.selectedEngine - Google
                FF - prefs.js: browser.startup.homepage - hxxp://www.startsiden.no/
                FF - prefs.js: keyword.URL - hxxp://no.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_no&p=
                FF - component: c:\programfiler\AVG\AVG8\Firefox\components\avgssff.dll
                FF - component: c:\programfiler\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
                FF - component: c:\programfiler\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
                FF - component: c:\programfiler\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
                FF - component: c:\programfiler\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
                FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
                FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
                FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
                FF - plugin: c:\programfiler\DivX\DivX Plus Web Player\npdivx32.dll
                FF - plugin: c:\programfiler\Google\Google Earth\plugin\npgeplugin.dll
                FF - plugin: c:\programfiler\Google\Update\1.2.183.13\npGoogleOneClick8.dll
                FF - plugin: c:\programfiler\Mozilla Firefox\plugins\np-mswmp.dll
                FF - plugin: c:\programfiler\Mozilla Firefox\plugins\NP_NCS6.dll
                FF - plugin: c:\programfiler\Mozilla Firefox\plugins\NP_NCSPB6.dll
                FF - plugin: c:\programfiler\Mozilla Firefox\plugins\NP_NCSTB6.dll
                FF - plugin: c:\programfiler\Mozilla Firefox\plugins\npitunes.dll

                ---- FIREFOX POLICIES ----
                c:\programfiler\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
                .

                **************************************************************************

                catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                Rootkit scan 2009-12-10 02:15
                Windows 5.1.2600 Service Pack 2 NTFS

                skanner skjulte prosesser ... 

                skanner skjulte autostart-oppføringer ...

                skanner skjulte filer ... 

                skanning vellykket
                skjulte filer: 0

                **************************************************************************
                .
                --------------------- LÅSTE REGISTERNØKLER ---------------------

                [HKEY_USERS\S-1-5-21-2708978570-3192926764-780308440-1007\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
                "??"=hex:7f,c7,c7,f5,13,05,cb,ea,7f,63,78,da,c6,44,db,80,13,6a,61,40,0f,df,61,
                   0b,75,f6,1b,e5,47,3f,af,53,fc,dd,5c,e0,1d,ee,d0,9f,cc,6c,6a,e5,8a,3d,92,7f,\
                "??"=hex:9d,69,f2,3c,9c,f5,ef,9a,be,14,41,e0,7e,6a,c5,06

                [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{55F992BA-1D26-E5AF-0907C8AEF5A56624}\{F1333513-8015-AAF3-FD42BD84CFB0024A}\{F02E7673-B596-886F-5D7515D1DE7A7F98}*]
                "G2ODBCSUISDKL2GJMZO1MJ5AUG1"=hex:01,00,01,00,00,00,00,00,9d,07,c2,9d,25,58,3c,
                   a7,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

                [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{866E5309-4DE4-EC1D-5303B5015403F078}\{E4D7DA31-B59C-2F42-84703E9617E7637D}\{F8D6A80B-EA06-4220-85CE61582D500BD8}*]
                "L5OTYL4OSK54QTZWOGJWMONWTG1"=hex:01,00,01,00,00,00,00,00,4f,1a,34,b6,a9,51,c3,
                   92,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

                [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{91EC4B89-4AF2-1685-8B077627C8A43419}\{2EE609D8-52A7-5ABD-6D921F70AFC106D5}\{F0CB3253-4F19-C88D-A2C81B3BBC751916}*]
                "PK3IM51V2WPW5YOPIRJ365XEIG1"=hex:01,00,01,00,00,00,00,00,c3,a2,73,89,0b,39,ad,
                   69,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

                [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{92E364B2-3C99-8131-FA38C55A9DF469B6}\{ED083C7B-BB22-E038-94448FA9BD51D19E}\{5592BF6F-6CA4-ED79-1454C42B0B348E21}*]
                "{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,1d,0b,78,
                   dd,02,85,a5,85,f2,b9,06,f7,25,56,f6,d2,a3,91,db,fa,9b,3c,b7,a0,8f,48,60,e9,\

                [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A76448FF-EA59-23D3-98F3B9C94A7EC293}\{51B7BFF3-30C4-3859-72DBC6993BF1721D}\{60FC5D85-3D13-ED0E-8811CBE6817E353D}*]
                "L5OTYL4OSK54QTZWOGJWMONWTG1"=hex:01,00,01,00,00,00,00,00,4f,1a,34,b6,a9,51,c3,
                   92,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

                [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AD212F18-226F-19C5-6836DC0F322A8CD1}\{165CDB28-57BC-2FFB-C17032E84F1598CE}\{1D773DA2-1E07-1A59-CFCCE9D8E9744932}*]
                "PK3IM51V2WPW5YOPIRJ365XEIG1"=hex:01,00,01,00,00,00,00,00,c3,a2,73,89,0b,39,ad,
                   69,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

                [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C53C8AFE-780B-A095-1875A9D39C824CF2}\{151E6624-94D7-6041-A2A26FFA6BDDEF0C}\{8D08884B-CD31-5FF0-CA8CAC497363EFC4}*]
                "{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,1d,0b,78,
                   dd,02,85,a5,85,f2,b9,06,f7,25,56,f6,d2,a3,91,db,fa,9b,3c,b7,a0,8f,48,60,e9,\

                [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F9E7FB8A-7FC0-F5C6-C2C005BCC6E52A75}\{38D64012-6403-EA81-41E60280EAB79558}\{8D4E630B-001F-4733-DF87B943421629E7}*]
                "G2ODBCSUISDKL2GJMZO1MJ5AUG1"=hex:01,00,01,00,00,00,00,00,9d,07,c2,9d,25,58,3c,
                   a7,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
                .
                --------------------- DLL'er Lastet Av Kjørende Prosesser ---------------------

                - - - - - - - > 'winlogon.exe'(564)
                c:\programfiler\SUPERAntiSpyware\SASWINLO.dll
                c:\windows\system32\Ati2evxx.dll

                - - - - - - - > 'explorer.exe'(1440)
                c:\windows\system32\WPDShServiceObj.dll
                c:\windows\system32\PortableDeviceTypes.dll
                c:\windows\system32\PortableDeviceApi.dll
                .
                ------------------------ Andre Kjørende Prosesser ------------------------
                .
                c:\windows\system32\Ati2evxx.exe
                c:\windows\system32\Ati2evxx.exe
                c:\programfiler\Java\jre6\bin\jqs.exe
                c:\programfiler\Fellesfiler\LightScribe\LSSrvc.exe
                c:\programfiler\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
                c:\progra~1\AVG\AVG8\avgrsx.exe
                c:\progra~1\AVG\AVG8\avgnsx.exe
                c:\programfiler\AVG\AVG8\avgcsrvx.exe
                c:\windows\system32\wbem\wmiapsrv.exe
                c:\windows\system32\wscntfy.exe
                c:\windows\system32\devldr32.exe
                c:\programfiler\iPod\bin\iPodService.exe
                c:\programfiler\Fellesfiler\Real\Update_OB\realsched.exe
                c:\programfiler\DesktopEarth\DesktopEarth.exe
                c:\programfiler\Windows Live\Contacts\wlcomm.exe
                .
                **************************************************************************
                .
                Tidspunkt ferdig: 2009-12-10  02:20:06 - maskinen ble startet på nytt
                ComboFix-quarantined-files.txt  2009-12-10 01:20
                ComboFix2.txt  2009-12-09 23:54
                ComboFix3.txt  2009-12-09 18:01

                Pre-Run: 81 007 431 680 byte ledig
                Post-Run: 80 977 956 864 byte ledig

                - - End Of File - - 1A45B871D86822B559D2D29C2ABC8D38

                evilfantasy

                • Malware Removal Specialist
                • Moderator

                Re: Atapi.sys infected - Trojan Horse Packed.Protector.C
                « Reply #12 on: December 09, 2009, 07:57:00 PM »
                Open Defogger and choose Re-enable.

                How is the computer running now?

                Andrimner

                  Topic Starter


                  Re: Atapi.sys infected - Trojan Horse Packed.Protector.C
                  « Reply #13 on: December 09, 2009, 11:09:28 PM »
                  It seems to be running just fine now, thank you very much  :)

                  Andrimner

                    Topic Starter


                    Re: Atapi.sys infected - Trojan Horse Packed.Protector.C
                    « Reply #14 on: December 10, 2009, 02:52:49 AM »
                    Never mind that, AVG Resident Shield just popped up again and informed me of 4 new infections, same name, but this time in A0036939.sys which is located in C:\System Volume Information\_restore{[A whole lot of letters and numbers]}\RP502...