Lsass.exe and msiexec.exe
   

Ignorant Liz
New Member
Date Joined Sep 2008
Total Posts : 6
Posted 9-28-2008 9:05 (GMT +1)
Hi!
 
I'm new here and have a problem I hope you can solve:
 
Last night, Norton warned me that lsass.exe had been changed, so I stopped what I was doing and searched the web. Apparently there's a trojan which calls itself isass.exe which can replace Lsass.exe, and this seemed to be the case here (I found such a file).
 
So I went to download a program to destroy it, but Norton then told me that msiexec.exe had been changed, too. I checked and found that an msiexec had appeared yesterday in a folder called Windows/prefetch.
 
This seems like bad news: If I try to download a program, I'll need the msiexec-file, and it will then infect my comp more, right?
 
So, I'm completely lost, being not at all computer-savvy.
 
Help, please?
 
Liz
 
PS: Forgot to say, I've got Windows XP with SP3 (on automatic update), Norton Firewall and use Internet Explorer.
 
Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 16319
Posted 9-28-2008 12:33 (GMT +1)
Hello
 
 
Try this ->
 
Please download Malwarebytes' Anti-Malware:
 
Or here:
 
 to your desktop.
 
Double-click mbam-setup.exe and follow the prompts to install the program.

At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform full scan, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.
 
Be sure that everything is checked, and click Remove Selected.
 
When completed, a log will open in Notepad. Please save it to a convenient location.
 
Copy and paste that log into your next reply, along with a fresh HijackThis log.
 
 
NB: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
 


Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.

Ignorant Liz
New Member
Date Joined Sep 2008
Total Posts : 6
Posted 9-28-2008 5:02 (GMT +1)
Well ... as far as I can tell, everything seems to be OK ... I hope I'm right about that!
Here's the Malwarebytes log:
Malwarebytes' Anti-Malware 1.28
Database version: 1134
Windows 5.1.2600 Service Pack 3
28-09-2008 17:49:26
mbam-log-2008-09-28 (17-49-26).txt
Skan type: Fuldstændig skanning (C:\|)
Objekter skannet: 208828
Tid tilbagelagt: 36 minute(s), 46 second(s)
 Inficerede Hukommelses Processer: 0
 Inficerede Hukommelses Moduler: 0
 Inficerede Registeringsdatabase Nøgler: 0
Inficerede Registeringsdatabase Værdier: 0
Inficerede Registeringsdatabase Filer: 0
Inficerede Mapper: 0
Inficerede Filer: 0
 Inficerede Hukommelses Processer:
(Ingen mistænkelige filer fundet)
 Inficerede Hukommelses Moduler:
(Ingen mistænkelige filer fundet)
 Inficerede Registeringsdatabase Nøgler:
(Ingen mistænkelige filer fundet)
Inficerede Registeringsdatabase Værdier:
(Ingen mistænkelige filer fundet)
Inficerede Registeringsdatabase Filer:
(Ingen mistænkelige filer fundet)
Inficerede Mapper:
(Ingen mistænkelige filer fundet)
Inficerede Filer:
(Ingen mistænkelige filer fundet)

And here's the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 17:55:29, on 28-09-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programmer\BTNtService.exe
C:\Programmer\Fælles filer\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxdpcoms.exe
C:\Norman\Npf\BIN\NPFSVICE.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmer\StartSkysolSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Norman\Npm\bin\NJEEVES.EXE
C:\Norman\nse\bin\NSESVC.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Norman\Npm\bin\ZLH.EXE
C:\Programmer\Lexmark Z2300 Series\lxdpmon.exe
C:\Programmer\Lexmark Z2300 Series\ezprint.exe
C:\Programmer\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe
C:\Programmer\Uniblue\SpyEraser\SpyEraser.exe
C:\Programmer\Windows Desktop Search\WindowsSearch.exe
C:\Programmer\Microsoft Office\Office12\ONENOTEM.EXE
C:\Programmer\Fælles filer\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programmer\Yahoo!\Messenger\ymsgr_tray.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMIndexingService.exe
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Npf\BIN\npfmsg2.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Documents and Settings\bruger\Dokumenter\Modtagne filer\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.dk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programmer\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Hjælp til tilmelding til Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Norman\Npm\bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmer\Fælles filer\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [lxdpmon.exe] "C:\Programmer\Lexmark Z2300 Series\lxdpmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Programmer\Lexmark Z2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Programmer\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Programmer\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - Startup: Screen Clipper and Launcher til OneNote 2007.lnk = C:\Programmer\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Windows-pc-søgning.lnk = C:\Programmer\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Programmer\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog det - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmer\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog det i Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmer\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programmer\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.adesk.dk
O15 - Trusted Zone: www.bec.dk
O15 - Trusted Zone: http://www.legolasfiction.proboards86.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Programmer\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://lissa-and-the-elves.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programmer\Fælles filer\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\WINDOWS\system32\Skype4COM.dll
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programmer\Windows Live\Mail\mailcomm.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\FLLESF~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Programmer\BTNtService.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmer\Fælles filer\LightScribe\LSSrvc.exe
O23 - Service: lxdp_device -   - C:\WINDOWS\system32\lxdpcoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmer\Fælles filer\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norman NJeeves - Norman ASA - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Npf\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Scanner Engine Service (nsesvc) - Unknown owner - C:\Norman\nse\bin\NSESVC.EXE" -daemon (file missing)
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Start BT in service - Unknown owner - C:\Programmer\StartSkysolSvc.exe


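The first post describes a look-alike "isass.exe" standing in for lsass.exe and an msiexec file appearing under Windows\prefetch, and the HijackThis log above lists every running process with its full path. As an added example (not part of this thread and not one of the tools the moderator recommends), this Python script parses such a "Running processes" section and applies the two checks a defender would want here: a core Windows process image running outside the directory Windows installs it in, and a name within one edit of a core process name once look-alike characters (i/1/| for l, 0 for o) are normalised. The sample input is a shortened copy of the log above plus two constructed entries, marked as such in the code, that trigger both checks.

```python
"""Flag masquerading system processes in a HijackThis 'Running processes'
listing.  Added example for this thread; not part of HijackThis, MBAM or
ComboFix.  Check 1: a core Windows image running outside the directory it is
installed in.  Check 2: an image name one edit away from a core name once
look-alike characters are normalised (isass.exe -> lsass.exe, svch0st.exe)."""
import re

# Core XP process names and the directory, relative to the Windows root,
# that each is installed in ("" = the Windows directory itself).
CORE_PROCESSES = {
    "smss.exe": "system32", "csrss.exe": "system32", "winlogon.exe": "system32",
    "services.exe": "system32", "lsass.exe": "system32", "svchost.exe": "system32",
    "spoolsv.exe": "system32", "alg.exe": "system32", "msiexec.exe": "system32",
    "explorer.exe": "",
}
# Characters commonly swapped in for a visually similar letter.
HOMOGLYPHS = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o", "5": "s", "3": "e"})


def edit_distance(a, b):
    """Optimal string alignment distance (insert/delete/substitute/transpose)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def running_processes(log_text):
    """Image paths under 'Running processes:'; the section ends at the first
    blank line or HijackThis entry such as 'R1 - ' or 'O2 - '."""
    paths, collecting = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            collecting = True
        elif collecting:
            if not line or re.match(r"^[RFNO]\d+ - ", line):
                break
            paths.append(line)
    return paths


def split_path(path):
    """(directory relative to the Windows root, file name), both lower-case.
    Paths not under a WINDOWS or WINNT root get None as the directory."""
    parts = path.lower().split("\\")
    dirs, name = parts[1:-1], parts[-1]  # drop the drive letter
    if dirs and dirs[0] in ("windows", "winnt"):
        return "\\".join(dirs[1:]), name
    return None, name


def check_process(path):
    """Findings (strings) for one image path; empty list if nothing is odd."""
    rel_dir, name = split_path(path)
    if name in CORE_PROCESSES:  # genuine name: only its location is checked
        if rel_dir != CORE_PROCESSES[name]:
            return [f"core process {name} running from unexpected location: {path}"]
        return []
    norm = name.translate(HOMOGLYPHS)
    for core in CORE_PROCESSES:
        if norm == core.translate(HOMOGLYPHS) or edit_distance(name, core) <= 1:
            return [f"look-alike of {core}: {path}"]
    return []


def analyze(log_text):
    """Run both checks over every listed process and return all findings."""
    return [f for p in running_processes(log_text) for f in check_process(p)]


# Shortened copy of the thread's HijackThis 'Running processes' section plus
# two CONSTRUCTED entries (not in the real log): the look-alike the first post
# describes, and msiexec.exe under Prefetch, a folder that normally holds only
# .pf trace files and never executables.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\bruger\Dokumenter\Modtagne filer\hijackthis\HijackThis.exe
C:\WINDOWS\system32\isass.exe
C:\WINDOWS\Prefetch\msiexec.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.dk
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

A genuine lsass.exe in system32 produces no finding, so the check only fires on the two constructed entries; on a real log it should be read as a shortlist for manual review, since third-party software with short names can sit one edit from a core name.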
 

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 16319
Posted 9-29-2008 6:59 (GMT +1)
Ahh, a Danish-speaking computer. Shall we continue in Danish?


Ignorant Liz
New Member
Date Joined Sep 2008
Total Posts : 6
Posted 9-29-2008 9:01 (GMT +1)
lol - yes, let's do that. I did see in your profile that you were Danish, but I wasn't sure whether there were also other, non-Danish-speaking mods. :-)

What do you think: is there something wrong?

(And could that possibly be the explanation for why I regularly get thrown off some forums and have to log in again - or is that a completely different problem?)
Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 16319
Posted 9-29-2008 9:29 (GMT +1)
To be honest, right now I don't know what's wrong, but run a couple more programs -

Download and install CCleaner here: http://www.filehippo.com/download_ccleaner.html
Click [b]Download Latest Version[/b]

Remove the checkmark next to - [b]Install Yahoo toolbar[/b]

When you open the program for the first time, all the boxes will be checked.
If you want to keep cookies, you can uncheck that box.

Click Run Cleaner to clean your computer.

You will now get a warning that these files will be deleted permanently from your system, asking whether you want to continue. Click OK to say yes. Check -> Do not show me this message again.

Restart.

Download ComboFix and save it to your desktop:


[b][red]Important->[/red] Disable your antivirus/antispyware program[/b], as it/they can "interfere" and conflict with ComboFix or remove important ComboFix files, which can make the computer freeze.

Then run combofix.exe and follow the instructions.

[b]You should not click on the window while the tool is running, as it can make your computer freeze.[/b]

When ComboFix is finished, and after it has (possibly) restarted, a log file should open: combofix.txt
You are welcome to post the contents of that file here.

It can also be found here -> C:\combofix.txt


Ignorant Liz
New Member
Date Joined Sep 2008
Total Posts : 6
Posted 9-29-2008 6:27 (GMT +1)
OK - I've done that. Here's the log - that warning looks threatening, I think:
ComboFix 08-09-28.01 - bruger 2008-09-29 19:05:54.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.45.1030.18.1449 [GMT 2:00]
Running from: C:\Documents and Settings\bruger\Skrivebord\ComboFix.exe
 * Created a new restore point
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Andre\Cookies\andre@dk.msn[1].txt
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NSESVC
-------\Service_nsesvc

(((((((((((((((((((((((((   Files Created from 2008-08-28 to 2008-09-29  )))))))))))))))))))))))))))))))
.
2008-09-29 18:38 . 2008-09-29 18:38 <DIR> d-------- C:\Programmer\CCleaner
2008-09-28 17:07 . 2008-09-28 17:08 <DIR> d-------- C:\Programmer\Malwarebytes' Anti-Malware
2008-09-28 17:07 . 2008-09-28 17:07 <DIR> d-------- C:\Documents and Settings\bruger\Application Data\Malwarebytes
2008-09-28 17:07 . 2008-09-28 17:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-28 17:07 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-28 17:07 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-28 16:36 . 2008-09-28 16:46 901,230,592 --------- C:\Backup Sep 2008.bkf
2008-09-27 20:50 . 2008-09-27 20:50 <DIR> d-------- C:\Documents and Settings\bruger\Application Data\Uniblue
2008-09-27 20:50 . 2008-09-27 20:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-09-27 20:50 . 2008-08-25 15:44 20,232 --a------ C:\WINDOWS\system32\AntiSpyNative64.exe
2008-09-27 20:50 . 2008-08-25 15:44 16,648 --a------ C:\WINDOWS\system32\AntiSpyNative32.exe
2008-09-27 20:49 . 2008-09-27 20:49 <DIR> d-------- C:\Programmer\Uniblue
2008-09-06 11:39 . 2008-09-06 11:39 <DIR> d-------- C:\WINDOWS\system32\da
2008-09-06 11:39 . 2008-09-06 11:39 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-06 11:39 . 2008-09-06 11:39 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-06 11:38 . 2008-09-06 11:38 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-06 11:14 . 2004-08-26 17:48 701,440 --------- C:\WINDOWS\system32\drivers\ati2mtag.sys
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-29 17:12 5 ----a-w C:\NPF_USER.DAT
2008-09-28 15:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\NPF
2008-09-28 06:59 --------- d-----w C:\Programmer\Java
2008-09-10 20:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-10 20:29 22,010 ----a-w C:\Programmer\bttl.ini
2008-09-02 10:48 19,512 ----a-w C:\WINDOWS\system32\drivers\nvcw32mf.sys
2008-08-08 15:10 --------- d-----w C:\Documents and Settings\bruger\Application Data\Ahead
2008-08-01 19:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bluetooth
2008-08-01 19:32 91 ----a-w C:\Programmer\IM.ini
2008-08-01 19:32 1,450 ----a-w C:\Programmer\smwithonly.inf
2008-08-01 19:32 --------- d-----w C:\Programmer\driver
2008-08-01 19:32 --------- d-----w C:\Programmer\device
2008-07-18 18:39 586,752 ----a-w C:\WINDOWS\WLXPGSS.SCR
2007-09-30 07:19 24,576 ----a-w C:\Programmer\InstRes.dll
2007-09-30 07:18 299,101 ----a-w C:\Programmer\btpcfg.dll
2007-09-30 07:16 691,720 ----a-w C:\Programmer\BlueSoleil.exe
2007-09-30 07:16 51,816 ----a-w C:\Programmer\StartSkysolSvc.exe
2007-09-30 07:16 43,608 ----a-w C:\Programmer\gprs.exe
2007-09-30 07:16 41,049 ----a-w C:\Programmer\SkypeAgent.dll
2007-09-30 07:16 2,330,624 ----a-w C:\Programmer\btpres.dll
2007-09-30 07:16 166,520 ----a-w C:\Programmer\BTNtService.exe
2007-09-30 07:16 138,328 ----a-w C:\Programmer\BlueSoleil VoIP Plugin.exe
2007-09-30 07:15 57,425 ----a-w C:\Programmer\btfunc.dll
2007-09-30 07:15 258,140 ----a-w C:\Programmer\outlookAddin.dll
2007-09-30 07:15 106,573 ----a-w C:\Programmer\setup.dll
2007-09-30 07:14 28,753 ----a-w C:\Programmer\PlayerCtrl.dll
2007-09-30 07:14 131,151 ----a-w C:\Programmer\btwin.dll
2007-09-30 07:14 110,665 ----a-w C:\Programmer\versit.dll
2007-08-06 15:58 65,536 ----a-w C:\Programmer\BsVistaCommon.dll
2007-01-12 18:22 51,984 ----a-w C:\Programmer\hid2hci.exe
2006-06-23 14:38 24,576 ----a-w C:\Programmer\iTunesCtrl.dll
2006-04-14 06:28 28,672 ----a-w C:\Programmer\hcicmd.dll
2005-10-28 15:36 317 ----a-w C:\Programmer\btav.ini
2005-05-31 08:17 89,640 ----a-w C:\Programmer\Config.dat
2004-08-11 15:35 625,014 ----a-w C:\Programmer\back.bmp
2004-08-04 11:41 3,638 ----a-w C:\Programmer\bluetooth.ico
2004-05-04 09:53 1,645,320 ----a-w C:\Programmer\GdiPlus.dll
2003-01-23 07:01 1,429 ----a-w C:\Programmer\smwithoutonly.inf
2002-11-29 10:14 2,238 ----a-w C:\Programmer\pan.ico
2002-11-05 06:50 1,078 ----a-w C:\Programmer\hid_mouse.ico
2002-10-11 07:38 64 ----a-w C:\Programmer\Config.ini
2002-08-30 15:52 766 ----a-w C:\Programmer\dun.ico
2000-02-02 12:47 1,348,368 ----a-w C:\Programmer\BlueSoleil.chm
1999-08-30 21:19 2,238 ----a-w C:\Programmer\av.ico
1998-06-16 07:00 401,462 ----a-w C:\Programmer\Msvcp60.dll
2008-03-07 13:39 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Lokale indstillinger\Application Data\Microsoft\Feeds Cache\index.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"Yahoo! Pager"="C:\Programmer\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 8466432]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 81920]
"LXSUPMON"="C:\WINDOWS\system32\LXSUPMON.EXE" [2001-10-09 818176]
"Norman ZANDA"="C:\Norman\Npm\bin\ZLH.EXE" [2008-06-02 273520]
"Adobe Reader Speed Launcher"="C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"lxdpmon.exe"="C:\Programmer\Lexmark Z2300 Series\lxdpmon.exe" [2008-03-27 656040]
"EzPrint"="C:\Programmer\Lexmark Z2300 Series\ezprint.exe" [2008-03-27 107176]
"SunJavaUpdateSched"="C:\Programmer\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-16 C:\WINDOWS\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2007-06-29 C:\WINDOWS\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]
C:\Documents and Settings\bruger\Menuen Start\Programmer\Start\
Screen Clipper and Launcher til OneNote 2007.lnk - C:\Programmer\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]
C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\
Windows-pc-s›gning.lnk - C:\Programmer\Windows Desktop Search\WindowsSearch.exe [2007-02-05 118784]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Programmer\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programmer\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Programmer\\Messenger\\msmsgs.exe"=
"C:\\Programmer\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Programmer\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\system32\\lxdpcoms.exe"=
"C:\\Programmer\\Lexmark Z2300 Series\\lxdpmon.exe"=
"C:\\Programmer\\BlueSoleil.exe"=
"C:\\Programmer\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programmer\\Windows Live\\Messenger\\livecall.exe"=
R0 NDIS_RD;Firewall Engine Type-R2;C:\WINDOWS\system32\drivers\NDIS_RD.sys [2004-12-06 53320]
R1 TDI_RD;Firewall Engine Type-R;C:\WINDOWS\system32\drivers\tdi_rd.sys [2004-10-14 32176]
R2 lxdp_device;lxdp_device;C:\WINDOWS\system32\lxdpcoms.exe [2008-02-27 594600]
R2 Ndiskio;Ndiskio;C:\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 20448]
R2 Start BT in service;Start BT in service;C:\Programmer\StartSkysolSvc.exe [2007-09-30 51816]
R3 NVCScheduler;Norman Virus Control Scheduler;C:\Norman\Nvc\BIN\NVCSCHED.EXE [2008-03-11 146488]
S3 nvcfsr;nvcfsr;C:\Norman\Nvc\bin\nvcfsr.sys [2007-01-09 6712]
S3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2008-09-02 19512]
S3 nvcoafl51;nvcoafl51;C:\Norman\Nvc\bin\nvcoafl51.sys [2007-01-09 30264]
S3 nvcoaft51;nvcoaft51;C:\Norman\Nvc\bin\nvcoaft51.sys [2007-01-09 129848]
S3 nvcoarc51;nvcoarc51;C:\Norman\Nvc\bin\nvcoarc51.sys [2007-01-09 23224]
S3 nvcoas;Norman Virus Control on-access component;C:\Norman\Nvc\bin\nvcoas.exe [2008-04-29 183352]
S4 adp3132;adp3132;C:\WINDOWS\system32\DRIVERS\adp3132.sys [2007-07-09 313856]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe
HKLM-Run-NeroFilterCheck - C:\Programmer\Fælles filer\Ahead\Lib\NeroCheck.exe

.
------- Supplementary Scan -------
.
O8 -: &Windows Live Search - C:\Programmer\Windows Live Toolbar\msntb.dll/search.htm
O8 -: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 -: E&ksporter til Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O15 -: Trusted Zone: www.bec.dk
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-29 19:12:41
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Norman\npm\bin\elogsvc.exe
C:\Norman\npm\bin\Zanda.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programmer\BTNtService.exe
C:\Programmer\Fælles filer\LightScribe\LSSrvc.exe
C:\Norman\Npf\Bin\Npfsvice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\searchindexer.exe
C:\Norman\npm\bin\Njeeves.exe
C:\WINDOWS\system32\searchprotocolhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Norman\NVC\Bin\Nip.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMIndexStoreSvr.exe
C:\Norman\Npf\Bin\Npfmsg2.exe
C:\Programmer\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\searchfilterhost.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-09-29 19:17:50 - machine was rebooted
ComboFix-quarantined-files.txt  2008-09-29 17:17:47
Pre-Run: 226.703.536.128 byte ledig
Post-Run: 226,868,326,400 byte ledig
192 --- E O F --- 2008-09-10 20:31:46


By the way, I also just ran something called SpyEraser (Uniblue), which reported the following:
MALWARE:
C:\windows \readme.exe
C:\gamle harddiske\ibmvol (e)\windows\menuen start\programmer\quicktime for windows\read me.lnk
TROJAN:
C:\windows\i386\explorer.ex_
Don't know if that's any help ...

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 16319
Posted 10-1-2008 6:34 (GMT +1)
There are no infections to be seen, and those SpyEraser results are false positives. So tell me how things are going with your problems?


Ignorant Liz
New Member
Date Joined Sep 2008
Total Posts : 6
Posted 10-1-2008 7:31 (GMT +1)
I haven't had any more error messages, so dare I hope it's running? That would be great!

But do you know what this means:

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
That sounds a little unpleasant ...

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 16319
Posted 10-2-2008 2:45 (GMT +1)
That sounds good.

That warning doesn't mean anything in your case. The RECOVERY CONSOLE is only needed if there are infected files that can't be fixed the "normal" way, e.g. if some system files have been overwritten/infected.


Ignorant Liz
New Member
Date Joined Sep 2008
Total Posts : 6
Posted 10-2-2008 6:06 (GMT +1)
Brilliant! It's great that you can ask here - I was completely lost.

So thank you very much for the help!

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 16319
Posted 10-3-2008 3:37 (GMT +1)
You're always welcome, and my pleasure.

I'm closing again, but you know the address.

