View Full Version : still altnet



Bucepahlus
2008-05-19, 23:07
This continues this old thread. (http://forums.spybot.info/showthread.php?t=27694&page=2) I haven't been able to give a response in time due to a lot of work. Sorry about that.

Here is a fresh HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:53:12, on 19.05.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programfiler\DLink\Bluetooth-programvare\bin\btwdins.exe
C:\Norman\Npf\BIN\NPFSVICE.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\NJEEVES.EXE
C:\WINDOWS\System32\alg.exe
C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe
C:\Norman\Npm\bin\ZLH.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Norman\Npf\BIN\npfmsg2.exe
C:\Programfiler\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Nvc\bin\cclaw.exe
C:\Programfiler\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Norman\Npm\bin\ZLH.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Npf\BIN\npfmsg2.exe
C:\Norman\Nvc\bin\cclaw.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spray.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-21-117609710-2139871995-839522115-1005\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Christer')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send til &Bluetooth - C:\Programfiler\DLink\Bluetooth-programvare\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programfiler\DLink\Bluetooth-programvare\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programfiler\DLink\Bluetooth-programvare\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by134fd.bay134.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5CD4310E-88FB-43C1-BE24-5F3FA9C5C9D1} (KooPlayer Control) - http://www.euchannels.net/KooPlayer.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171581406062
O16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://www.euchannels.net/UKooPlayer.ocx
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{138A474E-ECE7-4B26-86B3-E91ABFF8C499}: NameServer = 62.97.193.3,62.97.193.54
O17 - HKLM\System\CS2\Services\Tcpip\..\{138A474E-ECE7-4B26-86B3-E91ABFF8C499}: NameServer = 62.97.193.3,62.97.193.54
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programfiler\DLink\Bluetooth-programvare\bin\btwdins.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Npf\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 8461 bytes

----
In the last post on May 10th you ask what program finds Altnet in the registry:
Spybot does:


--- Search result list ---
Altnet: [SBI $2F41B249] Oppsett (Registernøkkel, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Altnet

WebTrends live: Sporer cookie (Internet Explorer: Øystein) (Cookie, nothing done)


DoubleClick: Sporer cookie (Firefox: default) (Cookie, nothing done)


HitBox: Sporer cookie (Firefox: default) (Cookie, nothing done)


HitBox: Sporer cookie (Firefox: default) (Cookie, nothing done)


HitBox: Sporer cookie (Firefox: default) (Cookie, nothing done)


Tradedoubler: Sporer cookie (Firefox: default) (Cookie, nothing done)


Tradedoubler: Sporer cookie (Firefox: default) (Cookie, nothing done)


WebTrends live: Sporer cookie (Firefox: default) (Cookie, nothing done)


Log: Shutdown: System32\wbem\logs\wbemess.log (Backup fil, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.log

Internet Explorer: [SBI $1E8157BE] Typed URL list (2 filer) (Registernøkkel, nothing done)
HKEY_USERS\S-1-5-21-117609710-2139871995-839522115-1004\Software\Microsoft\Internet Explorer\TypedURLs

Internet Explorer: [SBI $1E8157BE] Typed URL list (8 filer) (Registernøkkel, nothing done)
HKEY_USERS\S-1-5-21-117609710-2139871995-839522115-1005\Software\Microsoft\Internet Explorer\TypedURLs

MS Direct3D: [SBI $7FB7B83F] Most recent application (Registerendring, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name

MS DirectDraw: [SBI $EB49D5AF] Most recent application (Registerendring, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name

MS Office 10.0 (Word): [SBI $51FE086C] Recently used documents list (Registerverdi, nothing done)
HKEY_USERS\S-1-5-21-117609710-2139871995-839522115-1005\Software\Microsoft\Office\10.0\Word\Data\Settings

Windows Explorer: [SBI $2026AFB6] User Assistant history IE (1 filer) (Registernøkkel, nothing done)
HKEY_USERS\S-1-5-21-117609710-2139871995-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Explorer: [SBI $2026AFB6] User Assistant history IE (1 filer) (Registernøkkel, nothing done)
HKEY_USERS\S-1-5-21-117609710-2139871995-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Explorer: [SBI $6107D172] User Assistant history files (17 filer) (Registernøkkel, nothing done)
HKEY_USERS\S-1-5-21-117609710-2139871995-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: [SBI $6107D172] User Assistant history files (13 filer) (Registernøkkel, nothing done)
HKEY_USERS\S-1-5-21-117609710-2139871995-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registernøkkel, nothing done)
HKEY_USERS\S-1-5-21-117609710-2139871995-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Windows Media SDK: [SBI $37AAEDE6] Computer name (Registerendring, nothing done)
HKEY_USERS\S-1-5-21-117609710-2139871995-839522115-1004\Software\Microsoft\Windows Media\WMSDK\General\ComputerName

Windows Media SDK: [SBI $37AAEDE6] Computer name (Registerendring, nothing done)
HKEY_USERS\S-1-5-21-117609710-2139871995-839522115-1005\Software\Microsoft\Windows Media\WMSDK\General\ComputerName

Windows Media SDK: [SBI $CAA58B6E] Unique ID (Registerendring, nothing done)
HKEY_USERS\S-1-5-21-117609710-2139871995-839522115-1004\Software\Microsoft\Windows Media\WMSDK\General\UniqueID

Windows Media SDK: [SBI $CAA58B6E] Unique ID (Registerendring, nothing done)
HKEY_USERS\S-1-5-21-117609710-2139871995-839522115-1005\Software\Microsoft\Windows Media\WMSDK\General\UniqueID

Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registerverdi, nothing done)
HKEY_USERS\S-1-5-21-117609710-2139871995-839522115-1004\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registerverdi, nothing done)
HKEY_USERS\S-1-5-21-117609710-2139871995-839522115-1005\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Cookie: Cookie (9) (Cookie, nothing done)


Cache: Cache (1071) (Cache, nothing done)


History: Historie (15) (Historie, nothing done)


Cookie: Cookie (110) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2007-04-04 unins000.exe (51.41.0.0)
2008-05-02 unins001.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2008-04-16 Includes\Adware.sbi (*)
2008-05-14 Includes\AdwareC.sbi (*)
2008-05-14 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-05-14 Includes\DialerC.sbi (*)
2008-05-14 Includes\HeavyDuty.sbi (*)
2008-04-30 Includes\Hijackers.sbi (*)
2008-05-14 Includes\HijackersC.sbi (*)
2008-04-30 Includes\Keyloggers.sbi (*)
2008-05-14 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-04-22 Includes\Malware.sbi (*)
2008-05-14 Includes\MalwareC.sbi (*)
2008-03-26 Includes\PUPS.sbi (*)
2008-05-14 Includes\PUPSC.sbi (*)
2008-05-14 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-05-14 Includes\SecurityC.sbi (*)
2008-04-16 Includes\Spybots.sbi (*)
2008-05-14 Includes\SpybotsC.sbi (*)
2008-04-16 Includes\Spyware.sbi (*)
2008-05-14 Includes\SpywareC.sbi (*)
2007-11-06 Includes\Tracks.uti (*)
2008-04-30 Includes\Trojans.sbi (*)
2008-05-14 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll



--- System information ---
Windows XP (Build: 2600) Service Pack 2 (5.1.2600)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB928366)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ DataAccess: Microsoft Data Access Components KB870669
/ DataAccess: Security update for Microsoft Data Access Components
/ DataAccess: Security Update for Microsoft Data Access Components
/ Internet Explorer 6 / SP1: Windows XP hurtigreparasjon - KB918439
/ Internet Explorer 6 / SP1: Windows XP hurtigreparasjon - KB918899
/ Internet Explorer 6 / SP1: Windows XP hurtigreparasjon - KB925486
/ MSXML4SP2: FIX: ASP stops responding when calling Response.Redirect to another server using msxml4 sp2
/ MSXML4SP2: Security update for MSXML4 SP2 (KB936181)
/ Outlook Express 6 / SP1: Windows XP hurtigreparasjon - KB911567
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Format 11 SDK: Hotfix for Windows Media Format 11 SDK (KB929399)
/ Windows Media Player: Hurtigreparasjon for Windows Media Player [Se Q828026 hvis du vil ha mer informasjon]
/ Windows Media Player / SP0: Hurtigreparasjon for Windows Media Player [Se wm828026 hvis du vil ha mer informasjon]
/ Windows Media Player: Windows Media Update 817787
/ Windows Media Player: Windows Media Update 828026
/ Windows Media Player 11: Sikkerhetsoppdatering for Windows Media Player 11 (KB936782)
/ Windows Media Player 11: Hurtigreparasjon for Windows Media Player 11 (KB939683)
/ Windows Media Player 6.4: Sikkerhetsoppdatering for Windows Media Player 6.4 (KB925398)
/ Windows Media Player 9: Sikkerhetsoppdatering for Windows Media Player 9 (KB917734)
/ Windows XP: Sikkerhetsoppdatering for Windows XP (KB923689)
/ Windows XP: Sikkerhetsoppdatering for Windows XP (KB941569)
/ Windows XP / SP0: Sikkerhetsoppdatering for Windows Internet Explorer 7 (KB928090)
/ Windows XP / SP0: Sikkerhetsoppdatering for Windows Internet Explorer 7 (KB929969)
/ Windows XP / SP0: Sikkerhetsoppdatering for Windows Internet Explorer 7 (KB931768)
/ Windows XP / SP0: Sikkerhetsoppdatering for Windows Internet Explorer 7 (KB933566)
/ Windows XP / SP0: Sikkerhetsoppdatering for Windows Internet Explorer 7 (KB937143)
/ Windows XP / SP0: Sikkerhetsoppdatering for Windows Internet Explorer 7 (KB938127)
/ Windows XP / SP0: Sikkerhetsoppdatering for Windows Internet Explorer 7 (KB939653)
/ Windows XP / SP0: Sikkerhetsoppdatering for Windows Internet Explorer 7 (KB942615)
/ Windows XP / SP0: Sikkerhetsoppdatering for Windows Internet Explorer 7 (KB944533)
/ Windows XP / SP0: Hurtigreparasjon for Windows Internet Explorer 7 (KB947864)
/ Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP hurtigreparasjon - KB873339
/ Windows XP / SP3: Windows XP hurtigreparasjon - KB885835
/ Windows XP / SP3: Windows XP hurtigreparasjon - KB885836
/ Windows XP / SP3: Windows XP hurtigreparasjon - KB885884
/ Windows XP / SP3: Windows XP hurtigreparasjon - KB886185
/ Windows XP / SP3: Windows XP hurtigreparasjon - KB887472
/ Windows XP / SP3: Windows XP hurtigreparasjon - KB888302
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB890046)
/ Windows XP / SP3: Windows XP hurtigreparasjon - KB890859
/ Windows XP / SP3: Windows XP hurtigreparasjon - KB891781
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB896358)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB896423)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB896424)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB896428)
/ Windows XP / SP3: Oppdatering for Windows XP (KB898461)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB899587)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB899591)
/ Windows XP / SP3: Oppdatering for Windows XP (KB900485)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB900725)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB901017)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB901190)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB901214)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB902400)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB904706)
/ Windows XP / SP3: Oppdatering for Windows XP (KB904942)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB905414)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB905749)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB908519)
/ Windows XP / SP3: Oppdatering for Windows XP (KB908531)
/ Windows XP / SP3: Oppdatering for Windows XP (KB910437)
/ Windows XP / SP3: Oppdatering for Windows XP (KB911280)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB911562)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB911927)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB912919)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB913580)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB914388)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB914389)
/ Windows XP / SP3: Hurtigreparasjon for Windows XP (KB914440)
/ Windows XP / SP3: Hotfix for Windows XP (KB915865)
/ Windows XP / SP3: Oppdatering for Windows XP (KB916595)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB917344)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB917422)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB917953)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB918118)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB919007)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB920213)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB920670)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB920683)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB920685)
/ Windows XP / SP3: Oppdatering for Windows XP (KB920872)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB921398)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB921503)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB921883)
/ Windows XP / SP3: Oppdatering for Windows XP (KB922582)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB922616)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB922819)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB923191)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB923414)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB923694)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB923980)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB924191)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB924270)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB924496)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB924667)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB925902)
/ Windows XP / SP3: Hotfix for Windows XP (KB926239)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB926255)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB926436)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB927779)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB927802)
/ Windows XP / SP3: Oppdatering for Windows XP (KB927891)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB928090)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB928255)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB928843)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB929123)
/ Windows XP / SP3: Oppdatering for Windows XP (KB929338)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB929969)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB930178)
/ Windows XP / SP3: Oppdatering for Windows XP (KB930916)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB931261)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB931784)
/ Windows XP / SP3: Oppdatering for Windows XP (KB931836)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB932168)
/ Windows XP / SP3: Oppdatering for Windows XP (KB933360)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB933729)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB935839)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB935840)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB936021)
/ Windows XP / SP3: Oppdatering for Windows XP (KB936357)
/ Windows XP / SP3: Oppdatering for Windows XP (KB938828)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB938829)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB941202)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB941568)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB941644)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB941693)
/ Windows XP / SP3: Oppdatering for Windows XP (KB942763)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB943055)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB943460)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB943485)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB944653)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB945553)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB946026)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB948590)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB948881)
/ Windows XP / SP3: Sikkerhetsoppdatering for Windows XP (KB950749)


--- Startup entries list ---
Located: HK_LM:Run, Norman ZANDA
command: C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
file: C:\Norman\Npm\bin\ZLH.EXE
size: 183352
MD5: 15B04067A0830DC1BB7756401B061799

Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe"
file: C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe
size: 144784
MD5: 836DC47E6CAD975304D1D3EB2F516A1C

Located: HK_LM:Run, CARPService (DISABLED)
command: carpserv.exe
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, QuickTime Task (DISABLED)
command: "C:\Programfiler\QuickTime\qttask.exe" -atboottime
file: C:\Programfiler\QuickTime\qttask.exe
size: 282624
MD5: 7FBE43046EFDF24FC9375024E4D02AC9

Located: HK_CU:Run, CTFMON.EXE
where: .DEFAULT...
command: C:\WINDOWS\System32\CTFMON.EXE
file: C:\WINDOWS\System32\CTFMON.EXE
size: 15360
MD5: DDC0E7A20F0F77BEC5108C265C4AE435

Located: HK_CU:Run, CTFMON.EXE
where: PE_C_ADMIN...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: DDC0E7A20F0F77BEC5108C265C4AE435

Located: HK_CU:Run, msnmsgr
where: PE_C_ADMIN...
command: "C:\Programfiler\MSN Messenger\msnmsgr.exe" /background
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, CTFMON.EXE
where: PE_C_ADMINISTRATOR.MUSHROOM...
command: C:\WINDOWS\System32\CTFMON.EXE
file: C:\WINDOWS\System32\CTFMON.EXE
size: 15360
MD5: DDC0E7A20F0F77BEC5108C265C4AE435

Located: HK_CU:Run, CTFMON.EXE
where: PE_C_GJEST...
command: C:\WINDOWS\System32\ctfmon.exe
file: C:\WINDOWS\System32\ctfmon.exe
size: 15360
MD5: DDC0E7A20F0F77BEC5108C265C4AE435

Located: HK_CU:Run, MessengerPlus2
where: PE_C_GJEST...
command: "C:\Programfiler\Messenger Plus! 2\MsgPlus1.exe" /WinStart
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, MSMSGS
where: PE_C_GJEST...
command: "C:\Programfiler\Messenger\msmsgs.exe" /background
file: C:\Programfiler\Messenger\msmsgs.exe
size: 1694208
MD5: 74E6E96C6F0E2ECA4EDBB7F7A468F259

Located: HK_CU:Run, CTFMON.EXE
where: S-1-5-19...
command: C:\WINDOWS\System32\CTFMON.EXE
file: C:\WINDOWS\System32\CTFMON.EXE
size: 15360
MD5: DDC0E7A20F0F77BEC5108C265C4AE435

Located: HK_CU:Run, CTFMON.EXE
where: S-1-5-20...
command: C:\WINDOWS\System32\CTFMON.EXE
file: C:\WINDOWS\System32\CTFMON.EXE
size: 15360
MD5: DDC0E7A20F0F77BEC5108C265C4AE435

Located: HK_CU:Run, ATI Launchpad
where: S-1-5-21-117609710-2139871995-839522115-1004...
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-117609710-2139871995-839522115-1004...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: DDC0E7A20F0F77BEC5108C265C4AE435

Located: HK_CU:Run, CTFMON.EXE
where: S-1-5-21-117609710-2139871995-839522115-1005...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: DDC0E7A20F0F77BEC5108C265C4AE435

Located: HK_CU:Run, MessengerPlus2
where: S-1-5-21-117609710-2139871995-839522115-1005...
command: "C:\Programfiler\Messenger Plus! 2\MsgPlus.exe" /WinStart
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, QuickTime Task
where: S-1-5-21-117609710-2139871995-839522115-1005...
command: "C:\Programfiler\QuickTime\qttask.exe" -atboottime
file: C:\Programfiler\QuickTime\qttask.exe
size: 282624
MD5: 7FBE43046EFDF24FC9375024E4D02AC9

Located: HK_CU:Run, CTFMON.EXE
where: S-1-5-18...
command: C:\WINDOWS\System32\CTFMON.EXE
file: C:\WINDOWS\System32\CTFMON.EXE
size: 15360
MD5: DDC0E7A20F0F77BEC5108C265C4AE435

Located: Startup (common), Adobe Gamma Loader.lnk
where: C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart...
command: C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
file: C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
size: 113664
MD5: C2FF17734176CD15221C10044EF0BA1A

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!



--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: AcroIEHlprObj Class
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 03.11.2003 14:17:44
Date (last access): 18.05.2008 19:10:52
Date (last write): 03.11.2003 14:17:44
Filesize: 54248
Attributes: archive
MD5: FC7850324464E4D19A24A03D882B5CC4
CRC32: 452E8571
Version: 6.0.1.1091

{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 04.04.2007 16:53:52
Date (last access): 18.05.2008 19:16:14
Date (last write): 28.01.2008 11:43:28
Filesize: 1554256
Attributes: archive
MD5: 5248E02EFBCB64D328647CD00E384B85
CRC32: C1B426A9
Version: 1.5.0.11

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: SSVHelper Class
Path: C:\Programfiler\Java\jre1.6.0_05\bin\
Long name: ssv.dll
Short name:
Date (created): 22.03.2008 17:06:20
Date (last access): 18.05.2008 19:10:52
Date (last write): 22.02.2008 05:25:20
Filesize: 509328
Attributes: archive
MD5: 5B42CB6A121256465B251840FDB1B2FE
CRC32: 6EF0BCE9
Version: 6.0.50.13



--- ActiveX list ---
DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\dajava.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla

Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object)
DPF name:
CLSID name: QuickTime Object
Installer: C:\WINDOWS\Downloaded Program Files\QTPlugin.inf
Codebase: http://www.apple.com/qtactivex/qtplugin.cab
description: Apple Quicktime
classification: Legitimate
known filename: QTPLUGIN.OCX
info link:
info source: Patrick M. Kolla
Path: C:\Programfiler\QuickTime\
Long name: QTPlugin.ocx
Short name:
Date (created): 27.04.2007 09:43:06
Date (last access): 18.05.2008 17:59:20
Date (last write): 27.04.2007 09:43:06
Filesize: 566856
Attributes: archive
MD5: C720DAF94EAB085FC54BF500C16ECC9B
CRC32: 74D59ED8
Version: 7.1.6.200

{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object)
DPF name:
CLSID name: CKAVWebScan Object
Installer: C:\WINDOWS\Downloaded Program Files\kavwebscan.inf
Codebase: http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\
Long name: kavwebscan.dll
Short name: KAVWEB~1.DLL
Date (created): 29.08.2007 15:49:54
Date (last access): 18.05.2008 17:59:20
Date (last write): 29.08.2007 15:49:54
Filesize: 950272
Attributes: archive
MD5: BC915C49931CE46222F9B0A7EFB56CEE
CRC32: 11048171
Version: 5.0.98.0

{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
description: Macromedia ShockWave Flash Player 7
classification: Legitimate
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\macromed\Director\
Long name: SwDir.dll

{31435657-9980-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\wvc1dmo.inf
Codebase: http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab

{33564D57-0000-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\WMV9VCM.inf
Codebase: http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.

{33564D57-9980-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\wmv9dmo.inf
Codebase: http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
description: Microsoft WMV Video Codec
classification: Legitimate
known filename: WMV9DMO.CAB
info link:
info source: Patrick M. Kolla

{4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool)
DPF name:
CLSID name: MSN Photo Upload Tool
Installer: C:\WINDOWS\Downloaded Program Files\MSNPupld.inf
Codebase: http://by134fd.bay134.hotmail.msn.com/resources/MsnPUpld.cab
description:
classification: Legitimate
known filename: MsnPUpld.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: MsnPUpld.dll
Short name:
Date (created): 08.10.2004 16:01:22
Date (last access): 18.05.2008 17:59:20
Date (last write): 08.10.2004 16:01:22
Filesize: 372736
Attributes: archive
MD5: D2ED523BB0FE94F8F492BEFE1C336040
CRC32: C4677625
Version: 10.0.910.0

{5CD4310E-88FB-43C1-BE24-5F3FA9C5C9D1} (KooPlayer Control)
DPF name:
CLSID name: KooPlayer Control
Installer:
Codebase: http://www.euchannels.net/KooPlayer.ocx
description:
classification: Legitimate
known filename: KOOPLA~1.OCX
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLO~1\
Long name: KooPlayer.ocx
Short name: KOOPLA~1.OCX
Date (created): 19.01.2008 20:20:16
Date (last access): 18.05.2008 17:59:20
Date (last write): 19.01.2008 20:20:18
Filesize: 288032
Attributes: archive
MD5: 908D19AB87499465C0433BEA3E23A985
CRC32: E27BDF1F
Version: 1.0.0.84

{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
DPF name:
CLSID name: MUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\muweb.inf
Codebase: http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171581406062
description:
classification: Legitimate
known filename: muweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: muweb.dll
Short name:
Date (created): 26.05.2005 05:19:32
Date (last access): 18.05.2008 19:07:38
Date (last write): 30.07.2007 19:19:04
Filesize: 207736
Attributes: archive
MD5: 2DEE560CCEF55353EB62FDA870446393
CRC32: 5AA71F7B
Version: 7.0.6000.381

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_05
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Programfiler\Java\jre1.6.0_05\bin\
Long name: npjpi160_05.dll
Short name: NPJPI1~1.DLL
Date (created): 22.02.2008 03:33:32
Date (last access): 18.05.2008 17:59:20
Date (last write): 22.02.2008 05:25:20
Filesize: 132496
Attributes: archive
MD5: 4FDFB86D78994BD71CBB779A7809E9CD
CRC32: 5A0EB880
Version: 6.0.50.13

{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
description:
classification: Open for discussion
known filename:
info link:
info source: Safer Networking Ltd.

{A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control)
DPF name:
CLSID name: KooPlayer Control
Installer:
Codebase: http://www.euchannels.net/UKooPlayer.ocx
Path: C:\WINDOWS\DOWNLO~1\
Long name: UKooPlayer.ocx
Short name: UKOOPL~1.OCX
Date (created): 19.01.2008 20:19:04
Date (last access): 18.05.2008 17:59:20
Date (last write): 19.01.2008 20:19:06
Filesize: 288496
Attributes: archive
MD5: CD0789AE5CF9851A0F765ACDCC6AA5AB
CRC32: 4E683C13
Version: 1.0.0.70

{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01)
DPF name: Java Runtime Environment 1.4.1_01
CLSID name:
Installer:
Codebase:
description:
classification: Legitimate
known filename: npjpi141_01.dll
info link:
info source: Safer Networking Ltd.

{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_03
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Path: C:\Programfiler\Java\jre1.6.0_03\bin\
Long name: npjpi160_03.dll
Short name: NPJPI1~1.DLL
Date (created): 24.09.2007 23:31:44
Date (last access): 18.05.2008 17:59:20
Date (last write): 25.09.2007 01:11:34
Filesize: 132496
Attributes: archive
MD5: D6A4682A6FF41832A3F1A7AB9AE08199
CRC32: 9080B537
Version: 6.0.30.5

{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_05
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Path: C:\Programfiler\Java\jre1.6.0_05\bin\
Long name: npjpi160_05.dll
Short name: NPJPI1~1.DLL
Date (created): 22.02.2008 03:33:32
Date (last access): 18.05.2008 19:21:00
Date (last write): 22.02.2008 05:25:20
Filesize: 132496
Attributes: archive
MD5: 4FDFB86D78994BD71CBB779A7809E9CD
CRC32: 5A0EB880
Version: 6.0.50.13

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_05
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Programfiler\Java\jre1.6.0_05\bin\
Long name: npjpi160_05.dll
Short name: NPJPI1~1.DLL
Date (created): 22.02.2008 03:33:32
Date (last access): 18.05.2008 19:21:00
Date (last write): 22.02.2008 05:25:20
Filesize: 132496
Attributes: archive
MD5: 4FDFB86D78994BD71CBB779A7809E9CD
CRC32: 5A0EB880
Version: 6.0.50.13

{D27CDB6E-AE6D-11CF-96B8-444553515000} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://active.macromedia.com/flash/cabs/swflash.cab

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\System32\Macromed\Flash\
Long name: Flash9b.ocx
Short name:
Date (created): 09.11.2006 15:46:28
Date (last access): 18.05.2008 17:57:30
Date (last write): 09.11.2006 15:46:28
Filesize: 2262648
Attributes: readonly archive
MD5: F3B3EE66CA76C94510555ABE9D00A353
CRC32: A51F3CB4
Version: 9.0.28.0

{D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class)
DPF name:
CLSID name: CRLDownloadWrapper Class
Installer:
Codebase: http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
Path: C:\WINDOWS\Downloaded Program Files\
Long name: crlocx.ocx
Short name:
Date (created): 23.06.2007 18:49:26
Date (last access): 18.05.2008 17:59:20
Date (last write): 23.06.2007 18:49:26
Filesize: 43760
Attributes: archive
MD5: 83412AE824500F533C22599DCAE43F1A
CRC32: AB100875
Version: 1.0.0.1



--- Process list ---
PID: 0 ( 0) [System]
PID: 580 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 652 ( 580) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 676 ( 580) \??\C:\WINDOWS\system32\winlogon.exe
size: 501248
PID: 720 ( 676) C:\WINDOWS\system32\services.exe
size: 108544
MD5: B44F7F43D33E308D07BA54C23B897E20
PID: 732 ( 676) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 8235198CDB70AAEB3C1435C1911641F9
PID: 1040 ( 720) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: C4D272D897700C7AD4B8E8454CD08676
PID: 1112 ( 720) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: C4D272D897700C7AD4B8E8454CD08676
PID: 1196 ( 720) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: C4D272D897700C7AD4B8E8454CD08676
PID: 1240 ( 720) C:\Norman\Npm\bin\ELOGSVC.EXE
size: 150584
MD5: 9BE18F02B84804419EE5B725A40769FE
PID: 1276 ( 720) C:\Norman\Npm\Bin\Zanda.exe
size: 322616
MD5: 4257D92B938ED51235C447242BEAA6A3
PID: 1356 ( 720) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: C4D272D897700C7AD4B8E8454CD08676
PID: 1444 ( 720) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: C4D272D897700C7AD4B8E8454CD08676
PID: 1576 ( 720) C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
size: 607576
MD5: 07AE10139D7713D69F57209FDF0425CC
PID: 1652 ( 720) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: DA81EC57ACD4CDC3D4C51CF3D409AF9F
PID: 1928 ( 720) C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
size: 106496
MD5: 2ACFC9242BE81AE2356E14E5E05C02BB
PID: 1964 ( 720) C:\Programfiler\DLink\Bluetooth-programvare\bin\btwdins.exe
size: 135168
MD5: 9DB4FCB7BC45E6B08A865E48BCF82C7A
PID: 2044 ( 720) C:\Norman\Npf\BIN\NPFSVICE.EXE
size: 65536
MD5: DD45DA5C722DCEAE4A63226607C245D3
PID: 268 ( 720) C:\WINDOWS\system32\PnkBstrA.exe
size: 63040
MD5: BCE50BC860AF68232891BA632FD94D35
PID: 392 ( 236) C:\WINDOWS\Explorer.EXE
size: 1033216
MD5: 2964B3F5E59F5D989252E2564A21A4C1
PID: 440 ( 720) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: C4D272D897700C7AD4B8E8454CD08676
PID: 1232 ( 720) C:\Norman\Npm\bin\NJEEVES.EXE
size: 150584
MD5: 2DC5971B9C6A806003D17D0E0580E864
PID: 1884 ( 720) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: CF4214650C8C6F99D064B18282EA3A17
PID: 3700 ( 392) C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe
size: 144784
MD5: 836DC47E6CAD975304D1D3EB2F516A1C
PID: 3708 ( 392) C:\Norman\Npm\bin\ZLH.EXE
size: 183352
MD5: 15B04067A0830DC1BB7756401B061799
PID: 3740 ( 392) C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: DDC0E7A20F0F77BEC5108C265C4AE435
PID: 172 (4020) C:\Norman\Npf\BIN\npfmsg2.exe
size: 340018
MD5: AFAFF40CF4275E0BB04A85F139C9E3C2
PID: 3608 ( 720) C:\Programfiler\Windows Live\Messenger\usnsvc.exe
size: 98328
MD5: 9D19B042A4FD5C02195071EA2FE0C821
PID: 7476 ( 392) C:\WINDOWS\system32\rundll32.exe
size: 33280
MD5: B3A06B00D56F3253F1F59C1F1F090D4F
PID: 7188 (3708) C:\Norman\Nvc\BIN\NIP.EXE
size: 175160
MD5: 9966A319BCC829154BF96D9997A54A0E
PID: 3628 ( 720) C:\Norman\Nvc\BIN\NVCSCHED.EXE
size: 146488
MD5: 3F0A5A2392986474A8E102033A34C5B8
PID: 5920 ( 720) C:\Norman\Nvc\bin\nvcoas.exe
size: 179256
MD5: B9880409B646D603ABE43604525B3EB8
PID: 3788 (7628) C:\Norman\Nvc\bin\cclaw.exe
size: 142392
MD5: 91073BF96585A68930E0E6523DDF8C44
PID: 5776 ( 392) C:\Programfiler\Spybot - Search & Destroy\SpybotSD.exe
size: 5146448
MD5: 2ECA8CDEED7C82F879E766DA92A3561A
PID: 4 ( 0) System
PID: 5284 ( 392) C:\Programfiler\Mozilla Firefox\firefox.exe
size: 7660656
MD5: B366BB8334CDCFB5C2A58DCF5121B6BC


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 18.05.2008 19:20:59

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.spray.no/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar
http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F16048B3-952C-40A3-96E5-FBC419CC90EE}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F16048B3-952C-40A3-96E5-FBC419CC90EE}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{ECE6906C-EBB5-4AFA-B91A-20341B189F93}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{ECE6906C-EBB5-4AFA-B91A-20341B189F93}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{83AEACBA-0DBD-4185-8189-4DFEF0A36470}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{83AEACBA-0DBD-4185-8189-4DFEF0A36470}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{138A474E-ECE7-4B26-86B3-E91ABFF8C499}] SEQPACKET 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{138A474E-ECE7-4B26-86B3-E91ABFF8C499}] DATAGRAM 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D6B2BD17-885B-44CE-A8B6-1712715AA302}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D6B2BD17-885B-44CE-A8B6-1712715AA302}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{93F29B53-4CAC-4C50-A893-3DE2A4E44864}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{93F29B53-4CAC-4C50-A893-3DE2A4E44864}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A13384C7-07CB-4B52-AB86-12E8DD86302F}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A13384C7-07CB-4B52-AB86-12E8DD86302F}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1B156261-3216-42DF-AE55-D7F5AED86A1A}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 20: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1B156261-3216-42DF-AE55-D7F5AED86A1A}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: TCP/IP
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Navneområde for Sporing av nettverksplassering (NLA - Network Location Awareness)
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace
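
Added example, not part of the original post or of Spybot: every WinLogon entry in the report above shows `size: 0` with the same MD5, and that value is simply the MD5 of zero bytes of input, so those files were never actually hashed. The sketch below parses entries in that layout and lists the ones whose checksum carries no information; the function names and the third sample entry are assumptions made for the illustration.

```python
import hashlib

# MD5 of zero bytes of input, computed rather than hard-coded.
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()

# Constructed sample: two entries copied from the report above, plus one
# invented entry (example.dll with a placeholder hash) for contrast.
SAMPLE = """\
Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, example
command: example.dll
file: C:\\WINDOWS\\system32\\example.dll
size: 4096
MD5: 0123456789ABCDEF0123456789ABCDEF
"""


def parse_entries(text):
    """Split the report into blank-line separated blocks of 'key: value' lines."""
    entries = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:  # continuation lines without a colon are skipped
                fields[key.strip().lower()] = value.strip()
        if "located" in fields:
            entries.append(fields)
    return entries


def hash_status(entry):
    """Classify what the MD5 field of one entry actually tells the reader."""
    md5 = entry.get("md5", "").upper()
    if not md5:
        return "no hash"
    if md5 == EMPTY_MD5:
        # The tool hashed nothing: either the file is empty or it was not read.
        return "unread" if entry.get("size") == "0" else "inconsistent"
    return "hashed"


def unread_entries(text):
    """Names of entries whose checksum cannot be used to verify the file."""
    return [e["located"] for e in parse_entries(text)
            if hash_status(e) != "hashed"]


if __name__ == "__main__":
    for name in unread_entries(SAMPLE):
        print("checksum not usable:", name)
```

An entry flagged this way has to be verified on disk by its full path; the report alone neither clears nor condemns it.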

Shaba
2008-05-20, 14:20
Hi Bucepahlus

Download Registrar Lite from here (http://www.majorgeeks.com/download469.html) and install it.
Start Registrar Lite.
Type this into the Address field and click OK:
HKEY_LOCAL_MACHINE\SOFTWARE\Altnet
Right-click that key and choose Properties. Click "Take ownership".
Right-click that key again and choose Delete.


Re-scan with Spybot and tell me if it still finds Altnet.

Bucepahlus
2008-05-23, 08:26
Gone now! (For how long?) Thanks for the help! Have now immunized and turned TeaTimer back on again. :)

Shaba
2008-05-23, 11:46
Hi

That's great news :)

Any other issues left?

Bucepahlus
2008-05-26, 21:27
Hi

That's great news :)

Any other issues left?

No, I think the puter is clean now...
Ran Spybot, Ad-Aware and Norman at the same time... nothing but cookies and stuff like that.

:)

Shaba
2008-05-27, 15:31
Hi

Then see below for some tips for the future:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

You can fix these if you like to:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
Download the latest version of Java Runtime Environment (JRE) 6 Update 6 (http://java.sun.com/javase/downloads/index.jsp) and save it to your desktop.
Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the Download button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo (http://www.personalfirewall.comodo.com/)
2) Online Armor (http://www.tallemu.com/online_armor_free.html)
3) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
4) Agnitum (http://www.agnitum.com/products/outpostfree/download.php)
5) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za) (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Next we remove all used tools.

Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows XP or Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

or

Windows Vista System Restore Guide (http://www.bleepingcomputer.com/tutorials/tutorial143.html)

Re-enable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:

Malwarebytes' Anti-Malware Setup Guide (http://bfccomputers.com/index.php?showtopic=1644)

Malwarebytes' Anti-Malware Scanning Guide (http://bfccomputers.com/index.php?showtopic=1645)

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar (http://toolbar.google.com/) <= Get the free google toolbar to help stop pop up windows.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean! :bigthumb:
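
Added example, not part of the original posts: the advice above to remove all older Java versions can be checked against a report like the one earlier in this thread, where several `{CAFEEFAC-...-ABCDEFFEDCBA}` ActiveX registrations remain side by side. The sketch lists every registration older than the newest one and whether it still points at a file path. The CLSID-to-version rule is an assumption inferred from the pairs visible in the log (0014-0001-0001 with 1.4.1_01, 0016-0000-0003 with 1.6.0_03), and the function names are hypothetical.

```python
import re

# Constructed sample: four ActiveX entries trimmed from the report above.
SAMPLE = """\
{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01)
DPF name: Java Runtime Environment 1.4.1_01
known filename: npjpi141_01.dll

{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
CLSID name: Java Plug-in 1.6.0_03
Path: C:\\Programfiler\\Java\\jre1.6.0_03\\bin\\
Long name: npjpi160_03.dll

{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
CLSID name: Java Plug-in 1.6.0_05
Path: C:\\Programfiler\\Java\\jre1.6.0_05\\bin\\
Long name: npjpi160_05.dll

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
CLSID name: Java Plug-in 1.6.0_05
Path: C:\\Programfiler\\Java\\jre1.6.0_05\\bin\\
"""

CLSID_RE = re.compile(
    r"^\{CAFEEFAC-(\d{4}|FFFF)-(\d{4}|FFFF)-(\d{4}|FFFF)-ABCDEFFEDCBA\}",
    re.IGNORECASE,
)


def decode_version(groups):
    """Assumed rule: 0016-0000-0005 -> (1, 6, 0, 5); FFFF marks no fixed version."""
    if any(g.upper() == "FFFF" for g in groups):
        return None
    family, micro, update = (int(g) for g in groups)
    return (family // 10, family % 10, micro, update)


def format_version(version):
    return "%d.%d.%d_%02d" % version


def java_registrations(text):
    """Return one dict per Java plug-in entry: CLSID, decoded version, path."""
    found = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        match = CLSID_RE.match(lines[0])
        if not match:
            continue
        path = None
        for line in lines[1:]:
            key, sep, value = line.partition(":")
            if sep and key.strip() == "Path":
                path = value.strip()
        found.append({
            "clsid": lines[0].split(" ", 1)[0],
            "version": decode_version(match.groups()),
            "path": path,
        })
    return found


def stale_versions(registrations):
    """Registrations older than the newest decoded version, oldest first.

    A path of None means only the registry entry is left; a path means the
    old plug-in DLL was still reported on disk.
    """
    fixed = [r for r in registrations if r["version"] is not None]
    if not fixed:
        return []
    newest = max(r["version"] for r in fixed)
    old = sorted((r for r in fixed if r["version"] < newest),
                 key=lambda r: r["version"])
    return [(format_version(r["version"]), r["path"]) for r in old]


if __name__ == "__main__":
    for version, path in stale_versions(java_registrations(SAMPLE)):
        print(version, "->", path or "registry entry only")
```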

Shaba
2008-05-29, 17:13
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.