
Trojan-Downloader.BAT.Ftp.ab


perotta


[log]

Logfile of HijackThis v1.99.1

Scan saved at 16:11:11, on 2006-11-27

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\BREDBA~1\backweb\1803213\Program\SERVIC~1.EXE

c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe

c:\APPS\Powercinema\Kernel\TV\CLSched.exe

C:\Program\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe

C:\Program\CyberLink\Shared Files\CLML_NTService\CLMLService.exe

C:\Program\Bredbandsbolaget Security Services\Anti-Virus\fsgk32st.exe

C:\Program\Bredbandsbolaget Security Services\Anti-Virus\FSGK32.EXE

C:\Program\Bredbandsbolaget Security Services\backweb\1803213\program\fsbwsys.exe

C:\Program\Bredbandsbolaget Security Services\Common\FSMA32.EXE

C:\Program\Bredbandsbolaget Security Services\Common\FSMB32.EXE

c:\APPS\HIDSERVICE\HIDSERVICE.exe

C:\Program\Bredbandsbolaget Security Services\Anti-Virus\fssm32.exe

C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe

C:\Program\Bredbandsbolaget Security Services\Common\FCH32.EXE

C:\Program\MICROS~4\MSSQL\binn\sqlservr.exe

C:\WINDOWS\system32\svchost.exe

C:\Program\Bredbandsbolaget Security Services\Anti-Virus\fsqh.exe

C:\Program\Bredbandsbolaget Security Services\Common\FAMEH32.EXE

C:\Program\Bredbandsbolaget Security Services\Anti-Virus\fsrw.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Bredbandsbolaget Security Services\FWES\Program\fsdfwd.exe

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\system32\VTtrayp.exe

C:\Program\Bredbandsbolaget Security Services\Anti-Virus\fsav32.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program\Java\jre1.5.0_08\bin\jusched.exe

C:\Apps\Powercinema\PCMService.exe

C:\apps\ABoard\ABoard.exe

C:\Program\QuickTime\qttask.exe

C:\Program\Delade filer\Real\Update_OB\realsched.exe

C:\apps\ABoard\AOSD.exe

C:\Program\Bredbandsbolaget Security Services\Common\FSM32.EXE

C:\Program\BREDBA~1\ANTI-S~1\fsaw.exe

C:\Program\Bredbandsbolaget Security Services\backweb\1803213\Program\fspex.exe

C:\Program\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program\Bredbandsbolaget Security Services\FSGUI\fsguidll.exe

C:\Program\Outlook Express\msimn.exe

C:\Program\Messenger\msmsgs.exe

C:\Program\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

C:\Program\Internet Explorer\iexplore.exe

C:\Program\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\sw.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_08\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar3.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar3.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program\Java\jre1.5.0_08\bin\jusched.exe"

O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"

O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\Bredbandsbolaget Security Services\Common\FSM32.EXE" /splash

O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program\Bredbandsbolaget Security Services\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW

O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program\Bredbandsbolaget Security Services\FSGUI\FSSW.EXE" /reboot

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [skype] "C:\APPS\skype\phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [updateMgr] "C:\Program\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Bredbandsbolaget Security Services.lnk = C:\Program\Bredbandsbolaget Security Services\backweb\1803213\Program\fspex.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Service Manager.lnk = C:\Program\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O8 - Extra context menu item: &Blockera detta popup-fönster - C:\Program\Bredbandsbolaget Security Services\Anti-Spyware\blockpopups.htm

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra button: IE-sköld - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program\Bredbandsbolaget Security Services\Anti-Spyware\ieshield.dll

O9 - Extra 'Tools' menuitem: IE-sköld... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program\Bredbandsbolaget Security Services\Anti-Spyware\ieshield.dll

O9 - Extra button: YU-MP3.COM Account Login - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program\Funnsystems YuMp3Com-User-Authorization\YuMp3ComLogin.exe (file missing)

O9 - Extra 'Tools' menuitem: &YU-MP3.COM User Login - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program\Funnsystems YuMp3Com-User-Authorization\YuMp3ComLogin.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O12 - Plugin for .wav: C:\Program\Internet Explorer\PLUGINS\npqtplugin.dll

O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\sw.htm

O16 - DPF: {0EB73E39-8AD4-43E8-8FBA-0165C2CCDB8B} (GameControl Class) - http://se.king.com/midasa.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/download/2006/en/ErrorSafeScannerInstall.cab

O16 - DPF: {C8CE8EAB-8B03-484B-B348-A2442D38E7AF} (Intermezzon Player Control) - http://download.intermezzon.com/3.3/designerplayer.cab

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program\Delade filer\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Bredbandsbolaget Security Services (BackWeb Plug-in - 1803213) - BackWeb Technologies Inc. - C:\Program\BREDBA~1\backweb\1803213\Program\SERVIC~1.EXE

O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe

O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe

O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe

O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program\Bredbandsbolaget Security Services\Anti-Virus\fsgk32st.exe

O23 - Service: FSBWSYS - F-Secure Corp. - C:\Program\Bredbandsbolaget Security Services\backweb\1803213\program\fsbwsys.exe

O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program\Bredbandsbolaget Security Services\FWES\Program\fsdfwd.exe

O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program\Bredbandsbolaget Security Services\Common\FSMA32.EXE

O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe

 

[/log]

That is the HijackThis log after the scan.

 


There is an old Java version with security holes on the computer. Uninstall all Java in Control Panel - Add or Remove Programs and then install a new one: http://www.java.com/sv/

 

Scan with HijackThis and tick:

 

O9 - Extra button: YU-MP3.COM Account Login - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program\Funnsystems YuMp3Com-User-Authorization\YuMp3ComLogin.exe (file missing)

O9 - Extra 'Tools' menuitem: &YU-MP3.COM User Login - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program\Funnsystems YuMp3Com-User-Authorization\YuMp3ComLogin.exe (file missing)

O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/download/2006/en/ErrorSafeScannerInstall.cab

 

Close all other programs.

Press Fix checked.

 

Restart the computer and then post a new HijackThis log.

Does F-Secure find anything now? If so, in which file and folder does it find the trojan?
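The advice above picks out two kinds of HijackThis entries: registry items whose target is "(file missing)" and an O16 DPF ActiveX download from an unexpected host. As an added example (not part of this thread), the Python script below does that triage over a HijackThis log; the sample lines are copied from the log posted above, and the allow-list of trusted ActiveX hosts is an assumption for this machine.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: YU-MP3.COM Account Login - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program\Funnsystems YuMp3Com-User-Authorization\YuMp3ComLogin.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/download/2006/en/ErrorSafeScannerInstall.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
"""

# Assumption: hosts from which ActiveX (O16 DPF) downloads are expected on this machine.
# Anything else is reported for manual review, not declared malicious.
ALLOWED_DPF_HOSTS = ("microsoft.com", "msn.com", "f-secure.com")

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")


def parse_entries(text):
    """Split a HijackThis log into (section, body) pairs, skipping non-entry lines."""
    entries = []
    for raw in text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.append((match.group("section"), match.group("body")))
    return entries


def host_is_allowed(host, allowed=ALLOWED_DPF_HOSTS):
    """True when host equals, or is a subdomain of, an allowed domain."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in allowed)


def triage(text, allowed=ALLOWED_DPF_HOSTS):
    """Return (section, reason, body) for every entry worth a second look."""
    findings = []
    for section, body in parse_entries(text):
        # Registry entries whose target no longer exists are leftovers that can be fixed.
        if body.endswith("(file missing)"):
            findings.append((section, "target file missing", body))
            continue
        # O16 DPF entries are ActiveX controls downloaded from the web; check the source host.
        if section == "O16":
            match = URL_RE.search(body)
            host = urlparse(match.group(0)).hostname if match else None
            if not host_is_allowed(host, allowed):
                findings.append((section, f"ActiveX download from unlisted host {host}", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```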

 


Hi Cecilia!

 

I have done everything with Java and Fix checked in HijackThis, but unfortunately the message that a virus has been detected on the computer keeps coming back. I am sending a new log file since I cannot see any trojans in the log file. Many thanks for now.

[log]

Logfile of HijackThis v1.99.1

Scan saved at 17:55:55, on 2006-11-27

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\BREDBA~1\backweb\1803213\Program\SERVIC~1.EXE

c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe

c:\APPS\Powercinema\Kernel\TV\CLSched.exe

C:\Program\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe

C:\Program\CyberLink\Shared Files\CLML_NTService\CLMLService.exe

C:\Program\Bredbandsbolaget Security Services\Anti-Virus\fsgk32st.exe

C:\Program\Bredbandsbolaget Security Services\Anti-Virus\FSGK32.EXE

C:\Program\Bredbandsbolaget Security Services\backweb\1803213\program\fsbwsys.exe

C:\Program\Bredbandsbolaget Security Services\Common\FSMA32.EXE

C:\Program\Bredbandsbolaget Security Services\Common\FSMB32.EXE

c:\APPS\HIDSERVICE\HIDSERVICE.exe

C:\Program\Bredbandsbolaget Security Services\Anti-Virus\fssm32.exe

C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe

C:\Program\MICROS~4\MSSQL\binn\sqlservr.exe

C:\Program\Bredbandsbolaget Security Services\Common\FCH32.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program\Bredbandsbolaget Security Services\Anti-Virus\fsqh.exe

C:\Program\Bredbandsbolaget Security Services\Common\FAMEH32.EXE

C:\Program\Bredbandsbolaget Security Services\Anti-Virus\fsrw.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Bredbandsbolaget Security Services\FWES\Program\fsdfwd.exe

C:\Program\Bredbandsbolaget Security Services\Anti-Virus\fsav32.exe

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\system32\VTtrayp.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Apps\Powercinema\PCMService.exe

C:\apps\ABoard\ABoard.exe

C:\Program\QuickTime\qttask.exe

C:\Program\Delade filer\Real\Update_OB\realsched.exe

C:\Program\Bredbandsbolaget Security Services\Common\FSM32.EXE

C:\apps\ABoard\AOSD.exe

C:\Program\Java\jre1.5.0_09\bin\jusched.exe

C:\Program\BREDBA~1\ANTI-S~1\fsaw.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program\Bredbandsbolaget Security Services\backweb\1803213\Program\fspex.exe

C:\Program\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program\Bredbandsbolaget Security Services\FSGUI\fsguidll.exe

C:\Program\Outlook Express\msimn.exe

C:\Program\Messenger\msmsgs.exe

C:\Program\Internet Explorer\iexplore.exe

C:\Program\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

C:\Program\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\sw.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar3.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar3.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"

O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\Bredbandsbolaget Security Services\Common\FSM32.EXE" /splash

O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program\Bredbandsbolaget Security Services\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW

O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program\Bredbandsbolaget Security Services\FSGUI\FSSW.EXE" /reboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program\Java\jre1.5.0_09\bin\jusched.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [skype] "C:\APPS\skype\phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [updateMgr] "C:\Program\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Bredbandsbolaget Security Services.lnk = C:\Program\Bredbandsbolaget Security Services\backweb\1803213\Program\fspex.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Service Manager.lnk = C:\Program\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O8 - Extra context menu item: &Blockera detta popup-fönster - C:\Program\Bredbandsbolaget Security Services\Anti-Spyware\blockpopups.htm

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: IE-sköld - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program\Bredbandsbolaget Security Services\Anti-Spyware\ieshield.dll

O9 - Extra 'Tools' menuitem: IE-sköld... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program\Bredbandsbolaget Security Services\Anti-Spyware\ieshield.dll

O12 - Plugin for .wav: C:\Program\Internet Explorer\PLUGINS\npqtplugin.dll

O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\sw.htm

O16 - DPF: {0EB73E39-8AD4-43E8-8FBA-0165C2CCDB8B} (GameControl Class) - http://se.king.com/midasa.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {C8CE8EAB-8B03-484B-B348-A2442D38E7AF} (Intermezzon Player Control) - http://download.intermezzon.com/3.3/designerplayer.cab

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program\Delade filer\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Bredbandsbolaget Security Services (BackWeb Plug-in - 1803213) - BackWeb Technologies Inc. - C:\Program\BREDBA~1\backweb\1803213\Program\SERVIC~1.EXE

O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe

O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe

O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe

O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program\Bredbandsbolaget Security Services\Anti-Virus\fsgk32st.exe

O23 - Service: FSBWSYS - F-Secure Corp. - C:\Program\Bredbandsbolaget Security Services\backweb\1803213\program\fsbwsys.exe

O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program\Bredbandsbolaget Security Services\FWES\Program\fsdfwd.exe

O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program\Bredbandsbolaget Security Services\Common\FSMA32.EXE

O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe

 

 

[/log]

 


See if you can remove the file like this:

Restart the computer in Safe Mode (press F8 repeatedly during startup and choose Safe Mode from the menu).

 

Set up Explorer so that you can see all files:

Tools - (Folder) Options or similar - View

Select Show hidden files and folders

Untick Hide extensions for known file types

Untick Hide protected operating system files

 

Delete the file:

C:\WINDOWS\SYSTEM32\EQ

 

Restart in normal mode and check that the file is gone.

 


The file could not be found. I did everything in Safe Mode. Just now a message came from my security package (F-Secure) that a virus was detected. When I click OK to remove it (recommended), the message "Could not access the object." appears. Crazy.

 


You have probably run into a nasty rootkit that hides itself and is hard to get hold of.

 

Scan the computer with BlackLight:

http://www.f-secure.com/blacklight/try_blacklight.html

Copy and paste the result here.

 

Download Gmer to the Desktop from this page: http://www.gmer.net/

Unpack the file to the Desktop.

 

Double-click the program gmer.exe to start it.

Choose the Rootkit tab and press Scan.

Paste the result here.

 


Hi Cecilia!

 

The fight continues. I have scanned the computer with BlackLight but it showed nothing. I have downloaded Gmer and scanned with it, and this is the result:

[log]

GMER 1.0.12.12011 - http://www.gmer.net

Rootkit scan 2006-11-28 18:40:49

Windows 5.1.2600 Service Pack 2

 

 

---- System - GMER 1.0.12 ----

 

SSDT \WINDOWS\System32\drivers\fsndis5.sys ZwCreateProcess

SSDT \WINDOWS\System32\drivers\fsndis5.sys ZwCreateProcessEx

SSDT \WINDOWS\System32\drivers\fsndis5.sys ZwCreateSection

SSDT \WINDOWS\System32\drivers\fsndis5.sys ZwCreateThread

SSDT \WINDOWS\System32\drivers\fsndis5.sys ZwWriteVirtualMemory

 

Code \WINDOWS\System32\drivers\fsndis5.sys IoCreateDevice

 

---- Kernel code sections - GMER 1.0.12 ----

 

.text ntkrnlpa.exe!ZwCallbackReturn + 23ED 805010F1 3 Bytes [ 87, 69, F7 ]

PAGE ntkrnlpa.exe!IoCreateDevice 805699CA 5 Bytes JMP F7696FD0 \WINDOWS\System32\drivers\fsndis5.sys

PAGENPNP NDIS.SYS!NdisRegisterProtocol F72D517D 5 Bytes JMP F7696C49 \WINDOWS\System32\drivers\fsndis5.sys

PAGENPNP NDIS.SYS!NdisOpenAdapter F72D5397 5 Bytes JMP F7696EB4 \WINDOWS\System32\drivers\fsndis5.sys

PAGENPNP NDIS.SYS!NdisCloseAdapter F72DF61E 5 Bytes JMP F7696EE4 \WINDOWS\System32\drivers\fsndis5.sys

PAGENPNP NDIS.SYS!NdisDeregisterProtocol F72DF7FD 5 Bytes JMP F7696CB0 \WINDOWS\System32\drivers\fsndis5.sys

PAGENDSP NDIS.SYS!NdisReturnPackets F72E2800 5 Bytes JMP F769B13A \WINDOWS\System32\drivers\fsndis5.sys

PAGENDSP NDIS.SYS!NdisRequest F72E296B 5 Bytes JMP F7699578 \WINDOWS\System32\drivers\fsndis5.sys

PAGENDSP NDIS.SYS!NdisSend F72E5977 5 Bytes JMP F769B3FE \WINDOWS\System32\drivers\fsndis5.sys

PAGENDSP NDIS.SYS!NdisSendPackets F72E5994 5 Bytes JMP F769B4D0 \WINDOWS\System32\drivers\fsndis5.sys

PAGENDSP NDIS.SYS!NdisTransferData F72E59AF 5 Bytes JMP F769B25C \WINDOWS\System32\drivers\fsndis5.sys

.text ntdll.dll!NtClose 7C90D586 5 Bytes JMP 72033FAA

.text ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 72034135

.text ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes JMP 72034019

.text ntdll.dll!NtCreateSection 7C90D793 5 Bytes JMP 72033FC8

 

---- Devices - GMER 1.0.12 ----

 

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_READ [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_READ [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_READ [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_POWER [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_READ [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_NAMED_PIPE [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_READ [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_WRITE [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_INFORMATION [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_INFORMATION [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_EA [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_EA [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FLUSH_BUFFERS [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_VOLUME_INFORMATION [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_VOLUME_INFORMATION [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DIRECTORY_CONTROL [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FILE_SYSTEM_CONTROL [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_LOCK_CONTROL [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_SECURITY [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_SECURITY [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_POWER [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SYSTEM_CONTROL [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CHANGE [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_QUOTA [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_QUOTA [F73019E8] fsdfw.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP [F73019E8] fsdfw.sys

[/log] Hope that says something...

 


Nothing in any of those logs.

Try the Gromozon removal tool:

http://www.prevx.com/gromozon.asp

 

Scan the computer online:

http://www.kaspersky.com/virusscanner

Save the log and paste it into your reply.

 

Download ComboFix:

http://download.bleepingcomputer.com/sUBs/combofix.exe

 

Run it and follow the instructions shown.

 

IMPORTANT! Do not click in the ComboFix window with the mouse while it is running, otherwise it may hang.

 

When it is finished a log should appear; paste it here.

 

I'll look at them tomorrow.

 


Here is the log from Kaspersky

[log]KASPERSKY ONLINE SCANNER REPORT

Tuesday, November 28, 2006 8:45:48 PM

Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)

Kaspersky Online Scanner version: 5.0.83.0

Kaspersky Anti-Virus database last update: 28/11/2006

Kaspersky Anti-Virus database records: 232537

 

 

Scan Settings

Scan using the following antivirus database standard

Scan Archives true

Scan Mail Bases true

 

Scan Target Folders

C:\WINDOWS\

 

Scan Statistics

Total number of scanned objects 18494

Number of viruses found 0

Number of infected objects 0 / 0

Number of suspicious objects 0

Duration of the scan process 00:12:19

 

Infected Object Name Virus Name Last Action

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

 

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

 

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

 

C:\WINDOWS\Sti_Trace.log Object is locked skipped

 

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

 

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

 

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

 

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

 

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

 

C:\WINDOWS\system32\config\SAM Object is locked skipped

 

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

 

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

 

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

 

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

 

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

 

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

 

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

 

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

 

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

 

C:\WINDOWS\system32\h323log.txt Object is locked skipped

 

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

 

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

 

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

 

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

 

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

 

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

 

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

 

C:\WINDOWS\Temp\Perflib_Perfdata_678.dat Object is locked skipped

 

C:\WINDOWS\wiadebug.log Object is locked skipped

 

C:\WINDOWS\wiaservc.log Object is locked skipped

 

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

 

Scan process completed.

[/log]

Here is the log from ComboFix

[log]

Stefan - 06-11-28 21:13:44,31 Service Pack 2

ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Stefan\Skrivbord"

 

((((((((((((((((((((((((((((((( Files Created from 2006-10-28 to 2006-11-28 ))))))))))))))))))))))))))))))))))

 

 

2006-11-28 21:03 0 --a------ C:\WINDOWS\system32\Tilecomnm.com

2006-11-28 20:55 <KAT> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

2006-11-28 20:24 <KAT> d-------- C:\WINDOWS\system32\Kaspersky Lab

2006-11-28 18:27 <KAT> d-------- C:\Program\WinZip

2006-11-28 18:27 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\WinZip

2006-11-28 18:23 80 --a------ C:\WINDOWS\gmer_uninstall.cmd

2006-11-28 12:24 <KAT> d-------- C:\CD4

2006-11-28 12:11 <KAT> d-------- C:\WINDOWS\pss

2006-11-27 21:01 73,728 --a------ C:\WINDOWS\system32\csseqchk.dll

2006-11-27 21:01 23,040 --a------ C:\WINDOWS\system32\mciseq.dll

2006-11-27 17:32 <KAT> d-------- C:\Program\Java

2006-11-27 17:31 <KAT> d-------- C:\Program\Delade filer\Java

2006-11-27 12:48 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys

2006-11-27 12:47 <KAT> d-------- C:\Documents and Settings\Stefan\.housecall6.6

2006-11-25 19:25 <KAT> d-------- C:\Program\Hijackthis

2006-11-24 14:13 <KAT> d-------- C:\MBS

2006-11-24 13:29 33,340 --------- C:\WINDOWS\system32\dbmsqlgc.dll

2006-11-24 13:29 24,576 --------- C:\WINDOWS\system32\dbmsgnet.dll

2006-11-24 11:49 36,939 --a------ C:\WINDOWS\system32\insrepim.exe

2006-11-24 11:49 188,988 --a------ C:\WINDOWS\system32\msrpjt40.dll

2006-11-24 11:48 81,920 --a------ C:\WINDOWS\system32\mdt2fw95.dll

2006-11-24 11:47 32,830 --a------ C:\WINDOWS\system32\dbmsshrn.dll

2006-11-24 11:47 29,244 --a------ C:\WINDOWS\system32\dbmslpcn.dll

2006-11-24 11:47 274,489 --a------ C:\WINDOWS\system32\ntwdblib.dll

2006-11-24 10:25 <KAT> d-------- C:\Program\SQLXML 4.0

2006-11-24 10:18 <KAT> d-------- C:\Program\Microsoft Visual Studio 8

2006-11-24 09:33 <KAT> d-------- C:\Program\Microsoft SQL Server

2006-11-18 16:02 <KAT> d-------- C:\Program\MSXML 4.0

2006-11-04 20:25 1,321,744 --a------ C:\WINDOWS\system32\msxml6.dll

2006-11-04 14:14 1,245,696 --a------ C:\WINDOWS\system32\msxml4.dll

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2006-11-27 17:31 -------- d-------- C:\Program\Delade filer

2006-11-27 12:48 -------- d-------- C:\Program\Internet Explorer

2006-11-24 14:21 -------- d---s---- C:\Documents and Settings\Stefan\Application Data\Microsoft

2006-11-24 11:46 -------- d--h----- C:\Program\Uninstall Information

2006-11-24 11:46 -------- d-------- C:\Program\Delade filer\Microsoft Shared

2006-11-24 10:17 -------- d-------- C:\Program\Microsoft Office

2006-11-23 18:16 -------- d-------- C:\Program\EA GAMES

2006-10-30 14:00 -------- d-------- C:\Program\MSN Messenger

2006-10-28 13:31 -------- d-------- C:\Program\Google

2006-10-27 06:56 -------- d-------- C:\Documents and Settings\Stefan\Application Data\F-Secure

2006-10-26 15:02 -------- d-------- C:\Program\Bredbandsbolaget Security Services

2006-10-26 15:02 -------- d-------- C:\Documents and Settings\Stefan\Application Data\Lavasoft

2006-10-26 15:00 118842 -r------- C:\WINDOWS\bwUnin-6.3.2.123-1803213L.exe

2006-10-26 10:31 -------- d-------- C:\Program\com hem security

2006-10-13 13:41 141824 --a------ C:\WINDOWS\system32\nwprovau.dll

2006-10-06 21:07 3013 --a------ C:\Program\INSTALL.LOG

2006-09-13 06:07 1084416 --a------ C:\WINDOWS\system32\msxml3.dll

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries are not shown

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"MSMSGS"="\"C:\\Program\\Messenger\\msmsgs.exe\" /background"

"Skype"="\"C:\\APPS\\skype\\phone\\Skype.exe\" /nosplash /minimized"

"updateMgr"="\"C:\\Program\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7 -reboot 1"

"swg"="C:\\Program\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"

"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"

"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"

"VTTimer"="VTTimer.exe"

"VTTrayp"="VTtrayp.exe"

"SoundMan"="SOUNDMAN.EXE"

"PCMService"="\"c:\\Apps\\Powercinema\\PCMService.exe\""

"ACTIVBOARD"="c:\\apps\\ABoard\\ABoard.exe"

"QuickTime Task"="\"C:\\Program\\QuickTime\\qttask.exe\" -atboottime"

"TkBellExe"="\"C:\\Program\\Delade filer\\Real\\Update_OB\\realsched.exe\" -osboot"

"F-Secure Manager"="\"C:\\Program\\Bredbandsbolaget Security Services\\Common\\FSM32.EXE\" /splash"

"F-Secure TNB"="\"C:\\Program\\Bredbandsbolaget Security Services\\TNB\\TNBUtil.exe\" /CHECKALL /WAITFORSW"

"F-Secure Startup Wizard"="\"C:\\Program\\Bredbandsbolaget Security Services\\FSGUI\\FSSW.EXE\" /reboot"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]

"Installed"="1"

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]

"DeskHtmlVersion"=dword:00000110

"DeskHtmlMinorVersion"=dword:00000005

"Settings"=dword:00000001

"GeneralFlags"=dword:00000001

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="Min aktuella startsida"

"Flags"=dword:00000002

"Position"=hex:2c,00,00,00,40,01,00,00,00,00,00,00,e0,01,00,00,36,02,00,00,00, 00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00

"CurrentState"=hex:04,00,00,40

"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff, ff,ff,04,00,00,00

"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00, 00,00,01,00,00,00

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]

"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"dontdisplaylastusername"=dword:00000000

"legalnoticecaption"=""

"legalnoticetext"=""

"shutdownwithoutlogon"=dword:00000001

"undockwithoutlogon"=dword:00000001

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

 

 

 

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

 

backup-20061127-193258-655

O16 - DPF: {0EB73E39-8AD4-43E8-8FBA-0165C2CCDB8B} (GameControl Class) - http://se.king.com/midasa.cab

backup-20061127-174929-628

O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/download/2006/en/ErrorSafeScannerInstall.cab

backup-20061127-174607-537

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

backup-20061127-174606-916

O9 - Extra button: YU-MP3.COM Account Login - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program\Funnsystems YuMp3Com-User-Authorization\YuMp3ComLogin.exe (file missing)

 

Contents of the 'Scheduled Tasks' folder

C:\WINDOWS\tasks\Scheduled scanning task.job

 

Completion time: 06-11-28 21:15:38.81

C:\ComboFix.txt ... 06-11-28 21:15

[/log]

Many thanks in advance!!!

 


Scan Target Folders

C:\WINDOWS\

It is best to scan all of C: with Kaspersky, not just the Windows folder.

 

Did the Gromozon removal tool find anything?

 

What does the folder C:\MBS contain?

 

Go to http://www.virustotal.com/, paste the following file name into the box, press Send and wait until the result is ready (Status becomes Finished). Paste the result (including the file size) here.

C:\WINDOWS\system32\Tilecomnm.com

 

Otherwise there is nothing nasty to be seen in any of the logs. Scan the computer with F-Secure and paste the whole result here.

 


Here is the log from VirusTotal [log]

 

 


 

 

STATUS: FINISHED

Complete scanning result of "Tilecomnm.com", received in VirusTotal at 11.29.2006, 08:13:53 (CET).

 

Antivirus Version Update Result

AntiVir 7.2.0.46 11.28.2006 no virus found

Authentium 4.93.8 11.29.2006 no virus found

Avast 4.7.892.0 11.28.2006 no virus found

AVG 386 11.28.2006 no virus found

BitDefender 7.2 11.29.2006 no virus found

CAT-QuickHeal 8.00 11.28.2006 no virus found

ClamAV devel-20060426 11.29.2006 no virus found

DrWeb 4.33 11.28.2006 no virus found

eSafe 7.0.14.0 11.28.2006 no virus found

eTrust-InoculateIT 23.73.71 11.29.2006 no virus found

eTrust-Vet 30.3.3221 11.29.2006 no virus found

Ewido 4.0 11.28.2006 no virus found

Fortinet 2.82.0.0 11.29.2006 no virus found

F-Prot 3.16f 11.28.2006 no virus found

F-Prot4 4.2.1.29 11.28.2006 no virus found

Ikarus 0.2.65.0 11.28.2006 no virus found

Kaspersky 4.0.2.24 11.29.2006 no virus found

McAfee 4906 11.28.2006 no virus found

Microsoft 1.1804 11.28.2006 no virus found

NOD32v2 1888 11.28.2006 no virus found

Norman 5.80.02 11.28.2006 no virus found

Panda 9.0.0.4 11.28.2006 no virus found

Prevx1 V2 11.29.2006 no virus found

Sophos 4.11.0 11.16.2006 no virus found

TheHacker 6.0.3.126 11.29.2006 no virus found

UNA 1.83 11.28.2006 no virus found

VBA32 3.11.1 11.28.2006 no virus found

VirusBuster 4.3.15:9 11.28.2006 no virus found

 

 

Aditional Information

File size: 0 bytes

MD5: d41d8cd98f00b204e9800998ecf8427e

SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709

 

VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

[/log] Will scan through the computer with F-Secure.
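Added example, not code from the thread or from VirusTotal: the report above records a 0-byte file whose MD5 and SHA1 are exactly the digests of empty input, so all 28 "no virus found" verdicts examined nothing, and the ComboFix "Files Created" listing earlier in the thread already showed Tilecomnm.com at 0 bytes in system32. The Python below recognises both cases before a clean result is read as reassurance; function names and SAMPLE_LISTING (rows copied from the thread's ComboFix output) are constructed for this example.

```python
# Added example (not the thread's or VirusTotal's code). Sample rows are copied
# from the thread's ComboFix output; function names are constructed.
import hashlib
import io
import re

# Digests of zero-length input, as printed in the thread's VirusTotal report.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"
EMPTY_SHA1 = "da39a3ee5e6b4b0d3255bfef95601890afd80709"

def hash_input(src):
    """(size, md5, sha1) of a file path or a bytes object, read in 64 KiB chunks."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with (io.BytesIO(src) if isinstance(src, bytes) else open(src, "rb")) as f:
        for chunk in iter(lambda: f.read(65536), b""):
            size += len(chunk)
            md5.update(chunk)
            sha1.update(chunk)
    return size, md5.hexdigest(), sha1.hexdigest()

def assess_scan_result(size, md5, sha1, detections):
    """Interpret a multi-engine verdict; 'clean' on an empty file is not evidence."""
    if size == 0 or (md5 == EMPTY_MD5 and sha1 == EMPTY_SHA1):
        return "inconclusive: empty file, the engines scanned zero bytes"
    if detections > 0:
        return f"flagged by {detections} engine(s)"
    return "not detected (absence of detection is not proof of harmlessness)"

# ComboFix "Files Created" row: date time size-or-<DIR> attrs path (<KAT> = Swedish <DIR>)
COMBOFIX_ROW = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+(<\w+>|[\d,]+)\s+(\S+)\s+(.*)$")

SAMPLE_LISTING = """\
2006-11-28 21:03 0 --a------ C:\\WINDOWS\\system32\\Tilecomnm.com
2006-11-28 20:55 <KAT> d-a------ C:\\Documents and Settings\\All Users\\Application Data\\TEMP
2006-11-28 18:23 80 --a------ C:\\WINDOWS\\gmer_uninstall.cmd
2006-11-27 21:01 73,728 --a------ C:\\WINDOWS\\system32\\csseqchk.dll
2006-11-27 12:48 76,560 --a------ C:\\WINDOWS\\system32\\drivers\\tmcomm.sys
"""

def suspicious_created_files(listing):
    """Rows worth a second look: zero-byte files, and executable images
    (.exe/.com/.dll/.sys) dropped under C:\\WINDOWS in the reporting window."""
    hits = []
    for line in listing.splitlines():
        m = COMBOFIX_ROW.match(line.strip())
        if not m or m.group(3).startswith("<"):  # skip non-rows and directories
            continue
        nbytes, path = int(m.group(3).replace(",", "")), m.group(5)
        low = path.lower()
        if nbytes == 0:
            hits.append((path, "zero-byte file"))
        elif low.startswith("c:\\windows\\") and low.endswith((".exe", ".com", ".dll", ".sys")):
            hits.append((path, f"executable image, {nbytes} bytes"))
    return hits

if __name__ == "__main__":
    print(assess_scan_result(*hash_input(b""), detections=0))  # what VirusTotal received
    for path, why in suspicious_created_files(SAMPLE_LISTING):
        print(f"{why:30} {path}")
```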

 


I'm going to give up. I have done everything, but the system still reports "Virus detected". The only thing left is to wipe the hard disk and install Windows from scratch. Many thanks, Cecilia, for all the support.

 

