
Can't open links @ google.com in IE7.0, Windows XP


mrpekk


Hi!

 

I seem to have picked up some kind of virus, because when I google and try to click on the result links something unexpected happens. A new window opens (I run ActiveX, so pop-up windows are normally blocked) and I end up at various kinds of advertisements. The appearance of my Google results has changed as well, both in size and font, and IE runs considerably slower than it usually does.

 

This is of course extremely frustrating, but despite repeated runs of antivirus software and Ad-Aware I can't find the problem. I'd be grateful if anyone has an idea of what this could be due to, or can suggest alternative ways of trying to locate the fault.

 

Regards,

P-E

 


 

[log]Let's see whether HijackThis shows anything, to begin with. Download it from one of these links:

http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html

Install it, start it and choose "Do a system scan and save a logfile", then copy the log that comes up (nothing else).

 

In your reply, attach the HijackThis log like this:

Press the LOG button in the Reply window

Paste the log

Press the LOG button again[/log]

 


Hi!

 

It appears that only IE is affected, so I did a reset of that browser, but without result. I've also pasted in the log file you suggested...

 

[log]Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:02:36, on 2008-11-07

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\vcdplayx.exe

C:\Program\Grisoft\AVG7\avgcc.exe

C:\Program\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program\Grisoft\AVG7\avgamsvr.exe

C:\Program\Grisoft\AVG7\avgupsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program\iPod\bin\iPodService.exe

C:\Program\Windows Live\Messenger\usnsvc.exe

C:\Program\Windows Live\Messenger\msnmsgr.exe

C:\Program\Netscape\Netscape Browser\netscape.exe

C:\Program\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SWEETIE Class - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\Program\MACROG~1\SWEETI~1\toolbar.dll (file missing)

O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program\Dealio\kb106\Dealio.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll (file missing)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\sv\msntb.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\sv\msntb.dll

O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program\Dealio\kb106\Dealio.dll

O4 - HKLM\..\Run: [soltek] C:\WINDOWS\system32\autorun.exe

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [VirtualDrive] "C:\Program\FarStone\VirtualDrive\VDTask.exe" /AutoRestore

O4 - HKLM\..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe"

O4 - HKLM\..\Run: [upConfgVer] "C:\Program\Panda Software\Panda Antivirus Platinum\UpgConf.exe" /v:7.07.02

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [au] C:\Program\Dealio\DealioAU.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\Program\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE

O9 - Extra button: Coral Eurobet Poker - {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - C:\Program\CoralEurobetPoker\coraleurobetpoker.exe (file missing)

O9 - Extra 'Tools' menuitem: Coral Eurobet Poker - {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - C:\Program\CoralEurobetPoker\coraleurobetpoker.exe (file missing)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: MultiPoker - {641F4F4E-6C91-4159-869E-9F5CE6F0F64E} - E:\Program\MultiPoker\MultiPoker.exe (file missing)

O9 - Extra 'Tools' menuitem: MultiPoker - {641F4F4E-6C91-4159-869E-9F5CE6F0F64E} - E:\Program\MultiPoker\MultiPoker.exe (file missing)

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program\Dealio\kb106\Dealio.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab

O16 - DPF: {1538D4E0-B2C4-402D-B71A-BA6A04BC7A5D} (PictureChooser.picChooser) - http://direct.fotomenyn.com/direct/PictureChooser.cab

O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab

O16 - DPF: {65F77758-B822-45FB-8F0C-08E85705EC4A} (Upload.ctlUpload) - http://direct.fotomenyn.com/direct/upload.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgupsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe

 

--

End of file - 9161 bytes

[/log]

 

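The HijackThis log above is easier to reason about once each line is split into its fields. The Python below is an added example, not code from the thread, from Trend Micro or from HijackThis itself: it parses the R/O line formats HijackThis writes, marks entries whose target is reported as "(file missing)" or "(no file)", separates the command and arguments of the O4 autostart entries, and lets you grep the log for a string. The sample text is a constructed excerpt of the log posted above (a few of its lines, copied in shape), and the function names are my own. Note what such a script cannot find here: no line in the posted HijackThis log mentions TDSS, while the ComboFix run later in the thread prints a TDSSserv.sys service whose image path points under system32\drivers. HijackThis enumerates from user mode, so a component that hides itself from the system's own listings leaves no trace in this log; an empty result is not evidence of a clean machine.

```python
import re

# Constructed excerpt in the shape of the HijackThis log posted above (a few of
# its lines, not the whole log); the [log] block in the thread is the source.
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SWEETIE Class - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\Program\MACROG~1\SWEETI~1\toolbar.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
O4 - HKLM\..\Run: [soltek] C:\WINDOWS\system32\autorun.exe
O4 - HKLM\..\Run: [VirtualDrive] "C:\Program\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
O9 - Extra button: MultiPoker - {641F4F4E-6C91-4159-869E-9F5CE6F0F64E} - E:\Program\MultiPoker\MultiPoker.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgamsvr.exe
End of file - 9161 bytes
"""

HJT_LINE = re.compile(r"^(?P<sec>[ORF]\d+) - (?P<rest>.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
O4_RUN = re.compile(r"^(?P<hive>\S+?): \[(?P<name>[^\]]*)\] (?P<target>.*)$")


def split_command(target):
    """Split an O4 value into (path, args), honouring a double-quoted path."""
    if target.startswith('"'):
        end = target.find('"', 1)
        if end > 0:
            return target[1:end], target[end + 1:].strip()
    path, _, args = target.partition(" ")  # unquoted paths containing spaces are ambiguous
    return path, args


def parse_hjt_line(line):
    """Turn one HijackThis log line into a dict, or None for non-entry lines."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    sec, rest = m.group("sec"), m.group("rest")
    e = {"section": sec, "name": None, "clsid": None, "target": None, "missing": False}
    c = CLSID.search(rest)
    if c:
        e["clsid"] = c.group(0).upper()
    if sec.startswith("R"):                      # R0/R1: registry value = data
        key, _, value = rest.partition(" = ")
        e["name"], e["target"] = key, value or None
    elif sec == "O4":                            # autostart: hive: [name] command
        m4 = O4_RUN.match(rest)
        if m4:
            e["name"], e["target"] = m4.group("name"), m4.group("target")
    else:                                        # "Kind: name - {clsid} - target"
        parts = rest.split(" - ")
        head = parts[0].split(": ", 1)
        e["name"] = head[1] if len(head) == 2 else head[0]
        e["target"] = parts[-1].strip() if len(parts) > 1 else None
    t = e["target"] or ""
    if t == "(no file)":
        e["missing"], e["target"] = True, None
    elif t.endswith("(file missing)"):
        e["missing"], e["target"] = True, t[: -len("(file missing)")].strip()
    return e


def parse_hjt_log(text):
    return [e for e in map(parse_hjt_line, text.splitlines()) if e]


def dangling_entries(entries):
    """Entries whose file is gone: leftovers, safe to let HijackThis fix."""
    return [e for e in entries if e["missing"]]


def autostart_commands(entries):
    """(name, path, args) for every O4 Run entry."""
    return [(e["name"],) + split_command(e["target"]) for e in entries if e["section"] == "O4"]


def mentions(text, needle):
    """Log lines containing needle, case-insensitively (a quick 'is X even listed?')."""
    return [l for l in text.splitlines() if needle.lower() in l.lower()]


if __name__ == "__main__":
    entries = parse_hjt_log(SAMPLE_HJT_LOG)
    for e in dangling_entries(entries):
        print("stale:", e["section"], e["name"], e["clsid"])
    for name, path, args in autostart_commands(entries):
        print("autostart:", name, "->", path, args)
    print("lines mentioning TDSS:", mentions(SAMPLE_HJT_LOG, "TDSS"))
```

Run it as-is to see the stale entries in the sample; replace SAMPLE_HJT_LOG with the full [log] text to process the whole post. The `mentions` check is the point of the exercise: it returns nothing for "TDSS" on this log, which tells you only that HijackThis did not see it.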

 

[log]Download ComboFix to the Desktop:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

 

Unplug the internet connection and close every program you can see, including antivirus, anti-spyware and firewall, or alternatively restart the computer in Safe Mode.

Run ComboFix and follow the instructions shown.

 

IMPORTANT! Don't click on the ComboFix window with the mouse while it is running, otherwise it may hang.

 

When it is finished a log should come up; attach it to your reply. Check that antivirus and firewall are running before you connect to the internet.

 

If you have trouble getting onto the internet:

Control Panel - Network Connections

right-click your internet connection and choose Repair, and/or restart the computer.

 

 

Warning! ComboFix disables automatic running of CDs, floppies and USB devices, to make it easier to clean the computer and to protect it against infections in the future. This can cause problems, e.g. if the computer gets its internet through a USB modem or a USB network adapter. In that case say so instead of running ComboFix.[/log]

 


Hi again,

 

I don't know exactly what ComboFix did, but it apparently deleted some files and now everything works as it should. Many thanks for the help, I hope you have a really good weekend! :)

 

Regards,

P-E

 

[log]ComboFix 08-10-10.07 - Pekka 2008-11-07 19:33:56.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1053.18.158 [GMT 1:00]

Running from: C:\Documents and Settings\Pekka\Skrivbord\ComboFix.exe

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

- REDUCED FUNCTIONALITY MODE -

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\system32\autorun.ini

C:\WINDOWS\temp\perflib_perfdata_1cc.dat

 

.

((((((((((((((((((((((((( Files Created from 2008-10-07 to 2008-11-07 )))))))))))))))))))))))))))))))

.

 

2008-11-07 19:02 . 2008-11-07 19:02 <KAT> d-------- C:\Program\Trend Micro

2008-11-03 19:49 . 2002-01-10 09:15 <KAT> dr------- C:\Documents and Settings\postgres\Start-meny

2008-11-03 19:49 . 2002-01-10 09:15 <KAT> d-------- C:\Documents and Settings\postgres\Skrivbord

2008-11-03 19:49 . 2002-01-10 09:15 <KAT> d--h----- C:\Documents and Settings\postgres\Skrivare

2008-11-03 19:49 . 2002-01-10 09:15 <KAT> d--h----- C:\Documents and Settings\postgres\Nätverket

2008-11-03 19:49 . 2002-01-10 09:15 <KAT> d-------- C:\Documents and Settings\postgres\Mina dokument

2008-11-03 19:49 . 2005-03-04 20:12 <KAT> d--h----- C:\Documents and Settings\postgres\Mallar

2008-11-03 19:49 . 2008-11-07 19:34 <KAT> d--h----- C:\Documents and Settings\postgres\Lokala inställningar

2008-11-03 19:49 . 2002-01-10 09:15 <KAT> d-------- C:\Documents and Settings\postgres\Favoriter

2008-11-03 19:49 . 2008-11-03 19:49 <KAT> d-------- C:\Documents and Settings\postgres

2008-11-03 19:43 . 2008-11-03 19:43 <KAT> d-------- C:\Program\PostgreSQL

2008-11-03 19:38 . 2008-11-03 19:51 <KAT> d-------- C:\Program\PokerTracker 3

2008-11-03 19:33 . 2008-11-03 19:57 <KAT> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

2008-11-03 19:23 . 2003-06-26 14:52 464,128 --a------ C:\WINDOWS\system32\csimxctl.ocx

2008-11-03 19:23 . 2003-06-17 14:54 87,280 --a------ C:\WINDOWS\system32\wsatrace.dll

2008-11-02 15:03 . 2008-11-03 20:21 <KAT> d-------- C:\Program\PeerGuardian2

2008-10-27 17:10 . 2008-10-27 17:10 <KAT> d-------- C:\Documents and Settings\Pekka\Application Data\vlc

2008-10-27 17:08 . 2008-10-27 17:08 <KAT> d-------- C:\Program\VLC

2008-10-24 10:41 . 2008-10-15 17:38 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll

2008-10-21 18:28 . 2008-09-08 11:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys

2008-10-21 17:38 . 2008-08-14 14:27 2,189,952 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe

2008-10-21 17:38 . 2008-08-14 14:27 2,146,304 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe

2008-10-21 17:38 . 2008-08-14 14:27 2,066,816 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

2008-10-21 17:38 . 2008-08-14 14:27 2,024,960 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe

2008-10-21 17:38 . 2008-09-15 16:27 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-07 18:28 --------- d-----w C:\Documents and Settings\Pekka\Application Data\Azureus

2008-11-07 07:00 --------- d-----w C:\Documents and Settings\Pekka\Application Data\AVG7

2008-11-04 23:30 --------- d-----w C:\Program\Windows Live Safety Center

2008-11-03 19:00 --------- d-----w C:\Program\PartyGaming

2008-10-27 16:20 --------- d-----w C:\Documents and Settings\Pekka\Application Data\dvdcss

2008-10-27 16:10 --------- d-----w C:\Documents and Settings\Pekka\Application Data\vlc

2008-10-27 16:08 --------- d-----w C:\Program\VLC

2008-09-15 15:27 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys

2008-09-11 00:00 --------- d-----w C:\Program\vghd

2008-09-10 21:45 --------- d-----w C:\Documents and Settings\Pekka\Application Data\vghd

2008-09-10 19:04 152,904 ----a-w C:\WINDOWS\system32\vghd.scr

2008-09-08 20:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\TVU Networks

2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys

2008-09-04 13:36 5,632 --sha-w C:\Program\Thumbs.db

2008-08-26 08:27 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

2008-08-14 13:27 2,189,952 ----a-w C:\WINDOWS\system32\ntoskrnl.exe

2008-08-14 13:27 2,066,816 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe

2006-05-04 15:43 11,011,592 ----a-w C:\Program\setupeng.exe

2006-01-27 12:43 906,220 ------w C:\Program\Maelstrom-3.0.6-Windows.zip

2006-01-23 00:59 4,332,423 ------w C:\Program\MetropolitanPoker.exe

2006-01-08 20:24 6,557,854 ------w C:\Program\rr1software.zip

2005-12-07 21:58 1,075,343 ------w C:\Program\PFEInstall.exe

2005-12-07 21:41 243,520 ------w C:\Program\jdk-1_5_0_06-windows-i586-p-iftw.exe

2005-12-07 19:11 305,664 ------w C:\Program\setup.exe

2005-12-07 16:26 421,888 ------w C:\Program\putty.exe

2005-12-07 16:05 7,022 ----a-w C:\Program\cygwin.ico

2005-12-07 16:05 58 ----a-w C:\Program\cygwin.bat

2005-10-18 12:52 5,681,152 ----a-w C:\Program\royalcardclub.exe

2005-04-03 15:14 17,144 ----a-w C:\Documents and Settings\Pekka\Application Data\GDIPFONTCACHEV1.DAT

2002-02-09 13:38 263,114 ------w C:\Program\NetInstallEurobetPoker.exe

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

"MsnMsgr"="C:\Program\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

"swg"="C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 68856]

"updateMgr"="C:\Program\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Soltek"="C:\WINDOWS\system32\autorun.exe" [2001-10-29 61440]

"VirtualDrive"="C:\Program\FarStone\VirtualDrive\VDTask.exe" [2002-03-21 204800]

"vcdplayx"="C:\WINDOWS\vcdplayx.exe" [2002-03-18 57344]

"UpConfgVer"="C:\Program\Panda Software\Panda Antivirus Platinum\UpgConf.exe" [2005-03-08 53248]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]

"AVG7_CC"="C:\Program\Grisoft\AVG7\avgcc.exe" [2008-10-21 590848]

"au"="C:\Program\Dealio\DealioAU.exe" [2007-06-27 238936]

"SunJavaUpdateSched"="C:\Program\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"QuickTime Task"="C:\Program\QuickTime\qttask.exe" [2007-06-29 286720]

"iTunesHelper"="C:\Program\iTunes\iTunesHelper.exe" [2007-09-26 267064]

"VTTimer"="VTTimer.exe" [2003-08-20 C:\WINDOWS\system32\VTTimer.exe]

"SoundMan"="SOUNDMAN.EXE" [2004-07-01 C:\WINDOWS\SOUNDMAN.EXE]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]

"AVG7_Run"="C:\Program\Grisoft\AVG7\avgw.exe" [2007-10-25 219136]

 

C:\Documents and Settings\All Users\Start-meny\Program\Autostart

Adobe Reader Speed Launch.lnk - C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

Microsoft Office.lnk - C:\Program\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

--a------ 2006-11-24 17:16 20058152 C:\Program\Skype\Phone\Skype.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\WINDOWS\\system32\\rtcshare.exe"=

"C:\\Program\\NetMeeting\\conf.exe"=

"E:\\Program\\DC++\\DCPlusPlus.exe"=

"C:\\Program\\FarStone\\VirtualDrive\\MGR.exe"=

"C:\\cygwin\\bin\\ssh.exe"=

"C:\\Program\\Maelstrom-3.0.6-Windows\\Maelstrom-3.0.6\\Maelstrom.exe"=

"C:\\Program\\Azureus\\Azureus.exe"=

"C:\\Program\\Java\\jre1.5.0_07\\bin\\javaw.exe"=

"C:\\Program\\Java\\jre1.5.0_09\\bin\\javaw.exe"=

"C:\\Program\\Grisoft\\AVG7\\avginet.exe"=

"C:\\Program\\Grisoft\\AVG7\\avgamsvr.exe"=

"C:\\Program\\Grisoft\\AVG7\\avgcc.exe"=

"C:\\Program\\Java\\jre1.5.0_10\\bin\\javaw.exe"=

"C:\\Program\\Internet Explorer\\iexplore.exe"=

"C:\\Program\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program\\Sony Ericsson\\Sony Ericsson Media Manager 1.0\\MediaManager.exe"=

"C:\\Program\\Skype\\Phone\\Skype.exe"=

"C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Program\\Windows Live\\Messenger\\livecall.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"113:TCP"= 113:TCP:130.238.0.0/255.255.0.0:Disabled:TCP user identification

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

 

R1 cdawdm;CDAWDM;C:\WINDOWS\system32\DRIVERS\CDAWDM.sys [2002-01-24 46735]

R3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\getnd5b.sys [2004-04-14 45568]

S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;D:\INSTAL~E\Core\BVRPMPR5.SYS [ ]

S3 SmartCd;SmartCd;C:\WINDOWS\system32\Drivers\SmartCd.sys [2002-01-19 6356]

S3 VcomPort;Ricoh Usb VCom;C:\WINDOWS\system32\DRIVERS\vcomrico.sys [2000-01-01 121020]

 

*Newly Created Service* - CATCHME

*Newly Created Service* - PROCEXP90

.

Contents of the 'Scheduled Tasks' folder

 

2008-11-07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

- C:\Program\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

.

.

------- Supplementary Scan -------

.

R0 -: HKCU-Main,Start Page = hxxp://www.google.com/

R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore

O9 -: {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - C:\Program\CoralEurobetPoker\coraleurobetpoker.exe

O9 -: {641F4F4E-6C91-4159-869E-9F5CE6F0F64E} - E:\Program\MultiPoker\MultiPoker.exe

O9 -: {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - C:\Program\CoralEurobetPoker\coraleurobetpoker.exe -

O9 -: {641F4F4E-6C91-4159-869E-9F5CE6F0F64E} - E:\Program\MultiPoker\MultiPoker.exe -

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-07 19:35:07

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files:

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]

"imagepath"="\systemroot\system32\drivers\TDSSpaxt.sys"

.

Completion time: 2008-11-07 19:36:14

ComboFix-quarantined-files.txt 2008-11-07 18:36:11

 

Pre-Run: 11 322 847 232 byte ledigt

Post-Run: 12,358,635,520 byte ledigt

 

170 --- E O F --- 2008-10-24 10:55:13

[/log]

 


 

[log]Copy all the lines below

 

 

File::

C:\Windows\system32\drivers\TDSSpaxt.sys

 

Registry::

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]

 

 

 

and paste them into Notepad.

Save it on the Desktop with the name CFScript

Then drag CFScript with the mouse onto ComboFix and run it.

Post the log that comes out and a new HijackThis log.[/log]

 


 

[log]ComboFix 08-10-10.07 - Pekka 2008-11-07 20:08:55.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1053.18.143 [GMT 1:00]

Running from: C:\Documents and Settings\Pekka\Skrivbord\ComboFix.exe

Command switches used :: C:\Documents and Settings\Pekka\Skrivbord\CFScript.txt

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

- REDUCED FUNCTIONALITY MODE -

 

FILE ::

C:\Windows\system32\drivers\TDSSpaxt.sys

.

 

((((((((((((((((((((((((( Files Created from 2008-10-07 to 2008-11-07 )))))))))))))))))))))))))))))))

.

 

2008-11-07 19:02 . 2008-11-07 19:02 <KAT> d-------- C:\Program\Trend Micro

2008-11-06 17:14 . 2008-11-06 17:14 73,728 --a------ C:\WINDOWS\system32\TDSScfgb.dll

2008-11-06 17:14 . 2008-11-06 17:14 35,840 --a------ C:\WINDOWS\system32\TDSSoeqh.dll

2008-11-06 17:14 . 2008-11-06 17:14 31,232 --a------ C:\WINDOWS\system32\TDSSriqp.dll

2008-11-06 17:14 . 2008-11-06 17:14 29,696 --a------ C:\WINDOWS\system32\TDSSnrsr.dll

2008-11-06 17:14 . 2008-11-07 00:28 2,441 --a------ C:\WINDOWS\system32\TDSSfpmp.dll

2008-11-06 17:14 . 2008-11-06 17:14 527 --a------ C:\WINDOWS\system32\TDSSosvn.dat

2008-11-03 19:49 . 2002-01-10 09:15 <KAT> dr------- C:\Documents and Settings\postgres\Start-meny

2008-11-03 19:49 . 2002-01-10 09:15 <KAT> d-------- C:\Documents and Settings\postgres\Skrivbord

2008-11-03 19:49 . 2002-01-10 09:15 <KAT> d--h----- C:\Documents and Settings\postgres\Skrivare

2008-11-03 19:49 . 2002-01-10 09:15 <KAT> d--h----- C:\Documents and Settings\postgres\Nätverket

2008-11-03 19:49 . 2002-01-10 09:15 <KAT> d-------- C:\Documents and Settings\postgres\Mina dokument

2008-11-03 19:49 . 2005-03-04 20:12 <KAT> d--h----- C:\Documents and Settings\postgres\Mallar

2008-11-03 19:49 . 2008-11-07 19:36 <KAT> d--h----- C:\Documents and Settings\postgres\Lokala inställningar

2008-11-03 19:49 . 2002-01-10 09:15 <KAT> d-------- C:\Documents and Settings\postgres\Favoriter

2008-11-03 19:49 . 2008-11-03 19:49 <KAT> d-------- C:\Documents and Settings\postgres

2008-11-03 19:43 . 2008-11-03 19:43 <KAT> d-------- C:\Program\PostgreSQL

2008-11-03 19:38 . 2008-11-03 19:51 <KAT> d-------- C:\Program\PokerTracker 3

2008-11-03 19:33 . 2008-11-03 19:57 <KAT> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

2008-11-03 19:23 . 2003-06-26 14:52 464,128 --a------ C:\WINDOWS\system32\csimxctl.ocx

2008-11-03 19:23 . 2003-06-17 14:54 87,280 --a------ C:\WINDOWS\system32\wsatrace.dll

2008-11-02 15:03 . 2008-11-03 20:21 <KAT> d-------- C:\Program\PeerGuardian2

2008-10-27 17:10 . 2008-10-27 17:10 <KAT> d-------- C:\Documents and Settings\Pekka\Application Data\vlc

2008-10-27 17:08 . 2008-10-27 17:08 <KAT> d-------- C:\Program\VLC

2008-10-24 10:41 . 2008-10-15 17:38 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll

2008-10-21 18:28 . 2008-09-08 11:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys

2008-10-21 17:38 . 2008-08-14 14:27 2,189,952 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe

2008-10-21 17:38 . 2008-08-14 14:27 2,146,304 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe

2008-10-21 17:38 . 2008-08-14 14:27 2,066,816 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

2008-10-21 17:38 . 2008-08-14 14:27 2,024,960 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe

2008-10-21 17:38 . 2008-09-15 16:27 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-07 18:28 --------- d-----w C:\Documents and Settings\Pekka\Application Data\Azureus

2008-11-07 07:00 --------- d-----w C:\Documents and Settings\Pekka\Application Data\AVG7

2008-11-04 23:30 --------- d-----w C:\Program\Windows Live Safety Center

2008-11-03 19:00 --------- d-----w C:\Program\PartyGaming

2008-10-27 16:20 --------- d-----w C:\Documents and Settings\Pekka\Application Data\dvdcss

2008-10-27 16:10 --------- d-----w C:\Documents and Settings\Pekka\Application Data\vlc

2008-10-27 16:08 --------- d-----w C:\Program\VLC

2008-09-15 15:27 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys

2008-09-11 00:00 --------- d-----w C:\Program\vghd

2008-09-10 21:45 --------- d-----w C:\Documents and Settings\Pekka\Application Data\vghd

2008-09-10 19:04 152,904 ----a-w C:\WINDOWS\system32\vghd.scr

2008-09-08 20:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\TVU Networks

2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys

2008-09-04 13:36 5,632 --sha-w C:\Program\Thumbs.db

2008-08-26 08:27 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

2008-08-14 13:27 2,189,952 ----a-w C:\WINDOWS\system32\ntoskrnl.exe

2008-08-14 13:27 2,066,816 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe

2006-05-04 15:43 11,011,592 ----a-w C:\Program\setupeng.exe

2006-01-27 12:43 906,220 ------w C:\Program\Maelstrom-3.0.6-Windows.zip

2006-01-23 00:59 4,332,423 ------w C:\Program\MetropolitanPoker.exe

2006-01-08 20:24 6,557,854 ------w C:\Program\rr1software.zip

2005-12-07 21:58 1,075,343 ------w C:\Program\PFEInstall.exe

2005-12-07 21:41 243,520 ------w C:\Program\jdk-1_5_0_06-windows-i586-p-iftw.exe

2005-12-07 19:11 305,664 ------w C:\Program\setup.exe

2005-12-07 16:26 421,888 ------w C:\Program\putty.exe

2005-12-07 16:05 7,022 ----a-w C:\Program\cygwin.ico

2005-12-07 16:05 58 ----a-w C:\Program\cygwin.bat

2005-10-18 12:52 5,681,152 ----a-w C:\Program\royalcardclub.exe

2005-04-03 15:14 17,144 ----a-w C:\Documents and Settings\Pekka\Application Data\GDIPFONTCACHEV1.DAT

2002-02-09 13:38 263,114 ------w C:\Program\NetInstallEurobetPoker.exe

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

"MsnMsgr"="C:\Program\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

"swg"="C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 68856]

"updateMgr"="C:\Program\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Soltek"="C:\WINDOWS\system32\autorun.exe" [2001-10-29 61440]

"VirtualDrive"="C:\Program\FarStone\VirtualDrive\VDTask.exe" [2002-03-21 204800]

"vcdplayx"="C:\WINDOWS\vcdplayx.exe" [2002-03-18 57344]

"UpConfgVer"="C:\Program\Panda Software\Panda Antivirus Platinum\UpgConf.exe" [2005-03-08 53248]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]

"AVG7_CC"="C:\Program\Grisoft\AVG7\avgcc.exe" [2008-10-21 590848]

"au"="C:\Program\Dealio\DealioAU.exe" [2007-06-27 238936]

"SunJavaUpdateSched"="C:\Program\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"QuickTime Task"="C:\Program\QuickTime\qttask.exe" [2007-06-29 286720]

"iTunesHelper"="C:\Program\iTunes\iTunesHelper.exe" [2007-09-26 267064]

"VTTimer"="VTTimer.exe" [2003-08-20 C:\WINDOWS\system32\VTTimer.exe]

"SoundMan"="SOUNDMAN.EXE" [2004-07-01 C:\WINDOWS\SOUNDMAN.EXE]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]

"AVG7_Run"="C:\Program\Grisoft\AVG7\avgw.exe" [2007-10-25 219136]

 

C:\Documents and Settings\All Users\Start-meny\Program\Autostart

Adobe Reader Speed Launch.lnk - C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

Microsoft Office.lnk - C:\Program\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

--a------ 2006-11-24 17:16 20058152 C:\Program\Skype\Phone\Skype.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\WINDOWS\\system32\\rtcshare.exe"=

"C:\\Program\\NetMeeting\\conf.exe"=

"E:\\Program\\DC++\\DCPlusPlus.exe"=

"C:\\Program\\FarStone\\VirtualDrive\\MGR.exe"=

"C:\\cygwin\\bin\\ssh.exe"=

"C:\\Program\\Maelstrom-3.0.6-Windows\\Maelstrom-3.0.6\\Maelstrom.exe"=

"C:\\Program\\Azureus\\Azureus.exe"=

"C:\\Program\\Java\\jre1.5.0_07\\bin\\javaw.exe"=

"C:\\Program\\Java\\jre1.5.0_09\\bin\\javaw.exe"=

"C:\\Program\\Grisoft\\AVG7\\avginet.exe"=

"C:\\Program\\Grisoft\\AVG7\\avgamsvr.exe"=

"C:\\Program\\Grisoft\\AVG7\\avgcc.exe"=

"C:\\Program\\Java\\jre1.5.0_10\\bin\\javaw.exe"=

"C:\\Program\\Internet Explorer\\iexplore.exe"=

"C:\\Program\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program\\Sony Ericsson\\Sony Ericsson Media Manager 1.0\\MediaManager.exe"=

"C:\\Program\\Skype\\Phone\\Skype.exe"=

"C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Program\\Windows Live\\Messenger\\livecall.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"113:TCP"= 113:TCP:130.238.0.0/255.255.0.0:Disabled:TCP user identification

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

 

R1 cdawdm;CDAWDM;C:\WINDOWS\system32\DRIVERS\CDAWDM.sys [2002-01-24 46735]

R3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\getnd5b.sys [2004-04-14 45568]

S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;D:\INSTAL~E\Core\BVRPMPR5.SYS [ ]

S3 SmartCd;SmartCd;C:\WINDOWS\system32\Drivers\SmartCd.sys [2002-01-19 6356]

S3 VcomPort;Ricoh Usb VCom;C:\WINDOWS\system32\DRIVERS\vcomrico.sys [2000-01-01 121020]

.

Contents of the 'Scheduled Tasks' folder

 

2008-11-07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

- C:\Program\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-07 20:11:22

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]

"imagepath"="\systemroot\system32\drivers\TDSSpaxt.sys"

.

------------------------ Other Running Processes ------------------------

.

C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program\Grisoft\AVG7\avgamsvr.exe

C:\Program\Grisoft\AVG7\avgupsvc.exe

C:\Program\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2008-11-07 20:16:13 - machine was rebooted

ComboFix-quarantined-files.txt 2008-11-07 19:16:08

ComboFix2.txt 2008-11-07 18:36:15

 

Pre-Run: 12 359 680 000 byte ledigt

Post-Run: 12,359,909,376 byte ledigt

 

172 --- E O F --- 2008-10-24 10:55:13

[/log]

 

[log]

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:20:40, on 2008-11-07

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program\Grisoft\AVG7\avgamsvr.exe

C:\Program\Grisoft\AVG7\avgupsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program\FarStone\VirtualDrive\VDTask.exe

C:\WINDOWS\vcdplayx.exe

C:\Program\Grisoft\AVG7\avgcc.exe

C:\Program\Java\jre1.6.0_07\bin\jusched.exe

C:\Program\QuickTime\qttask.exe

C:\Program\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\Windows Live\Messenger\MsnMsgr.Exe

C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program\iPod\bin\iPodService.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SWEETIE Class - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\Program\MACROG~1\SWEETI~1\toolbar.dll (file missing)

O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program\Dealio\kb106\Dealio.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll (file missing)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\sv\msntb.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\sv\msntb.dll

O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program\Dealio\kb106\Dealio.dll

O4 - HKLM\..\Run: [soltek] C:\WINDOWS\system32\autorun.exe

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [VirtualDrive] "C:\Program\FarStone\VirtualDrive\VDTask.exe" /AutoRestore

O4 - HKLM\..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe"

O4 - HKLM\..\Run: [upConfgVer] "C:\Program\Panda Software\Panda Antivirus Platinum\UpgConf.exe" /v:7.07.02

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [au] C:\Program\Dealio\DealioAU.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\Program\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE

O9 - Extra button: Coral Eurobet Poker - {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - C:\Program\CoralEurobetPoker\coraleurobetpoker.exe (file missing)

O9 - Extra 'Tools' menuitem: Coral Eurobet Poker - {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - C:\Program\CoralEurobetPoker\coraleurobetpoker.exe (file missing)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: MultiPoker - {641F4F4E-6C91-4159-869E-9F5CE6F0F64E} - E:\Program\MultiPoker\MultiPoker.exe (file missing)

O9 - Extra 'Tools' menuitem: MultiPoker - {641F4F4E-6C91-4159-869E-9F5CE6F0F64E} - E:\Program\MultiPoker\MultiPoker.exe (file missing)

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program\Dealio\kb106\Dealio.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab

O16 - DPF: {1538D4E0-B2C4-402D-B71A-BA6A04BC7A5D} (PictureChooser.picChooser) - http://direct.fotomenyn.com/direct/PictureChooser.cab

O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab

O16 - DPF: {65F77758-B822-45FB-8F0C-08E85705EC4A} (Upload.ctlUpload) - http://direct.fotomenyn.com/direct/upload.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgupsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe

 

--

End of file - 8605 bytes

[/log]

 


 

[log]Scan with HijackThis, tick the following lines, close the web browser and click Fix checked

 

O2 - BHO: SWEETIE Class - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\Program\MACROG~1\SWEETI~1\toolbar.dll (file missing)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)

 

After that the log is OK.

The ComboFix script went wrong when the line got broken, so follow the path in the registry

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\

 

and remove TDSSserv.sys[/log]

 

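One way to do the triage the reply above did by hand, as an added example that is not from the thread or from HijackThis itself: a Python parser for HijackThis O2 (BHO) and O3 (Toolbar) lines that flags registrations whose DLL no longer exists, the "(file missing)" and "(no file)" markers, run over a constructed sample in the format of the log posted above.

```python
import re
from dataclasses import dataclass

# Matches HijackThis O2 (BHO) and O3 (Toolbar) entries, e.g.
# "O2 - BHO: Name - {CLSID} - C:\path\file.dll (file missing)"
ENTRY_RE = re.compile(
    r"^(?P<section>O[23]) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - "
    r"\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$"
)


@dataclass
class Entry:
    section: str
    kind: str
    name: str
    clsid: str
    target: str

    @property
    def file_missing(self) -> bool:
        # HijackThis appends these markers when the registered DLL is gone
        return self.target.endswith("(file missing)") or self.target == "(no file)"


def parse_entries(log_text: str) -> list:
    """Parse every O2/O3 line of a HijackThis log; other sections are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(**m.groupdict()))
    return entries


def orphaned_entries(log_text: str) -> list:
    """Return BHO/toolbar registrations whose file no longer exists on disk."""
    return [e for e in parse_entries(log_text) if e.file_missing]


# Constructed sample: a few lines in the format of the posted HijackThis log.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: SWEETIE Class - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\\Program\\MACROG~1\\SWEETI~1\\toolbar.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\\Program\\Macrogaming\\SweetIMBarForIE\\toolbar.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\\program\\google\\googletoolbar1.dll
O4 - HKLM\\..\\Run: [au] C:\\Program\\Dealio\\DealioAU.exe
"""

if __name__ == "__main__":
    for e in orphaned_entries(SAMPLE_LOG):
        print(f"{e.section} {e.kind}: {e.name} {{{e.clsid}}} -> {e.target}")
```

Orphaned entries are only one signal; a BHO whose file is present can still be unwanted (the Dealio entries in the log above are a case in point), so the result is a starting list for review, not a verdict.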

That's done. Once again, a thousand thanks for the help! Really kind of you to spend so much time on this! :)

 

Have a nice weekend!

/P-E

 


 

[log]Oops, I missed a few files here, so

 

Download Malwarebytes Anti-Malware:

http://www.besttechie.net/tools/mbam-setup.exe

Double-click mbam-setup.exe to install the program.

Tick:

Update Malwarebytes' Anti-Malware

Launch Malwarebytes' Anti-Malware

Press Finish

If there is an update it will be downloaded and installed.

 

When the program starts, select Perform Quick Scan and press Scan.

Remove everything that is found.[/log]

 


Archived

This topic is now archived and is closed to further replies.