
Win32.TrojanDownloader.Small


dusc


In which file and folder does Ad-aware find the trojan?

 

To begin with, we can see whether HijackThis shows anything. Download it from one of these links:

http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html

Install it, start it and choose "Do a system scan and save a logfile", then copy the log that comes up (nothing else).

In your reply, attach the HijackThis log like this:

Press the LOG button in the Reply window

Paste the log

Press the LOG button again

 


[log]Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:47:41, on 2008-11-09

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\bgsvcgen.exe

C:\Program\Bonjour\mDNSResponder.exe

C:\Program\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\Program\Delade filer\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Program\Nero\Nero8\Nero BackItUp\NBService.exe

C:\WINDOWS\system32\spupdsvc.exe

C:\Program\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

C:\WINDOWS\ehome\medctrro.exe

C:\WINDOWS\CTHELPER.EXE

C:\WINDOWS\Logi_MwX.Exe

C:\WINDOWS\VistaDrive\VistaDrive.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program\CA\CA Internet Security Suite\cctray\cctray.exe

C:\Program\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe

C:\Program\Razer\DeathAdder\razerhid.exe

C:\Program\Analog Devices\Core\smax4pnp.exe

C:\Program\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\iid.exe

C:\Program\Java\jre1.6.0_07\bin\jusched.exe

C:\Program\Delade filer\Nero\Lib\NMBgMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program\Windows Live\Messenger\MsnMsgr.Exe

C:\program\steam\steam.exe

C:\Program\Messenger\msmsgs.exe

C:\Program\Razer\DeathAdder\razertra.exe

C:\Program\Razer\DeathAdder\razerofa.exe

C:\Program\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\Delade filer\Nero\Lib\NMIndexingService.exe

C:\Program\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program\iPod\bin\iPodService.exe

C:\Program\Delade filer\Nero\Lib\NMIndexStoreSvr.exe

C:\Program\CA\CA Internet Security Suite\ccprovsp.exe

C:\Program\Outlook Express\msimn.exe

C:\Program\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.se/ie

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {02661BE3-375C-4325-ADB5-E2D0F2E48EE7} - C:\WINDOWS\system32\mcd3232.dll (file missing)

O2 - BHO: Länkhjälp till Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1C2C4EEC-A3F1-4B4E-A708-B5E7C508515C} - C:\WINDOWS\system32\lz3232.dll (file missing)

O2 - BHO: (no name) - {3605D931-30C1-438F-AF6B-97413BAC11AE} - C:\WINDOWS\system32\mqtrig32.dll (file missing)

O2 - BHO: (no name) - {37485D03-F3BB-4106-AE2C-76A9E731302D} - C:\WINDOWS\system32\kbdcz132.dll (file missing)

O2 - BHO: (no name) - {384CD68A-C008-4782-A3BB-15D068EC1EBD} - C:\WINDOWS\system32\d3d932.dll (file missing)

O2 - BHO: (no name) - {3B317CAF-4875-4A95-96FF-AFBD3084EBE6} - C:\WINDOWS\system32\sigtab32.dll (file missing)

O2 - BHO: (no name) - {6445E1ED-90AE-44C7-964A-C4430795BDF3} - C:\WINDOWS\system32\kcdinbe1.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {9311F160-9B1E-44BB-9477-A36BA58FB5CB} - C:\WINDOWS\system32\webclntd.dll (file missing)

O2 - BHO: (no name) - {9671F4F9-14F4-4952-B87A-B792979FDACF} - C:\WINDOWS\system32\vbscripu.dll (file missing)

O2 - BHO: (no name) - {A4F866D8-65D4-4A5B-8814-7EAB98FAE902} - C:\WINDOWS\system32\mfc4032.dll (file missing)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll

O2 - BHO: (no name) - {ADE59680-BB26-4B3C-8D12-6B7F52EC373C} - C:\WINDOWS\system32\msvjdctl.dll (file missing)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O2 - BHO: (no name) - {B521D0C5-E356-4E82-9A08-3547B4C30BD3} - C:\WINDOWS\system32\shlwapid.dll (file missing)

O2 - BHO: (no name) - {C0282A23-F328-41D7-A680-9134B40FB743} - C:\WINDOWS\system32\rtm32.dll (file missing)

O2 - BHO: (no name) - {CB14CE28-A869-4A15-BC64-F64A4D900661} - C:\WINDOWS\system32\slayesxp.dll (file missing)

O2 - BHO: (no name) - {DDEAAD26-D28E-4007-8AEB-543D5CF36E46} - C:\WINDOWS\system32\lpadperf.dll (file missing)

O2 - BHO: (no name) - {E181E021-C444-4196-AC51-3B91C618CBA9} - C:\WINDOWS\system32\atiohlx2.dll (file missing)

O2 - BHO: (no name) - {E2FE9BE7-12A2-49E6-983B-8F5357FBC65C} - C:\WINDOWS\system32\radpldlg.dll (file missing)

O2 - BHO: (no name) - {ECA8C40D-1D2B-4D23-BCE1-2A53920647DA} - C:\WINDOWS\system32\msvcp71d.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive\VistaDrive.exe

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program\Delade filer\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [cctray] "C:\Program\CA\CA Internet Security Suite\cctray\cctray.exe"

O4 - HKLM\..\Run: [CAVRID] "C:\Program\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"

O4 - HKLM\..\Run: [DeathAdder] C:\Program\Razer\DeathAdder\razerhid.exe

O4 - HKLM\..\Run: [startCCC] "C:\Program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\Multimedia\QuickTime Alternative\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [OM_Monitor] C:\Program\OLYMPUS\OLYMPUS Master\FirstStart.exe

O4 - HKLM\..\Run: [Net iD] C:\WINDOWS\system32\iid.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program\Delade filer\Nero\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [steam] "c:\program\steam\steam.exe" -silent

O4 - HKCU\..\Run: [OM_Monitor] C:\Program\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-19\..\RunOnce: [setDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [setDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [setDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [setDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~1\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} (PPLive Lite Class) - http://dl.pplive.com/PluginSetup.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe

O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program\Bonjour\mDNSResponder.exe

O23 - Service: CaCCProvSP - CA, Inc. - C:\Program\CA\CA Internet Security Suite\ccprovsp.exe

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program\Delade filer\Nero\Lib\NMIndexingService.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program\Spyware Doctor\pctsSvc.exe

O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

 

--

End of file - 12511 bytes

[/log]

 


In which file and folder does Ad-aware find the trojan?

 

Download Malwarebytes Anti-Malware (MBAM) from one of these links:

http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

http://projects.securitywonks.net/projects/details.php?file=158

Double-click mbam-setup to install the program.

[log]At the end of the installation, make sure these are checked:

Update Malwarebytes' Anti-Malware

Launch Malwarebytes' Anti-Malware

Press Finish

If there is an update, it will be downloaded and installed.

When the program starts, choose "Perform quick scan" and press Scan.

The scan takes a while.

When it is done, press OK and then "Show results".

Check everything and then press Remove selected.

When the removal is done, Notepad opens with a log.

You may get a request to restart the computer (Restart). If so, do it.

If the program does not start by itself after the restart, start it.

If the log does not appear by itself in Notepad, you will find it on the Logs tab in MBAM.

Copy the log and paste it into your reply together with a new HijackThis log.[/log]

 


[log]Malwarebytes' Anti-Malware 1.30

Databasversion: 1377

Windows 5.1.2600 Service Pack 3

 

2008-11-09 20:17:32

mbam-log-2008-11-09 (20-17-32).txt

 

Skanningstyp: Snabb skanning

Antal skannade objekt: 52218

Förfluten tid: 4 minute(s), 33 second(s)

 

Infekterade minnesprocesser: 0

Infekterade minnesmoduler: 1

Infekterade registernycklar: 3

Infekterade registervärden: 0

Infekterade registerdataposter: 0

Infekterade mappar: 0

Infekterade filer: 1

 

Infekterade minnesprocesser:

(Inga illasinnade poster hittades)

 

Infekterade minnesmoduler:

C:\WINDOWS\system32\kbdneprd.dll (Trojan.BHO) -> Delete on reboot.

 

Infekterade registernycklar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{697748f1-e5cd-4beb-a8ce-5af80e4620fc} (Trojan.BHO.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{697748f1-e5cd-4beb-a8ce-5af80e4620fc} (Trojan.BHO.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{697748f1-e5cd-4beb-a8ce-5af80e4620fc} (Trojan.BHO) -> Quarantined and deleted successfully.

 

Infekterade registervärden:

(Inga illasinnade poster hittades)

 

Infekterade registerdataposter:

(Inga illasinnade poster hittades)

 

Infekterade mappar:

(Inga illasinnade poster hittades)

 

Infekterade filer:

C:\WINDOWS\system32\kbdneprd.dll (Trojan.BHO.H) -> Delete on reboot.

[/log]

 


[log]Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:24:17, on 2008-11-09

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\bgsvcgen.exe

C:\Program\Bonjour\mDNSResponder.exe

C:\Program\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\Program\Delade filer\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Program\Nero\Nero8\Nero BackItUp\NBService.exe

C:\WINDOWS\system32\spupdsvc.exe

C:\Program\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

C:\WINDOWS\ehome\medctrro.exe

C:\WINDOWS\CTHELPER.EXE

C:\WINDOWS\Logi_MwX.Exe

C:\WINDOWS\VistaDrive\VistaDrive.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program\CA\CA Internet Security Suite\cctray\cctray.exe

C:\Program\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe

C:\Program\Razer\DeathAdder\razerhid.exe

C:\Program\Analog Devices\Core\smax4pnp.exe

C:\Program\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\iid.exe

C:\Program\Java\jre1.6.0_07\bin\jusched.exe

C:\Program\Delade filer\Nero\Lib\NMBgMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program\Windows Live\Messenger\MsnMsgr.Exe

C:\program\steam\steam.exe

C:\Program\Messenger\msmsgs.exe

C:\Program\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\Razer\DeathAdder\razertra.exe

C:\Program\Razer\DeathAdder\razerofa.exe

C:\Program\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program\Delade filer\Nero\Lib\NMIndexingService.exe

C:\Program\iPod\bin\iPodService.exe

C:\Program\Delade filer\Nero\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program\Outlook Express\msimn.exe

C:\Program\Internet Explorer\IEXPLORE.EXE

C:\Program\Delade filer\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Program\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.se/ie

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {02661BE3-375C-4325-ADB5-E2D0F2E48EE7} - C:\WINDOWS\system32\mcd3232.dll (file missing)

O2 - BHO: Länkhjälp till Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1C2C4EEC-A3F1-4B4E-A708-B5E7C508515C} - C:\WINDOWS\system32\lz3232.dll (file missing)

O2 - BHO: (no name) - {3605D931-30C1-438F-AF6B-97413BAC11AE} - C:\WINDOWS\system32\mqtrig32.dll (file missing)

O2 - BHO: (no name) - {37485D03-F3BB-4106-AE2C-76A9E731302D} - C:\WINDOWS\system32\kbdcz132.dll (file missing)

O2 - BHO: (no name) - {384CD68A-C008-4782-A3BB-15D068EC1EBD} - C:\WINDOWS\system32\d3d932.dll (file missing)

O2 - BHO: (no name) - {3B317CAF-4875-4A95-96FF-AFBD3084EBE6} - C:\WINDOWS\system32\sigtab32.dll (file missing)

O2 - BHO: (no name) - {6445E1ED-90AE-44C7-964A-C4430795BDF3} - C:\WINDOWS\system32\kcdinbe1.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {9311F160-9B1E-44BB-9477-A36BA58FB5CB} - C:\WINDOWS\system32\webclntd.dll (file missing)

O2 - BHO: (no name) - {9671F4F9-14F4-4952-B87A-B792979FDACF} - C:\WINDOWS\system32\vbscripu.dll (file missing)

O2 - BHO: (no name) - {A4F866D8-65D4-4A5B-8814-7EAB98FAE902} - C:\WINDOWS\system32\mfc4032.dll (file missing)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll

O2 - BHO: (no name) - {ADE59680-BB26-4B3C-8D12-6B7F52EC373C} - C:\WINDOWS\system32\msvjdctl.dll (file missing)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O2 - BHO: (no name) - {B521D0C5-E356-4E82-9A08-3547B4C30BD3} - C:\WINDOWS\system32\shlwapid.dll (file missing)

O2 - BHO: (no name) - {B5BCF3B4-115D-4CB3-AF64-52690001939D} - C:\WINDOWS\system32\inagXRA7.dll

O2 - BHO: (no name) - {C0282A23-F328-41D7-A680-9134B40FB743} - C:\WINDOWS\system32\rtm32.dll (file missing)

O2 - BHO: (no name) - {CB14CE28-A869-4A15-BC64-F64A4D900661} - C:\WINDOWS\system32\slayesxp.dll (file missing)

O2 - BHO: (no name) - {DDEAAD26-D28E-4007-8AEB-543D5CF36E46} - C:\WINDOWS\system32\lpadperf.dll (file missing)

O2 - BHO: (no name) - {E181E021-C444-4196-AC51-3B91C618CBA9} - C:\WINDOWS\system32\atiohlx2.dll (file missing)

O2 - BHO: (no name) - {E2FE9BE7-12A2-49E6-983B-8F5357FBC65C} - C:\WINDOWS\system32\radpldlg.dll (file missing)

O2 - BHO: (no name) - {ECA8C40D-1D2B-4D23-BCE1-2A53920647DA} - C:\WINDOWS\system32\msvcp71d.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive\VistaDrive.exe

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program\Delade filer\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [cctray] "C:\Program\CA\CA Internet Security Suite\cctray\cctray.exe"

O4 - HKLM\..\Run: [CAVRID] "C:\Program\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"

O4 - HKLM\..\Run: [DeathAdder] C:\Program\Razer\DeathAdder\razerhid.exe

O4 - HKLM\..\Run: [startCCC] "C:\Program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\Multimedia\QuickTime Alternative\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [OM_Monitor] C:\Program\OLYMPUS\OLYMPUS Master\FirstStart.exe

O4 - HKLM\..\Run: [Net iD] C:\WINDOWS\system32\iid.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program\Delade filer\Nero\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [steam] "c:\program\steam\steam.exe" -silent

O4 - HKCU\..\Run: [OM_Monitor] C:\Program\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-19\..\RunOnce: [setDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [setDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [setDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [setDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~1\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} (PPLive Lite Class) - http://dl.pplive.com/PluginSetup.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe

O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program\Bonjour\mDNSResponder.exe

O23 - Service: CaCCProvSP - CA, Inc. - C:\Program\CA\CA Internet Security Suite\ccprovsp.exe

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program\Delade filer\Nero\Lib\NMIndexingService.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program\Spyware Doctor\pctsSvc.exe

O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

 

--

End of file - 12832 bytes

[/log]

 


Scan with HijackThis and check:

 

[log]R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {02661BE3-375C-4325-ADB5-E2D0F2E48EE7} - C:\WINDOWS\system32\mcd3232.dll (file missing)

O2 - BHO: (no name) - {1C2C4EEC-A3F1-4B4E-A708-B5E7C508515C} - C:\WINDOWS\system32\lz3232.dll (file missing)

O2 - BHO: (no name) - {3605D931-30C1-438F-AF6B-97413BAC11AE} - C:\WINDOWS\system32\mqtrig32.dll (file missing)

O2 - BHO: (no name) - {37485D03-F3BB-4106-AE2C-76A9E731302D} - C:\WINDOWS\system32\kbdcz132.dll (file missing)

O2 - BHO: (no name) - {384CD68A-C008-4782-A3BB-15D068EC1EBD} - C:\WINDOWS\system32\d3d932.dll (file missing)

O2 - BHO: (no name) - {3B317CAF-4875-4A95-96FF-AFBD3084EBE6} - C:\WINDOWS\system32\sigtab32.dll (file missing)

O2 - BHO: (no name) - {6445E1ED-90AE-44C7-964A-C4430795BDF3} - C:\WINDOWS\system32\kcdinbe1.dll (file missing)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {9311F160-9B1E-44BB-9477-A36BA58FB5CB} - C:\WINDOWS\system32\webclntd.dll (file missing)

O2 - BHO: (no name) - {9671F4F9-14F4-4952-B87A-B792979FDACF} - C:\WINDOWS\system32\vbscripu.dll (file missing)

O2 - BHO: (no name) - {A4F866D8-65D4-4A5B-8814-7EAB98FAE902} - C:\WINDOWS\system32\mfc4032.dll (file missing)

O2 - BHO: (no name) - {ADE59680-BB26-4B3C-8D12-6B7F52EC373C} - C:\WINDOWS\system32\msvjdctl.dll (file missing)

O2 - BHO: (no name) - {B521D0C5-E356-4E82-9A08-3547B4C30BD3} - C:\WINDOWS\system32\shlwapid.dll (file missing)

O2 - BHO: (no name) - {B5BCF3B4-115D-4CB3-AF64-52690001939D} - C:\WINDOWS\system32\inagXRA7.dll

O2 - BHO: (no name) - {C0282A23-F328-41D7-A680-9134B40FB743} - C:\WINDOWS\system32\rtm32.dll (file missing)

O2 - BHO: (no name) - {CB14CE28-A869-4A15-BC64-F64A4D900661} - C:\WINDOWS\system32\slayesxp.dll (file missing)

O2 - BHO: (no name) - {DDEAAD26-D28E-4007-8AEB-543D5CF36E46} - C:\WINDOWS\system32\lpadperf.dll (file missing)

O2 - BHO: (no name) - {E181E021-C444-4196-AC51-3B91C618CBA9} - C:\WINDOWS\system32\atiohlx2.dll (file missing)

O2 - BHO: (no name) - {E2FE9BE7-12A2-49E6-983B-8F5357FBC65C} - C:\WINDOWS\system32\radpldlg.dll (file missing)

O2 - BHO: (no name) - {ECA8C40D-1D2B-4D23-BCE1-2A53920647DA} - C:\WINDOWS\system32\msvcp71d.dll (file missing)[/log]

 

Close all other programs.

Press Fix checked.

Restart the computer and then post a new HijackThis log.

Does Ad-aware find anything now?
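The fix list in the reply above follows a rule the helper applied by eye: the missing default URLSearchHook, plus every O2 BHO entry that reports "(no name)", whether its DLL is already gone or, as with inagXRA7.dll, still present. The Python below is an added example, not code from the thread or from HijackThis, that applies the same triage rule mechanically to HijackThis log text and also lists which entries are new compared with an earlier log, which is how the inagXRA7.dll entry that appeared between the 19:47 and 20:24 logs would stand out. The sample log is a constructed excerpt of lines copied from the logs in this thread; the severity labels and the function names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the HijackThis logs in this
# thread, not a complete log. Raw string so the Windows backslashes survive.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02661BE3-375C-4325-ADB5-E2D0F2E48EE7} - C:\WINDOWS\system32\mcd3232.dll (file missing)
O2 - BHO: Länkhjälp till Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
O2 - BHO: (no name) - {B5BCF3B4-115D-4CB3-AF64-52690001939D} - C:\WINDOWS\system32\inagXRA7.dll
O4 - HKLM\..\Run: [Net iD] C:\WINDOWS\system32\iid.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# The same excerpt without the inagXRA7.dll line, standing in for the earlier
# (19:47) log so that the two can be compared.
EARLIER_LOG = "\n".join(l for l in SAMPLE_LOG.splitlines() if "inagXRA7" not in l)

# Every HijackThis entry starts with a section code such as R0, R3, O2, O23.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# Body of an O2 line: "BHO: <name> - {<CLSID>} - <dll path or (no file)>".
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low" (my own labels)
    reason: str
    line: str      # the log line exactly as it would be ticked in HijackThis


def parse_entries(log_text):
    """Yield (code, body, raw_line) for each R*/O* line; process-list lines are skipped."""
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            yield m.group("code"), m.group("body"), raw


def triage(log_text):
    """Apply the thread's rule: flag the missing URLSearchHook and every unnamed BHO."""
    findings = []
    for code, body, raw in parse_entries(log_text):
        if code == "R3" and "URLSearchHook is missing" in body:
            findings.append(Finding("medium", "IE default URLSearchHook removed; HijackThis can restore it", raw))
        elif code == "O2":
            m = BHO_RE.match(body)
            if not m or m.group("name") != "(no name)":
                continue  # named, registered BHO: left alone by the rule
            target = m.group("target")
            if target == "(no file)" or target.endswith("(file missing)"):
                findings.append(Finding("low", "orphaned BHO registration, DLL already gone; safe to fix", raw))
            else:
                findings.append(Finding("high", f"unnamed BHO with a live DLL, inspect first: {target}", raw))
    return findings


def fix_list(findings):
    """Lines to tick before pressing Fix checked, in log order."""
    return [f.line for f in findings]


def new_entries(old_log, new_log):
    """Entries present only in the newer log (process lists are ignored by parse_entries)."""
    old = {raw for _, _, raw in parse_entries(old_log)}
    return [raw for _, _, raw in parse_entries(new_log) if raw not in old]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n    {f.line}")
    print("New since the earlier log:")
    for line in new_entries(EARLIER_LOG, SAMPLE_LOG):
        print("    " + line)
```

Run against the excerpt, triage returns four findings in log order (the R3 line, the two dead registrations, then the live inagXRA7.dll BHO as the only "high"), and new_entries returns just that live BHO line. Named BHOs such as the Adobe and Google helpers are skipped on purpose; the rule is about the unnamed entries, and the comparison between two logs is what shows a DLL that was dropped after the first scan.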

 


Hi

It is still there :-( I am attaching a new HijackThis log

[log]Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:37:46, on 2008-11-09
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program\Bonjour\mDNSResponder.exe
C:\Program\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program\Delade filer\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\spupdsvc.exe
C:\Program\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\ehome\medctrro.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\VistaDrive\VistaDrive.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program\Razer\DeathAdder\razerhid.exe
C:\Program\Analog Devices\Core\smax4pnp.exe
C:\Program\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\iid.exe
C:\Program\Java\jre1.6.0_07\bin\jusched.exe
C:\Program\Delade filer\Nero\Lib\NMBgMonitor.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program\Windows Live\Messenger\MsnMsgr.Exe
C:\program\steam\steam.exe
C:\Program\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Razer\DeathAdder\razertra.exe
C:\Program\Razer\DeathAdder\razerofa.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program\Delade filer\Nero\Lib\NMIndexingService.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\Delade filer\Nero\Lib\NMIndexStoreSvr.exe
C:\Program\Outlook Express\msimn.exe
C:\Program\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Program\Delade filer\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.se/ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Länkhjälp till Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {77349033-9050-4CFD-815E-C6A9C155EFFB} - C:\WINDOWS\system32\FM2032.DLL
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive\VistaDrive.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program\Delade filer\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [cctray] "C:\Program\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [DeathAdder] C:\Program\Razer\DeathAdder\razerhid.exe
O4 - HKLM\..\Run: [startCCC] "C:\Program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\Multimedia\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OM_Monitor] C:\Program\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [Net iD] C:\WINDOWS\system32\iid.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program\Delade filer\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [steam] "c:\program\steam\steam.exe" -silent
O4 - HKCU\..\Run: [OM_Monitor] C:\Program\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-19\..\RunOnce: [setDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [setDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [setDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [setDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} (PPLive Lite Class) - http://dl.pplive.com/PluginSetup.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program\Delade filer\Nero\Lib\NMIndexingService.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 10464 bytes
[/log]

 


In which file and folder does Ad-aware find Win32.TrojanDownloader.Small?

Go to http://www.virustotal.com, paste the following file name into the box, press Send File and wait until the result is ready (Current status becomes Finished). Paste the result from the various antivirus programs (not Other information) here.

C:\WINDOWS\system32\FM2032.DLL

The file may not exist, even though it is referred to in the registry.

In which file and folder does Ad-aware find Win32.TrojanDownloader.Small?

[log]http://www.virustotal.com/sv/analisis/e230d776c96e2fbcfc55cb6c2a3435df[/log]

The file is called C:\WINDOWS\system32\qmgr32.dll

[log]Antivirus;Version;Last update;Result
AhnLab-V3;-;-;-
AntiVir;-;-;TR/Dldr.Small.vxz
Authentium;-;-;W32/Downldr2.DCJT
Avast;-;-;Win32:Small-LVX
AVG;-;-;Downloader.Small.COD
BitDefender;-;-;-
CAT-QuickHeal;-;-;-
ClamAV;-;-;-
DrWeb;-;-;-
eSafe;-;-;-
eTrust-Vet;-;-;-
Ewido;-;-;Downloader.Small.vxz
F-Prot;-;-;W32/Downldr2.DCJT
F-Secure;-;-;Trojan-Downloader.Win32.Small.vxz
Fortinet;-;-;-
GData;-;-;Trojan-Downloader.Win32.Small.vxz
Ikarus;-;-;not-a-virus:AdWare.Win32.Stud.d
K7AntiVirus;-;-;Trojan-Downloader.Win32.Small.vxz
Kaspersky;-;-;Trojan-Downloader.Win32.Small.vxz
McAfee;-;-;Generic Downloader.x
Microsoft;-;-;-
NOD32v2;-;-;probably a variant of Win32/TrojanDownloader.Small
Norman;-;-;W32/DLoader.IVHM
Panda;-;-;Trj/Downloader.MDW
PCTools;-;-;-
Prevx1;-;-;Malicious Software
Rising;-;-;-
Sophos;-;-;-
Sunbelt;-;-;AdWare.Win32.Stud.d
TheHacker;-;-;Trojan/Downloader.Small.ydn
TrendMicro;-;-;-
VBA32;-;-;Trojan-Downloader.Win32.Small.vxz
ViRobot;-;-;-
VirusBuster;-;-;-
Webwasher-Gateway;-;-;Trojan.Dldr.Small.vxz

Other information
MD5: 8fa96c6928efd2faf541d7d23810585a
SHA1: 19d00f0f93d78f181dc4440bdc82adb050ee7fc8
SHA256: ac61d2a57ccd8a1b8a898672ef47dc76f3ff4288eb1706109928fcdb23f087a1
SHA512: 2b0fe32cbb321a7f7a487a2cb605f848df22c68dea36e8f0caa0533b11c43db6db39bba5913f5799ee43b02249bb72a861541e360272900b46e77bc7b7d8620e[/log]

Download ComboFix to the Desktop:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You should install the Windows Recovery Console, since it makes it possible to start the computer in a special recovery mode, which can be useful if something happens to the computer during the coming clean-ups.

[log]Option 1: You have a Windows XP CD
Insert the CD
Start - Run
Type
x:\i386\winnt32.exe /cmdcons
where you replace x with the drive letter of the CD.
Press OK
Answer Yes to the question whether you want to install the Recovery Console.
The program will contact Microsoft to get the latest files.
Press OK when it is done.

To stop the Recovery Console from asking for a password, do the following:
Start - Run
regedit
Find HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole in the left-hand column.
Change the value of SecurityLevel to 1
Close regedit
Restart the computer.[/log]

[log]Option 2: You do not have a Windows XP CD
Go to http://support.microsoft.com/kb/310994
and make sure the language of the page matches the language of Windows (the language is chosen in the right-hand column), unless you have XP Media Center Edition, in which case you should use English.

Scroll down to the heading "Hämta programfilen för installationsdisketterna" (Download the program file for the setup floppy disks).
Choose the right download based on which Service Pack you have installed for XP. If you have SP3, choose SP2.
If you have XP Media Center Edition, choose XP Professional.
Save the downloaded file on the Desktop.

When the download is done, drag the downloaded file with the mouse across the Desktop and drop it on the ComboFix icon.
ComboFix will then install the Recovery Console.
When that is done, ComboFix will ask whether you want to continue with a scan; answer No there.[/log]

[log]Unplug the internet connection and close all programs you can see, including antivirus programs, antispyware programs and firewall, or alternatively restart the computer in Safe Mode.
Run ComboFix and follow the instructions shown.

IMPORTANT! Do not click in the ComboFix window with the mouse while it is running, otherwise it may hang.

When it is finished, a log should appear; attach it to your reply. Check that the antivirus program and firewall are running before you connect to the internet.

If you have trouble getting onto the internet:
Control Panel - Network Connections
right-click your internet connection and choose Repair, and/or restart the computer.[/log]

Warning! ComboFix disables autorun for CDs, floppies and USB devices to make it easier to clean the computer and to protect it against infections in the future. This can cause problems, for example if the computer gets its internet access through a USB modem or USB network adapter. In that case, say so instead of running ComboFix.

Here is the log from ComboFix

[log]ComboFix 08-11-09.04 - Stefan 2008-11-10 19:36:03.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1053.18.1500 [GMT 1:00]
Running from: c:\slask\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Stefan\Lokala inställningar\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML

.
((((((((((((((((((((((((( Files Created from 2008-10-10 to 2008-11-10 )))))))))))))))))))))))))))))))
.

2008-11-10 19:06 . 2008-11-10 19:06 3,512 --a------ c:\windows\system32\tmp.reg
2008-11-10 19:05 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-11-10 19:05 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-11-10 19:05 . 2008-10-01 14:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-11-10 19:05 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-11-10 19:05 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-11-10 19:05 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-11-10 19:05 . 2008-08-18 11:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-11-10 19:05 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe
2008-11-10 19:05 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-11-10 19:05 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-11-10 06:35 . 2008-11-10 06:35 14,848 --a------ c:\windows\system32\qmgr32.dll
2008-11-09 20:11 . 2008-11-09 20:11 <KAT> d-------- c:\program\Malwarebytes' Anti-Malware
2008-11-09 20:11 . 2008-11-09 20:11 <KAT> d-------- c:\documents and settings\Stefan\Application Data\Malwarebytes
2008-11-09 20:11 . 2008-11-09 20:11 <KAT> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-09 20:11 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-09 20:11 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-09 18:39 . 2008-11-09 20:56 <KAT> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-09 18:24 . 2008-11-09 18:24 <KAT> d-------- c:\program\Lavasoft
2008-11-05 23:04 . 2008-11-05 23:04 <KAT> d-------- c:\documents and settings\Stefan\Application Data\OpenOffice.org
2008-11-05 23:02 . 2008-11-05 23:02 <KAT> d-------- c:\program\OpenOffice.org 3
2008-11-05 23:02 . 2008-11-05 23:02 <KAT> d-------- c:\program\JRE
2008-11-03 19:58 . 2008-11-03 21:44 <KAT> d-------- c:\program\Fighters
2008-11-03 19:58 . 2008-11-03 19:58 <KAT> d-------- c:\documents and settings\All Users\Application Data\Fighters
2008-11-03 19:42 . 2008-11-03 19:42 <KAT> d-------- c:\program\Trend Micro
2008-11-01 14:29 . 2008-11-01 14:29 <KAT> d-------- c:\documents and settings\All Users\Application Data\PPLive
2008-11-01 14:28 . 2008-11-01 14:32 <KAT> d-------- c:\program\PPLive
2008-11-01 14:28 . 2008-11-01 14:28 <KAT> d-------- c:\documents and settings\All Users\Application Data\Jlcm
2008-10-31 19:22 . 2008-10-31 19:22 <KAT> d-------- c:\windows\system32\xircom
2008-10-31 19:22 . 2008-10-31 19:22 <KAT> d-------- c:\program\microsoft frontpage
2008-10-31 19:15 . 2008-10-31 19:20 2,979 --a------ c:\windows\system32\spupdsvc.inf
2008-10-31 19:12 . 2008-10-31 19:12 <KAT> d-------- c:\windows\system32\sv
2008-10-31 19:12 . 2008-10-31 19:12 <KAT> d-------- c:\windows\system32\bits
2008-10-31 19:12 . 2008-10-31 19:12 <KAT> d-------- c:\windows\l2schemas
2008-10-31 19:10 . 2008-10-31 19:10 <KAT> d-------- c:\windows\ServicePackFiles
2008-10-31 12:44 . 2008-04-14 17:04 276,992 --------- c:\windows\system32\wmphoto.dll
2008-10-31 12:44 . 2008-04-14 17:04 69,120 --------- c:\windows\system32\wlanapi.dll
2008-10-31 12:42 . 2008-04-14 17:04 1,737,856 --------- c:\windows\system32\mtxparhd.dll
2008-10-31 12:41 . 2008-04-14 17:04 870,784 --------- c:\windows\system32\ati3d1ag.dll
2008-10-24 12:41 . 2008-10-15 17:38 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-10-23 20:00 . 2008-10-23 20:00 <KAT> d--h----- c:\windows\PIF
2008-10-21 19:18 . 2008-10-21 19:18 <KAT> d-------- c:\documents and settings\Stefan\cbt
2008-10-20 21:21 . 2008-10-20 21:21 <KAT> d-------- c:\program\DirectVobSub
2008-10-15 15:40 . 2008-10-15 15:40 <KAT> d-------- c:\documents and settings\All Users\Application Data\Blizzard
2008-10-15 05:39 . 2008-08-14 14:27 2,189,952 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-15 05:39 . 2008-08-14 14:27 2,146,304 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-15 05:39 . 2008-08-14 14:27 2,066,816 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-15 05:39 . 2008-08-14 14:27 2,024,960 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-15 05:39 . 2008-09-15 16:27 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-10-15 05:39 . 2008-09-08 11:41 333,824 --------- c:\windows\system32\dllcache\srv.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-10 18:15 --------- d-----w c:\program\Steam
2008-11-09 17:24 --------- d-----w c:\program\Delade filer\Wise Installation Wizard
2008-11-09 16:32 --------- d-----w c:\documents and settings\Stefan\Application Data\HLSW
2008-11-08 15:40 --------- d-----w c:\documents and settings\Stefan\Application Data\uTorrent
2008-11-05 22:02 --------- d-----w c:\program\Java
2008-11-05 11:02 --------- d-----w c:\program\World of Warcraft
2008-11-04 15:50 --------- d-----w c:\documents and settings\Stefan\Application Data\Skype
2008-11-04 15:48 --------- d-----w c:\documents and settings\Stefan\Application Data\skypePM
2008-11-03 19:44 --------- d-----w c:\documents and settings\Stefan\Application Data\dvdcss
2008-10-21 18:43 --------- d-----w c:\documents and settings\Stefan\Application Data\iid
2008-10-15 04:49 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-14 14:33 --------- d-----w c:\program\Warcraft III
2008-10-03 17:26 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 17:03 --------- d-----w c:\program\Delade filer\Blizzard Entertainment
2008-09-29 16:53 880,560 ----a-w c:\windows\system32\drivers\vetefile.sys
2008-09-29 16:53 108,368 ----a-w c:\windows\system32\drivers\veteboot.sys
2008-09-19 18:00 --------- d-s---w c:\program\HLSW
2008-09-15 15:27 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-13 16:04 --------- d--h--w c:\program\InstallShield Installation Information
2008-09-13 16:02 --------- d-----w c:\program\OLYMPUS
2008-09-13 16:01 --------- d-----w c:\program\PIXELA
2008-09-10 11:39 176,640 ----a-w c:\windows\system32\drivers\b57xp32.sys
2008-08-27 09:27 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-08-26 08:27 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-26 08:27 826,368 ------w c:\windows\system32\dllcache\wininet.dll
2008-08-26 08:27 671,232 ------w c:\windows\system32\dllcache\mstime.dll
2008-08-26 08:27 477,696 ------w c:\windows\system32\dllcache\mshtmled.dll
2008-08-26 08:27 44,544 ------w c:\windows\system32\dllcache\pngfilt.dll
2008-08-26 08:27 233,472 ------w c:\windows\system32\dllcache\webcheck.dll
2008-08-26 08:27 193,024 ------w c:\windows\system32\dllcache\msrating.dll
2008-08-26 08:27 105,984 ------w c:\windows\system32\dllcache\url.dll
2008-08-26 08:27 102,912 ------w c:\windows\system32\dllcache\occache.dll
2008-08-26 08:27 1,159,680 ------w c:\windows\system32\dllcache\urlmon.dll
2008-08-25 08:43 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-08-25 08:38 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-08-23 05:56 635,848 ------w c:\windows\system32\dllcache\iexplore.exe
2008-08-23 05:54 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-08-14 13:27 2,189,952 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 13:27 2,066,816 ----a-w c:\windows\system32\ntkrnlpa.exe
2008-08-14 10:04 138,496 ------w c:\windows\system32\dllcache\afd.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E9B5251B-479A-4BF8-AADA-1C524954B6B1}]
2008-11-10 06:35 14848 --a------ c:\windows\system32\qmgr32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program\Delade filer\Nero\Lib\NMBgMonitor.exe" [2007-10-23 202024]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-29 68856]
"MsnMsgr"="c:\program\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Steam"="c:\program\steam\steam.exe" [2008-10-18 1410296]
"OM_Monitor"="c:\program\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 57344]
"MSMSGS"="c:\program\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VistaDrive"="c:\windows\VistaDrive\VistaDrive.exe" [2006-10-05 280779]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"Adobe Reader Speed Launcher"="c:\program\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"NeroFilterCheck"="c:\program\Delade filer\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"cctray"="c:\program\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-16 177416]
"CAVRID"="c:\program\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-08-20 230664]
"DeathAdder"="c:\program\Razer\DeathAdder\razerhid.exe" [2007-09-07 159744]
"StartCCC"="c:\program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"SoundMAXPnP"="c:\program\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"QuickTime Task"="c:\program\Multimedia\QuickTime Alternative\QTTask.exe" [2008-05-27 413696]
"AppleSyncNotifier"="c:\program\Delade filer\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"iTunesHelper"="c:\program\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"OM_Monitor"="c:\program\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2006-05-16 40960]
"Net iD"="c:\windows\system32\iid.exe" [2008-02-22 74992]
"SunJavaUpdateSched"="c:\program\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"CTHelper"="CTHELPER.EXE" [2006-08-11 c:\windows\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-17 c:\windows\system32\CTXFIHLP.EXE]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 c:\windows\Logi_MwX.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
"SetDefaultMIDI"="MIDIDEF.EXE" [2006-08-17 c:\windows\MIDIDEF.EXE]
"nltide_3"="advpack.dll" [2008-08-26 c:\windows\system32\advpack.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= c:\windows\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= c:\windows\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"VIDC.MJPG"= pvmjpg21.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program\\Steam\\steamapps\\stefan.lindqvist@ahlsell.se\\counter-strike\\hl.exe"=
"c:\\Program\\HLSW\\hlsw.exe"=
"c:\\Program\\Steam\\steamapps\\stefan.lindqvist@ahlsell.se\\counter-strike source\\hl2.exe"=
"c:\\Program\\SopCast\\SopCast.exe"=
"c:\\Program\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program\\Bonjour\\mDNSResponder.exe"=
"c:\\Program\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Stefan\\Lokala inställningar\\Application Data\\Octoshape\\Octoshape Streaming Services\\OctoshapeClient.exe"=
"c:\\Program\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program\\Steam\\Steam.exe"=
"c:\\Documents and Settings\\Stefan\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program\\PPLive\\PPLive.exe"=
"c:\\Program\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 VD_FileDisk;VD_FileDisk;c:\windows\system32\drivers\VD_FileDisk.sys [2006-01-13 15872]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2007-08-02 22784]
.
Contents of the 'Scheduled Tasks' folder

2008-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Stefan\Application Data\Mozilla\Firefox\Profiles\rzadyo7y.default
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.aftonbladet.se/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 19:37:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-10 19:37:52
ComboFix-quarantined-files.txt 2008-11-10 18:37:42

Pre-Run: 93 844 365 312 byte ledigt
Post-Run: 94,443,130,880 byte ledigt

206 --- E O F --- 2008-11-01 15:09:50
[/log]
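The ComboFix logs in this thread show the behaviour that makes this downloader hard to clear by hand: qmgr32.dll (14,848 bytes) sits in system32 with a creation time equal to its modification time, and after it is removed a file of exactly the same size, msqbde40.dll, appears under a new name later the same evening. As an added example (not part of the thread, and not ComboFix code), the script below parses ComboFix's "Files Created" section and flags freshly written DLL/EXE files directly in system32, optionally matching the size of a sample already identified. The sample lines are taken from the two logs in this thread; the two-day window and the "created equals modified" heuristic are this example's own assumptions, so treat hits as candidates to hash and submit, not as verdicts.

```python
import re
from datetime import datetime, timedelta

# Sample lines taken from the "Files Created" sections of the two ComboFix logs in
# this thread (not a complete log). qmgr32.dll is the file VirusTotal flagged and
# msqbde40.dll is the same-size file that appeared after it was removed.
SAMPLE = r"""
2008-11-10 22:37 . 2008-11-10 22:37 14,848 --a------ c:\windows\system32\msqbde40.dll
2008-11-10 19:06 . 2008-11-10 22:13 3,512 --a------ c:\windows\system32\tmp.reg
2008-11-10 19:05 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-11-10 06:35 . 2008-11-10 06:35 14,848 --a------ c:\windows\system32\qmgr32.dll
2008-11-09 20:11 . 2008-11-09 20:11 <KAT> d-------- c:\program\Malwarebytes' Anti-Malware
2008-11-09 20:11 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-10-31 12:44 . 2008-04-14 17:04 276,992 --------- c:\windows\system32\wmphoto.dll
"""

TS = "%Y-%m-%d %H:%M"
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) +\. +(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) +"
    r"(?P<size>[\d,]+|<[A-Za-z]+>) +(?P<attrs>[-a-z]{9}) +(?P<path>.+)$"
)
# DLL or EXE directly in %SystemRoot%\system32 (not in a subfolder such as drivers\).
SYS32_BIN = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.(dll|exe)$", re.IGNORECASE)


def parse_created(text):
    """Turn the 'Files Created' lines into dicts; directories get size None."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size_field = m["size"]
        entries.append({
            "created": datetime.strptime(m["created"], TS),
            "modified": datetime.strptime(m["modified"], TS),
            # <KAT> (Swedish ComboFix) or <DIR> marks a directory.
            "size": None if size_field.startswith("<") else int(size_field.replace(",", "")),
            "attrs": m["attrs"],
            "path": m["path"],
        })
    return entries


def find_redrops(entries, scan_time, known_sizes=(), window_days=2):
    """Return (path, size, reason) for binaries freshly written into system32."""
    hits = []
    for e in entries:
        if e["size"] is None or not SYS32_BIN.match(e["path"]):
            continue
        # Files unpacked by an installer or update keep an older mtime (ComboFix's own
        # helper tools, Service Pack files); a dropper written by the malware itself
        # has ctime == mtime. Assumed heuristic, not a ComboFix rule.
        if e["created"] != e["modified"]:
            continue
        if scan_time - e["created"] > timedelta(days=window_days):
            continue
        reason = ("size matches a known sample" if e["size"] in known_sizes
                  else "fresh binary dropped into system32")
        hits.append((e["path"], e["size"], reason))
    return hits


def scan_for_redrops(text, scan_time_str, known_sizes=(), window_days=2):
    """Convenience wrapper; scan_time_str uses the log's own 'YYYY-MM-DD HH:MM' form."""
    scan_time = datetime.strptime(scan_time_str, TS)
    return find_redrops(parse_created(text), scan_time, known_sizes, window_days)


if __name__ == "__main__":
    # 2008-11-11 17:47 is the start time of the second ComboFix run in the thread.
    for path, size, reason in scan_for_redrops(SAMPLE, "2008-11-11 17:47", known_sizes=(14848,)):
        print(f"{size:>8}  {path}  ({reason})")
```

Matching on size alone is a weak signal (the next variant may be padded), so the size list is only there to pair a re-dropped file with the sample already submitted; the real decision still rests on hashing the flagged file and checking it.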

Copy all the lines in the box (use "select code")

File::
c:\windows\system32\qmgr32.dll

and paste them into Notepad.
Save the file on the Desktop with the name CFScript.

Prepare the computer the same way as before for ComboFix.
Drag CFScript with the mouse and drop it on top of the ComboFix icon on the Desktop; the program then starts in a special mode.
Paste the log that comes out, and a new HijackThis log.

Hi again Cecilia

Here is the log

Regards, Stefan

[log]ComboFix 08-11-09.04 - Stefan 2008-11-11 17:47:05.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1053.18.1501 [GMT 1:00]
Running from: c:\slask\ComboFix.exe
Command switches used :: c:\documents and settings\Stefan\Skrivbord\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\qmgr32.dll
.

((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))
.

2008-11-10 22:37 . 2008-11-10 22:37 14,848 --a------ c:\windows\system32\msqbde40.dll
2008-11-10 19:06 . 2008-11-10 22:13 3,512 --a------ c:\windows\system32\tmp.reg
2008-11-10 19:05 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-11-10 19:05 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-11-10 19:05 . 2008-10-01 14:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-11-10 19:05 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-11-10 19:05 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-11-10 19:05 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-11-10 19:05 . 2008-08-18 11:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-11-10 19:05 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe
2008-11-10 19:05 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-11-10 19:05 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-11-09 20:11 . 2008-11-09 20:11 <KAT> d-------- c:\program\Malwarebytes' Anti-Malware
2008-11-09 20:11 . 2008-11-09 20:11 <KAT> d-------- c:\documents and settings\Stefan\Application Data\Malwarebytes
2008-11-09 20:11 . 2008-11-09 20:11 <KAT> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-09 20:11 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-09 20:11 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-09 18:39 . 2008-11-09 20:56 <KAT> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-09 18:24 . 2008-11-09 18:24 <KAT> d-------- c:\program\Lavasoft
2008-11-05 23:04 . 2008-11-05 23:04 <KAT> d-------- c:\documents and settings\Stefan\Application Data\OpenOffice.org
2008-11-05 23:02 . 2008-11-05 23:02 <KAT> d-------- c:\program\OpenOffice.org 3
2008-11-05 23:02 . 2008-11-05 23:02 <KAT> d-------- c:\program\JRE
2008-11-03 19:58 . 2008-11-03 21:44 <KAT> d-------- c:\program\Fighters
2008-11-03 19:58 . 2008-11-03 19:58 <KAT> d-------- c:\documents and settings\All Users\Application Data\Fighters
2008-11-03 19:42 . 2008-11-03 19:42 <KAT> d-------- c:\program\Trend Micro
2008-11-01 14:29 . 2008-11-01 14:29 <KAT> d-------- c:\documents and settings\All Users\Application Data\PPLive
2008-11-01 14:28 . 2008-11-01 14:32 <KAT> d-------- c:\program\PPLive
2008-11-01 14:28 . 2008-11-01 14:28 <KAT> d-------- c:\documents and settings\All Users\Application Data\Jlcm
2008-10-31 19:22 . 2008-10-31 19:22 <KAT> d-------- c:\windows\system32\xircom
2008-10-31 19:22 . 2008-10-31 19:22 <KAT> d-------- c:\program\microsoft frontpage
2008-10-31 19:15 . 2008-10-31 19:20 2,979 --a------ c:\windows\system32\spupdsvc.inf
2008-10-31 19:12 . 2008-10-31 19:12 <KAT> d-------- c:\windows\system32\sv
2008-10-31 19:12 . 2008-10-31 19:12 <KAT> d-------- c:\windows\system32\bits
2008-10-31 19:12 . 2008-10-31 19:12 <KAT> d-------- c:\windows\l2schemas
2008-10-31 19:10 . 2008-10-31 19:10 <KAT> d-------- c:\windows\ServicePackFiles
2008-10-31 12:44 . 2008-04-14 17:04 276,992 --------- c:\windows\system32\wmphoto.dll
2008-10-31 12:44 . 2008-04-14 17:04 69,120 --------- c:\windows\system32\wlanapi.dll
2008-10-31 12:42 . 2008-04-14 17:04 1,737,856 --------- c:\windows\system32\mtxparhd.dll
2008-10-31 12:41 . 2008-04-14 17:04 870,784 --------- c:\windows\system32\ati3d1ag.dll

2008-10-24 12:41 . 2008-10-15 17:38 337,408 --------- c:\windows\system32\dllcache\netapi32.dll

2008-10-23 20:00 . 2008-10-23 20:00 <KAT> d--h----- c:\windows\PIF

2008-10-21 19:18 . 2008-10-21 19:18 <KAT> d-------- c:\documents and settings\Stefan\cbt

2008-10-20 21:21 . 2008-10-20 21:21 <KAT> d-------- c:\program\DirectVobSub

2008-10-15 15:40 . 2008-10-15 15:40 <KAT> d-------- c:\documents and settings\All Users\Application Data\Blizzard

2008-10-15 05:39 . 2008-08-14 14:27 2,189,952 --------- c:\windows\system32\dllcache\ntoskrnl.exe

2008-10-15 05:39 . 2008-08-14 14:27 2,146,304 --------- c:\windows\system32\dllcache\ntkrnlmp.exe

2008-10-15 05:39 . 2008-08-14 14:27 2,066,816 --------- c:\windows\system32\dllcache\ntkrnlpa.exe

2008-10-15 05:39 . 2008-08-14 14:27 2,024,960 --------- c:\windows\system32\dllcache\ntkrpamp.exe

2008-10-15 05:39 . 2008-09-15 16:27 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys

2008-10-15 05:39 . 2008-09-08 11:41 333,824 --------- c:\windows\system32\dllcache\srv.sys

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-11 13:22 --------- d-----w c:\program\Steam

2008-11-10 21:53 --------- d-----w c:\documents and settings\Stefan\Application Data\uTorrent

2008-11-10 21:24 --------- d-----w c:\program\Google

2008-11-10 20:17 --------- d-----w c:\documents and settings\Stefan\Application Data\HLSW

2008-11-09 17:24 --------- d-----w c:\program\Delade filer\Wise Installation Wizard

2008-11-05 22:02 --------- d-----w c:\program\Java

2008-11-05 11:02 --------- d-----w c:\program\World of Warcraft

2008-11-04 15:50 --------- d-----w c:\documents and settings\Stefan\Application Data\Skype

2008-11-04 15:48 --------- d-----w c:\documents and settings\Stefan\Application Data\skypePM

2008-11-03 19:44 --------- d-----w c:\documents and settings\Stefan\Application Data\dvdcss

2008-10-21 18:43 --------- d-----w c:\documents and settings\Stefan\Application Data\iid

2008-10-15 04:49 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

2008-10-14 14:33 --------- d-----w c:\program\Warcraft III

2008-10-03 17:26 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll

2008-09-30 17:03 --------- d-----w c:\program\Delade filer\Blizzard Entertainment

2008-09-29 16:53 880,560 ----a-w c:\windows\system32\drivers\vetefile.sys

2008-09-29 16:53 108,368 ----a-w c:\windows\system32\drivers\veteboot.sys

2008-09-19 18:00 --------- d-s---w c:\program\HLSW

2008-09-15 15:27 1,846,400 ----a-w c:\windows\system32\win32k.sys

2008-09-13 16:04 --------- d--h--w c:\program\InstallShield Installation Information

2008-09-13 16:02 --------- d-----w c:\program\OLYMPUS

2008-09-13 16:01 --------- d-----w c:\program\PIXELA

2008-08-27 09:27 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll

2008-08-26 08:27 826,368 ----a-w c:\windows\system32\wininet.dll

2008-08-26 08:27 826,368 ------w c:\windows\system32\dllcache\wininet.dll

2008-08-26 08:27 671,232 ------w c:\windows\system32\dllcache\mstime.dll

2008-08-26 08:27 477,696 ------w c:\windows\system32\dllcache\mshtmled.dll

2008-08-26 08:27 44,544 ------w c:\windows\system32\dllcache\pngfilt.dll

2008-08-26 08:27 233,472 ------w c:\windows\system32\dllcache\webcheck.dll

2008-08-26 08:27 193,024 ------w c:\windows\system32\dllcache\msrating.dll

2008-08-26 08:27 105,984 ------w c:\windows\system32\dllcache\url.dll

2008-08-26 08:27 102,912 ------w c:\windows\system32\dllcache\occache.dll

2008-08-26 08:27 1,159,680 ------w c:\windows\system32\dllcache\urlmon.dll

2008-08-25 08:43 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe

2008-08-25 08:38 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe

2008-08-23 05:56 635,848 ------w c:\windows\system32\dllcache\iexplore.exe

2008-08-23 05:54 161,792 ------w c:\windows\system32\dllcache\ieakui.dll

2008-08-14 13:27 2,189,952 ----a-w c:\windows\system32\ntoskrnl.exe

2008-08-14 13:27 2,066,816 ----a-w c:\windows\system32\ntkrnlpa.exe

2008-08-14 10:04 138,496 ------w c:\windows\system32\dllcache\afd.sys

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C2FC30DF-A631-43E8-8D0B-7F24F47C9331}]

2008-11-10 22:37 14848 --a------ c:\windows\system32\msqbde40.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]

2008-11-10 22:24 522224 --a------ c:\program\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program\Delade filer\Nero\Lib\NMBgMonitor.exe" [2007-10-23 202024]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"swg"="c:\program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-29 68856]

"MsnMsgr"="c:\program\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

"Steam"="c:\program\steam\steam.exe" [2008-10-18 1410296]

"OM_Monitor"="c:\program\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 57344]

"MSMSGS"="c:\program\Messenger\msmsgs.exe" [2008-04-14 1695232]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VistaDrive"="c:\windows\VistaDrive\VistaDrive.exe" [2006-10-05 280779]

"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]

"Adobe Reader Speed Launcher"="c:\program\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]

"NeroFilterCheck"="c:\program\Delade filer\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]

"cctray"="c:\program\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-16 177416]

"CAVRID"="c:\program\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-08-20 230664]

"DeathAdder"="c:\program\Razer\DeathAdder\razerhid.exe" [2007-09-07 159744]

"StartCCC"="c:\program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]

"SoundMAXPnP"="c:\program\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"QuickTime Task"="c:\program\Multimedia\QuickTime Alternative\QTTask.exe" [2008-05-27 413696]

"AppleSyncNotifier"="c:\program\Delade filer\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]

"iTunesHelper"="c:\program\iTunes\iTunesHelper.exe" [2008-07-30 289064]

"OM_Monitor"="c:\program\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2006-05-16 40960]

"Net iD"="c:\windows\system32\iid.exe" [2008-02-22 74992]

"SunJavaUpdateSched"="c:\program\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"CTHelper"="CTHELPER.EXE" [2006-08-11 c:\windows\CTHELPER.EXE]

"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-17 c:\windows\system32\CTXFIHLP.EXE]

"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 c:\windows\Logi_MwX.Exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_2"="shell32" [X]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

"SetDefaultMIDI"="MIDIDEF.EXE" [2006-08-17 c:\windows\MIDIDEF.EXE]

"nltide_3"="advpack.dll" [2008-08-26 c:\windows\system32\advpack.dll]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"= c:\windows\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"= c:\windows\Resources\Themes\Royale.theme

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.ACDV"= ACDV.dll

"VIDC.MJPG"= pvmjpg21.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program\\uTorrent\\uTorrent.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program\\Steam\\steamapps\\stefan.lindqvist@ahlsell.se\\counter-strike\\hl.exe"=

"c:\\Program\\HLSW\\hlsw.exe"=

"c:\\Program\\Steam\\steamapps\\stefan.lindqvist@ahlsell.se\\counter-strike source\\hl2.exe"=

"c:\\Program\\SopCast\\SopCast.exe"=

"c:\\Program\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program\\Bonjour\\mDNSResponder.exe"=

"c:\\Program\\iTunes\\iTunes.exe"=

"c:\\Documents and Settings\\Stefan\\Lokala inställningar\\Application Data\\Octoshape\\Octoshape Streaming Services\\OctoshapeClient.exe"=

"c:\\Program\\World of Warcraft\\BackgroundDownloader.exe"=

"c:\\Program\\Steam\\Steam.exe"=

"c:\\Documents and Settings\\Stefan\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=

"c:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program\\PPLive\\PPLive.exe"=

"c:\\Program\\Skype\\Phone\\Skype.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

 

R1 VD_FileDisk;VD_FileDisk;c:\windows\system32\drivers\VD_FileDisk.sys [2006-01-13 15872]

R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2007-08-02 22784]

.

Contents of the 'Scheduled Tasks' folder

 

2008-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-11 17:48:35

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-11-11 17:49:13

ComboFix-quarantined-files.txt 2008-11-11 16:49:01

ComboFix2.txt 2008-11-10 18:37:53

 

Pre-Run: 94 804 406 272 byte ledigt

Post-Run: 94,884,487,168 byte ledigt

 

203 --- E O F --- 2008-11-01 15:09:50

[/log]

 


Download ATF-Cleaner to the Desktop:

 

http://www.atribune.org/ccount/click.php?id=1

 

Copy all the lines in the box (use "select code")

File::
c:\windows\system32\msqbde40.dll

and paste them into Notepad.

Save the file on the Desktop with the name CFScript.

 

[log]Restart the computer in Safe Mode (press F8 repeatedly during startup and choose Safe Mode from the menu).

 

Double-click ATF-Cleaner.exe to start the program.

Tick Select All. Click Empty Selected.

 

If you use Firefox: click Firefox and choose Select All. Click Empty Selected. If you want to keep your passwords, click No when asked.

 

If you use Opera: click Opera and choose Select All. Click Empty Selected. If you want to keep your passwords, click No when asked.

 

Click Exit in the Main menu to close the program.

 

Note: this will remove all cookies; if you have cookies you want to keep, either save them beforehand or skip Select All and instead tick everything else.

 

Drag CFScript with the mouse and drop it onto the ComboFix icon on the Desktop; this starts the program in a special mode.

Restart in normal mode.

Paste the ComboFix log that comes out.[/log]

 

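An added example, not part of this thread and not ComboFix's own code: a small Python parser that applies the reasoning behind the CFScript above to a ComboFix log. It flags Browser Helper Objects whose DLL also appears in the log's "Files Created" list under c:\windows (as msqbde40.dll does here, dropped and registered the same minute) and turns the hits into the File:: script ComboFix expects. The log excerpt is constructed from the one posted above and the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the format of the ComboFix log posted in this thread
# (trimmed to the lines the check needs; paths as they appear on the page).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))
.
2008-11-10 22:37 . 2008-11-10 22:37 14,848 --a------ c:\windows\system32\msqbde40.dll
2008-11-10 19:05 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-11-09 20:11 . 2008-11-09 20:11 <KAT> d-------- c:\program\Lavasoft
2008-10-31 12:44 . 2008-04-14 17:04 276,992 --------- c:\windows\system32\wmphoto.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C2FC30DF-A631-43E8-8D0B-7F24F47C9331}]
2008-11-10 22:37 14848 --a------ c:\windows\system32\msqbde40.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
2008-11-10 22:24 522224 --a------ c:\program\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
"""

# "created . modified size attributes path" lines of the Files Created section.
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \S+ \S+ (.+)$"
)
# Registry key line of one Browser Helper Object under Reg Loading Points.
BHO_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\(\{[0-9A-Fa-f-]+\})\]$"
)
# "date time size attributes path" detail line that follows a BHO key.
BHO_FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \S+ \S+ (.+)$")


def parse_created_files(log: str) -> Dict[str, Tuple[str, str]]:
    """Map each path under Files Created to its (created, modified) stamps."""
    created: Dict[str, Tuple[str, str]] = {}
    for line in log.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            created[m.group(3).strip().lower()] = (m.group(1), m.group(2))
    return created


def parse_bhos(log: str) -> List[Tuple[str, str]]:
    """Return (CLSID, dll path) for every BHO in the Reg Loading Points section."""
    bhos: List[Tuple[str, str]] = []
    clsid = None
    for line in log.splitlines():
        line = line.strip()
        key = BHO_KEY_RE.match(line)
        if key:
            clsid = key.group(1)
            continue
        if clsid:
            detail = BHO_FILE_RE.match(line)
            if detail:
                bhos.append((clsid, detail.group(1).strip().lower()))
                clsid = None  # the detail line belongs to this key only
    return bhos


def suspicious_bhos(log: str) -> List[Tuple[str, str, bool]]:
    """BHOs whose DLL was created inside c:\\windows within the log's window.

    The third element is True when created == modified, i.e. the file was
    written fresh rather than copied from an older installer payload (the
    SmitFraudFix tools in the same list carry old modification stamps).
    """
    created = parse_created_files(log)
    hits = []
    for clsid, path in parse_bhos(log):
        if path in created and "\\windows\\" in path:
            stamp_created, stamp_modified = created[path]
            hits.append((clsid, path, stamp_created == stamp_modified))
    return hits


def make_cfscript(paths: List[str]) -> str:
    """Build the File:: script text the thread drops onto ComboFix."""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    hits = suspicious_bhos(SAMPLE_LOG)
    for clsid, path, fresh in hits:
        print(f"{clsid} -> {path} (fresh drop: {fresh})")
    print(make_cfscript([path for _, path, _ in hits]))
```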

New ComboFix log

[log]ComboFix 08-11-09.04 - Stefan 2008-11-11 19:13:24.4 - NTFSx86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1053.18.1778 [GMT 1:00]

Running from: c:\slask\ComboFix.exe

Command switches used :: c:\documents and settings\Stefan\Skrivbord\CFScript.txt

 

FILE ::

c:\windows\system32\msqbde40.dll

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\system32\msqbde40.dll

 

.

((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))

.

 

2008-11-10 19:06 . 2008-11-10 22:13 3,512 --a------ c:\windows\system32\tmp.reg

2008-11-10 19:05 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe

2008-11-10 19:05 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe

2008-11-10 19:05 . 2008-10-01 14:51 87,552 --a------ c:\windows\system32\VACFix.exe

2008-11-10 19:05 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\o4Patch.exe

2008-11-10 19:05 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe

2008-11-10 19:05 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe

2008-11-10 19:05 . 2008-08-18 11:19 82,432 --a------ c:\windows\system32\404Fix.exe

2008-11-10 19:05 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe

2008-11-10 19:05 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe

2008-11-10 19:05 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe

2008-11-09 20:11 . 2008-11-09 20:11 <KAT> d-------- c:\program\Malwarebytes' Anti-Malware

2008-11-09 20:11 . 2008-11-09 20:11 <KAT> d-------- c:\documents and settings\Stefan\Application Data\Malwarebytes

2008-11-09 20:11 . 2008-11-09 20:11 <KAT> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-11-09 20:11 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-11-09 20:11 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-11-09 18:39 . 2008-11-09 20:56 <KAT> d-a------ c:\documents and settings\All Users\Application Data\TEMP

2008-11-09 18:24 . 2008-11-09 18:24 <KAT> d-------- c:\program\Lavasoft

2008-11-05 23:04 . 2008-11-05 23:04 <KAT> d-------- c:\documents and settings\Stefan\Application Data\OpenOffice.org

2008-11-05 23:02 . 2008-11-05 23:02 <KAT> d-------- c:\program\OpenOffice.org 3

2008-11-05 23:02 . 2008-11-05 23:02 <KAT> d-------- c:\program\JRE

2008-11-03 19:58 . 2008-11-03 21:44 <KAT> d-------- c:\program\Fighters

2008-11-03 19:58 . 2008-11-03 19:58 <KAT> d-------- c:\documents and settings\All Users\Application Data\Fighters

2008-11-03 19:42 . 2008-11-03 19:42 <KAT> d-------- c:\program\Trend Micro

2008-11-01 14:29 . 2008-11-01 14:29 <KAT> d-------- c:\documents and settings\All Users\Application Data\PPLive

2008-11-01 14:28 . 2008-11-01 14:32 <KAT> d-------- c:\program\PPLive

2008-11-01 14:28 . 2008-11-01 14:28 <KAT> d-------- c:\documents and settings\All Users\Application Data\Jlcm

2008-10-31 19:22 . 2008-10-31 19:22 <KAT> d-------- c:\windows\system32\xircom

2008-10-31 19:22 . 2008-10-31 19:22 <KAT> d-------- c:\program\microsoft frontpage

2008-10-31 19:15 . 2008-10-31 19:20 2,979 --a------ c:\windows\system32\spupdsvc.inf

2008-10-31 19:12 . 2008-10-31 19:12 <KAT> d-------- c:\windows\system32\sv

2008-10-31 19:12 . 2008-10-31 19:12 <KAT> d-------- c:\windows\system32\bits

2008-10-31 19:12 . 2008-10-31 19:12 <KAT> d-------- c:\windows\l2schemas

2008-10-31 19:10 . 2008-10-31 19:10 <KAT> d-------- c:\windows\ServicePackFiles

2008-10-31 12:44 . 2008-04-14 17:04 276,992 --------- c:\windows\system32\wmphoto.dll

2008-10-31 12:44 . 2008-04-14 17:04 69,120 --------- c:\windows\system32\wlanapi.dll

2008-10-31 12:42 . 2008-04-14 17:04 1,737,856 --------- c:\windows\system32\mtxparhd.dll

2008-10-31 12:41 . 2008-04-14 17:04 870,784 --------- c:\windows\system32\ati3d1ag.dll

2008-10-24 12:41 . 2008-10-15 17:38 337,408 --------- c:\windows\system32\dllcache\netapi32.dll

2008-10-23 20:00 . 2008-10-23 20:00 <KAT> d--h----- c:\windows\PIF

2008-10-21 19:18 . 2008-10-21 19:18 <KAT> d-------- c:\documents and settings\Stefan\cbt

2008-10-20 21:21 . 2008-10-20 21:21 <KAT> d-------- c:\program\DirectVobSub

2008-10-15 15:40 . 2008-10-15 15:40 <KAT> d-------- c:\documents and settings\All Users\Application Data\Blizzard

2008-10-15 05:39 . 2008-08-14 14:27 2,189,952 --------- c:\windows\system32\dllcache\ntoskrnl.exe

2008-10-15 05:39 . 2008-08-14 14:27 2,146,304 --------- c:\windows\system32\dllcache\ntkrnlmp.exe

2008-10-15 05:39 . 2008-08-14 14:27 2,066,816 --------- c:\windows\system32\dllcache\ntkrnlpa.exe

2008-10-15 05:39 . 2008-08-14 14:27 2,024,960 --------- c:\windows\system32\dllcache\ntkrpamp.exe

2008-10-15 05:39 . 2008-09-15 16:27 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys

2008-10-15 05:39 . 2008-09-08 11:41 333,824 --------- c:\windows\system32\dllcache\srv.sys

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-11 17:14 --------- d-----w c:\program\World of Warcraft

2008-11-11 17:00 --------- d-----w c:\program\Steam

2008-11-10 21:53 --------- d-----w c:\documents and settings\Stefan\Application Data\uTorrent

2008-11-10 21:24 --------- d-----w c:\program\Google

2008-11-10 20:17 --------- d-----w c:\documents and settings\Stefan\Application Data\HLSW

2008-11-09 17:24 --------- d-----w c:\program\Delade filer\Wise Installation Wizard

2008-11-05 22:02 --------- d-----w c:\program\Java

2008-11-04 15:50 --------- d-----w c:\documents and settings\Stefan\Application Data\Skype

2008-11-04 15:48 --------- d-----w c:\documents and settings\Stefan\Application Data\skypePM

2008-11-03 19:44 --------- d-----w c:\documents and settings\Stefan\Application Data\dvdcss

2008-10-21 18:43 --------- d-----w c:\documents and settings\Stefan\Application Data\iid

2008-10-15 04:49 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

2008-10-14 14:33 --------- d-----w c:\program\Warcraft III

2008-10-03 17:26 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll

2008-09-30 17:03 --------- d-----w c:\program\Delade filer\Blizzard Entertainment

2008-09-29 16:53 880,560 ----a-w c:\windows\system32\drivers\vetefile.sys

2008-09-29 16:53 108,368 ----a-w c:\windows\system32\drivers\veteboot.sys

2008-09-19 18:00 --------- d-s---w c:\program\HLSW

2008-09-15 15:27 1,846,400 ----a-w c:\windows\system32\win32k.sys

2008-09-13 16:04 --------- d--h--w c:\program\InstallShield Installation Information

2008-09-13 16:02 --------- d-----w c:\program\OLYMPUS

2008-09-13 16:01 --------- d-----w c:\program\PIXELA

2008-08-27 09:27 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll

2008-08-26 08:27 826,368 ----a-w c:\windows\system32\wininet.dll

2008-08-26 08:27 826,368 ------w c:\windows\system32\dllcache\wininet.dll

2008-08-26 08:27 671,232 ------w c:\windows\system32\dllcache\mstime.dll

2008-08-26 08:27 477,696 ------w c:\windows\system32\dllcache\mshtmled.dll

2008-08-26 08:27 44,544 ------w c:\windows\system32\dllcache\pngfilt.dll

2008-08-26 08:27 233,472 ------w c:\windows\system32\dllcache\webcheck.dll

2008-08-26 08:27 193,024 ------w c:\windows\system32\dllcache\msrating.dll

2008-08-26 08:27 105,984 ------w c:\windows\system32\dllcache\url.dll

2008-08-26 08:27 102,912 ------w c:\windows\system32\dllcache\occache.dll

2008-08-26 08:27 1,159,680 ------w c:\windows\system32\dllcache\urlmon.dll

2008-08-25 08:43 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe

2008-08-25 08:38 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe

2008-08-23 05:56 635,848 ------w c:\windows\system32\dllcache\iexplore.exe

2008-08-23 05:54 161,792 ------w c:\windows\system32\dllcache\ieakui.dll

2008-08-14 13:27 2,189,952 ----a-w c:\windows\system32\ntoskrnl.exe

2008-08-14 13:27 2,066,816 ----a-w c:\windows\system32\ntkrnlpa.exe

2008-08-14 10:04 138,496 ------w c:\windows\system32\dllcache\afd.sys

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]

2008-11-10 22:24 522224 --a------ c:\program\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program\Delade filer\Nero\Lib\NMBgMonitor.exe" [2007-10-23 202024]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"swg"="c:\program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-29 68856]

"MsnMsgr"="c:\program\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

"Steam"="c:\program\steam\steam.exe" [2008-10-18 1410296]

"OM_Monitor"="c:\program\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 57344]

"MSMSGS"="c:\program\Messenger\msmsgs.exe" [2008-04-14 1695232]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VistaDrive"="c:\windows\VistaDrive\VistaDrive.exe" [2006-10-05 280779]

"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]

"Adobe Reader Speed Launcher"="c:\program\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]

"NeroFilterCheck"="c:\program\Delade filer\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]

"cctray"="c:\program\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-16 177416]

"CAVRID"="c:\program\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-08-20 230664]

"DeathAdder"="c:\program\Razer\DeathAdder\razerhid.exe" [2007-09-07 159744]

"StartCCC"="c:\program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]

"SoundMAXPnP"="c:\program\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"QuickTime Task"="c:\program\Multimedia\QuickTime Alternative\QTTask.exe" [2008-05-27 413696]

"AppleSyncNotifier"="c:\program\Delade filer\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]

"iTunesHelper"="c:\program\iTunes\iTunesHelper.exe" [2008-07-30 289064]

"OM_Monitor"="c:\program\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2006-05-16 40960]

"Net iD"="c:\windows\system32\iid.exe" [2008-02-22 74992]

"SunJavaUpdateSched"="c:\program\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"CTHelper"="CTHELPER.EXE" [2006-08-11 c:\windows\CTHELPER.EXE]

"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-17 c:\windows\system32\CTXFIHLP.EXE]

"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 c:\windows\Logi_MwX.Exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_2"="shell32" [X]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

"SetDefaultMIDI"="MIDIDEF.EXE" [2006-08-17 c:\windows\MIDIDEF.EXE]

"nltide_3"="advpack.dll" [2008-08-26 c:\windows\system32\advpack.dll]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"= c:\windows\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"= c:\windows\Resources\Themes\Royale.theme

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.ACDV"= ACDV.dll

"VIDC.MJPG"= pvmjpg21.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program\\uTorrent\\uTorrent.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program\\Steam\\steamapps\\stefan.lindqvist@ahlsell.se\\counter-strike\\hl.exe"=

"c:\\Program\\HLSW\\hlsw.exe"=

"c:\\Program\\Steam\\steamapps\\stefan.lindqvist@ahlsell.se\\counter-strike source\\hl2.exe"=

"c:\\Program\\SopCast\\SopCast.exe"=

"c:\\Program\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program\\Bonjour\\mDNSResponder.exe"=

"c:\\Program\\iTunes\\iTunes.exe"=

"c:\\Documents and Settings\\Stefan\\Lokala inställningar\\Application Data\\Octoshape\\Octoshape Streaming Services\\OctoshapeClient.exe"=

"c:\\Program\\World of Warcraft\\BackgroundDownloader.exe"=

"c:\\Program\\Steam\\Steam.exe"=

"c:\\Documents and Settings\\Stefan\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=

"c:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program\\PPLive\\PPLive.exe"=

"c:\\Program\\Skype\\Phone\\Skype.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

 

R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2007-08-02 22784]

S1 VD_FileDisk;VD_FileDisk;c:\windows\system32\drivers\VD_FileDisk.sys [2006-01-13 15872]

.

Contents of the 'Scheduled Tasks' folder

 

2008-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

.

- - - - ORPHANS REMOVED - - - -

 

BHO-{C2FC30DF-A631-43E8-8D0B-7F24F47C9331} - c:\windows\system32\msqbde40.dll

 

 

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-11 19:15:32

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-11-11 19:16:09

ComboFix-quarantined-files.txt 2008-11-11 18:16:04

ComboFix2.txt 2008-11-11 16:49:15

ComboFix3.txt 2008-11-10 18:37:53

 

Pre-Run: 97 114 480 640 byte ledigt

Post-Run: 97,107,304,448 byte ledigt

 

204 --- E O F --- 2008-11-01 15:09:50

[/log]

 


Hi

ran a new Ad-Aware scan, it was still there :-(

it was in "C:\WINDOWS\system32\ati4d1ag.dll"

 

here is the HijackThis log, regards Stefan

[log]Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:12:30, on 2008-11-11

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\CTHELPER.EXE

C:\WINDOWS\Logi_MwX.Exe

C:\WINDOWS\VistaDrive\VistaDrive.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program\CA\CA Internet Security Suite\cctray\cctray.exe

C:\Program\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe

C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program\Razer\DeathAdder\razerhid.exe

C:\Program\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\bgsvcgen.exe

C:\Program\iTunes\iTunesHelper.exe

C:\Program\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\iid.exe

C:\Program\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\Program\Java\jre1.6.0_07\bin\jusched.exe

C:\Program\Delade filer\Nero\Lib\NMBgMonitor.exe

C:\Program\Delade filer\Microsoft Shared\VS7DEBUG\mdm.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program\Windows Live\Messenger\MsnMsgr.Exe

C:\Program\Nero\Nero8\Nero BackItUp\NBService.exe

C:\program\steam\steam.exe

C:\Program\Messenger\msmsgs.exe

C:\WINDOWS\system32\spupdsvc.exe

C:\Program\Razer\DeathAdder\razertra.exe

C:\Program\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

C:\Program\Razer\DeathAdder\razerofa.exe

C:\WINDOWS\ehome\medctrro.exe

C:\Program\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program\Delade filer\Nero\Lib\NMIndexingService.exe

C:\Program\iPod\bin\iPodService.exe

C:\Program\Delade filer\Nero\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\CA\CA Internet Security Suite\ccprovsp.exe

C:\Program\Outlook Express\msimn.exe

C:\Program\uTorrent\uTorrent.exe

C:\Program\Delade filer\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Program\Internet Explorer\IEXPLORE.EXE

C:\Program\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: Länkhjälp till Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1A218A98-BE0B-4680-A5D2-7E7462FAF63F} - C:\WINDOWS\system32\ati4d1ag.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive\VistaDrive.exe

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program\Delade filer\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [cctray] "C:\Program\CA\CA Internet Security Suite\cctray\cctray.exe"

O4 - HKLM\..\Run: [CAVRID] "C:\Program\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"

O4 - HKLM\..\Run: [DeathAdder] C:\Program\Razer\DeathAdder\razerhid.exe

O4 - HKLM\..\Run: [startCCC] "C:\Program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\Multimedia\QuickTime Alternative\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [OM_Monitor] C:\Program\OLYMPUS\OLYMPUS Master\FirstStart.exe

O4 - HKLM\..\Run: [Net iD] C:\WINDOWS\system32\iid.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program\Delade filer\Nero\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [steam] "c:\program\steam\steam.exe" -silent

O4 - HKCU\..\Run: [OM_Monitor] C:\Program\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-19\..\RunOnce: [setDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [setDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [setDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [setDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~1\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} (PPLive Lite Class) - http://dl.pplive.com/PluginSetup.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe

O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program\Bonjour\mDNSResponder.exe

O23 - Service: CaCCProvSP - CA, Inc. - C:\Program\CA\CA Internet Security Suite\ccprovsp.exe

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program\Delade filer\Nero\Lib\NMIndexingService.exe

O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

 

--

End of file - 10014 bytes

[/log]

 


It wasn't in the ComboFix log; there seems to be something hidden on the computer that recreates a dll file under a new name when the previous one disappears.

 

A few days have passed since you ran MBAM, so update MBAM and run a quick scan again.

 

Download Gmer to the Desktop from one of these pages:

http://www.gmer.net/

http://www.majorgeeks.com/GMER_d5198.html

Unpack the file to the Desktop.

 

Keep as many programs as possible closed.

Double-click the program gmer.exe to start it.

Select the Rootkit tab and check that everything on the right is ticked except Show All. Press Scan.

Press Copy and then paste the result into your reply.

 


O2 - BHO: (no name) - {1A218A98-BE0B-4680-A5D2-7E7462FAF63F} - C:\WINDOWS\system32\ati4d1ag.dll

Have you seen it before, 927?

 


My thought was an FP, but I was just about to change my post after checking the HJT log; it feels far-fetched that ATI files would be a BHO. It's probably just coincidence that the file name turned out the same as an ATI file, but it's easy to check the properties of the file.

 

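As an added example, written for this thread and not by any of the posters, HijackThis or GMER: a PowerShell script that lists the Browser Helper Objects the O2 lines come from and pulls the file properties the post above suggests checking (publisher in the version info, Authenticode signature, creation time). It assumes PowerShell 2.0 or later is installed and reads only the standard BHO and CLSID registry locations; the thresholds (no display name, no CompanyName, unsigned DLL under system32) are the author's own triage heuristics, so a flagged entry is something to look at, not a verdict.

```powershell
# Added example, not from the thread: enumerate Browser Helper Objects (what HijackThis
# reports as O2 lines) and collect the file properties a defender checks when a BHO shows
# up as "(no name)". Assumes PowerShell 2.0 or later on Windows; run elevated for full access.

function Resolve-ClsidServer {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    # The BHO key only holds the CLSID; the DLL path lives under the CLSID's InprocServer32.
    $roots = @(
        'HKLM:\SOFTWARE\Classes\CLSID',
        'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
        'HKCU:\SOFTWARE\Classes\CLSID'
    )
    foreach ($root in $roots) {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $key) {
            $raw = (Get-ItemProperty -Path $key).'(default)'
            if ($raw) {
                # Values may be quoted or use %SystemRoot%-style variables.
                return [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
            }
        }
    }
    return $null
}

function Get-BhoReport {
    $bhoRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($entry in (Get-ChildItem -Path $root)) {
            $clsid = $entry.PSChildName
            $name  = (Get-ItemProperty -Path $entry.PSPath).'(default)'
            $path  = Resolve-ClsidServer -Clsid $clsid
            $flags = @()
            $sig = $null; $company = $null; $description = $null; $created = $null

            # HijackThis prints "(no name)" when the BHO key has no default value.
            if (-not $name) { $flags += 'no display name' }

            if ($path -and (Test-Path -LiteralPath $path)) {
                $file        = Get-Item -LiteralPath $path
                $created     = $file.CreationTime
                $company     = $file.VersionInfo.CompanyName
                $description = $file.VersionInfo.FileDescription
                $sig         = (Get-AuthenticodeSignature -FilePath $path).Status
                if ($sig -ne 'Valid') { $flags += "signature: $sig" }
                if (-not $company)    { $flags += 'no CompanyName in version info' }
                # Vendor DLLs normally carry version info; an anonymous, unsigned DLL
                # under system32 with a vendor-like name deserves a closer look.
                if (-not $company -and $path -like "$env:SystemRoot\system32\*") {
                    $flags += 'anonymous DLL in system32'
                }
            } elseif ($path) {
                $flags += 'server path missing on disk'
            } else {
                $flags += 'CLSID has no InprocServer32'
            }

            New-Object PSObject -Property @{
                CLSID       = $clsid
                Name        = $name
                Path        = $path
                Company     = $company
                Description = $description
                Signature   = $sig
                Created     = $created
                Flags       = ($flags -join '; ')
            }
        }
    }
}

# Flagged entries first; entries with an empty Flags string sort last.
Get-BhoReport | Sort-Object Flags -Descending |
    Format-Table CLSID, Name, Path, Company, Signature, Flags -AutoSize
```

Run it from an elevated PowerShell prompt and compare the CLSIDs with the O2 lines in the HijackThis log; the Created timestamp is useful for lining an entry up with the dates in the MBAM and ComboFix logs, and a DLL that reappears under a new name will show up here as a fresh CLSID with a fresh creation time.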

Archived

This topic is now archived and is closed to further replies.
