Virus; ansluter sig till internet etc... (digeste.dll)

[Colandus]

Hejsan! Jag har fått ett problem...

 

Det är så att jag har fått ett virus, när jag startar min dator börjar den direkt att använda min internet uppkoppling (som den inte brukade göra innan) och detta fortsätter även när jag stänger ner alla andra program som använder sig utav internet.

 

Viruset har blockerat mig från att öppna aktivitetshanteraren samt regedit :

 

Här är min HijackThis log:

[log]Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:53:40, on 2009-01-31

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

 

Running processes:

C:\windows\System32\smss.exe

C:\windows\system32\winlogon.exe

C:\windows\system32\services.exe

C:\windows\system32\lsass.exe

C:\windows\system32\svchost.exe

C:\windows\System32\svchost.exe

C:\windows\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\windows\system32\spoolsv.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\windows\System32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\windows\system32\nvsvc32.exe

C:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\windows\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\windows\explorer.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\00THotkey.exe

C:\windows\system32\TFNF5.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\TOSHIBA\Toshibas zoomningsfunktion\SmoothView.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\TOSHIBA\Tvs\TvsTray.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

C:\windows\AGRSMMSG.exe

C:\windows\system32\TPSMain.exe

C:\Program Files\TOSHIBA\TOSHIBAs kontroller\TFncKy.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\windows\system32\TPSBattM.exe

C:\WINDOWS\VM_STI.EXE

C:\windows\system32\rundll32.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\windows\System32\rs32net.exe

C:\Program Files\Messenger\MSMSGS.EXE

C:\windows\system32\ctfmon.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\windows\System32\rs32net.exe

C:\windows\system32\svschost.exe

C:\windows\system32\cmd.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\windows\services.exe

C:\windows\system32\svñshost.exe

C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE

E:\autorun.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/

R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll

F2 - REG:system.ini: Shell=Explorer.exe "C:\windows\system32\~.exe"

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\windows\TEMP\init.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKLM\..\Run: [TFNF5] TFNF5.exe

O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\Toshibas zoomningsfunktion\SmoothView.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray

O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [TPSMain] TPSMain.exe

O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe

O4 - HKLM\..\Run: [TFncKy] TFncKy.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [bigDogPath] C:\WINDOWS\VM_STI.EXE Philips SPC 300NC PC Camera

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM\..\Run: [lsass driver] C:\windows\msauc.exe

O4 - HKLM\..\Run: [rs32net] C:\windows\System32\rs32net.exe

O4 - HKLM\..\Run: [services] C:\windows\services.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [rs32net] C:\windows\System32\rs32net.exe

O4 - HKCU\..\Run: [svschost.exe] C:\windows\system32\svschost.exe -check

O4 - HKCU\..\Run: [services] C:\windows\services.exe

O4 - HKCU\..\Policies\Explorer\Run: [services] C:\windows\services.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Logitech SetPoint.lnk = ?

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html

O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Ladda ner allt med Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm

O8 - Extra context menu item: Ladda ner markerat med Free Download Mananger - file://C:\Program Files\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Ladda ner med Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html

O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab

O16 - DPF: {E505599B-F37A-4849-A7B0-E0AAB5CB054C} (ScriptPlayerRuntime Class) - https://gfs.nb.se/privat/bank/scripts/eid/NordeaSmartCard.cab

O20 - Winlogon Notify: crypt - C:\windows\SYSTEM32\crypts.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe

O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

 

--

End of file - 10278 bytes

[/log]

 

 

Tacksam för svar!

 

[Zipp.]

 

[log]Ladda ner Malwarebytes Anti-Malware (MBAM) från en av dessa länkar:

http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-108

04572.html

http://projects.securitywonks.net/projects/details.php?file=158

Dubbelklicka på mbam-setup för att installera programmet.

 

 

Se till i slutet av installationen att det är bockar för:

Uppdatera Malwarebytes' Anti-Malware

Starta Malwarebytes' Anti-Malware

Tryck på Slutför

Om det finns någon uppdatering så kommer den att laddas ner och installeras.

 

När programmet startar så välj "Utför snabb skanning" och tryck på Skanna.

Skanningen tar ett tag.

När den är klar så tryck på OK och sedan "Visa resultat".

Bocka för allt och tryck sedan Ta bort markerade.

När borttagningen är klar så öppnar Anteckningar med en logg.

 

Eventuellt så kommer det upp en begäran om att starta om datorn (Restart). I så fall gör det.

Om det blir ett felmeddelande Error loading... efter omstarten så starta om datorn än en gång.

Om programmet inte kommer igång efter omstarten så starta det.

 

Om loggen inte kommer upp själv i Anteckningar så hittar du loggen på fliken Loggar i MBAM.

Kopiera loggen och klistra in den i ditt svar. [/log]

 

[Colandus]

Jag är tacksam för ditt snabba svar... Men tyvärr så funkade inte det heller :/

 

När jag öppnar installations-filen händer ingenting... Jag testade att installera den i min andra dator och skicka den installerade mappen direkt, men det funkade inte heller. Dock funkar andra program...

 

Jag har även internet avstängt om det spelar någon roll.

[inlägget ändrat 2009-01-31 15:27:38 av Colandus]

[Zipp.]

 

Pröva att byta namn på installer före du kör den

 

[Colandus]

Okej! Det funkade, men var dock tvungen att ändra namn på själva programmet också...

 

Efter scannen tryckte jag på "Ta bort markerade", då stod det att regedit var inaktiverad och att den kommer att aktiveras av programmet, tryckte på OK och sedan kom ett annat felmeddelande som även kommer när jag startar datorn och sedan kom ett nytt felmeddelande, som lyder:

"Programmet eller DLL-filen C:\windows\system32\digeste.dll är inte en giltlig Windows-minnesavbildning. Kontrollera detta mot installationsdisketten."

 

Men efter att jag tryckte på okej så slutfördes det, loggen kom upp samt ett nytt felmeddelande:

"Det går inte att hitta filen C:\windows\services.exe. Kontrollera att du angav rätt namn och försök igen. Du kan söka efter en fil genom att klicka på knappen Start och välja Sök."

 

Som kommer tillbaka direkt när jag trycker på OK igen... Den går alltså inte att stänga av!

 

Den varnade även om att "vissa poster gick inte ta bort", från registret

 

Här är loggen:

[log]Malwarebytes' Anti-Malware 1.33

Databasversion: 1654

Windows 5.1.2600 Service Pack 3

 

2009-01-31 15:48:30

mbam-log-2009-01-31 (15-48-30).txt

 

Skanningstyp: Snabb skanning

Antal skannade objekt: 60310

Förfluten tid: 9 minute(s), 10 second(s)

 

Infekterade minnesprocesser: 3

Infekterade minnesmoduler: 1

Infekterade registernycklar: 8

Infekterade registervärden: 7

Infekterade registerdataposter: 10

Infekterade mappar: 1

Infekterade filer: 22

 

Infekterade minnesprocesser:

C:\WINDOWS\system32\svschost.exe (Trojan.FakeAlert) -> Unloaded process successfully.

C:\WINDOWS\system32\svñshost.exe (Trojan.FakeAlert) -> Unloaded process successfully.

C:\WINDOWS\services.exe (Backdoor.ProRat) -> Unloaded process successfully.

 

Infekterade minnesmoduler:

C:\WINDOWS\system32\crypts.dll (Trojan.Agent) -> Delete on reboot.

 

Infekterade registernycklar:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati1wcxx (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ati1wcxx (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ati1wcxx (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati1wcxx (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt (Trojan.Agent) -> Quarantined and deleted successfully.

 

Infekterade registervärden:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass driver (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rs32net (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rs32net (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svschost.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\services (Backdoor.ProRat) -> Quarantined and deleted successfully.

 

Infekterade registerdataposter:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: digeste.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Trojan.Downloader) -> Data: c:\windows\system32\~.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Trojan.Downloader) -> Data: system32\~.exe -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe "C:\windows\system32\~.exe") Good: (Explorer.exe) -> Quarantined and deleted successfully.

 

Infekterade mappar:

C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.

 

Infekterade filer:

C:\WINDOWS\services.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSShrsr.dll (Trojan.TDSS) -> Delete on reboot.

C:\WINDOWS\system32\TDSSoiqh.dll (Trojan.TDSS) -> Delete on reboot.

C:\WINDOWS\system32\TDSSriqp.dll (Trojan.TDSS) -> Delete on reboot.

C:\WINDOWS\system32\TDSSxfum.dll (Trojan.TDSS) -> Delete on reboot.

C:\WINDOWS\system32\drivers\TDSSmqlt.sys (Trojan.TDSS) -> Delete on reboot.

C:\WINDOWS\system32\drivers\ati1wcxx.sys (Rootkit.Agent) -> Delete on reboot.

C:\WINDOWS\Temp\TDSS9df2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\Microsoft Common\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\msauc.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\rs32net.exe (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\shell31.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wpv141230259577.cpx (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wpv281230259519.cpx (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\digeste.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\crypts.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\svschost.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\svñshost.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSSkkbi.log (Trojan.TDSS) -> Delete on reboot.

C:\WINDOWS\system32\TDSSlxwp.dll (Rootkit.Agent) -> Delete on reboot.

[/log]

 

 

Jag har kört scannen utan en internet uppkoppling, men jag öppnade den iallafall för att kunna uppdatera vid installationen.

 

[inlägget ändrat 2009-01-31 15:52:26 av Colandus]

[Zipp.]

 

Starta om datorn och sen en ny Hijack log

 

[Colandus]

[log]Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:58:14, on 2009-01-31

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

 

Running processes:

C:\windows\System32\smss.exe

C:\windows\SYSTEM32\winlogon.exe

C:\windows\system32\services.exe

C:\windows\system32\lsass.exe

C:\windows\system32\svchost.exe

C:\windows\System32\svchost.exe

C:\windows\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\windows\system32\spoolsv.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\windows\System32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\windows\system32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\windows\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\windows\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\windows\system32\wuauclt.exe

C:\WINDOWS\system32\00THotkey.exe

C:\windows\system32\TFNF5.exe

C:\Program Files\TOSHIBA\Toshibas zoomningsfunktion\SmoothView.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\TOSHIBA\Tvs\TvsTray.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

C:\windows\AGRSMMSG.exe

C:\windows\system32\TPSMain.exe

C:\Program Files\TOSHIBA\TOSHIBAs kontroller\TFncKy.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\VM_STI.EXE

C:\windows\system32\rundll32.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\windows\system32\TPSBattM.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files\Messenger\MSMSGS.EXE

C:\windows\system32\ctfmon.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE

C:\windows\System32\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/

R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll

F2 - REG:system.ini: UserInit=C:\windows\system32\userinit.exe,C:\windows\TEMP\init.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKLM\..\Run: [TFNF5] TFNF5.exe

O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\Toshibas zoomningsfunktion\SmoothView.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray

O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [TPSMain] TPSMain.exe

O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe

O4 - HKLM\..\Run: [TFncKy] TFncKy.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [bigDogPath] C:\WINDOWS\VM_STI.EXE Philips SPC 300NC PC Camera

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Logitech SetPoint.lnk = ?

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html

O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Ladda ner allt med Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm

O8 - Extra context menu item: Ladda ner markerat med Free Download Mananger - file://C:\Program Files\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Ladda ner med Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html

O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab

O16 - DPF: {E505599B-F37A-4849-A7B0-E0AAB5CB054C} (ScriptPlayerRuntime Class) - https://gfs.nb.se/privat/bank/scripts/eid/NordeaSmartCard.cab

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

 

--

End of file - 9270 bytes

[/log]

 

[Zipp.]

 

[log]Avinstallera om hittas = AskSearch

 

Scanna med Hijack bocka i följande rader stäng Web-läsaren och klicka Fix checked

 

R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll

F2 - REG:system.ini: UserInit=C:\windows\system32\userinit.exe,C:\windows\TEMP\in

it.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Syst

em, DisableRegedit=1

 

sen töm denna Temp mapp

 

C:\windows\TEMP

 

scanna igen med Malwarebytes om nåt hittas[/log]

 

 

[Colandus]

Har ännu inte scannat med Malwarebytes, men när jag tömmer temp mappen kan jag inte ta bort följande filer:

 

Perflib_Perfdata_234.dat, eftersom att den används av en annan person eller program.

 

[Zipp.]

 

Dom kan vara kvar

 

[Colandus]

Okej...

 

Aktivitetshanteraren är fortfarande avaktiverad. Jag scannade med Malwarebytes och fick 7 upptäckter inklusive "Hijack.Regedit" samt "Hijack.TaskManager", och de 2 var båda klassade som bad...

 

Behöver jag skicka loggen eller ska jag ta bort markerade?

 

[Zipp.]

 

Ta bort det som hittades och testa om Aktivitetshanteraren funkar

 

[Colandus]

Vissa av dem gick inte bort, men de med "Hijack" gick bort... Fast det funkar fortfarande inte att öppna aktivitetshanteraren :/

 

Jag startade om datorn men det funkade ändå inte.

 

Jag noterade även att när man startar datorn så kommer det 2 rader med korta meningar som kommer upp snabbt (jag antar att det är filnamn, hann inte se eftersom att det gick så fort).

 

 

Scannar med Malwarebytes igen!

 

[Zipp.]

 

Scannar med Malwarebytes igen!

 

skicka loggen om nåt hittas

 

[Colandus]

Jag kör en fullständig scan, om det inte gör något (förutom att det tar betydligt längre tid).

 

[Colandus]

Okej...

 

Fullständig scan är klar, och det verkade som om inget hade gått bort innan. Har dock 1 mer än innan. När man väljer att ta bort markerade säger den att det inte går, och att en omstart krävs.

 

När jag väl har startat om datorn kommer följande meddelande upp (väldigt snabbt, var tvungen att starta om flera gånger för att få fram det fullständiga meddelandet):

"Invalid boot.INI file

booting from C:\windows\"

 

Fortfarande så funkar inte aktivitetshanteraren samt regedit...

 

Här är då loggen:

[log]Malwarebytes' Anti-Malware 1.33

Databasversion: 1654

Windows 5.1.2600 Service Pack 3

 

2009-01-31 17:44:18

mbam-log-2009-01-31 (17-43-51).txt

 

Skanningstyp: Fullständig skanning (C:\|)

Antal skannade objekt: 141438

Förfluten tid: 50 minute(s), 22 second(s)

 

Infekterade minnesprocesser: 0

Infekterade minnesmoduler: 0

Infekterade registernycklar: 4

Infekterade registervärden: 0

Infekterade registerdataposter: 2

Infekterade mappar: 0

Infekterade filer: 2

 

Infekterade minnesprocesser:

(Inga illasinnade poster hittades)

 

Infekterade minnesmoduler:

(Inga illasinnade poster hittades)

 

Infekterade registernycklar:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati1wcxx (Rootkit.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ati1wcxx (Rootkit.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ati1wcxx (Rootkit.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati1wcxx (Rootkit.Agent) -> No action taken.

 

Infekterade registervärden:

(Inga illasinnade poster hittades)

 

Infekterade registerdataposter:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

 

Infekterade mappar:

(Inga illasinnade poster hittades)

 

Infekterade filer:

C:\System Volume Information\_restore{E01B9117-E993-4959-9F11-D1C94BD63691}\RP540\A0153086.sys (Rootkit.Agent) -> No action taken.

C:\WINDOWS\system32\drivers\ati1wcxx.sys (Rootkit.Agent) -> No action taken.

[/log]

 

[inlägget ändrat 2009-01-31 17:46:50 av Colandus]

[inlägget ändrat 2009-01-31 17:47:44 av Colandus]

[inlägget ändrat 2009-01-31 17:50:59 av Colandus]

[Zipp.]

 

Kör Combofix enligt info på sidan men stäng inte av brandväggen

 

http://www.bleepingcomputer.com/combofix/se/hur-combofix-ska-anvandas

 

skicka loggen som kommer ut

 

[Colandus]

[log]ComboFix 09-01-21.04 - MY 2009-01-31 19:18:15.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.674 [GMT 1:00]

Körs från: c:\documents and settings\MY\Desktop\ComboFix.exe

 

VARNINIG -ÅTERSTÄLLNINGSKONSOLEN (THE RECOVERY CONSOLE) ÄR INTE INSTALLERAD PÅ DEN HÄR DATORN !!

.

- REDUCERAD FUNKTIONALITETSMOD -

.

 

((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Föregående körning -------

.

c:\windows\IE4 Error Log.txt

c:\windows\system32\TDSSorvd.dat

c:\windows\wiaserviv.log

 

.

(((((((((((((((((((((((( Filer Skapade från 2008-12-28 till 2009-01-31 ))))))))))))))))))))))))))))))

.

 

2009-01-31 18:28 . 2009-01-31 18:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET

2009-01-31 15:35 . 2009-01-31 15:35 <DIR> d-------- c:\documents and settings\MY\Application Data\Malwarebytes

2009-01-31 15:34 . 2009-01-31 15:34 <DIR> d-------- c:\program files\kalle

2009-01-31 15:32 . 2009-01-31 15:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-31 15:32 . 2009-01-31 15:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-31 15:32 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-31 15:32 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-31 14:53 . 2009-01-31 14:53 <DIR> d-------- c:\program files\Trend Micro

2009-01-31 14:37 . 2009-01-31 14:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

2009-01-31 11:58 . 2009-01-31 12:35 5 --a------ c:\windows\_id.dat

2009-01-31 11:57 . 2009-01-31 19:18 32,768 --a------ c:\windows\system32\drivers\ati1wcxx.sys

2009-01-31 11:57 . 2009-01-31 15:23 124 --a------ c:\windows\adobe.bat

2009-01-23 22:50 . 2009-01-23 22:50 <DIR> d-------- c:\program files\MohadaraDownloader

2008-12-23 23:07 . 2008-12-23 23:07 7,680 --ahs---- c:\windows\Thumbs.db

2008-12-18 16:26 . 2008-12-18 16:26 <DIR> d-------- c:\windows\system32\Nordea

2008-12-05 21:32 . 2008-12-05 21:32 410,984 --a------ c:\windows\system32\deploytk.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-31 14:25 --------- d-----w c:\program files\Norton Security Scan

2009-01-31 14:21 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-31 14:21 --------- d-----w c:\program files\Common Files\Panda Software

2009-01-31 14:11 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-01-31 11:45 --------- d-----w c:\documents and settings\MY\Application Data\Free Download Manager

2009-01-14 09:04 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

2009-01-09 17:45 --------- d-----w c:\documents and settings\MY\Application Data\uTorrent

2008-12-23 22:08 --------- d-----w c:\program files\Windows Media Connect 2

2008-12-23 22:08 --------- d-----w c:\program files\Jak lånekalkyl 1.5

2008-12-23 22:08 --------- d-----w c:\program files\Free Download Manager

2008-12-23 22:08 --------- d-----w c:\program files\Consumer Update Firmware

2008-12-23 22:08 --------- d-----w c:\program files\????? ???????

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-12-05 20:32 --------- d-----w c:\program files\Java

2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll

2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll

2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll

2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll

2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll

2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe

2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll

2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll

2008-10-16 13:06 268,648 ----a-w c:\windows\system32\mucltui.dll

2008-10-16 13:06 208,744 ----a-w c:\windows\system32\muweb.dll

2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll

2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll

.

 

((((((((((((((((((((((((((((( snapshot@2009-01-31_18.49.54.17 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-01-31 18:14:31 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_1f8.dat

.

(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Not* Tomma poster & legitima standardposter visas inte.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [2008-04-14 1764864]

"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5802008]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-07 5918720]

"00THotkey"="c:\windows\system32\00THotkey.exe" [2005-05-11 13:46 356352]

"SmoothView"="c:\program files\TOSHIBA\Toshibas zoomningsfunktion\SmoothView.exe" [2005-05-13 118784]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]

"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2005-04-05 73728]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]

"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2005-09-01 102400]

"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-08-30 1077329]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]

"BigDogPath"="c:\windows\VM_STI.EXE" [2004-06-09 40960]

"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2006-07-19 172032]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-05 136600]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]

"000StTHK"="000StTHK.exe" [2001-06-23 04:28 94208 c:\windows\system32\000StTHK.exe]

"TFNF5"="TFNF5.exe" [2004-12-15 c:\windows\system32\TFNF5.exe]

"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 c:\windows\agrsmmsg.exe]

"TPSMain"="TPSMain.exe" [2005-03-21 c:\windows\system32\TPSMain.exe]

"TPSODDCtl"="TPSODDCtl.exe" [bU]

"TFncKy"="TFncKy.exe" [bU]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [bU]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

"NDSTray.exe"="NDSTray.exe" [bU]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

c:\documents and settings\All Users\Start Menu\Programs\StartupLogitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-12-25 753664]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableTaskMgr"= 1 (0x1)

"DisableRegistryTools"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\windows\SYSTEM32\Userinit.exe,c:\windows\TEMP\init.exe,"

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

"UacDisableNotify"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiVirusOverride"=dword:00000001

"AntiVirusDisableNotify"=dword:00000001

"FirewallDisableNotify"=dword:00000001

"FirewallOverride"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"UacDisableNotify"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Toshiba\\ConfigFree\\CFXFER.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= c:\\Program Files\\Windows Live\\Messenger\\MsnMsgr.Exe

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\windows\\system32\\TFNF5.exe"=

"c:\\windows\\system32\\000StTHK.exe"=

"c:\\WINDOWS\\system32\\00THotkey.exe"=

"c:\\Program Files\\TOSHIBA\\Tvs\\TvsTray.exe"=

"c:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"=

"c:\\Program Files\\Common Files\\Logitech\\khalshared\\KHALMNPR.EXE"=

"c:\\windows\\system32\\netsh.exe"=

"c:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe"=

"c:\\WINDOWS\\system32\\dla\\tfswctrl.exe"=

"c:\\windows\\explorer.exe"= c:\\windows\\Explorer.EXE

"c:\\Program Files\\kalle\\mbam.exe"=

"c:\\windows\\system32\\ctfmon.exe"=

"c:\\windows\\TEMP\\init.exe"=

"c:\\Program Files\\Apoint2K\\Apoint.exe"=

 

R0 ati1wcxx;ati1wcxx;c:\windows\system32\drivers\ati1wcxx.sys [2009-01-31 32768]

R1 NTGDT;NTGDT;c:\windows\system32\drivers\NTGDT.SYS [2005-10-28 18144]

R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\jgphin.sys --> c:\windows\system32\drivers\jgphin.sys [?]

R3 ttv400x;TOSHIBA PCI DVB-T/Analog Hybrid Tuner;c:\windows\system32\drivers\ttv400x.sys [2005-10-25 173568]

R4 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2006-12-25 3712]

R4 TOS_SPS;TOSHIBA SPS Driver;c:\program files\Toshiba\TMP2VDec\tos_sps.sys [2005-07-11 163712]

S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2008-02-02 476416]

S3 TdsNordecr;Nordea NCR1 SmartCard Reader;c:\windows\system32\drivers\nordecr.sys [2007-10-30 23040]

 

--- Övriga tjänster/drivrutiner i minnet ---

 

*NewlyCreated* - ABP470N5

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{901281eb-9748-11dc-b7e0-0012f0c5b020}]

\Shell\AutoRun\command - e:\qiraat\Run.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1144a52-deba-11da-b18e-0012f0c5b020}]

\sHelL\AUTopLAy\cOMmand - E:\gyao.exe

\sHelL\AutoRun\command - E:\gyao.exe

\sHelL\eXpLOre\cOMmAnD - E:\gyao.exe

\sHelL\oPeN\coMmanD - E:\gyao.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba942386-5249-11dd-bb6b-0012f0c5b020}]

\Shell\AutoRun\command - E:\LaunchU3.exe -a

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ec3479c8-8e39-11dd-bc9a-0012f0c5b020}]

\Shell\AutoRun\command - E:\setupSNK.exe

.

Innehållet i mappen 'Schemalagda aktiviteter':

 

2009-01-28 c:\windows\Tasks\Norton Security Scan for MY.job

- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 04:18]

 

2006-04-24 c:\windows\Tasks\Registration reminder 1.job

- c:\windows\system32\OOBE\oobebaln.exe [2008-04-14 01:12]

 

2006-05-01 c:\windows\Tasks\Registration reminder 2.job

- c:\windows\system32\OOBE\oobebaln.exe [2008-04-14 01:12]

 

2009-01-31 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDetect.exe []

.

.

------- Extra genomsökning -------

.

uStart Page = hxxp://www.google.se/

IE: Add to AMV Convert Tool... - c:\program files\MP3 Player Utilities 4.00\AMVConverter\grab.html

IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm

IE: E&xportera till Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Ladda ner allt med Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm

IE: Ladda ner markerat med Free Download Mananger - file://c:\program files\Free Download Manager\dlselected.htm

IE: Ladda ner med Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm

IE: MediaManager tool grab multimedia file - c:\program files\MP3 Player Utilities 4.00\MediaManager\grab.html

DPF: {E505599B-F37A-4849-A7B0-E0AAB5CB054C} - hxxps://gfs.nb.se/privat/bank/scripts/eid/NordeaSmartCard.cab

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-31 19:18:43

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

c:\windows\Temp\init.exe [2052] 0x8668D758

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]

"imagepath"="\systemroot\system32\drivers\TDSSmqlt.sys"

.

--------------------- LÅSTA REGISTERNYCKLAR ---------------------

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]

@DACL=(02 0000)

"start"=dword:00000001

"type"=dword:00000001

"imagepath"=expand:"\\systemroot\\system32\\drivers\\TDSSmqlt.sys"

"group"="file system"

.

Sluttid: 2009-01-31 19:26:52

ComboFix-quarantined-files.txt 2009-01-31 18:26:49

 

Före genomsökningen: 18,406,420,480 bytes free

Efter genomsökningen: 18,079,588,352 byte ledigt

 

228 --- E O F --- 2009-01-14 09:04:27

[/log]

 

[Zipp.]

 

[log]Ladda ner CFScript.txt på Skrivbordet

 

http://www.skickafilen.se/download.jsp?fileid=36YExjcTVPhfj65vFdQ6

 

sen dra den med musen i Combofix och kör den

Skicka loggen som kommer ut[/log]

 

[Colandus]

När loggen skulle genereras stod det "Det går inte att komma åt filen eftersom den används av en annan process."

 

Och sedan försvan rutan

 

[Zipp.]

 

Titta om du ser loggen här C:\ComboFix.txt

 

[Colandus]

[log]ComboFix 09-01-31.01 - MY 2009-01-31 20:29:23.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.629 [GMT 1:00]

Körs från: c:\documents and settings\MY\Desktop\ComboFix.exe

Använda kommandoväxlar :: c:\documents and settings\MY\Desktop\CFScript.txt

* Skapade en ny återställningspunkt

 

VARNINIG -ÅTERSTÄLLNINGSKONSOLEN (THE RECOVERY CONSOLE) ÄR INTE INSTALLERAD PÅ DEN HÄR DATORN !!

 

FILE ::

c:\windows\system32\drivers\ati1wcxx.sys

c:\windows\system32\drivers\jgphin.sys

c:\windows\system32\drivers\TDSSmqlt.sys

c:\windows\TEMP\init.exe

E:\gyao.exe

.

 

((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\MY\Local Settings\Temporary Internet Files\about.txt

c:\documents and settings\MY\Local Settings\Temporary Internet Files\default.temp

c:\documents and settings\MY\Local Settings\Temporary Internet Files\firmware.inf

c:\documents and settings\MY\Local Settings\Temporary Internet Files\head_firmware.inf

c:\documents and settings\MY\Local Settings\Temporary Internet Files\ip3picfile.temp

c:\documents and settings\MY\Local Settings\Temporary Internet Files\ip3Wmapic.temp

c:\documents and settings\MY\Local Settings\Temporary Internet Files\T60.GIF

c:\documents and settings\MY\Local Settings\Temporary Internet Files\T60_ENG_UM_OK.ZIP

.

---- Föregående körning -------

.

c:\windows\system32\drivers\ati1wcxx.sys

c:\windows\TEMP\init.exe

 

.

((((((((((((((((((((((((((((((((((((((( Drivrutiner/Tjänster )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_ABP470N5

-------\Legacy_ATI1WCXX

-------\Legacy_TDSSSERV.SYS

-------\Service_abp470n5

-------\Service_ati1wcxx

 

 

(((((((((((((((((((((((( Filer Skapade från 2008-12-28 till 2009-01-31 ))))))))))))))))))))))))))))))

.

 

2009-01-31 20:34 . 2009-01-31 20:34 5,669 --a------ c:\windows\system32\drivers\jgphin.sys

2009-01-31 18:28 . 2009-01-31 18:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET

2009-01-31 15:35 . 2009-01-31 15:35 <DIR> d-------- c:\documents and settings\MY\Application Data\Malwarebytes

2009-01-31 15:34 . 2009-01-31 15:34 <DIR> d-------- c:\program files\kalle

2009-01-31 15:32 . 2009-01-31 15:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-31 15:32 . 2009-01-31 15:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-31 15:32 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-31 15:32 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-31 14:53 . 2009-01-31 14:53 <DIR> d-------- c:\program files\Trend Micro

2009-01-31 14:37 . 2009-01-31 14:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

2009-01-31 11:58 . 2009-01-31 12:35 5 --a------ c:\windows\_id.dat

2009-01-31 11:57 . 2009-01-31 15:23 124 --a------ c:\windows\adobe.bat

2009-01-23 22:50 . 2009-01-23 22:50 <DIR> d-------- c:\program files\MohadaraDownloader

2008-12-23 23:07 . 2008-12-23 23:07 7,680 --ahs---- c:\windows\Thumbs.db

2008-12-18 16:26 . 2008-12-18 16:26 <DIR> d-------- c:\windows\system32\Nordea

2008-12-05 21:32 . 2008-12-05 21:32 410,984 --a------ c:\windows\system32\deploytk.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-31 14:25 --------- d-----w c:\program files\Norton Security Scan

2009-01-31 14:21 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-31 14:21 --------- d-----w c:\program files\Common Files\Panda Software

2009-01-31 14:11 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-01-31 11:45 --------- d-----w c:\documents and settings\MY\Application Data\Free Download Manager

2009-01-14 09:04 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

2009-01-09 17:45 --------- d-----w c:\documents and settings\MY\Application Data\uTorrent

2008-12-23 22:08 --------- d-----w c:\program files\Windows Media Connect 2

2008-12-23 22:08 --------- d-----w c:\program files\Jak lånekalkyl 1.5

2008-12-23 22:08 --------- d-----w c:\program files\Free Download Manager

2008-12-23 22:08 --------- d-----w c:\program files\Consumer Update Firmware

2008-12-23 22:08 --------- d-----w c:\program files\????? ???????

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-12-05 20:32 --------- d-----w c:\program files\Java

.

 

((((((((((((((((((((((((((((( snapshot@2009-01-31_18.49.54.17 )))))))))))))))))))))))))))))))))))))))))

.

+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE

- 2000-08-31 07:00:00 161,792 ----a-w c:\windows\SWREG.exe

+ 2000-08-31 07:00:00 286,720 ----a-w c:\windows\SWREG.exe

+ 2009-01-31 19:34:37 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_a98.dat

.

(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Not* Tomma poster & legitima standardposter visas inte.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [2008-04-14 1764864]

"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5802008]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-07 5918720]

"00THotkey"="c:\windows\system32\00THotkey.exe" [2005-05-11 13:46 356352]

"SmoothView"="c:\program files\TOSHIBA\Toshibas zoomningsfunktion\SmoothView.exe" [2005-05-13 118784]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]

"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2005-04-05 73728]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]

"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2005-09-01 102400]

"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-08-30 1077329]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]

"BigDogPath"="c:\windows\VM_STI.EXE" [2004-06-09 40960]

"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2006-07-19 172032]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-05 136600]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]

"000StTHK"="000StTHK.exe" [2001-06-23 04:28 94208 c:\windows\system32\000StTHK.exe]

"TFNF5"="TFNF5.exe" [2004-12-15 c:\windows\system32\TFNF5.exe]

"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 c:\windows\agrsmmsg.exe]

"TPSMain"="TPSMain.exe" [2005-03-21 c:\windows\system32\TPSMain.exe]

"TPSODDCtl"="TPSODDCtl.exe" [bU]

"TFncKy"="TFncKy.exe" [bU]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [bU]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

"NDSTray.exe"="NDSTray.exe" [bU]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

c:\documents and settings\All Users\Start Menu\Programs\StartupLogitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-12-25 753664]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableTaskMgr"= 1 (0x1)

"DisableRegistryTools"= 1 (0x1)

 

Registernyckeln SafeBoot behöver repareras. Den här datorn kan inte startas i felsäkert läge.

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]

@="Driver Group"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]

@="Driver"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]

@="DiskDrive"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]

@="Hdc"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]

@="Keyboard"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]

@="Mouse"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]

@="System"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]

@="Volume"

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"FirewallDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

"UacDisableNotify"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiVirusOverride"=dword:00000001

"AntiVirusDisableNotify"=dword:00000001

"FirewallDisableNotify"=dword:00000001

"FirewallOverride"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"UacDisableNotify"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Toshiba\\ConfigFree\\CFXFER.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"= c:\\Program Files\\Messenger\\MSMSGS.EXE

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= c:\\Program Files\\Windows Live\\Messenger\\MsnMsgr.Exe

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\windows\\system32\\TFNF5.exe"=

"c:\\windows\\system32\\000StTHK.exe"=

"c:\\WINDOWS\\system32\\00THotkey.exe"=

"c:\\Program Files\\TOSHIBA\\Tvs\\TvsTray.exe"=

"c:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"=

"c:\\Program Files\\Common Files\\Logitech\\khalshared\\KHALMNPR.EXE"=

"c:\\windows\\system32\\netsh.exe"=

"c:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe"=

"c:\\WINDOWS\\system32\\dla\\tfswctrl.exe"=

"c:\\Program Files\\kalle\\mbam.exe"=

"c:\\Program Files\\Apoint2K\\Apoint.exe"=

"c:\\ComboFix\\NirCmd.cfexe"=

"c:\\windows\\system32\\CF20994.exe"=

"c:\\DOCUME~1\\MY\\LOCALS~1\\Temp\\wingwsdnt.exe"=

 

R1 NTGDT;NTGDT;c:\windows\system32\drivers\NTGDT.SYS [2005-10-28 18144]

R3 abp470n5;abp470n5;c:\windows\system32\drivers\jgphin.sys [2009-01-31 5669]

R3 ttv400x;TOSHIBA PCI DVB-T/Analog Hybrid Tuner;c:\windows\system32\drivers\ttv400x.sys [2005-10-25 173568]

R4 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2006-12-25 3712]

R4 TOS_SPS;TOSHIBA SPS Driver;c:\program files\Toshiba\TMP2VDec\tos_sps.sys [2005-07-11 163712]

S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2008-02-02 476416]

S3 TdsNordecr;Nordea NCR1 SmartCard Reader;c:\windows\system32\drivers\nordecr.sys [2007-10-30 23040]

 

--- Övriga tjänster/drivrutiner i minnet ---

 

*NewlyCreated* - ABP470N5

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39cc2567-dba1-11da-b186-0012f0c5b020}]

\shell\AUtOPLAy\command - E:\xdno.cmd

\shell\AutoRun\command - E:\xdno.cmd

\shell\expLore\CoMMAnd - E:\xdno.cmd

\shell\oPen\coMmAnd - E:\xdno.cmd

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{901281eb-9748-11dc-b7e0-0012f0c5b020}]

\Shell\AutoRun\command - e:\qiraat\Run.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1144a52-deba-11da-b18e-0012f0c5b020}]

\sHelL\AUTopLAy\cOMmand - E:\gyao.exe

\sHelL\AutoRun\command - E:\gyao.exe

\sHelL\eXpLOre\cOMmAnD - E:\gyao.exe

\sHelL\oPeN\coMmanD - E:\gyao.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba942386-5249-11dd-bb6b-0012f0c5b020}]

\Shell\AutoRun\command - E:\LaunchU3.exe -a

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ec3479c8-8e39-11dd-bc9a-0012f0c5b020}]

\Shell\AutoRun\command - E:\setupSNK.exe

.

Innehållet i mappen 'Schemalagda aktiviteter':

 

2009-01-28 c:\windows\Tasks\Norton Security Scan for MY.job

- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 04:18]

 

2006-04-24 c:\windows\Tasks\Registration reminder 1.job

- c:\windows\system32\OOBE\oobebaln.exe [2008-04-14 01:12]

 

2006-05-01 c:\windows\Tasks\Registration reminder 2.job

- c:\windows\system32\OOBE\oobebaln.exe [2008-04-14 01:12]

 

2009-01-31 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDetect.exe []

.

.

------- Extra genomsökning -------

.

uStart Page = hxxp://www.google.se/

IE: Add to AMV Convert Tool... - c:\program files\MP3 Player Utilities 4.00\AMVConverter\grab.html

IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm

IE: E&xportera till Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Ladda ner allt med Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm

IE: Ladda ner markerat med Free Download Mananger - file://c:\program files\Free Download Manager\dlselected.htm

IE: Ladda ner med Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm

IE: MediaManager tool grab multimedia file - c:\program files\MP3 Player Utilities 4.00\MediaManager\grab.html

DPF: {E505599B-F37A-4849-A7B0-E0AAB5CB054C} - hxxps://gfs.nb.se/privat/bank/scripts/eid/NordeaSmartCard.cab

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-31 20:34:15

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

------------------------ Andra processer som körs ------------------------

.

c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe

c:\windows\system32\scardsvr.exe

c:\program files\Toshiba\ConfigFree\CFSvcs.exe

c:\windows\ehome\ehrecvr.exe

c:\windows\ehome\ehSched.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\dllhost.exe

c:\windows\ehome\ehmsas.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\TPSBattM.exe

c:\program files\Apoint2K\ApntEx.exe

c:\program files\Toshiba\ConfigFree\NDSTray.exe

c:\program files\Windows Live\Messenger\usnsvc.exe

c:\docume~1\MY\LOCALS~1\temp\wingwsdnt.exe

c:\docume~1\MY\LOCALS~1\temp\winthnjhe.exe

.

**************************************************************************

.

Sluttid: 2009-01-31 20:38:48 - datorn startades om. [MY]

ComboFix-quarantined-files.txt 2009-01-31 19:38:38

ComboFix2.txt 2009-01-31 18:26:52

 

Före genomsökningen: 17,917,825,024 bytes free

Efter genomsökningen: 17,773,498,368 byte ledigt

 

272 --- E O F --- 2009-01-14 09:04:27

[/log]

 

[Zipp.]

 

Scanna denna fil i länken och kopiera resultat och skicka hit

 

c:\windows\system32\drivers\jgphin.sys

 

http://www.virustotal.com/

 

[Colandus]

kommer inte åt http://www.virustotal.com/ på den infekterade datorn, jag kopierade filen och försökte att scanna den från en annan dator men där fick jag meddelandet "Exception

Please report failure as: ErrorTime= "Jan 31 20:58:16""

 

[Zipp.]

 

Uppdatera din Malwarebytes och kör en snabb scan och skicka loggen