
Virus that "knocks out" the Internet and the computer in general


Rob..


[log]Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:14:22, on 11/02/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Safe mode

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newsnow.co.uk/newsfeed/?name=Liverpool

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

O4 - HKLM\..\Run: [CTDVDDET] "C:\Program\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"

O4 - HKLM\..\Run: [VolPanel] "C:\Program\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r

O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [HPHUPD08] c:\Program\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

O4 - HKLM\..\Run: [PCMService] "C:\Program\CyberLink\PowerCinema\PCMService.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [HPBootOp] "C:\Program\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

O4 - HKLM\..\Run: [HP Software Update] C:\Program\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Net iD] C:\WINDOWS\system32\iid.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [VoddlerNet Manager] C:\Program\Voddler\service\VNetManager.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ostxhvyc] C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Application Data\yiculo\ktkvsftav.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [ostxhvyc] C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Application Data\yiculo\ktkvsftav.exe

O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')

O4 - Startup: Monitor My eRooms (V7).lnk = C:\Program\eRoom 7\ERClient7.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Personal.lnk = C:\Program\Personal\bin\Personal.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll

O9 - Extra button: Hjälp med anslutning - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Hjälp med anslutning - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab

O16 - DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} (ERPageAddin Class) - https://solid.seb.se/eRoomSetup/,DanaInfo=SEB-eRoom.sebank.se,SSL,CT=java+client.cab

O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.postfoto.se/aurigma/ImageUploader4.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://83.150.146.111/activex/AxisCamControl.cab

O16 - DPF: {D9CDEFE3-51BB-4737-A12C-53D9814A148C} (DAX Control) - https://solid.seb.se/exchweb/controls/,DanaInfo=skcc020a.sebank.se,CT=java+DAX.cab

O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://www.postfoto.se/upload/aurigma/ImageUploader4.cab

O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://juniper.net/dana-cached/sc/JuniperSetupClient.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatisk LiveUpdate-schemaläggare - Unknown owner - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)

O23 - Service: Bonjour Service - Apple Inc. - C:\Program\Bonjour\mDNSResponder.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program\Canon\CAL\CALMAIN.exe

O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe

O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program\CyberLink\PowerCinema\Kernel\TV\CLSched.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe

O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program\Juniper Networks\Common Files\dsNcService.exe

O23 - Service: Tjänsten Google Update (gupdate) (gupdate) - Google Inc. - C:\Program\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program\Delade filer\LightScribe\LSSrvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: VoddlerNet - Voddler - C:\Program\Voddler\service\voddler.exe

 

--

End of file - 9881 bytes

[/log]

I have a problem with some virus-like thing that wrecks the whole computer; I can't use the Internet, and on top of that I can't open ordinary programs on the computer. Then I keep getting a message: "security warning, application cannot be executed. The file wscntfy.exe is infected. Do you want to activate your antivirus software now". Then you end up on the antivirus software's page where you are supposed to buy a program.

I have a program called Spybot Search and Destroy (which is supposed to be good for something... :rolleyes: ) where I was asked whether to allow a change, which I unfortunately did.

I have AntiVir as my antivirus program and it doesn't seem to find anything.

Attaching a HijackThis log.

Grateful for any help!


This should get the Internet working again and make it possible to run more programs:

1. In Internet Explorer, choose Internet Options from the Tools menu.

Select the Connections tab.

Click LAN settings.

Remove the check mark in front of "Use a proxy server".

Click OK.

2. Save RKill by Grinler to the Desktop. Download it from the first of these links:

http://download.bleepingcomputer.com/grinler/rkill.com

http://download.bleepingcomputer.com/grinler/rkill.pif

http://download.bleepingcomputer.com/grinler/rkill.scr

http://download.bleepingcomputer.com/grinler/rkill.exe

If you can't download RKill, repeat step 1; it may need to be done several times before it sticks. If you haven't succeeded after 5 attempts, say so.

Start RKill (in Vista and Windows 7 by right-clicking the file and choosing Run as administrator if that option exists).

A black window/box appears for a moment if the program managed to run.

If no black window/box appeared, delete that RKill variant and repeat with the next RKill.

If you get a message saying that RKill is malicious, ignore it. It is the malicious program that doesn't want to be stopped. Leave the warning on the screen and run RKill once more.

Run RKill several times in a row until you no longer see the malicious program, but at most 10 times.

If none of the program variants can run, say so.

3. On the page http://www.virustotal.com, click the Browse button and paste the following file name into the box, click Open and then Send File. Then wait until the result is ready (Current status becomes finished). Paste a link to the result page in your reply.

C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Application Data\yiculo\ktkvsftav.exe

4. We can see what DDS shows as well. Save DDS to the Desktop.

http://download.bleepingcomputer.com/sUBs/dds.scr

Start the program by double-clicking it.

Click Yes if the question about Optional Scan appears.

In your reply, paste the log DDS.txt. But save Attach.txt to the Desktop.
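An added triage example, not from this thread and not part of HijackThis or RKill: a Python script that scans HijackThis 2.0.2 log lines for the two indicators the helper acts on in steps 1 and 3, the ProxyServer value pointing at 127.0.0.1 and the O4 Run entry started from the user's Application Data folder under both HKLM and HKCU. The sample lines are constructed from the log posted above, and the regexes assume the 2.0.2 line layout shown there.

```python
"""Triage a HijackThis 2.0.2 log for the indicators seen in this thread:
a browser proxy pointing at the local machine (step 1 removes it to get
the Internet working again) and an O4 Run entry that starts a file from
the user's Application Data folder, registered under both HKLM and HKCU."""
import re
from dataclasses import dataclass

# Constructed sample: six lines modelled on the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newsnow.co.uk/newsfeed/?name=Liverpool
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [avgnt] "C:\Program\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [ostxhvyc] C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Application Data\yiculo\ktkvsftav.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ostxhvyc] C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Application Data\yiculo\ktkvsftav.exe
"""

# Line layouts as HijackThis 2.0.2 prints them (assumed from the log above).
PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<value>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Autorun locations that installed software rarely uses (XP and Vista+ names).
USER_DATA_DIRS = ("\\application data\\", "\\appdata\\")


@dataclass
class Finding:
    evidence: str
    reason: str


def is_loopback_proxy(value: str) -> bool:
    """True if any entry in an IE ProxyServer value targets this machine.

    The value is either "host:port" or "http=host:port;https=host:port;...".
    """
    for entry in value.split(";"):
        host = entry.split("=", 1)[-1].strip().lower()
        host = re.sub(r":\d+$", "", host)  # drop the port
        if host.startswith("127.") or host in ("localhost", "[::1]"):
            return True
    return False


def exe_path(cmd: str) -> str:
    """Extract the executable from an O4 command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces, so cut at the first ".exe" token.
    m = re.match(r"(?i)(.+?\.exe)(?:\s|$)", cmd)
    return m.group(1) if m else cmd.split()[0]


def triage(log_text: str) -> list:
    """Return one Finding per suspicious line plus one per HKLM+HKCU pair."""
    findings = []
    hives_by_exe = {}  # lower-cased executable path -> set of hives
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            if is_loopback_proxy(m.group("value")):
                findings.append(Finding(
                    line,
                    "ProxyServer points at the local machine; the browser can "
                    "only reach the Internet through whatever listens there"))
            continue
        m = RUN_RE.match(line)
        if not m:
            continue
        path = exe_path(m.group("cmd"))
        if any(d in path.lower() for d in USER_DATA_DIRS):
            findings.append(Finding(
                line,
                f"Run value [{m.group('name')}] starts a file from a "
                f"user data folder: {path}"))
        hives_by_exe.setdefault(path.lower(), set()).add(m.group("hive"))
    for path, hives in hives_by_exe.items():
        if {"HKLM", "HKCU"} <= hives:
            findings.append(Finding(
                path, "same executable registered under both HKLM and HKCU Run"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.evidence}")
```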


[log]This log file is located at C:\rkill.log.

Please post this only if requested to by the person helping you.

Otherwise you can close this log when you wish.

Ran as HP_Žgaren on 13/02/2010 at 10:26:14.

 

 

Processes terminated by Rkill or while it was running:

 

 

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program\HP\HP Software Update\HPWuSchd2.exe

C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Application Data\yiculo\ktkvsftav.exe

C:\Program\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program\eRoom 7\ERClient7.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Documents and Settings\HP_Ägaren\Skrivbord\rkill.com

 

 

Rkill completed on 13/02/2010 at 10:26:16.

[/log]

I think it went fine.

virustotal

[log]

DDS (Ver_09-12-01.01) - NTFSx86

Run by HP_Žgaren at 10:42:44.20 on 13/02/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.2046.1401 [GMT 1:00]

 

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

 

============== Running Processes ===============

 

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Avira\AntiVir Desktop\sched.exe

C:\Program\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE

C:\Program\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe

C:\Program\Creative\Shared Files\Module Loader\DLLML.exe

C:\WINDOWS\CTHELPER.EXE

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\Program\CyberLink\PowerCinema\PCMService.exe

C:\HP\KBD\KBD.EXE

C:\Program\Delade filer\Real\Update_OB\realsched.exe

svchost.exe

C:\WINDOWS\system32\iid.exe

C:\Program\Avira\AntiVir Desktop\avgnt.exe

C:\Program\Voddler\service\VNetManager.exe

C:\Program\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program\Spybot - Search & Destroy\TeaTimer.exe

C:\Program\Personal\bin\Personal.exe

C:\Program\WinZip\WZQKPICK.EXE

c:\windows\system\hpsysdrv.exe

C:\Program\Avira\AntiVir Desktop\avguard.exe

C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program\Bonjour\mDNSResponder.exe

C:\Program\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe

C:\Program\Juniper Networks\Common Files\dsNcService.exe

C:\Program\Java\jre6\bin\jqs.exe

C:\Program\Delade filer\LightScribe\LSSrvc.exe

C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program\Canon\CAL\CALMAIN.exe

C:\Program\CyberLink\PowerCinema\Kernel\TV\CLSched.exe

C:\Program\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Program\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Documents and Settings\HP_Ägaren\Skrivbord\dds.scr

 

============== Pseudo HJT Report ===============

 

uStart Page = hxxp://www.newsnow.co.uk/newsfeed/?name=Liverpool

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program\spybot~1\SDHelper.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program\yahoo!\companion\installs\cpn\yt.dll

uRun: [updateMgr] "c:\program\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [sUPERAntiSpyware] c:\program\superantispyware\SUPERAntiSpyware.exe

uRun: [spybotSD TeaTimer] c:\program\spybot - search & destroy\TeaTimer.exe

uRun: [ostxhvyc] c:\documents and settings\hp_ägaren\lokala inställningar\application data\yiculo\ktkvsftav.exe

mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

mRun: [CTDVDDET] "c:\program\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"

mRun: [VolPanel] "c:\program\creative\sound blaster x-fi\volume panel\VolPanel.exe" /r

mRun: [AudioDrvEmulator] "c:\program\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program\creative\shared files\module loader\audio emulator\AudDrvEm.dll"

mRun: [CTHelper] CTHELPER.EXE

mRun: [CTxfiHlp] CTXFIHLP.EXE

mRun: [updReg] c:\windows\UpdReg.EXE

mRun: [HPHUPD08] c:\program\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe

mRun: [PCMService] "c:\program\cyberlink\powercinema\PCMService.exe"

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [HPBootOp] "c:\program\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run

mRun: [HP Software Update] c:\program\hp\hp software update\HPWuSchd2.exe

mRun: [KBD] c:\hp\kbd\KBD.EXE

mRun: [TkBellExe] "c:\program\delade filer\real\update_ob\realsched.exe" -osboot

mRun: [Net iD] c:\windows\system32\iid.exe

mRun: [avgnt] "c:\program\avira\antivir desktop\avgnt.exe" /min

mRun: [AppleSyncNotifier] c:\program\delade filer\apple\mobile device support\bin\AppleSyncNotifier.exe

mRun: [<NO NAME>]

mRun: [VoddlerNet Manager] c:\program\voddler\service\VNetManager.exe

mRun: [QuickTime Task] "c:\program\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program\itunes\iTunesHelper.exe"

mRun: [ostxhvyc] c:\documents and settings\hp_ägaren\lokala inställningar\application data\yiculo\ktkvsftav.exe

StartupFolder: c:\docume~1\hp_gar~1\start-~1\program\autost~1\monito~1.lnk - c:\program\eroom 7\ERClient7.exe

StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\adober~1.lnk - c:\program\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\hpdigi~1.lnk - c:\program\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\personal.lnk - c:\program\personal\bin\Personal.exe

StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\winzip~1.lnk - c:\program\winzip\WZQKPICK.EXE

IE: E&xportera till Microsoft Excel - c:\program\micros~2\office11\EXCEL.EXE/3000

IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\program\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program\spybot~1\SDHelper.dll

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab

DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab

DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab

DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxps://solid.seb.se/eRoomSetup/,DanaInfo=SEB-eRoom.sebank.se,SSL,CT=java+client.cab

DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://www.postfoto.se/aurigma/ImageUploader4.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://83.150.146.111/activex/AxisCamControl.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D9CDEFE3-51BB-4737-A12C-53D9814A148C} - hxxps://solid.seb.se/exchweb/controls/,DanaInfo=skcc020a.sebank.se,CT=java+DAX.cab

DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} - hxxp://www.postfoto.se/upload/aurigma/ImageUploader4.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab

Notify: !SASWinLogon - c:\program\superantispyware\SASWINLO.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program\superantispyware\SASSEH.DLL

 

============= SERVICES / DRIVERS ===============

 

R1 avgio;avgio;c:\program\avira\antivir desktop\avgio.sys [2009-9-20 11608]

R1 SASDIFSV;SASDIFSV;c:\program\superantispyware\sasdifsv.sys [2006-10-10 5632]

R1 SASKUTIL;SASKUTIL;c:\program\superantispyware\SASKUTIL.SYS [2007-2-27 32256]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program\avira\antivir desktop\sched.exe [2009-9-20 108289]

R2 AntiVirService;Avira AntiVir Guard;c:\program\avira\antivir desktop\avguard.exe [2009-9-20 185089]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-9-20 56816]

R2 PWSYSDRV;PWSYSDRV;c:\windows\system32\drivers\pwsysdrv.sys [2006-10-12 17072]

R2 VoddlerNet;VoddlerNet;c:\program\voddler\service\voddler.exe [2010-1-26 1235664]

R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [2005-1-1 2799488]

R3 SASENUM;SASENUM;c:\program\superantispyware\SASENUM.SYS [2006-2-16 4096]

S2 Automatisk LiveUpdate-schemaläggare;Automatisk LiveUpdate-schemaläggare;"c:\program\symantec\liveupdate\aluschedulersvc.exe" --> c:\program\symantec\liveupdate\ALUSchedulerSvc.exe [?]

S2 gupdate;Tjänsten Google Update (gupdate);c:\program\google\update\GoogleUpdate.exe [2010-1-5 135664]

S3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [2005-1-1 468768]

 

=============== Created Last 30 ================

 

2010-01-31 07:57:46 119808 --sha-r- c:\windows\system32\cmpropsj.dll

 

==================== Find3M ====================

 

2010-02-11 20:24:06 9175040 ----a-w- c:\documents and settings\hp_ägaren\ntuser.dat

2009-12-31 16:50:03 353792 ------w- c:\windows\system32\drivers\srv.sys

2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys

2009-12-21 13:22:55 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2009-12-17 07:42:44 343552 ----a-w- c:\windows\system32\mspaint.exe

2009-12-17 07:42:44 343552 ------w- c:\windows\system32\dllcache\mspaint.exe

2009-12-14 07:10:20 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-14 07:10:20 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll

2009-12-10 18:24:44 64822 ----a-w- c:\windows\system32\perfc01D.dat

2009-12-10 18:24:44 387910 ----a-w- c:\windows\system32\perfh01D.dat

2009-12-08 09:25:55 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll

2009-12-04 18:22:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys

2009-11-27 17:14:13 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 17:14:13 17920 ------w- c:\windows\system32\dllcache\msyuv.dll

2009-11-27 17:14:13 1293824 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 17:14:13 1293824 ------w- c:\windows\system32\dllcache\quartz.dll

2009-11-27 16:10:39 8704 ----a-w- c:\windows\system32\tsbyuv.dll

2009-11-27 16:10:39 8704 ------w- c:\windows\system32\dllcache\tsbyuv.dll

2009-11-27 16:10:39 85504 ----a-w- c:\windows\system32\avifil32.dll

2009-11-27 16:10:39 85504 ------w- c:\windows\system32\dllcache\avifil32.dll

2009-11-27 16:10:39 48128 ----a-w- c:\windows\system32\iyuv_32.dll

2009-11-27 16:10:39 48128 ------w- c:\windows\system32\dllcache\iyuv_32.dll

2009-11-27 16:10:39 28672 ----a-w- c:\windows\system32\msvidc32.dll

2009-11-27 16:10:39 28672 ------w- c:\windows\system32\dllcache\msvidc32.dll

2009-11-27 16:10:39 11264 ----a-w- c:\windows\system32\msrle32.dll

2009-11-27 16:10:39 11264 ------w- c:\windows\system32\dllcache\msrle32.dll

2009-11-21 16:03:18 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

2006-08-13 20:19:17 22 --sha-w- c:\windows\sminst\HPCD.sys

2009-01-07 20:46:24 32768 --sha-w- c:\windows\system32\config\systemprofile\lokala inställningar\tidigare\history.ie5\mshist012009010720090108\index.dat

 

============= FINISH: 10:43:17.46 ===============

[/log]


If you notice any sign of the malicious program or some program doesn't work, run RKill again. If you need to restart the computer, you will have to run RKill again, for example.

The TeaTimer function in Spybot S&D is very good, but right now it can interfere with the necessary changes in the registry, so you need to turn it off. Remember to turn it back on when the computer is clean, but not before then. If questions then come up about whether changes should be allowed, choose to allow them.

Start Spybot S&D

Choose Advanced in the Mode menu

On the left, choose Tools - Resident

Remove the check mark for TeaTimer

Exit the program.

If any question comes up about whether a change should be allowed, accept the change.

Restart the computer.

Download ResetTeaTimer.exe to the Desktop.

http://home.hetnet.nl/~stefsmeenk/ResetTeaTimer.exe

Run it.

Download Malwarebytes Anti-Malware (MBAM) from one of these links:

http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

Double-click mbam-setup to install the program.

At the end of the installation, make sure there are check marks for:

Update Malwarebytes' Anti-Malware

Launch Malwarebytes' Anti-Malware

Click Finish

If there is an update, it will be downloaded and installed.

When the program starts, choose "Perform quick scan" and click Scan.

The scan takes a while.

When it is finished, click OK and then "Show Results".

Check everything and then click Remove Selected.

When the removal is finished, Notepad opens with a log.

A request to restart the computer (Restart) may come up. If so, do it.

If there is an error message Error loading... after the restart, restart the computer once more.

If the program doesn't start after the restart, start it.

If the log doesn't come up by itself in Notepad, you will find the log on the Logs tab in MBAM.

Copy the log and paste it into your reply.


[log]Malwarebytes' Anti-Malware 1.44

Databasversion: 3732

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

 

13/02/2010 13:23:40

mbam-log-2010-02-13 (13-23-40).txt

 

Skanningstyp: Snabb skanning

Antal skannade objekt: 117758

Förfluten tid: 4 minute(s), 35 second(s)

 

Infekterade minnesprocesser: 0

Infekterade minnesmoduler: 0

Infekterade registernycklar: 0

Infekterade registervärden: 2

Infekterade registerdataposter: 0

Infekterade mappar: 0

Infekterade filer: 0

 

Infekterade minnesprocesser:

(Inga illasinnade poster hittades)

 

Infekterade minnesmoduler:

(Inga illasinnade poster hittades)

 

Infekterade registernycklar:

(Inga illasinnade poster hittades)

 

Infekterade registervärden:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ostxhvyc (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ostxhvyc (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

 

Infekterade registerdataposter:

(Inga illasinnade poster hittades)

 

Infekterade mappar:

(Inga illasinnade poster hittades)

 

Infekterade filer:

(Inga illasinnade poster hittades)

[/log]


Had to run RKill when the computer was restarted.

The log:


[log]

DDS (Ver_09-12-01.01) - NTFSx86

Run by HP_Ägaren at 13:35:49.14 on 13/02/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.2046.1455 [GMT 1:00]

 

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

 

============== Running Processes ===============

 

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE

C:\Program\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe

C:\Program\Creative\Shared Files\Module Loader\DLLML.exe

C:\WINDOWS\CTHELPER.EXE

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\Program\CyberLink\PowerCinema\PCMService.exe

C:\HP\KBD\KBD.EXE

C:\Program\Delade filer\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\iid.exe

C:\Program\Avira\AntiVir Desktop\avgnt.exe

C:\Program\Voddler\service\VNetManager.exe

C:\Program\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program\Personal\bin\Personal.exe

C:\Program\WinZip\WZQKPICK.EXE

C:\Program\Avira\AntiVir Desktop\avguard.exe

C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program\Bonjour\mDNSResponder.exe

C:\Program\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe

C:\Program\Juniper Networks\Common Files\dsNcService.exe

C:\Program\Java\jre6\bin\jqs.exe

C:\Program\Delade filer\LightScribe\LSSrvc.exe

C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program\Canon\CAL\CALMAIN.exe

C:\Program\CyberLink\PowerCinema\Kernel\TV\CLSched.exe

C:\Program\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Program\internet explorer\iexplore.exe

C:\Program\internet explorer\iexplore.exe

C:\Documents and Settings\HP_Ägaren\Skrivbord\dds.scr

 

============== Pseudo HJT Report ===============

 

uStart Page = hxxp://www.newsnow.co.uk/newsfeed/?name=Liverpool

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program\spybot~1\SDHelper.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program\yahoo!\companion\installs\cpn\yt.dll

uRun: [updateMgr] "c:\program\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [sUPERAntiSpyware] c:\program\superantispyware\SUPERAntiSpyware.exe

mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

mRun: [CTDVDDET] "c:\program\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"

mRun: [VolPanel] "c:\program\creative\sound blaster x-fi\volume panel\VolPanel.exe" /r

mRun: [AudioDrvEmulator] "c:\program\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program\creative\shared files\module loader\audio emulator\AudDrvEm.dll"

mRun: [CTHelper] CTHELPER.EXE

mRun: [CTxfiHlp] CTXFIHLP.EXE

mRun: [updReg] c:\windows\UpdReg.EXE

mRun: [HPHUPD08] c:\program\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe

mRun: [PCMService] "c:\program\cyberlink\powercinema\PCMService.exe"

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [HPBootOp] "c:\program\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run

mRun: [HP Software Update] c:\program\hp\hp software update\HPWuSchd2.exe

mRun: [KBD] c:\hp\kbd\KBD.EXE

mRun: [TkBellExe] "c:\program\delade filer\real\update_ob\realsched.exe" -osboot

mRun: [Net iD] c:\windows\system32\iid.exe

mRun: [avgnt] "c:\program\avira\antivir desktop\avgnt.exe" /min

mRun: [AppleSyncNotifier] c:\program\delade filer\apple\mobile device support\bin\AppleSyncNotifier.exe

mRun: [<NO NAME>]

mRun: [VoddlerNet Manager] c:\program\voddler\service\VNetManager.exe

mRun: [QuickTime Task] "c:\program\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program\itunes\iTunesHelper.exe"

mRunOnce: [Malwarebytes' Anti-Malware] c:\program\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\docume~1\hp_gar~1\start-~1\program\autost~1\monito~1.lnk - c:\program\eroom 7\ERClient7.exe

StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\adober~1.lnk - c:\program\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\hpdigi~1.lnk - c:\program\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\personal.lnk - c:\program\personal\bin\Personal.exe

StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\winzip~1.lnk - c:\program\winzip\WZQKPICK.EXE

IE: E&xportera till Microsoft Excel - c:\program\micros~2\office11\EXCEL.EXE/3000

IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\program\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program\spybot~1\SDHelper.dll

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab

DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab

DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab

DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxps://solid.seb.se/eRoomSetup/,DanaInfo=SEB-eRoom.sebank.se,SSL,CT=java+client.cab

DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://www.postfoto.se/aurigma/ImageUploader4.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://83.150.146.111/activex/AxisCamControl.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D9CDEFE3-51BB-4737-A12C-53D9814A148C} - hxxps://solid.seb.se/exchweb/controls/,DanaInfo=skcc020a.sebank.se,CT=java+DAX.cab

DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} - hxxp://www.postfoto.se/upload/aurigma/ImageUploader4.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab

Notify: !SASWinLogon - c:\program\superantispyware\SASWINLO.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program\superantispyware\SASSEH.DLL

 

============= SERVICES / DRIVERS ===============

 

R1 avgio;avgio;c:\program\avira\antivir desktop\avgio.sys [2009-9-20 11608]

R1 SASDIFSV;SASDIFSV;c:\program\superantispyware\sasdifsv.sys [2006-10-10 5632]

R1 SASKUTIL;SASKUTIL;c:\program\superantispyware\SASKUTIL.SYS [2007-2-27 32256]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program\avira\antivir desktop\sched.exe [2009-9-20 108289]

R2 AntiVirService;Avira AntiVir Guard;c:\program\avira\antivir desktop\avguard.exe [2009-9-20 185089]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-9-20 56816]

R2 PWSYSDRV;PWSYSDRV;c:\windows\system32\drivers\pwsysdrv.sys [2006-10-12 17072]

R2 VoddlerNet;VoddlerNet;c:\program\voddler\service\voddler.exe [2010-1-26 1235664]

R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [2005-1-1 2799488]

R3 SASENUM;SASENUM;c:\program\superantispyware\SASENUM.SYS [2006-2-16 4096]

S2 Automatisk LiveUpdate-schemaläggare;Automatisk LiveUpdate-schemaläggare;"c:\program\symantec\liveupdate\aluschedulersvc.exe" --> c:\program\symantec\liveupdate\ALUSchedulerSvc.exe [?]

S2 gupdate;Tjänsten Google Update (gupdate);c:\program\google\update\GoogleUpdate.exe [2010-1-5 135664]

S3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [2005-1-1 468768]

 

=============== Created Last 30 ================

 

2010-01-31 07:57:46 119808 --sha-r- c:\windows\system32\cmpropsj.dll

 

==================== Find3M ====================

 

2010-02-13 12:04:40 9175040 ----a-w- c:\documents and settings\hp_ägaren\ntuser.dat

2010-01-07 15:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 15:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-31 16:50:03 353792 ------w- c:\windows\system32\drivers\srv.sys

2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys

2009-12-21 13:22:55 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2009-12-17 07:42:44 343552 ----a-w- c:\windows\system32\mspaint.exe

2009-12-17 07:42:44 343552 ------w- c:\windows\system32\dllcache\mspaint.exe

2009-12-14 07:10:20 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-14 07:10:20 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll

2009-12-10 18:24:44 64822 ----a-w- c:\windows\system32\perfc01D.dat

2009-12-10 18:24:44 387910 ----a-w- c:\windows\system32\perfh01D.dat

2009-12-08 09:25:55 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll

2009-12-04 18:22:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys

2009-11-27 17:14:13 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 17:14:13 17920 ------w- c:\windows\system32\dllcache\msyuv.dll

2009-11-27 17:14:13 1293824 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 17:14:13 1293824 ------w- c:\windows\system32\dllcache\quartz.dll

2009-11-27 16:10:39 8704 ----a-w- c:\windows\system32\tsbyuv.dll

2009-11-27 16:10:39 8704 ------w- c:\windows\system32\dllcache\tsbyuv.dll

2009-11-27 16:10:39 85504 ----a-w- c:\windows\system32\avifil32.dll

2009-11-27 16:10:39 85504 ------w- c:\windows\system32\dllcache\avifil32.dll

2009-11-27 16:10:39 48128 ----a-w- c:\windows\system32\iyuv_32.dll

2009-11-27 16:10:39 48128 ------w- c:\windows\system32\dllcache\iyuv_32.dll

2009-11-27 16:10:39 28672 ----a-w- c:\windows\system32\msvidc32.dll

2009-11-27 16:10:39 28672 ------w- c:\windows\system32\dllcache\msvidc32.dll

2009-11-27 16:10:39 11264 ----a-w- c:\windows\system32\msrle32.dll

2009-11-27 16:10:39 11264 ------w- c:\windows\system32\dllcache\msrle32.dll

2009-11-21 16:03:18 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

2006-08-13 20:19:17 22 --sha-w- c:\windows\sminst\HPCD.sys

2009-01-07 20:46:24 32768 --sha-w- c:\windows\system32\config\systemprofile\lokala inställningar\tidigare\history.ie5\mshist012009010720090108\index.dat

 

============= FINISH: 13:36:20.73 ===============

[/log]

It does not look like MBAM found everything, so paste a new DDS log.


On the page http://www.virustotal.com press the Browse button and paste the following file name into the box, press Send File and wait until the result is ready (Current status becomes finished). Paste the result from the various antivirus programs (not Other information), or a link to the result, here.

c:\windows\system32\cmpropsj.dll

Can you paste the DDS log without using the log button/tag? It is no fun trying to read the log as it is now.
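As an added worked example (not code from this thread, nor from DDS, MBAM or ComboFix), here is a small Python triage script that runs over DDS-style log lines and flags the three indicators the logs in this thread show: a user-level Internet Explorer proxy pointing at 127.0.0.1:5555 (with nothing legitimate listening on that port, every HTTP request fails as soon as the process that did listen is gone, which fits the "knocks out the Internet" symptom in the thread title), a hidden+system file created within the last 30 days directly in system32 (cmpropsj.dll, the file the helper asked to have checked on VirusTotal), and a Run value whose name looks machine-generated (ostxhvyc, the value MBAM removed). The sample log is constructed from the line shapes in the thread; the target path on the ostxhvyc line is an assumption, since MBAM reported only the value name; the random-name rule is a heuristic and proves nothing on its own.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # "loopback-proxy" | "generated-run-name" | "hidden-system-file"
    detail: str  # the value, name or path that triggered the rule


# Line shapes from DDS's "Pseudo HJT Report" and "Created Last 30" sections.
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(.+?)\s*$", re.IGNORECASE)
RUN_RE = re.compile(r"^[um]Run(?:Once)?:\s*\[([^\]]*)\]", re.IGNORECASE)
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+([-a-z]{8})\s+(.+?)\s*$", re.IGNORECASE
)


def proxy_targets(value):
    """Split an IE ProxyServer value into (scheme, host:port) pairs.
    IE stores either 'host:port' (one proxy for all protocols) or
    'http=host:port;https=host:port' (per protocol); the thread's
    'http=127.0.0.1:5555' is the second form."""
    pairs = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, hostport = part.partition("=")
        if not sep:
            scheme, hostport = "*", scheme
        pairs.append((scheme.lower(), hostport.strip()))
    return pairs


def is_loopback(hostport):
    """127.0.0.0/8 or localhost: a user-level proxy on loopback only works
    while the (here, malicious) process listening on that port is alive."""
    host = hostport.rsplit(":", 1)[0].strip("[]").lower()
    return host == "localhost" or host.startswith("127.")


def looks_generated(name):
    """Heuristic for random-looking Run value names such as 'ostxhvyc':
    seven or more lowercase ASCII letters with at most one vowel, or a run
    of five or more consonants. The thread's vendor names (avgnt, nwiz,
    ctfmon.exe, iTunesHelper) do not match. A hint, not a verdict."""
    if len(name) < 7 or not name.isascii() or not name.isalpha() or not name.islower():
        return False
    vowels = sum(c in "aeiou" for c in name)
    longest_consonant_run = max(len(run) for run in re.split(r"[aeiou]", name))
    return vowels <= 1 or longest_consonant_run >= 5


def is_hidden_system_in_system32(attrs, path):
    """'s' and 'h' in the DDS attribute column mean hidden+system. That is
    normal for some OEM and IE artefacts deeper in the tree (the thread's
    HPCD.sys and index.dat), so only a file dropped straight into system32
    is flagged."""
    parent = path.replace("/", "\\").lower().rsplit("\\", 1)[0]
    attrs = attrs.lower()
    return "s" in attrs and "h" in attrs and parent.endswith("\\windows\\system32")


def triage(log_text):
    """Run the three rules over DDS-style log text and return the findings."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = PROXY_RE.search(line)
        if m:
            for scheme, hostport in proxy_targets(m.group(1)):
                if is_loopback(hostport):
                    findings.append(Finding("loopback-proxy", f"{scheme}={hostport}"))
            continue
        m = RUN_RE.match(line)
        if m:
            if looks_generated(m.group(1)):
                findings.append(Finding("generated-run-name", m.group(1)))
            continue
        m = FILE_RE.match(line)
        if m and is_hidden_system_in_system32(m.group(1), m.group(2)):
            findings.append(Finding("hidden-system-file", m.group(2)))
    return findings


# Constructed sample in the shape of the thread's DDS logs. The target path on
# the ostxhvyc line is an assumption: MBAM reported only the value name.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avgnt] "c:\program\avira\antivir desktop\avgnt.exe" /min
mRun: [ostxhvyc] c:\docume~1\user\locals~1\applic~1\sample\sample.exe
mRun: [<NO NAME>]
2010-01-31 07:57:46 119808 --sha-r- c:\windows\system32\cmpropsj.dll
2010-01-07 15:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2006-08-13 20:19:17 22 --sha-w- c:\windows\sminst\HPCD.sys
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.kind:20} {finding.detail}")
```

Run it on a saved DDS log with `triage(open(path, encoding="cp1252", errors="replace").read())`. The proxy value is the HKCU Internet Settings ProxyServer value visible in the log; once the machine is clean it should be absent, or point at a proxy you recognise. Note also that the VirusTotal link the user posts below is for cmprops.dll, a different file with a similar name; it says nothing about cmpropsj.dll, whose upload came back empty.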


 

 

Got this reply for the file c:\windows\system32\cmpropsj.dll

; 0 bytes size received / Se ha recibido un archivo vacio

Tested with the file c:\windows\system32\cmprops.dll and got this reply:
http://www.virustotal.com/analisis/b15ffb67f27bf7094a3883adb35fc5118d5280ba4965b684023a2ac3ad393e1a-1266090614

The DDS log:

 

 

DDS (Ver_09-12-01.01) - NTFSx86

Run by HP_Ägaren at 20:52:51.51 on 13/02/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.2046.1381 [GMT 1:00]

 

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

 

============== Running Processes ===============

 

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE

C:\Program\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe

C:\Program\Creative\Shared Files\Module Loader\DLLML.exe

C:\WINDOWS\CTHELPER.EXE

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\Program\CyberLink\PowerCinema\PCMService.exe

C:\HP\KBD\KBD.EXE

C:\Program\Delade filer\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\iid.exe

C:\Program\Avira\AntiVir Desktop\avgnt.exe

C:\Program\Voddler\service\VNetManager.exe

C:\Program\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program\Personal\bin\Personal.exe

C:\Program\WinZip\WZQKPICK.EXE

C:\Program\Avira\AntiVir Desktop\avguard.exe

C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program\Bonjour\mDNSResponder.exe

C:\Program\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe

C:\Program\Juniper Networks\Common Files\dsNcService.exe

C:\Program\Java\jre6\bin\jqs.exe

C:\Program\Delade filer\LightScribe\LSSrvc.exe

C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program\Canon\CAL\CALMAIN.exe

C:\Program\CyberLink\PowerCinema\Kernel\TV\CLSched.exe

C:\Program\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Program\internet explorer\iexplore.exe

C:\Program\internet explorer\iexplore.exe

C:\Program\internet explorer\iexplore.exe

C:\Program\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program\internet explorer\iexplore.exe

C:\Documents and Settings\HP_Ägaren\Skrivbord\dds.scr

 

============== Pseudo HJT Report ===============

 

uStart Page = hxxp://www.newsnow.co.uk/newsfeed/?name=Liverpool

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program\spybot~1\SDHelper.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program\yahoo!\companion\installs\cpn\yt.dll

uRun: [updateMgr] "c:\program\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [sUPERAntiSpyware] c:\program\superantispyware\SUPERAntiSpyware.exe

mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

mRun: [CTDVDDET] "c:\program\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"

mRun: [VolPanel] "c:\program\creative\sound blaster x-fi\volume panel\VolPanel.exe" /r

mRun: [AudioDrvEmulator] "c:\program\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program\creative\shared files\module loader\audio emulator\AudDrvEm.dll"

mRun: [CTHelper] CTHELPER.EXE

mRun: [CTxfiHlp] CTXFIHLP.EXE

mRun: [updReg] c:\windows\UpdReg.EXE

mRun: [HPHUPD08] c:\program\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe

mRun: [PCMService] "c:\program\cyberlink\powercinema\PCMService.exe"

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [HPBootOp] "c:\program\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run

mRun: [HP Software Update] c:\program\hp\hp software update\HPWuSchd2.exe

mRun: [KBD] c:\hp\kbd\KBD.EXE

mRun: [TkBellExe] "c:\program\delade filer\real\update_ob\realsched.exe" -osboot

mRun: [Net iD] c:\windows\system32\iid.exe

mRun: [avgnt] "c:\program\avira\antivir desktop\avgnt.exe" /min

mRun: [AppleSyncNotifier] c:\program\delade filer\apple\mobile device support\bin\AppleSyncNotifier.exe

mRun: [<NO NAME>]

mRun: [VoddlerNet Manager] c:\program\voddler\service\VNetManager.exe

mRun: [QuickTime Task] "c:\program\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program\itunes\iTunesHelper.exe"

mRunOnce: [Malwarebytes' Anti-Malware] c:\program\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\docume~1\hp_gar~1\start-~1\program\autost~1\monito~1.lnk - c:\program\eroom 7\ERClient7.exe

StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\adober~1.lnk - c:\program\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\hpdigi~1.lnk - c:\program\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\personal.lnk - c:\program\personal\bin\Personal.exe

StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\winzip~1.lnk - c:\program\winzip\WZQKPICK.EXE

IE: E&xportera till Microsoft Excel - c:\program\micros~2\office11\EXCEL.EXE/3000

IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\program\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program\spybot~1\SDHelper.dll

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab

DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab

DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab

DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxps://solid.seb.se/eRoomSetup/,DanaInfo=SEB-eRoom.sebank.se,SSL,CT=java+client.cab

DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://www.postfoto.se/aurigma/ImageUploader4.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://83.150.146.111/activex/AxisCamControl.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D9CDEFE3-51BB-4737-A12C-53D9814A148C} - hxxps://solid.seb.se/exchweb/controls/,DanaInfo=skcc020a.sebank.se,CT=java+DAX.cab

DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} - hxxp://www.postfoto.se/upload/aurigma/ImageUploader4.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab

Notify: !SASWinLogon - c:\program\superantispyware\SASWINLO.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program\superantispyware\SASSEH.DLL

 

============= SERVICES / DRIVERS ===============

 

R1 avgio;avgio;c:\program\avira\antivir desktop\avgio.sys [2009-9-20 11608]

R1 SASDIFSV;SASDIFSV;c:\program\superantispyware\sasdifsv.sys [2006-10-10 5632]

R1 SASKUTIL;SASKUTIL;c:\program\superantispyware\SASKUTIL.SYS [2007-2-27 32256]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program\avira\antivir desktop\sched.exe [2009-9-20 108289]

R2 AntiVirService;Avira AntiVir Guard;c:\program\avira\antivir desktop\avguard.exe [2009-9-20 185089]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-9-20 56816]

R2 PWSYSDRV;PWSYSDRV;c:\windows\system32\drivers\pwsysdrv.sys [2006-10-12 17072]

R2 VoddlerNet;VoddlerNet;c:\program\voddler\service\voddler.exe [2010-1-26 1235664]

R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [2005-1-1 2799488]

R3 SASENUM;SASENUM;c:\program\superantispyware\SASENUM.SYS [2006-2-16 4096]

S2 Automatisk LiveUpdate-schemaläggare;Automatisk LiveUpdate-schemaläggare;"c:\program\symantec\liveupdate\aluschedulersvc.exe" --> c:\program\symantec\liveupdate\ALUSchedulerSvc.exe [?]

S2 gupdate;Tjänsten Google Update (gupdate);c:\program\google\update\GoogleUpdate.exe [2010-1-5 135664]

S3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [2005-1-1 468768]

 

=============== Created Last 30 ================

 

2010-01-31 07:57:46 119808 --sha-r- c:\windows\system32\cmpropsj.dll

 

==================== Find3M ====================

 

2010-02-13 12:04:40 9175040 ----a-w- c:\documents and settings\hp_ägaren\ntuser.dat

2010-01-07 15:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 15:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-31 16:50:03 353792 ------w- c:\windows\system32\drivers\srv.sys

2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys

2009-12-21 13:22:55 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2009-12-17 07:42:44 343552 ----a-w- c:\windows\system32\mspaint.exe

2009-12-17 07:42:44 343552 ------w- c:\windows\system32\dllcache\mspaint.exe

2009-12-14 07:10:20 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-14 07:10:20 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll

2009-12-10 18:24:44 64822 ----a-w- c:\windows\system32\perfc01D.dat

2009-12-10 18:24:44 387910 ----a-w- c:\windows\system32\perfh01D.dat

2009-12-08 09:25:55 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll

2009-12-04 18:22:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys

2009-11-27 17:14:13 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 17:14:13 17920 ------w- c:\windows\system32\dllcache\msyuv.dll

2009-11-27 17:14:13 1293824 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 17:14:13 1293824 ------w- c:\windows\system32\dllcache\quartz.dll

2009-11-27 16:10:39 8704 ----a-w- c:\windows\system32\tsbyuv.dll

2009-11-27 16:10:39 8704 ------w- c:\windows\system32\dllcache\tsbyuv.dll

2009-11-27 16:10:39 85504 ----a-w- c:\windows\system32\avifil32.dll

2009-11-27 16:10:39 85504 ------w- c:\windows\system32\dllcache\avifil32.dll

2009-11-27 16:10:39 48128 ----a-w- c:\windows\system32\iyuv_32.dll

2009-11-27 16:10:39 48128 ------w- c:\windows\system32\dllcache\iyuv_32.dll

2009-11-27 16:10:39 28672 ----a-w- c:\windows\system32\msvidc32.dll

2009-11-27 16:10:39 28672 ------w- c:\windows\system32\dllcache\msvidc32.dll

2009-11-27 16:10:39 11264 ----a-w- c:\windows\system32\msrle32.dll

2009-11-27 16:10:39 11264 ------w- c:\windows\system32\dllcache\msrle32.dll

2009-11-21 16:03:18 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

2006-08-13 20:19:17 22 --sha-w- c:\windows\sminst\HPCD.sys

2009-01-07 20:46:24 32768 --sha-w- c:\windows\system32\config\systemprofile\lokala inställningar\tidigare\history.ie5\mshist012009010720090108\index.dat

 

============= FINISH: 20:53:04.03 ===============


Save ComboFix to the Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Close all programs you can see, including antivirus and antispyware programs, but leave the firewall on.
How? See http://www.bleepingcomputer.com/forums/topic114351.html
Run ComboFix and follow the instructions shown.
If a question comes up about whether you want to install the Recovery Console, answer yes.

IMPORTANT! Do not click in the ComboFix window with the mouse while it is running, otherwise it may hang.

When it is finished a log should come up; paste it in your reply. Check that the antivirus program etc. are running before you connect to the internet.

If you have trouble getting onto the internet:
Control Panel - Network Connections
Right-click your internet connection and choose Repair, and/or restart the computer.

Warning! ComboFix prevents autorun of CDs, floppies and USB devices, to make it easier to clean the computer and to protect it against infections in the future. This can cause problems, for example if the computer gets its internet through a USB modem or USB network adapter. In that case say so instead of running ComboFix.


 

 

 

ComboFix 10-02-12.01 - HP_Ägaren 13/02/2010 23:53:54.14.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.2046.1489 [GMT 1:00]

Running from: c:\documents and settings\HP_Ägaren\Skrivbord\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\HP_Ägaren\Lokala inställningar\Application Data\yiculo

c:\documents and settings\HP_Ägaren\Lokala inställningar\Application Data\yiculo\ktkvsftav.exe

 

.

(((((((((((((((((((((((( Files Created from 2010-01-13 to 2010-02-13 ))))))))))))))))))))))))))))))

.

 

2010-01-31 07:57 . 2010-01-31 07:57 119808 --sha-r- c:\windows\system32\cmpropsj.dll

2010-01-26 13:41 . 2010-01-26 13:41 11591888 ----a-w- c:\documents and settings\All Users\Application Data\Voddler\VoddlerPlayer.exe

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-13 12:17 . 2009-01-06 16:13 -------- d-----w- c:\program\Malwarebytes' Anti-Malware

2010-02-13 09:59 . 2005-01-01 19:48 -------- d-----w- c:\program\Google

2010-02-13 07:52 . 2009-01-02 09:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-02-11 18:16 . 2009-09-12 05:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-02-11 17:27 . 2007-10-08 20:23 -------- d-----w- c:\program\SUPERAntiSpyware

2010-01-30 14:19 . 2006-10-15 15:07 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser

2010-01-26 16:39 . 2009-11-13 17:27 520340 ----a-w- c:\documents and settings\All Users\Application Data\Voddler\Uninstall.exe

2010-01-07 15:07 . 2009-01-06 16:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 15:07 . 2009-01-06 16:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-31 16:50 . 2004-08-04 04:00 353792 ------w- c:\windows\system32\drivers\srv.sys

2009-12-27 10:49 . 2009-12-03 17:16 -------- d-----w- c:\program\iTunes

2009-12-21 19:09 . 2004-08-04 04:00 916480 ----a-w- c:\windows\system32\wininet.dll

2009-12-18 16:20 . 2009-11-13 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Voddler

2009-12-17 11:39 . 2009-12-17 11:39 499712 ----a-w- c:\documents and settings\All Users\Application Data\Voddler\MSVCP71.DLL

2009-12-17 11:39 . 2009-12-17 11:39 348160 ----a-w- c:\documents and settings\All Users\Application Data\Voddler\msvcr71.dll

2009-12-17 11:39 . 2009-12-17 11:39 339968 ----a-w- c:\documents and settings\All Users\Application Data\Voddler\SDL.dll

2009-12-17 11:39 . 2009-12-17 11:39 212992 ----a-w- c:\documents and settings\All Users\Application Data\Voddler\glew32.dll

2009-12-17 07:42 . 2004-08-04 04:00 343552 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:10 . 2004-08-04 04:00 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-10 18:24 . 2005-12-04 20:48 64822 ----a-w- c:\windows\system32\perfc01D.dat

2009-12-10 18:24 . 2005-12-04 20:48 387910 ----a-w- c:\windows\system32\perfh01D.dat

2009-12-07 18:26 . 2009-09-20 06:29 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-12-04 18:22 . 2004-08-04 04:00 455424 ------w- c:\windows\system32\drivers\mrxsmb.sys

2009-12-03 17:11 . 2009-12-03 17:11 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe

2009-12-03 17:07 . 2009-12-03 17:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe

2009-11-27 17:14 . 2004-08-04 04:00 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 17:14 . 2004-08-04 04:00 1293824 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 16:10 . 2004-08-04 04:00 8704 ----a-w- c:\windows\system32\tsbyuv.dll

2009-11-27 16:10 . 2004-08-04 04:00 85504 ----a-w- c:\windows\system32\avifil32.dll

2009-11-27 16:10 . 2004-08-04 04:00 48128 ----a-w- c:\windows\system32\iyuv_32.dll

2009-11-27 16:10 . 2004-08-04 04:00 28672 ----a-w- c:\windows\system32\msvidc32.dll

2009-11-27 16:10 . 2004-08-04 04:00 11264 ----a-w- c:\windows\system32\msrle32.dll

2009-11-21 16:03 . 2004-08-04 04:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll

2006-08-13 20:19 . 2006-08-13 20:19 22 --sha-w- c:\windows\SMINST\HPCD.sys

.

 

(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Not* Tomma poster & legitima standardposter visas inte.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"updateMgr"="c:\program\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"SUPERAntiSpyware"="c:\program\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 1318912]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ftutil2"="ftutil2.dll" [2004-06-07 106496]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]

"nwiz"="nwiz.exe" [2006-10-31 1622016]

"CTDVDDET"="c:\program\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]

"VolPanel"="c:\program\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-07-11 122880]

"AudioDrvEmulator"="c:\program\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 49152]

"CTHelper"="CTHELPER.EXE" [2005-08-08 16384]

"CTxfiHlp"="CTXFIHLP.EXE" [2005-08-08 18944]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"HPHUPD08"="c:\program\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]

"PCMService"="c:\program\CyberLink\PowerCinema\PCMService.exe" [2006-02-24 147456]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]

"HPBootOp"="c:\program\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 249856]

"HP Software Update"="c:\program\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]

"TkBellExe"="c:\program\Delade filer\Real\Update_OB\realsched.exe" [2005-01-01 180269]

"Net iD"="c:\windows\system32\iid.exe" [2008-02-22 74992]

"avgnt"="c:\program\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"AppleSyncNotifier"="c:\program\Delade filer\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]

"VoddlerNet Manager"="c:\program\Voddler\service\VNetManager.exe" [2010-01-26 573640]

"QuickTime Task"="c:\program\QuickTime\qttask.exe" [2009-11-10 417792]

"iTunesHelper"="c:\program\iTunes\iTunesHelper.exe" [2009-11-12 141600]

 

c:\documents and settings\HP_Ägaren\Start-meny\Program\Autostart\

Monitor My eRooms (V7).lnk - c:\program\eRoom 7\ERClient7.exe [2009-1-21 153096]

 

c:\documents and settings\All Users\Start-meny\Program\Autostart\

Adobe Reader Speed Launch.lnk - c:\program\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

HP Digital Imaging Monitor.lnk - c:\program\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]

Personal.lnk - c:\program\Personal\bin\Personal.exe [2009-1-11 910864]

WinZip Quick Pick.lnk - c:\program\WinZip\WZQKPICK.EXE [2009-6-19 525640]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2007-04-19 11:41 294912 ----a-w- c:\program\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program\\uTorrent\\uTorrent.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program\\Spotify\\spotify.exe"=

"c:\\Program\\RagTime 6.5\\Win32\\RagTime 6.5.exe"=

"c:\\Program\\Bonjour\\mDNSResponder.exe"=

"c:\\Program\\iTunes\\iTunes.exe"=

"c:\\Program\\Voddler\\service\\voddler.exe"=

 

R1 SASDIFSV;SASDIFSV;c:\program\SUPERAntiSpyware\sasdifsv.sys [10/10/2006 12:53 5632]

R1 SASKUTIL;SASKUTIL;c:\program\SUPERAntiSpyware\SASKUTIL.SYS [27/02/2007 11:39 32256]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program\Avira\AntiVir Desktop\sched.exe [20/09/2009 07:29 108289]

R2 PWSYSDRV;PWSYSDRV;c:\windows\system32\drivers\pwsysdrv.sys [12/10/2006 17:08 17072]

R2 VoddlerNet;VoddlerNet;c:\program\Voddler\service\voddler.exe [26/01/2010 14:42 1235664]

R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [01/01/2005 20:20 2799488]

R3 SASENUM;SASENUM;c:\program\SUPERAntiSpyware\SASENUM.SYS [16/02/2006 16:51 4096]

S2 Automatisk LiveUpdate-schemaläggare;Automatisk LiveUpdate-schemaläggare;"c:\program\Symantec\LiveUpdate\ALUSchedulerSvc.exe" --> c:\program\Symantec\LiveUpdate\ALUSchedulerSvc.exe [?]

S2 gupdate;Tjänsten Google Update (gupdate);c:\program\Google\Update\GoogleUpdate.exe [05/01/2010 13:52 135664]

S3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [01/01/2005 20:19 468768]

.

Innehållet i mappen 'Schemalagda aktiviteter':

 

2010-01-05 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program\Apple Software Update\SoftwareUpdate.exe [2008-04-11 10:34]

 

2010-02-13 c:\windows\Tasks\Google Software Updater.job

- c:\program\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-24 18:46]

 

2010-02-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program\Google\Update\GoogleUpdate.exe [2010-01-05 12:52]

 

2010-02-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program\Google\Update\GoogleUpdate.exe [2010-01-05 12:52]

.

.

------- Extra genomsökning -------

.

uStart Page = hxxp://www.newsnow.co.uk/newsfeed/?name=Liverpool

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xportera till Microsoft Excel - c:\program\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxps://solid.seb.se/eRoomSetup/,DanaInfo=SEB-eRoom.sebank.se,SSL,CT=java+client.cab

DPF: {D9CDEFE3-51BB-4737-A12C-53D9814A148C} - hxxps://solid.seb.se/exchweb/controls/,DanaInfo=skcc020a.sebank.se,CT=java+DAX.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab

.

- - - - FÖRÄLDRALÖSA POSTER SOM TAGITS BORT - - - -

 

AddRemove-Pdf995 - c:\program\pdf995\setup.exe

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-14 00:01

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLer som "laddats" under processer som körs ---------------------

 

- - - - - - - > 'winlogon.exe'(680)

c:\program\SUPERAntiSpyware\SASWINLO.dll

.

Sluttid: 2010-02-14 00:02:50

ComboFix-quarantined-files.txt 2010-02-13 23:02

 

Före genomsökningen: 160,364,404,736 byte ledigt

Efter genomsökningen: 160,563,081,216 byte ledigt

 

- - End Of File - - E9F823CA9AD21F9438EA4A31B4E2B1DE


If you haven't restarted the computer since you ran ComboFix, do so. Then scan the computer with MBAM (update it first, of course). If anything is found, paste the log.

See whether you can now check the file c:\windows\system32\cmpropsj.dll on the VirusTotal site.

If MBAM doesn't find anything, do the following:

Save Gmer to the Desktop from:

http://www2.gmer.net/download.php

Unpack the file to the Desktop.

Unplug the internet connection.

Close all programs, including antivirus and firewall.

Start the program gmer.exe.

If a question about "scan" appears, choose No. Save the log and paste it into your reply. Do nothing more.

If the question doesn't appear, select the Rootkit/Malware tab, check that everything on the right is ticked except Show All and any partitions other than C:. Press Scan. Leave the computer alone while Gmer is running.

Press Save and save the result to the Desktop.

Turn the antivirus and firewall back on before you connect to the internet.

Paste the result into your reply.

 

 

How long should Gmer take? I have been running it for about 7 hours. It looked like it was done and I tried to save it, but then nothing happens.


That sounds rather too long.

Try this rootkit scan instead.

Save this file to the Desktop:

http://rootrepeal.googlepages.com/RootRepeal.zip

Unpack (extract) the zip file so that you get a program file.

Unplug the internet connection. Shut down all programs you see, including firewall, antivirus and anti-spyware programs.

How? See http://www.bleepingcomputer.com/forums/topic114351.html

Start RootRepeal (in Vista and Windows 7 as usual by right-clicking the icon and choosing Run as administrator).

Select the Report tab and press Scan.

Tick all seven options and then press Yes.

Select C: and press Ok.

It takes a while for RootRepeal to scan C:.

When the scan is done, press Save Report and save it with the name rootrepeal.log. Paste the contents of rootrepeal.log into your reply.

This one went faster.

 

The log:

 

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2010/02/14 17:40

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

 

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xB61FF000 Size: 98304 File Visible: No Signed: -

Status: -

 

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xBAE4A000 Size: 8192 File Visible: No Signed: -

Status: -

 

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xB44FA000 Size: 49152 File Visible: No Signed: -

Status: -

 

Hidden/Locked Files

-------------------

Path: C:\hiberfil.sys

Status: Locked to the Windows API!

 

Path: c:\windows\temp\sqlite_6fgy8ympyv0mmyq

Status: Allocation size mismatch (API: 4096, Raw: 0)

 

Path: c:\windows\temp\sqlite_9yg39u4ohzl8udt

Status: Allocation size mismatch (API: 4096, Raw: 0)

 

Path: c:\windows\temp\sqlite_i6bymnkun1tywmz

Status: Allocation size mismatch (API: 4096, Raw: 0)

 

SSDT

-------------------

#: 041 Function Name: NtCreateKey

Status: Hooked by "<unknown>" at address 0xbaec2e56

 

#: 053 Function Name: NtCreateThread

Status: Hooked by "<unknown>" at address 0xbaec2e4c

 

#: 063 Function Name: NtDeleteKey

Status: Hooked by "<unknown>" at address 0xbaec2e5b

 

#: 065 Function Name: NtDeleteValueKey

Status: Hooked by "<unknown>" at address 0xbaec2e65

 

#: 098 Function Name: NtLoadKey

Status: Hooked by "<unknown>" at address 0xbaec2e6a

 

#: 122 Function Name: NtOpenProcess

Status: Hooked by "<unknown>" at address 0xbaec2e38

 

#: 128 Function Name: NtOpenThread

Status: Hooked by "<unknown>" at address 0xbaec2e3d

 

#: 193 Function Name: NtReplaceKey

Status: Hooked by "<unknown>" at address 0xbaec2e74

 

#: 204 Function Name: NtRestoreKey

Status: Hooked by "<unknown>" at address 0xbaec2e6f

 

#: 247 Function Name: NtSetValueKey

Status: Hooked by "<unknown>" at address 0xbaec2e60

 

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "<unknown>" at address 0xbaec2e47

 

==EOF==


Nothing there.

Copy all the lines in the box (use "select code")

[KOD]

Fcopy::

c:\windows\system32\cmpropsj.dll | c:\cmpropsj.dll.bad

[/KOD]

and paste them into Notepad.

Save the file to the Desktop with the name CFScript.

Prepare the computer the same way as before for ComboFix.

Drag CFScript with the mouse and drop it onto the ComboFix icon on the Desktop; the program then starts in a special mode.

Paste the log that comes out.

Check the file c:\cmpropsj.dll.bad on the VirusTotal site.


Don't know if I succeeded with the CFScript. Couldn't find any "select code".

Regarding the file c:\cmpropsj.dll.bad, I can't find it. I ran the usual one (c:\windows\system32\cmpropsj.dll) and there was nothing there.

Here is the log:

 

 

 

ComboFix 10-02-12.01 - HP_Ägaren 14/02/2010 20:14:42.15.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.2046.1456 [GMT 1:00]

Körs från: c:\documents and settings\HP_Ägaren\Skrivbord\ComboFix.exe

Använda kommandoväxlar :: c:\documents and settings\HP_Ägaren\Skrivbord\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

 

(((((((((((((((((((((((( Filer Skapade från 2010-01-14 till 2010-02-14 ))))))))))))))))))))))))))))))

.

 

2010-02-09 15:50 . 2010-02-09 15:50 11591888 ----a-w- c:\documents and settings\All Users\Application Data\Voddler\VoddlerPlayer.exe

2010-01-31 07:57 . 2010-01-31 07:57 119808 --sha-r- c:\windows\system32\cmpropsj.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-14 09:17 . 2009-11-13 17:27 520340 ----a-w- c:\documents and settings\All Users\Application Data\Voddler\Uninstall.exe

2010-02-14 08:58 . 2009-01-02 09:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-02-13 12:17 . 2009-01-06 16:13 -------- d-----w- c:\program\Malwarebytes' Anti-Malware

2010-02-13 09:59 . 2005-01-01 19:48 -------- d-----w- c:\program\Google

2010-02-11 18:16 . 2009-09-12 05:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-02-11 17:27 . 2007-10-08 20:23 -------- d-----w- c:\program\SUPERAntiSpyware

2010-01-30 14:19 . 2006-10-15 15:07 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser

2010-01-07 15:07 . 2009-01-06 16:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 15:07 . 2009-01-06 16:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-31 16:50 . 2004-08-04 04:00 353792 ------w- c:\windows\system32\drivers\srv.sys

2009-12-27 10:49 . 2009-12-03 17:16 -------- d-----w- c:\program\iTunes

2009-12-21 19:09 . 2004-08-04 04:00 916480 ------w- c:\windows\system32\wininet.dll

2009-12-18 16:20 . 2009-11-13 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Voddler

2009-12-17 11:39 . 2009-12-17 11:39 499712 ----a-w- c:\documents and settings\All Users\Application Data\Voddler\MSVCP71.DLL

2009-12-17 11:39 . 2009-12-17 11:39 348160 ----a-w- c:\documents and settings\All Users\Application Data\Voddler\msvcr71.dll

2009-12-17 11:39 . 2009-12-17 11:39 339968 ----a-w- c:\documents and settings\All Users\Application Data\Voddler\SDL.dll

2009-12-17 11:39 . 2009-12-17 11:39 212992 ----a-w- c:\documents and settings\All Users\Application Data\Voddler\glew32.dll

2009-12-17 07:42 . 2004-08-04 04:00 343552 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:10 . 2004-08-04 04:00 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-10 18:24 . 2005-12-04 20:48 64822 ----a-w- c:\windows\system32\perfc01D.dat

2009-12-10 18:24 . 2005-12-04 20:48 387910 ----a-w- c:\windows\system32\perfh01D.dat

2009-12-09 10:11 . 2004-08-04 04:00 2146304 ------w- c:\windows\system32\ntoskrnl.exe

2009-12-09 10:11 . 2004-08-04 04:00 2024960 ------w- c:\windows\system32\ntkrnlpa.exe

2009-12-07 18:26 . 2009-09-20 06:29 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-12-04 18:22 . 2004-08-04 04:00 455424 ------w- c:\windows\system32\drivers\mrxsmb.sys

2009-12-03 17:11 . 2009-12-03 17:11 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe

2009-12-03 17:07 . 2009-12-03 17:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe

2009-11-27 17:14 . 2004-08-04 04:00 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 17:14 . 2004-08-04 04:00 1293824 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 16:10 . 2004-08-04 04:00 8704 ----a-w- c:\windows\system32\tsbyuv.dll

2009-11-27 16:10 . 2004-08-04 04:00 85504 ----a-w- c:\windows\system32\avifil32.dll

2009-11-27 16:10 . 2004-08-04 04:00 48128 ----a-w- c:\windows\system32\iyuv_32.dll

2009-11-27 16:10 . 2004-08-04 04:00 28672 ----a-w- c:\windows\system32\msvidc32.dll

2009-11-27 16:10 . 2004-08-04 04:00 11264 ----a-w- c:\windows\system32\msrle32.dll

2009-11-21 16:03 . 2004-08-04 04:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll

2006-08-13 20:19 . 2006-08-13 20:19 22 --sha-w- c:\windows\SMINST\HPCD.sys

.

 

((((((((((((((((((((((((((((( SnapShot@2010-02-13_23.01.13 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-02-14 16:34 . 2010-02-14 16:34 16384 c:\windows\Temp\Perflib_Perfdata_910.dat

+ 2008-10-16 07:12 . 2009-12-09 10:11 2189952 c:\windows\system32\dllcache\ntoskrnl.exe

- 2008-10-16 07:12 . 2009-08-04 20:59 2189952 c:\windows\system32\dllcache\ntoskrnl.exe

+ 2008-10-16 07:12 . 2009-12-09 10:11 2024960 c:\windows\system32\dllcache\ntkrpamp.exe

- 2008-10-16 07:12 . 2009-08-04 17:29 2024960 c:\windows\system32\dllcache\ntkrpamp.exe

- 2008-10-16 07:12 . 2009-08-04 17:29 2066816 c:\windows\system32\dllcache\ntkrnlpa.exe

+ 2008-10-16 07:12 . 2009-12-09 10:11 2066816 c:\windows\system32\dllcache\ntkrnlpa.exe

+ 2008-10-16 07:12 . 2009-12-09 10:11 2146304 c:\windows\system32\dllcache\ntkrnlmp.exe

- 2008-10-16 07:12 . 2009-08-04 17:29 2146304 c:\windows\system32\dllcache\ntkrnlmp.exe

- 2008-10-16 07:12 . 2009-08-04 20:59 2189952 c:\windows\Driver Cache\i386\ntoskrnl.exe

+ 2008-10-16 07:12 . 2009-12-09 10:11 2189952 c:\windows\Driver Cache\i386\ntoskrnl.exe

+ 2008-10-16 07:12 . 2009-12-09 10:11 2024960 c:\windows\Driver Cache\i386\ntkrpamp.exe

- 2008-10-16 07:12 . 2009-08-04 17:29 2024960 c:\windows\Driver Cache\i386\ntkrpamp.exe

- 2008-10-16 07:12 . 2009-08-04 17:29 2066816 c:\windows\Driver Cache\i386\ntkrnlpa.exe

+ 2008-10-16 07:12 . 2009-12-09 10:11 2066816 c:\windows\Driver Cache\i386\ntkrnlpa.exe

+ 2008-10-16 07:12 . 2009-12-09 10:11 2146304 c:\windows\Driver Cache\i386\ntkrnlmp.exe

- 2008-10-16 07:12 . 2009-08-04 17:29 2146304 c:\windows\Driver Cache\i386\ntkrnlmp.exe

.

(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Not* Tomma poster & legitima standardposter visas inte.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"updateMgr"="c:\program\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"SUPERAntiSpyware"="c:\program\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 1318912]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ftutil2"="ftutil2.dll" [2004-06-07 106496]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]

"nwiz"="nwiz.exe" [2006-10-31 1622016]

"CTDVDDET"="c:\program\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]

"VolPanel"="c:\program\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-07-11 122880]

"AudioDrvEmulator"="c:\program\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 49152]

"CTHelper"="CTHELPER.EXE" [2005-08-08 16384]

"CTxfiHlp"="CTXFIHLP.EXE" [2005-08-08 18944]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"HPHUPD08"="c:\program\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]

"PCMService"="c:\program\CyberLink\PowerCinema\PCMService.exe" [2006-02-24 147456]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]

"HPBootOp"="c:\program\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 249856]

"HP Software Update"="c:\program\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]

"TkBellExe"="c:\program\Delade filer\Real\Update_OB\realsched.exe" [2005-01-01 180269]

"Net iD"="c:\windows\system32\iid.exe" [2008-02-22 74992]

"avgnt"="c:\program\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"AppleSyncNotifier"="c:\program\Delade filer\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]

"VoddlerNet Manager"="c:\program\Voddler\service\VNetManager.exe" [2010-02-09 573640]

"QuickTime Task"="c:\program\QuickTime\qttask.exe" [2009-11-10 417792]

"iTunesHelper"="c:\program\iTunes\iTunesHelper.exe" [2009-11-12 141600]

 

c:\documents and settings\HP_Ägaren\Start-meny\Program\Autostart\

Monitor My eRooms (V7).lnk - c:\program\eRoom 7\ERClient7.exe [2009-1-21 153096]

 

c:\documents and settings\All Users\Start-meny\Program\Autostart\

Adobe Reader Speed Launch.lnk - c:\program\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

HP Digital Imaging Monitor.lnk - c:\program\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]

Personal.lnk - c:\program\Personal\bin\Personal.exe [2009-1-11 910864]

WinZip Quick Pick.lnk - c:\program\WinZip\WZQKPICK.EXE [2009-6-19 525640]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2007-04-19 11:41 294912 ----a-w- c:\program\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program\\uTorrent\\uTorrent.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program\\Spotify\\spotify.exe"=

"c:\\Program\\RagTime 6.5\\Win32\\RagTime 6.5.exe"=

"c:\\Program\\Bonjour\\mDNSResponder.exe"=

"c:\\Program\\iTunes\\iTunes.exe"=

"c:\\Program\\Voddler\\service\\voddler.exe"=

 

R1 SASDIFSV;SASDIFSV;c:\program\SUPERAntiSpyware\sasdifsv.sys [10/10/2006 12:53 5632]

R1 SASKUTIL;SASKUTIL;c:\program\SUPERAntiSpyware\SASKUTIL.SYS [27/02/2007 11:39 32256]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program\Avira\AntiVir Desktop\sched.exe [20/09/2009 07:29 108289]

R2 PWSYSDRV;PWSYSDRV;c:\windows\system32\drivers\pwsysdrv.sys [12/10/2006 17:08 17072]

R2 VoddlerNet;VoddlerNet;c:\program\Voddler\service\voddler.exe [09/02/2010 16:51 1235664]

R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [01/01/2005 20:20 2799488]

R3 SASENUM;SASENUM;c:\program\SUPERAntiSpyware\SASENUM.SYS [16/02/2006 16:51 4096]

S2 Automatisk LiveUpdate-schemaläggare;Automatisk LiveUpdate-schemaläggare;"c:\program\Symantec\LiveUpdate\ALUSchedulerSvc.exe" --> c:\program\Symantec\LiveUpdate\ALUSchedulerSvc.exe [?]

S2 gupdate;Tjänsten Google Update (gupdate);c:\program\Google\Update\GoogleUpdate.exe [05/01/2010 13:52 135664]

S3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [01/01/2005 20:19 468768]

.

Innehållet i mappen 'Schemalagda aktiviteter':

 

2010-01-05 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program\Apple Software Update\SoftwareUpdate.exe [2008-04-11 10:34]

 

2010-02-14 c:\windows\Tasks\Google Software Updater.job

- c:\program\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-24 18:46]

 

2010-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program\Google\Update\GoogleUpdate.exe [2010-01-05 12:52]

 

2010-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program\Google\Update\GoogleUpdate.exe [2010-01-05 12:52]

.

.

------- Extra genomsökning -------

.

uStart Page = hxxp://www.newsnow.co.uk/newsfeed/?name=Liverpool

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xportera till Microsoft Excel - c:\program\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxps://solid.seb.se/eRoomSetup/,DanaInfo=SEB-eRoom.sebank.se,SSL,CT=java+client.cab

DPF: {D9CDEFE3-51BB-4737-A12C-53D9814A148C} - hxxps://solid.seb.se/exchweb/controls/,DanaInfo=skcc020a.sebank.se,CT=java+DAX.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-14 20:17

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLer som "laddats" under processer som körs ---------------------

 

- - - - - - - > 'winlogon.exe'(688)

c:\program\SUPERAntiSpyware\SASWINLO.dll

 

- - - - - - - > 'explorer.exe'(1868)

c:\windows\system32\nview.dll

c:\windows\system32\NVWRSENG.DLL

c:\windows\system32\nvwddi.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Sluttid: 2010-02-14 20:19:23

ComboFix-quarantined-files.txt 2010-02-14 19:19

ComboFix2.txt 2010-02-13 23:02

 

Före genomsökningen: 160,376,606,720 byte ledigt

Efter genomsökningen: 160,393,224,192 byte ledigt

 

- - End Of File - - 90AD12E42EF6C8F0B5E9B960ABBEDF7F


cmpropsj.dll is not a normal Windows file, whereas cmprops.dll is a normal file.

Sorry, that was the instruction for the old forum. See if this works better.

Copy all the lines in the box:

[kod]

Fcopy::

c:\windows\system32\cmpropsj.dll | c:\cmpropsj.dll.bad

[/kod]

and paste them into Notepad.

Save the file to the Desktop with the name CFScript.

Prepare the computer the same way as before for ComboFix.

Drag CFScript with the mouse and drop it onto the ComboFix icon on the Desktop; the program then starts in a special mode.

Paste the log that comes out.

The above means that the hidden file:

2010-01-31 07:57 . 2010-01-31 07:57 119808 --sha-r- c:\windows\system32\cmpropsj.dll

is copied so that you can get at it.

To be safe, set up My Computer/Explorer so that you can see all files:

Tools - Folder Options - View

Select Show hidden files and folders

Untick Hide extensions for known file types

Untick Hide protected operating system files
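As an added example (not part of the thread and not ComboFix's own code), here is a small Python triage script that applies the helper's reasoning to ComboFix log lines: it flags a system32 file carrying the system+hidden attributes, a name one character away from a genuine Windows file name (cmpropsj.dll versus cmprops.dll), and a user ProxyServer entry pointing at 127.0.0.1 like the one in the "Extra genomsökning" section. The known-good name list is a tiny constructed stand-in for a real inventory, and the sample log is constructed from lines quoted in this thread.

```python
"""Triage of ComboFix log lines: an added example, not ComboFix's own code.

Three checks drawn from the thread above:
  * a file under c:\\windows\\system32 carrying the system+hidden attributes
  * a file name one edit away from a genuine Windows file (cmpropsj.dll vs cmprops.dll)
  * a user ProxyServer entry that points at the loopback address
"""
import re
from dataclasses import dataclass

# One ComboFix file line looks like (two timestamps, size, attrs, path):
# 2010-01-31 07:57 . 2010-01-31 07:57 119808 --sha-r- c:\windows\system32\cmpropsj.dll
# SnapShot lines ("+ date . date size path") carry no attrs and are skipped.
FILE_LINE = re.compile(
    r"^[+-]?\s*(?P<date1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<date2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# "Extra genomsökning" entry such as: uInternet Settings,ProxyServer = http=127.0.0.1:5555
PROXY_LINE = re.compile(r"ProxyServer\s*=\s*(\S+)")

# Constructed stand-in for a real known-good inventory of system32 file names.
# In practice this would be the full list from a clean install of the same build.
KNOWN_SYSTEM32 = {
    "cmprops.dll", "csrsrv.dll", "wininet.dll", "quartz.dll", "msrle32.dll",
    "mspaint.exe", "msyuv.dll", "avifil32.dll", "msvidc32.dll",
}


@dataclass
class Finding:
    rule: str
    detail: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str):
    """Return the known-good name that `name` imitates, or None."""
    name = name.lower()
    if name in KNOWN_SYSTEM32:
        return None
    for good in sorted(KNOWN_SYSTEM32):
        if edit_distance(name, good) == 1:
            return good
    return None


def triage(log_text: str) -> list:
    """Run the three checks over every line of a ComboFix log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            path = m.group("path").lower()
            attrs = m.group("attrs")
            name = path.rsplit("\\", 1)[-1]
            in_system32 = "\\windows\\system32\\" in path
            # 's' and 'h' in the attribute string mean system + hidden; directories are skipped.
            if in_system32 and not attrs.startswith("d") and "s" in attrs and "h" in attrs:
                findings.append(Finding(
                    "hidden-system-file", f"{path} attrs={attrs} size={m.group('size')}"
                ))
            good = lookalike_of(name)
            if in_system32 and good:
                findings.append(Finding("lookalike-name", f"{name} resembles {good} ({path})"))
            continue
        pm = PROXY_LINE.search(line)
        if pm:
            value = pm.group(1)
            # A browser proxy on the loopback address is worth reviewing when browsing is broken.
            if "127.0.0.1" in value or "localhost" in value.lower():
                findings.append(Finding("loopback-proxy", value))
    return findings


# Constructed sample: a handful of lines copied from the logs quoted in this thread.
SAMPLE_LOG = r"""
2010-02-09 15:50 . 2010-02-09 15:50 11591888 ----a-w- c:\documents and settings\All Users\Application Data\Voddler\VoddlerPlayer.exe
2010-01-31 07:57 . 2010-01-31 07:57 119808 --sha-r- c:\windows\system32\cmpropsj.dll
2009-12-14 07:10 . 2004-08-04 04:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2006-08-13 20:19 . 2006-08-13 20:19 22 --sha-w- c:\windows\SMINST\HPCD.sys
2009-12-27 10:49 . 2009-12-03 17:16 -------- d-----w- c:\program\iTunes
+ 2010-02-14 16:34 . 2010-02-14 16:34 16384 c:\windows\Temp\Perflib_Perfdata_910.dat
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}")
```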

 

hmm, I can see cmpropsj.dll, it seems to be hidden. But VirusTotal finds nothing; did I fail with the script? I copied all of this:

 

[kod]

Fcopy::

c:\windows\system32\cmpropsj.dll | c:\cmpropsj.dll.bad

[/kod]

 

the log

 

 

ComboFix 10-02-12.01 - HP_Ägaren 14/02/2010 21:32:22.16.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.2046.1422 [GMT 1:00]

Körs från: c:\documents and settings\HP_Ägaren\Skrivbord\ComboFix.exe

Använda kommandoväxlar :: c:\documents and settings\HP_Ägaren\Skrivbord\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

 

(((((((((((((((((((((((( Filer Skapade från 2010-01-14 till 2010-02-14 ))))))))))))))))))))))))))))))

.

 

2010-02-09 15:50 . 2010-02-09 15:50 11591888 ----a-w- c:\documents and settings\All Users\Application Data\Voddler\VoddlerPlayer.exe

2010-01-31 07:57 . 2010-01-31 07:57 119808 --sha-r- c:\windows\system32\cmpropsj.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-14 09:17 . 2009-11-13 17:27 520340 ----a-w- c:\documents and settings\All Users\Application Data\Voddler\Uninstall.exe

2010-02-14 08:58 . 2009-01-02 09:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-02-13 12:17 . 2009-01-06 16:13 -------- d-----w- c:\program\Malwarebytes' Anti-Malware

2010-02-13 09:59 . 2005-01-01 19:48 -------- d-----w- c:\program\Google

2010-02-11 18:16 . 2009-09-12 05:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-02-11 17:27 . 2007-10-08 20:23 -------- d-----w- c:\program\SUPERAntiSpyware

2010-01-30 14:19 . 2006-10-15 15:07 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser

2010-01-07 15:07 . 2009-01-06 16:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 15:07 . 2009-01-06 16:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-31 16:50 . 2004-08-04 04:00 353792 ------w- c:\windows\system32\drivers\srv.sys

2009-12-27 10:49 . 2009-12-03 17:16 -------- d-----w- c:\program\iTunes

2009-12-21 19:09 . 2004-08-04 04:00 916480 ------w- c:\windows\system32\wininet.dll

2009-12-18 16:20 . 2009-11-13 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Voddler

2009-12-17 11:39 . 2009-12-17 11:39 499712 ----a-w- c:\documents and settings\All Users\Application Data\Voddler\MSVCP71.DLL

2009-12-17 11:39 . 2009-12-17 11:39 348160 ----a-w- c:\documents and settings\All Users\Application Data\Voddler\msvcr71.dll

2009-12-17 11:39 . 2009-12-17 11:39 339968 ----a-w- c:\documents and settings\All Users\Application Data\Voddler\SDL.dll

2009-12-17 11:39 . 2009-12-17 11:39 212992 ----a-w- c:\documents and settings\All Users\Application Data\Voddler\glew32.dll

2009-12-17 07:42 . 2004-08-04 04:00 343552 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:10 . 2004-08-04 04:00 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-10 18:24 . 2005-12-04 20:48 64822 ----a-w- c:\windows\system32\perfc01D.dat

2009-12-10 18:24 . 2005-12-04 20:48 387910 ----a-w- c:\windows\system32\perfh01D.dat

2009-12-09 10:11 . 2004-08-04 04:00 2146304 ------w- c:\windows\system32\ntoskrnl.exe

2009-12-09 10:11 . 2004-08-04 04:00 2024960 ------w- c:\windows\system32\ntkrnlpa.exe

2009-12-07 18:26 . 2009-09-20 06:29 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-12-04 18:22 . 2004-08-04 04:00 455424 ------w- c:\windows\system32\drivers\mrxsmb.sys

2009-12-03 17:11 . 2009-12-03 17:11 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe

2009-12-03 17:07 . 2009-12-03 17:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe

2009-11-27 17:14 . 2004-08-04 04:00 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 17:14 . 2004-08-04 04:00 1293824 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 16:10 . 2004-08-04 04:00 8704 ----a-w- c:\windows\system32\tsbyuv.dll

2009-11-27 16:10 . 2004-08-04 04:00 85504 ----a-w- c:\windows\system32\avifil32.dll

2009-11-27 16:10 . 2004-08-04 04:00 48128 ----a-w- c:\windows\system32\iyuv_32.dll

2009-11-27 16:10 . 2004-08-04 04:00 28672 ----a-w- c:\windows\system32\msvidc32.dll

2009-11-27 16:10 . 2004-08-04 04:00 11264 ----a-w- c:\windows\system32\msrle32.dll

2009-11-21 16:03 . 2004-08-04 04:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll

2006-08-13 20:19 . 2006-08-13 20:19 22 --sha-w- c:\windows\SMINST\HPCD.sys

.

 

((((((((((((((((((((((((((((( SnapShot@2010-02-13_23.01.13 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-02-14 16:34 . 2010-02-14 16:34 16384 c:\windows\Temp\Perflib_Perfdata_910.dat

+ 2008-10-16 07:12 . 2009-12-09 10:11 2189952 c:\windows\system32\dllcache\ntoskrnl.exe

- 2008-10-16 07:12 . 2009-08-04 20:59 2189952 c:\windows\system32\dllcache\ntoskrnl.exe

+ 2008-10-16 07:12 . 2009-12-09 10:11 2024960 c:\windows\system32\dllcache\ntkrpamp.exe

- 2008-10-16 07:12 . 2009-08-04 17:29 2024960 c:\windows\system32\dllcache\ntkrpamp.exe

- 2008-10-16 07:12 . 2009-08-04 17:29 2066816 c:\windows\system32\dllcache\ntkrnlpa.exe

+ 2008-10-16 07:12 . 2009-12-09 10:11 2066816 c:\windows\system32\dllcache\ntkrnlpa.exe

+ 2008-10-16 07:12 . 2009-12-09 10:11 2146304 c:\windows\system32\dllcache\ntkrnlmp.exe

- 2008-10-16 07:12 . 2009-08-04 17:29 2146304 c:\windows\system32\dllcache\ntkrnlmp.exe

- 2008-10-16 07:12 . 2009-08-04 20:59 2189952 c:\windows\Driver Cache\i386\ntoskrnl.exe

+ 2008-10-16 07:12 . 2009-12-09 10:11 2189952 c:\windows\Driver Cache\i386\ntoskrnl.exe

+ 2008-10-16 07:12 . 2009-12-09 10:11 2024960 c:\windows\Driver Cache\i386\ntkrpamp.exe

- 2008-10-16 07:12 . 2009-08-04 17:29 2024960 c:\windows\Driver Cache\i386\ntkrpamp.exe

- 2008-10-16 07:12 . 2009-08-04 17:29 2066816 c:\windows\Driver Cache\i386\ntkrnlpa.exe

+ 2008-10-16 07:12 . 2009-12-09 10:11 2066816 c:\windows\Driver Cache\i386\ntkrnlpa.exe

+ 2008-10-16 07:12 . 2009-12-09 10:11 2146304 c:\windows\Driver Cache\i386\ntkrnlmp.exe

- 2008-10-16 07:12 . 2009-08-04 17:29 2146304 c:\windows\Driver Cache\i386\ntkrnlmp.exe

.

(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Not* Tomma poster & legitima standardposter visas inte.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"updateMgr"="c:\program\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"SUPERAntiSpyware"="c:\program\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 1318912]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ftutil2"="ftutil2.dll" [2004-06-07 106496]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]

"nwiz"="nwiz.exe" [2006-10-31 1622016]

"CTDVDDET"="c:\program\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]

"VolPanel"="c:\program\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-07-11 122880]

"AudioDrvEmulator"="c:\program\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 49152]

"CTHelper"="CTHELPER.EXE" [2005-08-08 16384]

"CTxfiHlp"="CTXFIHLP.EXE" [2005-08-08 18944]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"HPHUPD08"="c:\program\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]

"PCMService"="c:\program\CyberLink\PowerCinema\PCMService.exe" [2006-02-24 147456]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]

"HPBootOp"="c:\program\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 249856]

"HP Software Update"="c:\program\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]

"TkBellExe"="c:\program\Delade filer\Real\Update_OB\realsched.exe" [2005-01-01 180269]

"Net iD"="c:\windows\system32\iid.exe" [2008-02-22 74992]

"avgnt"="c:\program\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"AppleSyncNotifier"="c:\program\Delade filer\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]

"VoddlerNet Manager"="c:\program\Voddler\service\VNetManager.exe" [2010-02-09 573640]

"QuickTime Task"="c:\program\QuickTime\qttask.exe" [2009-11-10 417792]

"iTunesHelper"="c:\program\iTunes\iTunesHelper.exe" [2009-11-12 141600]

 

c:\documents and settings\HP_Žgaren\Start-meny\Program\Autostart\

Monitor My eRooms (V7).lnk - c:\program\eRoom 7\ERClient7.exe [2009-1-21 153096]

 

c:\documents and settings\All Users\Start-meny\Program\Autostart\

Adobe Reader Speed Launch.lnk - c:\program\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

HP Digital Imaging Monitor.lnk - c:\program\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]

Personal.lnk - c:\program\Personal\bin\Personal.exe [2009-1-11 910864]

WinZip Quick Pick.lnk - c:\program\WinZip\WZQKPICK.EXE [2009-6-19 525640]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2007-04-19 11:41 294912 ----a-w- c:\program\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program\\uTorrent\\uTorrent.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program\\Spotify\\spotify.exe"=

"c:\\Program\\RagTime 6.5\\Win32\\RagTime 6.5.exe"=

"c:\\Program\\Bonjour\\mDNSResponder.exe"=

"c:\\Program\\iTunes\\iTunes.exe"=

"c:\\Program\\Voddler\\service\\voddler.exe"=

 

R1 SASDIFSV;SASDIFSV;c:\program\SUPERAntiSpyware\sasdifsv.sys [10/10/2006 12:53 5632]

R1 SASKUTIL;SASKUTIL;c:\program\SUPERAntiSpyware\SASKUTIL.SYS [27/02/2007 11:39 32256]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program\Avira\AntiVir Desktop\sched.exe [20/09/2009 07:29 108289]

R2 PWSYSDRV;PWSYSDRV;c:\windows\system32\drivers\pwsysdrv.sys [12/10/2006 17:08 17072]

R2 VoddlerNet;VoddlerNet;c:\program\Voddler\service\voddler.exe [09/02/2010 16:51 1235664]

R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [01/01/2005 20:20 2799488]

R3 SASENUM;SASENUM;c:\program\SUPERAntiSpyware\SASENUM.SYS [16/02/2006 16:51 4096]

S2 Automatisk LiveUpdate-schemaläggare;Automatisk LiveUpdate-schemaläggare;"c:\program\Symantec\LiveUpdate\ALUSchedulerSvc.exe" --> c:\program\Symantec\LiveUpdate\ALUSchedulerSvc.exe [?]

S2 gupdate;Tjänsten Google Update (gupdate);c:\program\Google\Update\GoogleUpdate.exe [05/01/2010 13:52 135664]

S3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [01/01/2005 20:19 468768]

.

Innehållet i mappen 'Schemalagda aktiviteter':

 

2010-01-05 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program\Apple Software Update\SoftwareUpdate.exe [2008-04-11 10:34]

 

2010-02-14 c:\windows\Tasks\Google Software Updater.job

- c:\program\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-24 18:46]

 

2010-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program\Google\Update\GoogleUpdate.exe [2010-01-05 12:52]

 

2010-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program\Google\Update\GoogleUpdate.exe [2010-01-05 12:52]

.

.

------- Extra genomsökning -------

.

uStart Page = hxxp://www.newsnow.co.uk/newsfeed/?name=Liverpool

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xportera till Microsoft Excel - c:\program\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxps://solid.seb.se/eRoomSetup/,DanaInfo=SEB-eRoom.sebank.se,SSL,CT=java+client.cab

DPF: {D9CDEFE3-51BB-4737-A12C-53D9814A148C} - hxxps://solid.seb.se/exchweb/controls/,DanaInfo=skcc020a.sebank.se,CT=java+DAX.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab

.

 

**************************************************************************

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files:

 

**************************************************************************

.

--------------------- DLLer som "laddats" under processer som körs ---------------------

 

- - - - - - - > 'winlogon.exe'(688)

c:\program\SUPERAntiSpyware\SASWINLO.dll

 

- - - - - - - > 'explorer.exe'(408)

c:\windows\system32\nview.dll

c:\windows\system32\NVWRSENG.DLL

c:\windows\system32\nvwddi.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Sluttid: 2010-02-14 21:35:26

ComboFix-quarantined-files.txt 2010-02-14 20:35

ComboFix2.txt 2010-02-14 19:19

ComboFix3.txt 2010-02-13 23:02

 

Före genomsökningen: 160,409,370,624 byte ledigt

Efter genomsökningen: 160,389,517,312 byte ledigt

 

- - End Of File - - 87C6EF2B41928F9180CB28BA1B74DF8C
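The two indicators the helper is working from in this thread can be pulled out of a ComboFix log mechanically: a file in system32 carrying both the system and hidden attributes (the --sha-r- entry for cmpropsj.dll, which Explorer hides by default and which the user could not copy), and a per-user ProxyServer setting that points at the loopback address (http=127.0.0.1:5555), which stops every browser the moment nothing is listening on that port. The Python script below is an added example, not code from this thread, from the helper or from ComboFix. It runs over a constructed subset of the log above; the interpretation of the attribute column (leading d for directory, s/h/a flags, r or w) is an assumption drawn from the entries visible in the log.

```python
"""Offline triage of ComboFix log lines (added example; not ComboFix's own code).

Flags two patterns from this thread:
  * non-directory entries with both the system and hidden attributes, and
    specifically such files dropped straight into system32;
  * a user-level proxy setting that points at a loopback address.
The attribute column layout (d, s, h, a, r/w) is assumed from the entries seen.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: a constructed subset of the thread's ComboFix output.
SAMPLE_LOG = r"""
2010-02-09 15:50 . 2010-02-09 15:50 11591888 ----a-w- c:\documents and settings\All Users\Application Data\Voddler\VoddlerPlayer.exe
2010-01-31 07:57 . 2010-01-31 07:57 119808 --sha-r- c:\windows\system32\cmpropsj.dll
2010-02-14 08:58 . 2009-01-02 09:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-31 16:50 . 2004-08-04 04:00 353792 ------w- c:\windows\system32\drivers\srv.sys
2006-08-13 20:19 . 2006-08-13 20:19 22 --sha-w- c:\windows\SMINST\HPCD.sys
uStart Page = hxxp://www.newsnow.co.uk/newsfeed/?name=Liverpool
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
"""

# One entry from the "Files created" / "Find3M" sections:
#   <created> . <modified> <size or --------> <attrs> <path>
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-dshawrc]{8}) (?P<path>\S.*)$"
)
# Per-user proxy line from the "Extra scan" section.
PROXY_LINE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>\S+)\s*$", re.M)
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


@dataclass
class FileEntry:
    path: str
    size: Optional[int]      # None for directories
    directory: bool
    system: bool
    hidden: bool
    read_only: bool


def parse_file_entries(log_text: str) -> List[FileEntry]:
    """Extract file entries from ComboFix log text; lines of other shapes are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m:
            continue
        attrs = m.group("attrs")
        entries.append(FileEntry(
            path=m.group("path"),
            size=None if m.group("size").startswith("-") else int(m.group("size")),
            directory=attrs[0] == "d",   # assumed: first column is the directory flag
            system="s" in attrs,
            hidden="h" in attrs,
            read_only="r" in attrs,
        ))
    return entries


def hidden_system_files(entries: List[FileEntry]) -> List[FileEntry]:
    """Files (not directories) with both the system and hidden attributes set."""
    return [e for e in entries if not e.directory and e.system and e.hidden]


def suspicious_system32(entries: List[FileEntry]) -> List[FileEntry]:
    """Hidden+system files placed directly under system32, as in this thread."""
    prefix = "c:\\windows\\system32\\"
    return [e for e in hidden_system_files(entries) if e.path.lower().startswith(prefix)]


def loopback_proxies(log_text: str) -> List[str]:
    """Proxy entries (proto=host:port or host:port) whose host is a loopback address."""
    found = []
    for m in PROXY_LINE.finditer(log_text):
        for part in m.group("value").split(";"):
            target = part.split("=", 1)[-1]      # drop a "http=" style prefix if present
            host = target.rsplit(":", 1)[0]      # strip the port
            if host.lower() in LOOPBACK:
                found.append(part)
    return found


def triage(log_text: str) -> dict:
    """Summarise the findings for one log."""
    entries = parse_file_entries(log_text)
    return {
        "entries": len(entries),
        "hidden_system": [e.path for e in hidden_system_files(entries)],
        "suspicious_system32": [e.path for e in suspicious_system32(entries)],
        "loopback_proxy": loopback_proxies(log_text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample above the script reports cmpropsj.dll as the only hidden+system file under system32 (HPCD.sys under SMINST has the same attributes but is an HP recovery component and is reported separately), and lists http=127.0.0.1:5555 as a loopback proxy. Anything it flags still needs the manual follow-up the helper asks for (copying the file out and checking it at VirusTotal); the script only narrows a long log down to the lines worth looking at.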


Good that you can see the file. :)

Can you right-click it and choose Copy? Can you then right-click on the Desktop and choose Paste?

If you now have the copied file on the Desktop, can you upload that copy to VirusTotal?


 

 

Can't copy it. Access denied.

It is read-only, and when I try to change that it is refused.


Now, after ComboFix, do you get an extra menu when you start the computer?

If so, you have two seconds to press the down-arrow key followed by Enter to select a recovery console. Once there, type:

copy c:\windows\system32\cmpropsj.dll c:\cmpropsj.dll.bad

Restart the computer and check c:\cmpropsj.dll.bad.

Whether or not the above worked, save TDSSKiller to the Desktop:

http://support.kaspersky.com/downloads/utils/tdsskiller.zip

Right-click and choose Extract All. Make sure the extraction goes to the Desktop. Alternatively you can use your own program for unpacking zip files; just make sure the file tdsskiller.exe ends up on the Desktop.

Start - Run

Copy the line that is in the box

"%userprofile%\skrivbord\TDSSKiller.exe" -l rapport.txt -v

Open the report file that was created on the Desktop and paste its contents into your reply.


 

VirusTotal:

 

http://www.virustotal.com/analisis/2809c219de2dac421e216aa0e103210a5051609b735e1b3aab0db157ce5a2bd9-1266263829

 

 

the log

 

21:02:08:500 3652 TDSS rootkit removing tool 2.2.3 Feb 4 2010 14:34:00

21:02:08:500 3652 ================================================================================

21:02:08:500 3652 SystemInfo:

 

21:02:08:500 3652 OS Version: 5.1.2600 ServicePack: 3.0

21:02:08:500 3652 Product type: Workstation

21:02:08:500 3652 ComputerName: DITT-34474B0299

21:02:08:500 3652 UserName: HP_Ägaren

21:02:08:500 3652 Windows directory: C:\WINDOWS

21:02:08:500 3652 Processor architecture: Intel x86

21:02:08:500 3652 Number of processors: 2

21:02:08:500 3652 Page size: 0x1000

21:02:08:500 3652 Boot type: Normal boot

21:02:08:500 3652 ================================================================================

21:02:08:515 3652 UnloadDriverW: NtUnloadDriver error 2

21:02:08:515 3652 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2

21:02:08:531 3652 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000

21:02:08:578 3652 UtilityInit: KLMD drop and load success

21:02:08:578 3652 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)

21:02:08:578 3652 UtilityInit: KLMD open success

21:02:08:578 3652 UtilityInit: Initialize success

21:02:08:578 3652

21:02:08:578 3652 Scanning Services ...

21:02:08:578 3652 CreateRegParser: Registry parser init started

21:02:08:578 3652 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127

21:02:08:578 3652 CreateRegParser: DisableWow64Redirection error

21:02:08:578 3652 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system

21:02:08:578 3652 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043

21:02:08:578 3652 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

21:02:08:578 3652 wfopen_ex: Trying to KLMD file open

21:02:08:578 3652 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system

21:02:08:578 3652 wfopen_ex: File opened ok (Flags 2)

21:02:08:578 3652 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 3D4970

21:02:08:578 3652 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software

21:02:08:578 3652 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043

21:02:08:578 3652 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

21:02:08:578 3652 wfopen_ex: Trying to KLMD file open

21:02:08:578 3652 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software

21:02:08:578 3652 wfopen_ex: File opened ok (Flags 2)

21:02:08:578 3652 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 3D4A18

21:02:08:578 3652 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127

21:02:08:578 3652 CreateRegParser: EnableWow64Redirection error

21:02:08:578 3652 CreateRegParser: RegParser init completed

21:02:08:812 3652 GetAdvancedServicesInfo: Raw services enum returned 351 services

21:02:08:828 3652 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system

21:02:08:828 3652 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software

21:02:08:828 3652

21:02:08:828 3652 Scanning Kernel memory ...

21:02:08:828 3652 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk

21:02:08:828 3652 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8A601B78

21:02:08:828 3652 DetectCureTDL3: KLMD_GetDeviceObjectList returned 13 DevObjects

21:02:08:828 3652

21:02:08:828 3652 DetectCureTDL3: DEVICE_OBJECT: 8A35D030

21:02:08:828 3652 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A35D030

21:02:08:828 3652 KLMD_ReadMem: Trying to ReadMemory 0x8A35D030[0x38]

21:02:08:828 3652 DetectCureTDL3: DRIVER_OBJECT: 8A601B78

21:02:08:828 3652 KLMD_ReadMem: Trying to ReadMemory 0x8A601B78[0xA8]

21:02:08:828 3652 KLMD_ReadMem: Trying to ReadMemory 0xE10350E8[0x18]

21:02:08:828 3652 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk

21:02:08:828 3652 DetectCureTDL3: IrpHandler (0) addr: BA8EEBB0

21:02:08:828 3652 DetectCureTDL3: IrpHandler (1) addr: 804F4562

21:02:08:828 3652 DetectCureTDL3: IrpHandler (2) addr: BA8EEBB0

21:02:08:828 3652 DetectCureTDL3: IrpHandler (3) addr: BA8E8D1F

21:02:08:828 3652 DetectCureTDL3: IrpHandler (4) addr: BA8E8D1F

21:02:08:828 3652 DetectCureTDL3: IrpHandler (5) addr: 804F4562

21:02:08:828 3652 DetectCureTDL3: IrpHandler (6) addr: 804F4562

21:02:08:828 3652 DetectCureTDL3: IrpHandler (7) addr: 804F4562

21:02:08:828 3652 DetectCureTDL3: IrpHandler (8) addr: 804F4562

21:02:08:828 3652 DetectCureTDL3: IrpHandler (9) addr: BA8E92E2

21:02:08:828 3652 DetectCureTDL3: IrpHandler (10) addr: 804F4562

21:02:08:828 3652 DetectCureTDL3: IrpHandler (11) addr: 804F4562

21:02:08:828 3652 DetectCureTDL3: IrpHandler (12) addr: 804F4562

21:02:08:828 3652 DetectCureTDL3: IrpHandler (13) addr: 804F4562

21:02:08:828 3652 DetectCureTDL3: IrpHandler (14) addr: BA8E93BB

21:02:08:828 3652 DetectCureTDL3: IrpHandler (15) addr: BA8ECF28

21:02:08:828 3652 DetectCureTDL3: IrpHandler (16) addr: BA8E92E2

21:02:08:828 3652 DetectCureTDL3: IrpHandler (17) addr: 804F4562

21:02:08:828 3652 DetectCureTDL3: IrpHandler (18) addr: 804F4562

21:02:08:828 3652 DetectCureTDL3: IrpHandler (19) addr: 804F4562

21:02:08:828 3652 DetectCureTDL3: IrpHandler (20) addr: 804F4562

21:02:08:828 3652 DetectCureTDL3: IrpHandler (21) addr: 804F4562

21:02:08:828 3652 DetectCureTDL3: IrpHandler (22) addr: BA8EAC82

21:02:08:828 3652 DetectCureTDL3: IrpHandler (23) addr: BA8EF99E

21:02:08:828 3652 DetectCureTDL3: IrpHandler (24) addr: 804F4562

21:02:08:828 3652 DetectCureTDL3: IrpHandler (25) addr: 804F4562

21:02:08:828 3652 DetectCureTDL3: IrpHandler (26) addr: 804F4562

21:02:08:828 3652 TDL3_FileDetect: Processing driver: Disk

21:02:08:828 3652 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys

21:02:08:828 3652 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys

21:02:08:843 3652 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean

21:02:08:843 3652

21:02:08:843 3652 DetectCureTDL3: DEVICE_OBJECT: 88763468

21:02:08:843 3652 KLMD_GetLowerDeviceObject: Trying to get lower device object for 88763468

21:02:08:843 3652 KLMD_ReadMem: Trying to ReadMemory 0x88763468[0x38]

21:02:08:843 3652 DetectCureTDL3: DRIVER_OBJECT: 8A601B78

21:02:08:843 3652 KLMD_ReadMem: Trying to ReadMemory 0x8A601B78[0xA8]

21:02:08:843 3652 KLMD_ReadMem: Trying to ReadMemory 0xE10350E8[0x18]

21:02:08:843 3652 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk

21:02:08:843 3652 DetectCureTDL3: IrpHandler (0) addr: BA8EEBB0

21:02:08:843 3652 DetectCureTDL3: IrpHandler (1) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (2) addr: BA8EEBB0

21:02:08:843 3652 DetectCureTDL3: IrpHandler (3) addr: BA8E8D1F

21:02:08:843 3652 DetectCureTDL3: IrpHandler (4) addr: BA8E8D1F

21:02:08:843 3652 DetectCureTDL3: IrpHandler (5) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (6) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (7) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (8) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (9) addr: BA8E92E2

21:02:08:843 3652 DetectCureTDL3: IrpHandler (10) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (11) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (12) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (13) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (14) addr: BA8E93BB

21:02:08:843 3652 DetectCureTDL3: IrpHandler (15) addr: BA8ECF28

21:02:08:843 3652 DetectCureTDL3: IrpHandler (16) addr: BA8E92E2

21:02:08:843 3652 DetectCureTDL3: IrpHandler (17) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (18) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (19) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (20) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (21) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (22) addr: BA8EAC82

21:02:08:843 3652 DetectCureTDL3: IrpHandler (23) addr: BA8EF99E

21:02:08:843 3652 DetectCureTDL3: IrpHandler (24) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (25) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (26) addr: 804F4562

21:02:08:843 3652 TDL3_FileDetect: Processing driver: Disk

21:02:08:843 3652 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys

21:02:08:843 3652 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys

21:02:08:843 3652 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean

21:02:08:843 3652

21:02:08:843 3652 DetectCureTDL3: DEVICE_OBJECT: 88E7E490

21:02:08:843 3652 KLMD_GetLowerDeviceObject: Trying to get lower device object for 88E7E490

21:02:08:843 3652 KLMD_ReadMem: Trying to ReadMemory 0x88E7E490[0x38]

21:02:08:843 3652 DetectCureTDL3: DRIVER_OBJECT: 8A601B78

21:02:08:843 3652 KLMD_ReadMem: Trying to ReadMemory 0x8A601B78[0xA8]

21:02:08:843 3652 KLMD_ReadMem: Trying to ReadMemory 0xE10350E8[0x18]

21:02:08:843 3652 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk

21:02:08:843 3652 DetectCureTDL3: IrpHandler (0) addr: BA8EEBB0

21:02:08:843 3652 DetectCureTDL3: IrpHandler (1) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (2) addr: BA8EEBB0

21:02:08:843 3652 DetectCureTDL3: IrpHandler (3) addr: BA8E8D1F

21:02:08:843 3652 DetectCureTDL3: IrpHandler (4) addr: BA8E8D1F

21:02:08:843 3652 DetectCureTDL3: IrpHandler (5) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (6) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (7) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (8) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (9) addr: BA8E92E2

21:02:08:843 3652 DetectCureTDL3: IrpHandler (10) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (11) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (12) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (13) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (14) addr: BA8E93BB

21:02:08:843 3652 DetectCureTDL3: IrpHandler (15) addr: BA8ECF28

21:02:08:843 3652 DetectCureTDL3: IrpHandler (16) addr: BA8E92E2

21:02:08:843 3652 DetectCureTDL3: IrpHandler (17) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (18) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (19) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (20) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (21) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (22) addr: BA8EAC82

21:02:08:843 3652 DetectCureTDL3: IrpHandler (23) addr: BA8EF99E

21:02:08:843 3652 DetectCureTDL3: IrpHandler (24) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (25) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (26) addr: 804F4562

21:02:08:843 3652 TDL3_FileDetect: Processing driver: Disk

21:02:08:843 3652 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys

21:02:08:843 3652 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys

21:02:08:843 3652 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean

21:02:08:843 3652

21:02:08:843 3652 DetectCureTDL3: DEVICE_OBJECT: 8A29C098

21:02:08:843 3652 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A29C098

21:02:08:843 3652 KLMD_ReadMem: Trying to ReadMemory 0x8A29C098[0x38]

21:02:08:843 3652 DetectCureTDL3: DRIVER_OBJECT: 8A601B78

21:02:08:843 3652 KLMD_ReadMem: Trying to ReadMemory 0x8A601B78[0xA8]

21:02:08:843 3652 KLMD_ReadMem: Trying to ReadMemory 0xE10350E8[0x18]

21:02:08:843 3652 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk

21:02:08:843 3652 DetectCureTDL3: IrpHandler (0) addr: BA8EEBB0

21:02:08:843 3652 DetectCureTDL3: IrpHandler (1) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (2) addr: BA8EEBB0

21:02:08:843 3652 DetectCureTDL3: IrpHandler (3) addr: BA8E8D1F

21:02:08:843 3652 DetectCureTDL3: IrpHandler (4) addr: BA8E8D1F

21:02:08:843 3652 DetectCureTDL3: IrpHandler (5) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (6) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (7) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (8) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (9) addr: BA8E92E2

21:02:08:843 3652 DetectCureTDL3: IrpHandler (10) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (11) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (12) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (13) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (14) addr: BA8E93BB

21:02:08:843 3652 DetectCureTDL3: IrpHandler (15) addr: BA8ECF28

21:02:08:843 3652 DetectCureTDL3: IrpHandler (16) addr: BA8E92E2

21:02:08:843 3652 DetectCureTDL3: IrpHandler (17) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (18) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (19) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (20) addr: 804F4562

21:02:08:843 3652 DetectCureTDL3: IrpHandler (21) addr: 804F4562

21:02:08:890 3652 Completed

21:02:08:890 3652

21:02:08:890 3652 Results:

21:02:08:890 3652 Memory objects infected / cured / cured on reboot: 0 / 0 / 0

21:02:08:890 3652 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

21:02:08:890 3652 File objects infected / cured / cured on reboot: 0 / 0 / 0

21:02:08:890 3652

21:02:08:890 3652 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000

21:02:08:890 3652 UtilityDeinit: KLMD(ARK) unloaded successfully


I'm sending you a PM (private message) here on the forum. Reply to it and attach cmpropsj.dll.bad, and I'll see if I can find out more about the file and how to remove it in the best and safest way.


I came across someone else who had a very similar infection, and the following helped.

Copy all the lines in the box:

Killall::
Rootkit::
c:\windows\system32\cmpropsj.dll

and paste them into Notepad.

Save the file on the Desktop with the name CFScript.

Prepare the computer for ComboFix in the same way as before.

Drag CFScript with the mouse and drop it onto the ComboFix icon on the Desktop; this starts the program in a special mode.

Paste in the log that comes out.
