
Help with HijackThis log?


poland


Hi!

 

Got a dose of Antivirus XP Pro 2010 a few days ago and used MBAM and Ad-Aware to try to get rid of it. It hasn't shown up again since, but I've noticed that something is still wrong, and now I have a real slug of a computer where I can hardly do anything at all because it grinds away constantly. (I'm in safe mode right now.)

 

I did manage to put together a HijackThis log, though, and wonder if some kind soul can help me get the problem under control?

 

//Robert

 

[log]Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:27:26 PM, on 2/27/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Verizon\McciTrayApp.exe

C:\Program Files\Verizon\VSP\VerizonServicepoint.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\setup\avast.setup

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Documents and Settings\Roberto\Desktop\Hjack.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O1 - Hosts: ::1 localhost

O1 - Hosts: 91.212.127.227 winsecure2009.com

O1 - Hosts: 91.212.127.227 www.winsecure2009.com

O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O3 - Toolbar: Verizon Broadband Toolbar - {A057A204-BACC-4D26-8398-26FADCF27386} - C:\PROGRA~1\VERIZO~1\VERIZO~1.DLL

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [Verizon_McciTrayApp] "C:\Program Files\Verizon\McciTrayApp.exe"

O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Digital Line Detect.lnk = ?

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab

O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9964 bytes[/log]


Can you paste the following logs so I can see more of what has happened and what might still be left on the computer:

 

The logs from MBAM, Ad-Aware, Spyware Doctor and Avast in which something was found, plus logs from DDS:

Save DDS to the Desktop.

http://download.bleepingcomputer.com/sUBs/dds.scr

 

Start the program by double-clicking it.

Click Yes if the question about Optional Scan appears.


Hmm, when DDS opens, no question about a scan appears and the scan never seems to get going? I don't know what it is supposed to look like, but a prompt window opens saying that a log will appear as soon as the scan is complete, and it doesn't seem to start. I waited about 20 minutes but nothing happened. Also, I can't run MBAM, Ad-Aware or Spyware Doctor because the computer grinds so much; about 20 minutes go by and the programs haven't even opened so that I can start the scanner.

 

I'm not very computer-savvy, but I can't run them in safe mode since the malicious processes aren't running then and can't be detected - have I understood that correctly, or can I run the programs in safe mode?

 

I looked in Explorer for logs from the scans I ran earlier this week but couldn't find any, so I assume I didn't save any.

 

In that case (given that I can't get any programs going in normal mode and that I have no logs left), is the only option to restore the computer?

 

//Robert


I looked around a bit more in safe mode and found these 3 logs from earlier this week.

 

...I tried to put them into the post here, but I wasn't allowed to post because I get a reply that the post is too long (even though I'm using log tags), so I attached the txt files instead.

 

For Spyware Doctor I couldn't find where it saved any log, but I took a screenshot of its quarantine from the scan earlier this week and attached it.

 

...I saw that one of the logs was made from the other user account on the computer; I don't know if that matters, but that's how it is anyway.

 

As for the DDS you linked to, I still can't get it to work in normal mode, but let me know whether you want me to run it in safe mode or not.

 

//Robert

post-71364-126734016796_thumb.jpg

adawarelog.txt

mbam-log-2010-02-21 (22-37-28).txt

mbam-log-2010-02-25 (17-11-44).txt


Good that you got hold of logs. The fact that you can't get the programs, including DDS, to start probably means there is a lot of the malicious program left. But it usually works out.

 

In future you can paste the logs directly into your reply instead of attaching them. It makes them a bit easier to read.

 

As a rule, use normal mode unless I write otherwise.

 

1. Save FixExe.reg to the Desktop.

Double-click the file, and when a question comes up about whether you want the contents to be added to the computer's registry, click Yes.

 

2. Save RKill by Grinler to the Desktop. Download it from the first of these links:

http://download.bleepingcomputer.com/grinler/rkill.com

http://download.bleepingcomputer.com/grinler/rkill.pif

http://download.bleepingcomputer.com/grinler/rkill.scr

http://download.bleepingcomputer.com/grinler/rkill.exe

 

Start RKill (in Vista and Windows 7 by right-clicking the file and choosing Run as administrator if that option is available).

A black window/box appears for a moment if the program managed to run.

If no black window/box appeared, delete that RKill variant and repeat with the next RKill.

 

If you get a message that RKill is malicious, ignore it. That is the malicious program that doesn't want to be stopped. Leave the warning on the screen and run RKill once more.

 

Run RKill several times in a row until you no longer see any sign of the malicious program, but at most 10 times. Then continue with the rest. If you see no sign of the malicious program from the start, 3 times is enough.

 

If none of the program variants can run, say so.

 

If you need to restart the computer, run RKill again, whether in normal or safe mode.

 

3. Delete the DDS you have and download it again.

http://download.bleepingcomputer.com/sUBs/dds.scr

 

Start the program by double-clicking it.

Click Yes if the question about Optional Scan appears.

In your reply, paste the log DDS.txt, and attach Attach.txt as a file.


Wow, that was slow, but now I have the log.

 

DDS (Ver_09-12-01.01) - NTFSx86

Run by Roberto at 11:55:56.15 on Sun 02/28/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.129 [GMT -6:00]

 

AV: avast! antivirus 4.8.1368 [VPS 100228-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

 

============== Running Processes ===============

 

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Apoint\Apntex.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Program Files\Verizon\McciTrayApp.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe

C:\Program Files\Verizon\VSP\VerizonServicepoint.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Roberto\Desktop\dds.scr

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

============== Pseudo HJT Report ===============

 

uStart Page = hxxp://www.google.com

uSearch Page = hxxp://www.google.com

uDefault_Page_URL = hxxp://www.dell4me.com/myway

uSearch Bar = hxxp://www.google.com/ie

mDefault_Search_URL = hxxp://www.google.com/ie

mSearch Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = *.local

mSearchAssistant = hxxp://www.google.com

BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File

TB: Verizon Broadband Toolbar: {a057a204-bacc-4d26-8398-26fadcf27386} - c:\progra~1\verizo~1\VERIZO~1.DLL

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"

mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe

mRun: [Dell Wireless Manager UI] c:\windows\system32\WLTRAY

mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"

mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe

mRun: [DAEMON Tools-1033] "c:\program files\d-tools\daemon.exe" -lang 1033

mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"

mRun: [VerizonServicepoint.exe] "c:\program files\verizon\vsp\VerizonServicepoint.exe" /AUTORUN

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [iSTray] "c:\program files\spyware doctor\pctsTray.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

IE: E&xportera till Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxsrvc.dll

Hosts: 91.212.127.227 winsecure2009.com

Hosts: 91.212.127.227 www.winsecure2009.com

 

================= FIREFOX ===================

 

FF - ProfilePath - c:\docume~1\roberto\applic~1\mozilla\firefox\profiles\gsl31wgh.default\

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1698.5652\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_HotbarSA.dll

FF - plugin: c:\program files\verizon\vsp\nprpspa.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

 

============= SERVICES / DRIVERS ===============

 

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [2009-6-22 156800]

R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [2009-6-22 5248]

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-26 64288]

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-2-21 28552]

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-2-21 207792]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-6-22 114768]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-6-22 20560]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-6-22 138680]

R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-2-21 112592]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1229232]

R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-2-21 359624]

R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-2-21 1141712]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-6-22 254040]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-16 133104]

S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-6-22 352920]

 

=============== Created Last 30 ================

 

2010-02-27 02:04:25 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-02-27 00:29:57 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-02-27 00:29:44 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-02-27 00:17:19 0 d-----w- c:\program files\Lavasoft

2010-02-25 21:06:16 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-02-22 03:57:01 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys

2010-02-22 03:56:48 0 d-----w- c:\program files\Panda Security

2010-02-22 03:55:42 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-02-22 01:21:45 767952 ----a-w- c:\windows\BDTSupport.dll.old

2010-02-22 01:21:45 767952 ----a-w- c:\windows\BDTSupport.dll

2010-02-22 01:21:43 882 ----a-w- c:\windows\RegSDImport.xml

2010-02-22 01:21:43 879 ----a-w- c:\windows\RegISSImport.xml

2010-02-22 01:21:43 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-02-22 01:21:43 131 ----a-w- c:\windows\IDB.zip

2010-02-22 01:21:43 1152444 ----a-w- c:\windows\UDB.zip

2010-02-22 01:21:42 165840 ----a-w- c:\windows\PCTBDRes.dll

2010-02-22 01:21:42 1652688 ----a-w- c:\windows\PCTBDCore.dll

2010-02-22 01:21:42 1640400 ----a-w- c:\windows\PCTBDCore.dll.old

2010-02-22 00:33:13 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat

2010-02-22 00:33:13 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2010-02-22 00:32:53 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2010-02-22 00:32:53 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat

2010-02-22 00:32:53 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat

2010-02-22 00:32:53 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2010-02-22 00:32:32 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat

2010-02-22 00:32:32 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2010-02-22 00:32:03 0 d-----w- c:\program files\common files\PC Tools

2010-02-22 00:32:02 0 d-----w- c:\program files\Spyware Doctor

2010-02-22 00:32:02 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools

2010-02-21 05:27:54 0 d-----w- c:\docume~1\alluse~1\applic~1\PopCap

 

==================== Find3M ====================

 

2010-01-07 22:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 22:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys

2009-12-31 15:33:06 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe

2009-12-18 13:05:43 634648 ------w- c:\windows\system32\dllcache\iexplore.exe

2009-12-18 13:04:09 161792 ------w- c:\windows\system32\dllcache\ieakui.dll

2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-16 18:43:27 343040 ------w- c:\windows\system32\dllcache\mspaint.exe

2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-14 07:08:23 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll

2009-12-08 19:27:51 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-12-08 19:27:51 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe

2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe

2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe

2009-12-08 18:43:50 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe

2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe

2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll

2009-12-04 18:22:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys

2009-09-13 16:35:34 16911 ----a-w- c:\program files\common files\wequmomut.vbs

2009-09-13 16:35:33 12556 ----a-w- c:\program files\common files\akik.bin

 

============= FINISH: 11:57:05.59 ===============

Attach.txt


On the site http://www.virustotal.com, click the Browse button and paste one of the following file names into the box, click Send File and wait until the result is ready (Current status becomes finished). Paste the results from the various antivirus programs (not Additional information), or a link to the result, here. Repeat with the next file name.

c:\program files\common files\wequmomut.vbs

c:\program files\common files\akik.bin

 

You will probably get a computer that works better if you don't have Spyware Doctor and Ad-Aware running all the time. You have a weak processor, so it's best not to have too much running at once.

 

Save ComboFix to the Desktop:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

 

Close all programs you see, including antivirus and anti-spyware programs, but leave the firewall on.

How? See http://www.bleepingcomputer.com/forums/topic114351.html

Run ComboFix and follow the instructions shown.

If a question comes up about whether you want to install the Recovery Console, answer yes.

 

IMPORTANT! Don't click on the ComboFix window with the mouse while it is running, otherwise it may hang.

 

When it is finished a log should appear; paste it into your reply. Check that the antivirus program etc. is running before you connect to the internet.

 

If you have problems getting onto the internet:

Control Panel - Network Connections

right-click your internet connection and choose Repair, and/or restart the computer.

 

Warning! ComboFix disables autorun for CDs, floppies and USB devices to make it easier to clean the computer and to protect it against infections in the future. This can cause problems, e.g. if the computer gets its internet through a USB modem or USB network adapter. In that case, say so instead of running ComboFix.

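As an added example (not code from this thread or from any of the tools mentioned in it), here is a small Python triage script that applies the checks the helper is doing by eye to lines of the kind found in the HijackThis and DDS logs above: O1 Hosts entries that point a name somewhere other than loopback, O2/O3/O9 entries whose file is gone, and recently created script-like files outside system32. The sample lines are a constructed subset copied from the logs in this thread; the rule names and thresholds are my own assumptions.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List

# Constructed sample: a handful of lines copied from the HijackThis and DDS
# logs posted earlier in this thread (not the complete logs).
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.227 winsecure2009.com
O1 - Hosts: 91.212.127.227 www.winsecure2009.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
2010-01-07 22:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-13 16:35:34 16911 ----a-w- c:\program files\common files\wequmomut.vbs
2009-09-13 16:35:33 12556 ----a-w- c:\program files\common files\akik.bin
"""


@dataclass
class Finding:
    rule: str   # which heuristic fired (names are assumptions, not tool output)
    line: str   # the log line that triggered it


# "O1 - Hosts: <address> <hostname>" as HijackThis prints it
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
# Any HijackThis O-entry whose referenced file no longer exists
NOFILE_RE = re.compile(r"^O\d+ - .*\(no file\)\s*$")
# DDS "Created Last 30" / "Find3M" rows: date time size attrs path
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+\S+\s+(.+)$")

# Extensions that have no business appearing as fresh files in Common Files,
# the Windows root or user profile folders (assumption: a practitioner's list).
SCRIPT_EXT = (".vbs", ".bin", ".reg", ".inf", ".bat", ".cmd", ".js")
SYSTEM_DIR = "c:\\windows\\system32\\"


def triage(log_text: str) -> List[Finding]:
    """Walk the log line by line and collect the entries worth a closer look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = HOSTS_RE.match(line)
        if m:
            addr, _name = m.groups()
            try:
                loopback = ip_address(addr).is_loopback
            except ValueError:       # not an IP literal at all: treat as suspect
                loopback = False
            # A hosts entry that sends a name to a non-loopback address is a
            # classic rogue-AV trick (here: winsecure2009.com -> 91.212.127.227).
            if not loopback:
                findings.append(Finding("hosts-redirect", line))
            continue

        if NOFILE_RE.match(line):
            # Leftover registration whose DLL/EXE was removed: harmless but
            # worth cleaning, and often a trace of something already deleted.
            findings.append(Finding("orphaned-entry", line))
            continue

        m = FILE_RE.match(line)
        if m:
            path = m.group(1).lower()
            if path.endswith(SCRIPT_EXT) and not path.startswith(SYSTEM_DIR):
                findings.append(Finding("script-in-odd-location", line))
    return findings


def count_by_rule(findings: List[Finding]) -> Dict[str, int]:
    """Summary used for a quick read of how noisy each heuristic is."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
    print(count_by_rule(triage(SAMPLE_LOG)))
```

The two `script-in-odd-location` hits are exactly the files the helper asked to have checked on VirusTotal; the tool does not decide they are malicious, it only orders the list for a human.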

VirusTotal:

 

http://www.virustotal.com/analisis/54322842356268e9e3ea0d791b8209d533b164e3bbc7716402c3523a4119775e-1267383586

 

http://www.virustotal.com/analisis/79ef7286e00fb23fd9d18f5de82c43a5c23168bc6a1c0122859a0f9894fd9ae0-1267383849

 

I downloaded and installed Ad-Aware and Spyware Doctor during the week when I got the problems, so they don't normally run, but I've let them do so now since that has kept all the antivirus pop-ups from XP Antivirus 2010 away. Regarding USB modems: I have a Dell laptop with one of those wireless network cards (a wifi card that came with the computer?) that I run from, which you can pull out of and push into the side of the computer, but it doesn't run from the regular USB ports; there is a dedicated slot for it. Is it OK to run ComboFix when I'm using one of those, or does it "count" as a USB network card?

 

I'll hold off on running ComboFix until I'm told whether it's OK to run it or not :)


ComboFix 10-02-27.04 - Roberto 02/28/2010 15:27:56.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.148 [GMT -6:00]

Running from: c:\documents and settings\Roberto\Desktop\ComboFix.exe

AV: avast! antivirus 4.8.1368 [VPS 100228-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\All Users\Application Data\peza.vbs

c:\documents and settings\All Users\Documents\pypa.inf

c:\documents and settings\Roberto\Application Data\linilajuly.inf

c:\documents and settings\Roberto\Application Data\rysoqafy.vbs

c:\documents and settings\Roberto\Cookies\abixy.sys

c:\documents and settings\Roberto\Cookies\anibunedud.inf

c:\documents and settings\Roberto\Cookies\deqowaxez.sys

c:\documents and settings\Roberto\Cookies\roberto@www.managerzone[1].txt

c:\documents and settings\Roberto\Cookies\roberto@www.managerzone[2].txt

c:\documents and settings\Roberto\Cookies\yximuwyxy.sys

c:\documents and settings\Roberto\Local Settings\Temporary Internet Files\31BXLbn54.jpg

c:\documents and settings\Roberto\Local Settings\Temporary Internet Files\60bkpXOj5.jpg

c:\documents and settings\Roberto\Local Settings\Temporary Internet Files\8oX1Y.jpg

c:\documents and settings\Roberto\Local Settings\Temporary Internet Files\8yMY5yM4.jpg

c:\documents and settings\Roberto\Local Settings\Temporary Internet Files\uhyjuka._sy

c:\program files\Common Files\wequmomut.vbs

c:\windows\Downloaded Program Files\popcaploader.inf

c:\windows\ibakubiwih.reg

c:\windows\system32\twain_32.dll

c:\windows\ykugegyho.vbs

 

.

((((((((((((((((((((((((( Files Created from 2010-01-28 to 2010-02-28 )))))))))))))))))))))))))))))))

.

 

2010-02-27 02:04 . 2010-02-27 00:29 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-02-27 00:29 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-02-27 00:29 . 2010-02-27 00:29 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-02-27 00:17 . 2010-02-27 00:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-02-27 00:17 . 2010-02-27 00:18 -------- d-----w- c:\program files\Lavasoft

2010-02-25 21:06 . 2010-02-27 00:18 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-02-22 04:43 . 2010-02-22 04:43 -------- d-----w- c:\documents and settings\Roberto\Local Settings\Application Data\Threat Expert

2010-02-22 03:57 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys

2010-02-22 03:56 . 2010-02-22 03:56 -------- d-----w- c:\program files\Panda Security

2010-02-22 03:55 . 2010-02-28 08:17 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-02-22 01:21 . 2010-01-21 23:21 767952 ----a-w- c:\windows\BDTSupport.dll

2010-02-22 01:21 . 2010-01-21 23:21 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-02-22 01:21 . 2009-10-28 07:36 1152444 ----a-w- c:\windows\UDB.zip

2010-02-22 01:21 . 2008-11-26 18:08 131 ----a-w- c:\windows\IDB.zip

2010-02-22 01:21 . 2010-01-21 23:21 165840 ----a-w- c:\windows\PCTBDRes.dll

2010-02-22 01:21 . 2010-01-21 23:21 1652688 ----a-w- c:\windows\PCTBDCore.dll

2010-02-22 00:33 . 2009-10-30 17:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2010-02-22 00:32 . 2009-11-09 17:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2010-02-22 00:32 . 2009-10-06 22:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2010-02-22 00:32 . 2009-09-03 15:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2010-02-22 00:32 . 2010-02-22 01:22 -------- d-----w- c:\program files\Common Files\PC Tools

2010-02-22 00:32 . 2010-02-28 21:52 -------- d-----w- c:\program files\Spyware Doctor

2010-02-22 00:32 . 2010-02-22 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2010-02-22 00:31 . 2010-02-28 21:53 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-02-21 05:27 . 2010-02-21 05:27 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-28 01:39 . 2009-08-22 11:32 -------- d-----w- c:\documents and settings\Roberto\Application Data\Skype

2010-02-27 22:03 . 2009-08-22 11:32 -------- d-----w- c:\documents and settings\Roberto\Application Data\skypePM

2010-02-27 10:28 . 2009-12-09 08:00 -------- d-----w- c:\program files\MzMgr by isvicare

2010-02-22 04:03 . 2009-09-13 16:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-14 18:32 . 2009-06-22 07:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-02-09 15:14 . 2009-09-10 22:34 -------- d-----w- c:\program files\Google

2010-01-11 16:29 . 2009-08-14 21:22 -------- d-----w- c:\program files\Verizon

2010-01-07 22:07 . 2009-09-13 16:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 22:07 . 2009-09-13 16:47 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-05 10:00 . 2004-08-04 11:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-01-05 10:00 . 2004-08-04 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-01-05 10:00 . 2004-08-04 11:00 17408 ----a-w- c:\windows\system32\corpol.dll

2009-12-31 16:50 . 2004-08-04 11:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-16 18:43 . 2004-08-04 11:00 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08 . 2004-08-04 11:00 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-14 05:15 . 2009-09-03 17:47 44528 ----a-w- c:\documents and settings\Roberto\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-12-08 19:27 . 2004-08-04 11:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43 . 2004-08-04 11:00 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe

2009-12-04 18:22 . 2004-08-04 11:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2009-09-13 16:35 . 2009-09-13 16:35 12556 ----a-w- c:\program files\Common Files\akik.bin

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

 

------- Sigcheck -------

 

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys

[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\DLLCACHE\atapi.sys

[-] 2004-08-04 10:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\SYSTEM32\DRIVERS\atapi.sys

[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys

[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-10 68856]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-08 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126976]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2004-11-10 598016]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-03-13 81920]

"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2009-03-10 1553920]

"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2009-03-12 2303216]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-16 149280]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-11-18 1243088]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-3-2 24576]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\LunaImaging\\jres\\Sun\\1.4.2_05\\bin\\javaw.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

 

R0 d346bus;d346bus;c:\windows\SYSTEM32\DRIVERS\d346bus.sys [6/22/2009 12:47 AM 156800]

R0 d346prt;d346prt;c:\windows\SYSTEM32\DRIVERS\d346prt.sys [6/22/2009 12:47 AM 5248]

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [2/26/2010 6:29 PM 64288]

R0 pavboot;pavboot;c:\windows\SYSTEM32\DRIVERS\pavboot.sys [2/21/2010 9:57 PM 28552]

R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [2/21/2010 6:32 PM 207792]

R1 aswSP;avast! Self Protection;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [6/22/2009 6:07 AM 114768]

R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [6/22/2009 6:07 AM 20560]

R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2/21/2010 7:21 PM 112592]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1229232]

R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2/21/2010 6:32 PM 359624]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/16/2009 5:50 PM 133104]

 

--- Other Services/Drivers In Memory ---

 

*Deregistered* - PCTSDInjDriver32

.

Contents of the 'Scheduled Tasks' folder

 

2010-02-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 00:26]

 

2010-02-24 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

 

2010-02-28 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-10 23:46]

 

2010-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-16 23:50]

 

2010-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-16 23:50]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = *.local

IE: E&xportera till Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

FF - ProfilePath - c:\documents and settings\Roberto\Application Data\Mozilla\Firefox\Profiles\gsl31wgh.default\

FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1698.5652\npCIDetect13.dll

FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll

FF - plugin: c:\program files\Verizon\VSP\nprpspa.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

 

HKLM-Run-PCMService - c:\program files\Dell\Media Experience\PCMService.exe

AddRemove-HijackThis - c:\documents and settings\Roberto\Desktop\HijackThis.exe

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-28 15:56

Windows 5.1.2600 Service Pack 3 NTFS

 

detected NTDLL code modification:

ZwClose

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

 

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys >>UNKNOWN [0x829F4DF8]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf8676f28

\Driver\ACPI -> ACPI.sys @ 0xf8442cb8

\Driver\atapi -> 0x829f4df8

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022

NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xf825fbb0

PacketIndicateHandler -> NDIS.sys @ 0xf824ea0d

SendHandler -> NDIS.sys @ 0xf8262b40

Warning: possible MBR rootkit infection !

user & kernel MBR OK

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(696)

c:\windows\System32\BCMLogon.dll

 

- - - - - - - > 'explorer.exe'(2684)

c:\windows\system32\WININET.dll

c:\program files\Spyware Doctor\pctgmhk.dll

c:\windows\system32\IEFRAME.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\WLTRYSVC.EXE

c:\windows\System32\bcmwltry.exe

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\program files\Alwil Software\Avast4\ashServ.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

c:\program files\Spyware Doctor\pctsSvc.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\WLTRAY.exe

c:\program files\Apoint\Apntex.exe

c:\program files\Alwil Software\Avast4\ashWebSv.exe

c:\windows\system32\wbem\unsecapp.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

.

**************************************************************************

.

Completion time: 2010-02-28 16:18:55 - machine was rebooted

ComboFix-quarantined-files.txt 2010-02-28 22:18

 

Pre-Run: 34,346,696,704 bytes free

Post-Run: 36,003,684,352 bytes free

 

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

 

- - End Of File - - 8F6A110B8B16CC9094EB2C6BC72D6BB8

 

 

 


What is this program?

2010-02-27 10:28 . 2009-12-09 08:00 -------- d-----w- c:\program files\MzMgr by isvicare

 

This is a type of infection that cannot be fixed while Windows is running; you need to boot the computer from a CD instead. Download OTLPE.iso http://oldtimer.geekstogo.com/OTLPE.iso and burn it to a CD as an image/iso.

Do you know how to do that? If not, ask, and tell me what burning software you have.

 

Do you know how to make the computer boot from a CD instead of from the hard disk? If not, ask.

 

When the computer has booted from the CD, the REATOGO-X-PE desktop is shown.

Double-click the OTLPE icon.

When asked "Do you wish to load the remote registry", choose Yes.

When asked "Do you wish to load remote user profile(s) for scanning", choose Yes.

Make sure "Automatically Load All Remaining Users" is selected and click OK.

The OTL program starts.

Change the following setting:

* Change Drivers to Non-Microsoft

Click Run Scan to start the scan.

When the scan is finished, the log file OTL.txt will be saved in the folder C:\_OTL\MovedFiles.

 

Restart the computer from the hard disk and paste the log file OTL.txt into your reply.


What is this program?

2010-02-27 10:28 . 2009-12-09 08:00 -------- d-----w- c:\program files\MzMgr by isvicare

 

- It is a home-made program "by someone" that is used for analysing an online football manager game (Managerzone.se). It was "flagged safe" by their "crew", so I felt it shouldn't be any danger (but maybe that wasn't the case?)

This is a type of infection that cannot be fixed while Windows is running; you need to boot the computer from a CD instead. Download OTLPE.iso http://oldtimer.geek...o.com/OTLPE.iso and burn it to a CD as an image/iso.

Do you know how to do that? If not, ask, and tell me what burning software you have.

- I don't have any burning software on this computer (other than XP's own, I would think, since there should be one?), but over the years I have used various versions of Nero, so if I can't do it with XP's I'll download some version of Nero.

 

Do you know how to make the computer boot from a CD instead of from the hard disk? If not, ask.

- I do that by going into the BIOS setup at startup and changing the boot device from HDD to CD, right?

 

When the computer has booted from the CD, the REATOGO-X-PE desktop is shown.

Double-click the OTLPE icon.

When asked "Do you wish to load the remote registry", choose Yes.

When asked "Do you wish to load remote user profile(s) for scanning", choose Yes.

Make sure "Automatically Load All Remaining Users" is selected and click OK.

The OTL program starts.

Change the following setting:

* Change Drivers to Non-Microsoft

Click Run Scan to start the scan.

When the scan is finished, the log file OTL.txt will be saved in the folder C:\_OTL\MovedFiles.

 

Restart the computer from the hard disk and paste the log file OTL.txt into your reply.

 

I'll get back with the log file and so on; I'll sort out a disc and let my stone-age internet connection download the iso file.

 

...thanks very much for the help so far, nice that there are more intelligent people who want to and can help less intelligent ones :)


c:\program files\MzMgr by isvicare I could not find any information about the program, which is why I asked you. I have no idea whether it is a good or a bad program.

 

ISO Burner is an example of a program that is easy to use for burning ISO files (easier than Nero since there aren't so many options).

http://www.ntfs.com/iso-burning.htm

 

- I do that by going into the BIOS setup at startup and changing the boot device from HDD to CD, right?

Yep :)


Downloaded and installed ISO Burner and burned OTLPE.iso, but when I rebooted with the disc I get an error message that says:

 

"File VMSCSI.SY_ caused an unexpected error (256) at line 3540 in d:\xpsprtm\base\bost\setup\setup.c."

 

I thought maybe something went wrong when I burned the disc, so I burned a new disc at a lower write speed, but I got the same error message when I tried to boot from that one too.

 

Any tips on what I'm doing wrong?


Then we'll do it another way instead. As you have probably noticed, you now have a small new menu during the computer's startup. It is shown for two seconds, and by using the arrow keys you can select "Microsoft Windows Recovery Console" instead of your usual Windows installation. After highlighting "Microsoft Windows Recovery Console", press the Enter key to start the Recovery Console.

 

But first, before you start the Recovery Console, use Explorer or My Computer to go to the folder

c:\windows\SYSTEM32\ReinstallBackups\0004\DriverFiles\i386

and right-click the file atapi.sys and choose Copy. Then go to the folder

c:\

and paste the copied file (in the right-hand pane, right-click an empty area and choose Paste). Check that you now see a file atapi.sys in the folder c:\.

 

Restart the computer and choose to start the Recovery Console. When the console is up, type the following commands (be careful):

 

cd c:\windows\system32\drivers

ren atapi.sys atapi.bad

copy c:\atapi.sys .

cd c:\windows\SYSTEM32\DLLCACHE

copy c:\atapi.sys .

exit

 

If you get any error message, stop, and if possible post in this thread from another computer. If you cannot, revert like this:

cd c:\windows\system32\drivers

ren atapi.bad atapi.sys

 

Start the computer normally so that you get into Windows. Run ComboFix again and paste its log.

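The Sigcheck block in the ComboFix log above is what points the helper at the ReinstallBackups copy of atapi.sys: the live driver in system32\drivers could not be hashed, while three backup copies of the same size and version agree on one MD5. As an added example (not part of the thread, and not ComboFix's own code), here is a small Python triage script that parses such a Sigcheck block and reports which copies of each driver are suspect and which corroborate each other; the sample log is constructed from the lines posted above.

```python
"""Triage helper for the 'Sigcheck' section of a ComboFix log.

ComboFix hashes every copy Windows keeps of a few critical drivers (atapi.sys
here): the live one in system32\\drivers, the dllcache copy and the
service-pack backups. A copy that cannot be hashed, or whose MD5 differs from
same-size, same-version siblings, is the one to inspect and restore from a
backup, which is what the Recovery Console procedure above does.
"""
import re
from collections import defaultdict

# One Sigcheck line: [flag] date . md5-or-error . size . . [version] . . path
SIGCHECK_LINE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2})?)\s+\.\s+"
    r"(?P<hash>[^.]+?)\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+"
    r"(?P<path>\S.*?)\s*$"
)
MD5_RE = re.compile(r"[0-9A-Fa-f]{32}")

# Constructed sample: the Sigcheck block copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\DLLCACHE\atapi.sys
[-] 2004-08-04 10:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\SYSTEM32\DRIVERS\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
.
"""


def parse_sigcheck(log_text):
    """Return one dict per Sigcheck line; 'md5' is None when ComboFix could not hash the file."""
    entries = []
    for raw in log_text.splitlines():
        m = SIGCHECK_LINE.match(raw.strip())
        if not m:
            continue  # section headers, blank lines and other log sections are skipped
        e = m.groupdict()
        e["size"] = int(e["size"])
        field = e.pop("hash")
        e["md5"] = field.upper() if MD5_RE.fullmatch(field) else None
        e["name"] = e["path"].rsplit("\\", 1)[-1].lower()
        entries.append(e)
    return entries


def triage(entries):
    """Per driver name, return (suspect_paths, trusted_paths).

    A copy is suspect when it could not be hashed, or when its MD5 differs
    from a sibling of the same size and version. A copy is trusted when at
    least one other copy of the same size carries the identical MD5, so the
    two corroborate each other; the helper restores from such a copy.
    """
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)
    report = {}
    for name, copies in by_name.items():
        suspect, trusted = [], []
        for e in copies:
            siblings = [c for c in copies if c is not e and c["md5"]]
            if e["md5"] is None:
                suspect.append(e["path"])  # unreadable while siblings hashed fine
                continue
            same_build = [c for c in siblings
                          if c["size"] == e["size"] and c["version"] == e["version"]]
            if any(c["md5"] != e["md5"] for c in same_build):
                suspect.append(e["path"])  # same build, different bytes
            elif any(c["md5"] == e["md5"] and c["size"] == e["size"] for c in siblings):
                trusted.append(e["path"])  # independently corroborated copy
        report[name] = (suspect, trusted)
    return report


def main():
    for name, (suspect, trusted) in triage(parse_sigcheck(SAMPLE_LOG)).items():
        print(f"{name}: {len(suspect)} suspect, {len(trusted)} trusted")
        for p in suspect:
            print("  SUSPECT", p)
        for p in trusted:
            print("  trusted", p)


if __name__ == "__main__":
    main()
```

The SP3 copy under ServicePackFiles has a different size and version from every other copy, so it is neither flagged nor trusted; the script only corroborates copies of the same build.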

Had to run rkill again before I could get anywhere in normal mode. rkill closes something called c:\windows\system32\imapi.exe when I run it after a restart, and once that file is closed the computer "gets going again" and it's actually possible to do something.

 

Anyway, the log:

 

ComboFix 10-02-27.04 - Roberto 03/01/2010 16:14:04.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.68 [GMT -6:00]

Running from: c:\documents and settings\Roberto\Desktop\ComboFix.exe

AV: avast! antivirus 4.8.1368 [VPS 100301-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\Roberto\Cookies\roberto@www.managerzone[1].txt

 

.

((((((((((((((((((((((((( Files Created from 2010-02-01 to 2010-03-01 )))))))))))))))))))))))))))))))

.

 

2010-03-01 20:44 . 2004-08-04 10:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-03-01 20:44 . 2004-08-04 04:59 95360 ----a-w- c:\windows\system32\dllcache\ATAPI.SYS

2010-03-01 20:44 . 2004-08-04 04:59 95360 ----a-w- C:\atapi.sys

2010-03-01 04:19 . 2010-03-01 04:19 691696 ----a-w- c:\windows\system32\drivers\sptd.sys

2010-03-01 04:16 . 2010-03-01 04:16 -------- d-----w- c:\program files\LSoft Technologies

2010-02-27 02:04 . 2010-02-27 00:29 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-02-27 00:29 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-02-27 00:29 . 2010-02-27 00:29 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-02-27 00:17 . 2010-02-27 00:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-02-27 00:17 . 2010-02-27 00:18 -------- d-----w- c:\program files\Lavasoft

2010-02-25 21:06 . 2010-02-27 00:18 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-02-22 04:43 . 2010-02-22 04:43 -------- d-----w- c:\documents and settings\Roberto\Local Settings\Application Data\Threat Expert

2010-02-22 03:57 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys

2010-02-22 03:56 . 2010-02-22 03:56 -------- d-----w- c:\program files\Panda Security

2010-02-22 03:55 . 2010-02-28 08:17 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-02-22 01:21 . 2010-01-21 23:21 767952 ----a-w- c:\windows\BDTSupport.dll

2010-02-22 01:21 . 2010-01-21 23:21 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-02-22 01:21 . 2009-10-28 07:36 1152444 ----a-w- c:\windows\UDB.zip

2010-02-22 01:21 . 2008-11-26 18:08 131 ----a-w- c:\windows\IDB.zip

2010-02-22 01:21 . 2010-01-21 23:21 165840 ----a-w- c:\windows\PCTBDRes.dll

2010-02-22 01:21 . 2010-01-21 23:21 1652688 ----a-w- c:\windows\PCTBDCore.dll

2010-02-22 00:33 . 2009-10-30 17:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2010-02-22 00:32 . 2009-11-09 17:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2010-02-22 00:32 . 2009-10-06 22:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2010-02-22 00:32 . 2009-09-03 15:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2010-02-22 00:32 . 2010-02-22 01:22 -------- d-----w- c:\program files\Common Files\PC Tools

2010-02-22 00:32 . 2010-03-01 22:37 -------- d-----w- c:\program files\Spyware Doctor

2010-02-22 00:32 . 2010-02-22 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2010-02-22 00:31 . 2010-03-01 22:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-02-21 05:27 . 2010-02-21 05:27 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-01 06:40 . 2009-12-09 08:00 -------- d-----w- c:\program files\MzMgr by isvicare

2010-03-01 04:16 . 2005-03-02 10:08 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-02-28 01:39 . 2009-08-22 11:32 -------- d-----w- c:\documents and settings\Roberto\Application Data\Skype

2010-02-27 22:03 . 2009-08-22 11:32 -------- d-----w- c:\documents and settings\Roberto\Application Data\skypePM

2010-02-22 04:03 . 2009-09-13 16:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-14 18:32 . 2009-06-22 07:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-02-09 15:14 . 2009-09-10 22:34 -------- d-----w- c:\program files\Google

2010-01-11 16:29 . 2009-08-14 21:22 -------- d-----w- c:\program files\Verizon

2010-01-07 22:07 . 2009-09-13 16:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 22:07 . 2009-09-13 16:47 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-05 10:00 . 2004-08-04 11:00 832512 ------w- c:\windows\system32\wininet.dll

2010-01-05 10:00 . 2004-08-04 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-01-05 10:00 . 2004-08-04 11:00 17408 ----a-w- c:\windows\system32\corpol.dll

2009-12-31 16:50 . 2004-08-04 11:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-16 18:43 . 2004-08-04 11:00 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08 . 2004-08-04 11:00 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-14 05:15 . 2009-09-03 17:47 44528 ----a-w- c:\documents and settings\Roberto\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-12-08 19:27 . 2004-08-04 11:00 2189184 ------w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43 . 2004-08-04 11:00 2066048 ------w- c:\windows\system32\ntkrnlpa.exe

2009-12-04 18:22 . 2004-08-04 11:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2009-09-13 16:35 . 2009-09-13 16:35 12556 ----a-w- c:\program files\Common Files\akik.bin

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

 

------- Sigcheck -------

 

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys

[-] 2004-08-04 10:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\SYSTEM32\DRIVERS\atapi.sys

[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys

[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\DLLCACHE\ATAPI.SYS

[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-10 68856]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-08 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126976]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2004-11-10 598016]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-03-13 81920]

"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2009-03-10 1553920]

"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2009-03-12 2303216]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-16 149280]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-11-18 1243088]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-3-2 24576]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\LunaImaging\\jres\\Sun\\1.4.2_05\\bin\\javaw.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

 

R0 d346bus;d346bus;c:\windows\SYSTEM32\DRIVERS\d346bus.sys [6/22/2009 12:47 AM 156800]

R0 d346prt;d346prt;c:\windows\SYSTEM32\DRIVERS\d346prt.sys [6/22/2009 12:47 AM 5248]

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [2/26/2010 6:29 PM 64288]

R0 pavboot;pavboot;c:\windows\SYSTEM32\DRIVERS\pavboot.sys [2/21/2010 9:57 PM 28552]

R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [2/21/2010 6:32 PM 207792]

R1 aswSP;avast! Self Protection;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [6/22/2009 6:07 AM 114768]

R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [6/22/2009 6:07 AM 20560]

R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2/21/2010 7:21 PM 112592]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1229232]

R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2/21/2010 6:32 PM 359624]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/16/2009 5:50 PM 133104]

S4 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [2/28/2010 10:19 PM 691696]

 

--- Other Services/Drivers In Memory ---

 

*Deregistered* - PCTSDInjDriver32

.

Contents of the 'Scheduled Tasks' folder

 

2010-03-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 00:26]

 

2010-02-24 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

 

2010-03-01 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-10 23:46]

 

2010-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-16 23:50]

 

2010-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-16 23:50]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = *.local

IE: E&xportera till Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

FF - ProfilePath - c:\documents and settings\Roberto\Application Data\Mozilla\Firefox\Profiles\gsl31wgh.default\

FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-01 16:41

Windows 5.1.2600 Service Pack 3 NTFS

 

detected NTDLL code modification:

ZwClose

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

 

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys >>UNKNOWN [0x82D81338]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf8676f28

\Driver\ACPI -> ACPI.sys @ 0xf8462cb8

\Driver\atapi -> 0x82d81338

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022

NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xf825fbb0

PacketIndicateHandler -> NDIS.sys @ 0xf824ea0d

SendHandler -> NDIS.sys @ 0xf8262b40

Warning: possible MBR rootkit infection !

user & kernel MBR OK

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(512)

c:\windows\System32\BCMLogon.dll

 

- - - - - - - > 'explorer.exe'(3836)

c:\windows\system32\WININET.dll

c:\program files\Spyware Doctor\pctgmhk.dll

c:\windows\system32\IEFRAME.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\WLTRYSVC.EXE

c:\windows\System32\bcmwltry.exe

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\program files\Alwil Software\Avast4\ashServ.exe

c:\windows\system32\WLTRAY.exe

c:\program files\Apoint\Apntex.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

c:\program files\Spyware Doctor\pctsSvc.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Alwil Software\Avast4\ashMaiSv.exe

c:\program files\Alwil Software\Avast4\ashWebSv.exe

c:\windows\system32\wbem\unsecapp.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

.

**************************************************************************

.

Completion time: 2010-03-01 16:59:46 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-01 22:59

ComboFix2.txt 2010-02-28 22:18

 

Pre-Run: 35,643,564,032 bytes free

Post-Run: 35,648,888,832 bytes free

 

- - End Of File - - 0A0C2A46FBFBD6BB7F7ADEF871B4F73A

 

 

 


Okay, we will have to dig deeper into that computer. But first, disabling the driver that is causing trouble.

 

1. Save DeFogger by jpshortstuff http://www.jpshortstuff.247fixes.com/Defogger.exe to the Desktop.

 

Start DeFogger.

When the program window appears, press the Disable button to deactivate the drivers that belong to your installed CD emulation software.

Press Yes to continue.

When the program is done, a message 'Finished!' appears.

Press OK.

The program asks to restart the computer; press OK.

 

IMPORTANT! If you get an error message while DeFogger is running, paste the log defogger_disable that is then created on the Desktop.

 

Do not enable these drivers until the cleanup is completely finished.

 

2. Save TDSSKiller to the Desktop:

http://support.kaspersky.com/downloads/utils/tdsskiller.zip

 

Right-click and choose Extract All. Make sure the extraction goes to the Desktop. Alternatively, you can use your own program for unpacking zip files; just make sure the file tdsskiller.exe ends up on the Desktop.

 

Start - Run

Copy the line that is in the box

"%userprofile%\skrivbord\TDSSKiller.exe" -l rapport.txt -v

 

Open the file rapport that was created on the Desktop and paste the contents into your reply.

 

3. Run ComboFix again and paste the new log.


I didn't get any error message when I ran defogger, but here is the log anyway.

 

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 17:56 on 01/03/2010 (Roberto)

 

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

 

Checking for services/drivers...

Unable to read atapi.sys

d346prt -> Disabled (Service running -> reboot required)

SPTD -> Already disabled

 

 

-=E.O.F=-

 

Rapport.txt

 

18:12:08:500 0804 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25

18:12:08:500 0804 ================================================================================

18:12:08:500 0804 SystemInfo:

 

18:12:08:500 0804 OS Version: 5.1.2600 ServicePack: 3.0

18:12:08:500 0804 Product type: Workstation

18:12:08:500 0804 ComputerName: SHANALYNNE

18:12:08:500 0804 UserName: Roberto

18:12:08:500 0804 Windows directory: C:\WINDOWS

18:12:08:500 0804 Processor architecture: Intel x86

18:12:08:515 0804 Number of processors: 1

18:12:08:515 0804 Page size: 0x1000

18:12:08:546 0804 Boot type: Normal boot

18:12:08:546 0804 ================================================================================

18:12:08:828 0804 UnloadDriverW: NtUnloadDriver error 2

18:12:08:828 0804 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2

18:12:10:421 0804 Initialize success

18:12:10:421 0804

18:12:10:421 0804 Scanning Services ...

18:12:10:421 0804 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system

18:12:10:421 0804 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

18:12:10:421 0804 wfopen_ex: Trying to KLMD file open

18:12:10:421 0804 wfopen_ex: File opened ok (Flags 2)

18:12:10:421 0804 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software

18:12:10:421 0804 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

18:12:10:421 0804 wfopen_ex: Trying to KLMD file open

18:12:10:421 0804 wfopen_ex: File opened ok (Flags 2)

18:12:11:296 0804 GetAdvancedServicesInfo: Raw services enum returned 378 services

18:12:11:312 0804 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system

18:12:11:312 0804 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software

18:12:11:312 0804

18:12:11:312 0804 Scanning Kernel memory ...

18:12:11:312 0804 Devices to scan: 4

18:12:11:312 0804

18:12:11:312 0804 Driver Name: Disk

18:12:11:312 0804 IRP_MJ_CREATE : F8678BB0

18:12:11:312 0804 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

18:12:11:312 0804 IRP_MJ_CLOSE : F8678BB0

18:12:11:312 0804 IRP_MJ_READ : F8672D1F

18:12:11:312 0804 IRP_MJ_WRITE : F8672D1F

18:12:11:312 0804 IRP_MJ_QUERY_INFORMATION : 804F355A

18:12:11:312 0804 IRP_MJ_SET_INFORMATION : 804F355A

18:12:11:312 0804 IRP_MJ_QUERY_EA : 804F355A

18:12:11:312 0804 IRP_MJ_SET_EA : 804F355A

18:12:11:312 0804 IRP_MJ_FLUSH_BUFFERS : F86732E2

18:12:11:312 0804 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

18:12:11:312 0804 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

18:12:11:312 0804 IRP_MJ_DIRECTORY_CONTROL : 804F355A

18:12:11:312 0804 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

18:12:11:312 0804 IRP_MJ_DEVICE_CONTROL : F86733BB

18:12:11:312 0804 IRP_MJ_INTERNAL_DEVICE_CONTROL : F8676F28

18:12:11:312 0804 IRP_MJ_SHUTDOWN : F86732E2

18:12:11:312 0804 IRP_MJ_LOCK_CONTROL : 804F355A

18:12:11:312 0804 IRP_MJ_CLEANUP : 804F355A

18:12:11:312 0804 IRP_MJ_CREATE_MAILSLOT : 804F355A

18:12:11:312 0804 IRP_MJ_QUERY_SECURITY : 804F355A

18:12:11:312 0804 IRP_MJ_SET_SECURITY : 804F355A

18:12:11:312 0804 IRP_MJ_POWER : F8674C82

18:12:11:312 0804 IRP_MJ_SYSTEM_CONTROL : F867999E

18:12:11:312 0804 IRP_MJ_DEVICE_CHANGE : 804F355A

18:12:11:312 0804 IRP_MJ_QUERY_QUOTA : 804F355A

18:12:11:312 0804 IRP_MJ_SET_QUOTA : 804F355A

18:12:11:375 0804 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code

18:12:11:375 0804 sion

18:12:11:421 0804 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean

18:12:11:421 0804

18:12:11:421 0804 Driver Name: Disk

18:12:11:421 0804 IRP_MJ_CREATE : F8678BB0

18:12:11:421 0804 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

18:12:11:421 0804 IRP_MJ_CLOSE : F8678BB0

18:12:11:421 0804 IRP_MJ_READ : F8672D1F

18:12:11:437 0804 IRP_MJ_WRITE : F8672D1F

18:12:11:437 0804 IRP_MJ_QUERY_INFORMATION : 804F355A

18:12:11:437 0804 IRP_MJ_SET_INFORMATION : 804F355A

18:12:11:437 0804 IRP_MJ_QUERY_EA : 804F355A

18:12:11:437 0804 IRP_MJ_SET_EA : 804F355A

18:12:11:437 0804 IRP_MJ_FLUSH_BUFFERS : F86732E2

18:12:11:437 0804 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

18:12:11:437 0804 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

18:12:11:437 0804 IRP_MJ_DIRECTORY_CONTROL : 804F355A

18:12:11:437 0804 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

18:12:11:437 0804 IRP_MJ_DEVICE_CONTROL : F86733BB

18:12:11:437 0804 IRP_MJ_INTERNAL_DEVICE_CONTROL : F8676F28

18:12:11:437 0804 IRP_MJ_SHUTDOWN : F86732E2

18:12:11:437 0804 IRP_MJ_LOCK_CONTROL : 804F355A

18:12:11:437 0804 IRP_MJ_CLEANUP : 804F355A

18:12:11:437 0804 IRP_MJ_CREATE_MAILSLOT : 804F355A

18:12:11:437 0804 IRP_MJ_QUERY_SECURITY : 804F355A

18:12:11:437 0804 IRP_MJ_SET_SECURITY : 804F355A

18:12:11:437 0804 IRP_MJ_POWER : F8674C82

18:12:11:437 0804 IRP_MJ_SYSTEM_CONTROL : F867999E

18:12:11:437 0804 IRP_MJ_DEVICE_CHANGE : 804F355A

18:12:11:437 0804 IRP_MJ_QUERY_QUOTA : 804F355A

18:12:11:437 0804 IRP_MJ_SET_QUOTA : 804F355A

18:12:11:453 0804 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code

18:12:11:453 0804 sion

18:12:11:468 0804 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean

18:12:11:468 0804

18:12:11:468 0804 Driver Name: Disk

18:12:11:468 0804 IRP_MJ_CREATE : F8678BB0

18:12:11:468 0804 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

18:12:11:468 0804 IRP_MJ_CLOSE : F8678BB0

18:12:11:468 0804 IRP_MJ_READ : F8672D1F

18:12:11:468 0804 IRP_MJ_WRITE : F8672D1F

18:12:11:468 0804 IRP_MJ_QUERY_INFORMATION : 804F355A

18:12:11:468 0804 IRP_MJ_SET_INFORMATION : 804F355A

18:12:11:468 0804 IRP_MJ_QUERY_EA : 804F355A

18:12:11:468 0804 IRP_MJ_SET_EA : 804F355A

18:12:11:468 0804 IRP_MJ_FLUSH_BUFFERS : F86732E2

18:12:11:468 0804 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

18:12:11:468 0804 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

18:12:11:468 0804 IRP_MJ_DIRECTORY_CONTROL : 804F355A

18:12:11:468 0804 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

18:12:11:468 0804 IRP_MJ_DEVICE_CONTROL : F86733BB

18:12:11:468 0804 IRP_MJ_INTERNAL_DEVICE_CONTROL : F8676F28

18:12:11:468 0804 IRP_MJ_SHUTDOWN : F86732E2

18:12:11:468 0804 IRP_MJ_LOCK_CONTROL : 804F355A

18:12:11:468 0804 IRP_MJ_CLEANUP : 804F355A

18:12:11:468 0804 IRP_MJ_CREATE_MAILSLOT : 804F355A

18:12:11:468 0804 IRP_MJ_QUERY_SECURITY : 804F355A

18:12:11:468 0804 IRP_MJ_SET_SECURITY : 804F355A

18:12:11:468 0804 IRP_MJ_POWER : F8674C82

18:12:11:468 0804 IRP_MJ_SYSTEM_CONTROL : F867999E

18:12:11:468 0804 IRP_MJ_DEVICE_CHANGE : 804F355A

18:12:11:468 0804 IRP_MJ_QUERY_QUOTA : 804F355A

18:12:11:468 0804 IRP_MJ_SET_QUOTA : 804F355A

18:12:11:500 0804 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code

18:12:11:500 0804 sion

18:12:11:562 0804 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean

18:12:11:562 0804

18:12:11:562 0804 Driver Name: atapi

18:12:11:562 0804 IRP_MJ_CREATE : 82E07008

18:12:11:562 0804 IRP_MJ_CREATE_NAMED_PIPE : 82E07008

18:12:11:562 0804 IRP_MJ_CLOSE : 82E07008

18:12:11:562 0804 IRP_MJ_READ : 82E07008

18:12:11:562 0804 IRP_MJ_WRITE : 82E07008

18:12:11:562 0804 IRP_MJ_QUERY_INFORMATION : 82E07008

18:12:11:562 0804 IRP_MJ_SET_INFORMATION : 82E07008

18:12:11:562 0804 IRP_MJ_QUERY_EA : 82E07008

18:12:11:562 0804 IRP_MJ_SET_EA : 82E07008

18:12:11:562 0804 IRP_MJ_FLUSH_BUFFERS : 82E07008

18:12:11:562 0804 IRP_MJ_QUERY_VOLUME_INFORMATION : 82E07008

18:12:11:562 0804 IRP_MJ_SET_VOLUME_INFORMATION : 82E07008

18:12:11:562 0804 IRP_MJ_DIRECTORY_CONTROL : 82E07008

18:12:11:562 0804 IRP_MJ_FILE_SYSTEM_CONTROL : 82E07008

18:12:11:562 0804 IRP_MJ_DEVICE_CONTROL : 82E07008

18:12:11:562 0804 IRP_MJ_INTERNAL_DEVICE_CONTROL : 82E07008

18:12:11:562 0804 IRP_MJ_SHUTDOWN : 82E07008

18:12:11:562 0804 IRP_MJ_LOCK_CONTROL : 82E07008

18:12:11:562 0804 IRP_MJ_CLEANUP : 82E07008

18:12:11:562 0804 IRP_MJ_CREATE_MAILSLOT : 82E07008

18:12:11:562 0804 IRP_MJ_QUERY_SECURITY : 82E07008

18:12:11:562 0804 IRP_MJ_SET_SECURITY : 82E07008

18:12:11:562 0804 IRP_MJ_POWER : 82E07008

18:12:11:562 0804 IRP_MJ_SYSTEM_CONTROL : 82E07008

18:12:11:562 0804 IRP_MJ_DEVICE_CHANGE : 82E07008

18:12:11:562 0804 IRP_MJ_QUERY_QUOTA : 82E07008

18:12:11:562 0804 IRP_MJ_SET_QUOTA : 82E07008

18:12:11:625 0804 ihd: 0, 0, 0, 0, 0, 0, 0

18:12:11:625 0804 siohd: 0

18:12:11:718 0804 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean

18:12:11:718 0804

18:12:11:718 0804 Completed

18:12:11:718 0804

18:12:11:718 0804 Results:

18:12:11:718 0804 Memory objects infected / cured / cured on reboot: 0 / 0 / 0

18:12:11:718 0804 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

18:12:11:718 0804 File objects infected / cured / cured on reboot: 0 / 0 / 0

18:12:11:718 0804

18:12:11:718 0804 KLMD(ARK) unloaded successfully

 

ComboFix again:

 

ComboFix 10-02-27.04 - Roberto 03/01/2010 18:25:21.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.59 [GMT -6:00]

Running from: c:\documents and settings\Roberto\Desktop\ComboFix.exe

AV: avast! antivirus 4.8.1368 [VPS 100301-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\Roberto\Cookies\roberto@www.managerzone[1].txt

 

.

((((((((((((((((((((((((( Files Created from 2010-02-02 to 2010-03-02 )))))))))))))))))))))))))))))))

.

 

2010-03-02 02:44 . 2004-08-04 16:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-03-02 02:44 . 2004-08-04 16:59 95360 ----a-w- c:\windows\system32\dllcache\atapi.sys

2010-03-01 20:44 . 2004-08-04 04:59 95360 ----a-w- C:\atapi.sys

2010-03-01 04:19 . 2010-03-01 04:19 691696 ----a-w- c:\windows\system32\drivers\sptd.sys

2010-03-01 04:16 . 2010-03-01 04:16 -------- d-----w- c:\program files\LSoft Technologies

2010-02-27 02:04 . 2010-02-27 00:29 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-02-27 00:29 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-02-27 00:29 . 2010-02-27 00:29 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-02-27 00:29 . 2010-02-27 00:29 95024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys

2010-02-27 00:29 . 2010-02-27 00:29 598368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScanner.dll

2010-02-27 00:29 . 2010-02-27 00:29 884176 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe

2010-02-27 00:29 . 2010-02-27 00:29 566608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll

2010-02-27 00:29 . 2010-02-27 00:29 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe

2010-02-27 00:29 . 2010-02-27 00:29 211064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll

2010-02-27 00:28 . 2010-02-27 00:29 393896 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll

2010-02-27 00:28 . 2010-02-27 00:28 562272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll

2010-02-27 00:28 . 2010-02-27 00:28 221408 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\VipreBridge.dll

2010-02-27 00:28 . 2010-02-27 00:28 390320 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll

2010-02-27 00:28 . 2010-02-27 00:28 167312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll

2010-02-27 00:28 . 2010-02-27 00:28 1230160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll

2010-02-27 00:28 . 2010-02-27 00:28 247120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll

2010-02-27 00:28 . 2010-02-27 00:28 6330848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll

2010-02-27 00:28 . 2010-02-27 00:28 329048 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll

2010-02-27 00:28 . 2010-02-27 00:28 94712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll

2010-02-27 00:27 . 2010-02-27 00:27 17480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll

2010-02-27 00:26 . 2010-02-27 00:27 961984 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll

2010-02-27 00:26 . 2010-02-27 00:26 835312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe

2010-02-27 00:26 . 2010-02-27 00:26 842992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe

2010-02-27 00:26 . 2010-02-27 00:26 1593320 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe

2010-02-27 00:26 . 2010-02-27 00:26 815184 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe

2010-02-27 00:26 . 2010-02-27 00:26 1229232 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe

2010-02-27 00:18 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe

2010-02-27 00:17 . 2010-02-27 00:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-02-27 00:17 . 2010-02-27 00:18 -------- d-----w- c:\program files\Lavasoft

2010-02-25 21:06 . 2010-02-27 00:18 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-02-23 09:15 . 2010-02-23 09:15 97566 ----a-r- c:\documents and settings\Roberto\Application Data\Microsoft\Installer\{98F47999-C399-41E0-A8A4-C0C46D1E5C4F}\_CB9EC3D949D245AC45EE5F.exe

2010-02-23 09:15 . 2010-02-23 09:15 97566 ----a-r- c:\documents and settings\Roberto\Application Data\Microsoft\Installer\{98F47999-C399-41E0-A8A4-C0C46D1E5C4F}\_ADCC0245AB514F82C70111.exe

2010-02-23 09:15 . 2010-02-23 09:15 97566 ----a-r- c:\documents and settings\Roberto\Application Data\Microsoft\Installer\{98F47999-C399-41E0-A8A4-C0C46D1E5C4F}\_A2D67359417624AC6EBD88.exe

2010-02-23 09:15 . 2010-02-23 09:15 97566 ----a-r- c:\documents and settings\Roberto\Application Data\Microsoft\Installer\{98F47999-C399-41E0-A8A4-C0C46D1E5C4F}\_2A1480F42144C9B0CDCD96.exe

2010-02-23 09:15 . 2010-02-23 09:15 90126 ----a-r- c:\documents and settings\Roberto\Application Data\Microsoft\Installer\{98F47999-C399-41E0-A8A4-C0C46D1E5C4F}\_C58055F5B9FCFBAEE28F84.exe

2010-02-23 09:15 . 2010-02-23 09:15 90126 ----a-r- c:\documents and settings\Roberto\Application Data\Microsoft\Installer\{98F47999-C399-41E0-A8A4-C0C46D1E5C4F}\_ABC39E04A61B87E7546C51.exe

2010-02-22 04:43 . 2010-02-22 04:43 -------- d-----w- c:\documents and settings\Roberto\Local Settings\Application Data\Threat Expert

2010-02-22 04:02 . 2010-02-22 04:02 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-02-22 03:57 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys

2010-02-22 03:56 . 2010-02-22 03:56 -------- d-----w- c:\program files\Panda Security

2010-02-22 03:55 . 2010-02-28 08:17 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-02-22 01:21 . 2010-01-21 23:21 767952 ----a-w- c:\windows\BDTSupport.dll

2010-02-22 01:21 . 2010-01-21 23:21 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-02-22 01:21 . 2009-10-28 07:36 1152444 ----a-w- c:\windows\UDB.zip

2010-02-22 01:21 . 2008-11-26 18:08 131 ----a-w- c:\windows\IDB.zip

2010-02-22 01:21 . 2010-01-21 23:21 165840 ----a-w- c:\windows\PCTBDRes.dll

2010-02-22 01:21 . 2010-01-21 23:21 1652688 ----a-w- c:\windows\PCTBDCore.dll

2010-02-22 00:33 . 2009-10-30 17:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2010-02-22 00:32 . 2009-11-09 17:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2010-02-22 00:32 . 2009-10-06 22:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2010-02-22 00:32 . 2009-09-03 15:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2010-02-22 00:32 . 2010-02-22 01:22 -------- d-----w- c:\program files\Common Files\PC Tools

2010-02-22 00:32 . 2010-03-02 00:49 -------- d-----w- c:\program files\Spyware Doctor

2010-02-22 00:32 . 2010-02-22 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2010-02-22 00:31 . 2010-03-02 00:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-02-21 05:27 . 2010-02-21 05:27 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-01 06:40 . 2009-12-09 08:00 -------- d-----w- c:\program files\MzMgr by isvicare

2010-03-01 04:16 . 2005-03-02 10:08 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-02-28 01:39 . 2009-08-22 11:32 -------- d-----w- c:\documents and settings\Roberto\Application Data\Skype

2010-02-27 22:03 . 2009-08-22 11:32 -------- d-----w- c:\documents and settings\Roberto\Application Data\skypePM

2010-02-22 04:03 . 2009-09-13 16:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-14 18:32 . 2009-06-22 07:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-02-09 15:14 . 2009-09-10 22:34 -------- d-----w- c:\program files\Google

2010-01-11 16:29 . 2009-08-14 21:22 -------- d-----w- c:\program files\Verizon

2010-01-07 22:07 . 2009-09-13 16:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 22:07 . 2009-09-13 16:47 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-05 10:00 . 2004-08-04 11:00 832512 ------w- c:\windows\system32\wininet.dll

2010-01-05 10:00 . 2004-08-04 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-01-05 10:00 . 2004-08-04 11:00 17408 ----a-w- c:\windows\system32\corpol.dll

2009-12-31 16:50 . 2004-08-04 11:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-16 18:43 . 2004-08-04 11:00 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08 . 2004-08-04 11:00 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-14 05:15 . 2009-09-03 17:47 44528 ----a-w- c:\documents and settings\Roberto\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-12-09 08:00 . 2009-12-09 08:00 97566 ----a-r- c:\documents and settings\Roberto\Application Data\Microsoft\Installer\{5E6824FE-8D90-4615-9951-954742F5D271}\_B0F329289034CF18314991.exe

2009-12-09 08:00 . 2009-12-09 08:00 97566 ----a-r- c:\documents and settings\Roberto\Application Data\Microsoft\Installer\{5E6824FE-8D90-4615-9951-954742F5D271}\_AD81B46F0224BA629C03A6.exe

2009-12-09 08:00 . 2009-12-09 08:00 97566 ----a-r- c:\documents and settings\Roberto\Application Data\Microsoft\Installer\{5E6824FE-8D90-4615-9951-954742F5D271}\_5DF0FAA50B6B44F41C9DB8.exe

2009-12-09 08:00 . 2009-12-09 08:00 97566 ----a-r- c:\documents and settings\Roberto\Application Data\Microsoft\Installer\{5E6824FE-8D90-4615-9951-954742F5D271}\_29C311F1D9CC627B06A874.exe

2009-12-09 08:00 . 2009-12-09 08:00 90126 ----a-r- c:\documents and settings\Roberto\Application Data\Microsoft\Installer\{5E6824FE-8D90-4615-9951-954742F5D271}\_D44AD008BB11FEA28B7BD5.exe

2009-12-09 08:00 . 2009-12-09 08:00 90126 ----a-r- c:\documents and settings\Roberto\Application Data\Microsoft\Installer\{5E6824FE-8D90-4615-9951-954742F5D271}\_0D5181FA7C5D5A1319F6D9.exe

2009-12-08 19:27 . 2004-08-04 11:00 2189184 ------w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43 . 2004-08-04 11:00 2066048 ------w- c:\windows\system32\ntkrnlpa.exe

2009-12-04 18:22 . 2004-08-04 11:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2009-09-13 16:35 . 2009-09-13 16:35 12556 ----a-w- c:\program files\Common Files\akik.bin

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

 

------- Sigcheck -------

 

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys

[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\DLLCACHE\atapi.sys

[-] 2004-08-04 16:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\SYSTEM32\DRIVERS\atapi.sys

[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys

[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-10 68856]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-08 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126976]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2004-11-10 598016]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-03-13 81920]

"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2009-03-10 1553920]

"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2009-03-12 2303216]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-16 149280]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-11-18 1243088]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-3-2 24576]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\LunaImaging\\jres\\Sun\\1.4.2_05\\bin\\javaw.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

 

R0 d346bus;d346bus;c:\windows\SYSTEM32\DRIVERS\d346bus.sys [6/22/2009 12:47 AM 156800]

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [2/26/2010 6:29 PM 64288]

R0 pavboot;pavboot;c:\windows\SYSTEM32\DRIVERS\pavboot.sys [2/21/2010 9:57 PM 28552]

R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [2/21/2010 6:32 PM 207792]

R1 aswSP;avast! Self Protection;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [6/22/2009 6:07 AM 114768]

R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [6/22/2009 6:07 AM 20560]

R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2/21/2010 7:21 PM 112592]

R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2/21/2010 6:32 PM 359624]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/16/2009 5:50 PM 133104]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1229232]

S4 d346prt;d346prt;c:\windows\SYSTEM32\DRIVERS\d346prt.sys [6/22/2009 12:47 AM 5248]

S4 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [2/28/2010 10:19 PM 691696]

 

--- Other Services/Drivers In Memory ---

 

*Deregistered* - PCTSDInjDriver32

.

Contents of the 'Scheduled Tasks' folder

 

2010-03-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 00:26]

 

2010-02-24 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

 

2010-03-02 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-10 23:46]

 

2010-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-16 23:50]

 

2010-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-16 23:50]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = *.local

IE: E&xportera till Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

FF - ProfilePath - c:\documents and settings\Roberto\Application Data\Mozilla\Firefox\Profiles\gsl31wgh.default\

FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-01 18:57

Windows 5.1.2600 Service Pack 3 NTFS

 

detected NTDLL code modification:

ZwClose

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

 

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys >>UNKNOWN [0x82A5F248]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf8676f28

\Driver\ACPI -> ACPI.sys @ 0xf8462cb8

\Driver\atapi -> 0x82a5f248

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022

NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xf825fbb0

PacketIndicateHandler -> NDIS.sys @ 0xf824ea0d

SendHandler -> NDIS.sys @ 0xf8262b40

Warning: possible MBR rootkit infection !

user & kernel MBR OK

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(688)

c:\windows\System32\BCMLogon.dll

 

- - - - - - - > 'explorer.exe'(2136)

c:\windows\system32\WININET.dll

c:\program files\Spyware Doctor\pctgmhk.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\WLTRYSVC.EXE

c:\windows\System32\bcmwltry.exe

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\program files\Alwil Software\Avast4\ashServ.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

c:\program files\Spyware Doctor\pctsSvc.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\wbem\unsecapp.exe

c:\program files\Alwil Software\Avast4\ashWebSv.exe

c:\program files\Apoint\Apntex.exe

c:\windows\system32\WLTRAY.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2010-03-01 19:04:08 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-02 01:04

ComboFix2.txt 2010-03-01 22:59

ComboFix3.txt 2010-02-28 22:18

 

Pre-Run: 35,609,804,800 bytes free

Post-Run: 35,599,888,384 bytes free

 

- - End Of File - - 1A04E67546B62BC3F75D68CBA6C6CC6C

 

 

 


Make sure to be very careful to shut down as much as you possibly can before you run the programs below. Go through the icons next to the clock and turn them off.

 

1. Save this file to the Desktop:

http://rootrepeal.googlepages.com/RootRepeal.zip

Unpack (extract) the zip file so that you get a program file.

 

2. Save Gmer to the Desktop from:

http://www2.gmer.net/download.php

Unpack the file to the Desktop.

 

3. Unplug the internet connection. Close all programs you see, including firewall, antivirus and anti-spyware programs.

 

4. Start RootRepeal (in Vista and Windows 7 as usual by right-clicking the icon and choosing Run as administrator).

Select the Report tab and click Scan.

Tick all seven options and then click Yes.

Select C: and click Ok.

It takes a while for RootRepeal to scan C:.

When the scan is finished, click Save Report and save it under the name rootrepeal.log.

 

5. Start the program gmer.exe.

If a question about "scan" comes up, choose No. Save the log and paste it into your reply. Do nothing more.

 

If the question does not come up, select the Rootkit/Malware tab, check that everything on the right is ticked except Show All and partitions other than C:. Click Scan. Leave the computer alone while Gmer is running.

Click Save and save the result to the Desktop.

 

6. Turn the antivirus program and firewall back on before you connect to the internet.

Paste the contents of rootrepeal.log into your reply.

Paste the result from Gmer into your reply.


RootRepeal worked fine, but when I ran Gmer the program opened and started scanning right away (everything that was supposed to be ticked was ticked by default, though) and after a couple of seconds I get an error message saying that the program has encountered a problem and must close. After that the computer locks up and I have to restart.

 

On the restart, however, the computer was not as sluggish as usual, and for the first time I did not need to use rkill at startup.

 

Anyway...

 

The log from RootRepeal:

 

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2010/03/02 14:20

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

 

Drivers

-------------------

Name:

Image Path:

Address: 0xF83BE000 Size: 98304 File Visible: No Signed: -

Status: -

 

Name:

Image Path:

Address: 0x00000000 Size: 0 File Visible: No Signed: -

Status: -

 

Name: catchme.sys

Image Path: C:\ComboFix\catchme.sys

Address: 0xF8952000 Size: 31744 File Visible: No Signed: -

Status: -

 

Name: Combo-Fix.sys

Image Path: Combo-Fix.sys

Address: 0xF8692000 Size: 60416 File Visible: No Signed: -

Status: -

 

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xAA4B0000 Size: 98304 File Visible: No Signed: -

Status: -

 

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF8B22000 Size: 8192 File Visible: No Signed: -

Status: -

 

Name: PROCEXP113.SYS

Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS

Address: 0xF8B02000 Size: 7872 File Visible: No Signed: -

Status: -

 

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xA8FCE000 Size: 49152 File Visible: No Signed: -

Status: -

 

Hidden/Locked Files

-------------------

Path: C:\hiberfil.sys

Status: Locked to the Windows API!

 

SSDT

-------------------

#: 025 Function Name: NtClose

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaa4f86b8

 

#: 041 Function Name: NtCreateKey

Status: Hooked by "PCTCore.sys" at address 0xf8358e52

 

#: 045 Function Name: NtCreatePagingFile

Status: Hooked by "d346bus.sys" at address 0xf848ba20

 

#: 047 Function Name: NtCreateProcess

Status: Hooked by "PCTCore.sys" at address 0xf8339cde

 

#: 048 Function Name: NtCreateProcessEx

Status: Hooked by "PCTCore.sys" at address 0xf8339ed0

 

#: 063 Function Name: NtDeleteKey

Status: Hooked by "PCTCore.sys" at address 0xf8359640

 

#: 065 Function Name: NtDeleteValueKey

Status: Hooked by "PCTCore.sys" at address 0xf83598f4

 

#: 068 Function Name: NtDuplicateObject

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaa4f814c

 

#: 071 Function Name: NtEnumerateKey

Status: Hooked by "d346bus.sys" at address 0xf848c4fc

 

#: 073 Function Name: NtEnumerateValueKey

Status: Hooked by "d346bus.sys" at address 0xf8497e00

 

#: 116 Function Name: NtOpenFile

Status: Hooked by "d346bus.sys" at address 0xf848ba60

 

#: 119 Function Name: NtOpenKey

Status: Hooked by "PCTCore.sys" at address 0xf8357b44

 

#: 122 Function Name: NtOpenProcess

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaa4f808c

 

#: 128 Function Name: NtOpenThread

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaa4f80f0

 

#: 160 Function Name: NtQueryKey

Status: Hooked by "d346bus.sys" at address 0xf848c51c

 

#: 177 Function Name: NtQueryValueKey

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaa4f876e

 

#: 192 Function Name: NtRenameKey

Status: Hooked by "PCTCore.sys" at address 0xf8359d60

 

#: 204 Function Name: NtRestoreKey

Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaa4f872e

 

#: 241 Function Name: NtSetSystemPowerState

Status: Hooked by "d346bus.sys" at address 0xf8497230

 

#: 247 Function Name: NtSetValueKey

Status: Hooked by "PCTCore.sys" at address 0xf8359112

 

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "PCTCore.sys" at address 0xf8339984

 

Stealth Objects

-------------------

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]

Process: System Address: 0x82a5f248 Size: 99

 

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_NAMED_PIPE]

Process: System Address: 0x82a5f248 Size: 99

 

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]

Process: System Address: 0x82a5f248 Size: 99

 

Object: Hidden Code [Driver: atapi, IRP_MJ_READ]

Process: System Address: 0x82a5f248 Size: 99

 

Object: Hidden Code [Driver: atapi, IRP_MJ_WRITE]

Process: System Address: 0x82a5f248 Size: 99

 

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x82a5f248 Size: 99

 

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x82a5f248 Size: 99

 

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_EA]

Process: System Address: 0x82a5f248 Size: 99

 

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_EA]

Process: System Address: 0x82a5f248 Size: 99

 

Object: Hidden Code [Driver: atapi, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x82a5f248 Size: 99

 

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x82a5f248 Size: 99

 

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x82a5f248 Size: 99

 

Object: Hidden Code [Driver: atapi, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x82a5f248 Size: 99

 

Object: Hidden Code [Driver: atapi, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x82a5f248 Size: 99

 

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x82a5f248 Size: 99

 

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x82a5f248 Size: 99

 

Object: Hidden Code [Driver: atapi, IRP_MJ_SHUTDOWN]

Process: System Address: 0x82a5f248 Size: 99

 

Object: Hidden Code [Driver: atapi, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x82a5f248 Size: 99

 

Object: Hidden Code [Driver: atapi, IRP_MJ_CLEANUP]

Process: System Address: 0x82a5f248 Size: 99

 

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_MAILSLOT]

Process: System Address: 0x82a5f248 Size: 99

 

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_SECURITY]

Process: System Address: 0x82a5f248 Size: 99

 

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_SECURITY]

Process: System Address: 0x82a5f248 Size: 99

 

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]

Process: System Address: 0x82a5f248 Size: 99

 

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x82a5f248 Size: 99

 

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CHANGE]

Process: System Address: 0x82a5f248 Size: 99

 

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_QUOTA]

Process: System Address: 0x82a5f248 Size: 99

 

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_QUOTA]

Process: System Address: 0x82a5f248 Size: 99

 

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]

Process: System Address: 0x82a5f248 Size: 99

 

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]

Process: System Address: 0x82975e28 Size: 99

 

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_NAMED_PIPE]

Process: System Address: 0x82975e28 Size: 99

 

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]

Process: System Address: 0x82975e28 Size: 99

 

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]

Process: System Address: 0x82975e28 Size: 99

 

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]

Process: System Address: 0x82975e28 Size: 99

 

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x82975e28 Size: 99

 

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x82975e28 Size: 99

 

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_EA]

Process: System Address: 0x82975e28 Size: 99

 

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_EA]

Process: System Address: 0x82975e28 Size: 99

 

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x82975e28 Size: 99

 

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x82975e28 Size: 99

 

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x82975e28 Size: 99

 

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x82975e28 Size: 99

 

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x82975e28 Size: 99

 

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x82975e28 Size: 99

 

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x82975e28 Size: 99

 

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]

Process: System Address: 0x82975e28 Size: 99

 

Object: Hidden Code [Driver: Cdrom, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x82975e28 Size: 99

 

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLEANUP]

Process: System Address: 0x82975e28 Size: 99

 

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_MAILSLOT]

Process: System Address: 0x82975e28 Size: 99

 

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_SECURITY]

Process: System Address: 0x82975e28 Size: 99

 

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_SECURITY]

Process: System Address: 0x82975e28 Size: 99

 

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]

Process: System Address: 0x82975e28 Size: 99

 

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x82975e28 Size: 99

 

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CHANGE]

Process: System Address: 0x82975e28 Size: 99

 

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_QUOTA]

Process: System Address: 0x82975e28 Size: 99

 

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_QUOTA]

Process: System Address: 0x82975e28 Size: 99

 

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]

Process: System Address: 0x82975e28 Size: 99

 

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]

Process: System Address: 0x82b72d08 Size: 11

 

Object: Hidden Code [Driver: Srv, IRP_MJ_READ]

Process: System Address: 0x82ba8168 Size: 11

 

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]

Process: System Address: 0x82a5e160 Size: 11

 

Object: Hidden Code [Driver: NpfsЅఊ祓纀, IRP_MJ_READ]

Process: System Address: 0x82a031e8 Size: 11

 

Object: Hidden Code [Driver: MsfsЅఐ卆浩, IRP_MJ_READ]

Process: System Address: 0x82b715c8 Size: 11

 

Object: Hidden Code [Driver: tfsndrctІ瑎獆칸㪸, IRP_MJ_READ]

Process: System Address: 0x82d1cc50 Size: 11

 

Object: Hidden Code [Driver: syst, IRP_MJ_READ]

Process: System Address: 0x82d30030 Size: 11

 

Object: Hidden Code [Driver: Fs_Rec, IRP_MJ_READ]

Process: System Address: 0x82b77030 Size: 11

 

Object: Hidden Code [Driver: syst, IRP_MJ_READ]

Process: System Address: 0x82d06428 Size: 11

 

Object: Hidden Code [Driver: tfsnudf, IRP_MJ_READ]

Process: System Address: 0x82d1a920 Size: 11

 

Object: Hidden Code [Driver: SYS, IRP_MJ_READ]

Process: System Address: 0x82c60488 Size: 11

 

Object: Hidden Code [Driver: syst, IRP_MJ_READ]

Process: System Address: 0x82d2f030 Size: 11

 

==EOF==

 

 


It is strange that the computer was affected by running the programs, because they are not supposed to do anything except read information.

 

On the page http://www.virustotal.com, click the Browse button and paste one of the following file names into the box, click Send File and wait until the result is ready (Current status becomes finished). Paste the result from the various antivirus programs (not Additional information) or a link to the result here. Repeat with the next file name.

C:\WINDOWS\System32\Drivers\syst.sys

C:\WINDOWS\System32\Drivers\dump_atapi.sys

C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

 

Update and scan with MBAM.

Delete the ComboFix you have and download a new one before you run the program.

 

Download and run this program:

http://www2.gmer.net/mbr/mbr.exe

Paste the contents of mbr.log, which is created in the same folder as mbr.exe (e.g. on the Desktop if mbr.exe is on the Desktop).

 

Note! Unplug the internet connection and disable/turn off antivirus and other security programs before you run mbr.exe.
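
An added example (not from this thread) of the check the helper is asking for: the ComboFix "Sigcheck" block in the log posted further down lists every copy of atapi.sys that Windows keeps together with its MD5, and the live copy in SYSTEM32\DRIVERS could not be hashed while all the backup copies agreed. The Python below parses lines in that layout and flags copies that are unreadable or that disagree with the other copies of the same file version; SAMPLE_SIGCHECK is copied from that log, the functions are my own and not part of ComboFix.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the Sigcheck lines for atapi.sys, copied from the ComboFix log
# posted later in this thread (the line layout is ComboFix's own).
SAMPLE_SIGCHECK = r"""
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\DLLCACHE\atapi.sys
[-] 2004-08-04 22:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\SYSTEM32\DRIVERS\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
"""

# One Sigcheck line: [flag] date . md5-or-error . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2})?)\s+\.\s+"
    r"(?P<hash>.+?)\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+"
    r"(?P<path>\S.*?)\s*$"
)
MD5_RE = re.compile(r"[0-9A-Fa-f]{32}")


@dataclass
class SigcheckEntry:
    path: str
    md5: Optional[str]      # None when ComboFix could not hash the file
    size: int
    version: Optional[str]  # None when ComboFix printed [------]


def parse_sigcheck(text: str) -> List[SigcheckEntry]:
    """Parse every Sigcheck line in `text`; lines in another layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        raw_hash = m.group("hash").strip()
        version = m.group("version")
        entries.append(SigcheckEntry(
            path=m.group("path"),
            md5=raw_hash.upper() if MD5_RE.fullmatch(raw_hash) else None,
            size=int(m.group("size")),
            version=None if set(version) <= {"-"} else version,
        ))
    return entries


def audit_copies(entries: List[SigcheckEntry]) -> Dict[str, str]:
    """Classify each copy of one driver against the other copies that carry
    the same file version:
      unreadable  - no hash at all (file locked or hidden from the scanner)
      ok          - hash agrees with the majority of that version's copies
      mismatch    - hash disagrees with other copies of the same version
      unverified  - the only copy of its version, nothing to cross-check
    """
    by_version: Dict[Optional[str], Counter] = {}
    for e in entries:
        if e.md5 is not None:
            by_version.setdefault(e.version, Counter())[e.md5] += 1

    status = {}
    for e in entries:
        if e.md5 is None:
            status[e.path] = "unreadable"
            continue
        counts = by_version[e.version]
        consensus, votes = counts.most_common(1)[0]
        if votes >= 2:
            status[e.path] = "ok" if e.md5 == consensus else "mismatch"
        elif len(counts) > 1:
            status[e.path] = "mismatch"   # several lone copies that all differ
        else:
            status[e.path] = "unverified"
    return status


def suspicious_copies(entries: List[SigcheckEntry]) -> List[str]:
    """Paths worth a second look (VirusTotal, or comparison with a clean system)."""
    flagged = audit_copies(entries)
    return sorted(p for p, s in flagged.items() if s in ("unreadable", "mismatch"))


if __name__ == "__main__":
    parsed = parse_sigcheck(SAMPLE_SIGCHECK)
    for path, state in audit_copies(parsed).items():
        print(f"{state:10s} {path}")
    print("suspicious:", suspicious_copies(parsed))
```

On the sample from this thread only the live SYSTEM32\DRIVERS\atapi.sys is flagged (unreadable), which is the copy the helper wants checked.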


It is strange that the computer was affected by running the programs, because they are not supposed to do anything except read information.

 

On the page http://www.virustotal.com, click the Browse button and paste one of the following file names into the box, click Send File and wait until the result is ready (Current status becomes finished). Paste the result from the various antivirus programs (not Additional information) or a link to the result here. Repeat with the next file name.

C:\WINDOWS\System32\Drivers\syst.sys

C:\WINDOWS\System32\Drivers\dump_atapi.sys

C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

 

I have both tried copying the lines from above and typed them in by hand, but I get "file not found".

 

...looked in Explorer at the paths above and cannot find any of the files there either?

 

I am downloading a new ComboFix and will run MBAM, so the logs for those will come later.


I cannot find any of the 3 files when I search for them...

 

Mbam:

 

Malwarebytes' Anti-Malware 1.44

Database version: 3815

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

 

3/2/2010 7:02:44 PM

mbam-log-2010-03-02 (19-02-43).txt

 

Scan type: Quick Scan

Objects scanned: 144707

Time elapsed: 1 hour(s), 7 minute(s), 0 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

(No malicious items detected)

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

(No malicious items detected)

 

Combofix:

 

ComboFix 10-03-02.02 - Roberto 03/02/2010 19:23:13.4.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.95 [GMT -6:00]

Running from: c:\documents and settings\Roberto\Desktop\ComboFix.exe

AV: avast! antivirus 4.8.1368 [VPS 100302-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\Roberto\Cookies\roberto@www.managerzone[2].txt

 

.

((((((((((((((((((((((((( Files Created from 2010-02-03 to 2010-03-03 )))))))))))))))))))))))))))))))

.

 

2010-03-02 08:44 . 2004-08-04 22:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-03-02 08:44 . 2004-08-04 22:59 95360 ----a-w- c:\windows\system32\dllcache\atapi.sys

2010-03-01 20:44 . 2004-08-04 04:59 95360 ----a-w- C:\atapi.sys

2010-03-01 04:19 . 2010-03-01 04:19 691696 ----a-w- c:\windows\system32\drivers\sptd.sys

2010-03-01 04:16 . 2010-03-01 04:16 -------- d-----w- c:\program files\LSoft Technologies

2010-02-27 02:04 . 2010-02-27 00:29 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-02-27 00:29 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-02-27 00:29 . 2010-02-27 00:29 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-02-27 00:17 . 2010-02-27 00:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-02-27 00:17 . 2010-02-27 00:18 -------- d-----w- c:\program files\Lavasoft

2010-02-25 21:06 . 2010-02-27 00:18 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-02-22 04:43 . 2010-02-22 04:43 -------- d-----w- c:\documents and settings\Roberto\Local Settings\Application Data\Threat Expert

2010-02-22 03:57 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys

2010-02-22 03:56 . 2010-02-22 03:56 -------- d-----w- c:\program files\Panda Security

2010-02-22 03:55 . 2010-02-28 08:17 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-02-22 01:21 . 2010-01-21 23:21 767952 ----a-w- c:\windows\BDTSupport.dll

2010-02-22 01:21 . 2010-01-21 23:21 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-02-22 01:21 . 2009-10-28 07:36 1152444 ----a-w- c:\windows\UDB.zip

2010-02-22 01:21 . 2008-11-26 18:08 131 ----a-w- c:\windows\IDB.zip

2010-02-22 01:21 . 2010-01-21 23:21 165840 ----a-w- c:\windows\PCTBDRes.dll

2010-02-22 01:21 . 2010-01-21 23:21 1652688 ----a-w- c:\windows\PCTBDCore.dll

2010-02-22 00:33 . 2009-10-30 17:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2010-02-22 00:32 . 2009-11-09 17:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2010-02-22 00:32 . 2009-10-06 22:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2010-02-22 00:32 . 2009-09-03 15:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2010-02-22 00:32 . 2010-02-22 01:22 -------- d-----w- c:\program files\Common Files\PC Tools

2010-02-22 00:32 . 2010-03-02 19:58 -------- d-----w- c:\program files\Spyware Doctor

2010-02-22 00:32 . 2010-02-22 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2010-02-22 00:31 . 2010-03-03 01:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-02-21 05:27 . 2010-02-21 05:27 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-02 22:07 . 2009-08-22 11:32 -------- d-----w- c:\documents and settings\Roberto\Application Data\Skype

2010-03-02 22:06 . 2009-08-22 11:32 -------- d-----w- c:\documents and settings\Roberto\Application Data\skypePM

2010-03-02 08:55 . 2005-03-02 10:06 -------- d-----w- c:\program files\Java

2010-03-02 06:49 . 2009-12-09 08:00 -------- d-----w- c:\program files\MzMgr by isvicare

2010-03-01 04:16 . 2005-03-02 10:08 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-02-22 04:03 . 2009-09-13 16:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-14 18:32 . 2009-06-22 07:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-02-09 15:14 . 2009-09-10 22:34 -------- d-----w- c:\program files\Google

2010-01-11 16:29 . 2009-08-14 21:22 -------- d-----w- c:\program files\Verizon

2010-01-07 22:07 . 2009-09-13 16:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 22:07 . 2009-09-13 16:47 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-05 10:00 . 2004-08-04 11:00 832512 ------w- c:\windows\system32\wininet.dll

2010-01-05 10:00 . 2004-08-04 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-01-05 10:00 . 2004-08-04 11:00 17408 ----a-w- c:\windows\system32\corpol.dll

2009-12-31 16:50 . 2004-08-04 11:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-16 18:43 . 2004-08-04 11:00 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08 . 2004-08-04 11:00 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-14 05:15 . 2009-09-03 17:47 44528 ----a-w- c:\documents and settings\Roberto\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-12-08 19:27 . 2004-08-04 11:00 2189184 ------w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43 . 2004-08-04 11:00 2066048 ------w- c:\windows\system32\ntkrnlpa.exe

2009-12-04 18:22 . 2004-08-04 11:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2009-09-13 16:35 . 2009-09-13 16:35 12556 ----a-w- c:\program files\Common Files\akik.bin

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

 

------- Sigcheck -------

 

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys

[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\DLLCACHE\atapi.sys

[-] 2004-08-04 22:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\SYSTEM32\DRIVERS\atapi.sys

[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys

[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-10 68856]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-08 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126976]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2004-11-10 598016]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-03-13 81920]

"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2009-03-10 1553920]

"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2009-03-12 2303216]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-3-2 24576]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\LunaImaging\\jres\\Sun\\1.4.2_05\\bin\\javaw.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

 

R0 d346bus;d346bus;c:\windows\SYSTEM32\DRIVERS\d346bus.sys [6/22/2009 12:47 AM 156800]

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [2/26/2010 6:29 PM 64288]

R0 pavboot;pavboot;c:\windows\SYSTEM32\DRIVERS\pavboot.sys [2/21/2010 9:57 PM 28552]

R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [2/21/2010 6:32 PM 207792]

R1 aswSP;avast! Self Protection;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [6/22/2009 6:07 AM 114768]

R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [6/22/2009 6:07 AM 20560]

R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2/21/2010 7:21 PM 112592]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/16/2009 5:50 PM 133104]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1229232]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2/21/2010 6:32 PM 359624]

S4 d346prt;d346prt;c:\windows\SYSTEM32\DRIVERS\d346prt.sys [6/22/2009 12:47 AM 5248]

S4 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [2/28/2010 10:19 PM 691696]

.

Contents of the 'Scheduled Tasks' folder

 

2010-03-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 00:26]

 

2010-02-24 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

 

2010-03-03 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-10 23:46]

 

2010-03-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-16 23:50]

 

2010-03-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-16 23:50]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = *.local

IE: E&xportera till Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

FF - ProfilePath - c:\documents and settings\Roberto\Application Data\Mozilla\Firefox\Profiles\gsl31wgh.default\

FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-02 19:40

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

 

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys >>UNKNOWN [0x82B89F00]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf8676f28

\Driver\ACPI -> ACPI.sys @ 0xf8462cb8

\Driver\atapi -> 0x82b89f00

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022

NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xf825fbb0

PacketIndicateHandler -> NDIS.sys @ 0xf824ea0d

SendHandler -> NDIS.sys @ 0xf8262b40

Warning: possible MBR rootkit infection !

user & kernel MBR OK

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(684)

c:\windows\System32\BCMLogon.dll

 

- - - - - - - > 'explorer.exe'(1104)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\WLTRYSVC.EXE

c:\windows\System32\bcmwltry.exe

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\program files\Alwil Software\Avast4\ashServ.exe

c:\windows\system32\WLTRAY.exe

c:\program files\Apoint\Apntex.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Alwil Software\Avast4\ashMaiSv.exe

c:\program files\Alwil Software\Avast4\ashWebSv.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2010-03-02 19:50:56 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-03 01:50

ComboFix2.txt 2010-03-02 01:04

ComboFix3.txt 2010-03-01 22:59

ComboFix4.txt 2010-02-28 22:18

 

Pre-Run: 35,404,169,216 bytes free

Post-Run: 35,454,697,472 bytes free

 

- - End Of File - - A4D282D20DA82432E571CEE17611284D

 

MBR:

 

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

 

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

user & kernel MBR OK

 

 

 

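As an added triage example (not part of the original post or of Gmer's own tooling), this Python script reads the "Stealth MBR rootkit" section of the log above and correlates the bare-address hook on \Driver\atapi with the >>UNKNOWN<< called module; the sample text is an excerpt copied from the log, and the function and variable names are my own. It shows why "user & kernel MBR OK" together with the warning is still worth following up: the on-disk MBR reads clean, but a disk driver object is redirected into code that no loaded module accounts for.

```python
import re

# Constructed sample: an excerpt of the Gmer MBR detector output from the log above.
MBR_REPORT = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys >>UNKNOWN [0x82B89F00]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8676f28
\Driver\ACPI -> ACPI.sys @ 0xf8462cb8
\Driver\atapi -> 0x82b89f00
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
Warning: possible MBR rootkit infection !
user & kernel MBR OK
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
HOOK_RE = re.compile(r"^(\\\S+) -> (.+)$")        # e.g. \Driver\atapi -> 0x82b89f00
ADDR_ONLY_RE = re.compile(r"^0x[0-9a-fA-F]+$")   # target is a raw address, no module name


def triage_mbr_report(text):
    """Summarise a Gmer MBR detector report (hypothetical helper, my own name).

    Returns the UNKNOWN called-module addresses, every hook whose target is a
    bare address instead of a named module, the subset of those hooks that land
    inside an UNKNOWN module, and whether the MBR itself was reported clean.
    """
    unknown = {m.group(1).lower() for m in UNKNOWN_RE.finditer(text)}
    bare_hooks = {}
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m and ADDR_ONLY_RE.match(m.group(2).strip()):
            bare_hooks[m.group(1)] = m.group(2).strip().lower()
    # Strongest signal: a driver object redirected to exactly the address
    # that Gmer could not attribute to any loaded module.
    hooks_into_unknown = {obj: addr for obj, addr in bare_hooks.items() if addr in unknown}
    return {
        "unknown_modules": sorted(unknown),
        "bare_hooks": bare_hooks,
        "hooks_into_unknown": hooks_into_unknown,
        "mbr_ok": "user & kernel MBR OK" in text,
        "warning": "possible MBR rootkit infection" in text,
    }


if __name__ == "__main__":
    for key, value in triage_mbr_report(MBR_REPORT).items():
        print(f"{key}: {value}")
```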

Can you paste C:\rkill.log?

 

Download and run Norman's TDSS Cleaner: http://download.norman.no/public/Norman_TDSS_Cleaner.exe

Accept the licence terms and then press "Start scan".

If the program thinks the computer needs to be restarted, do so.

There will be a new scan after the restart. Paste the log file NFix.

 

Do you remember what the file name for Gmer is? If not, download it again.

 

Restart the computer in safe mode (press F8 repeatedly during startup and choose safe mode in the menu).

 

Unplug the internet connection.

Close all programs, including antivirus and firewall, if any such thing should be running in safe mode.

Start the Gmer program.

A first quick scan starts.

If a WARNING comes up that mentions ROOTKIT and asks about "fully scan", choose No. Save the log. Do nothing more.

 

If the question does not come up, choose the Rootkit/Malware tab and check that everything on the right is ticked except Show All and partitions other than C:\. Press Scan. Leave the computer alone while Gmer is running.

Press Save and save the result on the Desktop.

 

Restart the computer in normal mode and paste the log/result in your reply.

 

If Gmer did not work in safe mode, run OTL.

 

Save OTL on the Desktop. http://oldtimer.geekstogo.com/OTL.exe

Close all programs.

Run OTL (in Vista and Windows 7, right-click and Run as administrator).

Under Output at the top, choose Minimal Output.

Under Standard Registry choose All.

 

In the Custom scan's and fixes box, paste the following lines (check that you really get all the lines):

%SYSTEMDRIVE%\*.*
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\System32\config\*.sav
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles

 

Tick LOP Check and Purity Check.

Press Run Scan and let the program run undisturbed.

 

When it is done, two log files are created on the Desktop, OTL.txt and Extras.txt. In your reply, paste the OTL.txt log and attach Extras.txt as a file.
