Suspicious objects

gest

I recently switched security software to Comodo Internet Security, and when scanning the computer I got a virus alert. The computer has gradually become more sluggish, with long load times for web pages among other things, but I thought that was due to the firewall.

After running the DDS program I don't know what to think, because then I got a message about a new trojan (see the attached Comodo file).

(It was not possible to attach files or preview without disconnecting the firewall!)

 

DDS (Ver_09-12-01.01) - NTFSx86

Run by GEST at 16:50:33,75 on 2010-03-14

Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13

Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.511.116 [GMT 1:00]

 

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FW: PC Tools Firewall Plus *enabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}

 

============== Running Processes ===============

 

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

c:\Program\Microsoft Security Essentials\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\System32\gearsec.exe

C:\Program\Java\jre6\bin\jqs.exe

C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program\PC Tools Firewall Plus\FWService.exe

C:\Program\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program\PC Tools Firewall Plus\FirewallGUI.exe

C:\Program\Microsoft Security Essentials\msseces.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program\Mozilla Firefox\firefox.exe

C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Documents and Settings\GEST\Mina dokument\Hämtade filer\dds.scr

 

============== Pseudo HJT Report ===============

 

uStart Page = hxxp://www.google.se/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\program\spybot~1\SDHelper.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program\google\googletoolbar3.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program\google\googletoolbarnotifier\3.1.807.1746\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program\google\googletoolbar3.dll

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [00PCTFW] "c:\program\pc tools firewall plus\FirewallGUI.exe" -s

mRun: [MSSE] "c:\program\microsoft security essentials\msseces.exe" -hide -runkey

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [DWQueuedReporting] "c:\program\delade~1\micros~1\dw\dwtrig20.exe" -t

IE: E&xportera till Microsoft Excel - c:\program\micros~3\office10\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program\messenger\msmsgs.exe

IE: {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - {1FBA04EE-3024-11D2-8F1F-0000F87ABD16} c:\program\irfanview\ebay\ebay.htm - c:\program\irfanview\ebay\ebay.htm\inprocserver32 does not exist!

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} - hxxp://www.symantec.com/techsupp/activedata/nprdtinf.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab

DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099413911640

DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program\delade filer\microsoft shared\web folders\PKMCDO.DLL

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program\superantispyware\SASSEH.DLL

 

================= FIREFOX ===================

 

FF - ProfilePath - c:\docume~1\gest\applic~1\mozilla\firefox\profiles\lnsqzpnm.default\

FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:sv-SE:official

FF - plugin: c:\program\mozilla firefox\plugins\npdjvu.dll

FF - plugin: c:\program\personal\bin\np_prsnl.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

 

---- FIREFOX POLICIES ----

c:\program\mozilla firefox\greprefs\all.js - pref("browser.visited_color", "#551A8B");

c:\program\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("browser.videoFeeds.handler", "ask");

 

============= SERVICES / DRIVERS ===============

 

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 149040]

R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-3-13 233136]

R1 SASDIFSV;SASDIFSV;c:\program\superantispyware\sasdifsv.sys [2006-12-11 5632]

R1 SASKUTIL;SASKUTIL;c:\program\superantispyware\SASKUTIL.SYS [2006-12-11 30720]

R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2010-3-13 88040]

R2 PCToolsFirewallPlus;PC Tools Firewall Plus;c:\program\pc tools firewall plus\FWService.exe [2010-3-13 818432]

R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [2010-3-13 70664]

R3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [2010-3-13 58816]

R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2010-3-13 115216]

R3 SASENUM;SASENUM;c:\program\superantispyware\SASENUM.SYS [2006-12-11 4096]

S2 Automatisk LiveUpdate-schemaläggare;Automatisk LiveUpdate-schemaläggare;"c:\program\symantec\liveupdate\aluschedulersvc.exe" --> c:\program\symantec\liveupdate\ALUSchedulerSvc.exe [?]

S3 G3GRSC;G3G R Smart Card;c:\windows\system32\drivers\g3grsc.sys [2006-6-21 18688]

S3 G3GRUMDM;G3G R USB Modem;c:\windows\system32\drivers\g3grumdm.sys [2006-6-21 27648]

S3 G3GRUSER;G3G R USB Serial;c:\windows\system32\drivers\g3gruser.sys [2006-6-21 24064]

S3 Tdsshbecr;Handelsbanken card reader;c:\windows\system32\drivers\shbecr.sys [2009-10-25 42368]

S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [2005-5-5 40060]

S3 VNic;ULan Network Driver Module;c:\windows\system32\drivers\vnic.sys --> c:\windows\system32\drivers\VNic.sys [?]

 

=============== Created Last 30 ================

 

2010-03-14 07:10:17 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-03-14 07:10:17 215920 ----a-w- c:\windows\system32\muweb.dll

2010-03-14 07:10:17 17248 ----a-w- c:\windows\system32\mucltui.dll.mui

2010-03-13 22:13:11 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-03-13 21:53:03 0 d-----w- c:\program\Microsoft Security Essentials

2010-03-13 21:51:56 0 d-----w- C:\afb4c9a73ae625070adcd410d3c105ae

2010-03-13 21:34:10 0 d-----w- c:\docume~1\gest\applic~1\PCToolsFirewallPlus

2010-03-13 21:32:00 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2010-03-13 21:32:00 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat

2010-03-13 21:32:00 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat

2010-03-13 21:32:00 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2010-03-13 21:31:58 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat

2010-03-13 21:31:58 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2010-03-13 21:31:05 7435 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.cat

2010-03-13 21:31:05 7399 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.cat

2010-03-13 21:31:05 70664 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.sys

2010-03-13 21:31:05 58816 ----a-w- c:\windows\system32\drivers\pctNdis.sys

2010-03-13 21:31:05 32680 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.sys

2010-03-13 21:31:05 0 d-----w- c:\program\delade filer\PC Tools

2010-03-13 21:31:01 7383 ----a-w- c:\windows\system32\drivers\pctplfw.cat

2010-03-13 21:31:01 115216 ----a-w- c:\windows\system32\drivers\pctplfw.sys

2010-03-13 21:30:59 0 d-----w- c:\program\PC Tools Firewall Plus

2010-02-21 20:08:33 0 d-----w- c:\windows\system32\wbem\Repository

 

==================== Find3M ====================

 

2004-12-19 18:35:23 1154253 ----a-w- c:\program\image001.jpg

2003-04-24 02:00:00 94816 --sh--w- c:\windows\twain.dll

2008-04-14 16:04:53 50688 --sh--w- c:\windows\twain_32.dll

2008-04-14 16:04:41 1028096 --sha-w- c:\windows\system32\mfc42.dll

2008-04-14 16:04:44 57344 --sha-w- c:\windows\system32\msvcirt.dll

2008-04-14 16:04:44 413696 --sha-w- c:\windows\system32\msvcp60.dll

2008-04-14 16:04:44 343040 --sha-w- c:\windows\system32\msvcrt.dll

2008-04-14 16:04:47 551936 --sha-w- c:\windows\system32\oleaut32.dll

2008-04-14 16:04:47 84992 --sha-w- c:\windows\system32\olepro32.dll

2008-04-14 16:05:17 11776 --sha-w- c:\windows\system32\regsvr32.exe

2008-11-23 21:20:46 32768 --sha-w- c:\windows\system32\config\systemprofile\lokala inställningar\tidigare\history.ie5\mshist012008112320081124\index.dat

 

============= FINISH: 16:51:46,34 ===============

Attachments: Attach.txt, Comodo-log.htm


There seem to be plenty of false positives in the Comodo log, but the file evP.exe, which keeps reappearing, may well be malicious. There are files in Comodo's quarantine that should be restored.

 

On the page http://www.virustotal.com, click the Browse button and paste the following file name into the box, click Send File and wait until the result is ready (Current status becomes completed). Paste the result from the various antivirus programs (not Other information), or a link to the result, here.

C:\Documents and Settings\GEST\Lokala inställningar\Temp\62.tmp\evP.exe

 

The DDS log is from 14 March, so make a new one.


Yes, it was the wrong DDS file. Here is a new one:

 

 

DDS (Ver_10-03-17.01) - NTFSx86

Run by GEST at 19:59:40,39 on 2010-03-25

Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13

Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.511.204 [GMT 1:00]

 

AV: COMODO Antivirus *On-access scanning enabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}

FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

 

============== Running Processes ===============

 

C:\Program\COMODO\COMODO livePCsupport\CLPSLS.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program\COMODO\COMODO Internet Security\cmdagent.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\WINDOWS\System32\gearsec.exe

C:\Program\Java\jre6\bin\jqs.exe

C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\system32\fxssvc.exe

C:\Program\COMODO\COMODO Internet Security\cfp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\Mozilla Firefox\firefox.exe

C:\Documents and Settings\GEST\Mina dokument\Hämtade filer\dds(2).scr

 

============== Pseudo HJT Report ===============

 

uStart Page = hxxp://www.google.se/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program\google\googletoolbar3.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program\google\googletoolbarnotifier\3.1.807.1746\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program\google\googletoolbar3.dll

TB: HopSurf toolbar: {e9fab13d-4600-49e1-90d1-ee961c859d39} - c:\program\comodo\hopsurftoolbar\HopSurfToolbar_IE.dll

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [COMODO Internet Security] "c:\program\comodo\comodo internet security\cfp.exe" -h

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [DWQueuedReporting] "c:\program\delade~1\micros~1\dw\dwtrig20.exe" -t

IE: E&xportera till Microsoft Excel - c:\program\micros~3\office10\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program\messenger\msmsgs.exe

IE: {ED98F8D1-09AC-4107-B2FF-91DBE011B0C5} - {6BBCFF8E-D837-4DA4-9141-1F645B34A179} - c:\program\comodo\hopsurftoolbar\HopSurfToolbar_IE.dll

IE: {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - {1FBA04EE-3024-11D2-8F1F-0000F87ABD16} c:\program\irfanview\ebay\ebay.htm - c:\program\irfanview\ebay\ebay.htm\inprocserver32 does not exist!

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} - hxxp://www.symantec.com/techsupp/activedata/nprdtinf.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab

DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099413911640

DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program\delade filer\microsoft shared\web folders\PKMCDO.DLL

AppInit_DLLs: c:\windows\system32\guard32.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program\superantispyware\SASSEH.DLL

 

================= FIREFOX ===================

 

FF - ProfilePath - c:\docume~1\gest\applic~1\mozilla\firefox\profiles\lnsqzpnm.default\

FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:sv-SE:official

FF - plugin: c:\program\mozilla firefox\plugins\npdjvu.dll

FF - plugin: c:\program\personal\bin\np_prsnl.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

 

---- FIREFOX POLICIES ----

c:\program\mozilla firefox\greprefs\all.js - pref("browser.visited_color", "#551A8B");

c:\program\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("browser.videoFeeds.handler", "ask");

 

============= SERVICES / DRIVERS ===============

 

R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2010-3-3 15376]

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-3-3 214056]

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-3-3 25160]

R1 SASDIFSV;SASDIFSV;c:\program\superantispyware\sasdifsv.sys [2006-12-11 5632]

R1 SASKUTIL;SASKUTIL;c:\program\superantispyware\SASKUTIL.SYS [2006-12-11 30720]

R2 CLPSLS;COMODO livePCsupport Service;c:\program\comodo\comodo livepcsupport\CLPSLS.exe [2010-2-12 148744]

R2 cmdAgent;COMODO Internet Security Helper Service;c:\program\comodo\comodo internet security\cmdagent.exe [2010-3-3 960080]

S2 Automatisk LiveUpdate-schemaläggare;Automatisk LiveUpdate-schemaläggare;"c:\program\symantec\liveupdate\aluschedulersvc.exe" --> c:\program\symantec\liveupdate\ALUSchedulerSvc.exe [?]

S3 G3GRSC;G3G R Smart Card;c:\windows\system32\drivers\g3grsc.sys [2006-6-21 18688]

S3 G3GRUMDM;G3G R USB Modem;c:\windows\system32\drivers\g3grumdm.sys [2006-6-21 27648]

S3 G3GRUSER;G3G R USB Serial;c:\windows\system32\drivers\g3gruser.sys [2006-6-21 24064]

S3 SASENUM;SASENUM;c:\program\superantispyware\SASENUM.SYS [2006-12-11 4096]

S3 Tdsshbecr;Handelsbanken card reader;c:\windows\system32\drivers\shbecr.sys [2009-10-25 42368]

S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [2005-5-5 40060]

S3 VNic;ULan Network Driver Module;c:\windows\system32\drivers\vnic.sys --> c:\windows\system32\drivers\VNic.sys [?]

 

=============== Created Last 30 ================

 

2010-03-22 22:22:00 0 d-----w- c:\docume~1\alluse~1\applic~1\COMODO

2010-03-22 22:21:52 213537 ----a-w- c:\windows\system32\drivers\sfi.dat

2010-03-22 22:12:40 0 d-----w- c:\docume~1\gest\applic~1\Comodo

2010-03-22 22:11:31 32000 ----a-w- c:\windows\system32\drivers\tap0901.sys

2010-03-22 22:11:31 0 d-----w- c:\program\Comodo

2010-03-22 21:59:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Comodo Downloader

2010-03-15 07:09:19 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

2010-03-15 07:07:05 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

2010-03-14 07:10:17 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-03-14 07:10:17 215920 ----a-w- c:\windows\system32\muweb.dll

2010-03-14 07:10:17 17248 ----a-w- c:\windows\system32\mucltui.dll.mui

2010-03-13 22:13:11 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-03-03 18:54:42 276648 ----a-w- c:\windows\system32\guard32.dll

2010-03-03 18:54:14 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys

2010-03-03 18:54:14 214056 ----a-w- c:\windows\system32\drivers\cmdGuard.sys

2010-03-03 18:54:12 15376 ----a-w- c:\windows\system32\drivers\cmderd.sys

 

==================== Find3M ====================

 

2010-03-22 21:43:37 64816 ----a-w- c:\windows\system32\perfc01D.dat

2010-03-22 21:43:37 387550 ----a-w- c:\windows\system32\perfh01D.dat

2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys

2009-12-31 15:35:56 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe

2009-12-31 15:35:56 13824 ----a-w- c:\windows\system32\dllcache\ieudinit.exe

2004-12-19 18:35:23 1154253 ----a-w- c:\program\image001.jpg

2003-04-24 02:00:00 94816 --sh--w- c:\windows\twain.dll

2008-04-14 16:04:53 50688 --sh--w- c:\windows\twain_32.dll

2008-04-14 16:04:41 1028096 --sha-w- c:\windows\system32\mfc42.dll

2008-04-14 16:04:44 57344 --sha-w- c:\windows\system32\msvcirt.dll

2008-04-14 16:04:44 413696 --sha-w- c:\windows\system32\msvcp60.dll

2008-04-14 16:04:44 343040 --sha-w- c:\windows\system32\msvcrt.dll

2008-04-14 16:04:47 551936 --sha-w- c:\windows\system32\oleaut32.dll

2008-04-14 16:04:47 84992 --sha-w- c:\windows\system32\olepro32.dll

2008-04-14 16:05:17 11776 --sha-w- c:\windows\system32\regsvr32.exe

2008-11-23 21:20:46 32768 --sha-w- c:\windows\system32\config\systemprofile\lokala inställningar\tidigare\history.ie5\mshist012008112320081124\index.dat

 

============= FINISH: 20:02:36,04 ===============

 

 

 

I could not find the file

C:\Documents and Settings\GEST\Lokala inställningar\Temp\62.tmp\evP.exe

so the file I sent to VirusTotal is instead

C:\Documents and Settings\GEST\Lokala inställningar\Temp\CC.tmp\evP.exe

and the result was:

 

Fil A0056097.exe mottagen 2010.03.16 02:12:39 (UTC)

Närvarande status: genomförd

Resultat: 3/42 (7.14%)


Antivirus Version Senaste Uppdatering Resultat

a-squared 4.5.0.50 2010.03.16 -

AhnLab-V3 5.0.0.2 2010.03.16 -

AntiVir 8.2.1.180 2010.03.15 -

Antiy-AVL 2.0.3.7 2010.03.15 -

Authentium 5.2.0.5 2010.03.16 -

Avast 4.8.1351.0 2010.03.15 -

Avast5 5.0.332.0 2010.03.15 -

AVG 9.0.0.787 2010.03.15 -

BitDefender 7.2 2010.03.16 -

CAT-QuickHeal 10.00 2010.03.15 (Suspicious) - DNAScan

ClamAV 0.96.0.0-git 2010.03.16 -

Comodo 4278 2010.03.16 TrojWare.Win32.Agent.~JJG

DrWeb 5.0.1.12222 2010.03.16 -

eSafe 7.0.17.0 2010.03.15 Suspicious File

eTrust-Vet 35.2.7364 2010.03.15 -

F-Prot 4.5.1.85 2010.03.15 -

F-Secure 9.0.15370.0 2010.03.15 -

Fortinet 4.0.14.0 2010.03.15 -

GData 19 2010.03.16 -

Ikarus T3.1.1.80.0 2010.03.16 -

Jiangmin 13.0.900 2010.03.15 -

K7AntiVirus 7.10.998 2010.03.15 -

Kaspersky 7.0.0.125 2010.03.16 -

McAfee 5921 2010.03.15 -

McAfee+Artemis 5921 2010.03.15 -

McAfee-GW-Edition 6.8.5 2010.03.15 -

Microsoft 1.5605 2010.03.15 -

NOD32 4947 2010.03.15 -

Norman 6.04.08 2010.03.15 -

nProtect 2009.1.8.0 2010.03.15 -

Panda 10.0.2.2 2010.03.15 -

PCTools 7.0.3.5 2010.03.15 -

Prevx 3.0 2010.03.16 -

Rising 22.39.01.01 2010.03.16 -

Sophos 4.51.0 2010.03.16 -

Sunbelt 5906 2010.03.16 -

Symantec 20091.2.0.41 2010.03.16 -

TheHacker 6.5.2.0.233 2010.03.15 -

TrendMicro 9.120.0.1004 2010.03.15 -

VBA32 3.12.12.2 2010.03.14 -

ViRobot 2010.3.15.2228 2010.03.15 -

VirusBuster 5.0.27.0 2010.03.15 -

 

I tried to send the above earlier today but failed; the connection was dropped.

Something is wrong with the computer.

Attach.txt


It looks to me as if most of what Comodo's antivirus has reacted to are good programs, i.e. it has given false positives. You should restore

C:\SWSETUP\Default\CPQSET.EXE

C:\Program\Genline\GFFinder2\AutoUpdate.exe

C:\Program\HPQ\Default Settings\Cpqset.exe

C:\hp\tmp\src\psptr\Patch\Uninst\enu\HPHuni03.exe

C:\hp\tmp\src\psptr\Patch\Uninst\fra\HPHuni03.exe

C:\Program\Microsoft Office\Office10\OLKFSTUB.DLL

C:\hp\tmp\src\psptr\util\ccc\enu\Q818966_WXP_SP2_x86_ENU.exe

from quarantine. These are completely normal programs.

 

I think evP.exe is also okay and belongs with DDS, especially since you wrote that it appeared when you tried to run DDS.

 

If you don't have any Symantec program on the computer, you should uninstall LiveUpdate 3.2 (Symantec Corporation).

 

There are old Java versions with security holes on the computer. I recommend that you install a new one from http://www.java.com/sv/ and then uninstall

J2SE Runtime Environment 5.0 Update 4

J2SE Runtime Environment 5.0 Update 6

Java™ 6 Update 13 if it is still there

 

Check whether you have more programs with security holes by letting Secunia's Software Inspector examine the computer. http://secunia.com/products/consumer/

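Added example (not code from the thread or from the DDS tool): a Python triage script that applies the checks the helper makes by hand above to DDS log lines, flagging orphaned add-on entries ("No File", "does not exist!"), an AppInit_DLLs entry, a service whose binary is missing ("[?]"), several Java plug-in CLSIDs registered side by side, and an executable running from Temp. The sample lines are copied from the logs in this thread; the Temp process line is constructed from the evP.exe path quoted earlier, and the Java CLSID layout is inferred from the DPF lines, where {CAFEEFAC-0016-0000-0013-...} pairs with jinstall-1_6_0_13.

```python
"""Triage of DDS log lines: the checks a malware-removal helper applies by hand."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input, copied from the DDS logs in this thread. The last line is a
# constructed running-process entry built from the evP.exe path the helper
# asked to have checked on VirusTotal; DDS lists processes as bare paths.
SAMPLE_DDS = r"""
uStart Page = hxxp://www.google.se/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program\adobe\acrobat 7.0\activex\AcroIEHelper.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
IE: {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - {1FBA04EE-3024-11D2-8F1F-0000F87ABD16} c:\program\irfanview\ebay\ebay.htm - c:\program\irfanview\ebay\ebay.htm\inprocserver32 does not exist!
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
AppInit_DLLs: c:\windows\system32\guard32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-3-3 214056]
S2 Automatisk LiveUpdate-schemaläggare;Automatisk LiveUpdate-schemaläggare;"c:\program\symantec\liveupdate\aluschedulersvc.exe" --> c:\program\symantec\liveupdate\ALUSchedulerSvc.exe [?]
C:\Documents and Settings\GEST\Mina dokument\Hämtade filer\dds.scr
C:\Documents and Settings\GEST\Lokala inställningar\Temp\CC.tmp\evP.exe
"""

# Sun's Java plug-in CLSIDs encode the JRE version: {CAFEEFAC-0016-0000-0013-...}
# is 1.6.0_13 (it pairs with jinstall-1_6_0_13 in the DPF lines above);
# FFFF in every version field is the "latest installed version" alias.
JAVA_CLSID = re.compile(
    r"\{CAFEEFAC-([0-9A-F]{4})-([0-9A-F]{4})-([0-9A-F]{4})-ABCDEFFEDCBA\}", re.I)
SERVICE_LINE = re.compile(r"^[RS]\d\s+[^;]+;[^;]*;.+$")  # "R1 name;display;path [..]"


@dataclass
class Finding:
    severity: str  # "high", "review" or "info"
    reason: str
    line: str


def java_version_from_clsid(text: str) -> Optional[str]:
    """Return a '1.6.0_13'-style version, 'latest' for the alias, or None."""
    m = JAVA_CLSID.search(text)
    if not m:
        return None
    family, micro, update = (g.upper() for g in m.groups())
    if family == "FFFF":
        return "latest"
    try:  # fields are decimal digits; "0016" means major 1, minor 6
        return f"{int(family[2])}.{int(family[3])}.{int(micro)}_{int(update):02d}"
    except ValueError:
        return None


def _version_key(version: str):
    return tuple(int(part) for part in re.split(r"[._]", version))


def triage_dds(text: str) -> List[Finding]:
    """Apply the helper's checks to every line of a DDS log."""
    findings: List[Finding] = []
    java_seen: Dict[str, str] = {}  # version -> first DPF line registering it
    for raw in text.splitlines():
        line = raw.strip()
        low = line.lower()
        if not line:
            continue
        if line.startswith(("BHO:", "TB:", "EB:", "IE:")) and (
                "no file" in low or "does not exist!" in low):
            findings.append(Finding("info",
                "orphaned browser add-on: registry entry points at a missing file", line))
        elif line.startswith("AppInit_DLLs:"):
            findings.append(Finding("review",
                "AppInit_DLLs loads this DLL into every user32 process; confirm it belongs to installed security software", line))
        elif line.startswith("FF - HiddenExtension") and "no registry reference" in low:
            findings.append(Finding("info",
                "Firefox extension installed outside the registered extension list", line))
        elif line.startswith("DPF:"):
            version = java_version_from_clsid(line)
            if version:
                java_seen.setdefault(version, line)
        elif SERVICE_LINE.match(line):
            if line.endswith("[?]"):
                findings.append(Finding("review",
                    "service binary not found on disk: uninstall leftover, or a hidden file", line))
        elif "\\temp\\" in low and low.endswith(".exe"):
            findings.append(Finding("high", "executable running from a Temp directory", line))
    # Several plug-in CLSIDs side by side mean several JREs are installed;
    # everything but the newest is unpatched attack surface reachable from the browser.
    versions = sorted((v for v in java_seen if v != "latest"), key=_version_key)
    for old in versions[:-1]:
        findings.append(Finding("review",
            f"old Java plug-in {old} still registered alongside {versions[-1]}", java_seen[old]))
    return findings


def count_by_severity(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line[:90]}")
    print(count_by_severity(triage_dds(SAMPLE_DDS)))
```

The severities are a triage order, not verdicts: the helper's reading above treats the "[?]" LiveUpdate service as a Symantec leftover to clean up, and sends the Temp executable to VirusTotal rather than deleting it.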

I have restored the files from quarantine, removed folders with Symantec (did not find Live Update 3.2), updated Java but not updated all the programs that Secunia thinks have security holes (most of them I don't use).

But how do I proceed to speed up the computer? Have I disabled services that are needed?


Run Symantec's cleanup tool to remove further leftovers:

http://www.symantec.com/norton/support/kb/web_view.jsp?wv_type=public_web&docurl=20090910004050EN Step 2

 

When it comes to old program versions, consider this example:

Even if you don't normally use Adobe Reader, if the browser is set to display PDF files with Adobe Reader, it is enough that you land on a hacked web page which tries to exploit a security hole in Adobe Reader for the computer to become infected.

 

Is the computer from 2004, when it looks like Windows was installed?

How much RAM is there in the computer?

 

Have I disabled services that are needed?
Did you follow any instructions when you disabled services? If so, which? Or how did you go about deciding what to disable?

I have updated Adobe Reader.

The computer is from 2004, 512 MB RAM.

When I checked, only the services Alerter, Clipbook, Messenger, Network DDE and Network DDE DSDM were disabled, but I may have set others to start manually.

In Startup there are now only Comodo and ctfmon; everything else is unchecked.


It should not be a problem to disable those services. This is a good guide to how to configure services in XP: http://www.blackviper.com/WinXP/servicecfg.htm

The Default column is how XP is configured by default, and it is very rare that there is any problem with following the SAFE column.

 

Unfortunately, XP with Service Pack 3 and a good antivirus program needs more than 512 MB of RAM to avoid being sluggish. Antivirus programs have had to grow in recent years because malware has become harder to detect and remove.

 

But a hard drive that is deteriorating can also make the computer slower. It may be worth checking the hard drive's transfer mode.

Right-click My Computer - Manage - Device Manager - IDE ATA/ATAPI controllers - Primary IDE Channel - Advanced Settings

What does it say under Current Transfer Mode for the hard drive?


Device 0

Transfer Mode: DMA if available

Current Transfer Mode: Ultra DMA Mode 5

 

Device 1

Transfer Mode: DMA if available

Current Transfer Mode: Not applicable


Mode 5 is a good value. So the computer being slow is probably not due to the hard drive.

 

The computer would probably become somewhat faster if it were reinstalled.

 

Would you like help checking whether the amount of RAM in the computer can be increased?


Can you check what needs a lot of RAM on the computer? Do all these updates that have to be done take up more and more RAM over time? Perhaps they are the cause of the problem.

 

I think the RAM in the computer can be expanded, but it's not that simple, since it's a laptop. But if I can get hold of the right memory, it should be possible to install.


I forgot to write that a month ago I already scanned the computer with SUPERAntiSpyware and that many threats were found then, which I thought were dealt with. But repeated scans show that something is not right. Sending a new log. Most of what is in it I don't recognize!

 

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

 

Generated 03/27/2010 at 09:24 AM

 

Application Version : 4.33.1000

 

Core Rules Database Version : 4621

Trace Rules Database Version: 0

 

Scan type : Quick Scan

Total Scan Time : 00:40:29

 

Memory items scanned : 386

Memory threats detected : 0

Registry items scanned : 535

Registry threats detected : 0

File items scanned : 7803

File threats detected : 244

 

Adware.Ezula
C:\WINDOWS\LastGood\Downloaded Program Files\ezstub.INF

Adware.MediaMotor
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\amm06.inf
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\amm06.ocx

Browser Hijacker.Favorites
C:\Documents and Settings\GEST\Favoriter\Favorites\Cars.url
C:\Documents and Settings\GEST\Favoriter\Favorites\Domain Names.url
C:\Documents and Settings\GEST\Favoriter\Favorites\Finance.url
C:\Documents and Settings\GEST\Favoriter\Favorites\Games.url
C:\Documents and Settings\GEST\Favoriter\Favorites\Humor.url
C:\Documents and Settings\GEST\Favoriter\Favorites\Movies.url
C:\Documents and Settings\GEST\Favoriter\Favorites\Music and Movies
C:\Documents and Settings\GEST\Favoriter\Favorites\Music and Movies\Albums.url
C:\Documents and Settings\GEST\Favoriter\Favorites\Music and Movies\Artists.url
C:\Documents and Settings\GEST\Favoriter\Favorites\Music and Movies\AudioBooks.url
C:\Documents and Settings\GEST\Favoriter\Favorites\Music and Movies\Collections.url
C:\Documents and Settings\GEST\Favoriter\Favorites\Music and Movies\Mp3 Search.url
C:\Documents and Settings\GEST\Favoriter\Favorites\Music and Movies\New releases.url
C:\Documents and Settings\GEST\Favoriter\Favorites\Music and Movies\Ratings.url
C:\Documents and Settings\GEST\Favoriter\Favorites\Music and Movies\Soundtracks.url
C:\Documents and Settings\GEST\Favoriter\Favorites\Online Pharmacy.url
C:\Documents and Settings\GEST\Favoriter\Favorites\Sex Personals.url
C:\Documents and Settings\GEST\Favoriter\Favorites\Sports.url
C:\Documents and Settings\GEST\Favoriter\Favorites\Spyware Removers
C:\Documents and Settings\GEST\Favoriter\Favorites\Spyware Removers\ADWare Bazooka.url
C:\Documents and Settings\GEST\Favoriter\Favorites\Spyware Removers\Adware Punisher.url
C:\Documents and Settings\GEST\Favoriter\Favorites\Spyware Removers\Adware Sheriff.url
C:\Documents and Settings\GEST\Favoriter\Favorites\Spyware Removers\HIT Virus.url
C:\Documents and Settings\GEST\Favoriter\Favorites\Spyware Removers\Raze Spyware.url
C:\Documents and Settings\GEST\Favoriter\Favorites\Spyware Removers\Reg Freeze.url
C:\Documents and Settings\GEST\Favoriter\Favorites\Spyware Removers\Remedy AntiSpy.url
C:\Documents and Settings\GEST\Favoriter\Favorites\Spyware Removers\SPY iBlock.url
C:\Documents and Settings\GEST\Favoriter\Favorites\Spyware Removers\The Spy Guard Site.url
C:\Documents and Settings\GEST\Favoriter\Favorites\Viagra.url
C:\Documents and Settings\GEST\Favoriter\Favorites\Weather.url
C:\Documents and Settings\GEST\Favoriter\Favorites\Web Hosting.url
C:\Documents and Settings\GEST\Favoriter\Games\Carnival Casino.url
C:\Documents and Settings\GEST\Favoriter\Games\Club Dice Casino.url
C:\Documents and Settings\GEST\Favoriter\Games\New York Casino.url
C:\Documents and Settings\GEST\Favoriter\Games\USA Casino.url
C:\Documents and Settings\GEST\Favoriter\Games\You Bingo.url
C:\Documents and Settings\GEST\Favoriter\Games\Gambling\Aces & Faces.url
C:\Documents and Settings\GEST\Favoriter\Games\Gambling\Baccarat.url
C:\Documents and Settings\GEST\Favoriter\Games\Gambling\Black Jack.url
C:\Documents and Settings\GEST\Favoriter\Games\Gambling\Caribbean Poker.url
C:\Documents and Settings\GEST\Favoriter\Games\Gambling\Casino War.url
C:\Documents and Settings\GEST\Favoriter\Games\Gambling\Cinerama.url
C:\Documents and Settings\GEST\Favoriter\Games\Gambling\Craps.url
C:\Documents and Settings\GEST\Favoriter\Games\Gambling\Deuces Wild.url
C:\Documents and Settings\GEST\Favoriter\Games\Gambling\Diamond Valley.url
C:\Documents and Settings\GEST\Favoriter\Games\Gambling\Fruit Mania.url
C:\Documents and Settings\GEST\Favoriter\Games\Gambling\Gold Rally.url
C:\Documents and Settings\GEST\Favoriter\Games\Gambling\Jacks or Better.url
C:\Documents and Settings\GEST\Favoriter\Games\Gambling\Magic Slots.url
C:\Documents and Settings\GEST\Favoriter\Games\Gambling\Mega Jacks.url
C:\Documents and Settings\GEST\Favoriter\Games\Gambling\Pai

 

Gow Poker.url

C:\Documents and Settings\GEST\Favoriter\Games\Gambling\Red

 

Dog Poker.url

C:\Documents and

 

Settings\GEST\Favoriter\Games\Gambling\Roulette.url

C:\Documents and

 

Settings\GEST\Favoriter\Games\Gambling\SafeCracer.url

C:\Documents and Settings\GEST\Favoriter\Games\Gambling\Sic

 

Bo.url

C:\Documents and Settings\GEST\Favoriter\Games\Gambling\Wall St.

 

Fever.url

C:\Documents and Settings\GEST\Favoriter\Games\Monaco Gold

 

Casino.url

C:\Documents and Settings\GEST\Favoriter\Travel\Adventure

 

Travel.url

C:\Documents and Settings\GEST\Favoriter\Travel\Air Travel.url

C:\Documents and Settings\GEST\Favoriter\Travel\Business

 

Travel.url

C:\Documents and Settings\GEST\Favoriter\Travel\Discount

 

Travel.url

C:\Documents and Settings\GEST\Favoriter\Travel\Food.url

C:\Documents and Settings\GEST\Favoriter\Travel\Hawaii Travel.url

C:\Documents and Settings\GEST\Favoriter\Travel\Lodging.url

C:\Documents and Settings\GEST\Favoriter\Travel\London Travel.url

C:\Documents and Settings\GEST\Favoriter\Travel\Travel Agent.url

C:\Documents and Settings\GEST\Favoriter\Travel\Travel

 

Insurance.url

C:\Documents and Settings\GEST\Favoriter\Travel\Travel package.url

C:\Documents and Settings\GEST\Favoriter\Travel\Travel

 

Reservation.url

C:\Documents and Settings\GEST\Favoriter\Travel\Travel Spain.url

C:\Documents and Settings\GEST\Favoriter\Travel\Travel Web

 

site.url

C:\Documents and Settings\GEST\Favoriter\Travel\Vacation

 

Cruises.url

C:\Documents and Settings\GEST\Favoriter\Travel\Vacations.url

C:\Documents and Settings\GEST\Favoriter\Dating\Adult Gay

 

Personals.url

C:\Documents and Settings\GEST\Favoriter\Dating\Adult

 

Personals.url

C:\Documents and Settings\GEST\Favoriter\Dating\Bondage

 

Personals.url

C:\Documents and Settings\GEST\Favoriter\Dating\Chinese

 

Personals.url

C:\Documents and Settings\GEST\Favoriter\Dating\Christian

 

Personals.url

C:\Documents and Settings\GEST\Favoriter\Dating\Dating &

 

Marriage.url

C:\Documents and Settings\GEST\Favoriter\Dating\Dating Gay

 

Personals.url

C:\Documents and Settings\GEST\Favoriter\Dating\Fillipina

 

Personals.url

C:\Documents and Settings\GEST\Favoriter\Dating\Find Sex

 

Partner.url

C:\Documents and Settings\GEST\Favoriter\Dating\French

 

Personals.url

C:\Documents and Settings\GEST\Favoriter\Dating\German

 

Personals.url

C:\Documents and Settings\GEST\Favoriter\Dating\Indian

 

Personals.url

C:\Documents and Settings\GEST\Favoriter\Dating\Italian

 

Personals.url

C:\Documents and Settings\GEST\Favoriter\Dating\Jewish

 

Personals.url

C:\Documents and Settings\GEST\Favoriter\Dating\Senior

 

Personals.url

C:\Documents and Settings\GEST\Favoriter\Dating\Sex Personals.url

C:\Documents and Settings\GEST\Favoriter\Dating\Spanish &

 

Portuguese.url

 

Adware.Casino Games (Golden Palace Casino)
\Best Casino. $200 signup bonus!.url

Malware.Spyware Vanisher
\Spyware Vanisher Free Scan.lnk

Malware.Ultimate Defender
\Ultimate Defender.lnk
\Ultimate Defender.pkg

DIaler.Super-Adult
\Night Club - Foto Annunci Video - VM18.lnk

Malware.SystemDoctor
\SystemDoctor 2006.lnk

Malware.AntiVirusGolden
\AntivirusGolden 4.0.lnk
\AntivirusGold 4.4.lnk

Trojan.ErrorSafe
C:\Documents and Settings\All Users\Start-meny\Programs\ErrorSafe\ErrorSafe on the Web.lnk
C:\Documents and Settings\All Users\Start-meny\Programs\ErrorSafe\Uninstall ErrorSafe.lnk

Malware.Antispyware Soldier
\Antispyware Soldier.lnk

Malware.DriveCleaner
C:\Documents and Settings\All Users\Start-meny\Programs\DriveCleaner Freeware

Malware.VirusRescue
\VirusRescue v3.0.1.lnk

Malware.RepairRegistryPro
\Repair Registry Pro.lnk

Malware.SpyLocked
\SpywareLocked 3.3.lnk
\SpywareLocked 3.4.lnk
\SpywareLocked 3.5.lnk

Malware.VirusProtectPro
\VirusProtectPro 3.3.lnk

Desktop Hijacker.AboutYourPrivacy
\Privacy Protector.url
\Spyware&Malware Protection.url

Malware.Ultimate Cleaner
C:\Documents and Settings\All Users\Start-meny\Programs\UltimateCleaner 2007\Uninstall UltimateCleaner 2007.lnk

Malware.LocusSoftware Inc/BestSellerAntivirus
C:\Documents and Settings\All Users\Start-meny\Programs\BestsellerAntivirus\BestsellerAntivirus.lnk

Rogue.XP AntiVirus
\XP Antivirus 2008.lnk

Rogue.WinPerformance
C:\Documents and Settings\All Users\Start-meny\Programs\WinPerformance.lnk

Rogue.AntiSpywareShield
\AntiSpywareShield.lnk

Malware.LocusSoftware Inc/ConfidentSurf
\ConfidentSurf unregistered.lnk

Rogue.AntiSpyBoss
C:\Documents and Settings\All Users\Start-meny\Programs\AntiSpyBoss\AntiSpyBoss.lnk
C:\Documents and Settings\All Users\Start-meny\Programs\AntiSpyBoss\Uninstall AntiSpyBoss.ln

Rogue.SpyDefender Pro
\SpyDefender Pro.lnk

Rogue.TrustedAntiVirus
C:\Documents and Settings\All Users\Start-meny\Programs\TrustedAntivirus\Contact Customer Support.lnk
C:\Documents and Settings\All Users\Start-meny\Programs\TrustedAntivirus\Uninstall TrustedAntivirus.lnk
C:\Documents and Settings\All Users\Start-meny\Programs\TrustedAntivirus\TrustedAntivirus.lnk

Rogue.AntiSpyCheck
\AntiSpyCheck v2.4.lnk

Trojan.Unknown Origin
C:\Documents and Settings\GEST\Local Settings\Temporary Internet Files\bestwiner.stt
C:\Documents and Settings\GEST\Local Settings\Temporary Internet Files\CPV.stt

Trojan.Multi-Dropper
C:\WINDOWS\..\ktgmhs.exe
C:\WINDOWS\..\rwhucv.exe

Rogue.PC-Cleaner
\filemanagerclient.exe

Rogue.AntiSpywareMaster
\AntiSpywareMaster.lnk

Rogue.MasterAntiVirus
\master anti virus.lnk

Rogue.IEAntiVirus
C:\Documents and Settings\GEST\Start Menu\Programs\IE AntiVirus 3.3.lnk

Rogue.CrisysTecSentry
C:\Documents and Settings\GEST\Desktop\CrisysTec Sentry 3.0.lnk

Rogue.MySpyProtector
C:\Documents and Settings\GEST\Desktop\MySpyProtector.lnk

Rogue.PCHealthPlan
C:\Documents and Settings\GEST\Desktop\PC Health Plan.lnk
C:\Documents and Settings\GEST\Start Menu\PC Health Plan.lnk

Rogue.PrivacyGuarantor
C:\Documents and Settings\GEST\Start Menu\Privacy Guarantor v2.0.lnk

Rogue.PrivacyRedeemer
C:\Documents and Settings\GEST\Desktop\Privacy Redeemer.lnk

Rogue.RaptorDefence
C:\Documents and Settings\GEST\Desktop\RaptorDefence.lnk

Rogue.AntiVirus 2008 Pro
C:\Documents and Settings\GEST\Application Data\TmpRecentIcons\Advanced XP Defender.lnk
C:\Documents and Settings\GEST\Application Data\TmpRecentIcons\Advanced XP Fixer.lnk
C:\Documents and Settings\GEST\Application Data\TmpRecentIcons\antivirus-2008pro.lnk
C:\Documents and Settings\GEST\Application Data\TmpRecentIcons\SystemDefender.lnk
\antivirus-2008pro.lnk

Rogue.AntiSpywareExpert
\AntiSpywareExpert.lnk
C:\Documents and Settings\GEST\Desktop\AntiSpywareExpert.lnk

Rogue.UltimateAntiVirus
C:\Documents and Settings\GEST\Desktop\Ultimate Antivirus.lnk
\Ultimate Antivirus.lnk

Rogue.Advanced AntiVirus 2008
\Advanced Antivirus.lnk

Rogue.MandelEnterprise/Variants
C:\Documents and Settings\GEST\Desktop\Adware Deluxe.lnk
C:\Documents and Settings\GEST\Desktop\Adware Patrol.lnk
C:\Documents and Settings\GEST\Desktop\Doctor Adware Pro.lnk
C:\Documents and Settings\GEST\Desktop\Doctor Adware.lnk

Rogue.WinAntiSpyware2008
\WinAntispyware2008.lnk

Rogue.AntiVirus XP 2008
C:\Documents and Settings\All Users\Start-meny\Programs\Antivirus XP 2008.lnk

Rogue.WistaAntiVirus
C:\Documents and Settings\GEST\Desktop\WistaAntivirus.lnk

Rogue.Doctor AntiVirus 2008
C:\Documents and Settings\GEST\Desktop\antvr.exe

Rogue.VirusRemover2008
C:\Documents and Settings\GEST\Desktop\VirusRemover2008.lnk
C:\Documents and Settings\GEST\Desktop\Viruses.bdt

Rogue.XP Cleaner
C:\Documents and Settings\GEST\Desktop\XP Cleaner.lnk

Rogue.RegistryDoctor2008
\RegistryDoctor2008.lnk

Adware.Media-Codec/ZLob
C:\Program\Applications\IEBTMM.EXE
C:\Program\Applications\WCM.EXE
C:\Program\Applications\WCS.EXE

Rogue.WinAntiVirus2008
\Win Antivirus 2008.lnk

Rogue.WinDefender2008
C:\Documents and Settings\GEST\Desktop\Launch WinDefender 2008.lnk

Rogue.PyroAntiSpy
C:\Documents and Settings\GEST\Start Menu\PyroAntiSpy 2.2.lnk
C:\Documents and Settings\GEST\Desktop\PyroAntiSpy.lnk

Rogue.AntiVir64
C:\Documents and Settings\GEST\Start Menu\Programs\Startup\Antivir64.lnk

Rogue.SpyGuarder
C:\Documents and Settings\GEST\Desktop\SpyGuarder.lnk

Rogue.XP Protector 2009
C:\Documents and Settings\All Users\Start-meny\Programs\XP Protector 2009.lnk

Rogue.VirusResponseLab2009
\VirusResponse Lab 2009 2.1.lnk

Rogue.SecureExpertCleaner
C:\Documents and Settings\All Users\Skrivbord\Secure ExpertCleaner.lnk

Rogue.eAntivirusPro
C:\Documents and Settings\All Users\Start-meny\Programs\eAntivirusPro.lnk

Rogue.TotalSecure2009
\readme.bat
\Total Secure 2009.lnk
C:\Documents and Settings\GEST\Start Menu\Free MP3 Search.url
C:\Documents and Settings\GEST\Start Menu\Free Porn.url
C:\Documents and Settings\GEST\Start Menu\Programs\Total Secure 2009.lnk
C:\Documents and Settings\GEST\Start Menu\Search Online.url
C:\Documents and Settings\GEST\Start Menu\VIP Casino.url

Rogue.SpywareGuard2008
\Spyware Guard 2008.lnk

Rogue.AntiSpywareXP2009
\AntiSpywareXP2009.lnk

Rogue.AntiVirusSentry
C:\Documents and Settings\GEST\Desktop\AntiVirus Sentry.lnk

Rogue.RealAntiVirus
\RealAV.lnk

Rogue.PersonalDefender2009
C:\Documents and Settings\GEST\Start Menu\Personal Defender 2009.lnk

Trojan.Fake-Alert/Trace
C:\Documents and Settings\GEST\Local Settings\Temporary Internet Files\fbk.sts

Rogue.VirusTrigger
C:\Documents and Settings\GEST\Start Menu\Programs\VirusTrigger 2.1\VirusTrigger 2.1.lnk
C:\Documents and Settings\GEST\Start Menu\VirusTrigger 2.1.lnk

Rogue.XPProtectionCenter
\XPProtectionCenter.lnk

Rogue.PerfectDefender2009
C:\Documents and Settings\GEST\Start Menu\Perfect Defender 2009.lnk
C:\Documents and Settings\All Users\Start-meny\Programs\Perfect Defender 2009\Uninstall Perfect Defender 2009.lnk

Rogue.AntiVirus360
C:\Documents and Settings\GEST\Desktop\Antivirus 360.lnk

Rogue.ISafeAntiVirus
C:\Documents and Settings\GEST\Start Menu\iSafe AntiVirus 2.1.lnk
\iSafe AntiVirus 2.1.lnk

Rogue.XPPolice
C:\Documents and Settings\GEST\Start Menu\XP Police Antivirus.LNK

Rogue.AntiVirusAgentPro
\Antivirus Agent Pro.lnk

Rogue.PrivacyCenter
C:\Documents and Settings\GEST\Application Data\pc\agent.exe
C:\Documents and Settings\GEST\Application Data\pc\pc.exe
C:\Documents and Settings\GEST\Application Data\pc\uninstall.exe
C:\Documents and Settings\GEST\Desktop\Control center.lnk
C:\Documents and Settings\GEST\Desktop\Privacy Tools.lnk

Rogue.MalwareCatcher2009
C:\Documents and Settings\GEST\Desktop\Malware Catcher 2009.lnk
C:\Documents and Settings\GEST\Start Menu\Malware Catcher 2009.lnk
C:\Documents and Settings\GEST\Start Menu\Programs\Malware Catcher 2009.lnk

Rogue.SystemSecurity
C:\Documents and Settings\GEST\Desktop\System Security 2009.lnk

Rogue.TotalDefender
C:\Documents and Settings\GEST\Desktop\Total Defender.lnk

Rogue.AdvancedVirusRemover
C:\Documents and Settings\GEST\Desktop\Advanced Virus Remover.lnk
C:\Documents and Settings\GEST\Start Menu\Advanced Virus Remover.lnk

Rogue.PrivacyComponents
\Privacy components.lnk
C:\Documents and Settings\GEST\Desktop\Privacy components.lnk

Trojan.Agent/Gen
C:\WINDOWS\system32\lowsec\local.ds
C:\WINDOWS\system32\lowsec\user.ds
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.lnk

Rogue.AntiVirusBest
C:\Documents and Settings\All Users\Application Data\AB\QWPROTECT.DLL
C:\Documents and Settings\All Users\Application Data\AB\INSTALLER.EXE
C:\Documents and Settings\All Users\Application Data\AB\ABEST.EXE

Rogue.Contraviro
C:\Documents and Settings\All Users\Start-meny\Programs\Contraviro.lnk

Rogue.SmartProtector
C:\Documents and Settings\GEST\Desktop\Smart Protector.lnk

Rogue.WindowsSecuritySuite
C:\Documents and Settings\GEST\Desktop\Windows Security Suite.lnk
C:\Documents and Settings\GEST\Start Menu\Programs\Windows Security Suite.lnk
C:\Documents and Settings\GEST\Start Menu\Windows Security Suite.lnk

Rogue.WindowsSystemSuite
C:\Documents and Settings\GEST\Desktop\Windows System Suite.lnk
C:\Documents and Settings\GEST\Start Menu\Programs\Windows System Suite.lnk
C:\Documents and Settings\GEST\Start Menu\Windows System Suite.lnk

Trojan.ThunMail
C:\Program\ThunMail\testabd.dll

Rogue.GreenAntiVirus
C:\Documents and Settings\All Users\Application Data\GAV\GAV.EXE
C:\Documents and Settings\All Users\Application Data\GRA\GRA.EXE

Rogue.BlockProtector
C:\Documents and Settings\GEST\Start Menu\Programs\BlockProtector.lnk

Rogue.SystemFighter
C:\Documents and Settings\GEST\Desktop\SystemFighter.lnk
C:\Documents and Settings\GEST\Start Menu\Programs\SystemFighter.lnk

Rogue.SafetyAntiSpyware
C:\Documents and Settings\GEST\Desktop\Safety Anti-Spyware 3.lnk

Rogue.SecurityTool
C:\Documents and Settings\GEST\Start Menu\Programs\Security Tool.lnk
C:\Documents and Settings\GEST\Desktop\Security Tool.lnk

Rogue.InternetSecurity2010
C:\Documents and Settings\GEST\Desktop\Internet Security 2010.lnk
C:\Documents and Settings\GEST\Start Menu\Internet Security 2010.lnk

Rogue.ProtectSoldier
C:\Documents and Settings\GEST\Desktop\ProtectSoldier.lnk
C:\Documents and Settings\GEST\Start Menu\Programs\ProtectSoldier.lnk

Rogue.SecurityAntivirus
\Security Antivirus.lnk
C:\Documents and Settings\GEST\Desktop\Security Antivirus.lnk
C:\Documents and Settings\GEST\Start Menu\Programs\Security Antivirus.lnk
C:\Documents and Settings\GEST\Start Menu\Security Antivirus.lnk

[/log]


Many updates just swap one piece of code for another of roughly the same size, but often a problem in the code has to be fixed by adding more code, which makes files in Windows larger. You can't go without the updates either, because then the computer becomes vulnerable and easy to infect via a hacked web page, a spam e-mail and so on.

You can get an overview of memory usage by looking in Task Manager, on the Processes tab, and additional columns can be enabled from the menu. But it can't be traced back to a particular update or anything like that.

On the underside of your laptop there should be a hatch giving access to one or two memory slots. What is the computer's make and model?


Now that's a difference.

The list is long, but most of it is shortcuts to web pages (.url) or Start menu shortcuts (.lnk), which aren't harmful in themselves but have been removed so that you don't risk getting the computer infected. There are some program files (.exe) as well, though. Since it may be more than a month since they got onto the computer, they don't show up in a DDS log, because it only looks 30 days back in time.

Given the type of malware (rogue programs), ComboFix is a good choice. Save ComboFix to the Desktop:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Close all programs you can see, including antivirus and antispyware programs, but leave the firewall on.

How? See http://www.bleepingcomputer.com/forums/topic114351.html

Run ComboFix and follow the instructions shown.

If you are asked whether you want to install the Recovery Console, answer yes.

IMPORTANT! Don't click in the ComboFix window with the mouse while it is running, otherwise it may hang.

When it is finished a log should appear; paste it into your reply. Check that the antivirus program etc. are running before you connect to the internet.

If you have trouble getting onto the internet:

Control Panel - Network Connections

right-click your internet connection and choose Repair, and/or restart the computer.

Warning! ComboFix disables autorun for CDs, floppies and USB devices, to make it easier to clean the computer and to protect it against infections in the future. This can cause problems, e.g. if the computer gets its internet via a USB modem or USB network adapter. If that is the case, say so instead of running ComboFix.

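The triage rule in the reply above (.url and .lnk entries are only pointers; the .exe entries are the ones to look at) is easy to apply by hand to a short list but tedious on one this size. The following is an added example, not code from the thread, from SUPERAntiSpyware or from any other tool mentioned here: a small Python script that parses a detection list in the posted format (a detection name line followed by one path per line, groups separated by blank lines), sorts each path into shortcut, code or other, and lists what merits a second look. It adds one refinement to the reply's rule: a shortcut sitting in a Startup folder is run at every logon, so it is flagged even though it is "only" a .lnk. The extension sets, the folder markers and the function names are assumptions chosen for this example; the sample input is a few lines copied from the log posted above.

```python
"""Triage a SUPERAntiSpyware-style detection list.

Input format, as posted in the thread: a detection-name line such as
'Rogue.SecurityTool', then one file path per line, groups separated by
blank lines. Entries that start with a bare backslash are kept exactly
as the scanner printed them.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Pointers to something else: not harmful by themselves, removed so the
# user does not click them again. (Assumed set, chosen for this example.)
SHORTCUT_EXT = {".url", ".lnk"}
# Files that carry executable code and deserve a second look. (Assumed.)
CODE_EXT = {".exe", ".dll", ".ocx", ".sys", ".bat", ".cpl", ".scr", ".com"}
# A shortcut in one of these folders is run at every logon, so it is a
# persistence mechanism rather than a harmless bookmark. (Assumed.)
AUTOSTART_MARKERS = ("\\startup\\", "\\autostart\\")

# A path line starts with a drive letter or with a bare backslash.
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\")


def parse_detections(text):
    """Return [(detection_name, [paths])] in the order they appear."""
    groups = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            if current is None:
                raise ValueError(f"path before any detection name: {line}")
            current[1].append(line)
        else:
            current = (line, [])
            groups.append(current)
    return groups


def classify(path):
    """Rate one path as 'shortcut', 'code' or 'other', plus an autostart flag."""
    ext = PureWindowsPath(path).suffix.lower()
    if ext in SHORTCUT_EXT:
        kind = "shortcut"
    elif ext in CODE_EXT:
        kind = "code"
    else:
        kind = "other"
    autostart = any(marker in path.lower() for marker in AUTOSTART_MARKERS)
    return kind, autostart


def triage(text):
    """Count paths per kind and list the ones that merit follow-up.

    Follow-up means: anything that is not a plain shortcut, or a shortcut
    that lives in an autostart folder.
    """
    counts = Counter()
    followup = []
    for name, paths in parse_detections(text):
        for path in paths:
            kind, autostart = classify(path)
            counts[kind] += 1
            if kind != "shortcut" or autostart:
                followup.append((name, path, kind, autostart))
    return dict(counts), followup


# Constructed sample: a few lines copied from the log posted in the thread.
SAMPLE_LOG = r"""
Browser Hijacker.Favorites
C:\Documents and Settings\GEST\Favoriter\Favorites\Viagra.url
C:\Documents and Settings\GEST\Favoriter\Games\USA Casino.url

Trojan.Multi-Dropper
C:\WINDOWS\..\ktgmhs.exe

Rogue.AntiVir64
C:\Documents and Settings\GEST\Start Menu\Programs\Startup\Antivir64.lnk

Trojan.Agent/Gen
C:\WINDOWS\system32\lowsec\local.ds
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.lnk

Rogue.AntiVirusBest
C:\Documents and Settings\All Users\Application Data\AB\QWPROTECT.DLL
"""


def main():
    counts, followup = triage(SAMPLE_LOG)
    print("counts:", counts)
    for name, path, kind, autostart in followup:
        tag = "AUTOSTART " if autostart else ""
        print(f"[{kind:8}] {tag}{name}: {path}")


if __name__ == "__main__":
    main()
```

Run it against the full list and the output shrinks from a few hundred shortcut entries to the handful of executables, DLLs and data files (plus the two Startup-folder shortcuts) that are actually worth checking against the ComboFix log that follows.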

Second attempt at sending the ComboFix log:

 

ComboFix 10-03-26.02 - GEST 2010-03-27 12:27:12.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.511.246 [GMT 1:00]

Running from: c:\documents and settings\GEST\Skrivbord\ComboFix.exe

AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}

FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

.

 

((((((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\recycler\S-1-5-21-2052111302-1604221776-839522115-1003

c:\recycler\S-1-5-21-2143077712-2417723160-2741302876-1003

 

.

(((((((((((((((((((((((( Files created from 2010-02-27 to 2010-03-27 ))))))))))))))))))))))))))))))

.

 

2010-03-26 13:06 . 2010-03-26 13:06 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-03-26 13:06 . 2010-03-26 13:06 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan

2010-03-26 13:05 . 2010-03-26 13:05 -------- d-----w- c:\program\McAfee Security Scan

2010-03-26 11:40 . 2010-03-26 11:40 -------- d-----w- C:\Sandbox

2010-03-26 00:29 . 2010-03-26 00:29 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-03-22 22:22 . 2010-03-22 22:25 -------- d-----w- c:\documents and settings\All Users\Application Data\COMODO

2010-03-22 22:21 . 2010-03-27 11:11 592401 ----a-w- c:\windows\system32\drivers\sfi.dat

2010-03-22 22:12 . 2010-03-22 22:12 -------- d-----w- c:\documents and settings\GEST\Application Data\Comodo

2010-03-22 22:11 . 2010-03-22 22:18 -------- d-----w- c:\program\Comodo

2010-03-22 22:11 . 2009-10-14 18:08 32000 ----a-w- c:\windows\system32\drivers\tap0901.sys

2010-03-22 21:59 . 2010-03-22 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader

2010-03-15 07:09 . 2009-11-21 16:03 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

2010-03-15 07:07 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

2010-03-14 07:10 . 2009-08-06 18:23 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-03-14 07:10 . 2009-08-06 18:23 215920 ----a-w- c:\windows\system32\muweb.dll

2010-03-13 22:13 . 2010-02-24 09:16 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-03-13 21:31 . 2010-03-22 21:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-03-03 18:54 . 2010-03-03 18:54 276648 ----a-w- c:\windows\system32\guard32.dll

2010-03-03 18:54 . 2010-03-03 18:54 86720 ----a-w- c:\windows\system32\drivers\inspect.sys

2010-03-03 18:54 . 2010-03-03 18:54 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys

2010-03-03 18:54 . 2010-03-03 18:54 214056 ----a-w- c:\windows\system32\drivers\cmdGuard.sys

2010-03-03 18:54 . 2010-03-03 18:54 15376 ----a-w- c:\windows\system32\drivers\cmderd.sys

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-26 13:19 . 2004-11-02 09:03 -------- d-----w- c:\program\Delade filer\Adobe

2010-03-26 11:45 . 2010-03-26 11:44 20841968 ----a-w- c:\documents and settings\GEST\Application Data\Real\Update\setup\rp\RealPlayerSPGold.exe

2010-03-26 11:44 . 2010-03-26 11:44 8406648 ----a-w- c:\documents and settings\GEST\Application Data\Real\Update\setup\gtb_us\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe

2010-03-26 11:44 . 2010-03-26 11:43 10309448 ----a-w- c:\documents and settings\GEST\Application Data\Real\Update\setup\chr\ChromeInstaller.exe

2010-03-26 11:42 . 2010-03-26 11:42 52288 ----a-w- c:\documents and settings\GEST\Application Data\Real\Update\setup\RUP\inst_config\gtapi.dll

2010-03-26 11:42 . 2010-03-26 11:42 64000 ----a-w- c:\documents and settings\GEST\Application Data\Real\Update\setup\RUP\inst_config\gcapi_dll.dll

2010-03-26 11:42 . 2010-03-26 11:42 50688 ----a-w- c:\documents and settings\GEST\Application Data\Real\Update\setup\RUP\inst_config\fftbapi.dll

2010-03-26 11:42 . 2010-03-26 11:42 114688 ----a-w- c:\documents and settings\GEST\Application Data\Real\Update\setup\RUP\inst_config\compat.dll

2010-03-26 10:21 . 2004-11-01 07:18 -------- d--h--w- c:\program\InstallShield Installation Information

2010-03-26 00:24 . 2009-08-24 19:43 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-03-26 00:23 . 2004-11-01 07:18 -------- d-----w- c:\program\Java

2010-03-26 00:23 . 2010-03-26 00:23 152576 ----a-w- c:\documents and settings\GEST\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2010-03-26 00:22 . 2010-03-26 00:22 79488 ----a-w- c:\documents and settings\GEST\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2010-03-25 23:59 . 2004-11-01 07:17 -------- d-----w- c:\program\Delade filer\Java

2010-03-25 23:58 . 2010-03-25 23:58 503808 ----a-w- c:\documents and settings\GEST\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-60840bc6-n\msvcp71.dll

2010-03-25 23:58 . 2010-03-25 23:58 499712 ----a-w- c:\documents and settings\GEST\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-60840bc6-n\jmc.dll

2010-03-25 23:58 . 2010-03-25 23:58 348160 ----a-w- c:\documents and settings\GEST\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-60840bc6-n\msvcr71.dll

2010-03-25 23:58 . 2010-03-25 23:58 61440 ----a-w- c:\documents and settings\GEST\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-65fefac6-n\decora-sse.dll

2010-03-25 23:58 . 2010-03-25 23:58 12800 ----a-w- c:\documents and settings\GEST\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-65fefac6-n\decora-d3d.dll

2010-03-24 22:35 . 2004-11-14 23:50 -------- d-----w- c:\program\Spybot - Search & Destroy

2010-03-24 21:30 . 2004-11-15 07:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-03-22 22:08 . 2010-03-22 22:08 1510584 ----a-w- c:\documents and settings\All Users\Application Data\Comodo Downloader\trustconnectclient.exe

2010-03-22 22:08 . 2010-03-22 22:08 5542592 ----a-w- c:\documents and settings\All Users\Application Data\Comodo Downloader\hopsurf.exe

2010-03-22 21:47 . 2005-01-22 22:58 -------- d-----w- c:\documents and settings\GEST\Application Data\Share-to-Web Upload Folder

2010-03-22 21:43 . 2003-10-07 08:46 64816 ----a-w- c:\windows\system32\perfc01D.dat

2010-03-22 21:43 . 2003-10-07 08:46 387550 ----a-w- c:\windows\system32\perfh01D.dat

2010-03-14 18:17 . 2010-03-14 18:17 1 ----a-w- c:\documents and settings\GEST\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

2010-03-14 15:12 . 2006-12-11 17:02 -------- d-----w- c:\program\SUPERAntiSpyware

2010-03-13 21:23 . 2005-01-15 21:57 -------- d-----w- c:\program\Delade filer\Symantec Shared

2010-01-05 09:59 . 2004-02-06 16:09 832512 ----a-w- c:\windows\system32\wininet.dll

2010-01-05 09:59 . 2004-08-04 08:33 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-01-05 09:59 . 2003-04-24 02:00 17408 ----a-w- c:\windows\system32\corpol.dll

2009-12-31 16:50 . 2003-04-24 02:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2004-12-19 18:35 . 2004-12-19 18:35 1154253 ----a-w- c:\program\image001.jpg

2003-04-24 02:00 . 2003-04-24 02:00 94816 --sh--w- c:\windows\twain.dll

2008-04-14 16:04 . 2003-04-24 02:00 50688 --sh--w- c:\windows\twain_32.dll

2008-04-14 16:04 . 2003-04-24 02:00 1028096 --sha-w- c:\windows\system32\mfc42.dll

2008-04-14 16:04 . 2003-04-24 02:00 57344 --sha-w- c:\windows\system32\msvcirt.dll

2008-04-14 16:04 . 2003-04-24 02:00 413696 --sha-w- c:\windows\system32\msvcp60.dll

2008-04-14 16:04 . 2003-04-24 02:00 343040 --sha-w- c:\windows\system32\msvcrt.dll

2008-04-14 16:04 . 2003-04-24 02:00 551936 --sha-w- c:\windows\system32\oleaut32.dll

2008-04-14 16:04 . 2003-04-24 02:00 84992 --sha-w- c:\windows\system32\olepro32.dll

2008-04-14 16:05 . 2003-04-24 02:00 11776 --sha-w- c:\windows\system32\regsvr32.exe

.

 

(((((((((((((((((((((((((((((((((( Registry start points )))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* Empty entries & legitimate default entries are not shown.

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"COMODO Internet Security"="c:\program\COMODO\COMODO Internet Security\cfp.exe" [2010-03-03 1983760]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program\SUPERAntiSpyware\SASSEH.DLL" [2007-02-15 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\guard32.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]

@="Service"

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Adobe Gamma Loader.exe.lnk]

path=c:\documents and settings\All Users\Start-meny\Program\Autostart\Adobe Gamma Loader.exe.lnk

backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Adobe Gamma Loader.lnk]

path=c:\documents and settings\All Users\Start-meny\Program\Autostart\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start-meny\Program\Autostart\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Ashampoo Magical Defrag.lnk]

path=c:\documents and settings\All Users\Start-meny\Program\Autostart\Ashampoo Magical Defrag.lnk

backup=c:\windows\pss\Ashampoo Magical Defrag.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^BankID säkerhetsprogram.lnk]

path=c:\documents and settings\All Users\Start-meny\Program\Autostart\BankID säkerhetsprogram.lnk

backup=c:\windows\pss\BankID säkerhetsprogram.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Certificate Mover.lnk]

path=c:\documents and settings\All Users\Start-meny\Program\Autostart\Certificate Mover.lnk

backup=c:\windows\pss\Certificate Mover.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start-meny\Program\Autostart\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^HPAiODevice(hp psc 900 series) - 1.lnk]

path=c:\documents and settings\All Users\Start-meny\Program\Autostart\HPAiODevice(hp psc 900 series) - 1.lnk

backup=c:\windows\pss\HPAiODevice(hp psc 900 series) - 1.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^McAfee Security Scan Plus.lnk]

path=c:\documents and settings\All Users\Start-meny\Program\Autostart\McAfee Security Scan Plus.lnk

backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start-meny\Program\Autostart\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Personal.lnk]

path=c:\documents and settings\All Users\Start-meny\Program\Autostart\Personal.lnk

backup=c:\windows\pss\Personal.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^WinZip Quick Pick.lnk]

path=c:\documents and settings\All Users\Start-meny\Program\Autostart\WinZip Quick Pick.lnk

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2009-12-11 14:57 948672 ----a-r- c:\program\Delade filer\Adobe\ARM\1.0\AdobeARM.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-12-22 00:57 35760 ----a-w- c:\program\Adobe\Reader 9.0\Reader\reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]

2004-01-30 16:01 88363 ----a-w- c:\windows\AGRSMMSG.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]

2003-10-08 03:40 159744 ----a-w- c:\program\Apoint2K\Apoint.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bredbandsbolaget]

2006-08-08 00:36 94208 ----a-w- c:\program\Bredbandsbolaget\Servicecenter\servicecenter.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]

2004-03-01 11:05 200766 ----a-w- c:\program\HPQ\Default Settings\Cpqset.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 16:05 15360 ------w- c:\windows\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]

2004-01-13 07:21 245760 ----a-w- c:\program\HPQ\Quick Launch Buttons\eabservr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2003-06-25 09:24 49152 ----a-w- c:\program\Hewlett-Packard\HP Software Update\hpwuSchd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]

2003-05-22 18:00 483328 ----a-w- c:\windows\system32\hphmon05.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWBMOUSE]

2000-04-27 01:05 359424 ----a-w- c:\program\iWare\iWare Mouse\3.2\LwbWheel.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

2001-07-09 02:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2004-04-07 19:22 4730880 ----a-w- c:\windows\system32\nvcpl.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

2004-04-07 19:22 323584 ----a-w- c:\windows\system32\nwiz.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2004-05-31 18:53 98304 ----a-w- c:\program\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]

2001-07-03 07:11 57344 ----a-w- c:\program\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2005-11-10 12:03 36975 ----a-w- c:\program\Java\jre1.5.0_06\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

2007-02-15 10:44 1310720 ----a-w- c:\program\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2007-07-27 04:45 68856 ----a-w- c:\program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2004-11-17 21:28 180269 ----a-w- c:\program\Delade filer\Real\Update_OB\realsched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]

2003-08-18 23:01 110592 ----a-w- c:\program\Delade filer\Sonic\Update Manager\sgtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\Program\\Mozilla Firefox\\firefox.exe"=

"c:\\WS_FTP\\WS_FTP95.exe"=

"c:\\WINDOWS\\system32\\mshta.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program\\Messenger\\msmsgs.exe"=

"c:\\xpipcfg\\xpipcfg.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

 

R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2010-03-03 15376]

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-03-03 214056]

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-03-03 25160]

R1 SASDIFSV;SASDIFSV;c:\program\SUPERAntiSpyware\sasdifsv.sys [2006-12-11 5632]

R1 SASKUTIL;SASKUTIL;c:\program\SUPERAntiSpyware\SASKUTIL.SYS [2006-12-11 30720]

R2 CLPSLS;COMODO livePCsupport Service;c:\program\Comodo\COMODO livePCsupport\CLPSLS.exe [2010-02-12 148744]

R3 SASENUM;SASENUM;c:\program\SUPERAntiSpyware\SASENUM.SYS [2006-12-11 4096]

S2 Automatisk LiveUpdate-schemaläggare;Automatisk LiveUpdate-schemaläggare;"c:\program\Symantec\LiveUpdate\ALUSchedulerSvc.exe" --> c:\program\Symantec\LiveUpdate\ALUSchedulerSvc.exe [?]

S3 G3GRSC;G3G R Smart Card;c:\windows\system32\drivers\g3grsc.sys [2006-06-21 18688]

S3 G3GRUMDM;G3G R USB Modem;c:\windows\system32\drivers\g3grumdm.sys [2006-06-21 27648]

S3 G3GRUSER;G3G R USB Serial;c:\windows\system32\drivers\g3gruser.sys [2006-06-21 24064]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]

S3 Tdsshbecr;Handelsbanken card reader;c:\windows\system32\drivers\shbecr.sys [2009-10-25 42368]

S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [2005-05-05 40060]

S3 VNic;ULan Network Driver Module;c:\windows\system32\DRIVERS\VNic.sys --> c:\windows\system32\DRIVERS\VNic.sys [?]

.

.

------- Extra genomsökning -------

.

uStart Page = hxxp://www.google.se/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xportera till Microsoft Excel - c:\program\MICROS~3\Office10\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\GEST\Application Data\Mozilla\Firefox\Profiles\lnsqzpnm.default\

FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:sv-SE:official

FF - plugin: c:\program\Mozilla Firefox\plugins\npdjvu.dll

FF - plugin: c:\program\Personal\bin\np_prsnl.dll

 

---- FIREFOX POLICY ----

c:\program\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");

.

- - - - FÖRÄLDRALÖSA POSTER SOM TAGITS BORT - - - -

 

HKU-Default-Run-DWQueuedReporting - c:\program\DELADE~1\MICROS~1\DW\dwtrig20.exe

MSConfigStartUp-HPHUPD05 - c:\program\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

MSConfigStartUp-iTunesHelper - c:\program\iTunes\iTunesHelper.exe

MSConfigStartUp-NPCTray - c:\program\Norman\npc\bin\npc_tray.exe

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-27 12:37

Windows 5.1.2600 Service Pack 3 NTFS

 

detected NTDLL code modification:

ZwClose, ZwOpenFile

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLer som "laddats" under processer som körs ---------------------

 

- - - - - - - > 'winlogon.exe'(596)

c:\windows\system32\guard32.dll

 

- - - - - - - > 'lsass.exe'(652)

c:\windows\system32\guard32.dll

.

Sluttid: 2010-03-27 12:44:17

ComboFix-quarantined-files.txt 2010-03-27 11:43

 

Före genomsökningen: 19 797 057 536 byte ledigt

Efter genomsökningen: 19 900 489 728 byte ledigt

 

WindowsXP-KB310994-SP2-Home-BootDisk-SVE.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

 

- - End Of File - - 5F37C720248CFC415AF0AE267D287279


A Norton leftover to remove:

Control Panel - Administrative Tools - Services

Find Automatisk LiveUpdate-schemaläggare in the list, double-click it and set Startup type to Disabled.

 

Nothing active is visible. If you want to be even safer, run Malwarebytes Anti-Malware (MBAM) from: http://www.malwarebytes.org/mbam.php

If anything is found, paste that log.


Malwarebytes found nothing, but I had to turn off both the firewall and the antivirus for the scan to be able to run (with no internet connection at that point).

 

How do addresses of nasty web pages get into my computer, and who has put shortcuts on the desktop that are unknown to us and invisible?

 

Thank you Cecilia for your patience in trying to solve the problems with the computer. You are a great resource!

 

Now I will first look into where we can get hold of memory, install it and see whether that solves the problem with sluggish computers; otherwise I will have to ask for further help.


On the page http://www.virustotal.com, press the Browse button and paste one of the following file names into the box, press Send File and wait until the result is ready (the status field changes to completed). Paste a link to the result here. Repeat with the next file name.

C:\Program\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\Explorer.EXE

 

SUPERAntiSpyware did find a number of malicious files on the computer in addition to all the links and shortcuts, so it is surely one of them that put the links/shortcuts there.

[log]Trojan.Unknown Origin

C:\Documents and Settings\GEST\Local Settings\Temporary Internet Files\bestwiner.stt

C:\Documents and Settings\GEST\Local Settings\Temporary Internet Files\CPV.stt

 

Trojan.Multi-Dropper

C:\WINDOWS\..\ktgmhs.exe

C:\WINDOWS\..\rwhucv.exe

 

Rogue.PC-Cleaner

\filemanagerclient.exe

 

Rogue.Doctor AntiVirus 2008

C:\Documents and Settings\GEST\Desktop\antvr.exe

 

Adware.Media-Codec/ZLob

C:\Program\Applications\IEBTMM.EXE

C:\Program\Applications\WCM.EXE

C:\Program\Applications\WCS.EXE

 

Rogue.PrivacyCenter

C:\Documents and Settings\GEST\Application Data\pc\agent.exe

C:\Documents and Settings\GEST\Application Data\pc\pc.exe

C:\Documents and Settings\GEST\Application Data\pc\uninstall.exe

 

Rogue.AntiVirusBest

C:\Documents and Settings\All Users\Application Data\AB\QWPROTECT.DLL

C:\Documents and Settings\All Users\Application Data\AB\INSTALLER.EXE

C:\Documents and Settings\All Users\Application Data\AB\ABEST.EXE

 

Trojan.ThunMail

C:\Program\ThunMail\testabd.dll

 

Rogue.GreenAntiVirus

C:\Documents and Settings\All Users\Application Data\GAV\GAV.EXE

C:\Documents and Settings\All Users\Application Data\GRA\GRA.EXE

[/log]

Copy all the lines in the box:

DirLook::
C:\Documents and Settings\GEST\Desktop
C:\Program\Applications
C:\Documents and Settings\GEST\Application Data\pc
C:\Documents and Settings\All Users\Application Data\AB
C:\Documents and Settings\All Users\Application Data\GAV
C:\Documents and Settings\All Users\Application Data\GRA
C:\Program\ThunMail

and paste them into Notepad.

Save the file on the Desktop with the name CFScript.

 

Prepare the computer for ComboFix in the same way as before.

Drag CFScript with the mouse and drop it onto the ComboFix icon on the Desktop; the program then starts in a special mode.

Paste the log that comes out.
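The post above builds its DirLook:: list by hand from the scanner's detections. As an added example (not code from the thread or from ComboFix), the script below derives that list automatically: it takes every path SUPERAntiSpyware reported, resolves the directory that contained it, and emits one DirLook:: line per unique directory in a CFScript block. The detection list is copied from the log quoted above; the rules for skipping unresolvable paths and drive roots are this example's own assumptions, and it also keeps the Temporary Internet Files cache directory that the helper chose to leave out.

```python
"""Generate a ComboFix CFScript ``DirLook::`` block from scanner detections.

Added example, not part of the forum thread or of ComboFix itself.
"""
import ntpath

# Constructed sample input: the SUPERAntiSpyware detections quoted in the thread.
DETECTIONS = [
    r"C:\Documents and Settings\GEST\Local Settings\Temporary Internet Files\bestwiner.stt",
    r"C:\Documents and Settings\GEST\Local Settings\Temporary Internet Files\CPV.stt",
    r"C:\WINDOWS\..\ktgmhs.exe",
    r"C:\WINDOWS\..\rwhucv.exe",
    r"\filemanagerclient.exe",
    r"C:\Documents and Settings\GEST\Desktop\antvr.exe",
    r"C:\Program\Applications\IEBTMM.EXE",
    r"C:\Program\Applications\WCM.EXE",
    r"C:\Program\Applications\WCS.EXE",
    r"C:\Documents and Settings\GEST\Application Data\pc\agent.exe",
    r"C:\Documents and Settings\GEST\Application Data\pc\pc.exe",
    r"C:\Documents and Settings\GEST\Application Data\pc\uninstall.exe",
    r"C:\Documents and Settings\All Users\Application Data\AB\QWPROTECT.DLL",
    r"C:\Documents and Settings\All Users\Application Data\AB\INSTALLER.EXE",
    r"C:\Documents and Settings\All Users\Application Data\AB\ABEST.EXE",
    r"C:\Program\ThunMail\testabd.dll",
    r"C:\Documents and Settings\All Users\Application Data\GAV\GAV.EXE",
    r"C:\Documents and Settings\All Users\Application Data\GRA\GRA.EXE",
]


def parent_directories(paths):
    """Return the unique, fully qualified directories that contained ``paths``.

    Assumed rules (this example's own, not ComboFix policy):
    - entries without a drive letter (e.g. "\\filemanagerclient.exe", where the
      scanner could not resolve the location) are skipped;
    - entries whose directory normalises to a drive root ("C:\\WINDOWS\\.." becomes
      "C:\\") are skipped, since a DirLook of a whole drive is only noise;
    - comparison is case-insensitive, as on NTFS, and first-seen order is kept
      so the script reads in the same order as the scanner log.
    """
    seen_lower = set()
    result = []
    for raw in paths:
        drive, _ = ntpath.splitdrive(raw)
        if not drive:
            continue
        directory = ntpath.normpath(ntpath.dirname(raw))
        if ntpath.splitdrive(directory)[1] in ("\\", ""):
            continue
        key = directory.lower()
        if key in seen_lower:
            continue
        seen_lower.add(key)
        result.append(directory)
    return result


def build_cfscript(paths):
    """Render the DirLook:: block in the form shown in the post.

    CRLF line endings are used so Notepad on Windows XP shows one entry per line.
    """
    lines = ["DirLook::"] + parent_directories(paths)
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    print(build_cfscript(DETECTIONS), end="")
```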


There was a "New Folder" on the Desktop that could not be deleted, but today it ended up, apparently empty, in the Recycle Bin. Under User Accounts there is a .NET Passport for a dodgy hotmail address that I don't recognise. How do I remove it? I have found Passport Net\*(Passport) under Stored User Names and Passwords. If I choose Remove, do I then get rid of this Net Passport, or do I only delete a password that I don't know?

 

Log files from VirusTotal:

 

[log] Fil explorer.exe mottagen 2010.03.06 02:17:50 (UTC)

Närvarande status: genomförd

Resultat: 0/42 (0.00%)


Antivirus Version Senaste Uppdatering Resultat

a-squared 4.5.0.50 2010.03.05 -

AhnLab-V3 5.0.0.2 2010.03.05 -

AntiVir 8.2.1.180 2010.03.05 -

Antiy-AVL 2.0.3.7 2010.03.05 -

Authentium 5.2.0.5 2010.03.06 -

Avast 4.8.1351.0 2010.03.05 -

Avast5 5.0.332.0 2010.03.05 -

AVG 9.0.0.787 2010.03.05 -

BitDefender 7.2 2010.03.06 -

CAT-QuickHeal 10.00 2010.03.05 -

ClamAV 0.96.0.0-git 2010.03.05 -

Comodo 4091 2010.02.28 -

DrWeb 5.0.1.12222 2010.03.06 -

eSafe 7.0.17.0 2010.03.04 -

eTrust-Vet 35.2.7342 2010.03.05 -

F-Prot 4.5.1.85 2010.03.05 -

F-Secure 9.0.15370.0 2010.03.06 -

Fortinet 4.0.14.0 2010.03.04 -

GData 19 2010.03.06 -

Ikarus T3.1.1.80.0 2010.03.05 -

Jiangmin 13.0.900 2010.03.05 -

K7AntiVirus 7.10.990 2010.03.04 -

Kaspersky 7.0.0.125 2010.03.06 -

McAfee 5911 2010.03.05 -

McAfee+Artemis 5911 2010.03.05 -

McAfee-GW-Edition 6.8.5 2010.03.05 -

Microsoft 1.5502 2010.03.06 -

NOD32 4919 2010.03.05 -

Norman 6.04.08 2010.03.05 -

nProtect 2009.1.8.0 2010.03.05 -

Panda 10.0.2.2 2010.03.04 -

PCTools 7.0.3.5 2010.03.04 -

Prevx 3.0 2010.03.06 -

Rising 22.37.05.00 2010.03.06 -

Sophos 4.51.0 2010.03.06 -

Sunbelt 5766 2010.03.06 -

Symantec 20091.2.0.41 2010.03.06 -

TheHacker 6.5.1.8.222 2010.03.06 -

TrendMicro 9.120.0.1004 2010.03.05 -

VBA32 3.12.12.2 2010.03.05 -

ViRobot 2010.3.5.2214 2010.03.05 -

VirusBuster 5.0.27.0 2010.03.05 -

[/log]

 

[log] Fil iexplore.exe mottagen 2010.03.27 08:58:53 (UTC)

Närvarande status: genomförd

Resultat: 0/42 (0.00%)


Antivirus Version Senaste Uppdatering Resultat

a-squared 4.5.0.50 2010.03.27 -

AhnLab-V3 5.0.0.2 2010.03.26 -

AntiVir 7.10.5.241 2010.03.26 -

Antiy-AVL 2.0.3.7 2010.03.26 -

Authentium 5.2.0.5 2010.03.27 -

Avast 4.8.1351.0 2010.03.26 -

Avast5 5.0.332.0 2010.03.26 -

AVG 9.0.0.787 2010.03.27 -

BitDefender 7.2 2010.03.27 -

CAT-QuickHeal 10.00 2010.03.27 -

ClamAV 0.96.0.0-git 2010.03.27 -

Comodo 4401 2010.03.27 -

DrWeb 5.0.1.12222 2010.03.27 -

eSafe 7.0.17.0 2010.03.25 -

eTrust-Vet 35.2.7391 2010.03.26 -

F-Prot 4.5.1.85 2010.03.26 -

F-Secure 9.0.15370.0 2010.03.27 -

Fortinet 4.0.14.0 2010.03.26 -

GData 19 2010.03.27 -

Ikarus T3.1.1.80.0 2010.03.27 -

Jiangmin 13.0.900 2010.03.27 -

K7AntiVirus 7.10.1004 2010.03.22 -

Kaspersky 7.0.0.125 2010.03.27 -

McAfee 5932 2010.03.26 -

McAfee+Artemis 5932 2010.03.26 -

McAfee-GW-Edition 6.8.5 2010.03.26 -

Microsoft 1.5605 2010.03.27 -

NOD32 4978 2010.03.26 -

Norman 6.04.10 2010.03.26 -

nProtect 2009.1.8.0 2010.03.26 -

Panda 10.0.2.2 2010.03.26 -

PCTools 7.0.3.5 2010.03.27 -

Prevx 3.0 2010.03.27 -

Rising 22.40.05.04 2010.03.27 -

Sophos 4.52.0 2010.03.27 -

Sunbelt 6101 2010.03.26 -

Symantec 20091.2.0.41 2010.03.27 -

TheHacker 6.5.2.0.245 2010.03.26 -

TrendMicro 9.120.0.1004 2010.03.27 -

VBA32 3.12.12.2 2010.03.27 -

ViRobot 2010.3.27.2248 2010.03.27 -

VirusBuster 5.0.27.0 2010.03.26 -

[/log]

 

 

 

Log file from ComboFix:

 

[log]ComboFix 10-03-26.02 - GEST 2010-03-28 17:09:20.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.511.207 [GMT 2:00]

Körs från: c:\documents and settings\GEST\Skrivbord\ComboFix.exe

Använda kommandoväxlar :: c:\documents and settings\GEST\Skrivbord\CFScript.txt

AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}

FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

* Skapade en ny återställningspunkt

.

 

(((((((((((((((((((((((( Filer Skapade från 2010-02-28 till 2010-03-28 ))))))))))))))))))))))))))))))

.

 

2010-03-27 13:10 . 2010-03-27 13:10 -------- d-----w- c:\documents and settings\GEST\Application Data\Malwarebytes

2010-03-27 13:10 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-27 13:10 . 2010-03-27 13:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-03-27 13:09 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-27 13:09 . 2010-03-27 13:10 -------- d-----w- c:\program\Malwarebytes' Anti-Malware

2010-03-26 13:06 . 2010-03-26 13:06 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-03-26 13:06 . 2010-03-26 13:06 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan

2010-03-26 13:05 . 2010-03-26 13:05 -------- d-----w- c:\program\McAfee Security Scan

2010-03-26 11:40 . 2010-03-26 11:40 -------- d-----w- C:\Sandbox

2010-03-26 00:29 . 2010-03-26 00:29 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-03-22 22:22 . 2010-03-22 22:25 -------- d-----w- c:\documents and settings\All Users\Application Data\COMODO

2010-03-22 22:21 . 2010-03-28 14:53 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat

2010-03-22 22:12 . 2010-03-22 22:12 -------- d-----w- c:\documents and settings\GEST\Application Data\Comodo

2010-03-22 22:11 . 2010-03-22 22:18 -------- d-----w- c:\program\Comodo

2010-03-22 22:11 . 2009-10-14 18:08 32000 ----a-w- c:\windows\system32\drivers\tap0901.sys

2010-03-22 21:59 . 2010-03-22 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader

2010-03-15 07:09 . 2009-11-21 16:03 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

2010-03-15 07:07 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

2010-03-14 07:10 . 2009-08-06 18:23 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-03-14 07:10 . 2009-08-06 18:23 215920 ----a-w- c:\windows\system32\muweb.dll

2010-03-13 22:13 . 2010-02-24 09:16 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-03-13 21:31 . 2010-03-22 21:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-03-03 18:54 . 2010-03-03 18:54 276648 ----a-w- c:\windows\system32\guard32.dll

2010-03-03 18:54 . 2010-03-03 18:54 86720 ----a-w- c:\windows\system32\drivers\inspect.sys

2010-03-03 18:54 . 2010-03-03 18:54 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys

2010-03-03 18:54 . 2010-03-03 18:54 214056 ----a-w- c:\windows\system32\drivers\cmdGuard.sys

2010-03-03 18:54 . 2010-03-03 18:54 15376 ----a-w- c:\windows\system32\drivers\cmderd.sys

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-28 08:50 . 2003-10-07 08:46 64816 ----a-w- c:\windows\system32\perfc01D.dat

2010-03-28 08:50 . 2003-10-07 08:46 387550 ----a-w- c:\windows\system32\perfh01D.dat

2010-03-26 13:19 . 2004-11-02 09:03 -------- d-----w- c:\program\Delade filer\Adobe

2010-03-26 11:45 . 2010-03-26 11:44 20841968 ----a-w- c:\documents and settings\GEST\Application Data\Real\Update\setup\rp\RealPlayerSPGold.exe

2010-03-26 11:44 . 2010-03-26 11:44 8406648 ----a-w- c:\documents and settings\GEST\Application Data\Real\Update\setup\gtb_us\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe

2010-03-26 11:44 . 2010-03-26 11:43 10309448 ----a-w- c:\documents and settings\GEST\Application Data\Real\Update\setup\chr\ChromeInstaller.exe

2010-03-26 11:42 . 2010-03-26 11:42 52288 ----a-w- c:\documents and settings\GEST\Application Data\Real\Update\setup\RUP\inst_config\gtapi.dll

2010-03-26 11:42 . 2010-03-26 11:42 64000 ----a-w- c:\documents and settings\GEST\Application Data\Real\Update\setup\RUP\inst_config\gcapi_dll.dll

2010-03-26 11:42 . 2010-03-26 11:42 50688 ----a-w- c:\documents and settings\GEST\Application Data\Real\Update\setup\RUP\inst_config\fftbapi.dll

2010-03-26 11:42 . 2010-03-26 11:42 114688 ----a-w- c:\documents and settings\GEST\Application Data\Real\Update\setup\RUP\inst_config\compat.dll

2010-03-26 10:21 . 2004-11-01 07:18 -------- d--h--w- c:\program\InstallShield Installation Information

2010-03-26 00:24 . 2009-08-24 19:43 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-03-26 00:23 . 2004-11-01 07:18 -------- d-----w- c:\program\Java

2010-03-26 00:23 . 2010-03-26 00:23 152576 ----a-w- c:\documents and settings\GEST\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2010-03-26 00:22 . 2010-03-26 00:22 79488 ----a-w- c:\documents and settings\GEST\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2010-03-25 23:59 . 2004-11-01 07:17 -------- d-----w- c:\program\Delade filer\Java

2010-03-25 23:58 . 2010-03-25 23:58 503808 ----a-w- c:\documents and settings\GEST\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-60840bc6-n\msvcp71.dll

2010-03-25 23:58 . 2010-03-25 23:58 499712 ----a-w- c:\documents and settings\GEST\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-60840bc6-n\jmc.dll

2010-03-25 23:58 . 2010-03-25 23:58 348160 ----a-w- c:\documents and settings\GEST\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-60840bc6-n\msvcr71.dll

2010-03-25 23:58 . 2010-03-25 23:58 61440 ----a-w- c:\documents and settings\GEST\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-65fefac6-n\decora-sse.dll

2010-03-25 23:58 . 2010-03-25 23:58 12800 ----a-w- c:\documents and settings\GEST\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-65fefac6-n\decora-d3d.dll

2010-03-24 22:35 . 2004-11-14 23:50 -------- d-----w- c:\program\Spybot - Search & Destroy

2010-03-24 21:30 . 2004-11-15 07:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-03-22 22:08 . 2010-03-22 22:08 1510584 ----a-w- c:\documents and settings\All Users\Application Data\Comodo Downloader\trustconnectclient.exe

2010-03-22 22:08 . 2010-03-22 22:08 5542592 ----a-w- c:\documents and settings\All Users\Application Data\Comodo Downloader\hopsurf.exe

2010-03-22 21:47 . 2005-01-22 22:58 -------- d-----w- c:\documents and settings\GEST\Application Data\Share-to-Web Upload Folder

2010-03-14 18:17 . 2010-03-14 18:17 1 ----a-w- c:\documents and settings\GEST\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

2010-03-14 15:12 . 2006-12-11 17:02 -------- d-----w- c:\program\SUPERAntiSpyware

2010-03-13 21:23 . 2005-01-15 21:57 -------- d-----w- c:\program\Delade filer\Symantec Shared

2010-01-05 09:59 . 2004-02-06 16:09 832512 ------w- c:\windows\system32\wininet.dll

2010-01-05 09:59 . 2004-08-04 08:33 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-01-05 09:59 . 2003-04-24 02:00 17408 ----a-w- c:\windows\system32\corpol.dll

2009-12-31 16:50 . 2003-04-24 02:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2004-12-19 18:35 . 2004-12-19 18:35 1154253 ----a-w- c:\program\image001.jpg

2003-04-24 02:00 . 2003-04-24 02:00 94816 --sh--w- c:\windows\twain.dll

2008-04-14 16:04 . 2003-04-24 02:00 50688 --sh--w- c:\windows\twain_32.dll

2008-04-14 16:04 . 2003-04-24 02:00 1028096 --sha-w- c:\windows\system32\mfc42.dll

2008-04-14 16:04 . 2003-04-24 02:00 57344 --sha-w- c:\windows\system32\msvcirt.dll

2008-04-14 16:04 . 2003-04-24 02:00 413696 --sha-w- c:\windows\system32\msvcp60.dll

2008-04-14 16:04 . 2003-04-24 02:00 551936 --sha-w- c:\windows\system32\oleaut32.dll

2008-04-14 16:04 . 2003-04-24 02:00 84992 --sha-w- c:\windows\system32\olepro32.dll

2008-04-14 16:05 . 2003-04-24 02:00 11776 --sha-w- c:\windows\system32\regsvr32.exe

.

 

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of c:\documents and settings\All Users\Application Data\AB ----

 

 

---- Directory of c:\documents and settings\All Users\Application Data\GAV ----

 

 

---- Directory of c:\documents and settings\All Users\Application Data\GRA ----

 

 

---- Directory of c:\documents and settings\GEST\Application Data\pc ----

 

 

---- Directory of c:\documents and settings\GEST\Desktop ----

 

 

---- Directory of c:\program\Applications ----

 

 

---- Directory of c:\program\ThunMail ----

 

 

 

((((((((((((((((((((((((((((( SnapShot@2010-03-27_11.37.13 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-03-28 08:44 . 2010-03-28 08:44 16384 c:\windows\Temp\Perflib_Perfdata_640.dat

+ 2003-10-07 08:46 . 2010-03-28 08:50 54686 c:\windows\system32\perfc009.dat

- 2003-10-07 08:46 . 2010-03-22 21:43 54686 c:\windows\system32\perfc009.dat

+ 2003-10-07 08:46 . 2010-03-28 08:50 384248 c:\windows\system32\perfh009.dat

- 2003-10-07 08:46 . 2010-03-22 21:43 384248 c:\windows\system32\perfh009.dat

.

(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Not* Tomma poster & legitima standardposter visas inte.

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"COMODO Internet Security"="c:\program\COMODO\COMODO Internet Security\cfp.exe" [2010-03-03 1983760]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program\SUPERAntiSpyware\SASSEH.DLL" [2007-02-15 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\guard32.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]

@="Service"

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Adobe Gamma Loader.exe.lnk]

path=c:\documents and settings\All Users\Start-meny\Program\Autostart\Adobe Gamma Loader.exe.lnk

backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Adobe Gamma Loader.lnk]

path=c:\documents and settings\All Users\Start-meny\Program\Autostart\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start-meny\Program\Autostart\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Ashampoo Magical Defrag.lnk]

path=c:\documents and settings\All Users\Start-meny\Program\Autostart\Ashampoo Magical Defrag.lnk

backup=c:\windows\pss\Ashampoo Magical Defrag.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^BankID säkerhetsprogram.lnk]

path=c:\documents and settings\All Users\Start-meny\Program\Autostart\BankID säkerhetsprogram.lnk

backup=c:\windows\pss\BankID säkerhetsprogram.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Certificate Mover.lnk]

path=c:\documents and settings\All Users\Start-meny\Program\Autostart\Certificate Mover.lnk

backup=c:\windows\pss\Certificate Mover.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start-meny\Program\Autostart\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^HPAiODevice(hp psc 900 series) - 1.lnk]

path=c:\documents and settings\All Users\Start-meny\Program\Autostart\HPAiODevice(hp psc 900 series) - 1.lnk

backup=c:\windows\pss\HPAiODevice(hp psc 900 series) - 1.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^McAfee Security Scan Plus.lnk]

path=c:\documents and settings\All Users\Start-meny\Program\Autostart\McAfee Security Scan Plus.lnk

backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start-meny\Program\Autostart\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Personal.lnk]

path=c:\documents and settings\All Users\Start-meny\Program\Autostart\Personal.lnk

backup=c:\windows\pss\Personal.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^WinZip Quick Pick.lnk]

path=c:\documents and settings\All Users\Start-meny\Program\Autostart\WinZip Quick Pick.lnk

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2009-12-11 14:57 948672 ----a-r- c:\program\Delade filer\Adobe\ARM\1.0\AdobeARM.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-12-22 00:57 35760 ----a-w- c:\program\Adobe\Reader 9.0\Reader\reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]

2004-01-30 16:01 88363 ----a-w- c:\windows\AGRSMMSG.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]

2003-10-08 03:40 159744 ----a-w- c:\program\Apoint2K\Apoint.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bredbandsbolaget]

2006-08-08 00:36 94208 ----a-w- c:\program\Bredbandsbolaget\Servicecenter\servicecenter.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]

2004-03-01 11:05 200766 ----a-w- c:\program\HPQ\Default Settings\Cpqset.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 16:05 15360 ------w- c:\windows\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]

2004-01-13 07:21 245760 ----a-w- c:\program\HPQ\Quick Launch Buttons\eabservr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2003-06-25 09:24 49152 ----a-w- c:\program\Hewlett-Packard\HP Software Update\hpwuSchd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]

2003-05-22 18:00 483328 ----a-w- c:\windows\system32\hphmon05.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWBMOUSE]

2000-04-27 01:05 359424 ----a-w- c:\program\iWare\iWare Mouse\3.2\LwbWheel.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

2001-07-09 02:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2004-04-07 19:22 4730880 ----a-w- c:\windows\system32\nvcpl.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

2004-04-07 19:22 323584 ----a-w- c:\windows\system32\nwiz.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2004-05-31 18:53 98304 ----a-w- c:\program\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]

2001-07-03 07:11 57344 ----a-w- c:\program\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2005-11-10 12:03 36975 ----a-w- c:\program\Java\jre1.5.0_06\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

2007-02-15 10:44 1310720 ----a-w- c:\program\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2007-07-27 04:45 68856 ----a-w- c:\program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2004-11-17 21:28 180269 ----a-w- c:\program\Delade filer\Real\Update_OB\realsched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]

2003-08-18 23:01 110592 ----a-w- c:\program\Delade filer\Sonic\Update Manager\sgtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\Program\\Mozilla Firefox\\firefox.exe"=

"c:\\WS_FTP\\WS_FTP95.exe"=

"c:\\WINDOWS\\system32\\mshta.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program\\Messenger\\msmsgs.exe"=

"c:\\xpipcfg\\xpipcfg.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

 

R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2010-03-03 15376]

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-03-03 214056]

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-03-03 25160]

R1 SASDIFSV;SASDIFSV;c:\program\SUPERAntiSpyware\sasdifsv.sys [2006-12-11 5632]

R1 SASKUTIL;SASKUTIL;c:\program\SUPERAntiSpyware\SASKUTIL.SYS [2006-12-11 30720]

R2 CLPSLS;COMODO livePCsupport Service;c:\program\Comodo\COMODO livePCsupport\CLPSLS.exe [2010-02-12 148744]

S3 G3GRSC;G3G R Smart Card;c:\windows\system32\drivers\g3grsc.sys [2006-06-21 18688]

S3 G3GRUMDM;G3G R USB Modem;c:\windows\system32\drivers\g3grumdm.sys [2006-06-21 27648]

S3 G3GRUSER;G3G R USB Serial;c:\windows\system32\drivers\g3gruser.sys [2006-06-21 24064]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]

S3 SASENUM;SASENUM;c:\program\SUPERAntiSpyware\SASENUM.SYS [2006-12-11 4096]

S3 Tdsshbecr;Handelsbanken card reader;c:\windows\system32\drivers\shbecr.sys [2009-10-25 42368]

S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [2005-05-05 40060]

S3 VNic;ULan Network Driver Module;c:\windows\system32\DRIVERS\VNic.sys --> c:\windows\system32\DRIVERS\VNic.sys [?]

S4 Automatisk LiveUpdate-schemaläggare;Automatisk LiveUpdate-schemaläggare;"c:\program\Symantec\LiveUpdate\ALUSchedulerSvc.exe" --> c:\program\Symantec\LiveUpdate\ALUSchedulerSvc.exe [?]

.

.

------- Extra genomsökning -------

.

uStart Page = hxxp://www.google.se/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xportera till Microsoft Excel - c:\program\MICROS~3\Office10\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\GEST\Application Data\Mozilla\Firefox\Profiles\lnsqzpnm.default\

FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:sv-SE:official

FF - plugin: c:\program\Mozilla Firefox\plugins\npdjvu.dll

FF - plugin: c:\program\Personal\bin\np_prsnl.dll

 

---- FIREFOX POLICY ----

c:\program\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-28 17:19

Windows 5.1.2600 Service Pack 3 NTFS

 

detected NTDLL code modification:

ZwClose, ZwOpenFile

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLer som "laddats" under processer som körs ---------------------

 

- - - - - - - > 'winlogon.exe'(596)

c:\windows\system32\guard32.dll

 

- - - - - - - > 'lsass.exe'(652)

c:\windows\system32\guard32.dll

.

Sluttid: 2010-03-28 17:25:47

ComboFix-quarantined-files.txt 2010-03-28 15:25

ComboFix2.txt 2010-03-27 11:44

 

Före genomsökningen: 19 830 030 336 byte ledigt

Efter genomsökningen: 19 791 118 336 byte ledigt

 

- - End Of File - - F00D65735D76C3A8074507D577ED9A06

[/log]


I don't have a .NET password, i.e. a Windows Live ID, so I don't know how they work. Do you mean that it is located in "C:\Documents and Settings", or what?

 

Copy all the lines in the box:

DirLook::
C:\Program\
C:\Documents and Settings\GEST\Application Data
C:\Documents and Settings\All Users\Application Data\
C:\Documents and Settings\All Users\Application Data\
C:\Documents and Settings\All Users\Application Data\

and paste them into Notepad.

Save the file on the Desktop with the name CFScript.

 

Prepare the computer for ComboFix in the same way as before.

Drag CFScript with the mouse and drop it onto the ComboFix icon on the Desktop; this starts the program in a special mode.

Paste the log that is produced.


I am failing to post the ComboFix log. I have tried from several computers.

Here is the last message:

Fatal error: Allowed memory size of 104857600 bytes exhausted (tried to allocate 15866867 bytes) in /var/www/eforum/admin/sources/classes/editor/class_editor.php on line 242

 

Previously this was shown: post-54700-1269808761,35_thumb.jpg

 

It seems as if I am fighting with something on my laptop, where I at least used Remove on .Net Passport. I know nothing about .Net Passport, only that "Trixxa" has one from my computer!

Apart from that, the IE icon keeps returning to my desktop even though I delete it (I use Internet Explorer very little), and the Start menu changes.


See if it works better if you paste the log directly into the reply without using the Log button ([]). Or is the log much longer than the previous ComboFix log?
