
Olmarik Trojan etc.


Ercie


Hi!

I've had quite a few problems with the computer lately.

Recently I had a fake antivirus program, "Total PC Defender", which I got rid of using a guide from bleepingcomputer.

Sometimes I get a blue screen with the error code: 0x0000008E (0xC0000047, 0x804FCF44, 0xBA4E3780, 0x00000000). It can happen at any time, e.g. at startup, while gaming or while browsing.

At regular intervals (it seems to have tapered off now, though) Firefox shuts down and a box pops up saying "You're computer is vulnerable to malware attacks" or similar. I close it with Task Manager.

Now NOD32 has also started warning about "Win32/Olmarik.XG trojan" in C:\WINDOWS\system32\drivers\Tcpip6.sys.

NOD says it is "cleaned - quarantined", but it just keeps popping up constantly.

Attaching the DDS log files.

I'd be very grateful for help. I'm completely lost now, as my computer skills aren't the best ;)

Many thanks / Eric

DDS.txt

Attach.txt


I'm pasting the DDS log so that it's easier to look at, both now and when we need to go back and look at it later. I'll go through it and get back to you a little later.

 

 

DDS (Ver_10-03-17.01) - NTFSx86

Run by Eric at 14:29:56,79 on 2010-04-21

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13

Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.3071.2232 [GMT 2:00]

 

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

 

============== Running Processes ===============

 

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program\Bonjour\mDNSResponder.exe

C:\Program\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\WINDOWS\system32\FsUsbExService.Exe

C:\Program\LogMeIn Hamachi\hamachi-2.exe

C:\Program\Java\jre6\bin\jqs.exe

C:\Program\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program\Delade filer\Ulead Systems\DVD\ULCDRSvr.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Razer\Diamondback 3G\razerhid.exe

C:\Program\ESET\ESET NOD32 Antivirus\egui.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program\Messenger\msmsgs.exe

C:\Program\Delade filer\Ahead\Lib\NMBgMonitor.exe

C:\Program\RocketDock\RocketDock.exe

C:\Program\Windows Live\Messenger\MsnMsgr.Exe

C:\Program\Delade filer\Ahead\Lib\NMIndexingService.exe

C:\Program\Delade filer\Ahead\Lib\NMIndexStoreSvr.exe

C:\Program\Razer\Diamondback 3G\razertra.exe

C:\Program\Razer\Diamondback 3G\razerofa.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program\Windows Live\Contacts\wlcomm.exe

C:\Program\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\rundll32.exe

C:\DOCUME~1\Eric\SKRIVB~1\dds.scr

 

============== Pseudo HJT Report ===============

 

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: H - No File

BHO: Länkhjälp till Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program\delade filer\adobe\acrobat\activex\AcroIEHelper.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: Windows Live inloggningshjälpen: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program\delade filer\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] "c:\program\messenger\msmsgs.exe" /background

uRun: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program\delade filer\ahead\lib\NMBgMonitor.exe"

uRun: [RocketDock] "c:\program\rocketdock\RocketDock.exe"

uRun: [msnmsgr] "c:\program\windows live\messenger\MsnMsgr.Exe" /background

mRun: [Diamondback] c:\program\razer\diamondback 3g\razerhid.exe

mRun: [egui] "c:\program\eset\eset nod32 antivirus\egui.exe" /hide /waitservice

mRun: [RTHDCPL] RTHDCPL.EXE

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

IE: E&xportera till Microsoft Excel - c:\program\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\program\micros~2\office11\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program\delade~1\skype\SKYPE4~1.DLL

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

 

================= FIREFOX ===================

 

FF - ProfilePath - c:\docume~1\eric\applic~1\mozilla\firefox\profiles\zgzlu6h9.default\

FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll

FF - component: c:\documents and settings\eric\application data\mozilla\firefox\profiles\zgzlu6h9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

FF - plugin: c:\documents and settings\eric\lokala instã¤llningar\application data\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\real\realplayer\netscape6\nppl3260.dll

FF - plugin: c:\program files\real\realplayer\netscape6\nprjplug.dll

FF - plugin: c:\program files\real\realplayer\netscape6\nprpjplug.dll

FF - plugin: c:\program\mozilla firefox\plugins\NPBILLARD8.dll

FF - plugin: c:\program\mozilla firefox\plugins\npganymedenet.dll

FF - plugin: c:\program\voddler\plugin\npvoddler.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

 

---- FIREFOX POLICIES ----

c:\program\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program\mozilla firefox\greprefs\all.js - pref("browser.visited_color", "#551A8B");

c:\program\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("browser.videoFeeds.handler", "ask");

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

 

============= SERVICES / DRIVERS ===============

 

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-3-19 107256]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-3-19 93848]

R2 ekrn;ESET Service;c:\program\eset\eset nod32 antivirus\ekrn.exe [2009-3-19 731840]

R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-12-30 233472]

R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program\logmein hamachi\hamachi-2.exe [2010-3-30 1107336]

R2 OMSI download service;Sony Ericsson OMSI download service;c:\program\sony ericsson\sony ericsson pc suite\SupServ.exe [2009-11-7 90112]

R2 SSHNAS;SSHNAS;c:\windows\system32\svchost.exe -k netsvcs [2006-3-2 14336]

R2 VoddlerNet;VoddlerNet;c:\program\voddler\service\voddler.exe [2010-3-18 1160912]

R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [2007-12-18 38656]

R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2009-12-30 36608]

R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]

R3 Razerlow;Diamondback 3G USB Filter Driver;c:\windows\system32\drivers\DB3G.sys [2009-7-20 13225]

R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2009-11-7 27632]

S1 ethagewl;ethagewl;c:\windows\system32\drivers\ethagewl.sys [2010-4-8 140288]

S2 NetCM;Network Connection Manager;c:\program\common files\microsoft shared\speech\svchost.exe --> c:\program\common files\microsoft shared\speech\svchost.exe [?]

S2 SBAMSvc;Sunbelt VIPRE Antivirus Service;"c:\program\sunbelt software\counterspy\sbamsvc.exe" --> c:\program\sunbelt software\counterspy\SBAMSvc.exe [?]

S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2009-11-7 13224]

S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [2009-11-7 86824]

S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [2009-11-7 15016]

S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [2009-11-7 114600]

S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [2009-11-7 108328]

S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [2009-11-7 26024]

S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [2009-11-7 104616]

S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [2009-11-7 109736]

S3 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]

S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);c:\windows\system32\drivers\sea1bus.sys [2008-2-28 61536]

S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;c:\windows\system32\drivers\sea1mdfl.sys [2008-2-28 9360]

S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;c:\windows\system32\drivers\sea1mdm.sys [2008-2-28 97088]

S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\sea1mgmt.sys [2008-2-28 88624]

S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);c:\windows\system32\drivers\sea1nd5.sys [2008-2-28 18704]

S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;c:\windows\system32\drivers\sea1obex.sys [2008-2-28 86432]

S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);c:\windows\system32\drivers\sea1unic.sys [2008-2-28 90800]

S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [2009-12-30 90112]

S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [2009-12-30 14976]

S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [2009-12-30 121856]

 

=============== Created Last 30 ================

 

2010-04-21 12:29:56 226880 ----a-w- c:\windows\system32\drivers\OLD557.tmp

2010-04-21 12:29:51 226880 ----a-w- c:\windows\system32\drivers\OLD551.tmp

2010-04-21 12:29:45 226880 ----a-w- c:\windows\system32\drivers\OLD54D.tmp

2010-04-21 12:29:40 226880 ----a-w- c:\windows\system32\drivers\OLD54A.tmp

2010-04-21 12:29:35 226880 ----a-w- c:\windows\system32\drivers\OLD546.tmp

2010-04-21 12:29:29 226880 ----a-w- c:\windows\system32\drivers\OLD543.tmp

2010-04-21 12:29:24 226880 ----a-w- c:\windows\system32\drivers\OLD53F.tmp

2010-04-21 12:29:17 226880 ----a-w- c:\windows\system32\drivers\OLD53C.tmp

2010-04-21 12:29:12 226880 ----a-w- c:\windows\system32\drivers\OLD538.tmp

2010-04-21 12:29:06 226880 ----a-w- c:\windows\system32\drivers\OLD535.tmp

2010-04-21 12:29:01 226880 ----a-w- c:\windows\system32\drivers\OLD531.tmp

2010-04-21 12:28:54 226880 ----a-w- c:\windows\system32\drivers\OLD503.tmp

2010-04-21 12:28:49 226880 ----a-w- c:\windows\system32\drivers\OLD4EA.tmp

2010-04-21 12:28:43 226880 ----a-w- c:\windows\system32\drivers\OLD4CD.tmp

2010-04-21 12:28:36 226880 ----a-w- c:\windows\system32\drivers\OLD4C4.tmp

2010-04-21 12:28:30 226880 ----a-w- c:\windows\system32\drivers\OLD499.tmp

2010-04-21 12:28:25 226880 ----a-w- c:\windows\system32\drivers\OLD495.tmp

2010-04-21 12:28:20 226880 ----a-w- c:\windows\system32\drivers\OLD491.tmp

2010-04-21 12:28:14 226880 ----a-w- c:\windows\system32\drivers\OLD48D.tmp

2010-04-21 12:28:09 226880 ----a-w- c:\windows\system32\drivers\OLD466.tmp

2010-04-21 12:16:03 225664 ----a-w- c:\windows\system32\drivers\OLD262.tmp

2010-04-21 12:14:46 225664 ----a-w- c:\windows\system32\drivers\OLD24E.tmp

2010-04-20 18:40:22 187904 ----a-w- c:\windows\system32\sshnas21.dll

2010-04-15 20:10:55 665600 ----a-w- c:\windows\system32\pdfgenx.ocx

2010-04-15 20:10:55 518064 ----a-w- c:\windows\system32\Codejock.SkinFramework.Unicode.v11.2.0.ocx

2010-04-15 20:10:55 1746864 ----a-w- c:\windows\system32\Codejock.CommandBars.Unicode.v11.2.0.ocx

2010-04-15 20:10:54 0 d-----w- c:\program\PDFArea

2010-04-15 19:09:36 0 d-----w- c:\docume~1\eric\applic~1\PrimoPDF

2010-04-15 19:08:50 176235 ----a-w- c:\windows\system32\Primomonnt.dll

2010-04-15 19:08:48 0 d-----w- c:\program\Nitro PDF

2010-04-12 20:34:13 0 d-----w- c:\program\Microsoft Windows 7 Upgrade Advisor

2010-04-08 15:46:00 140288 ----a-w- c:\windows\system32\drivers\ethagewl.sys

2010-04-05 12:36:47 32274 ----a-w- c:\windows\DIIUnin.dat

2010-04-05 12:36:45 94208 ----a-w- c:\windows\DIIUnin.exe

2010-04-05 12:36:45 2829 ----a-w- c:\windows\DIIUnin.pif

2010-04-05 12:35:02 0 d-----w- c:\program\Diablo II

2010-04-05 12:31:32 4516 ----a-w- C:\INSTALL_Eric_01000005.ERR

2010-04-03 14:50:35 0 d-----w- c:\docume~1\eric\applic~1\Malwarebytes

2010-04-03 14:50:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-03 14:50:28 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-03 14:50:28 0 d-----w- c:\program\Malwarebytes' Anti-Malware

2010-04-03 14:50:28 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-03-30 15:05:29 26176 ---ha-w- c:\windows\system32\hamachi.sys

2010-03-30 15:05:20 0 d-----w- c:\program\LogMeIn Hamachi

 

==================== Find3M ====================

 

3427-09-25 20:40:30 74416 ----a-w- c:\windows\fonts\Ravie.TTF

2010-04-21 12:30:01 226880 ----a-w- c:\windows\system32\drivers\OLD55B.tmp

2010-04-13 15:13:04 64768 ----a-w- c:\windows\system32\drivers\Serial.sys

2010-03-28 13:28:19 92210 ----a-w- c:\windows\system32\perfc01D.dat

2010-03-28 13:28:19 465308 ----a-w- c:\windows\system32\perfh01D.dat

2010-03-19 20:40:05 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll

2010-03-19 20:23:42 21840 ----a-w- c:\windows\system32\SIntfNT.dll

2010-03-19 20:23:41 17212 ----a-w- c:\windows\system32\SIntf32.dll

2010-03-19 20:23:41 12067 ----a-w- c:\windows\system32\SIntf16.dll

2010-03-11 12:37:44 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:37:41 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:37:41 17408 ------w- c:\windows\system32\corpol.dll

2010-03-09 11:11:42 430080 ----a-w- c:\windows\system32\vbscript.dll

2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-16 19:09:26 2147328 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 19:09:26 2025472 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 10:03:03 293376 ------w- c:\windows\system32\browserchoice.exe

2010-02-12 04:35:03 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-01-29 14:27:10 52892 ---ha-w- c:\windows\system32\mlfcache.dat

2006-06-23 22:48:54 32768 ----a-r- c:\windows\inf\UpdateUSB.exe

2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll

2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll

2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll

2008-05-17 12:33:44 32768 --sha-w- c:\windows\system32\config\systemprofile\lokala inställningar\tidigare\history.ie5\mshist012008051720080518\index.dat

 

============= FINISH: 14:30:52,45 ===============

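Two patterns stand out in the DDS log above: a stream of identically sized OLD*.tmp files appearing in the drivers folder seconds apart, and service entries whose display name is just the short name repeated. The script below, an added example and not code from the thread or from the DDS tool, parses a subset of the posted lines and flags both; the thresholds (15 seconds between files, five files, 30 days for "recent") are assumptions chosen for illustration.

```python
"""Heuristic triage of DDS-style log lines: a burst of identically sized
*.tmp files in system32\\drivers seconds apart (a driver rewritten over and
over) and a recent service/driver whose display name is just its short name.
The output is a review list for a human, not a verdict."""
import re
from datetime import datetime, timedelta

# "Created Last 30" lines: <date time> <size> <attrs> <path>
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(.+)$")
# "SERVICES / DRIVERS" lines: <Rn|Sn> <name>;<display>;<image> [<date> <size>];
# DDS prints "[?]" in place of date and size when the file is missing.
SERVICE_RE = re.compile(
    r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)"
    r"(?:\s+\[(\d{4}-\d{1,2}-\d{1,2})\s+(\d+)\])?\s*$")
DRIVERS_DIR = "c:\\windows\\system32\\drivers\\"

# Sample input: lines copied from the DDS log posted above (a subset, not a full log).
SAMPLE_CREATED = r"""
2010-04-21 12:29:56 226880 ----a-w- c:\windows\system32\drivers\OLD557.tmp
2010-04-21 12:28:36 226880 ----a-w- c:\windows\system32\drivers\OLD4C4.tmp
2010-04-21 12:28:30 226880 ----a-w- c:\windows\system32\drivers\OLD499.tmp
2010-04-21 12:28:25 226880 ----a-w- c:\windows\system32\drivers\OLD495.tmp
2010-04-21 12:28:20 226880 ----a-w- c:\windows\system32\drivers\OLD491.tmp
2010-04-21 12:28:14 226880 ----a-w- c:\windows\system32\drivers\OLD48D.tmp
2010-04-21 12:28:09 226880 ----a-w- c:\windows\system32\drivers\OLD466.tmp
2010-04-21 12:16:03 225664 ----a-w- c:\windows\system32\drivers\OLD262.tmp
2010-04-21 12:14:46 225664 ----a-w- c:\windows\system32\drivers\OLD24E.tmp
2010-04-08 15:46:00 140288 ----a-w- c:\windows\system32\drivers\ethagewl.sys
""".strip().splitlines()
SAMPLE_SERVICES = r"""
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-3-19 107256]
R2 SSHNAS;SSHNAS;c:\windows\system32\svchost.exe -k netsvcs [2006-3-2 14336]
R3 Razerlow;Diamondback 3G USB Filter Driver;c:\windows\system32\drivers\DB3G.sys [2009-7-20 13225]
S1 ethagewl;ethagewl;c:\windows\system32\drivers\ethagewl.sys [2010-4-8 140288]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
""".strip().splitlines()

def parse_created(lines):
    """Return (timestamp, size, lowercase path) for every Created-Last-30 line."""
    out = []
    for line in lines:
        m = CREATED_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            out.append((ts, int(m.group(2)), m.group(4).strip().lower()))
    return out

def find_tmp_bursts(entries, window_seconds=15, min_count=5):
    """Group drivers-dir *.tmp files by size; report sizes written in quick succession."""
    by_size = {}
    for ts, size, path in entries:
        if path.startswith(DRIVERS_DIR) and path.endswith(".tmp"):
            by_size.setdefault(size, []).append((ts, path))
    bursts = {}
    for size, items in by_size.items():
        items.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(items, items[1:])]
        # number of files that followed their predecessor within the window
        close = sum(1 for g in gaps if g <= window_seconds)
        if close + 1 >= min_count:
            bursts[size] = [p for _, p in items]
    return bursts

def parse_services(lines):
    """Return one dict per SERVICES / DRIVERS line; date is None for "[?]"."""
    out = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if m:
            date = datetime.strptime(m.group(5), "%Y-%m-%d") if m.group(5) else None
            out.append({"state": m.group(1), "name": m.group(2).strip(),
                        "display": m.group(3).strip(), "image": m.group(4).lower(),
                        "date": date})
    return out

def find_anonymous_entries(services, report_date, recent_days=30):
    """Flag entries whose display name merely repeats the short name when the
    file is recent or the entry runs inside a generic svchost host. Vendor
    drivers installed long ago (ESET's ehdrv here) drop out."""
    cutoff = report_date - timedelta(days=recent_days)
    flagged = []
    for s in services:
        if s["display"].lower() != s["name"].lower():
            continue
        recent = s["date"] is not None and s["date"] >= cutoff
        if recent or "svchost.exe" in s["image"]:
            flagged.append(s["name"])
    return flagged

def triage(created_lines, service_lines):
    """Run both heuristics, taking the newest timestamp seen as the report date."""
    created = parse_created(created_lines)
    report_date = max(ts for ts, _, _ in created)
    return {"tmp_bursts": find_tmp_bursts(created),
            "anonymous_entries": find_anonymous_entries(
                parse_services(service_lines), report_date)}

if __name__ == "__main__":
    print(triage(SAMPLE_CREATED, SAMPLE_SERVICES))
```

On the sample, the seven 226880-byte files are reported as one burst while the two 225664-byte files (77 seconds apart) are not, and SSHNAS and ethagewl end up on the review list.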

Okay, great. The reason I attached it was that the post became too long, even though I used LOG tags.

I also wanted to add that NOD sometimes warns: "Address has been blocked", followed by a URL and IP number.


Hi Ercie,

I saw in your profile that you live in Uddevalla. If you'd like help on site, and perhaps learn a bit in the process, we could arrange that.

Is your computer a home build or bought from a manufacturer? If so, what make and model is it?

Regards,

Daniel Ekeroth


Update MBAM and run a quick scan. Paste the log if anything is found.

Save ComboFix to the Desktop:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Close all programs you can see, including antivirus and antispyware programs, but leave the firewall on.

How? See http://www.bleepingcomputer.com/forums/topic114351.html

Run ComboFix and follow the instructions shown.

If you are asked whether you want to install the Recovery Console, answer yes.

IMPORTANT! Do not click on the ComboFix window with the mouse while it is running, otherwise it may hang.

When it has finished, a log should appear; paste it into your reply. Check that antivirus programs etc. are running before you connect to the internet.

If you have problems getting on the internet:

Control Panel - Network Connections

right-click your internet connection and choose Repair, and/or restart the computer.

Warning! ComboFix disables autorun of CDs, floppies and USB devices to make it easier to clean the computer and to protect it against infections in the future. This can cause problems, e.g. if the computer connects to the internet via a USB modem or USB network card. In that case, say so instead of running ComboFix.


MBAM hasn't finished scanning yet, but it has already found 7 infected objects...

Should I clean them, or just paste the log?

 

[log]Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

 

Databasversion: 4015

 

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

 

2010-04-21 16:06:47

mbam-log-2010-04-21 (16-06-47).txt

 

Skanningstyp: Snabbskanning

Antal skannade objekt: 132445

Förfluten tid: 5 minut(er), 7 sekund(er)

 

Infekterade minnesprocesser: 0

Infekterade minnesmoduler: 1

Infekterade registernycklar: 2

Infekterade registervärden: 0

Infekterade registerdataposter: 0

Infekterade mappar: 0

Infekterade filer: 6

 

Infekterade minnesprocesser:

(Inga illasinnade poster hittades)

 

Infekterade minnesmoduler:

c:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) -> No action taken.

 

Infekterade registernycklar:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshnas (Trojan.Downloader) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> No action taken.

 

Infekterade registervärden:

(Inga illasinnade poster hittades)

 

Infekterade registerdataposter:

(Inga illasinnade poster hittades)

 

Infekterade mappar:

(Inga illasinnade poster hittades)

 

Infekterade filer:

C:\Documents and Settings\Eric\Lokala inställningar\Temp\orawxnescm.tmp (Malware.Packer.Gen) -> No action taken.

C:\Documents and Settings\Eric\Lokala inställningar\Temp\uaf6qNtd.exe.part (Trojan.FakeAV) -> No action taken.

C:\Documents and Settings\Eric\Lokala inställningar\Temp\Ikb.exe (Trojan.CodecPack) -> No action taken.

C:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) -> No action taken.

C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> No action taken.

C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> No action taken.[/log]


Let MBAM fix what was found. Then restart the computer and do another quick scan with MBAM. If anything is found, paste that log.

Then run ComboFix as described earlier.


MBAM found nothing after the restart.

When ComboFix was then run, I left the computer for a couple of minutes. By then it had finished step 5.

When I came back I had a blue screen. It said:

BAD_POOL_HEADER

Technical information:

*** STOP: 0x00000019 (0x00000020, 0x89C1D000, 0x89C1D418, 0x1A890000)


Yep, no problem. However, the computer froze once when ComboFix restarted (when it disabled automatic CD playback), while XP was loading at the start. This has also been a recurring problem.


The blue screen probably happens because ComboFix is trying to remove or replace a driver that belongs to the malicious program, and the malicious program doesn't like that. Is there a file name at the bottom of the blue screen?

This program should also disable automatic CD playback.

Save Flash Disinfector by sUBs to the Desktop:

http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe

http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe

Double-click the downloaded file to start the program.

Follow the instructions that appear.

When it tells you to insert flash drives, just don't.

When everything is done, exit the program and restart the computer.

See whether ComboFix works better now.

If there are still problems, restart the computer in Safe Mode (press F8 repeatedly during startup and choose Safe Mode from the menu) and see whether ComboFix does better then.

If that doesn't help either, paste a new DDS log so we can see what it looks like now after the MBAM run.


There! ComboFix finally managed to run to completion without problems. It's been a real hassle.

 

[log]ComboFix 10-04-20.03 - Eric 2010-04-22 21:15:30.4.4 - x86 MINIMAL

Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.3071.2764 [GMT 2:00]

Körs från: c:\documents and settings\Eric\Skrivbord\ComboFix.exe

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

.

 

((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Föregående körning -------

.

c:\documents and settings\Eric\Application Data\.#\MBX@100C@3C39C0.###

c:\documents and settings\Eric\Application Data\.#\MBX@100C@3C39D0.###

c:\windows\system32\_000006_.tmp.dll

c:\windows\system32\Chip.dll

c:\windows\system32\Thumbs.db

c:\windows\system32\tmp33.tmp

c:\windows\system32\tmp34.tmp

 

.

((((((((((((((((((((((((((((((((((((((( Drivrutiner/Tjänster )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_SSHNAS

 

 

(((((((((((((((((((((((( Filer Skapade från 2010-03-22 till 2010-04-22 ))))))))))))))))))))))))))))))

.

 

2010-04-21 16:20 . 2010-04-21 16:20 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SecuROM

2010-04-17 16:09 . 2010-03-26 08:33 43008 ----a-w- c:\documents and settings\Ole\Application Data\Mozilla\Firefox\Profiles\dms8wahl.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll

2010-04-17 16:09 . 2010-03-26 08:33 339456 ----a-w- c:\documents and settings\Ole\Application Data\Mozilla\Firefox\Profiles\dms8wahl.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll

2010-04-17 16:09 . 2010-03-26 08:32 346112 ----a-w- c:\documents and settings\Ole\Application Data\Mozilla\Firefox\Profiles\dms8wahl.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll

2010-04-17 16:09 . 2010-03-26 08:33 1496064 ----a-w- c:\documents and settings\Ole\Application Data\Mozilla\Firefox\Profiles\dms8wahl.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

2010-04-15 20:10 . 2010-04-15 20:10 -------- d-----w- c:\program\PDFArea

2010-04-15 19:09 . 2010-04-15 19:09 -------- d-----w- c:\documents and settings\Eric\Application Data\PrimoPDF

2010-04-15 19:08 . 2009-07-31 01:44 176235 ----a-w- c:\windows\system32\Primomonnt.dll

2010-04-15 19:08 . 2010-04-16 21:43 -------- d-----w- c:\program\Nitro PDF

2010-04-13 22:27 . 2010-03-26 08:33 43008 ----a-w- c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\zgzlu6h9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll

2010-04-13 22:27 . 2010-03-26 08:33 339456 ----a-w- c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\zgzlu6h9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll

2010-04-13 22:27 . 2010-03-26 08:33 1496064 ----a-w- c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\zgzlu6h9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

2010-04-13 22:27 . 2010-03-26 08:32 346112 ----a-w- c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\zgzlu6h9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll

2010-04-12 20:34 . 2010-04-12 20:34 -------- d-----w- c:\program\Microsoft Windows 7 Upgrade Advisor

2010-04-08 15:46 . 2010-04-08 15:46 140288 ----a-w- c:\windows\system32\drivers\ethagewl.sys

2010-04-07 10:24 . 2010-04-07 10:24 -------- d-----r- c:\documents and settings\NetworkService\Favoriter

2010-04-05 12:36 . 2010-04-05 12:56 32274 ----a-w- c:\windows\DIIUnin.dat

2010-04-05 12:36 . 2010-04-05 12:36 94208 ----a-w- c:\windows\DIIUnin.exe

2010-04-05 12:36 . 2010-04-05 12:36 2829 ----a-w- c:\windows\DIIUnin.pif

2010-04-05 12:35 . 2010-04-16 17:34 -------- d-----w- c:\program\Diablo II

2010-04-05 10:16 . 2010-03-26 08:33 43008 ----a-w- c:\documents and settings\Clara\Application Data\Mozilla\Firefox\Profiles\s7owosfa.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll

2010-04-05 10:16 . 2010-03-26 08:33 339456 ----a-w- c:\documents and settings\Clara\Application Data\Mozilla\Firefox\Profiles\s7owosfa.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll

2010-04-05 10:16 . 2010-03-26 08:33 1496064 ----a-w- c:\documents and settings\Clara\Application Data\Mozilla\Firefox\Profiles\s7owosfa.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

2010-04-05 10:16 . 2010-03-26 08:32 346112 ----a-w- c:\documents and settings\Clara\Application Data\Mozilla\Firefox\Profiles\s7owosfa.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll

2010-04-03 14:50 . 2010-04-03 14:50 -------- d-----w- c:\documents and settings\Eric\Application Data\Malwarebytes

2010-04-03 14:50 . 2010-03-29 22:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-03 14:50 . 2010-04-03 14:50 -------- d-----w- c:\program\Malwarebytes' Anti-Malware

2010-04-03 14:50 . 2010-04-03 14:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-04-03 14:50 . 2010-03-29 22:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-30 15:05 . 2010-02-03 13:56 26176 ---ha-w- c:\windows\system32\hamachi.sys

2010-03-30 15:05 . 2010-03-30 15:05 -------- d-----w- c:\program\LogMeIn Hamachi

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-21 18:23 . 2007-01-20 15:38 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-04-21 15:47 . 2008-03-29 12:50 -------- d-----w- c:\program\Rockstar Games

2010-04-21 15:47 . 2007-12-18 16:24 -------- d--h--w- c:\program\InstallShield Installation Information

2010-04-21 15:46 . 2007-12-20 20:39 -------- d-----w- c:\documents and settings\Eric\Application Data\uTorrent

2010-04-20 18:41 . 2009-04-03 14:02 -------- d-----w- c:\documents and settings\Eric\Application Data\Spotify

2010-04-13 15:13 . 2006-03-02 12:00 64768 ----a-w- c:\windows\system32\drivers\Serial.sys

2010-04-10 15:47 . 2007-12-21 20:10 -------- d-----w- c:\documents and settings\Eric\Application Data\dvdcss

2010-04-05 10:07 . 2010-04-05 10:07 -------- d-----w- c:\documents and settings\Clara\Application Data\ATI

2010-04-04 10:58 . 2009-02-11 14:47 -------- d-----w- c:\program\Steam

2010-04-01 23:26 . 2002-01-15 19:34 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-03-28 13:28 . 2006-03-02 12:00 92210 ----a-w- c:\windows\system32\perfc01D.dat

2010-03-28 13:28 . 2006-03-02 12:00 465308 ----a-w- c:\windows\system32\perfh01D.dat

2010-03-23 17:17 . 2010-03-23 17:17 85504 ----a-w- c:\documents and settings\Eric\Application Data\SystemRequirementsLab\srlproxy_cyri_4.1.71.0A.dll

2010-03-23 17:17 . 2008-01-06 22:19 -------- d-----w- c:\documents and settings\Eric\Application Data\SystemRequirementsLab

2010-03-23 12:23 . 2008-02-24 13:43 -------- d-----w- c:\documents and settings\Eric\Application Data\Skype

2010-03-21 22:33 . 2010-03-21 22:33 -------- d-----w- c:\program\Homeenter

2010-03-21 09:01 . 2010-03-21 09:01 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll

2010-03-21 09:01 . 2010-03-21 09:01 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll

2010-03-21 09:01 . 2010-03-21 09:01 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll

2010-03-21 09:01 . 2010-03-21 09:01 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll

2010-03-21 09:01 . 2010-03-21 09:01 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll

2010-03-21 09:01 . 2010-03-21 09:01 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll

2010-03-21 09:01 . 2010-03-21 09:01 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll

2010-03-21 09:01 . 2010-03-21 09:01 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll

2010-03-21 09:01 . 2010-03-21 09:01 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

2010-03-21 09:01 . 2009-04-15 14:48 -------- d-----w- c:\program\Delade filer\Real

2010-03-21 09:01 . 2010-03-21 09:01 -------- d-----w- c:\program\Real

2010-03-21 09:00 . 2010-03-21 09:00 -------- d-----w- c:\program\Delade filer\xing shared

2010-03-19 20:40 . 2007-12-28 21:56 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll

2010-03-19 20:23 . 2010-03-19 20:23 21840 ----a-w- c:\windows\system32\SIntfNT.dll

2010-03-19 20:23 . 2010-03-19 20:23 17212 ----a-w- c:\windows\system32\SIntf32.dll

2010-03-19 20:23 . 2010-03-19 20:23 12067 ----a-w- c:\windows\system32\SIntf16.dll

2010-03-19 16:11 . 2010-01-05 15:49 -------- d-----w- c:\program\Voddler

2010-03-19 16:10 . 2010-03-19 16:10 -------- d-----w- c:\program\Delade filer\Adobe AIR

2010-03-19 16:10 . 2010-04-05 10:07 38784 ----a-w- c:\documents and settings\Clara\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-03-19 16:10 . 2010-03-19 16:11 38784 ----a-w- c:\documents and settings\Eric\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-03-19 16:10 . 2010-03-19 16:10 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-03-13 10:54 . 2008-07-02 23:04 -------- d-----w- c:\program\Google

2010-03-12 23:01 . 2010-03-12 23:01 -------- d-----w- c:\windows\Fonts\NON COMMERCIAL USE ONLY

2010-03-11 12:37 . 2006-03-02 12:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:37 . 2006-03-02 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:37 . 2006-03-02 12:00 17408 ------w- c:\windows\system32\corpol.dll

2010-03-09 11:11 . 2006-03-02 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll

2010-02-28 18:18 . 2008-01-05 16:15 -------- d-----w- c:\documents and settings\Eric\Application Data\Bioshock

2010-02-24 21:05 . 2010-02-24 21:05 -------- d-----w- c:\documents and settings\Eric\Application Data\LucasArts

2010-02-24 16:22 . 2008-01-27 14:23 -------- d-----w- c:\program\CCleaner

2010-02-24 16:14 . 2010-02-23 20:14 -------- d-----w- c:\program\Secret Of Monkey Island SE

2010-02-24 13:11 . 2006-03-02 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-16 19:44 . 2010-02-16 19:44 90112 ----a-w- c:\documents and settings\Eric\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\DXPlugin.dll

2010-02-16 19:44 . 2010-02-16 19:44 69632 ----a-w- c:\documents and settings\Eric\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\SystemInfo.dll

2010-02-16 19:44 . 2010-02-16 19:44 6656 ----a-w- c:\documents and settings\Eric\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\NativeDiskfree.dll

2010-02-16 19:44 . 2010-02-16 19:44 61440 ----a-w- c:\documents and settings\Eric\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\NativeUnzip.dll

2010-02-16 19:44 . 2010-02-16 19:44 59904 ----a-w- c:\documents and settings\Eric\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\zlib1.dll

2010-02-16 19:44 . 2010-02-16 19:44 57344 ----a-w- c:\documents and settings\Eric\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\DXT.dll

2010-02-16 19:44 . 2010-02-16 19:44 315392 ----a-w- c:\documents and settings\Eric\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\jogl.dll

2010-02-16 19:44 . 2010-02-16 19:44 20480 ----a-w- c:\documents and settings\Eric\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\jogl_awt.dll

2010-02-16 19:44 . 2010-02-16 19:44 20480 ----a-w- c:\documents and settings\Eric\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\gluegen-rt.dll

2010-02-16 19:44 . 2010-02-16 19:44 155648 ----a-w- c:\documents and settings\Eric\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\NativeJpegDecoder.dll

2010-02-16 19:09 . 2006-03-02 12:00 2147328 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 19:09 . 2004-08-04 01:25 2025472 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 10:03 . 2010-03-11 16:40 293376 ------w- c:\windows\system32\browserchoice.exe

2010-02-12 04:35 . 2006-03-02 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:02 . 2006-03-02 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

2010-01-29 14:27 . 2010-01-29 14:27 52892 ---ha-w- c:\windows\system32\mlfcache.dat

2006-05-03 09:06 . 2009-12-27 17:21 163328 --sh--r- c:\windows\system32\flvDX.dll

2007-02-21 10:47 . 2009-12-27 17:21 31232 --sh--r- c:\windows\system32\msfDX.dll

2008-03-16 12:30 . 2009-12-27 17:21 216064 --sh--r- c:\windows\system32\nbDX.dll

.

 

((((((((((((((((((((((((((((( SnapShot@2010-04-21_21.45.00 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-04-22 12:36 . 2009-05-26 11:43 18296 c:\windows\system32\spmsg.dll

+ 2006-03-02 12:00 . 2010-02-11 12:02 226880 c:\windows\system32\dllcache\tcpip6.sys

- 2006-03-02 12:00 . 2008-04-13 22:30 226880 c:\windows\system32\dllcache\tcpip6.sys

.

(((((((((((((((((((((((((((((((((( Registry Start Points )))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* Empty entries & legitimate default entries are not shown.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program\Delade filer\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]

"RocketDock"="c:\program\RocketDock\RocketDock.exe" [2007-09-02 495616]

"msnmsgr"="c:\program\Windows Live\Messenger\MsnMsgr.Exe" [2009-10-03 3883840]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Diamondback"="c:\program\Razer\Diamondback 3G\razerhid.exe" [2007-08-01 147456]

"egui"="c:\program\ESET\ESET NOD32 Antivirus\egui.exe" [2009-03-19 2029640]

"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 16126464]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

 

[HKLM\~\startupfolder\C:^Documents and Settings^Eric^Start-meny^Program^Autostart^Password Safe.lnk]

path=c:\documents and settings\Eric\Start-meny\Program\Autostart\Password Safe.lnk

backup=c:\windows\pss\Password Safe.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\36X Raid Configurer]

2007-03-21 16:23 1953792 ------r- c:\windows\system32\xRaidSetup.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

2005-06-06 22:46 57344 ----a-w- c:\program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2008-01-11 21:16 39792 ----a-w- c:\program\Adobe\Reader 8.0\Reader\reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]

2008-08-14 05:58 611712 ----a-w- c:\program\Delade filer\Adobe\CS4ServiceManager\CS4ServiceManager.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

2005-05-03 18:43 69632 ------r- c:\windows\Alcmtr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]

2009-04-02 17:05 102400 ----a-w- c:\program\Samsung\Samsung New PC Studio\NPSAgent.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]

2007-04-03 16:50 1603152 ----a-w- c:\program\Canon\MyPrinter\BJMYPRT.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]

2007-05-14 16:01 644696 ----a-w- c:\program\Canon\SolutionMenu\CNSLMAIN.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

2007-04-03 22:29 165784 ----a-w- c:\program\DAEMON Tools\daemon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2008-11-26 17:26 133104 ----atw- c:\documents and settings\Eric\Lokala inställningar\Application Data\Google\Update\GoogleUpdate.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]

2006-09-10 20:56 218032 ----a-w- c:\program\Delade filer\InstallShield\UpdateService\ISUSPM.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2009-11-12 15:33 141600 ----a-w- c:\program\iTunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]

2007-03-20 14:36 36864 ------r- c:\windows\RaidTool\xInsIDE.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn Hamachi Ui]

2010-03-30 09:16 1820040 ----a-w- c:\program\LogMeIn Hamachi\hamachi-2-ui.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2007-03-01 14:57 153136 ----a-w- c:\program\Delade filer\Ahead\Lib\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

2008-07-07 07:34 167936 ----a-w- c:\program\PowerISO\PWRISOVM.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-11-10 22:08 417792 ----a-w- c:\program\QuickTime\QTTask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]

2007-01-26 12:36 495616 ----a-r- c:\program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]

2008-08-01 14:23 61440 ----a-w- c:\program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-03-09 03:19 148888 ----a-w- c:\program\Java\jre6\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2010-03-21 09:00 202256 ----a-w- c:\program\Delade filer\Real\Update_OB\realsched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vista Rainbar]

c:\program\Vista Rainbar\Rainmeter.exe [bU]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoddlerNet Manager]

2010-03-18 08:56 580296 ----a-w- c:\program\Voddler\service\VNetManager.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=

"c:\\Program\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program\\Mozilla Firefox\\firefox.exe"=

"c:\\Program\\Counter-Strike 1.6\\hl.exe"=

"c:\\Program\\Warcraft III\\Warcraft III.exe"=

"c:\\Program\\Warcraft III\\war3.exe"=

"c:\\Program\\Messenger\\msmsgs.exe"=

"c:\\Program\\Microsoft Games\\Age of Empires III\\age3x.exe"=

"c:\\Program\\THQ\\Juiced2_HIN\\Juiced2_HIN.exe"=

"c:\\Program\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=

"c:\\Program\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=

"c:\\Program\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=

"c:\\Program\\Delade filer\\Ahead\\Nero Web\\SetupX.exe"=

"c:\\Program\\World of Warcraft\\WoW-2.4.0-enGB-downloader.exe"=

"c:\\Program\\mIRC\\mirc.exe"=

"c:\\Program\\Empire Interactive\\FlatOut2\\FlatOut2.exe"=

"c:\\Program\\uTorrent\\uTorrent.exe"=

"c:\\Program\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

"c:\\Program\\Sony\\Vegas Pro 8.0\\VegSrv80.exe"=

"c:\\Program\\World of Warcraft\\BackgroundDownloader.exe"=

"c:\\Program\\Disney Interactive Studios\\Pure\\Pure.exe"=

"c:\\Program\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=

"c:\\Program\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=

"c:\\Program\\Codemasters\\GRID\\GRID.exe"=

"c:\\Program\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=

"c:\\Program\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=

"c:\\Program\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=

"c:\\Program\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=

"c:\\Program\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=

"c:\\Program\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=

"c:\\Program\\EA Games\\Mirror's Edge\\Binaries\\MirrorsEdge.exe"=

"c:\\Program\\Steam\\steamapps\\brazil6401\\counter-strike\\hl.exe"=

"c:\\Program\\Sierra\\FEAR\\FEAR.exe"=

"c:\\Program\\Sierra\\FEAR\\FEARMP.exe"=

"c:\\Program\\Steam\\steamapps\\mir1994\\counter-strike\\hl.exe"=

"f:\\Nedladdning\\Q3\\Quake 3 Arena\\Quake3\\quake3.exe"=

"c:\\Program\\Spotify\\spotify.exe"=

"c:\\Program\\Quake III Arena\\quake3.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program\\Codemasters\\FUEL\\FUEL.exe"=

"c:\\Program\\Delade filer\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program\\Eidos\\Batman Arkham Asylum\\Binaries\\ShippingPC-BmGame.exe"=

"c:\\Program\\Ubisoft\\Techland\\Call of Juarez - Bound in Blood\\CoJBiBGame_x86.exe"=

"c:\\Program\\Java\\jre6\\bin\\java.exe"=

"c:\\Program\\Sony Ericsson\\Update Service\\Update Service.exe"=

"c:\\Program\\Steam\\steamapps\\antonnoreen\\counter-strike\\hl.exe"=

"c:\\Program\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=

"c:\\Program\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=

"c:\\Program\\Voddler\\service\\VNetManager.exe"=

"c:\\Program\\Bonjour\\mDNSResponder.exe"=

"c:\\Program\\iTunes\\iTunes.exe"=

"c:\\Program\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program\\Voddler\\service\\voddler.exe"=

"c:\\Program\\Skype\\Phone\\Skype.exe"=

"c:\\Program\\Diablo II\\D2Loader-1.12.exe"=

"c:\\Program\\Rockstar Games\\EFLC\\EFLC.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"2540:UDP"= 2540:UDP:Windows Media Format SDK (iexplore.exe)

"2543:UDP"= 2543:UDP:Windows Media Format SDK (iexplore.exe)

"2542:UDP"= 2542:UDP:Windows Media Format SDK (iexplore.exe)

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

"5353:TCP"= 5353:TCP:Adobe CSI CS4

 

R3 Razerlow;Diamondback 3G USB Filter Driver;c:\windows\system32\drivers\DB3G.sys [2009-07-20 13225]

R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2009-11-07 27632]

S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2007-12-21 682232]

S1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-03-19 107256]

S1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-03-19 93848]

S1 ethagewl;ethagewl;c:\windows\system32\drivers\ethagewl.sys [2010-04-08 140288]

S2 ekrn;ESET Service;c:\program\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-03-19 731840]

S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-12-30 233472]

S2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program\LogMeIn Hamachi\hamachi-2.exe [2010-03-30 1107336]

S2 NetCM;Network Connection Manager;c:\program\Common Files\Microsoft Shared\Speech\svchost.exe --> c:\program\Common Files\Microsoft Shared\Speech\svchost.exe [?]

S2 OMSI download service;Sony Ericsson OMSI download service;c:\program\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [2009-11-07 90112]

S2 SBAMSvc;Sunbelt VIPRE Antivirus Service;"c:\program\Sunbelt Software\CounterSpy\SBAMSvc.exe" --> c:\program\Sunbelt Software\CounterSpy\SBAMSvc.exe [?]

S2 VoddlerNet;VoddlerNet;c:\program\Voddler\service\voddler.exe [2010-03-18 1160912]

S3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [2007-12-18 38656]

S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2009-12-30 36608]

S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2009-11-07 13224]

S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-01-14 21632]

S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [2009-11-07 86824]

S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [2009-11-07 15016]

S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [2009-11-07 114600]

S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [2009-11-07 108328]

S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [2009-11-07 26024]

S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [2009-11-07 104616]

S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [2009-11-07 109736]

S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]

S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);c:\windows\system32\drivers\sea1bus.sys [2008-02-28 61536]

S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;c:\windows\system32\drivers\sea1mdfl.sys [2008-02-28 9360]

S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;c:\windows\system32\drivers\sea1mdm.sys [2008-02-28 97088]

S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\sea1mgmt.sys [2008-02-28 88624]

S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);c:\windows\system32\drivers\sea1nd5.sys [2008-02-28 18704]

S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;c:\windows\system32\drivers\sea1obex.sys [2008-02-28 86432]

S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);c:\windows\system32\drivers\sea1unic.sys [2008-02-28 90800]

S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [2009-12-30 90112]

S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [2009-12-30 14976]

S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [2009-12-30 121856]

.

Contents of the 'Scheduled Tasks' folder:

 

2010-02-10 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

 

2010-04-20 c:\windows\Tasks\close.job

- c:\documents and settings\Eric\Skrivbord\close.bat [2010-04-20 21:09]

 

2010-04-22 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-329068152-789336058-839522115-1005.job

- c:\program\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

 

2010-04-22 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-329068152-789336058-839522115-1009.job

- c:\program\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

 

2010-04-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-329068152-789336058-839522115-1005.job

- c:\program\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

 

2010-04-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-329068152-789336058-839522115-1009.job

- c:\program\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: E&xportera till Microsoft Excel - c:\program\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\zgzlu6h9.default\

FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll

FF - component: c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\zgzlu6h9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll

FF - plugin: c:\program files\real\realplayer\Netscape6\nppl3260.dll

FF - plugin: c:\program files\real\realplayer\Netscape6\nprjplug.dll

FF - plugin: c:\program files\real\realplayer\Netscape6\nprpjplug.dll

FF - plugin: c:\program\Mozilla Firefox\plugins\NPBILLARD8.dll

FF - plugin: c:\program\Mozilla Firefox\plugins\npganymedenet.dll

FF - plugin: c:\program\Voddler\plugin\npvoddler.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

 

---- FIREFOX POLICY ----

c:\program\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-22 21:25

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_USERS\S-1-5-21-329068152-789336058-839522115-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:ea,c3,8d,8b,40,72,80,43,dd,42,2e,b6,61,54,08,97,6c,42,63,85,10,49,65,

0f,98,20,c5,e9,e5,d5,aa,9e,18,eb,22,94,70,a6,7e,37,59,ee,55,55,cb,c0,7f,ab,\

"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

 

[HKEY_USERS\S-1-5-21-329068152-789336058-839522115-1005\Software\SecuROM\License information*]

"datasecu"=hex:e4,8e,d8,67,3c,31,bc,bd,95,4f,7c,f8,07,8b,38,6d,d9,c9,b2,1a,07,

e7,c4,76,4e,54,e8,6e,3d,5d,30,88,67,ab,c1,87,bb,2e,e4,6c,51,3e,bd,8a,05,cd,\

"rkeysecu"=hex:ef,90,32,2f,3b,00,29,b2,b6,c3,84,f4,39,9d,06,79

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•6~*]

"D140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(220)

c:\windows\system32\Ati2evxx.dll

 

- - - - - - - > 'explorer.exe'(1712)

c:\windows\system32\msi.dll

.

Completion time: 2010-04-22 21:27:46

ComboFix-quarantined-files.txt 2010-04-22 19:27

 

Pre-Run: 159 986 327 552 bytes free

Post-Run: 159 977 791 488 bytes free

 

Current=14 Default=14 Failed=13 LastKnownGood=15 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15

- - End Of File - - 5CDFD426556102D957BA06365C891405

[/log]

 

Now MBAM isn't finding anything any more, at least...

 

[log]Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4015

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

2010-04-22 21:48:00
mbam-log-2010-04-22 (21-48-00).txt

Scan type: Quick scan
Objects scanned: 128986
Time elapsed: 3 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)[/log]


On the page http://www.virustotal.com, press the Browse button and paste one of the following file names into the box, press Open and then Send File. Wait until the result is ready (Current status becomes finished). Paste the result from the various antivirus programs (not Additional information), or a link to the result, here. Repeat with the next file name.

c:\windows\system32\drivers\ethagewl.sys

c:\windows\system32\drivers\Serial.sys

c:\windows\system32\dllcache\tcpip6.sys

 

Start Device Manager (right-click My Computer - Manage) and in it choose to also show hidden devices. Under a heading that says something about devices that are not Plug and Play, find the one called NetCM, right-click it and choose Disable.

Restart the computer.

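As an added example (not part of the thread, and not a ComboFix, VirusTotal or forum tool): a small Python script that applies the checks behind the advice above to the ComboFix output. It parses the service/driver lines (including the `... --> ... [?]` form that ComboFix prints when it cannot open the image file) and flags entries whose image file is missing, an `svchost.exe` that lives outside `%SystemRoot%\system32` (the NetCM entry the helper asks to disable), and boot/system-start drivers created shortly before the scan; it also tallies which engines in a pasted VirusTotal list reported a detection. The sample service lines are copied from the log above, the VirusTotal sample is constructed in the same layout as the lists in this thread, and the heuristics and the 30-day threshold are this example's own assumptions: they produce leads to check, not verdicts.

```python
"""Triage of two artefacts exchanged in this thread: the service/driver
section of a ComboFix log and a pasted VirusTotal result list.
Added example for this thread; not a ComboFix, VirusTotal or forum tool."""
import re
from datetime import date

# Constructed sample: service lines copied from the ComboFix log above.
SAMPLE_SERVICES = r"""
R3 Razerlow;Diamondback 3G USB Filter Driver;c:\windows\system32\drivers\DB3G.sys [2009-07-20 13225]
S1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-03-19 107256]
S1 ethagewl;ethagewl;c:\windows\system32\drivers\ethagewl.sys [2010-04-08 140288]
S2 ekrn;ESET Service;c:\program\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-03-19 731840]
S2 NetCM;Network Connection Manager;c:\program\Common Files\Microsoft Shared\Speech\svchost.exe --> c:\program\Common Files\Microsoft Shared\Speech\svchost.exe [?]
S2 SBAMSvc;Sunbelt VIPRE Antivirus Service;"c:\program\Sunbelt Software\CounterSpy\SBAMSvc.exe" --> c:\program\Sunbelt Software\CounterSpy\SBAMSvc.exe [?]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-01-14 21632]
"""

# Constructed sample in the "<engine> <version> <date> <result>" layout of a
# pasted VirusTotal result list; "-" means the engine reported nothing.
SAMPLE_VIRUSTOTAL = """
AntiVir 8.2.1.220 2010.04.23 TR/Rootkit.Gen
Avast 4.8.1351.0 2010.04.23 -
McAfee-GW-Edition 6.8.5 2010.04.23 Trojan.Rootkit.Gen
NOD32 5052 2010.04.23 -
"""

# ComboFix service line: "<start> <name>;<display>;<image path> [<date> <size>]",
# or "... <registry path> --> <resolved path> [?]" when the file could not be opened.
SERVICE_RE = re.compile(
    r'^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);'
    r'(?P<rest>.+)\s\[(?P<meta>[^\[\]]*)\]$')
SYSTEM32 = 'c:\\windows\\system32\\'


def parse_service_line(line):
    """Parse one service/driver line into a dict, or return None for other lines."""
    m = SERVICE_RE.match(line.strip())
    if m is None:
        return None
    rest = m.group('rest')
    if ' --> ' in rest:                 # keep the resolved path on the right
        rest = rest.split(' --> ')[-1]
    path = rest.strip().strip('"')
    if path.startswith('\\??\\'):       # strip the NT object-manager prefix
        path = path[4:]
    meta = m.group('meta').strip()
    created, size = None, None
    if meta != '?':
        day, size_str = meta.split()
        created, size = date.fromisoformat(day), int(size_str)
    return {'start': m.group('start'), 'name': m.group('name'),
            'display': m.group('display'), 'path': path.lower(),
            'missing': meta == '?', 'created': created, 'size': size}


def triage(text, scan_date, recent_days=30):
    """Return [(service name, [reasons])] for entries worth a closer look.

    Heuristics (leads, not verdicts): image file missing (uninstall leftover, or a
    file hidden from the scanner); svchost.exe outside %SystemRoot%\\system32; a
    boot/system-start kernel driver (S0/S1/R0/R1) created shortly before the scan.
    """
    if isinstance(scan_date, str):
        scan_date = date.fromisoformat(scan_date)
    findings = []
    for line in text.splitlines():
        svc = parse_service_line(line)
        if svc is None:
            continue
        base = svc['path'].rsplit('\\', 1)[-1]
        reasons = []
        if svc['missing']:
            reasons.append('image file not found on disk')
        if base == 'svchost.exe' and not svc['path'].startswith(SYSTEM32):
            reasons.append('svchost.exe outside %SystemRoot%\\system32')
        if (svc['start'] in ('S0', 'S1', 'R0', 'R1') and base.endswith('.sys')
                and svc['created'] is not None
                and (scan_date - svc['created']).days <= recent_days):
            reasons.append('early-start driver created within %d days of the scan' % recent_days)
        if reasons:
            findings.append((svc['name'], reasons))
    return findings


def count_detections(text):
    """Return {engine: verdict} for every engine in a VirusTotal list that reported something."""
    hits = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        verdict = ' '.join(parts[3:])
        if verdict != '-':
            hits[parts[0]] = verdict
    return hits


if __name__ == '__main__':
    for name, reasons in triage(SAMPLE_SERVICES, '2010-04-22'):
        print('%-10s %s' % (name, '; '.join(reasons)))
    print(count_detections(SAMPLE_VIRUSTOTAL))
```

Run as-is it lists ethagewl (new S1 driver), NetCM (both the misplaced svchost.exe and the missing file) and the two orphaned Sunbelt entries SBAMSvc and SBRE, while the ESET and hardware drivers pass. A missing image file on its own is often just an uninstall leftover, which is why the script reports reasons rather than a single score; a line whose file is present but which a rootkit has patched in place (the pattern behind the tcpip6.sys and Serial.sys detections discussed in this thread) is invisible to this kind of listing and needs the file itself checked, which is what the VirusTotal step is for.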

c:\windows\system32\drivers\ethagewl.sys:

 

[log]a-squared 4.5.0.50 2010.04.23 -

AhnLab-V3 5.0.0.2 2010.04.23 -

AntiVir 8.2.1.220 2010.04.23 TR/Rootkit.Gen

Antiy-AVL 2.0.3.7 2010.04.23 -

Authentium 5.2.0.5 2010.04.23 -

Avast 4.8.1351.0 2010.04.23 -

Avast5 5.0.332.0 2010.04.23 -

AVG 9.0.0.787 2010.04.23 -

BitDefender 7.2 2010.04.23 -

CAT-QuickHeal 10.00 2010.04.23 -

ClamAV 0.96.0.3-git 2010.04.23 -

Comodo 4670 2010.04.23 -

DrWeb 5.0.2.03300 2010.04.23 -

eSafe 7.0.17.0 2010.04.22 -

eTrust-Vet 35.2.7445 2010.04.23 -

F-Prot 4.5.1.85 2010.04.23 -

F-Secure 9.0.15370.0 2010.04.23 -

Fortinet 4.0.14.0 2010.04.21 -

GData 21 2010.04.23 -

Ikarus T3.1.1.80.0 2010.04.23 -

Jiangmin 13.0.900 2010.04.23 -

Kaspersky 7.0.0.125 2010.04.23 -

McAfee 5.400.0.1158 2010.04.23 -

McAfee-GW-Edition 6.8.5 2010.04.23 Trojan.Rootkit.Gen

Microsoft 1.5703 2010.04.23 -

NOD32 5052 2010.04.23 -

Norman 6.04.11 2010.04.23 -

nProtect 2010-04-23.01 2010.04.23 -

Panda 10.0.2.7 2010.04.22 -

PCTools 7.0.3.5 2010.04.23 -

Prevx 3.0 2010.04.23 -

Rising 22.44.04.03 2010.04.23 -

Sophos 4.53.0 2010.04.23 -

Sunbelt 6212 2010.04.23 -

Symantec 20091.2.0.41 2010.04.23 -

TheHacker 6.5.2.0.267 2010.04.22 -

TrendMicro 9.120.0.1004 2010.04.23 -

TrendMicro-HouseCall 9.120.0.1004 2010.04.23 -

VBA32 3.12.12.4 2010.04.23 -

ViRobot 2010.4.23.2291 2010.04.23 -

VirusBuster 5.0.27.0 2010.04.23 -[/log]

 

c:\windows\system32\drivers\Serial.sys:

 

[log]a-squared 4.5.0.50 2010.04.23 -

AhnLab-V3 5.0.0.2 2010.04.23 -

AntiVir 8.2.1.220 2010.04.23 -

Antiy-AVL 2.0.3.7 2010.04.23 -

Authentium 5.2.0.5 2010.04.23 -

Avast 4.8.1351.0 2010.04.23 -

Avast5 5.0.332.0 2010.04.23 -

AVG 9.0.0.787 2010.04.23 -

BitDefender 7.2 2010.04.23 -

CAT-QuickHeal 10.00 2010.04.23 -

ClamAV 0.96.0.3-git 2010.04.23 -

Comodo 4670 2010.04.23 TrojWare.Win32.Rootkit.TDL3.gen

DrWeb 5.0.2.03300 2010.04.23 -

eSafe 7.0.17.0 2010.04.22 -

eTrust-Vet 35.2.7445 2010.04.23 -

F-Prot 4.5.1.85 2010.04.23 -

F-Secure 9.0.15370.0 2010.04.23 -

Fortinet 4.0.14.0 2010.04.21 -

GData 21 2010.04.23 -

Ikarus T3.1.1.80.0 2010.04.23 -

Jiangmin 13.0.900 2010.04.23 -

Kaspersky 7.0.0.125 2010.04.23 -

McAfee 5.400.0.1158 2010.04.23 -

McAfee-GW-Edition 6.8.5 2010.04.23 -

Microsoft 1.5703 2010.04.23 -

NOD32 5052 2010.04.23 -

Norman 6.04.11 2010.04.23 -

nProtect 2010-04-23.01 2010.04.23 -

Panda 10.0.2.7 2010.04.22 -

PCTools 7.0.3.5 2010.04.23 -

Prevx 3.0 2010.04.23 -

Rising 22.44.04.03 2010.04.23 -

Sophos 4.53.0 2010.04.23 -

Sunbelt 6212 2010.04.23 LooksLike.Win32.PatchedDriver!A (v)

Symantec 20091.2.0.41 2010.04.23 -

TheHacker 6.5.2.0.267 2010.04.22 -

TrendMicro 9.120.0.1004 2010.04.23 -

TrendMicro-HouseCall 9.120.0.1004 2010.04.23 -

VBA32 3.12.12.4 2010.04.23 -

ViRobot 2010.4.23.2291 2010.04.23 -

VirusBuster 5.0.27.0 2010.04.23 -[/log]

 

c:\windows\system32\dllcache\tcpip6.sys:

 

[log]a-squared 4.5.0.50 2010.04.21 -

AhnLab-V3 5.0.0.2 2010.04.21 -

AntiVir 7.10.6.169 2010.04.21 -

Antiy-AVL 2.0.3.7 2010.04.21 -

Authentium 5.2.0.5 2010.04.21 -

Avast 4.8.1351.0 2010.04.21 -

Avast5 5.0.332.0 2010.04.21 -

AVG 9.0.0.787 2010.04.21 -

BitDefender 7.2 2010.04.21 -

CAT-QuickHeal 10.00 2010.04.21 -

ClamAV 0.96.0.3-git 2010.04.21 -

Comodo 4660 2010.04.21 -

DrWeb 5.0.2.03300 2010.04.22 -

eSafe 7.0.17.0 2010.04.21 -

eTrust-Vet 35.2.7442 2010.04.21 -

F-Prot 4.5.1.85 2010.04.21 -

F-Secure 9.0.15370.0 2010.04.21 -

Fortinet 4.0.14.0 2010.04.21 -

GData 21 2010.04.21 -

Ikarus T3.1.1.80.0 2010.04.21 -

Jiangmin 13.0.900 2010.04.20 -

K7AntiVirus 7.10.1004 2010.03.22 -

Kaspersky 7.0.0.125 2010.04.21 -

McAfee 5.400.0.1158 2010.04.22 -

McAfee+Artemis 5937 2010.03.31 -

McAfee-GW-Edition 6.8.5 2010.04.21 -

Microsoft 1.5703 2010.04.21 -

NOD32 5048 2010.04.21 -

Norman 6.04.11 2010.04.21 -

nProtect 2010-04-21.01 2010.04.21 -

Panda 10.0.2.7 2010.04.21 -

PCTools 7.0.3.5 2010.04.21 -

Prevx 3.0 2010.04.22 -

Rising 22.44.02.05 2010.04.21 -

Sophos 4.53.0 2010.04.21 -

Sunbelt 6205 2010.04.22 -

Symantec 20091.2.0.41 2010.04.22 -

TheHacker 6.5.2.0.266 2010.04.21 -

TrendMicro 9.120.0.1004 2010.04.21 -

VBA32 3.12.12.4 2010.04.19 -

ViRobot 2010.4.21.2288 2010.04.21 -

VirusBuster 5.0.27.0 2010.04.21 -[/log]

 

 

Unfortunately I did not find NetCM. Only one called "NetBios over Tcpip".


It looks like there is a nasty rootkit in the computer.

 

1. Save DeFogger by jpshortstuff http://www.jpshortstuff.247fixes.com/Defogger.exe to the Desktop.

 

Start DeFogger.

When the program's window appears, press the Disable button to disable the drivers that belong to your installed CD emulation software.

Press Yes to continue.

When the program is done, a message 'Finished!' appears.

Press OK.

The program asks to restart the computer; press OK.

 

IMPORTANT! If you get an error message while DeFogger is running, paste the log defogger_disable that is then created on the Desktop.

 

Do not re-enable these drivers until the cleaning is completely finished.

 

2. Save this file to the Desktop:

http://rootrepeal.googlepages.com/RootRepeal.zip

Unzip (extract) the zip file so that you get a program file.

 

Unplug the internet connection. Close all programs you see, including firewall, antivirus and antispyware programs.

How? See http://www.bleepingcomputer.com/forums/topic114351.html

 

Start RootRepeal (in Vista and Windows 7 as usual by right-clicking the icon and choosing Run as administrator).

Select the Report tab and press Scan.

Tick all seven options and then press Yes.

Select C: and press Ok.

It takes a while for RootRepeal to scan C:.

When the scan is finished, press Save Report and save it with the name rootrepeal.log. Paste the contents of rootrepeal.log in your reply.

 

3. Save Gmer to the Desktop from:

http://www2.gmer.net/download.php

It has a random name, so note what the program is saved as.

 

Unplug the internet connection.

Close all programs, including antivirus and firewall.

Start the downloaded program.

A first quick scan starts.

If a WARNING appears that mentions ROOTKIT and asks about "fully scan", choose No. Save the log and paste it in your reply. Do nothing more.

 

If the question does not appear, select the Rootkit/Malware tab and check that everything on the right is ticked except Show All and partitions other than C:\. Press Scan. Leave the computer alone while Gmer is running.

Press Save and save the result to the Desktop.

Turn on antivirus and firewall before connecting to the internet.

Paste the result in your reply.


No problems with RootRepeal:

 

[log]ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2010/04/23 16:28

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

 

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xAB28F000 Size: 98304 File Visible: No Signed: -

Status: -

 

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xBA668000 Size: 8192 File Visible: No Signed: -

Status: -

 

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xA846B000 Size: 49152 File Visible: No Signed: -

Status: -

 

Hidden/Locked Files

-------------------

Path: C:\Documents and Settings\Eric\Lokala inställningar\Application Data\Microsoft\Messenger\Erc.94@hotmail.com\SharingMetadata\hoofnauer@hotmail.com\DFSR\Staging\CS{EA6F13AA-AA8D-2979-FC0F-4F38BBC31C81}\00\100-{8731992B-D37A-4114-BB71-D3591D657317}-v100-{8731992B-D37A-4114-BB71-D3591D657317}-v100-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Visible to the Windows API, but not on disk.

 

Path: C:\Documents and Settings\Eric\Lokala inställningar\Application Data\Microsoft\Messenger\Erc.94@hotmail.com\SharingMetadata\hoofnauer@hotmail.com\DFSR\Staging\CS{EA6F13AA-AA8D-2979-FC0F-4F38BBC31C81}\90\90-{8731992B-D37A-4114-BB71-D3591D657317}-v90-{8731992B-D37A-4114-BB71-D3591D657317}-v90-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Visible to the Windows API, but not on disk.

 

Path: C:\Documents and Settings\Eric\Lokala inställningar\Application Data\Microsoft\Messenger\Erc.94@hotmail.com\SharingMetadata\hoofnauer@hotmail.com\DFSR\Staging\CS{EA6F13AA-AA8D-2979-FC0F-4F38BBC31C81}\91\91-{8731992B-D37A-4114-BB71-D3591D657317}-v91-{8731992B-D37A-4114-BB71-D3591D657317}-v91-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Visible to the Windows API, but not on disk.

 

Path: C:\Documents and Settings\Eric\Lokala inställningar\Application Data\Microsoft\Messenger\Erc.94@hotmail.com\SharingMetadata\hoofnauer@hotmail.com\DFSR\Staging\CS{EA6F13AA-AA8D-2979-FC0F-4F38BBC31C81}\92\92-{8731992B-D37A-4114-BB71-D3591D657317}-v92-{8731992B-D37A-4114-BB71-D3591D657317}-v92-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Visible to the Windows API, but not on disk.

 

Path: C:\Documents and Settings\Eric\Lokala inställningar\Application Data\Microsoft\Messenger\Erc.94@hotmail.com\SharingMetadata\hoofnauer@hotmail.com\DFSR\Staging\CS{EA6F13AA-AA8D-2979-FC0F-4F38BBC31C81}\93\93-{8731992B-D37A-4114-BB71-D3591D657317}-v93-{8731992B-D37A-4114-BB71-D3591D657317}-v93-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Visible to the Windows API, but not on disk.

 

Path: C:\Documents and Settings\Eric\Lokala inställningar\Application Data\Microsoft\Messenger\Erc.94@hotmail.com\SharingMetadata\hoofnauer@hotmail.com\DFSR\Staging\CS{EA6F13AA-AA8D-2979-FC0F-4F38BBC31C81}\94\94-{8731992B-D37A-4114-BB71-D3591D657317}-v94-{8731992B-D37A-4114-BB71-D3591D657317}-v94-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Visible to the Windows API, but not on disk.

 

Path: C:\Documents and Settings\Eric\Lokala inställningar\Application Data\Microsoft\Messenger\Erc.94@hotmail.com\SharingMetadata\hoofnauer@hotmail.com\DFSR\Staging\CS{EA6F13AA-AA8D-2979-FC0F-4F38BBC31C81}\95\95-{87~2.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Visible to the Windows API, but not on disk.

 

Path: C:\Documents and Settings\Eric\Lokala inställningar\Application Data\Microsoft\Messenger\Erc.94@hotmail.com\SharingMetadata\hoofnauer@hotmail.com\DFSR\Staging\CS{EA6F13AA-AA8D-2979-FC0F-4F38BBC31C81}\96\96-{8731992B-D37A-4114-BB71-D3591D657317}-v96-{8731992B-D37A-4114-BB71-D3591D657317}-v96-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Visible to the Windows API, but not on disk.

 

Path: C:\Documents and Settings\Eric\Lokala inställningar\Application Data\Microsoft\Messenger\Erc.94@hotmail.com\SharingMetadata\hoofnauer@hotmail.com\DFSR\Staging\CS{EA6F13AA-AA8D-2979-FC0F-4F38BBC31C81}\97\97-{8731992B-D37A-4114-BB71-D3591D657317}-v97-{8731992B-D37A-4114-BB71-D3591D657317}-v97-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Visible to the Windows API, but not on disk.

 

Path: C:\Documents and Settings\Eric\Lokala inställningar\Application Data\Microsoft\Messenger\Erc.94@hotmail.com\SharingMetadata\hoofnauer@hotmail.com\DFSR\Staging\CS{EA6F13AA-AA8D-2979-FC0F-4F38BBC31C81}\98\98-{8731992B-D37A-4114-BB71-D3591D657317}-v98-{8731992B-D37A-4114-BB71-D3591D657317}-v98-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Visible to the Windows API, but not on disk.

 

Path: C:\Documents and Settings\Eric\Lokala inställningar\Application Data\Microsoft\Messenger\Erc.94@hotmail.com\SharingMetadata\hoofnauer@hotmail.com\DFSR\Staging\CS{EA6F13AA-AA8D-2979-FC0F-4F38BBC31C81}\99\99-{8731992B-D37A-4114-BB71-D3591D657317}-v99-{8731992B-D37A-4114-BB71-D3591D657317}-v99-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Visible to the Windows API, but not on disk.

 

SSDT

-------------------

#: 019 Function Name: NtAssignProcessToJobObject

Status: Hooked by "<unknown>" at address 0x8a5f7580

 

#: 057 Function Name: NtDebugActiveProcess

Status: Hooked by "<unknown>" at address 0x8a5f8100

 

#: 068 Function Name: NtDuplicateObject

Status: Hooked by "<unknown>" at address 0x8a5f7b30

 

#: 122 Function Name: NtOpenProcess

Status: Hooked by "<unknown>" at address 0x8a5f6cc0

 

#: 128 Function Name: NtOpenThread

Status: Hooked by "<unknown>" at address 0x8a5f6fc0

 

#: 137 Function Name: NtProtectVirtualMemory

Status: Hooked by "<unknown>" at address 0x8a5f79c0

 

#: 213 Function Name: NtSetContextThread

Status: Hooked by "<unknown>" at address 0x8a5f7860

 

#: 229 Function Name: NtSetInformationThread

Status: Hooked by "<unknown>" at address 0x8a5f76e0

 

#: 237 Function Name: NtSetSecurityObject

Status: Hooked by "<unknown>" at address 0x8a5f4700

 

#: 253 Function Name: NtSuspendProcess

Status: Hooked by "<unknown>" at address 0x8a5f7420

 

#: 254 Function Name: NtSuspendThread

Status: Hooked by "<unknown>" at address 0x8a5f72c0

 

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "<unknown>" at address 0x8a5f6e50

 

#: 258 Function Name: NtTerminateThread

Status: Hooked by "<unknown>" at address 0x8a5f7150

 

#: 277 Function Name: NtWriteVirtualMemory

Status: Hooked by "<unknown>" at address 0x8a5f7f50

 

Stealth Objects

-------------------

Object: Hidden Code [ETHREAD: 0x8af76180]

Process: System Address: 0x8a525add Size: 499

 

Object: Hidden Code [ETHREAD: 0x8a376020]

Process: System Address: 0x8a525add Size: 499

 

Object: Hidden Code [ETHREAD: 0x8a36d020]

Process: System Address: 0x8a525add Size: 499

 

Object: Hidden Code [ETHREAD: 0x8a36a020]

Process: System Address: 0x8a525add Size: 499

 

Object: Hidden Code [ETHREAD: 0x8a368da8]

Process: System Address: 0x8a525add Size: 499

 

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x8b3d25b0 Size: 118

 

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]

Process: System Address: 0x8a523ef9 Size: 263

 

==EOF==[/log]

 

But with GMER I got a bluescreen when I started the program. It said I should use Driver Verifier against all used or suspected drivers.

 

I tried again but got the same bluescreen as with combofix yesterday..

Then I tried running it in safe mode; the scan started but then I got a bluescreen again.
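As an added example (not part of Eric's post, nor code from RootRepeal itself): a small Python triage script that parses a RootRepeal report in the format pasted above and ranks what it finds. The report embedded in it is a constructed, trimmed copy of the one above. The ranking rules are the editor's own assumptions: hidden code in a driver's dispatch routine (here atapi IRP_MJ_INTERNAL_DEVICE_CONTROL and Tcpip IRP_MJ_CREATE) is rated high, because intercepting the disk driver's I/O path is how the TDL3 family named in Comodo's verdict on Serial.sys above hides its sectors; unbacked code executing in System threads is also high; SSDT functions hooked by "<unknown>" are rated medium, since the set here (NtOpenProcess, NtTerminateProcess, NtWriteVirtualMemory and so on) is also what a security product's self-protection hooks, so the owner has to be confirmed before drawing a conclusion; staging files "visible to the Windows API, but not on disk" are rated low.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the RootRepeal report pasted in the post.
SAMPLE_REPORT = """\
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/04/23 16:28
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\rootrepeal.sys
Address: 0xA846B000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\\Documents and Settings\\Eric\\Application Data\\Microsoft\\Messenger\\DFSR\\Staging\\99-Downloaded.frx:{59828bbb}.XPRESS
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x8a5f6cc0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x8a5f6e50

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x8af76180]
Process: System Address: 0x8a525add Size: 499

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8b3d25b0 Size: 118

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x8a523ef9 Size: 263

==EOF==
"""

SECTION_NAMES = {"Drivers", "Hidden/Locked Files", "SSDT", "Stealth Objects"}
SSDT_RE = re.compile(r'^#:\s*(\d+)\s+Function Name:\s*(\w+)')
HOOK_RE = re.compile(r'^Status:\s*Hooked by "([^"]*)" at address (0x[0-9A-Fa-f]+)')
DRIVER_OBJ_RE = re.compile(r'^Object: Hidden Code \[Driver: (\w+), (\w+)\]')
THREAD_OBJ_RE = re.compile(r'^Object: Hidden Code \[ETHREAD: (0x[0-9A-Fa-f]+)\]')
PROCESS_RE = re.compile(r'^Process:\s*(\S+)\s+Address:\s*(0x[0-9A-Fa-f]+)\s+Size:\s*(\d+)')
PATH_RE = re.compile(r'^Path:\s*(.+)$')
STATUS_RE = re.compile(r'^Status:\s*(.+)$')


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low" (editor's own scale)
    category: str
    detail: str


def parse_report(text):
    """Every RootRepeal record is a header line plus one detail line, so the
    parser remembers the header as 'pending' until its detail line arrives."""
    out = {"ssdt": [], "driver_hooks": [], "thread_code": [], "hidden_files": []}
    section, pending = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_NAMES:
            section, pending = line, None
            continue
        if not line or section is None:
            continue
        if section == "SSDT":
            if (m := SSDT_RE.match(line)):
                pending = (int(m.group(1)), m.group(2))
            elif (m := HOOK_RE.match(line)) and pending:
                out["ssdt"].append({"index": pending[0], "function": pending[1],
                                    "owner": m.group(1), "address": m.group(2)})
                pending = None
        elif section == "Stealth Objects":
            if (m := DRIVER_OBJ_RE.match(line)):
                pending = ("driver_hooks", {"driver": m.group(1), "dispatch": m.group(2)})
            elif (m := THREAD_OBJ_RE.match(line)):
                pending = ("thread_code", {"ethread": m.group(1)})
            elif (m := PROCESS_RE.match(line)) and pending:
                kind, rec = pending
                rec.update(process=m.group(1), address=m.group(2), size=int(m.group(3)))
                out[kind].append(rec)
                pending = None
        elif section == "Hidden/Locked Files":
            if (m := PATH_RE.match(line)):
                pending = m.group(1)
            elif (m := STATUS_RE.match(line)) and pending:
                out["hidden_files"].append({"path": pending, "status": m.group(1)})
                pending = None
    return out


def triage(parsed):
    """Rank parsed records; the rules are assumptions described in the lead-in."""
    findings = []
    for h in parsed["driver_hooks"]:  # hidden code in a driver's I/O dispatch path
        findings.append(Finding("high", "driver-dispatch-hook",
            f"{h['driver']} {h['dispatch']} handled by hidden code at {h['address']} ({h['size']} bytes)"))
    # several System threads running the same unbacked code = one resident payload
    for addr, n in Counter(t["address"] for t in parsed["thread_code"]).items():
        findings.append(Finding("high", "hidden-kernel-code",
            f"{n} System thread(s) executing unbacked code at {addr}"))
    for s in parsed["ssdt"]:  # unknown owner: could be the rootkit or a security product
        sev = "medium" if s["owner"] == "<unknown>" else "low"
        findings.append(Finding(sev, "ssdt-hook", f"{s['function']} -> {s['address']} by {s['owner']}"))
    for f in parsed["hidden_files"]:  # API-visible but not on disk: usually transient
        sev = "low" if "not on disk" in f["status"] else "medium"
        findings.append(Finding(sev, "hidden-file", f["path"]))
    return findings


def summary(findings):
    return Counter(f.severity for f in findings)


if __name__ == "__main__":
    for f in sorted(triage(parse_report(SAMPLE_REPORT)), key=lambda f: f.severity):
        print(f"[{f.severity:6}] {f.category}: {f.detail}")
```

To run it against a real report, replace SAMPLE_REPORT with the contents of the saved rootrepeal.log; the output is a prioritised list for a human to confirm, not a verdict.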


Can you find either of the following two names in Device Manager when you do as I wrote in post #18?

Network Connection Manager

ethagewl

If so, disable them and then restart the computer.

If you were able to disable them, run MBAM and ComboFix again. Paste those logs in that case.

 

Check this file on the virustotal site:

c:\windows\system32\spmsg.dll


Neither of them is in Device Manager.

 

Virustotal found nothing in spmsg.dll.

 

By the way, earlier when I was going to check the file tcpip6.sys, the dllcache folder was not in system32. (I do show hidden files/folders.) I opened it with Run -> "%systemroot%\system32\dllcache" and sent it to virustotal with their "uploader".

 

It then said "Hash found - opening browser". But then on virustotal it said they had checked the file "3A552BBF40EF7A3276190332D8722400C0237629.sys" without finding anything.

 

I just thought this was a bit odd?
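An added example (not from the thread, and not VirusTotal's own code) that covers two things discussed above: the pasted VirusTotal result tables for ethagewl.sys, Serial.sys and tcpip6.sys, and the question of why the uploader reported a file under a 40-character name. parse_results reads result lines in the pasted format and computes the detection ratio and whether the hits are generic or heuristic names only, as all of the hits pasted above are. content_hashes and hash_kind show the other point: VirusTotal identifies a submission by its content hash, so the uploader's "Hash found" means the same bytes had been seen before, and a name of 40 hex characters has the length of a SHA-1 digest (32 characters is an MD5, as in the later reply). The sample lines and bytes are constructed for this example, and the word list used to recognise generic names is the editor's assumption.

```python
import hashlib
import re

# Constructed sample: a few lines in the format pasted above
# (engine, signature version, date, verdict; "-" means no detection).
SAMPLE_RESULTS = """\
AntiVir 8.2.1.220 2010.04.23 TR/Rootkit.Gen
Avast 4.8.1351.0 2010.04.23 -
Comodo 4670 2010.04.23 -
McAfee-GW-Edition 6.8.5 2010.04.23 Trojan.Rootkit.Gen
NOD32 5052 2010.04.23 -
Sunbelt 6212 2010.04.23 LooksLike.Win32.PatchedDriver!A (v)
"""

LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.*)$')
# Assumed markers of generic/heuristic verdicts rather than a named, known sample.
GENERIC_RE = re.compile(r'\bGen\b|Generic|LooksLike|Heur|Suspicious')
HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_results(text):
    """Turn pasted 'engine version date verdict' lines into dicts."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        engine, version, date, verdict = m.groups()
        verdict = verdict.strip()
        rows.append({"engine": engine, "version": version, "date": date,
                     "verdict": None if verdict == "-" else verdict})
    return rows


def detection_ratio(rows):
    """(engines that flagged the file, engines that scanned it)."""
    return sum(1 for r in rows if r["verdict"]), len(rows)


def detecting_engines(rows):
    return {r["engine"]: r["verdict"] for r in rows if r["verdict"]}


def generic_only(rows):
    """True when every verdict is generic/heuristic: engines reacted to the
    file's structure (e.g. a patched driver), not to a known signature."""
    hits = list(detecting_engines(rows).values())
    return bool(hits) and all(GENERIC_RE.search(v) for v in hits)


def content_hashes(data):
    """The digests VirusTotal keys its reports on; they depend only on the
    bytes, so renaming or copying a file never changes them."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def hash_kind(name):
    """If a file name (minus extension) is bare hex, say which digest length it has."""
    stem = name.rsplit(".", 1)[0]
    if re.fullmatch(r'[0-9A-Fa-f]+', stem):
        return HEX_LENGTHS.get(len(stem))
    return None


if __name__ == "__main__":
    rows = parse_results(SAMPLE_RESULTS)
    hits, total = detection_ratio(rows)
    print(f"{hits}/{total} engines flagged it; generic names only: {generic_only(rows)}")
    for engine, verdict in detecting_engines(rows).items():
        print(f"  {engine}: {verdict}")
    print(hash_kind("3A552BBF40EF7A3276190332D8722400C0237629.sys"))  # sha1
    print(content_hashes(b"constructed sample bytes")["sha1"])
```

A useful reading of the figures: a low ratio made up only of generic names, as for Serial.sys above, says the engines see an altered system driver rather than a catalogued sample, which is exactly the case where a hash lookup against a known-good copy of the same driver version is more informative than the verdict names.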


By the way, earlier when I was going to check the file tcpip6.sys, the dllcache folder was not in system32. (I do show hidden files/folders.) I opened it with Run -> "%systemroot%\system32\dllcache" and sent it to virustotal with their "uploader".

There is also an option about showing operating system files. Try that.

 

Check C:\WINDOWS\system32\drivers\Tcpip6.sys on virustotal too. That is the file Nod32 complains about, but it is useful to see what the other programs think of it.

 

You can see whether Device Manager perhaps shows more rows if you start it like this:

Start - Programs - Accessories - Command Prompt

Type:

set DEVMGR_SHOW_DETAILS=1

set DEVMGR_SHOW_NONPRESENT_DEVICES=1

start devmgmt.msc

 

Choose to show hidden devices too. Also check under the other headings for the names you have looked for before.


"The file has already been analysed:

MD5: 4e53bbcc4be37d7a4bd6ef1098c89ff7"

 

Does virustotal rename it?

 

 

Device Manager shows more things, but unfortunately none of those.

 

 

Unfortunately I have to leave the computer now, so I won't reply until tomorrow.

But I want to say that I am very grateful for this help! :)


Archived

This topic is now archived and is closed to further replies.