
Virus problem, can't browse.


AstroCreep


Hi!

 

My brother has managed to get a virus on his computer, so I'm turning to you here and hoping for the best. :)

 

The virus has somehow blocked things so that you can't use any web browser; they start fine but can't find any websites. MSN works, though.

It also now says the computer can't find paryp.dll, some error that was perhaps quarantined and then removed by mistake, or something like that.

System Restore doesn't work either.

 

I've scanned with a few programs: Norman (some junk he had on the computer), Lavasoft Ad-Aware and Malwarebytes. Malwarebytes works well but not completely; it finds things it can't remove, so there's always something left over, and I haven't the faintest idea how to solve it.

 

Including the latest log:

 

 

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

 

Databasversion: 4329

 

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

 

2010-07-20 11:07:36

mbam-log-2010-07-20 (11-07-36).txt

 

Skanningstyp: Snabbskanning

Antal skannade objekt: 144102

Förfluten tid: 8 minut(er), 35 sekund(er)

Infekterade minnesprocesser: 0

Infekterade minnesmoduler: 0

Infekterade registernycklar: 3

Infekterade registervärden: 0

Infekterade registerdataposter: 0

Infekterade mappar: 0

Infekterade filer: 1

 

Infekterade minnesprocesser:

(Inga illasinnade poster hittades)

 

Infekterade minnesmoduler:

(Inga illasinnade poster hittades)

 

Infekterade registernycklar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Documents and Settings/Anvädaren/Lokala inställningar/Temp/chbkcvtd.dat (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chbkcvtd.dat (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\chbkcvtd.dat (Rootkit.Agent) -> Delete on reboot.

 

Infekterade registervärden:

(Inga illasinnade poster hittades)

 

Infekterade registerdataposter:

(Inga illasinnade poster hittades)

 

Infekterade mappar:

(Inga illasinnade poster hittades)

 

Infekterade filer:

C:\Documents and Settings\Anvädaren\Lokala inställningar\Temp\chbkcvtd.dat (Rootkit.Agent) -> Delete on reboot.

 

 

 

 

Thanks in advance! //tobben


See whether the following gets the connection to websites going:

Control Panel - Internet Options - Connections - LAN settings

Click Advanced

Clear the contents there so that all the boxes under the Servers heading are empty.

Click OK

Clear any contents in the Address box

Untick "Use a proxy server...."

OK

Restart the computer.

 

We can see what DDS shows to begin with. Save DDS to the Desktop.

http://download.bleepingcomputer.com/sUBs/dds.scr

 

Start the program by double-clicking it.

Press Yes if the question about Optional Scan appears.

In your reply, paste the DDS.txt log, and attach Attach.txt as a file.

 

-----------

Moving the thread from "Windows XP" to "Virus, malware & remedies"

 

Cecilia

Moderator


The browser seems to work! But it goes on about how you shouldn't browse because the security is low, roughly, and whether you want to correct some settings.

 

 

But here are both logs from DDS.

 

DDS (Ver_10-03-17.01) - NTFSx86

Run by Anv„daren at 12:02:48,95 on 2010-07-20

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.2047.1249 [GMT 2:00]

 

 

============== Running Processes ===============

 

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Creative\Shared Files\CTAudSvc.exe

C:\DOCUME~1\ANVDAR~1\LOKALA~1\Temp\l84alx.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program\Creative\Volume Panel\VolPanlu.exe

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\Program\Java\jre6\bin\jusched.exe

C:\Program\HP\HP Software Update\HPWuSchd2.exe

C:\Program\Voddler\service\VNetManager.exe

C:\Program\Delade filer\Adobe\ARM\1.0\AdobeARM.exe

C:\Program\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\dfttuyox.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\DAEMON Tools Lite\DTLite.exe

C:\Program\Messenger\msmsgs.exe

svchost.exe

C:\Program\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program\Windows Desktop Search\WindowsSearch.exe

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\Program\Delade filer\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\Wacom_Tablet.exe

C:\Program\Voddler\service\voddler.exe

C:\Program\Windows Live\Messenger\msnmsgr.exe

C:\Program\HP\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

C:\Program\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program\Windows Live\Contacts\wlcomm.exe

C:\DOCUME~1\ANVDAR~1\LOKALA~1\Temp\4r3twe640.exe

C:\WINDOWS\system32\Rundll32.exe

C:\Program\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\WINDOWS\system32\rundll32.exe

C:\Documents and Settings\Anvädaren\Mina dokument\Mina mottagna filer\dds.scr

 

============== Pseudo HJT Report ===============

 

uStart Page = hxxp://www.google.se/

mWindow Title = Erhållen av Wermlandsdata

uInternet Settings,ProxyOverride = <local>

mWinlogon: Taskman=c:\documents and settings\anvädaren\application data\ogix.exe

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program\delade filer\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program\bitcomet\tools\BitCometBHO_1.3.7.16.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program\avg\avg9\avgssie.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Windows Live inloggningshjälpen: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program\delade filer\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program\windows live\toolbar\wltcore.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program\windows live\toolbar\wltcore.dll

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [DAEMON Tools Lite] "c:\program\daemon tools lite\DTLite.exe" -autorun

uRun: [MSMSGS] "c:\program\messenger\msmsgs.exe" /background

uRunOnce: [shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; Creative AutoUpdate v1.40.01)" -"http://www.blip.se/rsbitch/bitch_v3.asp"

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [VolPanel] "c:\program\creative\volume panel\VolPanlu.exe" /r

mRun: [CTxfiHlp] CTXFIHLP.EXE

mRun: [sunJavaUpdateSched] "c:\program\java\jre6\bin\jusched.exe"

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [AdobeCS4ServiceManager] "c:\program\delade filer\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin

mRun: [HP Software Update] c:\program\hp\hp software update\HPWuSchd2.exe

mRun: [VoddlerNet Manager] c:\program\voddler\service\VNetManager.exe

mRun: [Adobe Reader Speed Launcher] "c:\program\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program\delade filer\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program\itunes\iTunesHelper.exe"

mRun: [sta] rundll32 "paryp.dll",,Run

mRun: [rmnzhp] RUNDLL32.EXE c:\windows\system32\mswyxtnd.dll,w

mRun: [dfttuyo] c:\windows\system32\dfttuyo.exe

mRun: [dfttuyox] c:\windows\system32\dfttuyox.exe

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

mExplorerRun: [tcyz46] c:\docume~1\anvdar~1\lokala~1\temp\l84alx.exe

StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\adobeg~1.lnk - c:\program\delade filer\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\hpdigi~1.lnk - c:\program\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\hpimag~1.lnk - c:\program\hp\digital imaging\bin\hpqthb08.exe

StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\window~1.lnk - c:\program\windows desktop search\WindowsSearch.exe

IE: &D&ownload &with BitComet - c:\program\bitcomet\BitComet.exe/AddLink.htm

IE: &D&ownload all video with BitComet - c:\program\bitcomet\BitComet.exe/AddVideo.htm

IE: &D&ownload all with BitComet - c:\program\bitcomet\BitComet.exe/AddAllLink.htm

IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program\bitcomet\tools\BitCometBHO_1.3.7.16.dll/206

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program\windows live\writer\WriterBrowserExtension.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\program\micros~2\office11\REFIEBAR.DLL

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {22492231-AEF0-49FC-9180-CE8969AB1273} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab

DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab

DPF: {6CCE3920-3183-4B3D-808A-B12EB769DE12} - hxxp://www.commandondemand.com/eval/cod/cabs/cssweb.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1256545002890

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab

DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15109/CTPID.cab

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program\windows desktop search\MSNLNamespaceMgr.dll

 

================= FIREFOX ===================

 

FF - ProfilePath - c:\docume~1\anvdar~1\applic~1\mozilla\firefox\profiles\3pc80yok.default\

FF - plugin: c:\documents and settings\anvã¤daren\lokala instã¤llningar\application data\unity\webplayer\loader\npUnity3D32.dll

FF - plugin: c:\program\mpcstar\codecs\real\browser\plugins\nppl3260.dll

FF - plugin: c:\program\mpcstar\codecs\real\browser\plugins\nprpjplug.dll

FF - plugin: c:\program\tabletplugins\npwacom.dll

FF - plugin: c:\program\windows live\photo gallery\NPWLPG.dll

FF - plugin: c:\program\voddler\plugin\npvoddler.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

 

---- FIREFOX POLICIES ----

c:\program\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program\mozilla firefox\greprefs\all.js - pref("browser.visited_color", "#551A8B");

c:\program\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("browser.videoFeeds.handler", "ask");

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

 

============= SERVICES / DRIVERS ===============

 

R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]

R0 gajnzinf;gajnzinf;c:\windows\system32\drivers\gajnzinf.sys [2008-4-15 23424]

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-25 64288]

R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2009-12-27 3968]

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-10-26 54752]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]

R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-12-2 5010288]

R2 VoddlerNet;VoddlerNet;c:\program\voddler\service\voddler.exe [2010-3-15 1160400]

R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2009-10-23 39424]

R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2009-6-4 171032]

R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2009-6-4 1324056]

R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2009-6-4 72728]

S2 bjbrqlbu;E-mu Plug-in Architecture Monitor;c:\windows\system32\svchost.exe -k netsvcs [2008-4-15 14336]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program\delade filer\creative labs shared\service\CTAELicensing.exe [2009-10-23 79360]

S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2009-6-4 171032]

S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2009-6-4 1324056]

S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2009-6-4 72728]

S3 fsssvc;Tjänsten Windows Live Family Safety;c:\program\windows live\family safety\fsssvc.exe [2009-8-5 704864]

S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-11-18 16168]

 

=============== Created Last 30 ================

 

2010-07-20 09:58:30 132608 --sh--r- c:\docume~1\anvdar~1\applic~1\ogix.exe

2010-07-20 09:56:59 16384 ----a-w- c:\windows\system32\updata.exe

2010-07-20 09:56:09 40 ----a-w- c:\windows\system32\service.sys

2010-07-20 09:54:22 134656 ----a-w- c:\windows\system32\dfttuyo.exe

2010-07-20 09:54:11 151552 ----a-w- c:\windows\system32\dfttuyox.exe

2010-07-19 20:22:36 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-07-19 20:04:47 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}

2010-07-19 19:41:49 0 d-----w- c:\windows\SxsCaPendDel

2010-07-19 19:04:23 765952 ----a-w- c:\windows\system32\drivers\yvtikpdt.sys

2010-07-19 19:04:14 36865 ----a-w- c:\windows\system32\mswyxtnd.dll

2010-07-19 19:03:26 150 ----a-w- C:\zrpt.xml

2010-07-19 19:02:55 0 d-----w- c:\docume~1\anvdar~1\applic~1\748B938531AAE72261B4FFDC4ECCC8E0

 

==================== Find3M ====================

 

2010-07-20 09:54:33 12320768 ----a-w- c:\documents and settings\anvädaren\ntuser.dat

2010-07-04 07:22:21 71776 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT

2010-06-23 20:49:32 92094 ----a-w- c:\windows\system32\perfc01D.dat

2010-06-23 20:49:32 463742 ----a-w- c:\windows\system32\perfh01D.dat

2010-05-06 10:36:51 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 08:10:15 1851264 ----a-w- c:\windows\system32\win32k.sys

2006-06-23 06:48:54 32768 ----a-r- c:\windows\inf\UpdateUSB.exe

2009-12-31 15:26:12 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

 

============= FINISH: 12:03:59,71 ===============

Attach.txt


It seems best to do the following:

Internet Options - Security - Reset all zones to default level

 

On the page http://www.virustotal.com, press the Browse button and paste one of the following file names into the box, press Open and then Send File. Wait until the result is ready (Current status becomes finished). Paste a link to the result here. Repeat with the next file name.

c:\documents and settings\anvädaren\application data\ogix.exe

c:\windows\system32\mswyxtnd.dll

c:\windows\system32\dfttuyo.exe

c:\windows\system32\drivers\yvtikpdt.sys

c:\windows\system32\mswyxtnd.dll

 

Save ComboFix to the Desktop:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

 

Close all programs you can see, including antivirus and antispyware programs, but leave the firewall on.

How? See http://www.bleepingcomputer.com/forums/topic114351.html

Run ComboFix and follow the instructions shown.

If a question comes up asking whether you want to install the Recovery Console, answer yes.

 

IMPORTANT! Don't click on the ComboFix window with the mouse while it's running, otherwise it can hang.

 

When it's finished, a log should come up; paste it into your reply. Check that the antivirus program etc. is running before you connect to the internet.

 

If you have trouble getting out on the internet:

Control Panel - Network Connections

right-click your internet connection and choose Repair, and/or restart the computer.

 

Warning! ComboFix prevents autorun of CDs, floppy disks and USB devices to make it easier to clean the computer and to protect it against infections in the future. This can cause problems, e.g. if the computer gets its internet via a USB modem or USB network adapter. In that case, say so instead of running ComboFix.

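The checks Cecilia applied by eye to the DDS report above, written out as an added example (not code from the thread or from DDS): it parses lines in the "Pseudo HJT Report" and "Created Last 30" formats and flags autostarts from Temp or the Application Data root, a Winlogon Taskman entry, rundll32 loading a DLL by bare name, the Explorer\Run key, a configured proxy server, and any autostart whose target was created within the last 30 days. The sample lines are constructed from the posted log; the ProxyServer line is added only to exercise the proxy check.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample lines in the DDS log formats, modelled on the report posted
# in this thread (shortened). The ProxyServer line is constructed to exercise
# the proxy check; it is not in the posted log.
SAMPLE_HJT = r"""
uStart Page = hxxp://www.google.se/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = 127.0.0.1:8080
mWinlogon: Taskman=c:\documents and settings\anvädaren\application data\ogix.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [sta] rundll32 "paryp.dll",,Run
mRun: [rmnzhp] RUNDLL32.EXE c:\windows\system32\mswyxtnd.dll,w
mRun: [dfttuyox] c:\windows\system32\dfttuyox.exe
mExplorerRun: [tcyz46] c:\docume~1\anvdar~1\lokala~1\temp\l84alx.exe
"""
SAMPLE_CREATED = r"""
2010-07-20 09:58:30 132608 --sh--r- c:\docume~1\anvdar~1\applic~1\ogix.exe
2010-07-20 09:54:11 151552 ----a-w- c:\windows\system32\dfttuyox.exe
2010-07-19 20:22:36 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-19 19:04:14 36865 ----a-w- c:\windows\system32\mswyxtnd.dll
"""

# Pseudo HJT line shapes; the leading u/m/d is the user/machine/default hive.
ENTRY_RE = re.compile(r"^(?P<scope>[umd])(?P<key>RunOnce|Run|ExplorerRun): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
WINLOGON_RE = re.compile(r"^[umd]Winlogon: (?P<value>[A-Za-z]+)=(?P<cmd>.+)$")
PROXY_RE = re.compile(r"^[umd]Internet Settings,(?P<name>\w+) = (?P<value>.*)$")
# "Created Last 30" lines: date time size attrs path; attrs starting with d = directory.
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\d+\s+(?P<attrs>\S{8})\s+(?P<path>.+)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?', re.I)
EXE_RE = re.compile(r"^(?P<path>.+?\.(?:exe|dll|scr|com|bat|cmd))(?=[\s,]|$)", re.I)
TEMP_RE = re.compile(r"\\temp\\", re.I)
APPDATA_ROOT_RE = re.compile(r"\\(?:application data|applic~1)\\[^\\]+\.(?:exe|dll|scr)$", re.I)


@dataclass
class Finding:
    line: str
    reasons: list[str] = field(default_factory=list)


def basename(path: str) -> str:
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def target_of(cmd: str) -> str:
    """The file a command line actually loads: the DLL argument for rundll32,
    the quoted path if quoted, else the shortest prefix ending in an executable
    extension (DDS leaves unquoted paths containing spaces as they are)."""
    m = RUNDLL_RE.match(cmd)
    if m:
        return m.group("dll").strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = EXE_RE.match(cmd)
    return m.group("path") if m else cmd.split()[0]


def recently_created(section: str) -> dict[str, str]:
    """basename -> attribute string for each file (not directory) listed."""
    out: dict[str, str] = {}
    for line in section.splitlines():
        m = CREATED_RE.match(line.strip())
        if m and not m.group("attrs").startswith("d"):
            out[basename(m.group("path"))] = m.group("attrs")
    return out


def check_target(target: str, created: dict[str, str]) -> list[str]:
    reasons = []
    if "\\" not in target and "/" not in target:
        reasons.append("loaded by bare name, resolved through the DLL/exe search path")
    if TEMP_RE.search(target):
        reasons.append("runs from a Temp directory")
    if APPDATA_ROOT_RE.search(target):
        reasons.append("executable dropped directly in the Application Data root")
    attrs = created.get(basename(target))
    if attrs is not None:
        reasons.append(f"target created within the last 30 days (attrs {attrs})")
        if "h" in attrs or "s" in attrs:
            reasons.append("target carries hidden/system attributes")
    return reasons


def triage(hjt_section: str, created_section: str) -> list[Finding]:
    """One Finding per autostart/proxy line that trips at least one check."""
    created = recently_created(created_section)
    findings: list[Finding] = []
    for raw in hjt_section.splitlines():
        line = raw.strip()
        reasons: list[str] = []
        if m := ENTRY_RE.match(line):
            reasons += check_target(target_of(m.group("cmd")), created)
            if m.group("key") == "ExplorerRun":
                reasons.append("uses the Explorer\\Run policy key, rarely used by legitimate software")
        elif m := WINLOGON_RE.match(line):
            if m.group("value").lower() == "taskman":
                reasons.append("Winlogon Taskman set: replaces Task Manager, normally absent")
            reasons += check_target(target_of(m.group("cmd")), created)
        elif m := PROXY_RE.match(line):
            if m.group("name").lower() == "proxyserver" and m.group("value").strip():
                reasons.append("proxy server configured in Internet Settings; verify it is intended")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings
```

Running `triage(SAMPLE_HJT, SAMPLE_CREATED)` flags six lines and leaves the ctfmon, NvCpl and ProxyOverride entries alone; the Taskman entry collects four reasons because ogix.exe also appears in the created list with system and hidden attributes.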

I see in the DDS log that there is an old Java version with security holes on the computer; uninstall it in Control Panel, Add or Remove Programs, and then download the updated version from http://www.java.com/sv/


Great, thanks!

 

 

c:\documents and settings\anvädaren\application data\ogix.exe

 

http://www.virustotal.com/sv/reanalisis.html?6692f3f7b293f2a53ab9337e90e1a7ab7e49bffb1fb2f691b0d19cf8175dfba7-1279622204

 

 

 

c:\windows\system32\dfttuyo.exe (but there was no .exe, only a .txt)

 

http://www.virustotal.com/sv/analisis/e3d4c6df4e79feea63cba7b4cadf12a7eac9c03e671cbada19258caf5bee7083-1279622512

 

 

 

c:\windows\system32\drivers\yvtikpdt.sys

 

http://www.virustotal.com/vt/sv/recepcion?9f992bce5c55e6b7be2eb1bb51fa6e2f

 

This last one came out strange; it just said "0 bytes size received / Se ha recibido un archivo vacio"

 

 

 

c:\windows\system32\mswyxtnd.dll wasn't found at all.

 

 

So now ComboFix is done and I'm attaching the file.

log.txt


Pasting the log in so that it's easy to go through and to come back to.

 

ComboFix 10-07-19.02 - Anvädaren 2010-07-20 13:25:51.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.2047.1439 [GMT 2:00]

Körs från: c:\documents and settings\Anvädaren\Mina dokument\Hämtade filer\ComboFix.exe

.

 

((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\All Users\Start-meny\HP Image Zone .lnk

c:\windows\system32\comsats.sys

c:\windows\system32\dfttuyo.txt

c:\windows\system32\drivers\gajnzinf.sys

c:\windows\system32\drivers\yhhjmjti.sys

c:\windows\system32\Install.txt

c:\windows\system32\service.sys

 

.

((((((((((((((((((((((((((((((((((((((( Drivrutiner/Tjänster )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_gajnzinf

-------\Service_gajnzinf

 

 

(((((((((((((((((((((((( Filer Skapade från 2010-06-20 till 2010-07-20 ))))))))))))))))))))))))))))))

.

 

2010-07-19 20:22 . 2010-07-19 20:06 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-07-19 20:04 . 2010-07-19 20:04 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}

2010-07-19 20:04 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe

2010-07-19 19:41 . 2010-07-19 19:47 -------- d-----w- c:\windows\SxsCaPendDel

2010-07-19 19:16 . 2010-07-19 19:16 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-07-19 19:04 . 2010-07-20 11:40 765952 ----a-w- c:\windows\system32\drivers\yvtikpdt.sys

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-20 11:38 . 2009-12-09 19:31 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet

2010-07-20 08:30 . 2009-12-31 16:55 -------- d-----w- c:\program\Malwarebytes' Anti-Malware

2010-07-20 04:41 . 2009-10-28 17:21 -------- d-----w- c:\program\Norman

2010-07-19 20:04 . 2009-10-31 07:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-07-19 19:06 . 2009-10-30 09:38 -------- d-----w- c:\program\BitComet

2010-07-04 07:22 . 2009-11-18 12:17 71776 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT

2010-06-23 20:49 . 2008-04-15 12:00 92094 ----a-w- c:\windows\system32\perfc01D.dat

2010-06-23 20:49 . 2008-04-15 12:00 463742 ----a-w- c:\windows\system32\perfh01D.dat

2010-06-23 18:52 . 2009-12-02 19:07 -------- d-----w- c:\program\Tablet

2010-06-16 19:25 . 2010-06-16 19:25 -------- d-----w- c:\program\iTunes

2010-06-16 19:25 . 2010-06-16 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-06-16 19:25 . 2010-06-16 19:25 -------- d-----w- c:\program\iPod

2010-06-16 19:25 . 2009-10-31 08:10 -------- d-----w- c:\program\Delade filer\Apple

2010-06-16 19:23 . 2009-10-31 12:17 -------- d-----w- c:\program\QuickTime

2010-06-16 19:21 . 2010-06-16 19:21 -------- d-----w- c:\program\Bonjour

2010-06-16 19:16 . 2009-10-28 18:30 -------- d-----w- c:\program\VideoLAN

2010-06-16 19:16 . 2010-06-16 19:16 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

2010-06-14 14:31 . 2009-10-22 12:23 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-05 06:26 . 2009-10-26 08:20 -------- d-----w- c:\program\Microsoft Silverlight

2010-05-28 21:38 . 2009-10-23 14:02 -------- d--h--w- c:\program\InstallShield Installation Information

2010-05-28 21:38 . 2010-05-28 21:38 -------- d-----w- c:\program\Pixologic

2010-05-23 06:12 . 2009-11-10 06:59 8 ----a-w- c:\windows\system32\nvModes.dat

2010-05-06 10:36 . 2008-04-15 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 08:10 . 2008-04-15 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 13:39 . 2009-12-31 16:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 13:39 . 2009-12-31 16:55 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.

 

(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Not* Tomma poster & legitima standardposter visas inte.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DAEMON Tools Lite"="c:\program\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-31 468408]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 16132608]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-06 8523776]

"nwiz"="nwiz.exe" [2007-11-06 1626112]

"VolPanel"="c:\program\Creative\Volume Panel\VolPanlu.exe" [2008-08-06 233576]

"CTxfiHlp"="CTXFIHLP.EXE" [2009-06-03 25600]

"SunJavaUpdateSched"="c:\program\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"AdobeCS4ServiceManager"="c:\program\Delade filer\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

"HP Software Update"="c:\program\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]

"VoddlerNet Manager"="c:\program\Voddler\service\VNetManager.exe" [2010-03-15 580296]

"Adobe Reader Speed Launcher"="c:\program\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\program\Delade filer\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"QuickTime Task"="c:\program\QuickTime\qttask.exe" [2010-03-17 421888]

"iTunesHelper"="c:\program\iTunes\iTunesHelper.exe" [2010-04-28 142120]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]

 

c:\documents and settings\All Users\Start-meny\Program\Autostart\

Adobe Gamma Loader.lnk - c:\program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe [2009-10-30 110592]

HP Digital Imaging Monitor.lnk - c:\program\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]

HP Image Zone Snabbstarta.lnk - c:\program\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]

Windows Search.lnk - c:\program\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ \0lsdelete

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program\\Delade filer\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program\\BitComet\\BitComet.exe"=

"c:\\Program\\Spotify\\spotify.exe"=

"c:\\Program\\Warcraft II BNE\\Warcraft II BNE.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program\\Malwarebytes' Anti-Malware\\mbam.exe"=

"c:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program\\DC++\\DCPlusPlus.exe"=

"c:\\Program\\Tablet\\Wacom\\PrefUtil.exe"=

"c:\\Program\\Voddler\\service\\voddler.exe"=

"c:\\Program\\Bonjour\\mDNSResponder.exe"=

"c:\\Program\\iTunes\\iTunes.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

"7303:TCP"= 7303:TCP:BitComet 7303 TCP

"7303:UDP"= 7303:UDP:BitComet 7303 UDP

 

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-03-25 64288]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program\Lavasoft\Ad-Aware\AAWService.exe [2009-09-24 1181328]

R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-12-02 5010288]

R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2009-10-23 39424]

R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2009-06-04 171032]

R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2009-06-04 1324056]

R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2009-06-04 72728]

S2 bjbrqlbu;E-mu Plug-in Architecture Monitor;c:\windows\System32\svchost.exe -k netsvcs [2008-04-15 14336]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program\Delade filer\Creative Labs Shared\Service\CTAELicensing.exe [2009-10-23 79360]

S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2009-06-04 171032]

S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2009-06-04 1324056]

S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2009-06-04 72728]

S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-11-18 16168]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2009-12-02 691696]

 

--- Övriga tjänster/drivrutiner i minnet ---

 

*Deregistered* - yvtikpdt

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

bjbrqlbu

.

Innehållet i mappen 'Schemalagda aktiviteter':

 

2010-07-20 c:\windows\Tasks\Ad-Aware Update (Daily 1).job

- c:\program\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:06]

 

2010-07-20 c:\windows\Tasks\Ad-Aware Update (Daily 2).job

- c:\program\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:06]

 

2010-07-20 c:\windows\Tasks\Ad-Aware Update (Daily 3).job

- c:\program\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:06]

 

2010-07-20 c:\windows\Tasks\Ad-Aware Update (Daily 4).job

- c:\program\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:06]

 

2010-07-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:06]

 

2010-07-09 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]

 

2010-07-20 c:\windows\Tasks\HPpromotions journeysoftware.job

- c:\program\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe [2005-04-22 16:36]

 

2010-07-20 c:\windows\Tasks\User_Feed_Synchronization-{8549F50F-53DC-4CE4-A61C-F9C05D34D743}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]

.

.

------- Extra genomsökning -------

.

uStart Page = hxxp://www.google.se/

mWindow Title = Erhållen av Wermlandsdata

uInternet Settings,ProxyOverride = <local>

IE: &D&ownload &with BitComet - c:\program\BitComet\BitComet.exe/AddLink.htm

IE: &D&ownload all video with BitComet - c:\program\BitComet\BitComet.exe/AddVideo.htm

IE: &D&ownload all with BitComet - c:\program\BitComet\BitComet.exe/AddAllLink.htm

DPF: {6CCE3920-3183-4B3D-808A-B12EB769DE12} - hxxp://www.commandondemand.com/eval/cod/cabs/cssweb.cab

DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab

FF - ProfilePath - c:\documents and settings\Anvädaren\Application Data\Mozilla\Firefox\Profiles\3pc80yok.default\

FF - plugin: c:\program\MpcStar\Codecs\Real\browser\plugins\nppl3260.dll

FF - plugin: c:\program\MpcStar\Codecs\Real\browser\plugins\nprpjplug.dll

FF - plugin: c:\program\TabletPlugins\npwacom.dll

FF - plugin: c:\program\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: c:\program\Voddler\plugin\npvoddler.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

 

---- FIREFOX POLICY ----

c:\program\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - FÖRÄLDRALÖSA POSTER SOM TAGITS BORT - - - -

 

ShellIconOverlayIdentifiers-{E309578C-8EDE-4731-99FA-6810B408B1BC} - c:\program\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

ShellIconOverlayIdentifiers-{1D0B2E83-D473-4E1F-B213-AA7BC759DE20} - c:\program\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

ShellIconOverlayIdentifiers-{B26DA910-F1DE-426A-8282-5B55958E11B6} - c:\program\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

HKLM-Run-sta - paryp.dll

HKLM-Run-dfttuyox - c:\windows\system32\dfttuyox.exe

AddRemove-Native Instruments Battery v2.1 - c:\program\STEINB~1\BATTER~1\UNWISE.EXE

AddRemove-Steinberg Cubase SX v2.2.0.33 - c:\program\STEINB~1\CUBASE~1\UNWISE.EXE

AddRemove-{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47} - c:\program\InstallShield Installation Information\{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}\setup.exe

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-20 13:39

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CTxfiHlp = CTXFIHLP.EXE?

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

 

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys >>UNKNOWN [0x8A8AEA17]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28

\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8

\Driver\atapi -> atapi.sys @ 0xb9e75852

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

NDIS: Atheros L1 Gigabit Ethernet 10/100/1000Base-T Controller -> SendCompleteHandler -> NDIS.sys @ 0xb9d81bb0

PacketIndicateHandler -> NDIS.sys @ 0xb9d8ea21

SendHandler -> NDIS.sys @ 0xb9d6c87b

user & kernel MBR OK

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\yvtikpdt]

 

.

--------------------- LÅSTA REGISTERNYCKLAR ---------------------

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•6~*]

"D140211900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

--------------------- DLLer som "laddats" under processer som körs ---------------------

 

- - - - - - - > 'winlogon.exe'(708)

c:\program\Delade filer\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

 

- - - - - - - > 'explorer.exe'(2276)

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Andra processer som körs ------------------------

.

c:\program\Creative\Shared Files\CTAudSvc.exe

c:\program\Delade filer\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program\Bonjour\mDNSResponder.exe

c:\windows\system32\CTsvcCDA.exe

c:\program\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\program\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program\Voddler\service\voddler.exe

c:\windows\system32\SearchIndexer.exe

c:\windows\system32\wscntfy.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\wbem\unsecapp.exe

c:\windows\SYSTEM32\CTXFISPI.EXE

c:\program\HP\Digital Imaging\bin\hpqSTE08.exe

c:\program\iPod\bin\iPodService.exe

c:\program\HP\Digital Imaging\bin\hpqimzone.exe

c:\program\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

c:\program\Lavasoft\Ad-Aware\AAWTray.exe

.

**************************************************************************

.

Sluttid: 2010-07-20 13:46:14 - datorn startades om.

ComboFix-quarantined-files.txt 2010-07-20 11:46

 

Före genomsökningen: 20 177 502 208 byte ledigt

Efter genomsökningen: 22 001 209 344 byte ledigt

 

WindowsXP-KB310994-SP2-Home-BootDisk-SVE.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

 

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4

- - End Of File - - 6D36FBB0B8BAD379EE08C1CD6EFC559F


Copy all the lines in the box:

Killall::
Driver::
bjbrqlbu

and paste them into Notepad.

Save the file on the Desktop with the name CFScript.

 

Prepare the computer in the same way as before for ComboFix.

Drag CFScript with the mouse and drop it onto the ComboFix icon on the Desktop; the program will then start in a special way.

Paste the log that comes out.


Have done that now.

Here comes the log;

 

 

 

 

 

ComboFix 10-07-19.02 - Anvädaren 2010-07-20 15:53:43.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.2047.1350 [GMT 2:00]

Körs från: c:\documents and settings\Anvädaren\Mina dokument\Hämtade filer\ComboFix.exe

Använda kommandoväxlar :: c:\documents and settings\Anvädaren\Skrivbord\CFScript.txt

.

 

((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))

.

 

.

((((((((((((((((((((((((((((((((((((((( Drivrutiner/Tjänster )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_BJBRQLBU

-------\Service_bjbrqlbu

 

 

(((((((((((((((((((((((( Filer Skapade från 2010-06-20 till 2010-07-20 ))))))))))))))))))))))))))))))

.

 

2010-07-19 20:22 . 2010-07-19 20:06 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-07-19 20:04 . 2010-07-19 20:04 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}

2010-07-19 20:04 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe

2010-07-19 19:41 . 2010-07-19 19:47 -------- d-----w- c:\windows\SxsCaPendDel

2010-07-19 19:16 . 2010-07-19 19:16 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-07-19 19:04 . 2010-07-20 14:05 765952 ----a-w- c:\windows\system32\drivers\yvtikpdt.sys

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-20 14:03 . 2009-12-09 19:31 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet

2010-07-20 08:30 . 2009-12-31 16:55 -------- d-----w- c:\program\Malwarebytes' Anti-Malware

2010-07-20 04:41 . 2009-10-28 17:21 -------- d-----w- c:\program\Norman

2010-07-19 20:04 . 2009-10-31 07:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-07-19 19:06 . 2009-10-30 09:38 -------- d-----w- c:\program\BitComet

2010-07-04 07:22 . 2009-11-18 12:17 71776 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT

2010-06-23 20:49 . 2008-04-15 12:00 92094 ----a-w- c:\windows\system32\perfc01D.dat

2010-06-23 20:49 . 2008-04-15 12:00 463742 ----a-w- c:\windows\system32\perfh01D.dat

2010-06-23 18:52 . 2009-12-02 19:07 -------- d-----w- c:\program\Tablet

2010-06-16 19:25 . 2010-06-16 19:25 -------- d-----w- c:\program\iTunes

2010-06-16 19:25 . 2010-06-16 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-06-16 19:25 . 2010-06-16 19:25 -------- d-----w- c:\program\iPod

2010-06-16 19:25 . 2009-10-31 08:10 -------- d-----w- c:\program\Delade filer\Apple

2010-06-16 19:23 . 2009-10-31 12:17 -------- d-----w- c:\program\QuickTime

2010-06-16 19:21 . 2010-06-16 19:21 -------- d-----w- c:\program\Bonjour

2010-06-16 19:16 . 2009-10-28 18:30 -------- d-----w- c:\program\VideoLAN

2010-06-16 19:16 . 2010-06-16 19:16 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

2010-06-14 14:31 . 2009-10-22 12:23 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-05 06:26 . 2009-10-26 08:20 -------- d-----w- c:\program\Microsoft Silverlight

2010-05-28 21:38 . 2009-10-23 14:02 -------- d--h--w- c:\program\InstallShield Installation Information

2010-05-28 21:38 . 2010-05-28 21:38 -------- d-----w- c:\program\Pixologic

2010-05-23 06:12 . 2009-11-10 06:59 8 ----a-w- c:\windows\system32\nvModes.dat

2010-05-06 10:36 . 2008-04-15 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 08:10 . 2008-04-15 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 13:39 . 2009-12-31 16:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 13:39 . 2009-12-31 16:55 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.

 

((((((((((((((((((((((((((((( SnapShot@2010-07-20_11.40.15 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-07-20 14:03 . 2010-07-20 14:03 16384 c:\windows\temp\Perflib_Perfdata_754.dat

.

(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Not* Tomma poster & legitima standardposter visas inte.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DAEMON Tools Lite"="c:\program\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-31 468408]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 16132608]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-06 8523776]

"nwiz"="nwiz.exe" [2007-11-06 1626112]

"VolPanel"="c:\program\Creative\Volume Panel\VolPanlu.exe" [2008-08-06 233576]

"CTxfiHlp"="CTXFIHLP.EXE" [2009-06-03 25600]

"SunJavaUpdateSched"="c:\program\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"AdobeCS4ServiceManager"="c:\program\Delade filer\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

"HP Software Update"="c:\program\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]

"VoddlerNet Manager"="c:\program\Voddler\service\VNetManager.exe" [2010-03-15 580296]

"Adobe Reader Speed Launcher"="c:\program\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\program\Delade filer\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"QuickTime Task"="c:\program\QuickTime\qttask.exe" [2010-03-17 421888]

"iTunesHelper"="c:\program\iTunes\iTunesHelper.exe" [2010-04-28 142120]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]

 

c:\documents and settings\All Users\Start-meny\Program\Autostart\

Adobe Gamma Loader.lnk - c:\program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe [2009-10-30 110592]

HP Digital Imaging Monitor.lnk - c:\program\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]

HP Image Zone Snabbstarta.lnk - c:\program\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]

Windows Search.lnk - c:\program\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ \0lsdelete

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program\\Delade filer\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program\\BitComet\\BitComet.exe"=

"c:\\Program\\Spotify\\spotify.exe"=

"c:\\Program\\Warcraft II BNE\\Warcraft II BNE.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program\\Malwarebytes' Anti-Malware\\mbam.exe"=

"c:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program\\DC++\\DCPlusPlus.exe"=

"c:\\Program\\Tablet\\Wacom\\PrefUtil.exe"=

"c:\\Program\\Voddler\\service\\voddler.exe"=

"c:\\Program\\Bonjour\\mDNSResponder.exe"=

"c:\\Program\\iTunes\\iTunes.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

"7303:TCP"= 7303:TCP:BitComet 7303 TCP

"7303:UDP"= 7303:UDP:BitComet 7303 UDP

 

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-03-25 64288]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program\Lavasoft\Ad-Aware\AAWService.exe [2009-09-24 1181328]

R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-12-02 5010288]

R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2009-10-23 39424]

R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2009-06-04 171032]

R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2009-06-04 1324056]

R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2009-06-04 72728]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program\Delade filer\Creative Labs Shared\Service\CTAELicensing.exe [2009-10-23 79360]

S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2009-06-04 171032]

S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2009-06-04 1324056]

S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2009-06-04 72728]

S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-11-18 16168]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2009-12-02 691696]

 

--- Övriga tjänster/drivrutiner i minnet ---

 

*Deregistered* - yvtikpdt

.

Innehållet i mappen 'Schemalagda aktiviteter':

 

2010-07-20 c:\windows\Tasks\Ad-Aware Update (Daily 1).job

- c:\program\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:06]

 

2010-07-20 c:\windows\Tasks\Ad-Aware Update (Daily 2).job

- c:\program\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:06]

 

2010-07-20 c:\windows\Tasks\Ad-Aware Update (Daily 3).job

- c:\program\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:06]

 

2010-07-20 c:\windows\Tasks\Ad-Aware Update (Daily 4).job

- c:\program\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:06]

 

2010-07-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:06]

 

2010-07-09 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]

 

2010-07-20 c:\windows\Tasks\HPpromotions journeysoftware.job

- c:\program\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe [2005-04-22 16:36]

 

2010-07-20 c:\windows\Tasks\User_Feed_Synchronization-{8549F50F-53DC-4CE4-A61C-F9C05D34D743}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]

.

.

------- Extra genomsökning -------

.

uStart Page = hxxp://www.google.se/

mWindow Title = Erhållen av Wermlandsdata

uInternet Settings,ProxyOverride = <local>

IE: &D&ownload &with BitComet - c:\program\BitComet\BitComet.exe/AddLink.htm

IE: &D&ownload all video with BitComet - c:\program\BitComet\BitComet.exe/AddVideo.htm

IE: &D&ownload all with BitComet - c:\program\BitComet\BitComet.exe/AddAllLink.htm

DPF: {6CCE3920-3183-4B3D-808A-B12EB769DE12} - hxxp://www.commandondemand.com/eval/cod/cabs/cssweb.cab

DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab

FF - ProfilePath - c:\documents and settings\Anvädaren\Application Data\Mozilla\Firefox\Profiles\3pc80yok.default\

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

 

---- FIREFOX POLICY ----

c:\program\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-20 16:04

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CTxfiHlp = CTXFIHLP.EXE?

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

 

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys >>UNKNOWN [0x8A8B0A17]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28

\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8

\Driver\atapi -> atapi.sys @ 0xb9e75852

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

NDIS: Atheros L1 Gigabit Ethernet 10/100/1000Base-T Controller -> SendCompleteHandler -> NDIS.sys @ 0xb9d81bb0

PacketIndicateHandler -> NDIS.sys @ 0xb9d70a0d

SendHandler -> NDIS.sys @ 0xb9d84b40

user & kernel MBR OK

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\yvtikpdt]

 

.

--------------------- LÅSTA REGISTERNYCKLAR ---------------------

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•6~*]

"D140211900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

--------------------- DLLer som "laddats" under processer som körs ---------------------

 

- - - - - - - > 'winlogon.exe'(536)

c:\program\Delade filer\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

 

- - - - - - - > 'explorer.exe'(3480)

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Andra processer som körs ------------------------

.

c:\program\Creative\Shared Files\CTAudSvc.exe

c:\program\Delade filer\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program\Bonjour\mDNSResponder.exe

c:\windows\system32\CTsvcCDA.exe

c:\program\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\HPZipm12.exe

c:\program\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program\Voddler\service\voddler.exe

c:\windows\system32\SearchIndexer.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\wbem\unsecapp.exe

c:\windows\RTHDCPL.EXE

c:\windows\SYSTEM32\CTXFISPI.EXE

c:\program\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

c:\program\HP\Digital Imaging\bin\hpqimzone.exe

c:\windows\system32\msiexec.exe

c:\program\iPod\bin\iPodService.exe

c:\program\Lavasoft\Ad-Aware\AAWTray.exe

.

**************************************************************************

.

Sluttid: 2010-07-20 16:10:19 - datorn startades om.

ComboFix-quarantined-files.txt 2010-07-20 14:10

ComboFix2.txt 2010-07-20 11:46

 

Före genomsökningen: 22 031 187 968 byte ledigt

Efter genomsökningen: 22 016 925 696 byte ledigt

 

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4

- - End Of File - - 41B7C0634B46FFFEA37A2D796DEE9FC1


Restart the computer.

Update MBAM and run a quick scan.

Restart the computer.

Run ComboFix again and paste the new log.


MBAM finds no more virus junk! :)

 

But ComboFix always finds some rootkit that makes the computer restart, and it looks like it removes it, but the same thing has happened every time we have run the program.

 

Here is the latest log;

 

 

 

ComboFix 10-07-19.02 - Anvädaren 2010-07-20 17:25:13.3.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.2047.1343 [GMT 2:00]

Körs från: c:\documents and settings\Anvädaren\Mina dokument\Hämtade filer\ComboFix.exe

.

 

(((((((((((((((((((((((( Filer Skapade från 2010-06-20 till 2010-07-20 ))))))))))))))))))))))))))))))

.

 

2010-07-19 20:22 . 2010-07-19 20:06 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-07-19 20:04 . 2010-07-19 20:04 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}

2010-07-19 20:04 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe

2010-07-19 19:41 . 2010-07-19 19:47 -------- d-----w- c:\windows\SxsCaPendDel

2010-07-19 19:16 . 2010-07-19 19:16 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-07-19 19:04 . 2010-07-20 15:34 765952 ----a-w- c:\windows\system32\drivers\yvtikpdt.sys

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-20 15:22 . 2009-12-09 19:31 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet

2010-07-20 08:30 . 2009-12-31 16:55 -------- d-----w- c:\program\Malwarebytes' Anti-Malware

2010-07-20 04:41 . 2009-10-28 17:21 -------- d-----w- c:\program\Norman

2010-07-19 20:04 . 2009-10-31 07:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-07-19 19:06 . 2009-10-30 09:38 -------- d-----w- c:\program\BitComet

2010-07-04 07:22 . 2009-11-18 12:17 71776 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT

2010-06-23 20:49 . 2008-04-15 12:00 92094 ----a-w- c:\windows\system32\perfc01D.dat

2010-06-23 20:49 . 2008-04-15 12:00 463742 ----a-w- c:\windows\system32\perfh01D.dat

2010-06-23 18:52 . 2009-12-02 19:07 -------- d-----w- c:\program\Tablet

2010-06-16 19:25 . 2010-06-16 19:25 -------- d-----w- c:\program\iTunes

2010-06-16 19:25 . 2010-06-16 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-06-16 19:25 . 2010-06-16 19:25 -------- d-----w- c:\program\iPod

2010-06-16 19:25 . 2009-10-31 08:10 -------- d-----w- c:\program\Delade filer\Apple

2010-06-16 19:23 . 2009-10-31 12:17 -------- d-----w- c:\program\QuickTime

2010-06-16 19:21 . 2010-06-16 19:21 -------- d-----w- c:\program\Bonjour

2010-06-16 19:16 . 2009-10-28 18:30 -------- d-----w- c:\program\VideoLAN

2010-06-16 19:16 . 2010-06-16 19:16 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

2010-06-14 14:31 . 2009-10-22 12:23 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-05 06:26 . 2009-10-26 08:20 -------- d-----w- c:\program\Microsoft Silverlight

2010-05-28 21:38 . 2009-10-23 14:02 -------- d--h--w- c:\program\InstallShield Installation Information

2010-05-28 21:38 . 2010-05-28 21:38 -------- d-----w- c:\program\Pixologic

2010-05-23 06:12 . 2009-11-10 06:59 8 ----a-w- c:\windows\system32\nvModes.dat

2010-05-06 10:36 . 2008-04-15 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 08:10 . 2008-04-15 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 13:39 . 2009-12-31 16:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 13:39 . 2009-12-31 16:55 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.

 

((((((((((((((((((((((((((((( SnapShot@2010-07-20_11.40.15 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-07-20 15:22 . 2010-07-20 15:22 16384 c:\windows\temp\Perflib_Perfdata_72c.dat

.

(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Not* Tomma poster & legitima standardposter visas inte.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DAEMON Tools Lite"="c:\program\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-31 468408]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 16132608]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-06 8523776]

"nwiz"="nwiz.exe" [2007-11-06 1626112]

"VolPanel"="c:\program\Creative\Volume Panel\VolPanlu.exe" [2008-08-06 233576]

"CTxfiHlp"="CTXFIHLP.EXE" [2009-06-03 25600]

"SunJavaUpdateSched"="c:\program\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"AdobeCS4ServiceManager"="c:\program\Delade filer\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

"HP Software Update"="c:\program\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]

"VoddlerNet Manager"="c:\program\Voddler\service\VNetManager.exe" [2010-03-15 580296]

"Adobe Reader Speed Launcher"="c:\program\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\program\Delade filer\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"QuickTime Task"="c:\program\QuickTime\qttask.exe" [2010-03-17 421888]

"iTunesHelper"="c:\program\iTunes\iTunesHelper.exe" [2010-04-28 142120]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]

 

c:\documents and settings\All Users\Start-meny\Program\Autostart\

Adobe Gamma Loader.lnk - c:\program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe [2009-10-30 110592]

HP Digital Imaging Monitor.lnk - c:\program\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]

HP Image Zone Snabbstarta.lnk - c:\program\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]

Windows Search.lnk - c:\program\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ \0lsdelete

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program\\Delade filer\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program\\BitComet\\BitComet.exe"=

"c:\\Program\\Spotify\\spotify.exe"=

"c:\\Program\\Warcraft II BNE\\Warcraft II BNE.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program\\Malwarebytes' Anti-Malware\\mbam.exe"=

"c:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program\\DC++\\DCPlusPlus.exe"=

"c:\\Program\\Tablet\\Wacom\\PrefUtil.exe"=

"c:\\Program\\Voddler\\service\\voddler.exe"=

"c:\\Program\\Bonjour\\mDNSResponder.exe"=

"c:\\Program\\iTunes\\iTunes.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

"7303:TCP"= 7303:TCP:BitComet 7303 TCP

"7303:UDP"= 7303:UDP:BitComet 7303 UDP

 

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-03-25 64288]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program\Lavasoft\Ad-Aware\AAWService.exe [2009-09-24 1181328]

R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-12-02 5010288]

R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2009-10-23 39424]

R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2009-06-04 171032]

R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2009-06-04 1324056]

R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2009-06-04 72728]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program\Delade filer\Creative Labs Shared\Service\CTAELicensing.exe [2009-10-23 79360]

S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2009-06-04 171032]

S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2009-06-04 1324056]

S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2009-06-04 72728]

S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-11-18 16168]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2009-12-02 691696]

 

--- Övriga tjänster/drivrutiner i minnet ---

 

*Deregistered* - yvtikpdt

.

Innehållet i mappen 'Schemalagda aktiviteter':

 

2010-07-20 c:\windows\Tasks\Ad-Aware Update (Daily 1).job

- c:\program\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:06]

 

2010-07-20 c:\windows\Tasks\Ad-Aware Update (Daily 2).job

- c:\program\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:06]

 

2010-07-20 c:\windows\Tasks\Ad-Aware Update (Daily 3).job

- c:\program\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:06]

 

2010-07-20 c:\windows\Tasks\Ad-Aware Update (Daily 4).job

- c:\program\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:06]

 

2010-07-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:06]

 

2010-07-09 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]

 

2010-07-20 c:\windows\Tasks\HPpromotions journeysoftware.job

- c:\program\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe [2005-04-22 16:36]

 

2010-07-20 c:\windows\Tasks\User_Feed_Synchronization-{8549F50F-53DC-4CE4-A61C-F9C05D34D743}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]

.

.

------- Extra genomsökning -------

.

uStart Page = hxxp://www.google.se/

mWindow Title = Erhållen av Wermlandsdata

uInternet Settings,ProxyOverride = <local>

IE: &D&ownload &with BitComet - c:\program\BitComet\BitComet.exe/AddLink.htm

IE: &D&ownload all video with BitComet - c:\program\BitComet\BitComet.exe/AddVideo.htm

IE: &D&ownload all with BitComet - c:\program\BitComet\BitComet.exe/AddAllLink.htm

DPF: {6CCE3920-3183-4B3D-808A-B12EB769DE12} - hxxp://www.commandondemand.com/eval/cod/cabs/cssweb.cab

DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab

FF - ProfilePath - c:\documents and settings\Anvädaren\Application Data\Mozilla\Firefox\Profiles\3pc80yok.default\

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

 

---- FIREFOX POLICY ----

c:\program\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-20 17:34

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CTxfiHlp = CTXFIHLP.EXE?

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

 

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys >>UNKNOWN [0x8A8F6A17]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28

\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8

\Driver\atapi -> atapi.sys @ 0xb9e75852

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

NDIS: Atheros L1 Gigabit Ethernet 10/100/1000Base-T Controller -> SendCompleteHandler -> NDIS.sys @ 0xb9d81bb0

PacketIndicateHandler -> NDIS.sys @ 0xb9d70a0d

SendHandler -> NDIS.sys @ 0xb9d84b40

user & kernel MBR OK

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\yvtikpdt]

 

.

--------------------- LÅSTA REGISTERNYCKLAR ---------------------

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•6~*]

"D140211900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

--------------------- DLLer som "laddats" under processer som körs ---------------------

 

- - - - - - - > 'winlogon.exe'(528)

c:\program\Delade filer\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

.

Sluttid: 2010-07-20 17:36:36

ComboFix-quarantined-files.txt 2010-07-20 15:36

ComboFix2.txt 2010-07-20 14:10

ComboFix3.txt 2010-07-20 11:46

 

Före genomsökningen: 22 027 653 120 byte ledigt

Efter genomsökningen: 22 012 780 544 byte ledigt

 

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4

- - End Of File - - 58FFEDB70AD61C7398CC0D830622F58E


Yes, I see it.

 

1.

Save DeFogger by jpshortstuff http://www.jpshortstuff.247fixes.com/Defogger.exe to the Desktop.

 

Start DeFogger.

When the program window appears, press the Disable button to disable the drivers that belong to your installed CD emulation software.

Press Yes to continue.

When the program is done, a message 'Finished!' appears.

Press OK.

The program asks to restart the computer; press OK.

 

IMPORTANT! If you get an error message while DeFogger is running, paste the defogger_disable log that is then created on the Desktop.

 

Do not re-enable these drivers until the cleanup is completely finished.

 

2.

Save this file to the Desktop:

http://rootrepeal.googlepages.com/RootRepeal.zip

Unzip (extract) the zip file so that you get a program file.

 

Unplug the internet connection. Close all programs you see, including firewall, antivirus and antispyware programs.

How? See http://www.bleepingcomputer.com/forums/topic114351.html

 

Start RootRepeal (in Vista and Windows 7 as usual by right-clicking the icon and choosing Run as administrator).

Select the Report tab and press Scan.

Check all seven options and then press Yes.

Select C: and press Ok.

It takes a while for RootRepeal to scan C:.

When the scan is done, press Save Report and save it with the name rootrepeal.log. Paste the contents of rootrepeal.log in your reply.

 

3.

Save Gmer to the Desktop from:

http://www2.gmer.net/download.php

It has a random name, so note what the program is saved as.

 

Unplug the internet connection.

Close all programs, including antivirus and firewall.

Start the downloaded program.

An initial quick scan starts.

If a WARNING appears that mentions ROOTKIT and asks about a "fully scan", choose No. Save the log and paste it in your reply. Do nothing more.

 

If that question does not appear, choose the Rootkit/Malware tab and check that everything on the right is ticked except Show All and partitions other than C:\. Press Scan. Leave the computer alone while Gmer is running; it can take a few hours.

Press Save and save the result on the Desktop.

Turn on the antivirus program and firewall before you connect to the internet.

Paste the result in your reply.


Have done that now; DeFogger did however say that c:\windows\system32\drivers\yvtikpdt.sys "was unable to read", plain and simple.

 

 

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 19:13 on 20/07/2010 (Anvädaren)

 

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

 

Checking for services/drivers...

Unable to read yvtikpdt.sys

SPTD -> Already disabled

 

 

-=E.O.F=-

 

 

 

 

 

 

 

RootRepeal log:

 

 

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2010/07/20 19:34

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

 

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xB212F000 Size: 98304 File Visible: No Signed: -

Status: -

 

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xBA5DA000 Size: 8192 File Visible: No Signed: -

Status: -

 

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xAF05D000 Size: 49152 File Visible: No Signed: -

Status: -

 

Hidden/Locked Files

-------------------

Path: C:\WINDOWS\system32\drivers\yvtikpdt.sys

Status: Locked to the Windows API!

 

SSDT

-------------------

#: 041 Function Name: NtCreateKey

Status: Hooked by "Lbd.sys" at address 0xba0f887e

 

#: 247 Function Name: NtSetValueKey

Status: Hooked by "Lbd.sys" at address 0xba0f8bfe

 

Stealth Objects

-------------------

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]

Process: System Address: 0x8aa87258 Size: 3444

 

Hidden Services

-------------------

Service Name: yvtikpdt

Image Path: C:\WINDOWS\system32\drivers\yvtikpdt.sys

 

==EOF==

 

 

 

 

Ran the last program and the computer slowed down a lot, probably hung.

So we had to restart the computer the wrong way by just pressing the button.

And now the computer does not seem to start at all; there is just a black lit screen where the Windows logo should actually appear.

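The RootRepeal report in the post above can be triaged mechanically. The following is an added example (my code, not RootRepeal's and not from the thread): it parses the Hidden/Locked Files, SSDT and Hidden Services sections and rates a hidden service whose driver file is also locked away from the Windows API as high severity, while SSDT hooks by Lbd.sys are treated as expected, on the assumption that Lbd.sys is the Lavasoft Ad-Aware driver listed in the ComboFix log. The embedded report is a constructed excerpt in the same format as the log above.

```python
import re

# Constructed excerpt in RootRepeal's report format, mirroring the findings
# in the post above (not the complete log).
SAMPLE_REPORT = """\
Hidden/Locked Files
-------------------
Path: C:\\WINDOWS\\system32\\drivers\\yvtikpdt.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xba0f887e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xba0f8bfe

Hidden Services
-------------------
Service Name: yvtikpdt
Image Path: C:\\WINDOWS\\system32\\drivers\\yvtikpdt.sys

==EOF==
"""

# Assumption: Lbd.sys is the Lavasoft Ad-Aware driver (R0 Lbd in the ComboFix
# log), so its SSDT hooks are expected on this machine and are not reported.
KNOWN_HOOKERS = {"lbd.sys"}

SSDT_HOOK_RE = re.compile(r'Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
SSDT_FUNC_RE = re.compile(r"Function Name:\s*(\S+)")


def parse_sections(text):
    """Split the report into {section title: [non-empty lines]}.

    RootRepeal marks a section title by underlining it with dashes, so a line
    is a title exactly when the next line starts with '---'.
    """
    sections, current = {}, None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if nxt.startswith("---"):
            current = line.strip()
            sections[current] = []
        elif line.startswith("---") or line.startswith("==") or not line.strip():
            continue
        elif current is not None:
            sections[current].append(line.strip())
    return sections


def records(lines, start_key):
    """Group consecutive 'Key: Value' lines into dicts; start_key opens a record."""
    out, cur = [], None
    for line in lines:
        key, _, value = line.partition(":")
        key = key.strip()
        if key == start_key:
            cur = {}
            out.append(cur)
        if cur is not None:
            cur[key] = value.strip()
    return out


def triage(text):
    """Return a list of (severity, description) findings for a RootRepeal report."""
    sec = parse_sections(text)
    findings = []
    # Driver files the scanner could see on disk but Windows refuses to open.
    locked = {r["Path"].lower()
              for r in records(sec.get("Hidden/Locked Files", []), "Path")
              if "Locked" in r.get("Status", "")}
    # A service hidden from the service manager is suspicious on its own;
    # one whose binary is also locked matches the rootkit pattern in the log.
    for svc in records(sec.get("Hidden Services", []), "Service Name"):
        path = svc.get("Image Path", "")
        severity = "high" if path.lower() in locked else "medium"
        findings.append((severity, f"hidden service {svc['Service Name']} -> {path}"))
    # SSDT hooks: report only those installed by drivers we do not recognise.
    func = None
    for line in sec.get("SSDT", []):
        fm = SSDT_FUNC_RE.search(line)
        if fm:
            func = fm.group(1)
            continue
        hm = SSDT_HOOK_RE.search(line)
        if hm and hm.group(1).lower() not in KNOWN_HOOKERS:
            findings.append(("medium", f"{func} hooked by {hm.group(1)} at {hm.group(2)}"))
    return findings


if __name__ == "__main__":
    for severity, desc in triage(SAMPLE_REPORT):
        print(f"[{severity}] {desc}")
```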

That's a shame :(

 

Do you get to a menu if you press F8 repeatedly during startup?

Does it help to choose Last Known Good Configuration there?


Yep, I get there; Last Known Good Configuration doesn't work. Neither does Safe Mode. :/

 

multi (0) disk (0) rdisk (0) partion (1) \windows\system32\ntoskrn1.exe

multi (0) disk (0) rdisk (0) partion (1) \windows\system32\hal.dll

multi (0) disk (0) rdisk (0) partion (1) \windows\system32\KDCOM.dll

multi (0) disk (0) rdisk (0) partion (1) \windows\system32\BOOTVID.dll

multi (0) disk (0) rdisk (0) partion (1) \windows\system32\config\system

multi (0) disk (0) rdisk (0) partion (1) \windows\system32\c_1252.nls

multi (0) disk (0) rdisk (0) partion (1) \windows\system32\c_850.nls

multi (0) disk (0) rdisk (0) partion (1) \windows\system32\l_intl.nls

multi (0) disk (0) rdisk (0) partion (1) \windows\FONTS\vga850.fon

multi (0) disk (0) rdisk (0) partion (1) \windows\AppPatch\drvmain.sdb

multi (0) disk (0) rdisk (0) partion (1) \windows\system32\DRIVERS\ACPI.sys

multi (0) disk (0) rdisk (0) partion (1) \windows\system32\DRIVERS\WMILIB.SYS

multi (0) disk (0) rdisk (0) partion (1) \windows\system32\DRIVERS\pci.sys

multi (0) disk (0) rdisk (0) partion (1) \windows\system32\DRIVERS\isapnp.sys

multi (0) disk (0) rdisk (0) partion (1) \windows\system32\DRIVERS\avgarkt.sys

 

 

 

 

That's what it showed when trying Safe Mode.


That is a list of drivers being loaded.

 

During startup you have also gotten a new small menu that among other things says "Microsoft Windows Recovery Console". Select it with the arrow keys followed by Enter. You will then probably get a choice of which Windows installation to use. Press the 1 key followed by Enter.

 

When C:\Windows> appears on the screen, type the following (each line ends with Enter):

 

cd erdnt\hiv-backup

batch erdnt.con

 

That command takes a while to perform the restore.

When it is done, type:

exit

 

Windows should start and it should work. If not, there is one more option.

http://www.bleepingcomputer.com/forums/index.php?showtopic=292567&view=findpost&p=1611975


The Recovery Console won't start.

It loads fully but then just sits still on the same "loading screen".

 

I'll have to try making one of those discs and see what happens.

 

 

Thanks a lot for all the help so far anyway! Worth its weight in gold.


Can it be repaired somehow with a regular Windows XP installation disc?


You can do a repair of Windows with a standard XP disc. It is admittedly not supposed to affect your files, but to be safe you can first rescue your important files with Puppy Linux on a CD or a USB stick. It is described at http://www.alltomwindows.se/forum/index.php/topic/21771-raedda-data-med-puppy-linux/

 

Just ask away :)


Have made a Recovery CD and followed the instructions from that website, but when Windows is about to start loading it still goes black instead. :(


By the way...as I am sure you have now realized. All the data on C:\ is readily accessible in the boot environment despite our inability to boot. So if worse comes to worse we could always reinstall the OS and preserve data. But all hope is not lost yet!!!!!!

 

I need you to boot up the Recovery Console again.

 

* At the command prompt

* Type the green bolded one line at a time and press Enter after entering each line.

 

 

chkdsk /r

fixmbr

 

* Type exit and press Enter.

* Reboot.

 

 

Success?

 

 

 

 

 

Is this something to try without risking one's files disappearing?


Fixmbr, fixboot and chkdsk from a console should not be able to make your own files disappear, but of course I cannot guarantee that Microsoft's programs don't mess something up.


Now the computer is back up and running again; did a chkdsk /r (and it repaired something), but to start the computer each time we have to choose "Last Known Good Configuration" at startup.

If we start normally it is a black screen as usual. :/ Also made a restore point from before it happened, but it is the same thing.


It's a shame that there is such a problem. A DDS log might show whether something that starts automatically is causing the trouble.
