Virus problem, kan ej surfa.

22 juli, 2010

Okay här kommer den;

DDS (Ver_10-03-17.01) - NTFSx86

Run by Anv„daren at 10:08:49,59 on 2010-07-22

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.2047.1153 [GMT 2:00]

AV: ESET NOD32 Antivirus 4.2 *On-access scanning enabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Creative\Shared Files\CTAudSvc.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\Program\Delade filer\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\Wacom_Tablet.exe

C:\Program\Voddler\service\voddler.exe

C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\Wacom_Tablet.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program\Creative\Volume Panel\VolPanlu.exe

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\Program\Java\jre6\bin\jusched.exe

C:\Program\HP\HP Software Update\HPWuSchd2.exe

C:\Program\Voddler\service\VNetManager.exe

C:\Program\iTunes\iTunesHelper.exe

C:\Program\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program\Windows Desktop Search\WindowsSearch.exe

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\Program\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

C:\Program\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program\Windows Live\Messenger\msnmsgr.exe

C:\Program\Windows Live\Contacts\wlcomm.exe

C:\Program\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program\Lavasoft\Ad-Aware\AAWService.exe

C:\Documents and Settings\Anvädaren\Skrivbord\dds.scr

C:\WINDOWS\system32\SearchProtocolHost.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.se/

mWindow Title = Erhållen av Wermlandsdata

uInternet Settings,ProxyOverride = <local>

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program\delade filer\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program\bitcomet\tools\BitCometBHO_1.3.7.16.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program\avg\avg9\avgssie.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Windows Live inloggningshjälpen: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program\delade filer\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program\windows live\toolbar\wltcore.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program\windows live\toolbar\wltcore.dll

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

uRunOnce: [shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; Creative AutoUpdate v1.40.01)" -"http://www.blip.se/rsbitch/bitch_v3.asp"

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [VolPanel] "c:\program\creative\volume panel\VolPanlu.exe" /r

mRun: [CTxfiHlp] CTXFIHLP.EXE

mRun: [sunJavaUpdateSched] "c:\program\java\jre6\bin\jusched.exe"

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [AdobeCS4ServiceManager] "c:\program\delade filer\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin

mRun: [HP Software Update] c:\program\hp\hp software update\HPWuSchd2.exe

mRun: [VoddlerNet Manager] c:\program\voddler\service\VNetManager.exe

mRun: [Adobe Reader Speed Launcher] "c:\program\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program\delade filer\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program\itunes\iTunesHelper.exe"

mRun: [egui] "c:\program\eset\eset nod32 antivirus\egui.exe" /hide /waitservice

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\adobeg~1.lnk - c:\program\delade filer\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\hpdigi~1.lnk - c:\program\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\hpimag~1.lnk - c:\program\hp\digital imaging\bin\hpqthb08.exe

StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\window~1.lnk - c:\program\windows desktop search\WindowsSearch.exe

IE: &D&ownload &with BitComet - c:\program\bitcomet\BitComet.exe/AddLink.htm

IE: &D&ownload all video with BitComet - c:\program\bitcomet\BitComet.exe/AddVideo.htm

IE: &D&ownload all with BitComet - c:\program\bitcomet\BitComet.exe/AddAllLink.htm

IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program\bitcomet\tools\BitCometBHO_1.3.7.16.dll/206

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program\windows live\writer\WriterBrowserExtension.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\program\micros~2\office11\REFIEBAR.DLL

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {22492231-AEF0-49FC-9180-CE8969AB1273} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab

DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab

DPF: {6CCE3920-3183-4B3D-808A-B12EB769DE12} - hxxp://www.commandondemand.com/eval/cod/cabs/cssweb.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1256545002890

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab

DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15109/CTPID.cab

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\anvdar~1\applic~1\mozilla\firefox\profiles\3pc80yok.default\

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

c:\program\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program\mozilla firefox\greprefs\all.js - pref("browser.visited_color", "#551A8B");

c:\program\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("browser.videoFeeds.handler", "ask");

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-25 64288]

R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2009-12-27 3968]

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-4-27 114984]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2010-4-27 95872]

R2 ekrn;ESET Service;c:\program\eset\eset nod32 antivirus\ekrn.exe [2010-4-27 810120]

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-10-26 54752]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]

R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-12-2 5010288]

R2 VoddlerNet;VoddlerNet;c:\program\voddler\service\voddler.exe [2010-3-15 1160400]

R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2009-10-23 39424]

R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2009-6-4 171032]

R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2009-6-4 1324056]

R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2009-6-4 72728]

S0 yvtikpdt;yvtikpdt;c:\windows\system32\drivers\yvtikpdt.sys [2010-7-19 0]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program\delade filer\creative labs shared\service\CTAELicensing.exe [2009-10-23 79360]

S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2009-6-4 171032]

S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2009-6-4 1324056]

S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2009-6-4 72728]

S3 fsssvc;Tjänsten Windows Live Family Safety;c:\program\windows live\family safety\fsssvc.exe [2009-8-5 704864]

S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-11-18 16168]

=============== Created Last 30 ================

2010-07-21 16:58:40 0 d-----w- c:\windows\system32\wbem\Repository

2010-07-21 16:58:25 0 d-----w- c:\program\ESET

2010-07-20 17:22:06 12247040 ----a-w- c:\documents and settings\anvädaren\ntuser.dat

2010-07-20 17:06:13 164 ----a-w- c:\documents and settings\anvädaren\defogger_reenable

2010-07-20 11:20:18 0 d-sha-r- C:\cmdcons

2010-07-20 11:11:35 98816 ----a-w- c:\windows\sed.exe

2010-07-20 11:11:35 77312 ----a-w- c:\windows\MBR.exe

2010-07-20 11:11:35 256512 ----a-w- c:\windows\PEV.exe

2010-07-20 11:11:35 161792 ----a-w- c:\windows\SWREG.exe

2010-07-20 09:58:30 132608 --sh--r- c:\docume~1\anvdar~1\applic~1\ogix.exe

2010-07-19 20:22:36 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-07-19 20:04:47 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}

2010-07-19 19:41:49 0 d-----w- c:\windows\SxsCaPendDel

2010-07-19 19:04:23 0 ----a-w- c:\windows\system32\drivers\yvtikpdt.sys

2010-07-19 19:03:26 150 ----a-w- C:\zrpt.xml

2010-07-19 19:02:55 0 d-----w- c:\docume~1\anvdar~1\applic~1\748B938531AAE72261B4FFDC4ECCC8E0

==================== Find3M ====================

2010-07-04 07:22:21 71776 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT

2010-06-23 20:49:32 92094 ----a-w- c:\windows\system32\perfc01D.dat

2010-06-23 20:49:32 463742 ----a-w- c:\windows\system32\perfh01D.dat

2010-05-06 10:36:51 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 08:10:15 1851264 ----a-w- c:\windows\system32\win32k.sys

2006-06-23 06:48:54 32768 ----a-r- c:\windows\inf\UpdateUSB.exe

2009-12-31 15:26:12 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 10:09:55,90 ===============

Attach.txt

22 juli, 2010

Kan inte se något som startar automatiskt och som ändrar något. Det skulle ha kunnat finnas en start av combofix t ex.

Har du säkerhetskopior av alla viktiga filer med tanke på de problem som varit?

Vi gör ett nytt försök med en variant på skriptet till ComboFix.

Kopiera alla rader i rutan:

Killall::
Rootkit::
C:\WINDOWS\system32\drivers\yvtikpdt.sys

och klistra in i Anteckningar.

Spara filen på Skrivbordet med namnet CFScript.

Förbered datorn på samma sätt som tidigare för ComboFix.

Dra CFScript med musen och släpp den ovanpå ComboFix-ikonen på Skrivbordet så startar programmet på ett särskilt sätt.

Klistra in loggen som kommer ut.

22 juli, 2010

Japp har kopierat allt som är på c: det som är på min andra partion är de väl ingen fara med?

Här äf förövrigt Gmer loggen som kom innan datan började krångla med startupen;

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit quick scan 2010-07-20 19:51:00

Windows 5.1.2600 Service Pack 3

Running: r7xypgys.exe; Driver: C:\DOCUME~1\ANVDAR~1\LOKALA~1\Temp\fwnyyaod.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8AA87258

AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [bOOT] yvtikpdt <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

22 juli, 2010

Den andra partitionen är det ju meningen att den ska lämnas orörd om du behöver installera om Windows.

Om du inte har gjort det där med ComboFix så vänta med det. Man ska kunna fixa det med Gmer i stället.

22 juli, 2010

Inte gjort de än, men är lite rädd för Gmer nu när den segade med datorn så sen krasha i princip.

22 juli, 2010

Okej, men jag är mer orolig för att det var ComboFix som har strulat till det med datorn. Du får välja själv antingen ComboFix med CFScript enligt inlägg 27 eller nedanstående.

Kör GMER igen och när listan kommer upp där raden

Service (*** hidden *** ) [bOOT] yvtikpdt <-- ROOTKIT !!!

är markerad i rött, högerklicka på raden och välj Delete the service. Svara Yes/Ja på frågorna som kommer upp.

Datorn bör startas om automatiskt och då kör du Gmer igen för att kontrollera att den raden inte dyker upp något mer.

22 juli, 2010

Då testar jag Gmer!

22 juli, 2010

Om du inte har börjat så vänta lite

22 juli, 2010

Om det i Gmer finns ett alternativ Disable service i högerklicksmenyn så välj det i stället.

22 juli, 2010

Har redan börjat med Gmer, ska jag trycka stop?

Nån Disable Service kan jag inte se i den högra spalten.

22 juli, 2010

Services ser jag om du menade att jag skulle bocka ur den?

22 juli, 2010

Inte högra spalten utan när listan kommer upp efter skanningen så ska du högerklicka på raden med ROOTKIT, se inlägg 31, och i första hand välja Disable och i andra hand välja Delete the service.

22 juli, 2010

Aha då är jag med tror jag.

Håller på scanna nu så de är inte klart än.

Scanning startades dock inte automatiskt så fick starta den själv, men de har väl kanske ingen betydelse.

22 juli, 2010

Konstigt nog så kom de inte upp nåt om någon rootkit.

Här är den senaste loggen iaf;

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-07-22 13:34:05

Windows 5.1.2600 Service Pack 3

Running: 93u6mbnh.exe; Driver: C:\DOCUME~1\ANVDAR~1\LOKALA~1\Temp\fwnyyaod.sys

---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA0F887E]

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xBA0F8BFE]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB96B6360, 0x3441C7, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[492] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

.text C:\WINDOWS\System32\svchost.exe[1076] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009F000A

.text C:\WINDOWS\System32\svchost.exe[1076] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A0000A

.text C:\WINDOWS\System32\svchost.exe[1076] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 009E000C

.text C:\WINDOWS\System32\svchost.exe[1076] USER32.dll!GetCursorPos 7E37974E 5 Bytes JMP 00F2000A

.text C:\WINDOWS\System32\svchost.exe[1076] ole32.dll!CoCreateInstance 774F057E 5 Bytes JMP 00F8000A

.text C:\WINDOWS\Explorer.EXE[1552] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BD000A

.text C:\WINDOWS\Explorer.EXE[1552] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CB000A

.text C:\WINDOWS\Explorer.EXE[1552] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00BC000C

.text C:\Program\Internet Explorer\IEXPLORE.EXE[1708] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E2000A

.text C:\Program\Internet Explorer\IEXPLORE.EXE[1708] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00E3000A

.text C:\Program\Internet Explorer\IEXPLORE.EXE[1708] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00E1000C

.text C:\Program\Internet Explorer\IEXPLORE.EXE[1708] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 414F54C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program\Internet Explorer\IEXPLORE.EXE[1708] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 415CDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program\Internet Explorer\IEXPLORE.EXE[1708] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 416C480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program\Internet Explorer\IEXPLORE.EXE[1708] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 416C4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program\Internet Explorer\IEXPLORE.EXE[1708] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 416C47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program\Internet Explorer\IEXPLORE.EXE[1708] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 416C4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program\Internet Explorer\IEXPLORE.EXE[1708] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 416C4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program\Internet Explorer\IEXPLORE.EXE[1708] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 416C4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program\Internet Explorer\IEXPLORE.EXE[1708] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 416C46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program\ESET\ESET NOD32 Antivirus\ekrn.exe[1772] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]

.text C:\Program\Internet Explorer\IEXPLORE.EXE[2712] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E2000A

.text C:\Program\Internet Explorer\IEXPLORE.EXE[2712] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00E3000A

.text C:\Program\Internet Explorer\IEXPLORE.EXE[2712] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00E1000C

.text C:\Program\Internet Explorer\IEXPLORE.EXE[2712] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 414F54C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program\Internet Explorer\IEXPLORE.EXE[2712] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 415C9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program\Internet Explorer\IEXPLORE.EXE[2712] USER32.dll!CallNextHookEx 7E37B3C6 5 Bytes JMP 415BD0ED C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program\Internet Explorer\IEXPLORE.EXE[2712] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 415CDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program\Internet Explorer\IEXPLORE.EXE[2712] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 4153467C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program\Internet Explorer\IEXPLORE.EXE[2712] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 416C480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program\Internet Explorer\IEXPLORE.EXE[2712] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 416C4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program\Internet Explorer\IEXPLORE.EXE[2712] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 416C47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program\Internet Explorer\IEXPLORE.EXE[2712] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 416C4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program\Internet Explorer\IEXPLORE.EXE[2712] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 416C4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program\Internet Explorer\IEXPLORE.EXE[2712] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 416C4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program\Internet Explorer\IEXPLORE.EXE[2712] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 416C46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program\Internet Explorer\IEXPLORE.EXE[2712] ole32.dll!CoCreateInstance 774F057E 5 Bytes JMP 415CDB78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program\Internet Explorer\IEXPLORE.EXE[2712] ole32.dll!OleLoadFromStream 77519C85 5 Bytes JMP 416C4B77 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program\Internet Explorer\IEXPLORE.EXE[2712] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@start 1

Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@type 1

Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTdlhhlggibr.sys

Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@group file system

Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTdlhhlggibr.sys

Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTkcvjxdlmlq.dll

Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTbonrhsghdl.dat

Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTvtttypyrgk.dll

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3A 0xFB 0x63 0x48 ...

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x92 0x3B 0x41 0xA8 ...

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x82 0x73 0x1F 0xF8 ...

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x35 0xDE 0xD0 0x99 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x8B 0xCD 0x6B 0xBE ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x92 0x3B 0x41 0xA8 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x82 0x73 0x1F 0xF8 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xED 0xD8 0xB3 0xB0 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x94 0x0C 0xBB 0x12 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x92 0x3B 0x41 0xA8 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x82 0x73 0x1F 0xF8 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xED 0xD8 0xB3 0xB0 ...

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x94 0x0C 0xBB 0x12 ...

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x92 0x3B 0x41 0xA8 ...

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x82 0x73 0x1F 0xF8 ...

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xED 0xD8 0xB3 0xB0 ...

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x94 0x0C 0xBB 0x12 ...

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x92 0x3B 0x41 0xA8 ...

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x82 0x73 0x1F 0xF8 ...

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xED 0xD8 0xB3 0xB0 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program\DAEMON Tools Lite\

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x94 0x0C 0xBB 0x12 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x92 0x3B 0x41 0xA8 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x82 0x73 0x1F 0xF8 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xED 0xD8 0xB3 0xB0 ...

Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...

Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x94 0x0C 0xBB 0x12 ...

Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x92 0x3B 0x41 0xA8 ...

Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x82 0x73 0x1F 0xF8 ...

Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xED 0xD8 0xB3 0xB0 ...

---- EOF - GMER 1.0.15 ----

22 juli, 2010

I och för sig så borde det vara ett bra tecken. Starta om datorn och kör sedan ComboFix utan något CFScript så får vi se vad det programmet tycker om datorn nu.

22 juli, 2010

Combofix verkade hitta ett rootkit, men klantade mig o hittar inte loggen så jag ska göra en ny scan.

Undrade en sak också, är kommandot sfc /scannow nånting som kan hjälpa mig att få datorn att starta normalt som innan jag drog igång combofix/gmer?

22 juli, 2010

Loggen finns normalt som C:\ComboFix.txt.

Jag vet inte om sfc /scannow hjälper så länge som datorn är infekterad.

22 juli, 2010

Och om jag provar att reparera windows med en XP skiva, inte trycka på R på en gång så de går via recovery console utan om jag först trycker på "installera winxp" och sen reparera, hur funkar de? Filerna på datorn som är sparade försvinner väl inte då?

Ska ta fram log filen så fort jag får igång datan.

22 juli, 2010

Det blir en reparationsinstallation av Windows, men de skadliga filerna kommer inte att tas bort. Jag vet tyvärr lika lite med det alternativet som med sfc/scannow vad det kommer att bli för resultat, oförändrat, bättre eller sämre. Jag har inte sett någon annan webbsida där man har gjort så.

22 juli, 2010

Aha okay, good to know!

Har gjort ännu en chkdsk /r nu igen, och windows har startats normalt, trodde först att de berodde på att xp skivan satt i under uppstart den här gången men funkade utan som vanligt. jäkligt märkligt.

Här är senaste CF loggen;

ComboFix 10-07-21.02 - Anvädaren 2010-07-22 14:40:12.4.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.2047.1371 [GMT 2:00]

Körs från: c:\documents and settings\Anvädaren\Skrivbord\ComboFix.exe

AV: ESET NOD32 Antivirus 4.2 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

.

((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\driVERs\yvtikpdt.sys

.

((((((((((((((((((((((((((((((((((((((( Drivrutiner/Tjänster )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_yvtikpdt

-------\Service_yvtikpdt

(((((((((((((((((((((((( Filer Skapade från 2010-06-22 till 2010-07-22 ))))))))))))))))))))))))))))))

.

2010-07-21 16:58 . 2010-07-21 16:58 -------- d-----w- c:\windows\system32\wbem\Repository

2010-07-21 16:58 . 2010-07-21 16:58 -------- d-----w- c:\program\ESET

2010-07-21 16:58 . 2010-07-21 16:58 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET

2010-07-19 20:22 . 2010-07-19 20:06 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-07-19 20:04 . 2010-07-19 20:04 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}

2010-07-19 19:41 . 2010-07-19 19:47 -------- d-----w- c:\windows\SxsCaPendDel

2010-07-19 19:16 . 2010-07-19 19:16 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-21 16:58 . 2009-12-09 19:31 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet

2010-07-21 16:47 . 2010-07-21 16:55 214694 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1053.dat

2010-07-20 08:30 . 2009-12-31 16:55 -------- d-----w- c:\program\Malwarebytes' Anti-Malware

2010-07-20 04:41 . 2009-10-28 17:21 -------- d-----w- c:\program\Norman

2010-07-19 20:04 . 2009-10-31 07:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-07-19 19:06 . 2009-10-30 09:38 -------- d-----w- c:\program\BitComet

2010-07-04 07:22 . 2009-11-18 12:17 71776 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT

2010-06-23 20:49 . 2008-04-15 12:00 92094 ----a-w- c:\windows\system32\perfc01D.dat

2010-06-23 20:49 . 2008-04-15 12:00 463742 ----a-w- c:\windows\system32\perfh01D.dat

2010-06-23 18:52 . 2009-12-02 19:07 -------- d-----w- c:\program\Tablet

2010-06-16 19:25 . 2010-06-16 19:25 -------- d-----w- c:\program\iTunes

2010-06-16 19:25 . 2010-06-16 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-06-16 19:25 . 2010-06-16 19:25 -------- d-----w- c:\program\iPod

2010-06-16 19:25 . 2009-10-31 08:10 -------- d-----w- c:\program\Delade filer\Apple

2010-06-16 19:23 . 2009-10-31 12:17 -------- d-----w- c:\program\QuickTime

2010-06-16 19:21 . 2010-06-16 19:21 -------- d-----w- c:\program\Bonjour

2010-06-16 19:16 . 2009-10-28 18:30 -------- d-----w- c:\program\VideoLAN

2010-06-16 19:16 . 2010-06-16 19:16 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

2010-06-14 14:31 . 2009-10-22 12:23 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-05 06:26 . 2009-10-26 08:20 -------- d-----w- c:\program\Microsoft Silverlight

2010-05-28 21:38 . 2009-10-23 14:02 -------- d--h--w- c:\program\InstallShield Installation Information

2010-05-28 21:38 . 2010-05-28 21:38 -------- d-----w- c:\program\Pixologic

2010-05-23 06:12 . 2009-11-10 06:59 8 ----a-w- c:\windows\system32\nvModes.dat

2010-05-06 10:36 . 2008-04-15 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 08:10 . 2008-04-15 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 13:39 . 2009-12-31 16:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 13:39 . 2009-12-31 16:55 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-27 09:13 . 2010-04-27 09:13 95872 ----a-w- c:\windows\system32\drivers\epfwtdir.sys

2010-04-27 09:12 . 2010-04-27 09:12 114984 ----a-w- c:\windows\system32\drivers\ehdrv.sys

2010-04-27 09:09 . 2010-04-27 09:09 140216 ----a-w- c:\windows\system32\drivers\eamon.sys

.

((((((((((((((((((((((((((((( SnapShot@2010-07-20_11.40.15 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-07-22 12:50 . 2010-07-22 12:50 16384 c:\windows\temp\Perflib_Perfdata_770.dat

+ 2010-07-20 16:17 . 2010-07-20 16:17 10134 c:\windows\Installer\{E839B84A-7D33-4BFA-B2E0-F386D1AE8881}\callmsi.exe

+ 2009-11-13 14:56 . 2010-07-21 17:13 144476 c:\windows\system32\Restore\rstrlog.dat

+ 2010-07-20 16:17 . 2010-07-20 16:17 954368 c:\windows\Installer\31a107.msi

+ 2010-07-20 16:17 . 2010-07-20 16:17 101480 c:\windows\Installer\{E839B84A-7D33-4BFA-B2E0-F386D1AE8881}\egui.exe

.

(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))

.

*Not* Tomma poster & legitima standardposter visas inte.

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-31 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 16132608]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-06 8523776]

"nwiz"="nwiz.exe" [2007-11-06 1626112]

"VolPanel"="c:\program\Creative\Volume Panel\VolPanlu.exe" [2008-08-06 233576]

"CTxfiHlp"="CTXFIHLP.EXE" [2009-06-03 25600]

"SunJavaUpdateSched"="c:\program\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"AdobeCS4ServiceManager"="c:\program\Delade filer\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

"HP Software Update"="c:\program\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]

"VoddlerNet Manager"="c:\program\Voddler\service\VNetManager.exe" [2010-03-15 580296]

"Adobe Reader Speed Launcher"="c:\program\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\program\Delade filer\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"QuickTime Task"="c:\program\QuickTime\qttask.exe" [2010-03-17 421888]

"iTunesHelper"="c:\program\iTunes\iTunesHelper.exe" [2010-04-28 142120]

"egui"="c:\program\ESET\ESET NOD32 Antivirus\egui.exe" [2010-04-27 2161480]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]

c:\documents and settings\All Users\Start-meny\Program\Autostart\

Adobe Gamma Loader.lnk - c:\program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe [2009-10-30 110592]

HP Digital Imaging Monitor.lnk - c:\program\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]

HP Image Zone Snabbstarta.lnk - c:\program\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]

Windows Search.lnk - c:\program\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ \0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program\\Delade filer\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program\\BitComet\\BitComet.exe"=

"c:\\Program\\Spotify\\spotify.exe"=

"c:\\Program\\Warcraft II BNE\\Warcraft II BNE.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program\\Malwarebytes' Anti-Malware\\mbam.exe"=

"c:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program\\DC++\\DCPlusPlus.exe"=

"c:\\Program\\Tablet\\Wacom\\PrefUtil.exe"=

"c:\\Program\\Voddler\\service\\voddler.exe"=

"c:\\Program\\Bonjour\\mDNSResponder.exe"=

"c:\\Program\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

"7303:TCP"= 7303:TCP:BitComet 7303 TCP

"7303:UDP"= 7303:UDP:BitComet 7303 UDP

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-03-25 64288]

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-04-27 114984]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2010-04-27 95872]

R2 ekrn;ESET Service;c:\program\ESET\ESET NOD32 Antivirus\ekrn.exe [2010-04-27 810120]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program\Lavasoft\Ad-Aware\AAWService.exe [2009-09-24 1181328]

R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-12-02 5010288]

R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2009-10-23 39424]

R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2009-06-04 171032]

R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2009-06-04 1324056]

R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2009-06-04 72728]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program\Delade filer\Creative Labs Shared\Service\CTAELicensing.exe [2009-10-23 79360]

S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2009-06-04 171032]

S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2009-06-04 1324056]

S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2009-06-04 72728]

S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-11-18 16168]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2009-12-02 691696]

.

Innehållet i mappen 'Schemalagda aktiviteter':

2010-07-22 c:\windows\Tasks\Ad-Aware Update (Daily 1).job

- c:\program\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:06]

2010-07-22 c:\windows\Tasks\Ad-Aware Update (Daily 2).job

- c:\program\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:06]

2010-07-22 c:\windows\Tasks\Ad-Aware Update (Daily 3).job

- c:\program\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:06]

2010-07-22 c:\windows\Tasks\Ad-Aware Update (Daily 4).job

- c:\program\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:06]

2010-07-22 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:06]

2010-07-09 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]

2010-07-22 c:\windows\Tasks\HPpromotions journeysoftware.job

- c:\program\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe [2005-04-22 16:36]

2010-07-22 c:\windows\Tasks\User_Feed_Synchronization-{8549F50F-53DC-4CE4-A61C-F9C05D34D743}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]

.

------- Extra genomsökning -------

.

uStart Page = hxxp://www.google.se/

mWindow Title = Erhållen av Wermlandsdata

uInternet Settings,ProxyOverride = <local>

IE: &D&ownload &with BitComet - c:\program\BitComet\BitComet.exe/AddLink.htm

IE: &D&ownload all video with BitComet - c:\program\BitComet\BitComet.exe/AddVideo.htm

IE: &D&ownload all with BitComet - c:\program\BitComet\BitComet.exe/AddAllLink.htm

DPF: {6CCE3920-3183-4B3D-808A-B12EB769DE12} - hxxp://www.commandondemand.com/eval/cod/cabs/cssweb.cab

DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab

FF - ProfilePath - c:\documents and settings\Anvädaren\Application Data\Mozilla\Firefox\Profiles\3pc80yok.default\

FF - plugin: c:\program\MpcStar\Codecs\Real\browser\plugins\nppl3260.dll

FF - plugin: c:\program\MpcStar\Codecs\Real\browser\plugins\nprpjplug.dll

FF - plugin: c:\program\TabletPlugins\npwacom.dll

FF - plugin: c:\program\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: c:\program\Voddler\plugin\npvoddler.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICY ----

c:\program\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net'>http://www.gmer.net

Rootkit scan 2010-07-22 14:51

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys >>UNKNOWN [0x8A864A17]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28

\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8

\Driver\atapi -> atapi.sys @ 0xb9f37852

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

NDIS: Atheros L1 Gigabit Ethernet 10/100/1000Base-T Controller -> SendCompleteHandler -> NDIS.sys @ 0xb9e43bb0

PacketIndicateHandler -> NDIS.sys @ 0xb9e32a0d

SendHandler -> NDIS.sys @ 0xb9e46b40

user & kernel MBR OK

**************************************************************************

.

--------------------- LÅSTA REGISTERNYCKLAR ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•6~*]

"D140211900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

--------------------- DLLer som "laddats" under processer som körs ---------------------

- - - - - - - > 'winlogon.exe'(520)

c:\program\Delade filer\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(3864)

c:\program\ESET\ESET NOD32 Antivirus\eplgHooks.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Andra processer som körs ------------------------

.

c:\program\Creative\Shared Files\CTAudSvc.exe

c:\program\Delade filer\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program\Bonjour\mDNSResponder.exe

c:\windows\system32\CTsvcCDA.exe

c:\program\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\HPZipm12.exe

c:\program\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program\Voddler\service\voddler.exe

c:\windows\system32\WTablet\Wacom_TabletUser.exe

c:\windows\system32\SearchIndexer.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\wbem\unsecapp.exe

c:\windows\RTHDCPL.EXE

c:\windows\SYSTEM32\CTXFISPI.EXE

c:\program\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

c:\program\iPod\bin\iPodService.exe

c:\program\HP\Digital Imaging\bin\hpqimzone.exe

c:\windows\system32\msiexec.exe

c:\program\Lavasoft\Ad-Aware\AAWTray.exe

.

**************************************************************************

.

Sluttid: 2010-07-22 14:58:17 - datorn startades om.

ComboFix-quarantined-files.txt 2010-07-22 12:58

ComboFix2.txt 2010-07-20 15:36

ComboFix3.txt 2010-07-20 14:10

ComboFix4.txt 2010-07-20 11:46

Före genomsökningen: 19 711 479 808 byte ledigt

Efter genomsökningen: 21 701 353 472 byte ledigt

Current=9 Default=9 Failed=8 LastKnownGood=10 Sets=1,2,3,4,5,6,7,8,9,10

- - End Of File - - 40C1BAF1DC763BE39C8292813ED565E6

22 juli, 2010

Datorn börjar väl friskna till lite grann för där försvann en skadlig fil.

Starta om datorn och kör ComboFix en gång till. Klistra in loggen.

Starta om datorn och kör RootRepeal. Klistra in loggen.

I båda fallen förstås med avstängda program på samma sätt som tidigare.

22 juli, 2010

Man får hoppas!

Men verkade som att CF tog bort nåt mer nu;

ComboFix 10-07-21.04 - Anvädaren 2010-07-22 17:54:39.5.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.2047.1301 [GMT 2:00]

Körs från: c:\documents and settings\Anvädaren\Skrivbord\ComboFix.exe

AV: ESET NOD32 Antivirus 4.2 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

.

((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))

.

Infekterad kopia av c:\windows\system32\userinit.exe hittades och desinficerades.

Återställd kopia från - c:\windows\ERDNT\cache\userinit.exe

.

(((((((((((((((((((((((( Filer Skapade från 2010-06-22 till 2010-07-22 ))))))))))))))))))))))))))))))

.

2010-07-21 16:58 . 2010-07-21 16:58 -------- d-----w- c:\windows\system32\wbem\Repository

2010-07-21 16:58 . 2010-07-21 16:58 -------- d-----w- c:\program\ESET

2010-07-21 16:58 . 2010-07-21 16:58 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET

2010-07-19 20:22 . 2010-07-19 20:06 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-07-19 20:04 . 2010-07-19 20:04 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}

2010-07-19 19:41 . 2010-07-19 19:47 -------- d-----w- c:\windows\SxsCaPendDel

2010-07-19 19:16 . 2010-07-19 19:16 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-22 15:50 . 2009-12-09 19:31 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet