Problem medTrojan-klicker

[Tomping]

Hej! min dator verkar inte fungera som den ska!

jag använder zonealarm. troligen så har jag fått in skräp i datorn pga en felinställning i mjukvarubrandväggen,som nu är åtgärdad. Den senaste veckan har zonealarm karantänlagt trojaner dagligen. En fil som heter dnt.sys försökt komma åt internet. Har nu dödat den. sist jag startade datorn så var jag tvungen att köra felsäkert läge först innan windows gick igång. vad skall jag göra?

Be happy!

 

[Cecilia]

Kontrollera att inget olämpligt har blivit godkänt i brandväggen.

 

Vi kan ju se om HijackThis visar något till att börja med:

http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Installera, kör, skanna och spara loggen (inget annat).

Klistra in loggen i ditt svar.

 

[Tomping]

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:53:42, on 2008-01-28

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\perfs.exe

C:\WINDOWS\system32\routing.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\RunDll32.exe

C:\Program\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE

C:\Program\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe

C:\Program\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program\Internet Explorer\iexplore.exe

C:\Program\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.se/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O1 - Hosts: AmsServer

O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program\TechSmith\SnagIt 8\SnagItBHO.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program\TechSmith\SnagIt 8\SnagItIEAddin.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program\Delade filer\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [C6501Sound] RunDll32 c6501.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe

O4 - HKLM\..\Run: [ZoneAlarm Client] 'C:\Program\Zone Labs\ZoneAlarm\zlclient.exe'

O4 - HKLM\..\Run: [startCCC] 'C:\Program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe'

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [Ad-Aware] 'C:\Program\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe' +c

O4 - HKCU\..\Run: [AlcoholAutomount] 'C:\Program\Alcohol Soft\Alcohol 120\axcmd.exe' /automount

O4 - HKUS\S-1-5-19\..\Run: [MsnMsgr] 'C:\Program\MSN Messenger\MsnMsgr.Exe' /background (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y '%SystemRoot%\System32\syssetub.dll' '%SystemRoot%\System32\syssetup.dll' (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-20\..\Run: [MsnMsgr] 'C:\Program\MSN Messenger\MsnMsgr.Exe' /background (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y '%SystemRoot%\System32\syssetub.dll' '%SystemRoot%\System32\syssetup.dll' (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [MsnMsgr] 'C:\Program\MSN Messenger\MsnMsgr.Exe' /background (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y '%SystemRoot%\System32\syssetub.dll' '%SystemRoot%\System32\syssetup.dll' (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [MsnMsgr] 'C:\Program\MSN Messenger\MsnMsgr.Exe' /background (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y '%SystemRoot%\System32\syssetub.dll' '%SystemRoot%\System32\syssetup.dll' (User 'Default user')

O8 - Extra context menu item: E&ampxportera till Microsoft Excel - res://C:\Program\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~1\OFFICE11\REFIEBAR.DLL

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199310692609

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199339247875

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe

O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

--

End of file - 4986 bytes

 

Bifogar lista med de trojaner som rört om.

Trojan-clicker.win32.VB.aaa

Trojan-clicker.win32.Delf.eed

det verkar vara lndt.sys och andt.sys som startar trojanerna

 

 

[Cecilia]

Du ser inte ut att ha något antivirusprogram i datorn. Hur kommer det sig?

 

Ladda ner ComboFix till Skrivbordet:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

 

Dra ur internetanslutningen och stäng av alla program du ser inklusive antivirusprogram, antispionprogram och brandvägg.

Kör ComboFix och följ anvisningarna som visas.

 

VIKTIGT! Klicka inte på ComboFix-fönstret med musen när den körs annars kan den hänga upp sig.

 

När den är färdig så ska en logg komma upp, klistra in den i ditt svar. Kontrollera att antivirusprogram och brandvägg är igång innan du ansluter till internet.

 

Om du får problem med att komma ut på internet:

Kontrollpanelen - Nätverksanslutningar

högerklicka på din internetanslutning och välj Reparera och/eller starta om datorn.

 

[Tomping]

ComboFix 08-01-28.2 - Hemmadatorn 2008-01-28 19:07:07.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1053.18.684 [GMT 1:00]

Running from: C:\Documents and Settings\Hemmadatorn\Skrivbord\ComboFix.exe

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\system32\install.exe

C:\WINDOWS\system32\pskill.exe

 

.

((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-28 )))))))))))))))))))))))))))))))

.

 

2008-01-28 19:06 . 2006-03-18 18:24 390,656 --a------ C:\kmd.exe

2008-01-27 19:24 . 2008-01-27 19:24 45,056 --a------ C:\WINDOWS\system32\Indt2.sys

2008-01-25 16:06 . 2008-01-25 16:06 <KAT> d-------- C:\Program\Trend Micro

2008-01-24 07:19 . 2008-01-24 07:19 32,256 --a------ C:\WINDOWS\system32\routing.exe

2008-01-22 17:16 . 2008-01-22 17:16 268 --ah----- C:\sqmdata00.sqm

2008-01-22 17:16 . 2008-01-22 17:16 244 --ah----- C:\sqmnoopt00.sqm

2008-01-17 17:11 . 2008-01-17 17:29 <KAT> d-------- C:\Documents and Settings\Hemmadatorn\Application Data\dvdcss

2008-01-16 17:34 . 2006-05-10 21:36 196,608 --a------ C:\WINDOWS\system32\UpdateDriver.exe

2008-01-16 17:34 . 2006-07-20 19:06 525 --a------ C:\WINDOWS\system32\ucuiinfo.ini

2008-01-14 21:37 . 2008-01-14 21:37 0 --a------ C:\WINDOWS\nsreg.dat

2008-01-13 11:01 . 2008-01-13 11:01 151 --a------ C:\WINDOWS\PhotoSnapViewer.INI

2008-01-13 10:10 . 2008-01-13 10:10 <KAT> d-------- C:\Program\MSXML 4.0

2008-01-12 18:46 . 2008-01-12 18:46 <KAT> d-------- C:\Program\VideoLAN

2008-01-12 13:05 . 2008-01-12 13:05 <KAT> d-------- C:\Documents and Settings\Hemmadatorn\Application Data\Teleca

2008-01-12 13:05 . 2007-04-23 15:54 108,680 -ra------ C:\WINDOWS\system32\drivers\s115mdm.sys

2008-01-12 13:05 . 2007-04-23 15:54 100,488 -ra------ C:\WINDOWS\system32\drivers\s115mgmt.sys

2008-01-12 13:05 . 2007-04-23 15:54 98,568 -ra------ C:\WINDOWS\system32\drivers\s115obex.sys

2008-01-12 13:05 . 2007-04-23 15:54 83,208 -ra------ C:\WINDOWS\system32\drivers\s115bus.sys

2008-01-12 13:05 . 2007-04-23 15:54 15,112 -ra------ C:\WINDOWS\system32\drivers\s115mdfl.sys

2008-01-12 13:05 . 2007-04-23 15:54 12,424 -ra------ C:\WINDOWS\system32\drivers\s115whnt.sys

2008-01-12 13:05 . 2007-04-23 15:54 12,424 -ra------ C:\WINDOWS\system32\drivers\s115wh.sys

2008-01-12 13:05 . 2007-04-23 15:54 12,424 -ra------ C:\WINDOWS\system32\drivers\s115cmnt.sys

2008-01-12 13:05 . 2007-04-23 15:54 12,424 -ra------ C:\WINDOWS\system32\drivers\s115cm.sys

2008-01-12 13:03 . 2008-01-12 13:03 <KAT> d-------- C:\WINDOWS\Downloaded Installations

2008-01-12 13:03 . 2008-01-12 13:03 <KAT> d-------- C:\Program\Sony Ericsson

2008-01-12 13:03 . 2008-01-12 13:04 <KAT> d-------- C:\Program\Delade filer\Teleca Shared

2008-01-12 13:03 . 2008-01-12 13:03 <KAT> d-------- C:\Program\Delade filer\Sony Ericsson Shared

2008-01-12 13:03 . 2008-01-12 13:03 <KAT> d-------- C:\Documents and Settings\Hemmadatorn\Application Data\Sony Ericsson

2008-01-12 13:01 . 2008-01-12 13:03 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Teleca

2008-01-12 13:01 . 2008-01-12 13:03 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson

2008-01-09 16:12 . 2008-01-09 16:12 253,952 --a------ C:\WINDOWS\system32\ndt2.sys

2008-01-07 06:23 . 2008-01-07 06:23 <KAT> d-------- C:\Documents and Settings\Hemmadatorn\Application Data\Lavasoft

2008-01-06 21:00 . 2008-01-12 21:32 <KAT> d-------- C:\Documents and Settings\Hemmadatorn\Application Data\vlc

2008-01-06 11:24 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl

2008-01-05 21:42 . 2008-01-13 17:02 <KAT> d-------- C:\Documents and Settings\Hemmadatorn\Contacts

2008-01-05 10:03 . 2008-01-05 10:03 40 --a------ C:\WINDOWS\system32\drmgs.sys

2008-01-04 19:50 . 2008-01-04 19:50 <KAT> d-------- C:\Program\Alcohol Soft

2008-01-04 19:47 . 2008-01-04 19:47 <KAT> d-------- C:\Program Files

2008-01-04 19:47 . 2008-01-04 19:47 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys

2008-01-03 21:12 . 2008-01-03 21:20 <KAT> d-------- C:\Program\MagicISO

2008-01-03 14:59 . 2008-01-09 07:25 <KAT> d-------- C:\Program\World of Warcraft

2008-01-03 14:59 . 2008-01-03 14:59 <KAT> d-------- C:\Program\Delade filer\Blizzard Entertainment

2008-01-03 14:39 . 2008-01-03 14:39 <KAT> d-------- C:\Documents and Settings\Hemmadatorn\Application Data\ATI

2008-01-03 14:39 . 2008-01-03 14:39 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\ATI

2008-01-03 14:35 . 2007-12-05 14:17 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe

2008-01-03 14:30 . 2008-01-03 14:30 10 --a------ C:\WINDOWS\WININIT.INI

2008-01-03 14:20 . 2008-01-03 14:20 <KAT> d-------- C:\Documents and Settings\Hemmadatorn\Application Data\TechSmith

2008-01-03 11:45 . 2008-01-03 11:45 <KAT> d-------- C:\Program\TechSmith

2008-01-03 11:45 . 2008-01-03 11:45 <KAT> d-------- C:\Program\Delade filer\Wise Installation Wizard

2008-01-03 11:45 . 2008-01-03 11:45 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\TechSmith

2008-01-03 08:12 . 2008-01-28 14:19 959 --a------ C:\rollback.ini

2008-01-03 08:03 . 2008-01-03 08:54 <KAT> d-------- C:\Documents and Settings\Hemmadatorn\Application Data\MailFrontier

2008-01-03 08:03 . 2008-01-28 18:07 4,200,480 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat

2008-01-03 08:03 . 2008-01-27 10:35 60,884 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx

2008-01-03 07:51 . 2008-01-03 08:34 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier

2008-01-03 07:51 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll

2008-01-03 06:59 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll

2008-01-03 06:59 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui

2008-01-03 06:36 . 2008-01-03 06:36 <KAT> d-------- C:\Program\ATI

2008-01-03 00:40 . 2008-01-03 00:40 <KAT> d-------- C:\Program\ULi5289

2008-01-03 00:40 . 2001-11-13 21:24 35,587 --a------ C:\WINDOWS\system32\rm5289.exe

2008-01-03 00:40 . 2006-03-09 22:02 24,415 --a------ C:\WINDOWS\system32\unM5289.exe

2008-01-03 00:38 . 2008-01-03 00:38 <KAT> d-------- C:\WINDOWS\RaidTool

2008-01-03 00:38 . 2008-01-03 00:38 <KAT> d-------- C:\RaidTool

2008-01-03 00:34 . 2007-11-26 11:16 72,704 --a------ C:\WINDOWS\system32\drivers\jraid.sys

2008-01-03 00:19 . 2008-01-26 22:03 116 --a------ C:\WINDOWS\NeroDigital.ini

2008-01-02 23:06 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe

2008-01-02 22:58 . 2007-07-09 14:11 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

2008-01-02 22:55 . 2008-01-09 05:21 <KAT> d--h----- C:\WINDOWS\$hf_mig$

2008-01-02 22:52 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll

2008-01-02 22:52 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui

2008-01-02 22:52 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui

2008-01-02 22:52 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui

2008-01-02 22:52 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui

2008-01-02 22:51 . 2008-01-02 22:51 <KAT> d---s---- C:\Documents and Settings\Hemmadatorn\UserData

2008-01-02 22:46 . 2008-01-02 22:46 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage

2008-01-02 22:23 . 2008-01-03 07:38 <KAT> d-------- C:\WINDOWS\CAVTemp

2008-01-02 22:23 . 2008-01-02 22:23 <KAT> d-------- C:\Program\Driver-Soft

2008-01-02 22:23 . 2004-03-09 16:45 662,288 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX

2008-01-02 22:23 . 2004-06-14 14:56 427,864 --a------ C:\WINDOWS\system32\XceedZip.dll

2008-01-02 21:42 . 2008-01-02 21:42 <KAT> d-------- C:\Program\uTorrent

2008-01-02 21:42 . 2008-01-27 10:35 <KAT> d-------- C:\Documents and Settings\Hemmadatorn\Application Data\uTorrent

2008-01-02 18:43 . 2008-01-02 18:43 <KAT> d-------- C:\Program\ULiRaid

2008-01-02 18:43 . 2005-07-04 14:21 52,480 --a------ C:\WINDOWS\system32\drivers\m5289.sys

2008-01-02 18:43 . 2005-07-15 15:09 29,696 --a------ C:\WINDOWS\system32\dev32.exe

2008-01-02 18:43 . 2005-12-28 03:32 9,621 --a------ C:\WINDOWS\system32\drivers\ulisata.cat

2008-01-02 17:45 . 2008-01-03 14:36 <KAT> d-------- C:\Program\ATI Technologies

2008-01-02 17:39 . 2008-01-02 17:39 <KAT> d-------- C:\WINDOWS\system32\LogFiles

2008-01-02 17:09 . 2004-08-04 01:34 75,264 --a------ C:\WINDOWS\system32\usbui.dll

2008-01-02 17:01 . 2008-01-28 19:05 450 --a------ C:\WINDOWS\system\C6501.ini

2008-01-02 17:00 . 2008-01-02 17:00 <KAT> d-------- C:\Program\C-Media 6501 Sound

2008-01-02 17:00 . 2006-08-08 09:18 5,713,920 --a------ C:\WINDOWS\system\c6501.cpl

2008-01-02 17:00 . 2006-07-11 07:05 1,419,776 --a------ C:\WINDOWS\system32\drivers\c6501.sys

2008-01-02 17:00 . 2001-11-23 05:08 712,704 --a------ C:\WINDOWS\system32\c6501a3d.dll

2008-01-02 17:00 . 2001-11-23 05:08 712,704 -ra------ C:\WINDOWS\system32\a3d.dll

2008-01-02 17:00 . 2006-06-30 07:05 262,144 -r------- C:\WINDOWS\Cmi6501Uninstall.exe

2008-01-02 17:00 . 2006-06-27 10:14 253,952 --a------ C:\WINDOWS\system32\c6501rm.exe

2008-01-02 17:00 . 2005-12-26 10:23 53,248 --a------ C:\WINDOWS\system32\c6501rm.dll

2008-01-02 17:00 . 2006-06-27 07:54 32,768 --a------ C:\WINDOWS\system32\c6501p.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-25 18:59 --------- d-----w C:\Program\Java

2008-01-14 10:28 2,659,840 ----a-w C:\WINDOWS\Internet Logs\xDBD0.tmp

2008-01-12 20:32 --------- d-----w C:\Documents and Settings\Hemmadatorn\Application Data\vlc

2008-01-12 12:07 58,895 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2008_01_11_07_03_31_small.dmp.zip

2008-01-12 12:07 58,052 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2008_01_11_07_03_44_small.dmp.zip

2008-01-12 12:01 994,652 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip

2008-01-05 20:41 --------- d-----w C:\Program\MSN Messenger

2008-01-05 09:01 --------- d-----w C:\Program\Google

2008-01-04 18:44 --------- d-----w C:\Documents and Settings\Hemmadatorn\Application Data\Ahead

2008-01-03 13:28 --------- d--h--w C:\Program\InstallShield Installation Information

2008-01-03 05:33 --------- d-----w C:\Program\Delade filer\InstallShield

2008-01-02 15:59 --------- d-----w C:\Program\DIFX

2008-01-02 15:56 --------- d-----w C:\Documents and Settings\Hemmadatorn\Application Data\AdobeUM

2008-01-02 15:45 --------- d--h--w C:\Program\Uninstall Information

2008-01-02 15:37 --------- d-----w C:\Program\Microsoft.NET

2008-01-02 15:36 --------- d-----w C:\Program\Nero

2008-01-02 15:36 --------- d-----w C:\Program\Delade filer\Ahead

2008-01-02 15:35 --------- d-----w C:\Program\Lavasoft

2008-01-02 15:35 --------- d-----w C:\Program\Delade filer\Adobe

2008-01-02 15:17 --------- d-----w C:\Program\Delade filer\Java

2008-01-02 15:16 --------- d-----w C:\Program\Onlinetjänster

2008-01-02 15:15 --------- d-----w C:\Program\Delade filer\MSSoap

2008-01-02 14:59 --------- d-----w C:\Program\Delade filer\SpeechEngines

2008-01-02 14:59 --------- d-----w C:\Program\Delade filer\ODBC

2007-12-05 05:26 2,782,208 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys

2007-12-05 03:05 368,640 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll

2007-12-05 03:04 269,312 ----a-w C:\WINDOWS\system32\ati2dvag.dll

2007-12-05 02:56 147,456 ----a-w C:\WINDOWS\system32\atipdlxx.dll

2007-12-05 02:55 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll

2007-12-05 02:55 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe

2007-12-05 02:55 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll

2007-12-05 02:55 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll

2007-12-05 02:54 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll

2007-12-05 02:53 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL

2007-12-05 02:53 495,616 ----a-w C:\WINDOWS\system32\ati2evxx.exe

2007-12-05 02:48 9,535,488 ----a-w C:\WINDOWS\system32\atioglx2.dll

2007-12-05 02:44 3,175,584 ----a-w C:\WINDOWS\system32\ati3duag.dll

2007-12-05 02:33 1,640,192 ----a-w C:\WINDOWS\system32\ativvaxx.dll

2007-12-05 02:19 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll

2007-12-05 02:19 385,024 ----a-w C:\WINDOWS\system32\atikvmag.dll

2007-12-05 02:17 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll

2007-12-05 02:16 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll

2007-12-05 02:14 180,224 ----a-w C:\WINDOWS\system32\atiok3x2.dll

2007-12-05 02:11 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll

2007-11-14 15:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe

2007-11-07 09:29 722,432 ----a-w C:\WINDOWS\system32\lsasrv.dll

2007-10-29 22:45 1,289,728 ----a-w C:\WINDOWS\system32\quartz.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries &amp legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

'AlcoholAutomount'='C:\Program\Alcohol Soft\Alcohol 120\axcmd.exe' [2007-12-22 08:23 221568]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

'NeroFilterCheck'='C:\Program\Delade filer\Ahead\Lib\NeroCheck.exe' [2006-01-12 15:40 155648]

'C6501Sound'='c6501.cpl' []

'JMB36X IDE Setup'='C:\WINDOWS\RaidTool\xInsIDE.exe' [2007-03-20 14:36 36864]

'ZoneAlarm Client'='C:\Program\Zone Labs\ZoneAlarm\zlclient.exe' [2007-11-14 16:05 919016]

'StartCCC'='C:\Program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe' [2006-11-10 12:35 90112]

'Ad-Aware'='C:\Program\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe' [2005-05-27 14:24 865280]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

'MsnMsgr'='C:\Program\MSN Messenger\MsnMsgr.exe' [2007-01-19 12:55 5674352]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

'nlsf'='cmd.exe' [2006-03-18 18:24 390656 C:\WINDOWS\system32\cmd.exe]

'tscuninstall'='C:\WINDOWS\system32\tscupgrd.exe' [2006-03-18 18:24 44544]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]

--a------ 2007-10-04 18:38 307200 C:\Program\ATI\ATICustomerCare\ATICustomerCare.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

--a------ 2007-01-19 12:55 5674352 C:\Program\MSN Messenger\msnmsgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

C:\Program\Steam\Steam.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ULiRaid5289]

--a------ 2005-06-07 15:16 409600 C:\Program\ULI5289\ULi5289.exe

 

R0 jahcijahciC:\WINDOWS\system32\DRIVERS\JAHCI.sys [2005-10-25 04:35]

R0 m5289m5289C:\WINDOWS\system32\DRIVERS\m5289.sys [2005-07-04 14:21]

R0 uliagpkxULi AGP Bus Filter DriverC:\WINDOWS\system32\DRIVERS\agpkx.sys [2005-05-03 17:31]

R2 perfmonsperfmons ServiceC:\WINDOWS\system32\perfs.exe [2006-03-18 18:24]

R2 RoutingRouting ServiceC:\WINDOWS\system32\routing.exe [2008-01-24 07:19]

R3 cm102u32C-Media CM6501 Like Sound InterfaceC:\WINDOWS\system32\drivers\c6501.sys [2006-07-11 07:05]

R3 ULI5261XPULi M526X Ethernet NT DriverC:\WINDOWS\system32\DRIVERS\ULILAN51.SYS [2005-03-22 20:36]

S3 s115busSony Ericsson Device 115 driver (WDM)C:\WINDOWS\system32\DRIVERS\s115bus.sys [2007-04-23 15:54]

S3 s115mdflSony Ericsson Device 115 USB WMC Modem FilterC:\WINDOWS\system32\DRIVERS\s115mdfl.sys [2007-04-23 15:54]

S3 s115mdmSony Ericsson Device 115 USB WMC Modem DriverC:\WINDOWS\system32\DRIVERS\s115mdm.sys [2007-04-23 15:54]

S3 s115mgmtSony Ericsson Device 115 USB WMC Device Management Drivers (WDM)C:\WINDOWS\system32\DRIVERS\s115mgmt.sys [2007-04-23 15:54]

S3 s115obexSony Ericsson Device 115 USB WMC OBEX InterfaceC:\WINDOWS\system32\DRIVERS\s115obex.sys [2007-04-23 15:54]

S3 StreamSurgeStreamSurge DriverC:\WINDOWS\system32\DRIVERS\ss.sys []

 

*Newly Created Service* - PROCEXP90

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-28 19:08:11

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_DLLs = ?IKI.DLL

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-01-28 19:08:32

ComboFix-quarantined-files.txt 2008-01-28 18:08:29

.

2008-01-21 14:59:41 --- E O F ---

 

Jag vet inte men varför det inte syns men zonealarm är på!!

 

[Cecilia]

Det syns att brandväggen och ett antispamprogram är igång, men antiviruset syns inte. Men om ZoneAlarm-programmet ska innehålla antivirus så är det kanske otrevligheterna som stänger av.

 

Gå till http://www.virustotal.com/ klistra in ett av följande filnamn i rutan, tryck på Skicka Fil och vänta tills resultatet är klart (Närvarande status blir genomförd). Klistra in resultatet från de olika antivirusprogrammen här. Upprepa med nästa filnamn.

C:\kmd.exe

C:\WINDOWS\system32\Indt2.sys

C:\WINDOWS\system32\routing.exe

C:\WINDOWS\system32\UpdateDriver.exe

C:\WINDOWS\system32\drmgs.sys

C:\WINDOWS\system32\perfs.exe

C:\WINDOWS\system32\IKI.DLL

 

Ladda ner SDFix till Skrivbordet:

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Dubbelklicka på SDFix.exe och en ny mapp skapas, C:\SDFix.

 

Starta om datorn i felsäkert läge (tryck F8 upprepade gånger under uppstarten och välj felsäkert läge i menyn).

 

Öppna den nya mappen C:\SDFix och dubbelklicka på RunThis.bat för att starta programmet.

Tryck Y för att fortsätta.

Det arbetar ett tag och när det är klart så kommer det upp en fråga om du vill starta om datorn.

Tryck på godtycklig tangent för att omstarten ska påbörjas.

Datorn kommer att ta lång tid på sig under uppstarten eftersom programmet kommer att gå igång och fixa till en massa.

När det är klart visas Finished.

Tryck på valfri tangent för att avsluta programmet.

 

Öppna mappen SDFix och öppna filen Report.txt i Anteckningar.

Klistra in innehållet i filen i ditt svar här och en ny ComboFix-logg.

 

[Tomping]

Fil kmd.exe mottagen 2008.01.28 20:17:50 (CET)

Närvarande status: Laddar ... köad väntar söker genomförd EJ FUNNEN STOPPAD

 

 

Resultat: 0/32 (0%)

Laddar server information...

Din fil är köad i position: 13.

Uppskattat starttid är mellan 76 och 109 sekunder.

Stäng inte ner detta fönster förens sökningen är genomförd.

Scannern som arbetade med din fil har stoppat, vi kommer att vänta ett par sekunder för att försöka återställa ditt resultat.

Om du väntar i mer än 5 minuter måste du skicka in din fil igen.

Din fil blir genomsökt av VirusTotal för tillfället,

resultat kommer att visas när de är klara.

Compact Skriv ut resultat

Din fil har upphört eller existerar inte.

Tjänsten är stoppad för tillfället, din fil väntar på att bli genomsökt (position: ) för en obestämd tid.

 

Du kan vänta på ett svar (automatisk uppdatering) eller ange din email i formuläret nedan och klicka 'begär' så kommer systemet att skicka dig ett email när sökningen är genomförd.

Email:

 

 

Antivirus Version Senaste Uppdatering Resultat

AhnLab-V3 2008.1.28.10 2008.01.28 -

AntiVir 7.6.0.56 2008.01.28 -

Authentium 4.93.8 2008.01.26 -

Avast 4.7.1098.0 2008.01.27 -

AVG 7.5.0.516 2008.01.28 -

BitDefender 7.2 2008.01.28 -

CAT-QuickHeal 9.00 2008.01.25 -

ClamAV 0.91.2 2008.01.28 -

DrWeb 4.44.0.09170 2008.01.28 -

eSafe 7.0.15.0 2008.01.16 -

eTrust-Vet 31.3.5486 2008.01.26 -

Ewido 4.0 2008.01.27 -

FileAdvisor 1 2008.01.28 -

Fortinet 3.14.0.0 2008.01.28 -

F-Prot 4.4.2.54 2008.01.27 -

F-Secure 6.70.13260.0 2008.01.28 -

Ikarus T3.1.1.20 2008.01.28 -

Kaspersky 7.0.0.125 2008.01.28 -

McAfee 5216 2008.01.26 -

Microsoft 1.3109 2008.01.28 -

NOD32v2 2828 2008.01.28 -

Norman 5.80.02 2008.01.28 -

Panda 9.0.0.4 2008.01.28 -

Prevx1 V2 2008.01.28 -

Rising 20.29.01.00 2008.01.28 -

Sophos 4.25.0 2008.01.28 -

Sunbelt 2.2.907.0 2008.01.25 -

Symantec 10 2008.01.28 -

TheHacker 6.2.9.200 2008.01.28 -

VBA32 3.12.2.5 2008.01.21 -

VirusBuster 4.3.26:9 2008.01.28 -

Webwasher-Gateway 6.6.2 2008.01.28 -

Övrig information

File size: 390656 bytes

MD5: d7621a67fc39f0072bd1b64d9b9fbacb

SHA1: 7003a52d0d2aefab2a372fed29a9ed12c50d8262

PEiD: -

Den verkade vara ok??

Be happy!

 

[Tomping]

Fil Indt2.sys mottagen 2008.01.28 20:29:39 (CET)

Närvarande status: Laddar ... köad väntar söker genomförd EJ FUNNEN STOPPAD

 

 

Resultat: 4/32 (12.5%)

Laddar server information...

Din fil är köad i position: 13.

Uppskattat starttid är mellan 76 och 109 sekunder.

Stäng inte ner detta fönster förens sökningen är genomförd.

Scannern som arbetade med din fil har stoppat, vi kommer att vänta ett par sekunder för att försöka återställa ditt resultat.

Om du väntar i mer än 5 minuter måste du skicka in din fil igen.

Din fil blir genomsökt av VirusTotal för tillfället,

resultat kommer att visas när de är klara.

Compact Skriv ut resultat

Din fil har upphört eller existerar inte.

Tjänsten är stoppad för tillfället, din fil väntar på att bli genomsökt (position: ) för en obestämd tid.

 

Du kan vänta på ett svar (automatisk uppdatering) eller ange din email i formuläret nedan och klicka 'begär' så kommer systemet att skicka dig ett email när sökningen är genomförd.

Email:

 

 

Antivirus Version Senaste Uppdatering Resultat

AhnLab-V3 2008.1.29.10 2008.01.28 -

AntiVir 7.6.0.56 2008.01.28 -

Authentium 4.93.8 2008.01.26 -

Avast 4.7.1098.0 2008.01.27 -

AVG 7.5.0.516 2008.01.28 Clicker.KXC

BitDefender 7.2 2008.01.28 -

CAT-QuickHeal 9.00 2008.01.25 -

ClamAV 0.91.2 2008.01.28 -

DrWeb 4.44.0.09170 2008.01.28 Trojan.Click.5002

eSafe 7.0.15.0 2008.01.28 -

eTrust-Vet 31.3.5486 2008.01.26 -

Ewido 4.0 2008.01.27 -

FileAdvisor 1 2008.01.28 -

Fortinet 3.14.0.0 2008.01.28 -

F-Prot 4.4.2.54 2008.01.27 -

F-Secure 6.70.13260.0 2008.01.28 -

Ikarus T3.1.1.20 2008.01.28 -

Kaspersky 7.0.0.125 2008.01.28 -

McAfee 5216 2008.01.26 -

Microsoft 1.3109 2008.01.28 -

NOD32v2 2828 2008.01.28 a variant of Win32/TrojanClicker.VB.NDJ

Norman 5.80.02 2008.01.28 -

Panda 9.0.0.4 2008.01.28 -

Prevx1 V2 2008.01.28 Generic.Malware

Rising 20.29.01.00 2008.01.28 -

Sophos 4.25.0 2008.01.28 -

Sunbelt 2.2.907.0 2008.01.25 -

Symantec 10 2008.01.28 -

TheHacker 6.2.9.200 2008.01.28 -

VBA32 3.12.2.5 2008.01.21 -

VirusBuster 4.3.26:9 2008.01.28 -

Webwasher-Gateway 6.6.2 2008.01.28 -

Övrig information

File size: 45056 bytes

MD5: c2567d8612d0900d8a03b2cae0123951

SHA1: 4d1be9770db19f7c64edf13c2a1a9a104cdf5728

PEiD: -

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=E228FFE700D2AC20B0BC00F6C9FF6000AD02C531

Nasty!!!!

Be happy!

 

[Tomping]

AhnLab-V3 2008.1.29.10 2008.01.28 -

AntiVir 7.6.0.56 2008.01.28 -

Authentium 4.93.8 2008.01.26 -

Avast 4.7.1098.0 2008.01.28 -

AVG 7.5.0.516 2008.01.28 Downloader.Generic6.AEXN

BitDefender 7.2 2008.01.28 Trojan.Agent.Delf.FQ

CAT-QuickHeal 9.00 2008.01.28 -

ClamAV 0.91.2 2008.01.28 -

DrWeb 4.44.0.09170 2008.01.28 -

eSafe 7.0.15.0 2008.01.28 -

eTrust-Vet 31.3.5486 2008.01.26 -

Ewido 4.0 2008.01.27 -

FileAdvisor 1 2008.01.28 -

Fortinet 3.14.0.0 2008.01.28 -

F-Prot 4.4.2.54 2008.01.27 -

F-Secure 6.70.13260.0 2008.01.28 -

Ikarus T3.1.1.20 2008.01.28 Trojan.Agent.Delf.FQ

Kaspersky 7.0.0.125 2008.01.28 -

McAfee 5216 2008.01.26 -

Microsoft 1.3109 2008.01.28 -

NOD32v2 2828 2008.01.28 a variant of Win32/TrojanDownloader.Delf.OBC

Norman 5.80.02 2008.01.28 -

Panda 9.0.0.4 2008.01.28 -

Prevx1 V2 2008.01.28 Generic.Rootkit

Rising 20.29.01.00 2008.01.28 -

Sophos 4.25.0 2008.01.28 -

Sunbelt 2.2.907.0 2008.01.25 -

Symantec 10 2008.01.28 -

TheHacker 6.2.9.201 2008.01.28 -

VBA32 3.12.2.5 2008.01.21 suspected of Backdoor.XiaoBird.150 (paranoid heuristics)

VirusBuster 4.3.26:9 2008.01.28 -

Webwasher-Gateway 6.6.2 2008.01.28 -

Övrig information

File size: 32256 bytes

MD5: 3240aac8540893eaac76c7c438842200

SHA1: 89f1f7d43a3f6155061d4d96484bae46f1d66665

PEiD: -

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=54BD10C900696B747EB400038D2C34006EB4F40F

Oops det var inte heller så bra!

Be happy!

 

[Tomping]

AhnLab-V3 2008.1.29.10 2008.01.28 -

AntiVir 7.6.0.56 2008.01.28 -

Authentium 4.93.8 2008.01.26 -

Avast 4.7.1098.0 2008.01.28 -

AVG 7.5.0.516 2008.01.28 -

BitDefender 7.2 2008.01.28 -

CAT-QuickHeal 9.00 2008.01.28 -

ClamAV 0.91.2 2008.01.28 -

DrWeb 4.44.0.09170 2008.01.28 -

eSafe 7.0.15.0 2008.01.28 -

eTrust-Vet 31.3.5486 2008.01.26 -

Ewido 4.0 2008.01.27 -

FileAdvisor 1 2008.01.28 -

Fortinet 3.14.0.0 2008.01.28 -

F-Prot 4.4.2.54 2008.01.27 -

F-Secure 6.70.13260.0 2008.01.28 -

Ikarus T3.1.1.20 2008.01.28 -

Kaspersky 7.0.0.125 2008.01.28 -

McAfee 5216 2008.01.26 -

Microsoft 1.3109 2008.01.28 -

NOD32v2 2829 2008.01.28 -

Norman 5.80.02 2008.01.28 -

Panda 9.0.0.4 2008.01.28 -

Prevx1 V2 2008.01.28 -

Rising 20.29.01.00 2008.01.28 -

Sophos 4.25.0 2008.01.28 -

Sunbelt 2.2.907.0 2008.01.25 -

Symantec 10 2008.01.28 -

TheHacker 6.2.9.201 2008.01.28 -

VBA32 3.12.2.5 2008.01.21 -

VirusBuster 4.3.26:9 2008.01.28 -

Webwasher-Gateway 6.6.2 2008.01.28 -

Övrig information

File size: 196608 bytes

MD5: 3c8277af74bf74132ac740b847587c5c

SHA1: 14768614c9bbbc093229ce25140a2747a4121010

PEiD: Armadillo v1.71

Den såg ren ut!

Be happy!

 

[Tomping]

AhnLab-V3 2008.1.29.10 2008.01.28 -

AntiVir 7.6.0.56 2008.01.28 -

Authentium 4.93.8 2008.01.26 -

Avast 4.7.1098.0 2008.01.28 -

AVG 7.5.0.516 2008.01.28 -

BitDefender 7.2 2008.01.28 -

CAT-QuickHeal 9.00 2008.01.28 -

ClamAV 0.91.2 2008.01.28 -

DrWeb 4.44.0.09170 2008.01.28 -

eSafe 7.0.15.0 2008.01.28 -

eTrust-Vet 31.3.5486 2008.01.26 -

Ewido 4.0 2008.01.27 -

FileAdvisor 1 2008.01.28 -

Fortinet 3.14.0.0 2008.01.28 -

F-Prot 4.4.2.54 2008.01.27 -

F-Secure 6.70.13260.0 2008.01.28 -

Ikarus T3.1.1.20 2008.01.28 -

Kaspersky 7.0.0.125 2008.01.28 -

McAfee 5216 2008.01.26 -

Microsoft 1.3109 2008.01.28 -

NOD32v2 2829 2008.01.28 -

Norman 5.80.02 2008.01.28 -

Panda 9.0.0.4 2008.01.28 -

Prevx1 V2 2008.01.28 -

Rising 20.29.01.00 2008.01.28 -

Sophos 4.25.0 2008.01.28 -

Sunbelt 2.2.907.0 2008.01.25 -

Symantec 10 2008.01.28 -

TheHacker 6.2.9.201 2008.01.28 -

VBA32 3.12.2.5 2008.01.21 -

VirusBuster 4.3.26:9 2008.01.28 -

Webwasher-Gateway 6.6.2 2008.01.28 -

Övrig information

File size: 40 bytes

MD5: 9adcfc8aaa872eda440df91c3173a946

SHA1: b51576d6a185a1916684e8295a8e2f30b60dca0b

PEiD: -

Denverkar också ok!

Be happy!

 

[Tomping]

Antivirus Version Senaste Uppdatering Resultat

AhnLab-V3 2008.1.29.10 2008.01.28 -

AntiVir 7.6.0.56 2008.01.28 -

Authentium 4.93.8 2008.01.26 -

Avast 4.7.1098.0 2008.01.28 -

AVG 7.5.0.516 2008.01.28 Downloader.Generic6.AFOE

BitDefender 7.2 2008.01.28 -

CAT-QuickHeal 9.00 2008.01.28 -

ClamAV 0.91.2 2008.01.28 -

DrWeb 4.44.0.09170 2008.01.28 -

eSafe 7.0.15.0 2008.01.28 -

eTrust-Vet 31.3.5486 2008.01.26 -

Ewido 4.0 2008.01.27 -

FileAdvisor 1 2008.01.28 -

Fortinet 3.14.0.0 2008.01.28 -

F-Prot 4.4.2.54 2008.01.27 -

F-Secure 6.70.13260.0 2008.01.28 -

Ikarus T3.1.1.20 2008.01.28 Trojan.Agent.Delf.FQ

Kaspersky 7.0.0.125 2008.01.28 -

McAfee 5216 2008.01.26 -

Microsoft 1.3109 2008.01.28 -

NOD32v2 2829 2008.01.28 Win32/TrojanDownloader.Delf.OBC

Norman 5.80.02 2008.01.28 -

Panda 9.0.0.4 2008.01.28 Trj/Dropper.ZV

Prevx1 V2 2008.01.28 Generic.Rootkit

Rising 20.29.01.00 2008.01.28 -

Sophos 4.25.0 2008.01.28 -

Sunbelt 2.2.907.0 2008.01.25 -

Symantec 10 2008.01.28 -

TheHacker 6.2.9.201 2008.01.28 -

VBA32 3.12.2.5 2008.01.21 -

VirusBuster 4.3.26:9 2008.01.28 -

Webwasher-Gateway 6.6.2 2008.01.28 -

Övrig information

File size: 32768 bytes

MD5: 3c9d614cf180dd485aa925e8747bb442

SHA1: 5547bf52d1b45e9967fe48d218f6b5202e74b483

PEiD: -

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=2F5D45A100A26896801000AB7D70C8006C9E6237

Den såg inte alls bra ut

Be happy!

 

[Tomping]

C:\WINDOWS\system32\IKI.DLL svaret jag fick från virustotal var 0 bytes size received.

 

Jag har fräckt nog inte tackat dig för att du tog dig an fallet. Men jag önskar att alla människor var lika hjälpsamma som du! Tack Cecilia

Be happy!

 

[Tomping]

här är sdfix rapporten

 

SDFix: Version 1.131

 

Run by Hemmadatorn on 2008-01-28 at 22:10

 

Microsoft Windows XP [Version 5.1.2600]

 

Running From: C:\DOCUME~1\HEMMAD~1\SKRIVB~1\SDFix

 

Safe Mode:

Checking Services:

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

 

Rebooting...

 

 

Normal Mode:

Checking Files:

 

Trojan Files Found:

 

C:\WINDOWS\system32\comsa32.sys - Deleted

C:\WINDOWS\system32\perfs.txt - Deleted

 

 

 

 

 

Removing Temp Files...

 

ADS Check:

 

C:\WINDOWS

No streams found.

 

C:\WINDOWS\explorer.exe

No streams found.

 

C:\WINDOWS\system32

No streams found.

 

C:\WINDOWS\system32\svchost.exe

No streams found.

 

C:\WINDOWS\system32\ntoskrnl.exe

No streams found.

 

 

 

Final Check:

 

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-28 22:15:31

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden services &amp system hive ...

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]

's1'=dword:2df9c43f

's2'=dword:110480d0

'h0'=dword:00000001

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]

'p0'='C:\Program\Alcohol Soft\Alcohol 120\'

'h0'=dword:00000000

'ujdew'=hex:4c,c6,8e,ea,26,96,54,3e,06,f3,39,4a,b5,76,06,ae,d9,43,68,fe,b9,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]

'p0'='C:\Program\Alcohol Soft\Alcohol 120\'

'h0'=dword:00000000

'ujdew'=hex:4c,c6,8e,ea,26,96,54,3e,06,f3,39,4a,b5,76,06,ae,d9,43,68,fe,b9,..

 

scanning hidden registry entries ...

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\\xd8\x2022\x20ac|\xff\xff\xff\xff\22\x2022\x20ac|\xf9\x20226~\2]

'D140110900063D11C8EF10054038389C'='C?\WINDOWS\system32\FM20ENU.DLL'

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

 

Remaining Services:

------------------

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

 

Remaining Files:

---------------

 

File Backups: - C:\DOCUME~1\HEMMAD~1\SKRIVB~1\SDFix\backups\backups.zip

 

Files with Hidden Attributes:

 

 

Finished!

 

Be happy!

 

[Tomping]

Hej Cecilia här kommer combologgen!

det känns som om datorn är snabbare nu kan det stämma? Ska gå och lägga mig nu! vi hörs i morgon hoppas på goda nyheter. än en gång du é en ängel

/Tomping

ComboFix 08-01-28.2 - Hemmadatorn 2008-01-28 22:24:18.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1053.18.703 [GMT 1:00]

Running from: C:\Documents and Settings\Hemmadatorn\Skrivbord\ComboFix.exe

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-28 )))))))))))))))))))))))))))))))

.

 

2008-01-28 22:12 . 2008-01-28 22:12 <KAT> d-------- C:\WINDOWS\system32\xircom

2008-01-28 22:12 . 2008-01-28 22:12 <KAT> d-------- C:\Program\microsoft frontpage

2008-01-28 22:10 . 2008-01-28 22:10 <KAT> d-------- C:\WINDOWS\ERUNT

2008-01-27 19:24 . 2008-01-27 19:24 45,056 --a------ C:\WINDOWS\system32\Indt2.sys

2008-01-25 16:06 . 2008-01-25 16:06 <KAT> d-------- C:\Program\Trend Micro

2008-01-24 07:19 . 2008-01-24 07:19 32,256 --a------ C:\WINDOWS\system32\routing.exe

2008-01-22 17:16 . 2008-01-22 17:16 268 --ah----- C:\sqmdata00.sqm

2008-01-22 17:16 . 2008-01-22 17:16 244 --ah----- C:\sqmnoopt00.sqm

2008-01-17 17:11 . 2008-01-17 17:29 <KAT> d-------- C:\Documents and Settings\Hemmadatorn\Application Data\dvdcss

2008-01-16 17:34 . 2006-05-10 21:36 196,608 --a------ C:\WINDOWS\system32\UpdateDriver.exe

2008-01-16 17:34 . 2006-07-20 19:06 525 --a------ C:\WINDOWS\system32\ucuiinfo.ini

2008-01-14 21:37 . 2008-01-14 21:37 0 --a------ C:\WINDOWS\nsreg.dat

2008-01-13 11:01 . 2008-01-13 11:01 151 --a------ C:\WINDOWS\PhotoSnapViewer.INI

2008-01-13 10:10 . 2008-01-13 10:10 <KAT> d-------- C:\Program\MSXML 4.0

2008-01-12 18:46 . 2008-01-12 18:46 <KAT> d-------- C:\Program\VideoLAN

2008-01-12 13:05 . 2008-01-12 13:05 <KAT> d-------- C:\Documents and Settings\Hemmadatorn\Application Data\Teleca

2008-01-12 13:05 . 2007-04-23 15:54 108,680 -ra------ C:\WINDOWS\system32\drivers\s115mdm.sys

2008-01-12 13:05 . 2007-04-23 15:54 100,488 -ra------ C:\WINDOWS\system32\drivers\s115mgmt.sys

2008-01-12 13:05 . 2007-04-23 15:54 98,568 -ra------ C:\WINDOWS\system32\drivers\s115obex.sys

2008-01-12 13:05 . 2007-04-23 15:54 83,208 -ra------ C:\WINDOWS\system32\drivers\s115bus.sys

2008-01-12 13:05 . 2007-04-23 15:54 15,112 -ra------ C:\WINDOWS\system32\drivers\s115mdfl.sys

2008-01-12 13:05 . 2007-04-23 15:54 12,424 -ra------ C:\WINDOWS\system32\drivers\s115whnt.sys

2008-01-12 13:05 . 2007-04-23 15:54 12,424 -ra------ C:\WINDOWS\system32\drivers\s115wh.sys

2008-01-12 13:05 . 2007-04-23 15:54 12,424 -ra------ C:\WINDOWS\system32\drivers\s115cmnt.sys

2008-01-12 13:05 . 2007-04-23 15:54 12,424 -ra------ C:\WINDOWS\system32\drivers\s115cm.sys

2008-01-12 13:03 . 2008-01-12 13:03 <KAT> d-------- C:\WINDOWS\Downloaded Installations

2008-01-12 13:03 . 2008-01-12 13:03 <KAT> d-------- C:\Program\Sony Ericsson

2008-01-12 13:03 . 2008-01-12 13:04 <KAT> d-------- C:\Program\Delade filer\Teleca Shared

2008-01-12 13:03 . 2008-01-12 13:03 <KAT> d-------- C:\Program\Delade filer\Sony Ericsson Shared

2008-01-12 13:03 . 2008-01-12 13:03 <KAT> d-------- C:\Documents and Settings\Hemmadatorn\Application Data\Sony Ericsson

2008-01-12 13:01 . 2008-01-12 13:03 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Teleca

2008-01-12 13:01 . 2008-01-12 13:03 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson

2008-01-09 16:12 . 2008-01-09 16:12 253,952 --a------ C:\WINDOWS\system32\ndt2.sys

2008-01-07 06:23 . 2008-01-07 06:23 <KAT> d-------- C:\Documents and Settings\Hemmadatorn\Application Data\Lavasoft

2008-01-06 21:00 . 2008-01-12 21:32 <KAT> d-------- C:\Documents and Settings\Hemmadatorn\Application Data\vlc

2008-01-06 11:24 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl

2008-01-05 21:42 . 2008-01-13 17:02 <KAT> d-------- C:\Documents and Settings\Hemmadatorn\Contacts

2008-01-05 10:03 . 2008-01-05 10:03 40 --a------ C:\WINDOWS\system32\drmgs.sys

2008-01-04 19:50 . 2008-01-04 19:50 <KAT> d-------- C:\Program\Alcohol Soft

2008-01-04 19:47 . 2008-01-04 19:47 <KAT> d-------- C:\Program Files

2008-01-04 19:47 . 2008-01-04 19:47 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys

2008-01-03 21:12 . 2008-01-03 21:20 <KAT> d-------- C:\Program\MagicISO

2008-01-03 14:59 . 2008-01-09 07:25 <KAT> d-------- C:\Program\World of Warcraft

2008-01-03 14:59 . 2008-01-03 14:59 <KAT> d-------- C:\Program\Delade filer\Blizzard Entertainment

2008-01-03 14:39 . 2008-01-03 14:39 <KAT> d-------- C:\Documents and Settings\Hemmadatorn\Application Data\ATI

2008-01-03 14:39 . 2008-01-03 14:39 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\ATI

2008-01-03 14:35 . 2007-12-05 14:17 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe

2008-01-03 14:30 . 2008-01-03 14:30 10 --a------ C:\WINDOWS\WININIT.INI

2008-01-03 14:20 . 2008-01-03 14:20 <KAT> d-------- C:\Documents and Settings\Hemmadatorn\Application Data\TechSmith

2008-01-03 11:45 . 2008-01-03 11:45 <KAT> d-------- C:\Program\TechSmith

2008-01-03 11:45 . 2008-01-03 11:45 <KAT> d-------- C:\Program\Delade filer\Wise Installation Wizard

2008-01-03 11:45 . 2008-01-03 11:45 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\TechSmith

2008-01-03 08:12 . 2008-01-28 20:19 1,113 --a------ C:\rollback.ini

2008-01-03 08:03 . 2008-01-03 08:54 <KAT> d-------- C:\Documents and Settings\Hemmadatorn\Application Data\MailFrontier

2008-01-03 08:03 . 2008-01-28 22:25 4,238,112 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat

2008-01-03 08:03 . 2008-01-28 22:06 61,772 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx

2008-01-03 07:51 . 2008-01-03 08:34 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier

2008-01-03 07:51 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll

2008-01-03 06:59 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll

2008-01-03 06:59 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui

2008-01-03 06:36 . 2008-01-03 06:36 <KAT> d-------- C:\Program\ATI

2008-01-03 00:40 . 2008-01-03 00:40 <KAT> d-------- C:\Program\ULi5289

2008-01-03 00:40 . 2001-11-13 21:24 35,587 --a------ C:\WINDOWS\system32\rm5289.exe

2008-01-03 00:40 . 2006-03-09 22:02 24,415 --a------ C:\WINDOWS\system32\unM5289.exe

2008-01-03 00:38 . 2008-01-03 00:38 <KAT> d-------- C:\WINDOWS\RaidTool

2008-01-03 00:38 . 2008-01-03 00:38 <KAT> d-------- C:\RaidTool

2008-01-03 00:34 . 2007-11-26 11:16 72,704 --a------ C:\WINDOWS\system32\drivers\jraid.sys

2008-01-03 00:19 . 2008-01-26 22:03 116 --a------ C:\WINDOWS\NeroDigital.ini

2008-01-02 23:06 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe

2008-01-02 22:58 . 2007-07-09 14:11 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

2008-01-02 22:55 . 2008-01-09 05:21 <KAT> d--h----- C:\WINDOWS\$hf_mig$

2008-01-02 22:52 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll

2008-01-02 22:52 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui

2008-01-02 22:52 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui

2008-01-02 22:52 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui

2008-01-02 22:52 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui

2008-01-02 22:51 . 2008-01-02 22:51 <KAT> d---s---- C:\Documents and Settings\Hemmadatorn\UserData

2008-01-02 22:46 . 2008-01-02 22:46 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage

2008-01-02 22:23 . 2008-01-03 07:38 <KAT> d-------- C:\WINDOWS\CAVTemp

2008-01-02 22:23 . 2008-01-02 22:23 <KAT> d-------- C:\Program\Driver-Soft

2008-01-02 22:23 . 2004-03-09 16:45 662,288 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX

2008-01-02 22:23 . 2004-06-14 14:56 427,864 --a------ C:\WINDOWS\system32\XceedZip.dll

2008-01-02 21:42 . 2008-01-02 21:42 <KAT> d-------- C:\Program\uTorrent

2008-01-02 21:42 . 2008-01-27 10:35 <KAT> d-------- C:\Documents and Settings\Hemmadatorn\Application Data\uTorrent

2008-01-02 18:43 . 2008-01-02 18:43 <KAT> d-------- C:\Program\ULiRaid

2008-01-02 18:43 . 2005-07-04 14:21 52,480 --a------ C:\WINDOWS\system32\drivers\m5289.sys

2008-01-02 18:43 . 2005-07-15 15:09 29,696 --a------ C:\WINDOWS\system32\dev32.exe

2008-01-02 18:43 . 2005-12-28 03:32 9,621 --a------ C:\WINDOWS\system32\drivers\ulisata.cat

2008-01-02 17:45 . 2008-01-03 14:36 <KAT> d-------- C:\Program\ATI Technologies

2008-01-02 17:39 . 2008-01-02 17:39 <KAT> d-------- C:\WINDOWS\system32\LogFiles

2008-01-02 17:09 . 2004-08-04 01:34 75,264 --a------ C:\WINDOWS\system32\usbui.dll

2008-01-02 17:01 . 2008-01-28 19:05 450 --a------ C:\WINDOWS\system\C6501.ini

2008-01-02 17:00 . 2008-01-02 17:00 <KAT> d-------- C:\Program\C-Media 6501 Sound

2008-01-02 17:00 . 2006-08-08 09:18 5,713,920 --a------ C:\WINDOWS\system\c6501.cpl

2008-01-02 17:00 . 2006-07-11 07:05 1,419,776 --a------ C:\WINDOWS\system32\drivers\c6501.sys

2008-01-02 17:00 . 2001-11-23 05:08 712,704 --a------ C:\WINDOWS\system32\c6501a3d.dll

2008-01-02 17:00 . 2001-11-23 05:08 712,704 -ra------ C:\WINDOWS\system32\a3d.dll

2008-01-02 17:00 . 2006-06-30 07:05 262,144 -r------- C:\WINDOWS\Cmi6501Uninstall.exe

2008-01-02 17:00 . 2006-06-27 10:14 253,952 --a------ C:\WINDOWS\system32\c6501rm.exe

2008-01-02 17:00 . 2005-12-26 10:23 53,248 --a------ C:\WINDOWS\system32\c6501rm.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-25 18:59 --------- d-----w C:\Program\Java

2008-01-14 10:28 2,659,840 ----a-w C:\WINDOWS\Internet Logs\xDBD0.tmp

2008-01-12 20:32 --------- d-----w C:\Documents and Settings\Hemmadatorn\Application Data\vlc

2008-01-12 12:07 58,895 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2008_01_11_07_03_31_small.dmp.zip

2008-01-12 12:07 58,052 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2008_01_11_07_03_44_small.dmp.zip

2008-01-12 12:01 994,652 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip

2008-01-05 20:41 --------- d-----w C:\Program\MSN Messenger

2008-01-05 09:01 --------- d-----w C:\Program\Google

2008-01-04 18:44 --------- d-----w C:\Documents and Settings\Hemmadatorn\Application Data\Ahead

2008-01-03 13:28 --------- d--h--w C:\Program\InstallShield Installation Information

2008-01-03 05:33 --------- d-----w C:\Program\Delade filer\InstallShield

2008-01-02 15:59 --------- d-----w C:\Program\DIFX

2008-01-02 15:56 --------- d-----w C:\Documents and Settings\Hemmadatorn\Application Data\AdobeUM

2008-01-02 15:45 --------- d--h--w C:\Program\Uninstall Information

2008-01-02 15:37 --------- d-----w C:\Program\Microsoft.NET

2008-01-02 15:36 --------- d-----w C:\Program\Nero

2008-01-02 15:36 --------- d-----w C:\Program\Delade filer\Ahead

2008-01-02 15:35 --------- d-----w C:\Program\Lavasoft

2008-01-02 15:35 --------- d-----w C:\Program\Delade filer\Adobe

2008-01-02 15:17 --------- d-----w C:\Program\Delade filer\Java

2008-01-02 15:16 --------- d-----w C:\Program\Onlinetjänster

2008-01-02 15:15 --------- d-----w C:\Program\Delade filer\MSSoap

2008-01-02 14:59 --------- d-----w C:\Program\Delade filer\SpeechEngines

2008-01-02 14:59 --------- d-----w C:\Program\Delade filer\ODBC

2007-12-05 05:26 2,782,208 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys

2007-12-05 03:05 368,640 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll

2007-12-05 03:04 269,312 ----a-w C:\WINDOWS\system32\ati2dvag.dll

2007-12-05 02:56 147,456 ----a-w C:\WINDOWS\system32\atipdlxx.dll

2007-12-05 02:55 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll

2007-12-05 02:55 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe

2007-12-05 02:55 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll

2007-12-05 02:55 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll

2007-12-05 02:54 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll

2007-12-05 02:53 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL

2007-12-05 02:53 495,616 ----a-w C:\WINDOWS\system32\ati2evxx.exe

2007-12-05 02:48 9,535,488 ----a-w C:\WINDOWS\system32\atioglx2.dll

2007-12-05 02:44 3,175,584 ----a-w C:\WINDOWS\system32\ati3duag.dll

2007-12-05 02:33 1,640,192 ----a-w C:\WINDOWS\system32\ativvaxx.dll

2007-12-05 02:19 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll

2007-12-05 02:19 385,024 ----a-w C:\WINDOWS\system32\atikvmag.dll

2007-12-05 02:17 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll

2007-12-05 02:16 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll

2007-12-05 02:14 180,224 ----a-w C:\WINDOWS\system32\atiok3x2.dll

2007-12-05 02:11 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll

2007-11-14 15:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe

2007-11-07 09:29 722,432 ----a-w C:\WINDOWS\system32\lsasrv.dll

2007-10-29 22:45 1,289,728 ----a-w C:\WINDOWS\system32\quartz.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries &amp legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

'AlcoholAutomount'='C:\Program\Alcohol Soft\Alcohol 120\axcmd.exe' [2007-12-22 08:23 221568]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

'NeroFilterCheck'='C:\Program\Delade filer\Ahead\Lib\NeroCheck.exe' [2006-01-12 15:40 155648]

'C6501Sound'='c6501.cpl' []

'JMB36X IDE Setup'='C:\WINDOWS\RaidTool\xInsIDE.exe' [2007-03-20 14:36 36864]

'ZoneAlarm Client'='C:\Program\Zone Labs\ZoneAlarm\zlclient.exe' [2007-11-14 16:05 919016]

'StartCCC'='C:\Program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe' [2006-11-10 12:35 90112]

'Ad-Aware'='C:\Program\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe' [2005-05-27 14:24 865280]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

'MsnMsgr'='C:\Program\MSN Messenger\MsnMsgr.exe' [2007-01-19 12:55 5674352]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

'nlsf'='cmd.exe' [2006-03-18 18:24 390656 C:\WINDOWS\system32\cmd.exe]

'tscuninstall'='C:\WINDOWS\system32\tscupgrd.exe' [2006-03-18 18:24 44544]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]

--a------ 2007-10-04 18:38 307200 C:\Program\ATI\ATICustomerCare\ATICustomerCare.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

--a------ 2007-01-19 12:55 5674352 C:\Program\MSN Messenger\msnmsgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

C:\Program\Steam\Steam.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ULiRaid5289]

--a------ 2005-06-07 15:16 409600 C:\Program\ULI5289\ULi5289.exe

 

R0 jahcijahciC:\WINDOWS\system32\DRIVERS\JAHCI.sys [2005-10-25 04:35]

R0 m5289m5289C:\WINDOWS\system32\DRIVERS\m5289.sys [2005-07-04 14:21]

R0 uliagpkxULi AGP Bus Filter DriverC:\WINDOWS\system32\DRIVERS\agpkx.sys [2005-05-03 17:31]

R2 perfmonsperfmons ServiceC:\WINDOWS\system32\perfs.exe [2006-03-18 18:24]

R2 RoutingRouting ServiceC:\WINDOWS\system32\routing.exe [2008-01-24 07:19]

R3 cm102u32C-Media CM6501 Like Sound InterfaceC:\WINDOWS\system32\drivers\c6501.sys [2006-07-11 07:05]

R3 ULI5261XPULi M526X Ethernet NT DriverC:\WINDOWS\system32\DRIVERS\ULILAN51.SYS [2005-03-22 20:36]

S3 s115busSony Ericsson Device 115 driver (WDM)C:\WINDOWS\system32\DRIVERS\s115bus.sys [2007-04-23 15:54]

S3 s115mdflSony Ericsson Device 115 USB WMC Modem FilterC:\WINDOWS\system32\DRIVERS\s115mdfl.sys [2007-04-23 15:54]

S3 s115mdmSony Ericsson Device 115 USB WMC Modem DriverC:\WINDOWS\system32\DRIVERS\s115mdm.sys [2007-04-23 15:54]

S3 s115mgmtSony Ericsson Device 115 USB WMC Device Management Drivers (WDM)C:\WINDOWS\system32\DRIVERS\s115mgmt.sys [2007-04-23 15:54]

S3 s115obexSony Ericsson Device 115 USB WMC OBEX InterfaceC:\WINDOWS\system32\DRIVERS\s115obex.sys [2007-04-23 15:54]

S3 StreamSurgeStreamSurge DriverC:\WINDOWS\system32\DRIVERS\ss.sys []

 

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-28 22:25:04

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_DLLs = ?IKI.DLL

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-01-28 22:25:24

ComboFix-quarantined-files.txt 2008-01-28 21:25:21

ComboFix2.txt 2008-01-28 18:08:32

.

2008-01-21 14:59:41 --- E O F ---

 

Be happy!

 

[Cecilia]

Tack för poäng!

 

Både ComboFix och SDFix har tagit bort filer så visst börjar datorn må bättre.

 

Kopiera alla rader nedan

[KOD]

 

File::

C:\kmd.exe okej

C:\WINDOWS\system32\Indt2.sys

C:\WINDOWS\system32\routing.exe

C:\WINDOWS\system32\perfs.exe

C:\WINDOWS\system32\IKI.DLL

C:\WINDOWS\system32\comsa32.sys

[/KOD]

och klistra in i Anteckningar.

Spara filen på Skrivbordet med namnet CFScript.

 

Dra CFScript med musen och släpp den ovanpå ComboFix-ikonen på Skrivbordet så startar programmet på ett särskilt sätt.

Klistra in loggen som kommer ut.

 

Skanna denna fil på virustotal-sidan:

C:\WINDOWS\system32\ndt2.sys

 

[Tomping]

Fick ingen loggfil från combo!? letade under c/combofix.

 

en filsom jag tror heter pers.exe försöker få åtkomst till internet. bifogar Vtotal loggen. Går till jobbet nu tillbaks vid 15:00

Be happy!

AhnLab-V3 2008.1.29.10 2008.01.28 -

AntiVir 7.6.0.56 2008.01.28 -

Authentium 4.93.8 2008.01.26 -

Avast 4.7.1098.0 2008.01.28 Win32:Delf-HWS

AVG 7.5.0.516 2008.01.29 -

BitDefender 7.2 2008.01.29 -

CAT-QuickHeal 9.00 2008.01.28 -

ClamAV 0.91.2 2008.01.29 -

DrWeb 4.44.0.09170 2008.01.28 -

eSafe 7.0.15.0 2008.01.28 -

eTrust-Vet 31.3.5493 2008.01.28 -

Ewido 4.0 2008.01.29 -

FileAdvisor 1 2008.01.29 -

Fortinet 3.14.0.0 2008.01.29 -

F-Prot 4.4.2.54 2008.01.28 -

F-Secure 6.70.13260.0 2008.01.29 -

Ikarus T3.1.1.20 2008.01.29 Virus.Win32.Delf.HTI

Kaspersky 7.0.0.125 2008.01.29 -

McAfee 5217 2008.01.28 -

Microsoft 1.3109 2008.01.28 TrojanDownloader:Win32/Delf.HA

NOD32v2 2830 2008.01.29 a variant of Win32/TrojanDownloader.Delf.DSX

Norman 5.80.02 2008.01.28 -

Panda 9.0.0.4 2008.01.28 -

Prevx1 V2 2008.01.29 Generic.Rootkit

Rising 20.29.10.00 2008.01.29 -

Sophos 4.25.0 2008.01.29 -

Sunbelt 2.2.907.0 2008.01.29 -

Symantec 10 2008.01.29 -

TheHacker 6.2.9.201 2008.01.28 -

VBA32 3.12.2.5 2008.01.21 -

VirusBuster 4.3.26:9 2008.01.28 -

Webwasher-Gateway 6.6.2 2008.01.29 -

Övrig information

File size: 253952 bytes

MD5: dd2aab77bfeca055b342778d0c6af031

SHA1: 1155731b21816e69f8777458fc325ca3a458cd01

PEiD: -

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=C42B94F000751AC0E08D037816F87B002CFF8DC4

Fortfarande knas.

 

[Cecilia]

Det finns ingen C:\ComboFix.txt?

I så fall kör programmet igen på vanligt sätt.

 

[Tomping]

Filen som försöker få åtkomst till nätet heter perfs.exe

Bifogar combofix loggen!

ComboFix 08-01-28.2 - Hemmadatorn 2008-01-29 14:24:01.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1053.18.625 [GMT 1:00]

Running from: C:\Documents and Settings\Hemmadatorn\Skrivbord\ComboFix.exe

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))

.

 

2008-01-28 22:12 . 2008-01-28 22:12 <KAT> d-------- C:\WINDOWS\system32\xircom

2008-01-28 22:12 . 2008-01-28 22:12 <KAT> d-------- C:\Program\microsoft frontpage

2008-01-28 22:10 . 2008-01-28 22:10 <KAT> d-------- C:\WINDOWS\ERUNT

2008-01-27 19:24 . 2008-01-27 19:24 45,056 --a------ C:\WINDOWS\system32\Indt2.sys

2008-01-25 16:06 . 2008-01-25 16:06 <KAT> d-------- C:\Program\Trend Micro

2008-01-24 07:19 . 2008-01-24 07:19 32,256 --a------ C:\WINDOWS\system32\routing.exe

2008-01-22 17:16 . 2008-01-22 17:16 268 --ah----- C:\sqmdata00.sqm

2008-01-22 17:16 . 2008-01-22 17:16 244 --ah----- C:\sqmnoopt00.sqm

2008-01-17 17:11 . 2008-01-17 17:29 <KAT> d-------- C:\Documents and Settings\Hemmadatorn\Application Data\dvdcss

2008-01-16 17:34 . 2006-05-10 21:36 196,608 --a------ C:\WINDOWS\system32\UpdateDriver.exe

2008-01-16 17:34 . 2006-07-20 19:06 525 --a------ C:\WINDOWS\system32\ucuiinfo.ini

2008-01-14 21:37 . 2008-01-14 21:37 0 --a------ C:\WINDOWS\nsreg.dat

2008-01-13 11:01 . 2008-01-13 11:01 151 --a------ C:\WINDOWS\PhotoSnapViewer.INI

2008-01-13 10:10 . 2008-01-13 10:10 <KAT> d-------- C:\Program\MSXML 4.0

2008-01-12 18:46 . 2008-01-12 18:46 <KAT> d-------- C:\Program\VideoLAN

2008-01-12 13:05 . 2008-01-12 13:05 <KAT> d-------- C:\Documents and Settings\Hemmadatorn\Application Data\Teleca

2008-01-12 13:05 . 2007-04-23 15:54 108,680 -ra------ C:\WINDOWS\system32\drivers\s115mdm.sys

2008-01-12 13:05 . 2007-04-23 15:54 100,488 -ra------ C:\WINDOWS\system32\drivers\s115mgmt.sys

2008-01-12 13:05 . 2007-04-23 15:54 98,568 -ra------ C:\WINDOWS\system32\drivers\s115obex.sys

2008-01-12 13:05 . 2007-04-23 15:54 83,208 -ra------ C:\WINDOWS\system32\drivers\s115bus.sys

2008-01-12 13:05 . 2007-04-23 15:54 15,112 -ra------ C:\WINDOWS\system32\drivers\s115mdfl.sys

2008-01-12 13:05 . 2007-04-23 15:54 12,424 -ra------ C:\WINDOWS\system32\drivers\s115whnt.sys

2008-01-12 13:05 . 2007-04-23 15:54 12,424 -ra------ C:\WINDOWS\system32\drivers\s115wh.sys

2008-01-12 13:05 . 2007-04-23 15:54 12,424 -ra------ C:\WINDOWS\system32\drivers\s115cmnt.sys

2008-01-12 13:05 . 2007-04-23 15:54 12,424 -ra------ C:\WINDOWS\system32\drivers\s115cm.sys

2008-01-12 13:03 . 2008-01-12 13:03 <KAT> d-------- C:\WINDOWS\Downloaded Installations

2008-01-12 13:03 . 2008-01-12 13:03 <KAT> d-------- C:\Program\Sony Ericsson

2008-01-12 13:03 . 2008-01-12 13:04 <KAT> d-------- C:\Program\Delade filer\Teleca Shared

2008-01-12 13:03 . 2008-01-12 13:03 <KAT> d-------- C:\Program\Delade filer\Sony Ericsson Shared

2008-01-12 13:03 . 2008-01-12 13:03 <KAT> d-------- C:\Documents and Settings\Hemmadatorn\Application Data\Sony Ericsson

2008-01-12 13:01 . 2008-01-12 13:03 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Teleca

2008-01-12 13:01 . 2008-01-12 13:03 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson

2008-01-09 16:12 . 2008-01-09 16:12 253,952 --a------ C:\WINDOWS\system32\ndt2.sys

2008-01-07 06:23 . 2008-01-07 06:23 <KAT> d-------- C:\Documents and Settings\Hemmadatorn\Application Data\Lavasoft

2008-01-06 21:00 . 2008-01-12 21:32 <KAT> d-------- C:\Documents and Settings\Hemmadatorn\Application Data\vlc

2008-01-06 11:24 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl

2008-01-05 21:42 . 2008-01-13 17:02 <KAT> d-------- C:\Documents and Settings\Hemmadatorn\Contacts

2008-01-05 10:03 . 2008-01-05 10:03 40 --a------ C:\WINDOWS\system32\drmgs.sys

2008-01-04 19:50 . 2008-01-04 19:50 <KAT> d-------- C:\Program\Alcohol Soft

2008-01-04 19:47 . 2008-01-04 19:47 <KAT> d-------- C:\Program Files

2008-01-04 19:47 . 2008-01-04 19:47 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys

2008-01-03 21:12 . 2008-01-03 21:20 <KAT> d-------- C:\Program\MagicISO

2008-01-03 14:59 . 2008-01-09 07:25 <KAT> d-------- C:\Program\World of Warcraft

2008-01-03 14:59 . 2008-01-03 14:59 <KAT> d-------- C:\Program\Delade filer\Blizzard Entertainment

2008-01-03 14:39 . 2008-01-03 14:39 <KAT> d-------- C:\Documents and Settings\Hemmadatorn\Application Data\ATI

2008-01-03 14:39 . 2008-01-03 14:39 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\ATI

2008-01-03 14:35 . 2007-12-05 14:17 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe

2008-01-03 14:30 . 2008-01-03 14:30 10 --a------ C:\WINDOWS\WININIT.INI

2008-01-03 14:20 . 2008-01-03 14:20 <KAT> d-------- C:\Documents and Settings\Hemmadatorn\Application Data\TechSmith

2008-01-03 11:45 . 2008-01-03 11:45 <KAT> d-------- C:\Program\TechSmith

2008-01-03 11:45 . 2008-01-03 11:45 <KAT> d-------- C:\Program\Delade filer\Wise Installation Wizard

2008-01-03 11:45 . 2008-01-03 11:45 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\TechSmith

2008-01-03 08:12 . 2008-01-29 14:19 805 --a------ C:\rollback.ini

2008-01-03 08:03 . 2008-01-03 08:54 <KAT> d-------- C:\Documents and Settings\Hemmadatorn\Application Data\MailFrontier

2008-01-03 08:03 . 2008-01-29 14:24 4,293,664 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat

2008-01-03 08:03 . 2008-01-28 22:41 62,156 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx

2008-01-03 07:51 . 2008-01-03 08:34 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier

2008-01-03 07:51 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll

2008-01-03 06:59 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll

2008-01-03 06:59 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui

2008-01-03 06:36 . 2008-01-03 06:36 <KAT> d-------- C:\Program\ATI

2008-01-03 00:40 . 2008-01-03 00:40 <KAT> d-------- C:\Program\ULi5289

2008-01-03 00:40 . 2001-11-13 21:24 35,587 --a------ C:\WINDOWS\system32\rm5289.exe

2008-01-03 00:40 . 2006-03-09 22:02 24,415 --a------ C:\WINDOWS\system32\unM5289.exe

2008-01-03 00:38 . 2008-01-03 00:38 <KAT> d-------- C:\WINDOWS\RaidTool

2008-01-03 00:38 . 2008-01-03 00:38 <KAT> d-------- C:\RaidTool

2008-01-03 00:34 . 2007-11-26 11:16 72,704 --a------ C:\WINDOWS\system32\drivers\jraid.sys

2008-01-03 00:19 . 2008-01-26 22:03 116 --a------ C:\WINDOWS\NeroDigital.ini

2008-01-02 23:06 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe

2008-01-02 22:58 . 2007-07-09 14:11 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

2008-01-02 22:55 . 2008-01-09 05:21 <KAT> d--h----- C:\WINDOWS\$hf_mig$

2008-01-02 22:52 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll

2008-01-02 22:52 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui

2008-01-02 22:52 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui

2008-01-02 22:52 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui

2008-01-02 22:52 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui

2008-01-02 22:51 . 2008-01-02 22:51 <KAT> d---s---- C:\Documents and Settings\Hemmadatorn\UserData

2008-01-02 22:46 . 2008-01-02 22:46 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage

2008-01-02 22:23 . 2008-01-03 07:38 <KAT> d-------- C:\WINDOWS\CAVTemp

2008-01-02 22:23 . 2008-01-02 22:23 <KAT> d-------- C:\Program\Driver-Soft

2008-01-02 22:23 . 2004-03-09 16:45 662,288 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX

2008-01-02 22:23 . 2004-06-14 14:56 427,864 --a------ C:\WINDOWS\system32\XceedZip.dll

2008-01-02 21:42 . 2008-01-02 21:42 <KAT> d-------- C:\Program\uTorrent

2008-01-02 21:42 . 2008-01-27 10:35 <KAT> d-------- C:\Documents and Settings\Hemmadatorn\Application Data\uTorrent

2008-01-02 18:43 . 2008-01-02 18:43 <KAT> d-------- C:\Program\ULiRaid

2008-01-02 18:43 . 2005-07-04 14:21 52,480 --a------ C:\WINDOWS\system32\drivers\m5289.sys

2008-01-02 18:43 . 2005-07-15 15:09 29,696 --a------ C:\WINDOWS\system32\dev32.exe

2008-01-02 18:43 . 2005-12-28 03:32 9,621 --a------ C:\WINDOWS\system32\drivers\ulisata.cat

2008-01-02 17:45 . 2008-01-03 14:36 <KAT> d-------- C:\Program\ATI Technologies

2008-01-02 17:39 . 2008-01-02 17:39 <KAT> d-------- C:\WINDOWS\system32\LogFiles

2008-01-02 17:09 . 2004-08-04 01:34 75,264 --a------ C:\WINDOWS\system32\usbui.dll

2008-01-02 17:01 . 2008-01-28 19:05 450 --a------ C:\WINDOWS\system\C6501.ini

2008-01-02 17:00 . 2008-01-02 17:00 <KAT> d-------- C:\Program\C-Media 6501 Sound

2008-01-02 17:00 . 2006-08-08 09:18 5,713,920 --a------ C:\WINDOWS\system\c6501.cpl

2008-01-02 17:00 . 2006-07-11 07:05 1,419,776 --a------ C:\WINDOWS\system32\drivers\c6501.sys

2008-01-02 17:00 . 2001-11-23 05:08 712,704 --a------ C:\WINDOWS\system32\c6501a3d.dll

2008-01-02 17:00 . 2001-11-23 05:08 712,704 -ra------ C:\WINDOWS\system32\a3d.dll

2008-01-02 17:00 . 2006-06-30 07:05 262,144 -r------- C:\WINDOWS\Cmi6501Uninstall.exe

2008-01-02 17:00 . 2006-06-27 10:14 253,952 --a------ C:\WINDOWS\system32\c6501rm.exe

2008-01-02 17:00 . 2005-12-26 10:23 53,248 --a------ C:\WINDOWS\system32\c6501rm.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-25 18:59 --------- d-----w C:\Program\Java

2008-01-14 10:28 2,659,840 ----a-w C:\WINDOWS\Internet Logs\xDBD0.tmp

2008-01-12 20:32 --------- d-----w C:\Documents and Settings\Hemmadatorn\Application Data\vlc

2008-01-12 12:07 58,895 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2008_01_11_07_03_31_small.dmp.zip

2008-01-12 12:07 58,052 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2008_01_11_07_03_44_small.dmp.zip

2008-01-12 12:01 994,652 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip

2008-01-05 20:41 --------- d-----w C:\Program\MSN Messenger

2008-01-05 09:01 --------- d-----w C:\Program\Google

2008-01-04 18:44 --------- d-----w C:\Documents and Settings\Hemmadatorn\Application Data\Ahead

2008-01-03 13:28 --------- d--h--w C:\Program\InstallShield Installation Information

2008-01-03 05:33 --------- d-----w C:\Program\Delade filer\InstallShield

2008-01-02 15:59 --------- d-----w C:\Program\DIFX

2008-01-02 15:56 --------- d-----w C:\Documents and Settings\Hemmadatorn\Application Data\AdobeUM

2008-01-02 15:45 --------- d--h--w C:\Program\Uninstall Information

2008-01-02 15:37 --------- d-----w C:\Program\Microsoft.NET

2008-01-02 15:36 --------- d-----w C:\Program\Nero

2008-01-02 15:36 --------- d-----w C:\Program\Delade filer\Ahead

2008-01-02 15:35 --------- d-----w C:\Program\Lavasoft

2008-01-02 15:35 --------- d-----w C:\Program\Delade filer\Adobe

2008-01-02 15:17 --------- d-----w C:\Program\Delade filer\Java

2008-01-02 15:16 --------- d-----w C:\Program\Onlinetjänster

2008-01-02 15:15 --------- d-----w C:\Program\Delade filer\MSSoap

2008-01-02 14:59 --------- d-----w C:\Program\Delade filer\SpeechEngines

2008-01-02 14:59 --------- d-----w C:\Program\Delade filer\ODBC

2007-12-05 05:26 2,782,208 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys

2007-12-05 03:05 368,640 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll

2007-12-05 03:04 269,312 ----a-w C:\WINDOWS\system32\ati2dvag.dll

2007-12-05 02:56 147,456 ----a-w C:\WINDOWS\system32\atipdlxx.dll

2007-12-05 02:55 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll

2007-12-05 02:55 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe

2007-12-05 02:55 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll

2007-12-05 02:55 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll

2007-12-05 02:54 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll

2007-12-05 02:53 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL

2007-12-05 02:53 495,616 ----a-w C:\WINDOWS\system32\ati2evxx.exe

2007-12-05 02:48 9,535,488 ----a-w C:\WINDOWS\system32\atioglx2.dll

2007-12-05 02:44 3,175,584 ----a-w C:\WINDOWS\system32\ati3duag.dll

2007-12-05 02:33 1,640,192 ----a-w C:\WINDOWS\system32\ativvaxx.dll

2007-12-05 02:19 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll

2007-12-05 02:19 385,024 ----a-w C:\WINDOWS\system32\atikvmag.dll

2007-12-05 02:17 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll

2007-12-05 02:16 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll

2007-12-05 02:14 180,224 ----a-w C:\WINDOWS\system32\atiok3x2.dll

2007-12-05 02:11 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll

2007-11-14 15:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe

2007-11-07 09:29 722,432 ----a-w C:\WINDOWS\system32\lsasrv.dll

2007-10-29 22:45 1,289,728 ----a-w C:\WINDOWS\system32\quartz.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries &amp legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

'AlcoholAutomount'='C:\Program\Alcohol Soft\Alcohol 120\axcmd.exe' [2007-12-22 08:23 221568]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

'NeroFilterCheck'='C:\Program\Delade filer\Ahead\Lib\NeroCheck.exe' [2006-01-12 15:40 155648]

'C6501Sound'='c6501.cpl' []

'JMB36X IDE Setup'='C:\WINDOWS\RaidTool\xInsIDE.exe' [2007-03-20 14:36 36864]

'ZoneAlarm Client'='C:\Program\Zone Labs\ZoneAlarm\zlclient.exe' [2007-11-14 16:05 919016]

'StartCCC'='C:\Program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe' [2006-11-10 12:35 90112]

'Ad-Aware'='C:\Program\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe' [2005-05-27 14:24 865280]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

'MsnMsgr'='C:\Program\MSN Messenger\MsnMsgr.exe' [2007-01-19 12:55 5674352]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

'nlsf'='cmd.exe' [2006-03-18 18:24 390656 C:\WINDOWS\system32\cmd.exe]

'tscuninstall'='C:\WINDOWS\system32\tscupgrd.exe' [2006-03-18 18:24 44544]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]

--a------ 2007-10-04 18:38 307200 C:\Program\ATI\ATICustomerCare\ATICustomerCare.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

--a------ 2007-01-19 12:55 5674352 C:\Program\MSN Messenger\msnmsgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

C:\Program\Steam\Steam.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ULiRaid5289]

--a------ 2005-06-07 15:16 409600 C:\Program\ULI5289\ULi5289.exe

 

R0 jahcijahciC:\WINDOWS\system32\DRIVERS\JAHCI.sys [2005-10-25 04:35]

R0 m5289m5289C:\WINDOWS\system32\DRIVERS\m5289.sys [2005-07-04 14:21]

R0 uliagpkxULi AGP Bus Filter DriverC:\WINDOWS\system32\DRIVERS\agpkx.sys [2005-05-03 17:31]

R2 perfmonsperfmons ServiceC:\WINDOWS\system32\perfs.exe [2006-03-18 18:24]

R2 RoutingRouting ServiceC:\WINDOWS\system32\routing.exe [2008-01-24 07:19]

R3 cm102u32C-Media CM6501 Like Sound InterfaceC:\WINDOWS\system32\drivers\c6501.sys [2006-07-11 07:05]

R3 ULI5261XPULi M526X Ethernet NT DriverC:\WINDOWS\system32\DRIVERS\ULILAN51.SYS [2005-03-22 20:36]

S3 s115busSony Ericsson Device 115 driver (WDM)C:\WINDOWS\system32\DRIVERS\s115bus.sys [2007-04-23 15:54]

S3 s115mdflSony Ericsson Device 115 USB WMC Modem FilterC:\WINDOWS\system32\DRIVERS\s115mdfl.sys [2007-04-23 15:54]

S3 s115mdmSony Ericsson Device 115 USB WMC Modem DriverC:\WINDOWS\system32\DRIVERS\s115mdm.sys [2007-04-23 15:54]

S3 s115mgmtSony Ericsson Device 115 USB WMC Device Management Drivers (WDM)C:\WINDOWS\system32\DRIVERS\s115mgmt.sys [2007-04-23 15:54]

S3 s115obexSony Ericsson Device 115 USB WMC OBEX InterfaceC:\WINDOWS\system32\DRIVERS\s115obex.sys [2007-04-23 15:54]

S3 StreamSurgeStreamSurge DriverC:\WINDOWS\system32\DRIVERS\ss.sys []

 

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-29 14:24:47

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_DLLs = ?IKI.DLL

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-01-29 14:25:08

ComboFix-quarantined-files.txt 2008-01-29 13:25:05

ComboFix2.txt 2008-01-28 21:25:24

ComboFix3.txt 2008-01-28 18:08:32

.

2008-01-21 14:59:41 --- E O F ---

 

Be happy!

 

[Cecilia]

Jo, perfs.exe var en av filerna som jag hoppades att ComboFix skulle kunna ta bort förut, men det gick ju inte.

 

Start - Program - Tillbehör - Kommandotolken

Skriv in (kopiera) följande rader:

sc stop perfmons

sc stop Routing

sc delete perfmons

sc delete Routing

 

Försök sedan igen med denna CFScript-fil:

[KOD]

File::

C:\WINDOWS\system32\Indt2.sys

C:\WINDOWS\system32\ndt2.sys

C:\WINDOWS\system32\routing.exe

C:\WINDOWS\system32\perfs.exe

C:\WINDOWS\system32\IKI.DLL

C:\WINDOWS\system32\comsa32.sys

[/KOD]

Dra CFScript med musen och släpp den ovanpå ComboFix-ikonen på Skrivbordet.

 

Om det fortfarande inte går så starta om datorn i felsäkert läge (tryck F8 upprepade gånger under uppstarten och välj felsäkert läge i menyn) och se om det går bättre.

 

[Tomping]

klistrar in resultat från komandotolkenMicrosoft Windows XP [Version 5.1.2600]

© Copyright 1985-2001 Microsoft Corporation

 

C:\Documents and Settings\Hemmadatorn>sc stop perfmons

 

SERVICE_NAME: perfmons

TYPE : 10 WIN32_OWN_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

 

C:\Documents and Settings\Hemmadatorn>sc stop Routing

 

SERVICE_NAME: Routing

TYPE : 10 WIN32_OWN_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

 

C:\Documents and Settings\Hemmadatorn>sc delete perfmons

[sC] DeleteService SUCCESS

 

C:\Documents and Settings\Hemmadatorn>sc delete Routing

[sC] DeleteService SUCCESS

 

C:\Documents and Settings\Hemmadatorn>

Be happy!

 

[Cecilia]

Det var ju bra att det gick att 'deleta' dem. Då får vi se om det går bättre med ComboFix nu.

 

[Tomping]

Nä det fungerar inte i felsäkert läge!

jag berättar vad som händer. jag drar filen till combofix, en ruta kommer upp och frågar om om jag vill köra combofix. Jag väljer kör.... combofix går igång jag ser att 'dospromtern' blinkar till sedan händer inget mer? det är inget löjligt som att det ska stå med små bokstäver eller att cfscript är felstavat?

/Tomping

 

Be happy!

 

[Cecilia]

Jag tror inte det. Ladda ner Avenger på Skrivbordet och packa upp filen där:

http://swandog46.geekstogo.com/avenger.zip

Kopiera in följande i Anteckningar:

[KOD]

Drivers to unload:

RoutingRouting

perfmonsperfmons

 

Files to delete:

C:\WINDOWS\system32\Indt2.sys

C:\WINDOWS\system32\ndt2.sys

C:\WINDOWS\system32\routing.exe

C:\WINDOWS\system32\perfs.exe

C:\WINDOWS\system32\IKI.DLL

C:\WINDOWS\system32\comsa32.sys

[/KOD]

 

Starta Avenger

Bocka i 'Input Script Manually'

Klicka på förstoringsglaset och i 'View/edit script' så klistrar du in texten som finns i Anteckningar.

Klicka på Done

Klicka på det gröna ljuset och svara Ja på frågorna.

Datorn startar nu om (kanske två gånger).

Ett DOS-fönster ska komma fram och sedan ska loggen komma upp.

Klistra in den här.

 

[Tomping]

Hej!när datorn startade om så hittade zonealarm Trojan-clicker.win32.vb.aai Path C\Avenger\lndt2.sys var det bra?

 

Bifogar loggen

 

 

Logfile of The Avenger version 1, by Swandog46

Running from registry key:

\Registry\Machine\System\CurrentControlSet\Services\iqtwonq^

 

*******************

 

Script file located at: \??\C:\Documents and Settings\lfkdfvoe.txt

Script file opened successfully.

 

Script file read successfully

 

Backups directory opened successfully at C:\Avenger

 

*******************

 

Beginning to process script file:

 

 

 

Registry key \Registry\Machine\System\CurrentControlSet\Services\RoutingRouting not found!

Unload of driver RoutingRouting failed!

 

Could not process line:

RoutingRouting

Status: 0xc0000034

 

 

 

Registry key \Registry\Machine\System\CurrentControlSet\Services\perfmonsperfmons not found!

Unload of driver perfmonsperfmons failed!

 

Could not process line:

perfmonsperfmons

Status: 0xc0000034

 

File C:\WINDOWS\system32\Indt2.sys deleted successfully.

File C:\WINDOWS\system32\ndt2.sys deleted successfully.

File C:\WINDOWS\system32\routing.exe deleted successfully.

File C:\WINDOWS\system32\perfs.exe deleted successfully.

 

 

File C:\WINDOWS\system32\IKI.DLL not found!

Deletion of file C:\WINDOWS\system32\IKI.DLL failed!

 

Could not process line:

C:\WINDOWS\system32\IKI.DLL

Status: 0xc0000034

 

File C:\WINDOWS\system32\comsa32.sys deleted successfully.

 

Completed script processing.

 

*******************

 

Finished! Terminate.

Be happy!