Vundo

27 november, 2010

Det ser bra ut när det gäller wvtsts.dll

Det är en del kvar när det gäller Firefox och dåliga tillägg. Jag återkommer om det om några timmar för nu är det film som gäller.

27 november, 2010

Cecilia !

Du är väl en pärla...

Ha en härlig helg nu !

/Kalle

27 november, 2010

Tack för alla poäng!

Kopiera alla rader i rutan:

DDS::
FF - ProfilePath - c:\documents and settings\Karl-Erik Karlsson\Application Data\Mozilla\Firefox\Profiles\cg3qn3z1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2088752&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - ToggleSW Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2088752&SearchSource=13

och klistra in i Anteckningar. Kontrollera att det ser exakt likadant ut, t ex när det gäller radbrytningar.

Spara filen på Skrivbordet med namnet CFScript.

Förbered datorn på samma sätt som tidigare för ComboFix.

Dra CFScript med musen och släpp den ovanpå ComboFix-ikonen på Skrivbordet så startar programmet på ett särskilt sätt.

Klistra in loggen som kommer ut och en ny DDS-logg.

28 november, 2010

God förmiddag denna snörika söndag !

Inga meddelanden poppar längre upp på skärmen, om missade försök att hitta hem. Tänka sig - jag saknar dem inte alls !

Först en DDS-logg (bifogar också Attach.txt !):

[log]DDS (Ver_10-11-10.01) - NTFSx86

Run by Karl-Erik Karlsson at 11:21:01,70 on 2010-11-28

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.46.1053.18.3063.2425 [GMT 1:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program\No-IP\DUC20.exe

C:\Program\DynDNS Updater\DynTray.exe

C:\Program\Apache2.2\bin\ApacheMonitor.exe

svchost.exe

C:\Program\Apache2.2\bin\httpd.exe

C:\Program\Diskeeper Corporation\Diskeeper\DkService.exe

C:\Program\DynDNS Updater\DynUpSvc.exe

C:\Program\FileZilla Server\FileZilla Server.exe

C:\Program\Apache2.2\bin\httpd.exe

C:\Program\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program\internet explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Karl-Erik Karlsson\Skrivbord\TrojanJakt\dds.scr

============== Pseudo HJT Report ===============

uURLSearchHooks: H - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program\delade filer\adobe\acrobat\activex\AcroIEHelper.dll

BHO: {5c8b2a36-3db1-42a4-a3cb-d426709bbfeb} - PCTools Site Guard

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program\norton internet security\engine\17.8.0.5\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program\norton internet security\engine\17.8.0.5\IPSBHO.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program\java\jre6\bin\jp2ssv.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program\yahoo!\companion\installs\cpn\yt.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program\norton internet security\engine\17.8.0.5\coIEPlg.dll

TB: TerraTec Home Cinema: {ad6e6555-fb2c-47d4-8339-3e2965509877} - c:\program\terratec\terrat~1\THCDES~1.DLL

uRun: [Remote Control Editor] "c:\program\delade filer\terratec\remote\TTTVRC.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [Adobe Reader Speed Launcher] "c:\program\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program\delade filer\adobe\arm\1.0\AdobeARM.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\duc20e~1.lnk - c:\program\no-ip\DUC20.exe

StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\dyndns~1.lnk - c:\program\dyndns updater\DynTray.exe

StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\monito~1.lnk - c:\program\apache2.2\bin\ApacheMonitor.exe

StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\start.lnk - c:\program\apache2.2\bin\httpd.exe

IE: E&xportera till Microsoft Excel - d:\program\micros~1\office10\EXCEL.EXE/3000

IE: {4B30061A-5B39-11D3-80F8-0090276F843F} - c:\program files\net2phone\Net2fone.exe

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program\messenger\msmsgs.exe

LSP: c:\program\delade filer\pc tools\lsp\PCTLsp.dll

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by109fd.bay109.hotmail.msn.com/resources/MsnPUpld.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094970742420

DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1209494601406

DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://82.51.236.211//activex/AMC.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\karl-e~1\applic~1\mozilla\firefox\profiles\cg3qn3z1.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2088752&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - ToggleSW Customized Web Search

FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2088752&SearchSource=13

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\coffplgn\components\coFFPlgn.dll

FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\ipsffplgn\components\IPSFFPl.dll

FF - component: c:\documents and settings\karl-erik karlsson\application data\mozilla\firefox\profiles\cg3qn3z1.default\extensions\{6dabbda0-1da5-4a2f-bc89-2ae084c572fa}\components\FFExternalAlert.dll

FF - component: c:\documents and settings\karl-erik karlsson\application data\mozilla\firefox\profiles\cg3qn3z1.default\extensions\{6dabbda0-1da5-4a2f-bc89-2ae084c572fa}\components\RadioWMPCore.dll

---- FIREFOX POLICIES ----

c:\program\mozilla firefox\greprefs\all.js - pref("browser.visited_color", "#551A8B");

c:\program\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional

c:\program\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified

c:\program\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

c:\program\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

c:\program\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

c:\program\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

c:\program\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional

c:\program\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

c:\program\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");

c:\program\mozilla firefox\defaults\pref\firefox.js - pref("browser.videoFeeds.handler", "ask");

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-11-25 237632]

R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2010-11-25 338880]

R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2010-11-25 656320]

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1108000.005\symds.sys [2010-9-21 328752]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1108000.005\symefa.sys [2010-9-21 173104]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\bashdefs\20101104.001\BHDrvx86.sys [2010-11-4 691248]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1108000.005\cchpx86.sys [2010-9-21 501888]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1108000.005\ironx86.sys [2010-9-21 116784]

R2 Apache2.2;Apache2.2;c:\program\apache2.2\bin\httpd.exe [2008-1-17 24635]

R2 DynDNS Updater;DynDNS Updater;c:\program\dyndns updater\DynUpSvc.exe [2008-4-8 61440]

R2 NIS;Norton Internet Security;c:\program\norton internet security\engine\17.8.0.5\ccsvchst.exe [2010-9-21 126392]

R3 Cinergy_HT_PCI_MKII;Cinergy HT PCI (MKII) service;c:\windows\system32\drivers\Cinergy_HT_PCI_MKII.sys [2010-6-15 221184]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program\delade filer\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-27 102448]

R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\ipsdefs\20101124.002\IDSXpx86.sys [2010-10-19 341880]

R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20101127.002\NAVENG.SYS [2010-11-27 86064]

R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20101127.002\NAVEX15.SYS [2010-11-27 1371184]

S2 ATTSCAP;AVerMedia, WDM MPEG-2 TS Capture (DVBT);c:\windows\system32\drivers\attscap.sys [2004-9-23 18048]

S2 ATVCAP;AVerMedia, DVB-T WDM Video Capture;c:\windows\system32\drivers\atvcap.sys [2004-9-23 56320]

S2 ATXBAR;AVerMedia, DVB-T WDM Crossbar;c:\windows\system32\drivers\atxbar.sys [2004-9-23 8576]

S2 TTDec;ATI WDM Teletext Decoder;c:\windows\system32\drivers\atinttxx.sys [2004-9-8 20960]

S2 WebDriveFSD;WebDrive File System Driver;\??\e:\fpt\netdrive\rffsd.sys --> e:\fpt\netdrive\rffsd.sys [?]

S3 3xHybrid;Philips SAA713x PCI Card;c:\windows\system32\drivers\3xHybrid.sys [2010-6-9 554112]

S3 Atkcfg;Cordless Device Configuration;c:\windows\system32\drivers\atkcfg.sys [2006-7-7 46592]

S3 Gig5gu;Cordless Internet Access;c:\windows\system32\drivers\gig5gu.sys [2006-7-7 55680]

S3 Gigsrf;Cordless Device Line Access;c:\windows\system32\drivers\gigsrf.sys [2006-7-7 94592]

S3 Gigtnc;Cordless PC Control;c:\windows\system32\drivers\gigtnc.sys [2006-7-7 45440]

S3 glidehid;GlidePoint HID Touchpad Minidriver;c:\windows\system32\drivers\glidehid.sys [2005-9-30 33920]

S3 glideps2;GlidePoint PS/2 Touchpad Filter;c:\windows\system32\drivers\glideps2.sys [2005-9-30 12672]

S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\manycam.sys --> c:\windows\system32\drivers\ManyCam.sys [?]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program\pc tools security\pctsAuxs.exe [2010-11-25 366840]

S3 sdCoreService;PC Tools Security Service;c:\program\pc tools security\pctsSvc.exe [2010-11-25 1145304]

S3 siellif;siellif;c:\windows\system32\drivers\siellif.sys [2005-3-1 113408]

S3 Sieupapp;Cordless Device Update;c:\windows\system32\drivers\sieupapp.sys [2006-7-7 32128]

S3 Sieupdfu;Cordless Device in update mode;c:\windows\system32\drivers\sieupdfu.sys [2006-7-7 32000]

S3 TodosAgmII;Driver for Todos Argosmini II USB;c:\windows\system32\drivers\AgmIIusb.sys [2004-11-23 22016]

S3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\drivers\vmuvc.sys --> c:\windows\system32\drivers\VMUVC.sys [?]

S3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftuvc.sys --> c:\windows\system32\drivers\vvftUVC.sys [?]

S4 RFNP32;WebDrive Provider; [x]

=============== Created Last 30 ================

2010-11-26 18:16:13 -------- d-----w- c:\documents and settings\karl-erik karlsson\DoctorWeb

2010-11-26 17:58:16 52552760 ----a-w- C:\cureit.exe

2010-11-25 18:39:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools

2010-11-24 19:58:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-24 19:58:23 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-24 19:58:23 -------- d-----w- c:\program\Malwarebytes' Anti-Malware

2010-11-24 17:59:52 -------- d-sha-r- C:\cmdcons

2010-11-24 17:57:28 98816 ----a-w- c:\windows\sed.exe

2010-11-24 17:57:28 89088 ----a-w- c:\windows\MBR.exe

2010-11-24 17:57:28 256512 ----a-w- c:\windows\PEV.exe

2010-11-24 17:57:28 161792 ----a-w- c:\windows\SWREG.exe

2010-11-24 09:55:54 -------- d-----w- c:\docume~1\karl-e~1\applic~1\Malwarebytes

2010-11-24 09:55:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-11-23 16:54:47 -------- d-----w- C:\VundoFix Backups

2010-11-22 17:16:41 -------- d-----w- c:\docume~1\karl-e~1\lokala~1\applic~1\ToggleSW

2010-11-22 17:16:38 -------- d-----w- c:\docume~1\karl-e~1\lokala~1\applic~1\ConduitEngine

2010-11-22 17:16:34 -------- d-----w- c:\program\ConduitEngine

2010-11-22 17:16:28 -------- d-----w- c:\program\ToggleSW

2010-11-22 17:16:28 -------- d-----w- c:\docume~1\karl-e~1\lokala~1\applic~1\Temp

2010-11-22 17:15:51 25048 ----a-w- c:\program\mozilla firefox\components\browserdirprovider.dll

2010-11-22 17:15:51 140248 ----a-w- c:\program\mozilla firefox\components\brwsrcmp.dll

2010-11-22 17:15:50 719832 ----a-w- c:\program\mozilla firefox\mozcpp19.dll

2010-11-22 17:15:50 16856 ----a-w- c:\program\mozilla firefox\plugin-container.exe

==================== Find3M ====================

2010-09-18 10:23:44 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53:42 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53:42 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53:42 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:52:34 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:52:30 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:52:30 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-01 11:52:44 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-09-01 07:57:46 1852800 ----a-w- c:\windows\system32\win32k.sys

2008-05-15 12:21:16 1233306 ----a-w- c:\program\wrar371sw.exe

============= FINISH: 11:21:43,65 ===============

[/log]

Har kört ComboFix enligt anvisningar och har denna logg att redovisa.:

[log]ComboFix 10-11-23.05 - Karl-Erik Karlsson 2010-11-28 9:48.8.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.46.1053.18.3063.2433 [GMT 1:00]

Körs från: c:\documents and settings\Karl-Erik Karlsson\Skrivbord\ComboFix.exe

Använda kommandoväxlar :: c:\documents and settings\Karl-Erik Karlsson\Skrivbord\CFScript

AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

* Skapade en ny återställningspunkt

.

(((((((((((((((((((((((( Filer Skapade från 2010-10-28 till 2010-11-28 ))))))))))))))))))))))))))))))

.

2010-11-26 18:16 . 2010-11-26 18:20 -------- d-----w- c:\documents and settings\Karl-Erik Karlsson\DoctorWeb

2010-11-26 17:58 . 2010-11-26 17:58 52552760 ----a-w- C:\cureit.exe

2010-11-24 19:58 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-24 19:58 . 2010-11-27 19:03 -------- d-----w- c:\program\Malwarebytes' Anti-Malware

2010-11-24 19:58 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-24 12:46 . 2010-11-24 12:46 -------- d-sh--w- c:\documents and settings\Administratör\IETldCache

2010-11-24 09:55 . 2010-11-24 09:55 -------- d-----w- c:\documents and settings\Karl-Erik Karlsson\Application Data\Malwarebytes

2010-11-24 09:55 . 2010-11-24 09:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-11-23 16:54 . 2010-11-23 16:54 -------- d-----w- C:\VundoFix Backups

2010-11-22 17:16 . 2010-11-22 18:21 -------- d-----w- c:\documents and settings\Karl-Erik Karlsson\Lokala inställningar\Application Data\ToggleSW

2010-11-22 17:16 . 2010-11-22 18:21 -------- d-----w- c:\documents and settings\Karl-Erik Karlsson\Lokala inställningar\Application Data\ConduitEngine

2010-11-22 17:16 . 2010-11-26 14:46 -------- d-----w- c:\program\ConduitEngine

2010-11-22 17:16 . 2010-11-26 14:46 -------- d-----w- c:\program\ToggleSW

2010-11-22 17:16 . 2010-11-22 17:16 -------- d-----w- c:\documents and settings\Karl-Erik Karlsson\Lokala inställningar\Application Data\Temp

2010-11-22 17:15 . 2010-10-27 06:23 25048 ----a-w- c:\program\Mozilla Firefox\components\browserdirprovider.dll

2010-11-22 17:15 . 2010-10-27 06:23 140248 ----a-w- c:\program\Mozilla Firefox\components\brwsrcmp.dll

2010-11-22 17:15 . 2010-10-27 06:23 719832 ----a-w- c:\program\Mozilla Firefox\mozcpp19.dll

2010-11-22 17:15 . 2010-10-27 06:23 16856 ----a-w- c:\program\Mozilla Firefox\plugin-container.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-18 10:23 . 2001-09-28 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2001-09-28 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2001-09-28 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2001-09-28 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:52 . 2006-06-23 11:30 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:52 . 2002-09-09 12:08 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-10 05:52 . 2002-09-09 12:07 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-01 11:52 . 2001-09-28 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-09-01 07:57 . 2002-09-09 11:44 1852800 ----a-w- c:\windows\system32\win32k.sys

2008-05-15 12:21 . 2008-05-15 12:21 1233306 ----a-w- c:\program\wrar371sw.exe

.

(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))

.

*Not* Tomma poster & legitima standardposter visas inte.

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Remote Control Editor"="c:\program\Delade filer\TerraTec\Remote\TTTVRC.exe" [2009-09-22 1528320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Adobe Reader Speed Launcher"="c:\program\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]

"Adobe ARM"="c:\program\Delade filer\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start-meny\Program\Autostart\

DUC20.exe.lnk - c:\program\No-IP\DUC20.exe [2008-4-19 1172992]

DynDNS Updater Tray Icon.lnk - c:\program\DynDNS Updater\DynTray.exe [2008-4-8 65536]

Monitor Apache Servers.lnk - c:\program\Apache2.2\bin\ApacheMonitor.exe [2008-1-17 41041]

Start.lnk - c:\program\Apache2.2\bin\httpd.exe [2008-1-17 24635]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Norton Internet Security"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program\\uTorrent\\uTorrent.exe"=

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program\\TerraTec\\TerraTec Home Cinema\\tvtvSetup\\tvtv_Wizard.exe"=

"c:\\Program\\TerraTec\\TerraTec Home Cinema\\CinergyDvr.exe"=

"c:\\Program\\TerraTec\\TerraTec Home Cinema\\VersionCheck\\VersionCheck.exe"=

"c:\\Program\\TerraTec\\TerraTec Home Cinema\\InstTool.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"86:TCP"= 86:TCP:BroadCam Video Streaming Server Web Server

"4100:UDP"= 4100:UDP:uPNP Router Control Port

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-11-25 237632]

R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2010-11-25 338880]

R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2010-11-25 656320]

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1108000.005\symds.sys [2010-09-21 328752]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1108000.005\symefa.sys [2010-09-21 173104]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20101104.001\BHDrvx86.sys [2010-11-04 691248]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1108000.005\cchpx86.sys [2010-09-21 501888]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1108000.005\ironx86.sys [2010-09-21 116784]

R2 Apache2.2;Apache2.2;c:\program\Apache2.2\bin\httpd.exe [2008-01-17 24635]

R2 NIS;Norton Internet Security;c:\program\Norton Internet Security\Engine\17.8.0.5\ccsvchst.exe [2010-09-21 126392]

R3 Cinergy_HT_PCI_MKII;Cinergy HT PCI (MKII) service;c:\windows\system32\drivers\Cinergy_HT_PCI_MKII.sys [2010-06-15 221184]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program\Delade filer\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-27 102448]

R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20101124.002\IDSXpx86.sys [2010-10-19 341880]

S2 ATTSCAP;AVerMedia, WDM MPEG-2 TS Capture (DVBT);c:\windows\system32\drivers\attscap.sys [2004-09-23 18048]

S2 ATVCAP;AVerMedia, DVB-T WDM Video Capture;c:\windows\system32\drivers\atvcap.sys [2004-09-23 56320]

S2 ATXBAR;AVerMedia, DVB-T WDM Crossbar;c:\windows\system32\drivers\atxbar.sys [2004-09-23 8576]

S2 DynDNS Updater;DynDNS Updater;c:\program\DynDNS Updater\DynUpSvc.exe [2008-04-08 61440]

S2 TTDec;ATI WDM Teletext Decoder;c:\windows\system32\drivers\atinttxx.sys [2004-09-08 20960]

S2 WebDriveFSD;WebDrive File System Driver;\??\e:\fpt\NetDrive\rffsd.sys --> e:\fpt\NetDrive\rffsd.sys [?]

S3 3xHybrid;Philips SAA713x PCI Card;c:\windows\system32\drivers\3xHybrid.sys [2010-06-09 554112]

S3 Atkcfg;Cordless Device Configuration;c:\windows\system32\drivers\atkcfg.sys [2006-07-07 46592]

S3 Gig5gu;Cordless Internet Access;c:\windows\system32\drivers\gig5gu.sys [2006-07-07 55680]

S3 Gigsrf;Cordless Device Line Access;c:\windows\system32\drivers\gigsrf.sys [2006-07-07 94592]

S3 Gigtnc;Cordless PC Control;c:\windows\system32\drivers\gigtnc.sys [2006-07-07 45440]

S3 glidehid;GlidePoint HID Touchpad Minidriver;c:\windows\system32\drivers\glidehid.sys [2005-09-30 33920]

S3 glideps2;GlidePoint PS/2 Touchpad Filter;c:\windows\system32\drivers\glideps2.sys [2005-09-30 12672]

S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys --> c:\windows\system32\DRIVERS\ManyCam.sys [?]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program\PC Tools Security\pctsAuxs.exe [2010-11-25 366840]

S3 siellif;siellif;c:\windows\system32\drivers\siellif.sys [2005-03-01 113408]

S3 Sieupapp;Cordless Device Update;c:\windows\system32\drivers\sieupapp.sys [2006-07-07 32128]

S3 Sieupdfu;Cordless Device in update mode;c:\windows\system32\drivers\sieupdfu.sys [2006-07-07 32000]

S3 TodosAgmII;Driver for Todos Argosmini II USB;c:\windows\system32\drivers\AgmIIusb.sys [2004-11-23 22016]

S3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\Drivers\VMUVC.sys --> c:\windows\system32\Drivers\VMUVC.sys [?]

S3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftUVC.sys --> c:\windows\system32\drivers\vvftUVC.sys [?]

S4 RFNP32;WebDrive Provider; [x]

.

Innehållet i mappen 'Schemalagda aktiviteter':

2010-11-28 c:\windows\Tasks\TipsScanna.job

- d:\wwwroot\Kalle\Tipset\TipsScanna.exe [2008-07-31 14:32]

.

------- Extra genomsökning -------

.

IE: E&xportera till Microsoft Excel - d:\program\MICROS~1\Office10\EXCEL.EXE/3000

LSP: c:\program\Delade filer\PC Tools\Lsp\PCTLsp.dll

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Karl-Erik Karlsson\Application Data\Mozilla\Firefox\Profiles\cg3qn3z1.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2088752&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - ToggleSW Customized Web Search

FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2088752&SearchSource=13

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\components\coFFPlgn.dll

FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll

FF - component: c:\documents and settings\Karl-Erik Karlsson\Application Data\Mozilla\Firefox\Profiles\cg3qn3z1.default\extensions\{6dabbda0-1da5-4a2f-bc89-2ae084c572fa}\components\FFExternalAlert.dll

FF - component: c:\documents and settings\Karl-Erik Karlsson\Application Data\Mozilla\Firefox\Profiles\cg3qn3z1.default\extensions\{6dabbda0-1da5-4a2f-bc89-2ae084c572fa}\components\RadioWMPCore.dll

---- FIREFOX POLICY ----

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional

c:\program\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

c:\program\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");

c:\program\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-28 09:54

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NIS]

"ImagePath"="\"c:\program\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program\Norton Internet Security\Engine\17.8.0.5\diMaster.dll\" /prefetch:1"

.

--------------------- LÅSTA REGISTERNYCKLAR ---------------------

[HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLer som "laddats" under processer som körs ---------------------

- - - - - - - > 'winlogon.exe'(436)

c:\windows\system32\RFNP32.DLL

c:\windows\system32\RFHelper.dll

c:\windows\system32\rfhres.dll

- - - - - - - > 'lsass.exe'(492)

c:\program\Delade filer\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(576)

c:\windows\system32\webcheck.dll

c:\program\Delade filer\PC Tools\Lsp\PCTLsp.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Sluttid: 2010-11-28 09:57:18

ComboFix-quarantined-files.txt 2010-11-28 08:57

ComboFix2.txt 2010-11-27 20:13

ComboFix3.txt 2010-11-26 21:02

ComboFix4.txt 2010-11-26 14:56

ComboFix5.txt 2010-11-28 08:46

Före genomsökningen: 65 679 519 744 byte ledigt

Efter genomsökningen: 65 675 321 344 byte ledigt

- - End Of File - - 22C541C33AFBF776B20BD0FA075D2FC8

[/log]

Intressant vad den nu kan förmedla !

/Kalle

Attach.txt

28 november, 2010

God middag och trevlig första advent!

Kopiera alla rader i rutan:

Killall::
DDS::
2010-11-22 17:16:41 -------- d-----w- c:\docume~1\karl-e~1\lokala~1\applic~1\ToggleSW
2010-11-22 17:16:38 -------- d-----w- c:\docume~1\karl-e~1\lokala~1\applic~1\ConduitEngine
2010-11-22 17:16:34 -------- d-----w- c:\program\ConduitEngine
2010-11-22 17:16:28 -------- d-----w- c:\program\ToggleSW
FF - ProfilePath - c:\docume~1\karl-e~1\applic~1\mozilla\firefox\profiles\cg3qn3z1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2088752&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - ToggleSW Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2088752&SearchSource=13

och klistra in i Anteckningar. Kontrollera att det ser exakt likadant ut, t ex när det gäller radbrytningar.

Spara filen på Skrivbordet med namnet CFScript.

Förbered datorn på samma sätt som tidigare för ComboFix.

Dra CFScript med musen och släpp den ovanpå ComboFix-ikonen på Skrivbordet så startar programmet på ett särskilt sätt.

Klistra in loggen som kommer ut.

28 november, 2010

Efter senaste körningen, kunde t o m jag konstatera att t ex de program som vi inledningsvis diskuterade, nu är borta (ToggleSW, ConduitEngine).

Men här kommer loggen:

[log]ComboFix 10-11-23.05 - Karl-Erik Karlsson 2010-11-28 12:09:38.9.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.46.1053.18.3063.2460 [GMT 1:00]