TechSpot

System Check virus, a lot of problems

Inactive
By MjuTaS
Feb 8, 2012
  1. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    there is no * before disk 0
     
  2. Broni

    Broni Malware Annihilator Posts: 47,668   +267

    Go ahead.....
     
  3. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    Disk 0 online 465 GB 1024 kb
     
  4. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    Startup repair fixed it; I'm gonna send you the logs you wanted.
     
  5. Broni

    Broni Malware Annihilator Posts: 47,668   +267

    Woohoo! :)
     
  6. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    Now Google is working for me again, no redirection =)

    ListParts by Farbar
    Ran by Simon on 10-02-2012 at 23:33:23
    Windows 7 (X86)
    Running From: C:\Users\Simon\Desktop
    Language: 0409
    ************************************************************

    ========================= Memory info ======================

    Percentage of memory in use: 22%
    Total physical RAM: 3327.18 MB
    Available physical RAM: 2583.12 MB
    Total Pagefile: 6652.64 MB
    Available Pagefile: 5815.63 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1954.29 MB

    ======================= Partitions =========================

    1 Drive c: (System) (Fixed) (Total:78.03 GB) (Free:30.99 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]
    2 Drive d: (Backup) (Fixed) (Total:387.63 GB) (Free:148.05 GB) NTFS
    3 Drive e: (Reparationsskiva för Windows 7, ) (CDROM) (Total:0.14 GB) (Free:0 GB) UDF

    Disk nr Status Storlek Ledigt Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk nr 0 Online 465 G B 1024 K B

    DiskPart avslutas...

    Partitions of Disk Disk nr 0 Online 465 G B 1024 K B :
    ===============

    Argumenten som angetts f”r kommandot „r inte giltiga.
    Om du vill ha mer information om kommandot skriver du: HELP SELECT DISK

    Ingen disk har valts.


    ****** End Of Log ******




    Bootkit Remover shows a green color on PhysicalDrive0 now; it was red before :)

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows 7 Ultimate Edition Service Pack 1 (build 7601), 32
    -bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`06500000
    Boot sector MD5 is: bb4f1627d8b9beda49ac0d010229f3ff

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
     
  7. Broni

    Broni Malware Annihilator Posts: 47,668   +267

    It looks like we beat the sucker :)

    See if aswMBR will run now.
     
  8. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    :D

    aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
    Run date: 2012-02-10 23:40:09
    -----------------------------
    23:40:09.200 OS Version: Windows 6.1.7601 Service Pack 1
    23:40:09.200 Number of processors: 4 586 0x402
    23:40:09.200 ComputerName: SIMON-PC UserName: Simon
    23:40:09.543 Initialize success
    23:41:19.826 AVAST engine defs: 12021001
    23:41:30.402 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    23:41:30.402 Disk 0 Vendor: WDC_WD5001AALS-00L3B2 01.03B01 Size: 476940MB BusType: 3
    23:41:30.418 Disk 0 MBR read successfully
    23:41:30.418 Disk 0 MBR scan
    23:41:30.418 Disk 0 Windows 7 default MBR code
    23:41:30.418 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 100 MB offset 2048
    23:41:30.434 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 79900 MB offset 206848
    23:41:30.449 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 396937 MB offset 163842048
    23:41:30.449 Disk 0 scanning sectors +976769024
    23:41:30.512 Disk 0 scanning C:\Windows\system32\drivers
    23:41:41.525 File: C:\Windows\system32\drivers\tdx.sys **INFECTED** Win32:Sirefef-JQ [Trj]
    23:41:42.648 Disk 0 trace - called modules:
    23:41:42.664 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8d3f0fc0]<<
    23:41:42.680 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x875f7030]
    23:41:42.680 3 CLASSPNP.SYS[8d2c359e] -> nt!IofCallDriver -> [0x87855028]
    23:41:42.680 \Driver\00000418[0x87855ab8] -> IRP_MJ_CREATE -> 0x8d3f0fc0
    23:41:43.101 AVAST engine scan C:\Windows
    23:41:44.754 AVAST engine scan C:\Windows\system32
    23:43:27.247 AVAST engine scan C:\Windows\system32\drivers
    23:43:40.429 File: C:\Windows\system32\drivers\tdx.sys **INFECTED** Win32:Sirefef-JQ [Trj]
    23:43:41.864 AVAST engine scan C:\Users\Simon
    23:47:32.745 AVAST engine scan C:\ProgramData
    23:50:15.750 Scan finished successfully
    23:51:14.297 Disk 0 MBR has been saved successfully to "C:\Users\Simon\Desktop\MBR.dat"
    23:51:14.312 The log file has been saved successfully to "C:\Users\Simon\Desktop\aswMBR.txt"
     
  9. Broni

    Broni Malware Annihilator Posts: 47,668   +267

    Excellent!

    We still have work to do but the worst seems to be over.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  10. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    OK, last time I ran ComboFix it said that AVG Antivirus FREE is running both as virus protection and spyware protection. The thing is, I don't have AVG Antivirus Free; I've uninstalled ALL my virus programs. I had AVG before.

    I tried that app removal program but it didn't find anything. Should I run ComboFix anyway?
     
  11. Broni

    Broni Malware Annihilator Posts: 47,668   +267

    Yes.........
     
     
  12. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    ComboFix 12-02-02.02 - Simon 2012-02-11 0:22.3.4 - x86
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.46.1033.18.3327.2268 [GMT 1:00]
    Körs från: c:\users\Simon\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Skapade en ny återställningspunkt
    .
    - REDUCERAD FUNKTIONALITETSMOD -
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -- Föregående körning --
    .
    c:\windows\system32\drivers\netbt.sys saknades
    Återställd kopia från - c:\windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys
    .
    c:\windows\system32\drivers\cdrom.sys saknades
    Återställd kopia från - c:\windows\System32\DriverStore\FileRepository\cdrom.inf_x86_neutral_6381e09675524225\cdrom.sys
    .
    c:\windows\system32\drivers\Serial.sys saknades
    Återställd kopia från - c:\windows\System32\DriverStore\FileRepository\msports.inf_x86_neutral_c1a802e06677f73f\serial.sys
    .
    c:\windows\system32\drivers\tdx.sys saknades
    Återställd kopia från - c:\windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys
    .
    --------
    .
    .
    (((((((((((((((((((((((( Filer skapade från 2012-01-10 till 2012-02-10 ))))))))))))))))))))))))))))))
    .
    .
    2012-02-11 07:13 . 2012-02-11 07:31 -------- d-----w- C:\Boot
    2012-02-10 23:22 . 2012-02-10 23:22 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-02-09 23:37 . 2012-02-10 23:23 -------- d-----w- c:\users\Simon\AppData\Local\temp
    2012-02-09 23:37 . 2009-07-13 23:12 74240 ----a-w- c:\windows\system32\drivers\tdx.sys
    2012-02-09 22:09 . 2009-07-13 23:12 338944 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-02-09 22:09 . 2012-02-09 22:09 -------- d-----w- C:\_OTL
    2012-02-08 17:37 . 2012-02-08 17:45 -------- d-----w- c:\program files\GridinSoft Trojan Killer
    2012-02-08 13:49 . 2012-02-10 00:53 -------- d-----w- c:\programdata\AVAST Software
    2012-02-08 13:49 . 2012-02-08 13:49 -------- d-----w- c:\program files\AVAST Software
    2012-02-08 13:26 . 2012-02-08 13:26 -------- d-----w- c:\program files\Common Files\Java
    2012-02-08 02:51 . 2012-02-08 13:10 -------- d-----w- c:\programdata\MFAData
    2012-02-08 01:55 . 2012-02-08 01:55 -------- d-----w- c:\users\Simon\AppData\Roaming\Malwarebytes
    2012-02-08 01:55 . 2012-02-08 01:55 -------- d-----w- c:\programdata\Malwarebytes
    2012-02-08 01:41 . 2012-02-08 01:41 -------- d-----w- c:\program files\Enigma Software Group
    2012-02-08 01:40 . 2012-02-08 01:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2012-02-07 22:25 . 2012-02-10 22:32 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
    2012-01-25 18:19 . 2011-11-17 05:41 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-01-25 18:19 . 2011-11-17 05:41 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
    2012-01-25 18:19 . 2011-11-17 05:39 369352 ----a-w- c:\windows\system32\drivers\cng.sys
    2012-01-25 18:19 . 2011-11-17 05:35 314880 ----a-w- c:\windows\system32\webio.dll
    2012-01-25 18:19 . 2011-11-17 05:34 15872 ----a-w- c:\windows\system32\sspisrv.dll
    2012-01-25 18:19 . 2011-11-17 05:34 100352 ----a-w- c:\windows\system32\sspicli.dll
    2012-01-25 18:19 . 2011-11-17 05:34 224768 ----a-w- c:\windows\system32\schannel.dll
    2012-01-25 18:19 . 2011-11-17 05:34 22016 ----a-w- c:\windows\system32\secur32.dll
    2012-01-25 18:19 . 2011-11-17 05:32 1038848 ----a-w- c:\windows\system32\lsasrv.dll
    2012-01-25 18:19 . 2011-11-17 05:29 22528 ----a-w- c:\windows\system32\lsass.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-02-10 00:46 . 2011-11-16 00:40 239168 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
    2012-02-07 22:25 . 2011-08-08 19:00 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-05 17:00 . 2012-01-05 17:00 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\tmpidcrl.dll
    2012-01-05 17:00 . 2011-03-28 17:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2011-11-24 04:25 . 2011-12-15 04:45 2342912 ----a-w- c:\windows\system32\win32k.sys
    2011-11-19 14:01 . 2012-01-10 19:28 67072 ----a-w- c:\windows\system32\packager.dll
    2011-11-17 05:38 . 2012-01-10 19:28 1288472 ----a-w- c:\windows\system32\ntdll.dll
    2011-11-16 01:25 . 2011-11-16 01:25 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
    2011-11-16 01:25 . 2011-11-16 01:25 161792 ----a-w- c:\windows\system32\msls31.dll
    2011-11-16 01:25 . 2011-11-16 01:25 86528 ----a-w- c:\windows\system32\iesysprep.dll
    2011-11-16 01:25 . 2011-11-16 01:25 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
    2011-11-16 01:25 . 2011-11-16 01:25 63488 ----a-w- c:\windows\system32\tdc.ocx
    2011-11-16 01:25 . 2011-11-16 01:25 48640 ----a-w- c:\windows\system32\mshtmler.dll
    2011-11-16 01:25 . 2011-11-16 01:25 367104 ----a-w- c:\windows\system32\html.iec
    2011-11-16 01:25 . 2011-11-16 01:25 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
    2011-11-16 01:25 . 2011-11-16 01:25 74752 ----a-w- c:\windows\system32\iesetup.dll
    2011-11-16 01:25 . 2011-11-16 01:25 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-11-16 01:25 . 2011-11-16 01:25 35840 ----a-w- c:\windows\system32\imgutil.dll
    2011-11-16 01:25 . 2011-11-16 01:25 23552 ----a-w- c:\windows\system32\licmgr10.dll
    2011-11-16 01:25 . 2011-11-16 01:25 152064 ----a-w- c:\windows\system32\wextract.exe
    2011-11-16 01:25 . 2011-11-16 01:25 150528 ----a-w- c:\windows\system32\iexpress.exe
    2011-11-16 01:25 . 2011-11-16 01:25 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2011-11-16 01:25 . 2011-11-16 01:25 11776 ----a-w- c:\windows\system32\mshta.exe
    2011-11-16 01:25 . 2011-11-16 01:25 101888 ----a-w- c:\windows\system32\admparse.dll
    2011-11-16 01:16 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
    2011-11-15 23:37 . 2009-11-26 18:25 428088 ----a-w- c:\windows\system32\drivers\sptd.sys
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2009-07-13 23:12 . 38F57D262164CB35BC8659785703CD6B . 74240 . . [------] . . c:\windows\System32\drivers\tdx.sys
    [7] 2009-07-13 . CB39E896A2A83702D1737BFD402B3542 . 74240 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys
    .
    (((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Not* tomma poster & legitima standardposter visas inte.
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
    "Facebook Update"="c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-10-18 137536]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-11-10 3514176]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-04 98304]
    "ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2009-06-14 307200]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    BankID säkerhetsprogram.lnk - c:\program files\Personal\bin\Personal.exe [2012-1-24 1140632]
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opretuq]
    2012-02-10 12:10 10752 ----a-w- c:\windows\System32\config\systemprofile\AppData\Local\opretuq.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\PhotoshopElementsFileAgent.exe [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Tjänsten Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 136176]
    R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\PhotoshopElementsDeviceConnect.exe [x]
    R3 BazisVirtualCDBus;WinCDEmu Virtual Bus Driver;c:\windows\system32\DRIVERS\BazisVirtualCDBus.sys [2010-10-28 98400]
    R3 gupdatem;Tjänsten Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 136176]
    R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
    R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2010-02-20 47360]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
    R3 TsUsbFlt;TsUsbFlt; [x]
    S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
    S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-02-10 239168]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-20 176128]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-04-20 7772160]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-04-20 243712]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-06-10 394856]
    .
    .
    --- Övriga tjänster/drivrutiner i minnet ---
    .
    *NewlyCreated* - ASWMBR
    *Deregistered* - aswMBR
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    procexp100
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{537d904e-0ff4-11e1-bf24-806e6f6e6963}]
    \shell\AutoRun\command - G:\INSTALL.EXE
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e686c22-d79b-11de-9ee0-806e6f6e6963}]
    \shell\AutoRun\command - E:\SETUP.EXE
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{963aaa25-16b3-11df-964d-002618f04b04}]
    \shell\AutoRun\command - G:\LaunchU3.exe -a
    .
    Innehåll i mappen 'Schemalagda aktiviteter':
    .
    2012-02-10 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3512059693-629956888-1013197014-1000Core.job
    - c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-18 17:26]
    .
    2012-02-10 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3512059693-629956888-1013197014-1000UA.job
    - c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-18 17:26]
    .
    2012-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 20:56]
    .
    2012-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 20:56]
    .
    .
    ------- Extra genomsökning -------
    .
    uStart Page = hxxp://www.google.se/
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Simon\AppData\Roaming\Mozilla\Firefox\Profiles\clbeh0im.default\
    FF - user.js: extensions.BabylonToolbar_i.id - 3ce818f1000000000000002618f04b04
    FF - user.js: extensions.BabylonToolbar_i.hardId - 3ce818f1000000000000002618f04b04
    FF - user.js: extensions.BabylonToolbar_i.instlDay - 15344
    FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1717:57
    FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
    FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
    FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
    FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
    FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
    FF - user.js: extensions.BabylonToolbar_i.newTab - false
    FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=100478
    FF - user.js: extensions.BabylonToolbar_i.babExt -
    FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
    FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
    .
    - - - - FÖRÄLDRALÖSA POSTER SOM TAGITS BORT - - - -
    .
    Toolbar-10 - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    HKLM-Run-facemoods - c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe
    AddRemove-facemoods - c:\program files\facemoods.com\facemoods\1.4.17.11\uninstall.exe
    AddRemove-Svenska Spels Poker - c:\casino\SVENSK~1\UNWISE.EXE
    .
    .
    .
    --------------------- LÅSTA REGISTERNYCKLAR ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet003\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLL'er som "laddats" under processer som körs ---------------------
    .
    - - - - - - - > 'lsass.exe'(496)
    c:\windows\system32\mswsock.dll
    mswsock.dll 75160000 245760 \\.\globalroot\systemroot\system32\mswsock.dll
    .
    Sluttid: 2012-02-11 00:24:14
    ComboFix-quarantined-files.txt 2012-02-10 23:24
    .
    Före genomsökningen: 35*363*512*320 byte ledigt
    Efter genomsökningen: 35*421*814*784 byte ledigt
    .
    - - End Of File - - 8909D7E98BE8BCF7E4EA5AA79315ACF8
     
  13. Broni

    Broni Malware Annihilator Posts: 47,668   +267

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    FCopy::
    c:\windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys | c:\windows\System32\drivers\tdx.sys
    
    File::
    c:\windows\system32\dds_trash_log.cmd
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
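    As an added example (not part of this thread, ComboFix or any other tool used in it), here is a Python parser for the ComboFix Sigcheck lines posted above. It pairs each live file under System32 with the component-store copy of the same name and flags a hash mismatch, which is exactly the tdx.sys condition that the FCopy:: directive repairs; the mswsock.dll pair in the sample is constructed as a clean control, and the flag semantics follow the section's own note that [-] marks an unsigned file.

```python
"""Flag in-place driver tampering from a ComboFix 'Sigcheck' section.

Each Sigcheck line lists a signature flag, MD5, size, version and path.
A live copy under System32 whose MD5 differs from the component-store
copy (winsxs / DriverStore) of the same file is the signal behind the
tdx.sys entry on this page: same size, different hash, unsigned.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Field layout seen in the log:
#   [flag] date [time] . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\S+)(?:\s+(?P<time>\d\d:\d\d))?"
    r"\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)"
    r"\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)

# Windows keeps pristine copies of components here; a live copy under
# System32 should hash identically to its reference copy.
REFERENCE_DIRS = ("\\winsxs\\", "\\driverstore\\filerepository\\")


def parse_sigcheck(lines):
    """Parse Sigcheck lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in lines:
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        f = m.groupdict()
        entries.append({
            "flag": f["flag"],
            # '[-]' is what ComboFix prints on the unsigned copy (assumption
            # based on the section's note); any other flag means signed.
            "signed": f["flag"] != "-",
            "md5": f["md5"].upper(),
            "size": int(f["size"]),
            "version": f["version"],
            "path": f["path"],
            "reference": any(d in f["path"].lower() for d in REFERENCE_DIRS),
        })
    return entries


def find_tampered(entries):
    """Pair live files with reference copies of the same name and report
    hash mismatches.  Same size plus a different hash is the classic
    in-place patch, as with tdx.sys on this page."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[PureWindowsPath(e["path"]).name.lower()].append(e)

    findings = []
    for name, group in sorted(by_name.items()):
        refs = [e for e in group if e["reference"]]
        for live in (e for e in group if not e["reference"]):
            for ref in refs:
                if live["md5"] == ref["md5"]:
                    continue
                findings.append({
                    "file": name,
                    "live_path": live["path"],
                    "live_md5": live["md5"],
                    "live_signed": live["signed"],
                    "reference_path": ref["path"],
                    "reference_md5": ref["md5"],
                    "reference_version": ref["version"],
                    "same_size": live["size"] == ref["size"],
                    # Restore directive in the CFScript form used in this thread.
                    "fcopy": f"{ref['path']} | {live['path']}",
                })
    return findings


def report(findings):
    """Human-readable summary, one finding per block of lines."""
    out = []
    for f in findings:
        out.append(f"{f['file']}: live MD5 {f['live_md5']} "
                   f"({'signed' if f['live_signed'] else 'unsigned'}) "
                   f"!= reference {f['reference_md5']} [{f['reference_version']}]"
                   f"{', same size' if f['same_size'] else ''}")
        out.append("  FCopy:: " + f["fcopy"])
    return out


# The two Sigcheck lines from the ComboFix log above, plus one constructed
# clean pair (mswsock.dll with made-up matching hashes) as a control.
SAMPLE_SIGCHECK = r"""
[-] 2009-07-13 23:12 . 38F57D262164CB35BC8659785703CD6B . 74240 . . [------] . . c:\windows\System32\drivers\tdx.sys
[7] 2009-07-13 . CB39E896A2A83702D1737BFD402B3542 . 74240 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys
[7] 2011-11-17 . 0123456789ABCDEF0123456789ABCDEF . 245760 . . [0.0.0.0] . . c:\windows\system32\mswsock.dll
[7] 2011-11-17 . 0123456789ABCDEF0123456789ABCDEF . 245760 . . [0.0.0.0] . . c:\windows\winsxs\x86_constructed-example_mswsock\mswsock.dll
""".strip().splitlines()

if __name__ == "__main__":
    for line in report(find_tampered(parse_sigcheck(SAMPLE_SIGCHECK))):
        print(line)
```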
     
  14. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    ComboFix 12-02-02.02 - Simon 2012-02-11 1:22.4.4 - x86
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.46.1033.18.3327.2286 [GMT 1:00]
    Körs från: c:\users\Simon\Desktop\ComboFix.exe
    Kommandoväxlar som använts :: c:\users\Simon\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    - REDUCERAD FUNKTIONALITETSMOD -
    .
    FILE ::
    "c:\windows\system32\dds_trash_log.cmd"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\dds_trash_log.cmd
    .
    .
    --------------- FCopy ---------------
    .
    c:\windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys --> c:\windows\System32\drivers\tdx.sys
    .
    (((((((((((((((((((((((( Filer skapade från 2012-01-11 till 2012-02-11 ))))))))))))))))))))))))))))))
    .
    .
    2012-02-11 07:13 . 2012-02-11 07:31 -------- d-----w- C:\Boot
    2012-02-11 00:22 . 2012-02-11 00:22 -------- d-----w- c:\users\Simon\AppData\Local\temp
    2012-02-11 00:22 . 2012-02-11 00:22 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-02-09 23:37 . 2009-07-13 23:12 74240 ----a-w- c:\windows\system32\drivers\tdx.sys
    2012-02-09 23:37 . 2009-07-13 23:45 83456 ----a-w- c:\windows\system32\drivers\Serial.sys
    2012-02-09 23:36 . 2010-11-20 08:38 108544 ----a-w- c:\windows\system32\drivers\cdrom.sys
    2012-02-09 23:36 . 2009-07-13 23:12 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
    2012-02-09 22:09 . 2009-07-13 23:12 338944 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-02-09 22:09 . 2012-02-09 22:09 -------- d-----w- C:\_OTL
    2012-02-08 17:37 . 2012-02-08 17:45 -------- d-----w- c:\program files\GridinSoft Trojan Killer
    2012-02-08 13:49 . 2012-02-10 00:53 -------- d-----w- c:\programdata\AVAST Software
    2012-02-08 13:49 . 2012-02-08 13:49 -------- d-----w- c:\program files\AVAST Software
    2012-02-08 13:26 . 2012-02-08 13:26 -------- d-----w- c:\program files\Common Files\Java
    2012-02-08 02:51 . 2012-02-08 13:10 -------- d-----w- c:\programdata\MFAData
    2012-02-08 01:55 . 2012-02-08 01:55 -------- d-----w- c:\users\Simon\AppData\Roaming\Malwarebytes
    2012-02-08 01:55 . 2012-02-08 01:55 -------- d-----w- c:\programdata\Malwarebytes
    2012-02-08 01:41 . 2012-02-08 01:41 -------- d-----w- c:\program files\Enigma Software Group
    2012-02-08 01:40 . 2012-02-08 01:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2012-01-25 18:19 . 2011-11-17 05:41 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-01-25 18:19 . 2011-11-17 05:41 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
    2012-01-25 18:19 . 2011-11-17 05:39 369352 ----a-w- c:\windows\system32\drivers\cng.sys
    2012-01-25 18:19 . 2011-11-17 05:35 314880 ----a-w- c:\windows\system32\webio.dll
    2012-01-25 18:19 . 2011-11-17 05:34 15872 ----a-w- c:\windows\system32\sspisrv.dll
    2012-01-25 18:19 . 2011-11-17 05:34 100352 ----a-w- c:\windows\system32\sspicli.dll
    2012-01-25 18:19 . 2011-11-17 05:34 224768 ----a-w- c:\windows\system32\schannel.dll
    2012-01-25 18:19 . 2011-11-17 05:34 22016 ----a-w- c:\windows\system32\secur32.dll
    2012-01-25 18:19 . 2011-11-17 05:32 1038848 ----a-w- c:\windows\system32\lsasrv.dll
    2012-01-25 18:19 . 2011-11-17 05:29 22528 ----a-w- c:\windows\system32\lsass.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-02-10 00:46 . 2011-11-16 00:40 239168 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
    2012-02-07 22:25 . 2011-08-08 19:00 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-05 17:00 . 2012-01-05 17:00 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\tmpidcrl.dll
    2012-01-05 17:00 . 2011-03-28 17:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2011-11-24 04:25 . 2011-12-15 04:45 2342912 ----a-w- c:\windows\system32\win32k.sys
    2011-11-19 14:01 . 2012-01-10 19:28 67072 ----a-w- c:\windows\system32\packager.dll
    2011-11-17 05:38 . 2012-01-10 19:28 1288472 ----a-w- c:\windows\system32\ntdll.dll
    2011-11-16 01:25 . 2011-11-16 01:25 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
    2011-11-16 01:25 . 2011-11-16 01:25 161792 ----a-w- c:\windows\system32\msls31.dll
    2011-11-16 01:25 . 2011-11-16 01:25 86528 ----a-w- c:\windows\system32\iesysprep.dll
    2011-11-16 01:25 . 2011-11-16 01:25 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
    2011-11-16 01:25 . 2011-11-16 01:25 63488 ----a-w- c:\windows\system32\tdc.ocx
    2011-11-16 01:25 . 2011-11-16 01:25 48640 ----a-w- c:\windows\system32\mshtmler.dll
    2011-11-16 01:25 . 2011-11-16 01:25 367104 ----a-w- c:\windows\system32\html.iec
    2011-11-16 01:25 . 2011-11-16 01:25 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
    2011-11-16 01:25 . 2011-11-16 01:25 74752 ----a-w- c:\windows\system32\iesetup.dll
    2011-11-16 01:25 . 2011-11-16 01:25 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-11-16 01:25 . 2011-11-16 01:25 35840 ----a-w- c:\windows\system32\imgutil.dll
    2011-11-16 01:25 . 2011-11-16 01:25 23552 ----a-w- c:\windows\system32\licmgr10.dll
    2011-11-16 01:25 . 2011-11-16 01:25 152064 ----a-w- c:\windows\system32\wextract.exe
    2011-11-16 01:25 . 2011-11-16 01:25 150528 ----a-w- c:\windows\system32\iexpress.exe
    2011-11-16 01:25 . 2011-11-16 01:25 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2011-11-16 01:25 . 2011-11-16 01:25 11776 ----a-w- c:\windows\system32\mshta.exe
    2011-11-16 01:25 . 2011-11-16 01:25 101888 ----a-w- c:\windows\system32\admparse.dll
    2011-11-16 01:16 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
    2011-11-15 23:37 . 2009-11-26 18:25 428088 ----a-w- c:\windows\system32\drivers\sptd.sys
    .
    .
    (((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Not* tomma poster & legitima standardposter visas inte.
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
    "Facebook Update"="c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-10-18 137536]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-11-10 3514176]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-04 98304]
    "ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2009-06-14 307200]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    BankID säkerhetsprogram.lnk - c:\program files\Personal\bin\Personal.exe [2012-1-24 1140632]
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opretuq]
    2012-02-10 12:10 10752 ----a-w- c:\windows\System32\config\systemprofile\AppData\Local\opretuq.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\PhotoshopElementsFileAgent.exe [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Tjänsten Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 136176]
    R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\PhotoshopElementsDeviceConnect.exe [x]
    R3 BazisVirtualCDBus;WinCDEmu Virtual Bus Driver;c:\windows\system32\DRIVERS\BazisVirtualCDBus.sys [2010-10-28 98400]
    R3 gupdatem;Tjänsten Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 136176]
    R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
    R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2010-02-20 47360]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
    R3 TsUsbFlt;TsUsbFlt; [x]
    S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
    S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-02-10 239168]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-20 176128]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-04-20 7772160]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-04-20 243712]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-06-10 394856]
    .
    .
    --- Övriga tjänster/drivrutiner i minnet ---
    .
    *NewlyCreated* - ASWMBR
    *Deregistered* - aswMBR
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    procexp100
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{537d904e-0ff4-11e1-bf24-806e6f6e6963}]
    \shell\AutoRun\command - G:\INSTALL.EXE
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e686c22-d79b-11de-9ee0-806e6f6e6963}]
    \shell\AutoRun\command - E:\SETUP.EXE
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{963aaa25-16b3-11df-964d-002618f04b04}]
    \shell\AutoRun\command - G:\LaunchU3.exe -a
    .
    Innehåll i mappen 'Schemalagda aktiviteter':
    .
    2012-02-10 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3512059693-629956888-1013197014-1000Core.job
    - c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-18 17:26]
    .
    2012-02-10 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3512059693-629956888-1013197014-1000UA.job
    - c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-18 17:26]
    .
    2012-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 20:56]
    .
    2012-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 20:56]
    .
    .
    ------- Extra genomsökning -------
    .
    uStart Page = hxxp://www.google.se/
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Simon\AppData\Roaming\Mozilla\Firefox\Profiles\clbeh0im.default\
    FF - user.js: extensions.BabylonToolbar_i.id - 3ce818f1000000000000002618f04b04
    FF - user.js: extensions.BabylonToolbar_i.hardId - 3ce818f1000000000000002618f04b04
    FF - user.js: extensions.BabylonToolbar_i.instlDay - 15344
    FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1717:57
    FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
    FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
    FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
    FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
    FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
    FF - user.js: extensions.BabylonToolbar_i.newTab - false
    FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=100478
    FF - user.js: extensions.BabylonToolbar_i.babExt -
    FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
    FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
    .
    .
    --------------------- LÅSTA REGISTERNYCKLAR ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet003\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLL'er som "laddats" under processer som körs ---------------------
    .
    - - - - - - - > 'lsass.exe'(496)
    c:\windows\system32\mswsock.dll
    mswsock.dll 75160000 245760 \\.\globalroot\systemroot\system32\mswsock.dll
    .
    Sluttid: 2012-02-11 01:23:21
    ComboFix-quarantined-files.txt 2012-02-11 00:23
    ComboFix2.txt 2012-02-10 23:24
    .
    Före genomsökningen: 35*442*483*200 byte ledigt
    Efter genomsökningen: 35*422*539*776 byte ledigt
    .
    - - End Of File - - 6B553B50FB04B6572B908D834239EB3C
     
  15. Broni

    Broni Malware Annihilator Posts: 47,668   +267

    Your ComboFix version is a bit outdated.
    Delete the ComboFix file, download a fresh one, run it and post the new log.
    I doubt anything new will be found, but I want to play safe.

    Then.....

    Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    Be sure to restart the computer.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
     
  16. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    I think we got a new problem... the new version of ComboFix I installed found a ZeroAccess rootkit in TCP/IP. I got the log out on a USB stick; the computer is pretty screwed now, can't access anything. Restarted, was stuck on "Preparing your desktop..." for a while, now a window came up: "C:\windows\system32\config\systemprofile\desktop is now accessible. Access denied."
    This happened sometime yesterday also.

    ComboFix 12-02-10.03 - Simon 2012-02-11 2:09.5.4 - x86
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.46.1033.18.3327.2499 [GMT 1:00]
    Körs från: G:\ComboFix.exe
    AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Simon\AppData\Roaming\desktop.ini
    c:\windows\$NtUninstallKB21072$\2418786939\@
    c:\windows\$NtUninstallKB21072$\2418786939\cfg.ini
    c:\windows\$NtUninstallKB21072$\2418786939\Desktop.ini
    c:\windows\$NtUninstallKB21072$\2418786939\L\xadqgnnk
    c:\windows\$NtUninstallKB21072$\3066712622
    .
    En infekterad kopia av c:\windows\system32\drivers\dtsoftbus01.sys hittades och desinficerades.
    Återställd kopia från - The cat found it :)
    c:\windows\system32\drivers\tdx.sys saknades
    Återställd kopia från - c:\windows\ERDNT\cache\tdx.sys
    .
    .
    (((((((((((((((((((((((( Filer skapade från 2012-01-11 till 2012-02-11 ))))))))))))))))))))))))))))))
    .
    .
    2012-02-11 07:13 . 2012-02-11 07:31 -------- d-----w- C:\Boot
    2012-02-11 01:15 . 2012-02-11 01:18 -------- d-----w- c:\users\Simon\AppData\Local\temp
    2012-02-11 01:15 . 2012-02-11 01:15 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-02-11 01:15 . 2009-07-13 23:12 74240 ----a-w- c:\windows\system32\drivers\tdx.sys
    2012-02-11 01:08 . 2012-02-10 00:46 239168 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
    2012-02-09 23:37 . 2009-07-13 23:45 83456 ----a-w- c:\windows\system32\drivers\Serial.sys
    2012-02-09 23:36 . 2010-11-20 08:38 108544 ----a-w- c:\windows\system32\drivers\cdrom.sys
    2012-02-09 23:36 . 2009-07-13 23:12 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
    2012-02-09 22:09 . 2012-02-09 22:09 -------- d-----w- C:\_OTL
    2012-02-08 17:37 . 2012-02-08 17:45 -------- d-----w- c:\program files\GridinSoft Trojan Killer
    2012-02-08 13:49 . 2012-02-10 00:53 -------- d-----w- c:\programdata\AVAST Software
    2012-02-08 13:49 . 2012-02-08 13:49 -------- d-----w- c:\program files\AVAST Software
    2012-02-08 13:26 . 2012-02-08 13:26 -------- d-----w- c:\program files\Common Files\Java
    2012-02-08 02:51 . 2012-02-08 13:10 -------- d-----w- c:\programdata\MFAData
    2012-02-08 01:55 . 2012-02-08 01:55 -------- d-----w- c:\users\Simon\AppData\Roaming\Malwarebytes
    2012-02-08 01:55 . 2012-02-08 01:55 -------- d-----w- c:\programdata\Malwarebytes
    2012-02-08 01:41 . 2012-02-08 01:41 -------- d-----w- c:\program files\Enigma Software Group
    2012-02-08 01:40 . 2012-02-08 01:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2012-01-25 18:19 . 2011-11-17 05:41 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-01-25 18:19 . 2011-11-17 05:41 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
    2012-01-25 18:19 . 2011-11-17 05:39 369352 ----a-w- c:\windows\system32\drivers\cng.sys
    2012-01-25 18:19 . 2011-11-17 05:35 314880 ----a-w- c:\windows\system32\webio.dll
    2012-01-25 18:19 . 2011-11-17 05:34 15872 ----a-w- c:\windows\system32\sspisrv.dll
    2012-01-25 18:19 . 2011-11-17 05:34 100352 ----a-w- c:\windows\system32\sspicli.dll
    2012-01-25 18:19 . 2011-11-17 05:34 224768 ----a-w- c:\windows\system32\schannel.dll
    2012-01-25 18:19 . 2011-11-17 05:34 22016 ----a-w- c:\windows\system32\secur32.dll
    2012-01-25 18:19 . 2011-11-17 05:32 1038848 ----a-w- c:\windows\system32\lsasrv.dll
    2012-01-25 18:19 . 2011-11-17 05:29 22528 ----a-w- c:\windows\system32\lsass.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-02-07 22:25 . 2011-08-08 19:00 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-05 17:00 . 2012-01-05 17:00 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\tmpidcrl.dll
    2012-01-05 17:00 . 2011-03-28 17:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2011-11-24 04:25 . 2011-12-15 04:45 2342912 ----a-w- c:\windows\system32\win32k.sys
    2011-11-19 14:01 . 2012-01-10 19:28 67072 ----a-w- c:\windows\system32\packager.dll
    2011-11-17 05:38 . 2012-01-10 19:28 1288472 ----a-w- c:\windows\system32\ntdll.dll
    2011-11-16 01:25 . 2011-11-16 01:25 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
    2011-11-16 01:25 . 2011-11-16 01:25 161792 ----a-w- c:\windows\system32\msls31.dll
    2011-11-16 01:25 . 2011-11-16 01:25 86528 ----a-w- c:\windows\system32\iesysprep.dll
    2011-11-16 01:25 . 2011-11-16 01:25 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
    2011-11-16 01:25 . 2011-11-16 01:25 63488 ----a-w- c:\windows\system32\tdc.ocx
    2011-11-16 01:25 . 2011-11-16 01:25 48640 ----a-w- c:\windows\system32\mshtmler.dll
    2011-11-16 01:25 . 2011-11-16 01:25 367104 ----a-w- c:\windows\system32\html.iec
    2011-11-16 01:25 . 2011-11-16 01:25 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
    2011-11-16 01:25 . 2011-11-16 01:25 74752 ----a-w- c:\windows\system32\iesetup.dll
    2011-11-16 01:25 . 2011-11-16 01:25 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-11-16 01:25 . 2011-11-16 01:25 35840 ----a-w- c:\windows\system32\imgutil.dll
    2011-11-16 01:25 . 2011-11-16 01:25 23552 ----a-w- c:\windows\system32\licmgr10.dll
    2011-11-16 01:25 . 2011-11-16 01:25 152064 ----a-w- c:\windows\system32\wextract.exe
    2011-11-16 01:25 . 2011-11-16 01:25 150528 ----a-w- c:\windows\system32\iexpress.exe
    2011-11-16 01:25 . 2011-11-16 01:25 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2011-11-16 01:25 . 2011-11-16 01:25 11776 ----a-w- c:\windows\system32\mshta.exe
    2011-11-16 01:25 . 2011-11-16 01:25 101888 ----a-w- c:\windows\system32\admparse.dll
    2011-11-16 01:16 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
    2011-11-15 23:37 . 2009-11-26 18:25 428088 ----a-w- c:\windows\system32\drivers\sptd.sys
    .
    .
    (((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Not* tomma poster & legitima standardposter visas inte.
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
    "Facebook Update"="c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-10-18 137536]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-11-10 3514176]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-04 98304]
    "ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2009-06-14 307200]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    BankID säkerhetsprogram.lnk - c:\program files\Personal\bin\Personal.exe [2012-1-24 1140632]
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opretuq]
    2012-02-10 12:10 10752 ----a-w- c:\windows\System32\config\systemprofile\AppData\Local\opretuq.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\PhotoshopElementsFileAgent.exe [x]
    .
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    procexp100
    .
    Innehåll i mappen 'Schemalagda aktiviteter':
    .
    2012-02-10 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3512059693-629956888-1013197014-1000Core.job
    - c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-18 17:26]
    .
    2012-02-11 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3512059693-629956888-1013197014-1000UA.job
    - c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-18 17:26]
    .
    2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 20:56]
    .
    2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 20:56]
    .
    .
    ------- Extra genomsökning -------
    .
    uStart Page = hxxp://www.google.se/
    LSP: mswsock.dll
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Simon\AppData\Roaming\Mozilla\Firefox\Profiles\clbeh0im.default\
    FF - user.js: extensions.BabylonToolbar_i.id - 3ce818f1000000000000002618f04b04
    FF - user.js: extensions.BabylonToolbar_i.hardId - 3ce818f1000000000000002618f04b04
    FF - user.js: extensions.BabylonToolbar_i.instlDay - 15344
    FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1717:57
    FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
    FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
    FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
    FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
    FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
    FF - user.js: extensions.BabylonToolbar_i.newTab - false
    FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=100478
    FF - user.js: extensions.BabylonToolbar_i.babExt -
    FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
    FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
    .
    .
    --------------------- LÅSTA REGISTERNYCKLAR ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet003\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Andra processer som körs ------------------------
    .
    c:\windows\system32\atiesrxx.exe
    c:\windows\system32\atieclxx.exe
    c:\windows\system32\sppsvc.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\windows\system32\WUDFHost.exe
    c:\windows\system32\conhost.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    .
    **************************************************************************
    .
    Sluttid: 2012-02-11 02:20:22 - datorn startades om.
    ComboFix-quarantined-files.txt 2012-02-11 01:20
    ComboFix2.txt 2012-02-11 00:23
    ComboFix3.txt 2012-02-10 23:24
    .
    Före genomsökningen: 35*220*439*040 byte ledigt
    Efter genomsökningen: 34*997*989*376 byte ledigt
    .
    - - End Of File - - 2E4C342D58A3F929E0B71587B1CCF1E3
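    The two ComboFix logs above carry the same handful of indicator families: a bogus `$NtUninstallKB21072$` directory holding an `@` file and an `L\` subfolder (the ZeroAccess payload store), a patched `dtsoftbus01.sys`, a missing network-stack driver (`tdx.sys`, later `afd.sys`), a Winlogon Notify DLL living under `config\systemprofile\AppData\Local`, and cached `mountpoints2` AutoRun commands. The following triage helper is an added example written for this thread; it is not part of ComboFix or of the forum's own tooling. It scans ComboFix-style log lines and categorises those indicators. The sample log is constructed from lines quoted in the thread, and the regular expressions for ComboFix's wording (Swedish locale as in this thread, with assumed English equivalents) are assumptions, not ComboFix's documented format.

```python
"""Triage a ComboFix log for the indicator families seen in this thread.

Added example, not part of ComboFix or the forum's tooling. The wording
regexes assume ComboFix's Swedish-locale output as quoted in the thread,
plus assumed English equivalents.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str
    evidence: str


# afd.sys (Winsock AFD) and tdx.sys (TDI translation) sit in the Windows
# network stack; their absence matches the thread's "no internet" symptom.
NETWORK_STACK_DRIVERS = {"afd.sys", "tdx.sys", "netbt.sys", "tcpip.sys"}

# ZeroAccess hides its store under a bogus $NtUninstallKB...$ directory.
FAKE_UNINSTALL_DIR = re.compile(r"\\\$NtUninstall[^\\]*\$\\", re.I)
# Win7 has no legitimate Winlogon Notify packages; any entry is worth a look.
NOTIFY_KEY = re.compile(
    r"\[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
    r"\\winlogon\\notify\\([^\]]+)\]", re.I)
AUTORUN_CMD = re.compile(r"\\shell\\AutoRun\\command\s+-\s+(.+)", re.I)
# ComboFix wording (Swedish as in the thread / assumed English).
MISSING_FILE = re.compile(r"^(\S+) (?:saknades|was missing)$", re.I)
INFECTED_COPY = re.compile(r"(?:infekterad kopia av|infected copy of) (\S+)", re.I)


def triage(log_text: str) -> list[Finding]:
    """Scan ComboFix log lines and return the suspicious ones, categorised."""
    findings: list[Finding] = []
    notify_name = None  # set while the DLL line after a Notify key is awaited
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        if notify_name is not None:
            # ComboFix prints the Notify key, then the DLL it points at.
            if line.lower().endswith(".dll"):
                dll = line.split()[-1]
                findings.append(Finding("winlogon_notify_dll", f"{notify_name} -> {dll}"))
                notify_name = None
                continue
            notify_name = None

        m = NOTIFY_KEY.search(line)
        if m:
            notify_name = m.group(1)
            continue

        if FAKE_UNINSTALL_DIR.search(line):
            # Purely numeric folder names and an "@" payload file are the
            # giveaway; a real uninstall folder would not look like this.
            parts = line.split("\\")
            if any(p.isdigit() or p == "@" for p in parts):
                findings.append(Finding("zeroaccess_store", line))
            continue

        m = INFECTED_COPY.search(line)
        if m:
            findings.append(Finding("patched_driver", m.group(1)))
            continue

        m = MISSING_FILE.match(line)
        if m:
            path = m.group(1)
            name = path.rsplit("\\", 1)[-1].lower()
            cat = "missing_network_driver" if name in NETWORK_STACK_DRIVERS else "missing_file"
            findings.append(Finding(cat, path))
            continue

        m = AUTORUN_CMD.search(line)
        if m:
            findings.append(Finding("autorun_command", m.group(1).strip()))
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category, e.g. to decide whether another pass is needed."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed sample: lines in the shape of the ComboFix logs quoted in the thread.
SAMPLE_LOG = r"""
c:\windows\$NtUninstallKB21072$\2418786939\@
c:\windows\$NtUninstallKB21072$\2418786939\cfg.ini
c:\windows\$NtUninstallKB21072$\2418786939\L\xadqgnnk
c:\windows\$NtUninstallKB21072$\3066712622
.
En infekterad kopia av c:\windows\system32\drivers\dtsoftbus01.sys hittades och desinficerades.
c:\windows\system32\drivers\tdx.sys saknades
Återställd kopia från - c:\windows\ERDNT\cache\tdx.sys
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opretuq]
2012-02-10 12:10 10752 ----a-w- c:\windows\System32\config\systemprofile\AppData\Local\opretuq.dll
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{537d904e-0ff4-11e1-bf24-806e6f6e6963}]
\shell\AutoRun\command - G:\INSTALL.EXE
.
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:24} {f.evidence}")
    print(summarise(triage(SAMPLE_LOG)))
```

    Run against a saved `ComboFix.txt` by passing its contents to `triage()`. The benign `Sidebar` Run entry produces no finding, while the recovered `tdx.sys` line is reported under `missing_network_driver`, which is the category that explains a machine that boots but cannot get online.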
     
  17. Broni

    Broni Malware Annihilator Posts: 47,668   +267

    We still have some infection there...

    Turn the computer off.
    Wait 1 minute.
    Turn it back on.
    See if you can boot to normal mode.

    If not, see if you can boot to safe mode.
     
  18. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    Normal mode: it can boot but I can't enter the desktop, it's just all grey with only the recycle bin, no internet either.

    Safe mode: I got into the desktop, seems to work, but no access to internet.
     
  19. Broni

    Broni Malware Annihilator Posts: 47,668   +267

    What about Safe Mode with Networking?
     
  20. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    Nope, just says "Identifying..."
     
  21. Broni

    Broni Malware Annihilator Posts: 47,668   +267

    OK. Hold on....
    Restart to safe mode and have your USB flash drive ready...
     
  22. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    I went into system32/drivers and I can see that afd.sys is gone, just like the last time the internet wouldn't work, but that time it was Avast that removed it.
     
  23. Broni

    Broni Malware Annihilator Posts: 47,668   +267

    We had/have such a severe infection there that setbacks will happen.
    We just have to take it one step at a time....

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\System32\config\systemprofile\AppData\Local\opretuq.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opretuq]
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [image: animation of dragging CFScript.txt onto ComboFix.exe]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  24. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    afd.sys is back, internet got connection, but I can't open up any files, like Internet Explorer.

    ComboFix 12-02-10.03 - Simon 2012-02-11 3:07.6.4 - x86
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.46.1033.18.3327.2675 [GMT 1:00]
    Körs från: G:\ComboFix.exe
    Kommandoväxlar som använts :: c:\users\Simon\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Skapade en ny återställningspunkt
    .
    FILE ::
    "c:\windows\System32\config\systemprofile\AppData\Local\opretuq.dll"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\$NtUninstallKB21072$\2241343191
    c:\windows\$NtUninstallKB21072$\2418786939\@
    c:\windows\$NtUninstallKB21072$\2418786939\cfg.ini
    c:\windows\$NtUninstallKB21072$\2418786939\Desktop.ini
    c:\windows\$NtUninstallKB21072$\2418786939\L\xadqgnnk
    c:\windows\System32\config\systemprofile\AppData\Local\opretuq.dll
    c:\windows\system32\wbem\Performance\WmiApRpl_new.ini
    .
    En infekterad kopia av c:\windows\system32\drivers\dtsoftbus01.sys hittades och desinficerades.
    Återställd kopia från - The cat found it :)
    c:\windows\system32\drivers\afd.sys saknades
    Återställd kopia från - c:\windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_da774a9ad5cea29e\afd.sys
    .
    c:\windows\system32\drivers\tdx.sys saknades
    Återställd kopia från - c:\windows\ERDNT\cache\tdx.sys
    .
    .
    (((((((((((((((((((((((( Filer skapade från 2012-01-11 till 2012-02-11 ))))))))))))))))))))))))))))))
    .
    .
    2012-02-11 07:13 . 2012-02-11 07:31 -------- d-----w- C:\Boot
    2012-02-11 02:14 . 2012-02-11 02:14 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
    2012-02-11 02:12 . 2012-02-11 02:15 -------- d-----w- c:\users\Simon\AppData\Local\temp
    2012-02-11 02:12 . 2012-02-11 02:12 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-02-11 02:12 . 2009-07-13 23:12 74240 ----a-w- c:\windows\system32\drivers\tdx.sys
    2012-02-11 02:12 . 2011-04-25 03:24 338944 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-02-09 23:37 . 2009-07-13 23:45 83456 ----a-w- c:\windows\system32\drivers\Serial.sys
    2012-02-09 23:36 . 2009-07-13 23:12 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
    2012-02-09 22:09 . 2012-02-09 22:09 -------- d-----w- C:\_OTL
    2012-02-08 17:37 . 2012-02-08 17:45 -------- d-----w- c:\program files\GridinSoft Trojan Killer
    2012-02-08 13:49 . 2012-02-10 00:53 -------- d-----w- c:\programdata\AVAST Software
    2012-02-08 13:49 . 2012-02-08 13:49 -------- d-----w- c:\program files\AVAST Software
    2012-02-08 13:26 . 2012-02-08 13:26 -------- d-----w- c:\program files\Common Files\Java
    2012-02-08 02:51 . 2012-02-08 13:10 -------- d-----w- c:\programdata\MFAData
    2012-02-08 01:55 . 2012-02-08 01:55 -------- d-----w- c:\users\Simon\AppData\Roaming\Malwarebytes
    2012-02-08 01:55 . 2012-02-08 01:55 -------- d-----w- c:\programdata\Malwarebytes
    2012-02-08 01:41 . 2012-02-08 01:41 -------- d-----w- c:\program files\Enigma Software Group
    2012-02-08 01:40 . 2012-02-08 01:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2012-01-25 18:19 . 2011-11-17 05:41 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-01-25 18:19 . 2011-11-17 05:41 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
    2012-01-25 18:19 . 2011-11-17 05:39 369352 ----a-w- c:\windows\system32\drivers\cng.sys
    2012-01-25 18:19 . 2011-11-17 05:35 314880 ----a-w- c:\windows\system32\webio.dll
    2012-01-25 18:19 . 2011-11-17 05:34 15872 ----a-w- c:\windows\system32\sspisrv.dll
    2012-01-25 18:19 . 2011-11-17 05:34 100352 ----a-w- c:\windows\system32\sspicli.dll
    2012-01-25 18:19 . 2011-11-17 05:34 224768 ----a-w- c:\windows\system32\schannel.dll
    2012-01-25 18:19 . 2011-11-17 05:34 22016 ----a-w- c:\windows\system32\secur32.dll
    2012-01-25 18:19 . 2011-11-17 05:32 1038848 ----a-w- c:\windows\system32\lsasrv.dll
    2012-01-25 18:19 . 2011-11-17 05:29 22528 ----a-w- c:\windows\system32\lsass.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-02-10 00:46 . 2012-02-11 02:04 239168 ----a-w- c:\windows\system32\drivers\dtsoftbus01.svs
    2012-02-07 22:25 . 2011-08-08 19:00 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-05 17:00 . 2012-01-05 17:00 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\tmpidcrl.dll
    2012-01-05 17:00 . 2011-03-28 17:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2011-11-24 04:25 . 2011-12-15 04:45 2342912 ----a-w- c:\windows\system32\win32k.sys
    2011-11-19 14:01 . 2012-01-10 19:28 67072 ----a-w- c:\windows\system32\packager.dll
    2011-11-17 05:38 . 2012-01-10 19:28 1288472 ----a-w- c:\windows\system32\ntdll.dll
    2011-11-16 01:25 . 2011-11-16 01:25 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
    2011-11-16 01:25 . 2011-11-16 01:25 161792 ----a-w- c:\windows\system32\msls31.dll
    2011-11-16 01:25 . 2011-11-16 01:25 86528 ----a-w- c:\windows\system32\iesysprep.dll
    2011-11-16 01:25 . 2011-11-16 01:25 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
    2011-11-16 01:25 . 2011-11-16 01:25 63488 ----a-w- c:\windows\system32\tdc.ocx
    2011-11-16 01:25 . 2011-11-16 01:25 48640 ----a-w- c:\windows\system32\mshtmler.dll
    2011-11-16 01:25 . 2011-11-16 01:25 367104 ----a-w- c:\windows\system32\html.iec
    2011-11-16 01:25 . 2011-11-16 01:25 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
    2011-11-16 01:25 . 2011-11-16 01:25 74752 ----a-w- c:\windows\system32\iesetup.dll
    2011-11-16 01:25 . 2011-11-16 01:25 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-11-16 01:25 . 2011-11-16 01:25 35840 ----a-w- c:\windows\system32\imgutil.dll
    2011-11-16 01:25 . 2011-11-16 01:25 23552 ----a-w- c:\windows\system32\licmgr10.dll
    2011-11-16 01:25 . 2011-11-16 01:25 152064 ----a-w- c:\windows\system32\wextract.exe
    2011-11-16 01:25 . 2011-11-16 01:25 150528 ----a-w- c:\windows\system32\iexpress.exe
    2011-11-16 01:25 . 2011-11-16 01:25 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2011-11-16 01:25 . 2011-11-16 01:25 11776 ----a-w- c:\windows\system32\mshta.exe
    2011-11-16 01:25 . 2011-11-16 01:25 101888 ----a-w- c:\windows\system32\admparse.dll
    2011-11-16 01:16 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
    2011-11-15 23:37 . 2009-11-26 18:25 428088 ----a-w- c:\windows\system32\drivers\sptd.sys
    .
    .
    (((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Not* tomma poster & legitima standardposter visas inte.
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
    "Facebook Update"="c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-10-18 137536]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-11-10 3514176]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-04 98304]
    "ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2009-06-14 307200]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    BankID säkerhetsprogram.lnk - c:\program files\Personal\bin\Personal.exe [2012-1-24 1140632]
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
    R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\PhotoshopElementsFileAgent.exe [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Tjänsten Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 136176]
    R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\PhotoshopElementsDeviceConnect.exe [x]
    R3 BazisVirtualCDBus;WinCDEmu Virtual Bus Driver;c:\windows\system32\DRIVERS\BazisVirtualCDBus.sys [2010-10-28 98400]
    R3 gupdatem;Tjänsten Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 136176]
    R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
    R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2010-02-20 47360]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
    R3 TsUsbFlt;TsUsbFlt; [x]
    S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-20 176128]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-04-20 7772160]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-04-20 243712]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-06-10 394856]
    .
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    procexp100
    .
    Innehåll i mappen 'Schemalagda aktiviteter':
    .
    2012-02-10 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3512059693-629956888-1013197014-1000Core.job
    - c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-18 17:26]
    .
    2012-02-11 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3512059693-629956888-1013197014-1000UA.job
    - c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-18 17:26]
    .
    2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 20:56]
    .
    2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 20:56]
    .
    .
    ------- Extra genomsökning -------
    .
    uStart Page = hxxp://www.google.se/
    LSP: mswsock.dll
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Simon\AppData\Roaming\Mozilla\Firefox\Profiles\clbeh0im.default\
    FF - user.js: extensions.BabylonToolbar_i.id - 3ce818f1000000000000002618f04b04
    FF - user.js: extensions.BabylonToolbar_i.hardId - 3ce818f1000000000000002618f04b04
    FF - user.js: extensions.BabylonToolbar_i.instlDay - 15344
    FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1717:57
    FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
    FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
    FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
    FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
    FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
    FF - user.js: extensions.BabylonToolbar_i.newTab - false
    FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=100478
    FF - user.js: extensions.BabylonToolbar_i.babExt -
    FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
    FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
    .
    .
    --------------------- LÅSTA REGISTERNYCKLAR ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet003\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Andra processer som körs ------------------------
    .
    c:\windows\system32\atieclxx.exe
    c:\windows\system32\sppsvc.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\windows\system32\taskhost.exe
    c:\windows\system32\WUDFHost.exe
    c:\windows\servicing\TrustedInstaller.exe
    c:\windows\system32\conhost.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    .
    **************************************************************************
    .
    Sluttid: 2012-02-11 03:17:53 - datorn startades om.
    ComboFix-quarantined-files.txt 2012-02-11 02:17
    ComboFix2.txt 2012-02-11 01:20
    ComboFix3.txt 2012-02-11 00:23
    ComboFix4.txt 2012-02-10 23:24
    .
    Före genomsökningen: 35*126*452*224 byte ledigt
    Efter genomsökningen: 35*049*967*616 byte ledigt
    .
    - - End Of File - - 688CE3A876192308AB9129FDD3631D30
     
  25. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    I'm gonna go away 1 day now, I'll be back on Sunday. Plz tell me what the next step is and we continue then =) Thanks a lot so far, you're really good at this stuff!!
     