
System Check virus, a lot of problems

Discussion in 'Virus and Malware Removal' started by MjuTaS, Feb 8, 2012.

  1. MjuTaS Newcomer, in training Posts: 105

  2. MjuTaS Newcomer, in training Posts: 105

    I don't wanna lose the internet connection to the laptop too, so are you sure I can reset the modem/router? :p
  3. Broni Malware Annihilator Posts: 39,324   +175

    Turn computer off.
    Disconnect modem from power source for 1 minute.
    Reconnect.
    Restart computer.

    Then go ahead with Combofix.
  4. MjuTaS Newcomer, in training Posts: 105

    ComboFix 12-02-13.01 - Simon 2012-02-14 1:36.8.4 - x86
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.46.1033.18.3327.2496 [GMT 1:00]
    Körs från: c:\users\Simon\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\$NtUninstallKB21072$\2418786939\@
    c:\windows\$NtUninstallKB21072$\2418786939\cfg.ini
    c:\windows\$NtUninstallKB21072$\2418786939\Desktop.ini
    c:\windows\$NtUninstallKB21072$\2418786939\L\xadqgnnk
    c:\windows\$NtUninstallKB21072$\343653544
    .
    En infekterad kopia av c:\windows\system32\drivers\cdrom.sys hittades och desinficerades.
    Återställd kopia från - The cat found it :)
    c:\windows\system32\drivers\tdx.sys saknades
    Återställd kopia från - c:\windows\ERDNT\cache\tdx.sys
    .
    .
    (((((((((((((((((((((((( Filer skapade från 2012-01-14 till 2012-02-14 ))))))))))))))))))))))))))))))
    .
    .
    2012-02-14 00:42 . 2012-02-14 00:45 -------- d-----w- c:\users\Simon\AppData\Local\temp
    2012-02-14 00:42 . 2012-02-14 00:42 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-02-14 00:34 . 2010-11-20 08:38 108544 ----a-w- c:\windows\system32\drivers\cdrom.sys
    2012-02-12 22:21 . 2012-02-12 22:21 -------- d-----w- c:\users\Simon\AppData\Roaming\SUPERAntiSpyware.com
    2012-02-12 22:20 . 2012-02-12 22:21 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-02-12 22:20 . 2012-02-12 22:20 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2012-02-12 22:01 . 2012-02-12 22:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-02-12 22:01 . 2011-12-10 14:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-02-11 07:13 . 2012-02-11 07:31 -------- d-----w- C:\Boot
    2012-02-11 03:13 . 2012-02-12 22:09 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
    2012-02-11 02:59 . 2011-04-25 03:24 338944 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-02-09 23:37 . 2009-07-13 23:45 83456 ----a-w- c:\windows\system32\drivers\Serial.sys
    2012-02-09 23:36 . 2009-07-13 23:12 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
    2012-02-09 22:09 . 2012-02-09 22:09 -------- d-----w- C:\_OTL
    2012-02-08 17:37 . 2012-02-08 17:45 -------- d-----w- c:\program files\GridinSoft Trojan Killer
    2012-02-08 13:49 . 2012-02-10 00:53 -------- d-----w- c:\programdata\AVAST Software
    2012-02-08 13:49 . 2012-02-08 13:49 -------- d-----w- c:\program files\AVAST Software
    2012-02-08 13:26 . 2012-02-08 13:26 -------- d-----w- c:\program files\Common Files\Java
    2012-02-08 02:51 . 2012-02-08 13:10 -------- d-----w- c:\programdata\MFAData
    2012-02-08 01:55 . 2012-02-08 01:55 -------- d-----w- c:\users\Simon\AppData\Roaming\Malwarebytes
    2012-02-08 01:55 . 2012-02-08 01:55 -------- d-----w- c:\programdata\Malwarebytes
    2012-02-08 01:41 . 2012-02-08 01:41 -------- d-----w- c:\program files\Enigma Software Group
    2012-02-08 01:40 . 2012-02-08 01:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2012-01-25 18:19 . 2011-11-17 05:41 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-01-25 18:19 . 2011-11-17 05:41 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
    2012-01-25 18:19 . 2011-11-17 05:39 369352 ----a-w- c:\windows\system32\drivers\cng.sys
    2012-01-25 18:19 . 2011-11-17 05:35 314880 ----a-w- c:\windows\system32\webio.dll
    2012-01-25 18:19 . 2011-11-17 05:34 15872 ----a-w- c:\windows\system32\sspisrv.dll
    2012-01-25 18:19 . 2011-11-17 05:34 100352 ----a-w- c:\windows\system32\sspicli.dll
    2012-01-25 18:19 . 2011-11-17 05:34 224768 ----a-w- c:\windows\system32\schannel.dll
    2012-01-25 18:19 . 2011-11-17 05:34 22016 ----a-w- c:\windows\system32\secur32.dll
    2012-01-25 18:19 . 2011-11-17 05:32 1038848 ----a-w- c:\windows\system32\lsasrv.dll
    2012-01-25 18:19 . 2011-11-17 05:29 22528 ----a-w- c:\windows\system32\lsass.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-02-10 00:46 . 2012-02-11 02:04 239168 ----a-w- c:\windows\system32\drivers\dtsoftbus01.svs
    2012-02-07 22:25 . 2011-08-08 19:00 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-05 17:00 . 2012-01-05 17:00 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\tmpidcrl.dll
    2012-01-05 17:00 . 2011-03-28 17:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2011-11-24 04:25 . 2011-12-15 04:45 2342912 ----a-w- c:\windows\system32\win32k.sys
    2011-11-19 14:01 . 2012-01-10 19:28 67072 ----a-w- c:\windows\system32\packager.dll
    2011-11-17 05:38 . 2012-01-10 19:28 1288472 ----a-w- c:\windows\system32\ntdll.dll
    2011-11-16 01:25 . 2011-11-16 01:25 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
    2011-11-16 01:25 . 2011-11-16 01:25 161792 ----a-w- c:\windows\system32\msls31.dll
    2011-11-16 01:25 . 2011-11-16 01:25 86528 ----a-w- c:\windows\system32\iesysprep.dll
    2011-11-16 01:25 . 2011-11-16 01:25 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
    2011-11-16 01:25 . 2011-11-16 01:25 63488 ----a-w- c:\windows\system32\tdc.ocx
    2011-11-16 01:25 . 2011-11-16 01:25 48640 ----a-w- c:\windows\system32\mshtmler.dll
    2011-11-16 01:25 . 2011-11-16 01:25 367104 ----a-w- c:\windows\system32\html.iec
    2011-11-16 01:25 . 2011-11-16 01:25 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
    2011-11-16 01:25 . 2011-11-16 01:25 74752 ----a-w- c:\windows\system32\iesetup.dll
    2011-11-16 01:25 . 2011-11-16 01:25 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-11-16 01:25 . 2011-11-16 01:25 35840 ----a-w- c:\windows\system32\imgutil.dll
    2011-11-16 01:25 . 2011-11-16 01:25 23552 ----a-w- c:\windows\system32\licmgr10.dll
    2011-11-16 01:25 . 2011-11-16 01:25 152064 ----a-w- c:\windows\system32\wextract.exe
    2011-11-16 01:25 . 2011-11-16 01:25 150528 ----a-w- c:\windows\system32\iexpress.exe
    2011-11-16 01:25 . 2011-11-16 01:25 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2011-11-16 01:25 . 2011-11-16 01:25 11776 ----a-w- c:\windows\system32\mshta.exe
    2011-11-16 01:25 . 2011-11-16 01:25 101888 ----a-w- c:\windows\system32\admparse.dll
    2011-11-16 01:16 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
    .
    .
    (((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Not* tomma poster & legitima standardposter visas inte.
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
    "Facebook Update"="c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-10-18 137536]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-11-10 3514176]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-04 98304]
    "ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2009-06-14 307200]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    BankID säkerhetsprogram.lnk - c:\program files\Personal\bin\Personal.exe [2012-1-24 1140632]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
    R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\PhotoshopElementsFileAgent.exe [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Tjänsten Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 136176]
    R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\PhotoshopElementsDeviceConnect.exe [x]
    R3 BazisVirtualCDBus;WinCDEmu Virtual Bus Driver;c:\windows\system32\DRIVERS\BazisVirtualCDBus.sys [2010-10-28 98400]
    R3 gupdatem;Tjänsten Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 136176]
    R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2010-02-20 47360]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
    R3 TsUsbFlt;TsUsbFlt; [x]
    S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-20 176128]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-04-20 7772160]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-04-20 243712]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-06-10 394856]
    .
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    procexp100
    pxfhmdfl
    .
    Innehåll i mappen 'Schemalagda aktiviteter':
    .
    2012-02-13 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3512059693-629956888-1013197014-1000Core.job
    - c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-18 17:26]
    .
    2012-02-14 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3512059693-629956888-1013197014-1000UA.job
    - c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-18 17:26]
    .
    2012-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 20:56]
    .
    2012-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 20:56]
    .
    .
    ------- Extra genomsökning -------
    .
    uStart Page = hxxp://www.google.se/
    LSP: mswsock.dll
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Simon\AppData\Roaming\Mozilla\Firefox\Profiles\clbeh0im.default\
    FF - user.js: extensions.BabylonToolbar_i.id - 3ce818f1000000000000002618f04b04
    FF - user.js: extensions.BabylonToolbar_i.hardId - 3ce818f1000000000000002618f04b04
    FF - user.js: extensions.BabylonToolbar_i.instlDay - 15344
    FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1717:57
    FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
    FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
    FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
    FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
    FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
    FF - user.js: extensions.BabylonToolbar_i.newTab - false
    FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=100478
    FF - user.js: extensions.BabylonToolbar_i.babExt -
    FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
    FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
    .
    .
    --------------------- LÅSTA REGISTERNYCKLAR ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet003\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Andra processer som körs ------------------------
    .
    c:\windows\system32\atieclxx.exe
    c:\windows\system32\sppsvc.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\windows\system32\WUDFHost.exe
    c:\windows\system32\taskhost.exe
    c:\windows\servicing\TrustedInstaller.exe
    c:\windows\system32\conhost.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    .
    **************************************************************************
    .
    Sluttid: 2012-02-14 01:47:43 - datorn startades om.
    ComboFix-quarantined-files.txt 2012-02-14 00:47
    ComboFix2.txt 2012-02-11 03:11
    ComboFix3.txt 2012-02-11 02:17
    ComboFix4.txt 2012-02-11 01:20
    ComboFix5.txt 2012-02-14 00:33
    .
    Före genomsökningen: 32*759*107*584 byte ledigt
    Efter genomsökningen: 32*727*388*160 byte ledigt
    .
    - - End Of File - - BC4C83EE9535C3138D4EF81C82E22FA4
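As an added example (not from this thread, from ComboFix, or from its author), a small Python triage helper that reads the deletion/repair block of a ComboFix log like the one above and flags the artifacts this thread turns on: files under a fake `$NtUninstallKB...$` folder with the `@`, `L\` and `cfg.ini` markers, and system drivers that ComboFix reported as infected or missing and replaced. The section and path heuristics are my assumptions, derived only from the log lines posted here; the sample log is a constructed excerpt of the post above.

```python
# Added triage helper (not part of this thread or of ComboFix). Heuristics are
# assumptions drawn only from the log lines posted above.
import re
from dataclasses import dataclass

# Constructed sample: the deletion/repair block of the first ComboFix log above,
# plus one dated listing line to show that ordinary file entries are not flagged.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\$NtUninstallKB21072$\2418786939\@
c:\windows\$NtUninstallKB21072$\2418786939\cfg.ini
c:\windows\$NtUninstallKB21072$\2418786939\Desktop.ini
c:\windows\$NtUninstallKB21072$\2418786939\L\xadqgnnk
c:\windows\$NtUninstallKB21072$\343653544
.
En infekterad kopia av c:\windows\system32\drivers\cdrom.sys hittades och desinficerades.
Återställd kopia från - The cat found it :)
c:\windows\system32\drivers\tdx.sys saknades
Återställd kopia från - c:\windows\ERDNT\cache\tdx.sys
.
(((((((((((((((((((((((( Filer skapade från 2012-01-14 till 2012-02-14 ))))))))))))))))))))))))))))))
.
2012-02-14 00:34 . 2010-11-20 08:38 108544 ----a-w- c:\windows\system32\drivers\cdrom.sys
"""

# Section headers are runs of parentheses around a locale-specific title.
SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")
# Fake uninstall folder: <drive>:\windows\$NtUninstall...$\<digits>[\<marker...>]
FAKE_UNINSTALL_RE = re.compile(
    r"(?i)^(?P<root>[a-z]:\\windows\\\$ntuninstall[^\\$]+\$\\\d+)(?:\\(?P<marker>.+))?$")
# A kernel driver path inside system32\drivers, wherever it appears on the line.
DRIVER_RE = re.compile(r"(?i)[a-z]:\\windows\\system32\\drivers\\[\w.-]+\.sys")
# Dated entries from the "files created" listing start with two timestamps.
LISTING_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. ")
# Sub-paths that, under a fake uninstall folder, mark the layout seen in this thread.
ROOTKIT_MARKERS = {"@", "l", "cfg.ini"}


@dataclass(frozen=True)
class Finding:
    kind: str    # "fake_uninstall_dir" or "driver_replaced"
    path: str    # the path ComboFix reported
    detail: str  # marker below the fake folder, or the restore source


def split_sections(log_text):
    """Group non-empty log lines by section title; pre-header lines go under ''."""
    sections, current = {"": []}, ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and line != ".":
            sections[current].append(line)
    return sections


def triage(log_text):
    """Return findings from the first titled section (deletions and repairs)."""
    sections = split_sections(log_text)
    titles = [t for t in sections if t]
    lines = sections[titles[0]] if titles else []
    findings = []
    for i, line in enumerate(lines):
        m = FAKE_UNINSTALL_RE.match(line)
        if m:
            findings.append(Finding("fake_uninstall_dir", line, m.group("marker") or ""))
            continue
        if LISTING_RE.match(line):
            continue
        d = DRIVER_RE.search(line)
        if d:
            # ComboFix prints the restore source on the following line after " - ".
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            source = nxt.split(" - ", 1)[1] if " - " in nxt else ""
            findings.append(Finding("driver_replaced", d.group(0), source))
    return findings


def verdict(findings):
    """Summarise: is the rootkit folder layout present, which drivers were replaced."""
    markers = {f.detail.split("\\")[0].lower()
               for f in findings if f.kind == "fake_uninstall_dir"}
    drivers = sorted({f.path.rsplit("\\", 1)[1].lower()
                      for f in findings if f.kind == "driver_replaced"})
    return {"zeroaccess_dropper_dir": bool(markers & ROOTKIT_MARKERS),
            "drivers_replaced": drivers}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:19} {f.path}  [{f.detail}]")
    print(verdict(found))
```

Run it against any saved ComboFix log; a replaced driver that reappears as missing in the next log (as tdx.sys does later in this thread) is the sign that the rootkit is still re-hooking after each cleanup.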
  5. MjuTaS Newcomer, in training Posts: 105

    When I follow your post #148 I get tdx.sys back in the folder, but after a restart it's gone again. All this happened after I ran SUPERAntiSpyware; it is in quarantine there.
    But I set the program to NOT run when Windows starts, so I wonder what's taking the file away every time.
  6. Broni Malware Annihilator Posts: 39,324   +175

    How are we doing now?

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\dds_trash_log.cmd
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation: CFScript.txt dragged onto ComboFix.exe]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  7. Broni Malware Annihilator Posts: 39,324   +175

    Combofix fixed tdx.sys issue.
    Do not run any extra steps without talking to me.
  8. MjuTaS Newcomer, in training Posts: 105

    Every time I run ComboFix it says the computer is infected with the ZeroAccess rootkit and has to restart. Seems like that virus is hard to remove :D And this time I got access denied to the desktop when it restarted, just like before. Should I run it in safe mode again with some script?
  9. MjuTaS Newcomer, in training Posts: 105

    No, I'm not doing extra steps. It was before, when you asked; I just forgot to tell you that the file was there, but when I restarted it was gone again.
  10. Broni Malware Annihilator Posts: 39,324   +175

    Go ahead and run the fix from my reply #166 from safe mode.
  11. MjuTaS Newcomer, in training Posts: 105

    OK, when you asked me to run ComboFix in reply #166 it restarted as I said, no desktop showed up and ComboFix wasn't complete. Now I just started the computer in safe mode and ComboFix came up running by itself; I'll post that log when it's done.
  12. Broni Malware Annihilator Posts: 39,324   +175

    OK..................
    In the future if Combofix is still doing its thing let it run.
    I thought it was done.
  13. MjuTaS Newcomer, in training Posts: 105

    No, what I mean is, it didn't show up at all. Nothing on the computer started then; this is the same "ComboFix run" as I started before. The blue box came up and then a message that the computer is infected with the ZeroAccess rootkit and has to restart. When it started up again nothing worked, but now when I started in safe mode that same "ComboFix run" started again. Here is the log:


    ComboFix 12-02-13.01 - Simon 2012-02-14 2:17.9.4 - x86 MINIMAL
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.46.1033.18.3327.2686 [GMT 1:00]
    Körs från: c:\users\Simon\Desktop\ComboFix.exe
    Kommandoväxlar som använts :: c:\users\Simon\Desktop\CFscript.txt
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\windows\system32\dds_trash_log.cmd"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\$NtUninstallKB21072$\2418786939\@
    c:\windows\$NtUninstallKB21072$\2418786939\cfg.ini
    c:\windows\$NtUninstallKB21072$\2418786939\Desktop.ini
    c:\windows\$NtUninstallKB21072$\2418786939\L\xadqgnnk
    c:\windows\$NtUninstallKB21072$\2494549919
    c:\windows\system32\dds_trash_log.cmd
    c:\windows\system32\wbem\Performance\WmiApRpl_new.ini
    .
    En infekterad kopia av c:\windows\system32\drivers\cdrom.sys hittades och desinficerades.
    Återställd kopia från - The cat found it :)
    c:\windows\system32\drivers\afd.sys saknades
    Återställd kopia från - c:\windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_da774a9ad5cea29e\afd.sys
    .
    c:\windows\system32\drivers\cdrom.sys saknades
    Återställd kopia från - c:\windows\System32\DriverStore\FileRepository\cdrom.inf_x86_neutral_6381e09675524225\cdrom.sys
    .
    c:\windows\system32\drivers\tdx.sys saknades
    Återställd kopia från - c:\windows\ERDNT\cache\tdx.sys
    .
    .
    (((((((((((((((((((((((( Filer skapade från 2012-01-14 till 2012-02-14 ))))))))))))))))))))))))))))))
    .
    .
    2012-02-14 01:22 . 2012-02-14 01:24 -------- d-----w- c:\users\Simon\AppData\Local\temp
    2012-02-14 01:22 . 2012-02-14 01:22 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-02-14 01:22 . 2010-11-20 08:38 108544 ----a-w- c:\windows\system32\drivers\cdrom.sys
    2012-02-14 01:22 . 2011-04-25 03:24 338944 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-02-12 22:21 . 2012-02-12 22:21 -------- d-----w- c:\users\Simon\AppData\Roaming\SUPERAntiSpyware.com
    2012-02-12 22:20 . 2012-02-12 22:21 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-02-12 22:20 . 2012-02-12 22:20 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2012-02-12 22:01 . 2012-02-12 22:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-02-12 22:01 . 2011-12-10 14:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-02-11 07:13 . 2012-02-11 07:31 -------- d-----w- C:\Boot
    2012-02-09 23:37 . 2009-07-13 23:45 83456 ----a-w- c:\windows\system32\drivers\Serial.sys
    2012-02-09 23:36 . 2009-07-13 23:12 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
    2012-02-09 22:09 . 2012-02-09 22:09 -------- d-----w- C:\_OTL
    2012-02-08 17:37 . 2012-02-08 17:45 -------- d-----w- c:\program files\GridinSoft Trojan Killer
    2012-02-08 13:49 . 2012-02-10 00:53 -------- d-----w- c:\programdata\AVAST Software
    2012-02-08 13:49 . 2012-02-08 13:49 -------- d-----w- c:\program files\AVAST Software
    2012-02-08 13:26 . 2012-02-08 13:26 -------- d-----w- c:\program files\Common Files\Java
    2012-02-08 02:51 . 2012-02-08 13:10 -------- d-----w- c:\programdata\MFAData
    2012-02-08 01:55 . 2012-02-08 01:55 -------- d-----w- c:\users\Simon\AppData\Roaming\Malwarebytes
    2012-02-08 01:55 . 2012-02-08 01:55 -------- d-----w- c:\programdata\Malwarebytes
    2012-02-08 01:41 . 2012-02-08 01:41 -------- d-----w- c:\program files\Enigma Software Group
    2012-02-08 01:40 . 2012-02-08 01:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2012-01-25 18:19 . 2011-11-17 05:41 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-01-25 18:19 . 2011-11-17 05:41 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
    2012-01-25 18:19 . 2011-11-17 05:39 369352 ----a-w- c:\windows\system32\drivers\cng.sys
    2012-01-25 18:19 . 2011-11-17 05:35 314880 ----a-w- c:\windows\system32\webio.dll
    2012-01-25 18:19 . 2011-11-17 05:34 15872 ----a-w- c:\windows\system32\sspisrv.dll
    2012-01-25 18:19 . 2011-11-17 05:34 100352 ----a-w- c:\windows\system32\sspicli.dll
    2012-01-25 18:19 . 2011-11-17 05:34 224768 ----a-w- c:\windows\system32\schannel.dll
    2012-01-25 18:19 . 2011-11-17 05:34 22016 ----a-w- c:\windows\system32\secur32.dll
    2012-01-25 18:19 . 2011-11-17 05:32 1038848 ----a-w- c:\windows\system32\lsasrv.dll
    2012-01-25 18:19 . 2011-11-17 05:29 22528 ----a-w- c:\windows\system32\lsass.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-02-10 00:46 . 2012-02-11 02:04 239168 ----a-w- c:\windows\system32\drivers\dtsoftbus01.svs
    2012-02-07 22:25 . 2011-08-08 19:00 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-05 17:00 . 2012-01-05 17:00 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\tmpidcrl.dll
    2012-01-05 17:00 . 2011-03-28 17:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2011-11-24 04:25 . 2011-12-15 04:45 2342912 ----a-w- c:\windows\system32\win32k.sys
    2011-11-19 14:01 . 2012-01-10 19:28 67072 ----a-w- c:\windows\system32\packager.dll
    2011-11-17 05:38 . 2012-01-10 19:28 1288472 ----a-w- c:\windows\system32\ntdll.dll
    .
    .
    (((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Not* tomma poster & legitima standardposter visas inte.
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
    "Facebook Update"="c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-10-18 137536]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-11-10 3514176]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-04 98304]
    "ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2009-06-14 307200]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    BankID säkerhetsprogram.lnk - c:\program files\Personal\bin\Personal.exe [2012-1-24 1140632]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
    R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\PhotoshopElementsFileAgent.exe [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Tjänsten Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 136176]
    R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\PhotoshopElementsDeviceConnect.exe [x]
    R3 BazisVirtualCDBus;WinCDEmu Virtual Bus Driver;c:\windows\system32\DRIVERS\BazisVirtualCDBus.sys [2010-10-28 98400]
    R3 gupdatem;Tjänsten Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 136176]
    R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2010-02-20 47360]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
    R3 TsUsbFlt;TsUsbFlt; [x]
    S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-20 176128]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-04-20 7772160]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-04-20 243712]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-06-10 394856]
    .
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    procexp100
    pxfhmdfl
    .
    Innehåll i mappen 'Schemalagda aktiviteter':
    .
    2012-02-13 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3512059693-629956888-1013197014-1000Core.job
    - c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-18 17:26]
    .
    2012-02-14 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3512059693-629956888-1013197014-1000UA.job
    - c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-18 17:26]
    .
    2012-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 20:56]
    .
    2012-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 20:56]
    .
    .
    ------- Extra genomsökning -------
    .
    uStart Page = hxxp://www.google.se/
    LSP: mswsock.dll
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Simon\AppData\Roaming\Mozilla\Firefox\Profiles\clbeh0im.default\
    FF - user.js: extensions.BabylonToolbar_i.id - 3ce818f1000000000000002618f04b04
    FF - user.js: extensions.BabylonToolbar_i.hardId - 3ce818f1000000000000002618f04b04
    FF - user.js: extensions.BabylonToolbar_i.instlDay - 15344
    FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1717:57
    FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
    FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
    FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
    FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
    FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
    FF - user.js: extensions.BabylonToolbar_i.newTab - false
    FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=100478
    FF - user.js: extensions.BabylonToolbar_i.babExt -
    FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
    FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
    .
    .
    --------------------- LÅSTA REGISTERNYCKLAR ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet003\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Andra processer som körs ------------------------
    .
    c:\windows\system32\atieclxx.exe
    c:\windows\system32\sppsvc.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\windows\system32\WUDFHost.exe
    c:\windows\servicing\TrustedInstaller.exe
    c:\windows\system32\taskhost.exe
    c:\windows\system32\conhost.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    .
    **************************************************************************
    .
    Sluttid: 2012-02-14 02:27:08 - datorn startades om.
    ComboFix-quarantined-files.txt 2012-02-14 01:27
    ComboFix2.txt 2012-02-14 00:47
    ComboFix3.txt 2012-02-11 03:11
    ComboFix4.txt 2012-02-11 02:17
    ComboFix5.txt 2012-02-14 01:07
    .
    Före genomsökningen: 32*722*264*064 byte ledigt
    Efter genomsökningen: 32*621*412*352 byte ledigt
    .
    - - End Of File - - E627CB6953BC705701AAF6B1998EB99B
  14. Broni Malware Annihilator Posts: 39,324   +175

    OK, re-run it again from safe mode and let me know if you still get the warning about the ZeroAccess rootkit.
  15. MjuTaS Newcomer, in training Posts: 105

    OK, with the script?
  16. Broni Malware Annihilator Posts: 39,324   +175

    No. Just straight scan.
  17. MjuTaS Newcomer, in training Posts: 105

    Yes, still got that message, and now it restarted.
  18. MjuTaS Newcomer, in training Posts: 105

    And the desktop and all is gone again; restart into safe mode?
  19. Broni Malware Annihilator Posts: 39,324   +175

    Go ahead.....
  20. MjuTaS Newcomer, in training Posts: 105

    I guess you like my computer as much as I do :) Always something wrong haha

    I started in safe mode and ComboFix started again and finished the scan just like last time.