Inactive System Check virus, a lot of problems

Now Google is working for me again, no redirection =)

ListParts by Farbar
Ran by Simon on 10-02-2012 at 23:33:23
Windows 7 (X86)
Running From: C:\Users\Simon\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 22%
Total physical RAM: 3327.18 MB
Available physical RAM: 2583.12 MB
Total Pagefile: 6652.64 MB
Available Pagefile: 5815.63 MB
Total Virtual: 2047.88 MB
Available Virtual: 1954.29 MB

======================= Partitions =========================

1 Drive c: (System) (Fixed) (Total:78.03 GB) (Free:30.99 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (Backup) (Fixed) (Total:387.63 GB) (Free:148.05 GB) NTFS
3 Drive e: (Reparationsskiva för Windows 7, ) (CDROM) (Total:0.14 GB) (Free:0 GB) UDF

Disk ###  Status      Size     Free     Dyn  Gpt
--------  ----------  -------  -------  ---  ---
Disk 0    Online      465 GB   1024 KB

DiskPart is exiting...

Partitions of Disk 0 Online 465 GB 1024 KB:
===============

The arguments specified for the command are not valid.
For more information about the command, type: HELP SELECT DISK

No disk has been selected.


****** End Of Log ******




Bootkit Remover is green on PhysicalDrive0 now, it was red before :)

Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows 7 Ultimate Edition Service Pack 1 (build 7601), 32-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`06500000
Boot sector MD5 is: bb4f1627d8b9beda49ac0d010229f3ff

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...
 
:D

aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-10 23:40:09
-----------------------------
23:40:09.200 OS Version: Windows 6.1.7601 Service Pack 1
23:40:09.200 Number of processors: 4 586 0x402
23:40:09.200 ComputerName: SIMON-PC UserName: Simon
23:40:09.543 Initialize success
23:41:19.826 AVAST engine defs: 12021001
23:41:30.402 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
23:41:30.402 Disk 0 Vendor: WDC_WD5001AALS-00L3B2 01.03B01 Size: 476940MB BusType: 3
23:41:30.418 Disk 0 MBR read successfully
23:41:30.418 Disk 0 MBR scan
23:41:30.418 Disk 0 Windows 7 default MBR code
23:41:30.418 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 100 MB offset 2048
23:41:30.434 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 79900 MB offset 206848
23:41:30.449 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 396937 MB offset 163842048
23:41:30.449 Disk 0 scanning sectors +976769024
23:41:30.512 Disk 0 scanning C:\Windows\system32\drivers
23:41:41.525 File: C:\Windows\system32\drivers\tdx.sys **INFECTED** Win32:Sirefef-JQ [Trj]
23:41:42.648 Disk 0 trace - called modules:
23:41:42.664 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8d3f0fc0]<<
23:41:42.680 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x875f7030]
23:41:42.680 3 CLASSPNP.SYS[8d2c359e] -> nt!IofCallDriver -> [0x87855028]
23:41:42.680 \Driver\00000418[0x87855ab8] -> IRP_MJ_CREATE -> 0x8d3f0fc0
23:41:43.101 AVAST engine scan C:\Windows
23:41:44.754 AVAST engine scan C:\Windows\system32
23:43:27.247 AVAST engine scan C:\Windows\system32\drivers
23:43:40.429 File: C:\Windows\system32\drivers\tdx.sys **INFECTED** Win32:Sirefef-JQ [Trj]
23:43:41.864 AVAST engine scan C:\Users\Simon
23:47:32.745 AVAST engine scan C:\ProgramData
23:50:15.750 Scan finished successfully
23:51:14.297 Disk 0 MBR has been saved successfully to "C:\Users\Simon\Desktop\MBR.dat"
23:51:14.312 The log file has been saved successfully to "C:\Users\Simon\Desktop\aswMBR.txt"
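Both logs above come down to reading the first sector of PhysicalDrive0 and judging it: aswMBR decodes the partition table (three NTFS entries, the second one active at offset 206848) and checks the boot code against the Windows 7 default, while Bootkit Remover hashes the boot sector of \\.\C: and reports the MBR code as OK. As an added example that is not part of this post or of either tool, the PowerShell function below does the same decoding from an elevated prompt, against either the raw disk or the MBR.dat that aswMBR just saved. The default device path, the property names and the choice to hash the 440-byte code area separately are mine, not anything the tools document.

```powershell
# Added example, not part of the thread or of either tool. Decodes a master boot
# record the way aswMBR and Bootkit Remover report it: the 55AA signature, the
# four partition-table entries, an MD5 of the boot code, and the MD5 of each
# partition's first sector (the value Bootkit Remover prints for \\.\C:).
# Reads the raw disk (elevated prompt required) or a 512-byte dump such as the
# MBR.dat aswMBR saved; disk 0 as the default is an assumption taken from the logs.
function Get-MbrInfo {
    param([string]$Path = '\\.\PhysicalDrive0')

    $md5 = [System.Security.Cryptography.MD5]::Create()
    function Get-Md5Hex([byte[]]$Bytes) { ([BitConverter]::ToString($md5.ComputeHash($Bytes))).Replace('-', '').ToLower() }

    $fs = New-Object System.IO.FileStream($Path, [IO.FileMode]::Open, [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite)
    try {
        $mbr = New-Object byte[] 512
        if ($fs.Read($mbr, 0, 512) -ne 512) { throw "short read from $Path" }

        $entries = @()
        for ($i = 0; $i -lt 4; $i++) {
            $o = 446 + 16 * $i                       # partition table starts at byte 446
            if ($mbr[$o + 4] -eq 0) { continue }     # type 0x00 = empty slot
            $start = [BitConverter]::ToUInt32($mbr, $o + 8)

            # First sector of the partition (its VBR). Only reachable on the raw disk;
            # on a 512-byte dump the seek/read fails or comes back short, leaving $null.
            $vbrMd5 = $null
            try {
                $vbr = New-Object byte[] 512
                [void]$fs.Seek([long]$start * 512, [IO.SeekOrigin]::Begin)
                if ($fs.Read($vbr, 0, 512) -eq 512) { $vbrMd5 = Get-Md5Hex $vbr }
            } catch { $vbrMd5 = $null }

            $entries += New-Object PSObject -Property @{
                Index    = $i + 1
                Active   = ($mbr[$o] -eq 0x80)       # aswMBR prints this as "80 (A)"
                Type     = ('0x{0:X2}' -f $mbr[$o + 4])
                StartLBA = $start
                SizeMB   = [int]([BitConverter]::ToUInt32($mbr, $o + 12) / 2048)   # 512-byte sectors
                VbrMD5   = $vbrMd5
            }
        }
    } finally { $fs.Close() }

    # Bytes 0-439 are the boot code, normally identical on clean installs of the same
    # Windows version, so they can be compared with a trusted baseline. The full sector
    # also holds the disk signature and the partition table, which are machine-specific.
    New-Object PSObject -Property @{
        Source      = $Path
        SignatureOK = ($mbr[510] -eq 0x55 -and $mbr[511] -eq 0xAA)
        BootCodeMD5 = Get-Md5Hex ($mbr[0..439])
        SectorMD5   = Get-Md5Hex $mbr
        ActiveCount = @($entries | Where-Object { $_.Active }).Count
        Partitions  = $entries
    }
}

# Usage, e.g. against the dump aswMBR wrote:
#   $m = Get-MbrInfo -Path 'C:\Users\Simon\Desktop\MBR.dat'
#   $m | Format-List Source, SignatureOK, ActiveCount, BootCodeMD5, SectorMD5
#   $m.Partitions | Format-Table Index, Active, Type, StartLBA, SizeMB, VbrMD5 -AutoSize
```

For the disk in these logs the expected result is SignatureOK true, ActiveCount 1, and three entries of Type 0x07 at LBA 2048, 206848 and 163842048 with the second marked Active. Run against the raw disk, the VbrMD5 of that second entry is the sector Bootkit Remover hashed: its offset 0x06500000 is exactly 206848 sectors of 512 bytes. BootCodeMD5 is only meaningful against a value you recorded from a known-clean install of the same Windows version; a boot code that changes across reboots while the partition table stays the same is the signature of an MBR bootkit, which is what these two tools were run to rule out.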
 
Excellent!

We still have work to do but the worst seems to be over.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.



Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode (How to...)

2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shut down your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
OK, last time I ran ComboFix it said that AVG Anti-Virus Free is running both as virus protection and spyware protection. The thing is, I don't have AVG Anti-Virus Free; I've uninstalled ALL my virus programs. I had AVG before.

I tried that AppRemover program but it didn't find anything. Should I run ComboFix anyway?
 
ComboFix 12-02-02.02 - Simon 2012-02-11 0:22.3.4 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.46.1033.18.3327.2268 [GMT 1:00]
Running from: c:\users\Simon\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-- Previous Run --
.
c:\windows\system32\drivers\netbt.sys was missing
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys
.
c:\windows\system32\drivers\cdrom.sys was missing
Restored copy from - c:\windows\System32\DriverStore\FileRepository\cdrom.inf_x86_neutral_6381e09675524225\cdrom.sys
.
c:\windows\system32\drivers\Serial.sys was missing
Restored copy from - c:\windows\System32\DriverStore\FileRepository\msports.inf_x86_neutral_c1a802e06677f73f\serial.sys
.
c:\windows\system32\drivers\tdx.sys was missing
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys
.
--------
.
.
(((((((((((((((((((((((( Files Created from 2012-01-10 to 2012-02-10 ))))))))))))))))))))))))))))))
.
.
2012-02-11 07:13 . 2012-02-11 07:31 -------- d-----w- C:\Boot
2012-02-10 23:22 . 2012-02-10 23:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-09 23:37 . 2012-02-10 23:23 -------- d-----w- c:\users\Simon\AppData\Local\temp
2012-02-09 23:37 . 2009-07-13 23:12 74240 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-02-09 22:09 . 2009-07-13 23:12 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-09 22:09 . 2012-02-09 22:09 -------- d-----w- C:\_OTL
2012-02-08 17:37 . 2012-02-08 17:45 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2012-02-08 13:49 . 2012-02-10 00:53 -------- d-----w- c:\programdata\AVAST Software
2012-02-08 13:49 . 2012-02-08 13:49 -------- d-----w- c:\program files\AVAST Software
2012-02-08 13:26 . 2012-02-08 13:26 -------- d-----w- c:\program files\Common Files\Java
2012-02-08 02:51 . 2012-02-08 13:10 -------- d-----w- c:\programdata\MFAData
2012-02-08 01:55 . 2012-02-08 01:55 -------- d-----w- c:\users\Simon\AppData\Roaming\Malwarebytes
2012-02-08 01:55 . 2012-02-08 01:55 -------- d-----w- c:\programdata\Malwarebytes
2012-02-08 01:41 . 2012-02-08 01:41 -------- d-----w- c:\program files\Enigma Software Group
2012-02-08 01:40 . 2012-02-08 01:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-02-07 22:25 . 2012-02-10 22:32 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-01-25 18:19 . 2011-11-17 05:41 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-25 18:19 . 2011-11-17 05:41 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-25 18:19 . 2011-11-17 05:39 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-25 18:19 . 2011-11-17 05:35 314880 ----a-w- c:\windows\system32\webio.dll
2012-01-25 18:19 . 2011-11-17 05:34 15872 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-25 18:19 . 2011-11-17 05:34 100352 ----a-w- c:\windows\system32\sspicli.dll
2012-01-25 18:19 . 2011-11-17 05:34 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-25 18:19 . 2011-11-17 05:34 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-25 18:19 . 2011-11-17 05:32 1038848 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-25 18:19 . 2011-11-17 05:29 22528 ----a-w- c:\windows\system32\lsass.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-10 00:46 . 2011-11-16 00:40 239168 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-02-07 22:25 . 2011-08-08 19:00 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-05 17:00 . 2012-01-05 17:00 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\tmpidcrl.dll
2012-01-05 17:00 . 2011-03-28 17:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-11-24 04:25 . 2011-12-15 04:45 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-11-19 14:01 . 2012-01-10 19:28 67072 ----a-w- c:\windows\system32\packager.dll
2011-11-17 05:38 . 2012-01-10 19:28 1288472 ----a-w- c:\windows\system32\ntdll.dll
2011-11-16 01:25 . 2011-11-16 01:25 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-11-16 01:25 . 2011-11-16 01:25 161792 ----a-w- c:\windows\system32\msls31.dll
2011-11-16 01:25 . 2011-11-16 01:25 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-11-16 01:25 . 2011-11-16 01:25 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-11-16 01:25 . 2011-11-16 01:25 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-11-16 01:25 . 2011-11-16 01:25 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-11-16 01:25 . 2011-11-16 01:25 367104 ----a-w- c:\windows\system32\html.iec
2011-11-16 01:25 . 2011-11-16 01:25 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-11-16 01:25 . 2011-11-16 01:25 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-11-16 01:25 . 2011-11-16 01:25 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-11-16 01:25 . 2011-11-16 01:25 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-11-16 01:25 . 2011-11-16 01:25 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-16 01:25 . 2011-11-16 01:25 152064 ----a-w- c:\windows\system32\wextract.exe
2011-11-16 01:25 . 2011-11-16 01:25 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-11-16 01:25 . 2011-11-16 01:25 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-11-16 01:25 . 2011-11-16 01:25 11776 ----a-w- c:\windows\system32\mshta.exe
2011-11-16 01:25 . 2011-11-16 01:25 101888 ----a-w- c:\windows\system32\admparse.dll
2011-11-16 01:16 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-11-15 23:37 . 2009-11-26 18:25 428088 ----a-w- c:\windows\system32\drivers\sptd.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-07-13 23:12 . 38F57D262164CB35BC8659785703CD6B . 74240 . . [------] . . c:\windows\System32\drivers\tdx.sys
[7] 2009-07-13 . CB39E896A2A83702D1737BFD402B3542 . 74240 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys
.
(((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"Facebook Update"="c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-10-18 137536]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-11-10 3514176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-04 98304]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2009-06-14 307200]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BankID säkerhetsprogram.lnk - c:\program files\Personal\bin\Personal.exe [2012-1-24 1140632]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opretuq]
2012-02-10 12:10 10752 ----a-w- c:\windows\System32\config\systemprofile\AppData\Local\opretuq.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\PhotoshopElementsFileAgent.exe [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 136176]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\PhotoshopElementsDeviceConnect.exe [x]
R3 BazisVirtualCDBus;WinCDEmu Virtual Bus Driver;c:\windows\system32\DRIVERS\BazisVirtualCDBus.sys [2010-10-28 98400]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 136176]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2010-02-20 47360]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt; [x]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-02-10 239168]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-20 176128]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-04-20 7772160]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-04-20 243712]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-06-10 394856]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWMBR
*Deregistered* - aswMBR
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
procexp100
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{537d904e-0ff4-11e1-bf24-806e6f6e6963}]
\shell\AutoRun\command - G:\INSTALL.EXE
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e686c22-d79b-11de-9ee0-806e6f6e6963}]
\shell\AutoRun\command - E:\SETUP.EXE
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{963aaa25-16b3-11df-964d-002618f04b04}]
\shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder:
.
2012-02-10 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3512059693-629956888-1013197014-1000Core.job
- c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-18 17:26]
.
2012-02-10 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3512059693-629956888-1013197014-1000UA.job
- c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-18 17:26]
.
2012-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 20:56]
.
2012-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 20:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.se/
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Simon\AppData\Roaming\Mozilla\Firefox\Profiles\clbeh0im.default\
FF - user.js: extensions.BabylonToolbar_i.id - 3ce818f1000000000000002618f04b04
FF - user.js: extensions.BabylonToolbar_i.hardId - 3ce818f1000000000000002618f04b04
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15344
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1717:57
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=100478
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-facemoods - c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe
AddRemove-facemoods - c:\program files\facemoods.com\facemoods\1.4.17.11\uninstall.exe
AddRemove-Svenska Spels Poker - c:\casino\SVENSK~1\UNWISE.EXE
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(496)
c:\windows\system32\mswsock.dll
mswsock.dll 75160000 245760 \\.\globalroot\systemroot\system32\mswsock.dll
.
Completion time: 2012-02-11 00:24:14
ComboFix-quarantined-files.txt 2012-02-10 23:24
.
Pre-Run: 35,363,512,320 bytes free
Post-Run: 35,421,814,784 bytes free
.
- - End Of File - - 8909D7E98BE8BCF7E4EA5AA79315ACF8
 
1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
FCopy::
c:\windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys | c:\windows\System32\drivers\tdx.sys

File::
c:\windows\system32\dds_trash_log.cmd

ClearJavaCache::


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

(animation: CFScript.gif, dragging CFScript.txt onto ComboFix.exe)



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
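The FCopy line above replaces the live tdx.sys with the component-store copy, and the Sigcheck section of the log is the evidence for doing so: same size, different MD5, and the version resource gone from the file in System32\drivers. As an added example that is not part of this post or of ComboFix, the PowerShell below re-checks those indicators for each driver ComboFix had to restore on this machine: it hashes the live driver, compares it with every copy kept in WinSxS and the DriverStore, reads the version resource, and reports the embedded signature state. The driver list, the paths and the "Suspicious" rule are my assumptions; it expects the Windows 7 x86 layout shown in the logs and an elevated prompt.

```powershell
# Added example, not part of the thread or of ComboFix. Re-checks the indicators
# ComboFix's Sigcheck section shows for the patched tdx.sys: an MD5 that matches
# none of the copies the servicing stack keeps, and a missing version resource
# ([------] instead of [6.1.7600.16385]). Assumptions: Windows 7 x86 layout as
# in the logs; run from an elevated prompt; the driver list is mine.
function Test-DriverIntegrity {
    param(
        # The drivers ComboFix reported missing and restored, plus afd.sys, which the
        # log shows replaced on 2012-02-09 as well; extend the list as needed.
        [string[]]$Drivers = @('tdx.sys', 'netbt.sys', 'cdrom.sys', 'serial.sys', 'afd.sys'),
        [string]$WinDir = $env:windir
    )
    $md5 = [System.Security.Cryptography.MD5]::Create()
    function Get-Md5Hex([string]$FilePath) {
        ([BitConverter]::ToString($md5.ComputeHash([IO.File]::ReadAllBytes($FilePath)))).Replace('-', '')
    }

    foreach ($name in $Drivers) {
        $live = Join-Path $WinDir "System32\drivers\$name"
        $r = New-Object PSObject -Property @{
            Driver = $name; Present = (Test-Path $live); LiveMD5 = $null; Version = $null
            StoreCopies = 0; StoreMatch = $false; Signature = $null; Suspicious = $false
        }
        if (-not $r.Present) {     # ComboFix found four of these missing outright
            $r.Suspicious = $true; $r; continue
        }

        $r.LiveMD5 = Get-Md5Hex $live
        $r.Version = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($live).FileVersion
        # Embedded Authenticode only. Windows 7 inbox drivers are catalog-signed and
        # report NotSigned here, so only 'Valid' is conclusive; use Sysinternals sigcheck
        # for the catalog check.
        $r.Signature = (Get-AuthenticodeSignature -FilePath $live).Status.ToString()

        # Every copy the servicing stack keeps (each version ever installed stays in
        # WinSxS); a clean driver matches at least one of them.
        $patterns = @("$WinDir\winsxs\*\$name", "$WinDir\System32\DriverStore\FileRepository\*\$name")
        $store = @(Get-ChildItem -Path $patterns -ErrorAction SilentlyContinue)
        $storeHashes = @(foreach ($f in $store) { Get-Md5Hex $f.FullName })
        $r.StoreCopies = $store.Count
        $r.StoreMatch  = ($storeHashes -contains $r.LiveMD5)
        $r.Suspicious  = (-not $r.StoreMatch) -or [string]::IsNullOrEmpty($r.Version)
        $r
    }
}

# Usage:
#   Test-DriverIntegrity | Format-Table Driver, Present, Version, StoreCopies, StoreMatch, Signature, Suspicious -AutoSize
```

After the FCopy, tdx.sys should come back with StoreMatch True and the 6.1.7600.16385 version the store copy carries; the same result after another reboot is what tells you the component that patched the driver is gone, while a fresh mismatch means it is still active and the file was re-patched. The hash comparison is the decisive check on Windows 7, because Get-AuthenticodeSignature does not consult the driver catalogs there and reports NotSigned for clean inbox drivers.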
 
ComboFix 12-02-02.02 - Simon 2012-02-11 1:22.4.4 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.46.1033.18.3327.2286 [GMT 1:00]
Running from: c:\users\Simon\Desktop\ComboFix.exe
Command switches used :: c:\users\Simon\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
- REDUCED FUNCTIONALITY MODE -
.
FILE ::
"c:\windows\system32\dds_trash_log.cmd"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\dds_trash_log.cmd
.
.
--------------- FCopy ---------------
.
c:\windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys --> c:\windows\System32\drivers\tdx.sys
.
(((((((((((((((((((((((( Files Created from 2012-01-11 to 2012-02-11 ))))))))))))))))))))))))))))))
.
.
2012-02-11 07:13 . 2012-02-11 07:31 -------- d-----w- C:\Boot
2012-02-11 00:22 . 2012-02-11 00:22 -------- d-----w- c:\users\Simon\AppData\Local\temp
2012-02-11 00:22 . 2012-02-11 00:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-09 23:37 . 2009-07-13 23:12 74240 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-02-09 23:37 . 2009-07-13 23:45 83456 ----a-w- c:\windows\system32\drivers\Serial.sys
2012-02-09 23:36 . 2010-11-20 08:38 108544 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-02-09 23:36 . 2009-07-13 23:12 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-09 22:09 . 2009-07-13 23:12 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-09 22:09 . 2012-02-09 22:09 -------- d-----w- C:\_OTL
2012-02-08 17:37 . 2012-02-08 17:45 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2012-02-08 13:49 . 2012-02-10 00:53 -------- d-----w- c:\programdata\AVAST Software
2012-02-08 13:49 . 2012-02-08 13:49 -------- d-----w- c:\program files\AVAST Software
2012-02-08 13:26 . 2012-02-08 13:26 -------- d-----w- c:\program files\Common Files\Java
2012-02-08 02:51 . 2012-02-08 13:10 -------- d-----w- c:\programdata\MFAData
2012-02-08 01:55 . 2012-02-08 01:55 -------- d-----w- c:\users\Simon\AppData\Roaming\Malwarebytes
2012-02-08 01:55 . 2012-02-08 01:55 -------- d-----w- c:\programdata\Malwarebytes
2012-02-08 01:41 . 2012-02-08 01:41 -------- d-----w- c:\program files\Enigma Software Group
2012-02-08 01:40 . 2012-02-08 01:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-01-25 18:19 . 2011-11-17 05:41 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-25 18:19 . 2011-11-17 05:41 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-25 18:19 . 2011-11-17 05:39 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-25 18:19 . 2011-11-17 05:35 314880 ----a-w- c:\windows\system32\webio.dll
2012-01-25 18:19 . 2011-11-17 05:34 15872 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-25 18:19 . 2011-11-17 05:34 100352 ----a-w- c:\windows\system32\sspicli.dll
2012-01-25 18:19 . 2011-11-17 05:34 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-25 18:19 . 2011-11-17 05:34 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-25 18:19 . 2011-11-17 05:32 1038848 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-25 18:19 . 2011-11-17 05:29 22528 ----a-w- c:\windows\system32\lsass.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-10 00:46 . 2011-11-16 00:40 239168 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-02-07 22:25 . 2011-08-08 19:00 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-05 17:00 . 2012-01-05 17:00 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\tmpidcrl.dll
2012-01-05 17:00 . 2011-03-28 17:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-11-24 04:25 . 2011-12-15 04:45 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-11-19 14:01 . 2012-01-10 19:28 67072 ----a-w- c:\windows\system32\packager.dll
2011-11-17 05:38 . 2012-01-10 19:28 1288472 ----a-w- c:\windows\system32\ntdll.dll
2011-11-16 01:25 . 2011-11-16 01:25 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-11-16 01:25 . 2011-11-16 01:25 161792 ----a-w- c:\windows\system32\msls31.dll
2011-11-16 01:25 . 2011-11-16 01:25 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-11-16 01:25 . 2011-11-16 01:25 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-11-16 01:25 . 2011-11-16 01:25 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-11-16 01:25 . 2011-11-16 01:25 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-11-16 01:25 . 2011-11-16 01:25 367104 ----a-w- c:\windows\system32\html.iec
2011-11-16 01:25 . 2011-11-16 01:25 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-11-16 01:25 . 2011-11-16 01:25 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-11-16 01:25 . 2011-11-16 01:25 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-11-16 01:25 . 2011-11-16 01:25 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-11-16 01:25 . 2011-11-16 01:25 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-16 01:25 . 2011-11-16 01:25 152064 ----a-w- c:\windows\system32\wextract.exe
2011-11-16 01:25 . 2011-11-16 01:25 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-11-16 01:25 . 2011-11-16 01:25 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-11-16 01:25 . 2011-11-16 01:25 11776 ----a-w- c:\windows\system32\mshta.exe
2011-11-16 01:25 . 2011-11-16 01:25 101888 ----a-w- c:\windows\system32\admparse.dll
2011-11-16 01:16 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-11-15 23:37 . 2009-11-26 18:25 428088 ----a-w- c:\windows\system32\drivers\sptd.sys
.
.
(((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"Facebook Update"="c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-10-18 137536]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-11-10 3514176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-04 98304]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2009-06-14 307200]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BankID säkerhetsprogram.lnk - c:\program files\Personal\bin\Personal.exe [2012-1-24 1140632]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opretuq]
2012-02-10 12:10 10752 ----a-w- c:\windows\System32\config\systemprofile\AppData\Local\opretuq.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\PhotoshopElementsFileAgent.exe [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 136176]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\PhotoshopElementsDeviceConnect.exe [x]
R3 BazisVirtualCDBus;WinCDEmu Virtual Bus Driver;c:\windows\system32\DRIVERS\BazisVirtualCDBus.sys [2010-10-28 98400]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 136176]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2010-02-20 47360]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt; [x]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-02-10 239168]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-20 176128]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-04-20 7772160]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-04-20 243712]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-06-10 394856]
.
.
--- Övriga tjänster/drivrutiner i minnet ---
.
*NewlyCreated* - ASWMBR
*Deregistered* - aswMBR
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
procexp100
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{537d904e-0ff4-11e1-bf24-806e6f6e6963}]
\shell\AutoRun\command - G:\INSTALL.EXE
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e686c22-d79b-11de-9ee0-806e6f6e6963}]
\shell\AutoRun\command - E:\SETUP.EXE
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{963aaa25-16b3-11df-964d-002618f04b04}]
\shell\AutoRun\command - G:\LaunchU3.exe -a
.
Innehåll i mappen 'Schemalagda aktiviteter':
.
2012-02-10 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3512059693-629956888-1013197014-1000Core.job
- c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-18 17:26]
.
2012-02-10 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3512059693-629956888-1013197014-1000UA.job
- c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-18 17:26]
.
2012-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 20:56]
.
2012-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 20:56]
.
.
------- Extra genomsökning -------
.
uStart Page = hxxp://www.google.se/
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Simon\AppData\Roaming\Mozilla\Firefox\Profiles\clbeh0im.default\
FF - user.js: extensions.BabylonToolbar_i.id - 3ce818f1000000000000002618f04b04
FF - user.js: extensions.BabylonToolbar_i.hardId - 3ce818f1000000000000002618f04b04
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15344
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1717:57
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=100478
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
.
--------------------- LÅSTA REGISTERNYCKLAR ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLL'er som "laddats" under processer som körs ---------------------
.
- - - - - - - > 'lsass.exe'(496)
c:\windows\system32\mswsock.dll
mswsock.dll 75160000 245760 \\.\globalroot\systemroot\system32\mswsock.dll
.
Sluttid: 2012-02-11 01:23:21
ComboFix-quarantined-files.txt 2012-02-11 00:23
ComboFix2.txt 2012-02-10 23:24
.
Före genomsökningen: 35*442*483*200 byte ledigt
Efter genomsökningen: 35*422*539*776 byte ledigt
.
- - End Of File - - 6B553B50FB04B6572B908D834239EB3C
 
Your ComboFix version is a bit outdated.
Delete the ComboFix file, download a fresh one, run it and post the new log.
I doubt anything new will be found, but I want to play it safe.

Then.....

Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
 
I think we got a new problem... The new version of ComboFix I installed found a ZeroAccess rootkit in TCP/IP. I got the log out on a USB stick; the computer is pretty screwed now, I can't access anything. I restarted, it was stuck on "Preparing your desktop..." for a while, and now a window came up: "C:\windows\system32\config\systemprofile\desktop is not accessible. Access denied."
This happened sometime yesterday also.

ComboFix 12-02-10.03 - Simon 2012-02-11 2:09.5.4 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.46.1033.18.3327.2499 [GMT 1:00]
Körs från: G:\ComboFix.exe
AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Simon\AppData\Roaming\desktop.ini
c:\windows\$NtUninstallKB21072$\2418786939\@
c:\windows\$NtUninstallKB21072$\2418786939\cfg.ini
c:\windows\$NtUninstallKB21072$\2418786939\Desktop.ini
c:\windows\$NtUninstallKB21072$\2418786939\L\xadqgnnk
c:\windows\$NtUninstallKB21072$\3066712622
.
En infekterad kopia av c:\windows\system32\drivers\dtsoftbus01.sys hittades och desinficerades.
Återställd kopia från - The cat found it :)
c:\windows\system32\drivers\tdx.sys saknades
Återställd kopia från - c:\windows\ERDNT\cache\tdx.sys
.
.
(((((((((((((((((((((((( Filer skapade från 2012-01-11 till 2012-02-11 ))))))))))))))))))))))))))))))
.
.
2012-02-11 07:13 . 2012-02-11 07:31 -------- d-----w- C:\Boot
2012-02-11 01:15 . 2012-02-11 01:18 -------- d-----w- c:\users\Simon\AppData\Local\temp
2012-02-11 01:15 . 2012-02-11 01:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-11 01:15 . 2009-07-13 23:12 74240 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-02-11 01:08 . 2012-02-10 00:46 239168 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-02-09 23:37 . 2009-07-13 23:45 83456 ----a-w- c:\windows\system32\drivers\Serial.sys
2012-02-09 23:36 . 2010-11-20 08:38 108544 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-02-09 23:36 . 2009-07-13 23:12 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-09 22:09 . 2012-02-09 22:09 -------- d-----w- C:\_OTL
2012-02-08 17:37 . 2012-02-08 17:45 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2012-02-08 13:49 . 2012-02-10 00:53 -------- d-----w- c:\programdata\AVAST Software
2012-02-08 13:49 . 2012-02-08 13:49 -------- d-----w- c:\program files\AVAST Software
2012-02-08 13:26 . 2012-02-08 13:26 -------- d-----w- c:\program files\Common Files\Java
2012-02-08 02:51 . 2012-02-08 13:10 -------- d-----w- c:\programdata\MFAData
2012-02-08 01:55 . 2012-02-08 01:55 -------- d-----w- c:\users\Simon\AppData\Roaming\Malwarebytes
2012-02-08 01:55 . 2012-02-08 01:55 -------- d-----w- c:\programdata\Malwarebytes
2012-02-08 01:41 . 2012-02-08 01:41 -------- d-----w- c:\program files\Enigma Software Group
2012-02-08 01:40 . 2012-02-08 01:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-01-25 18:19 . 2011-11-17 05:41 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-25 18:19 . 2011-11-17 05:41 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-25 18:19 . 2011-11-17 05:39 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-25 18:19 . 2011-11-17 05:35 314880 ----a-w- c:\windows\system32\webio.dll
2012-01-25 18:19 . 2011-11-17 05:34 15872 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-25 18:19 . 2011-11-17 05:34 100352 ----a-w- c:\windows\system32\sspicli.dll
2012-01-25 18:19 . 2011-11-17 05:34 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-25 18:19 . 2011-11-17 05:34 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-25 18:19 . 2011-11-17 05:32 1038848 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-25 18:19 . 2011-11-17 05:29 22528 ----a-w- c:\windows\system32\lsass.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-07 22:25 . 2011-08-08 19:00 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-05 17:00 . 2012-01-05 17:00 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\tmpidcrl.dll
2012-01-05 17:00 . 2011-03-28 17:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-11-24 04:25 . 2011-12-15 04:45 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-11-19 14:01 . 2012-01-10 19:28 67072 ----a-w- c:\windows\system32\packager.dll
2011-11-17 05:38 . 2012-01-10 19:28 1288472 ----a-w- c:\windows\system32\ntdll.dll
2011-11-16 01:25 . 2011-11-16 01:25 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-11-16 01:25 . 2011-11-16 01:25 161792 ----a-w- c:\windows\system32\msls31.dll
2011-11-16 01:25 . 2011-11-16 01:25 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-11-16 01:25 . 2011-11-16 01:25 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-11-16 01:25 . 2011-11-16 01:25 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-11-16 01:25 . 2011-11-16 01:25 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-11-16 01:25 . 2011-11-16 01:25 367104 ----a-w- c:\windows\system32\html.iec
2011-11-16 01:25 . 2011-11-16 01:25 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-11-16 01:25 . 2011-11-16 01:25 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-11-16 01:25 . 2011-11-16 01:25 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-11-16 01:25 . 2011-11-16 01:25 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-11-16 01:25 . 2011-11-16 01:25 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-16 01:25 . 2011-11-16 01:25 152064 ----a-w- c:\windows\system32\wextract.exe
2011-11-16 01:25 . 2011-11-16 01:25 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-11-16 01:25 . 2011-11-16 01:25 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-11-16 01:25 . 2011-11-16 01:25 11776 ----a-w- c:\windows\system32\mshta.exe
2011-11-16 01:25 . 2011-11-16 01:25 101888 ----a-w- c:\windows\system32\admparse.dll
2011-11-16 01:16 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-11-15 23:37 . 2009-11-26 18:25 428088 ----a-w- c:\windows\system32\drivers\sptd.sys
.
.
(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Not* tomma poster & legitima standardposter visas inte.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"Facebook Update"="c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-10-18 137536]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-11-10 3514176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-04 98304]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2009-06-14 307200]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BankID säkerhetsprogram.lnk - c:\program files\Personal\bin\Personal.exe [2012-1-24 1140632]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opretuq]
2012-02-10 12:10 10752 ----a-w- c:\windows\System32\config\systemprofile\AppData\Local\opretuq.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\PhotoshopElementsFileAgent.exe [x]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
procexp100
.
Innehåll i mappen 'Schemalagda aktiviteter':
.
2012-02-10 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3512059693-629956888-1013197014-1000Core.job
- c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-18 17:26]
.
2012-02-11 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3512059693-629956888-1013197014-1000UA.job
- c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-18 17:26]
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 20:56]
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 20:56]
.
.
------- Extra genomsökning -------
.
uStart Page = hxxp://www.google.se/
LSP: mswsock.dll
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Simon\AppData\Roaming\Mozilla\Firefox\Profiles\clbeh0im.default\
FF - user.js: extensions.BabylonToolbar_i.id - 3ce818f1000000000000002618f04b04
FF - user.js: extensions.BabylonToolbar_i.hardId - 3ce818f1000000000000002618f04b04
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15344
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1717:57
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=100478
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
.
--------------------- LÅSTA REGISTERNYCKLAR ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Andra processer som körs ------------------------
.
c:\windows\system32\atiesrxx.exe
c:\windows\system32\atieclxx.exe
c:\windows\system32\sppsvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conhost.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Sluttid: 2012-02-11 02:20:22 - datorn startades om.
ComboFix-quarantined-files.txt 2012-02-11 01:20
ComboFix2.txt 2012-02-11 00:23
ComboFix3.txt 2012-02-10 23:24
.
Före genomsökningen: 35*220*439*040 byte ledigt
Efter genomsökningen: 34*997*989*376 byte ledigt
.
- - End Of File - - 2E4C342D58A3F929E0B71587B1CCF1E3
 
We still have some infection there...

Turn the computer off.
Wait 1 minute.
Turn it back on.
See if you can boot to normal mode.

If not, see if you can boot to safe mode.
 
Normal mode: it can boot, but I can't enter the desktop; it's just all grey with only the recycle bin, and no internet either.


Safe mode: I got into the desktop, and it seems to work, but no access to the internet.
 
I went into system32\drivers and I can see that afd.sys is gone, just like the last time the internet wouldn't work, but that time it was Avast that removed it.
 
We had/have such a severe infection there that setbacks will happen.
We just have to take it one step at a time....

1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\System32\config\systemprofile\AppData\Local\opretuq.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opretuq]

ClearJavaCache::


3. Save the above as CFScript.txt

4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After the reboot (in case it asks to reboot), please post the following report/log in your next reply:
  • Combofix.txt
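As an added example (not part of this thread, and not ComboFix's own code), a small Python triage script that pulls out of ComboFix-style report text the indicators the helper is reacting to: the Winlogon Notify key loading opretuq.dll from a systemprofile folder that the CFScript above removes, the fake $NtUninstallKB...$ folder, services whose binary is missing, and network drivers reported missing or infected. The sample report lines are constructed from the shape of the logs above, and the patterns for the Swedish phrases ("saknades", "En infekterad kopia av") assume the wording of the ComboFix build seen in those logs.

```python
"""Triage helper for ComboFix-style report text (added example, not part
of the thread or of ComboFix). It extracts the indicators visible in the
logs above: a Winlogon Notify DLL loaded from a profile directory, fake
$NtUninstallKB...$ folders, services whose binary is gone, and network
drivers (afd.sys, tdx.sys) reported missing or infected."""
import re

# Constructed sample in the shape of the Swedish ComboFix reports posted
# above ("saknades" = was missing; "En infekterad kopia av ... hittades"
# = an infected copy of ... was found).
SAMPLE_REPORT = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opretuq]
2012-02-10 12:10 10752 ----a-w- c:\windows\System32\config\systemprofile\AppData\Local\opretuq.dll
.
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\PhotoshopElementsFileAgent.exe [x]
R3 gupdatem;Tjänsten Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 136176]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
c:\windows\$NtUninstallKB21072$\2418786939\@
c:\windows\$NtUninstallKB21072$\2418786939\cfg.ini
c:\windows\$NtUninstallKB21072$\2418786939\L\xadqgnnk
En infekterad kopia av c:\windows\system32\drivers\dtsoftbus01.sys hittades och desinficerades.
c:\windows\system32\drivers\afd.sys saknades
c:\windows\system32\drivers\tdx.sys saknades
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"""

NOTIFY_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
    r"\\winlogon\\notify\\([^\]]+)\]$", re.I)
DLL_PATH = re.compile(r"([a-z]:\\.+\.dll)\s*$", re.I)
# ComboFix service line: "<start type> <name>;<display name>;<path> [x]",
# where "[x]" marks an image file it could not find on disk.
MISSING_SERVICE = re.compile(r"^([RS][0-4]) ([^;]+);[^;]*;(.*) \[x\]$")
# Windows 7 does not create $NtUninstallKB...$ folders (an XP-era hotfix
# artefact), so on this system one is a hiding place, as the deletion
# lines in the logs above show.
FAKE_UNINSTALL_DIR = re.compile(r"\\\$NtUninstallKB\d+\$\\", re.I)
MISSING_DRIVER = re.compile(r"^\S+\\drivers\\([^\\ ]+\.sys) saknades$", re.I | re.M)
INFECTED_FILE = re.compile(r"^En infekterad kopia av (.+?) hittades", re.M)


def winlogon_notify_entries(text):
    """Return (subkey, dll path, outside_system32) for every Notify key.

    The DLL path is read from the file line ComboFix prints under the key.
    A DLL anywhere but in the system32 directory itself (here: a
    systemprofile AppData folder) is the strong signal; Windows 7 no longer
    uses Winlogon notification packages, so every entry is returned.
    """
    lines = text.splitlines()
    found = []
    for i, line in enumerate(lines):
        m = NOTIFY_KEY.match(line.strip())
        if not m:
            continue
        path = ""
        for nxt in lines[i + 1:i + 3]:   # the path normally sits on the next line
            pm = DLL_PATH.search(nxt)
            if pm:
                path = pm.group(1)
                break
        parent = path.lower().rsplit("\\", 1)[0] if path else ""
        found.append((m.group(1), path, parent != r"c:\windows\system32"))
    return found


def missing_service_binaries(text):
    """(service name, path) for services/drivers ComboFix flagged with [x]."""
    matches = (MISSING_SERVICE.match(ln.strip()) for ln in text.splitlines())
    return [(m.group(2), m.group(3)) for m in matches if m]


def fake_uninstall_paths(text):
    """Every line referring to a $NtUninstallKB...$ folder."""
    return [ln.strip() for ln in text.splitlines() if FAKE_UNINSTALL_DIR.search(ln)]


def driver_damage(text):
    """Drivers reported missing, plus files reported infected and disinfected."""
    return {"missing": MISSING_DRIVER.findall(text),
            "infected": INFECTED_FILE.findall(text)}


def triage(text):
    """Collect all indicators into one dict; 'clean' is True only if none fired."""
    report = {
        "winlogon_notify": winlogon_notify_entries(text),
        "missing_service_binaries": missing_service_binaries(text),
        "fake_uninstall_paths": fake_uninstall_paths(text),
        "driver_damage": driver_damage(text),
    }
    damage = report["driver_damage"]
    report["clean"] = not (report["winlogon_notify"] or report["fake_uninstall_paths"]
                           or damage["missing"] or damage["infected"])
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Missing service binaries are reported but do not by themselves mark the report as unclean, since several of the [x] entries in the logs above (sptd, Synth3dVsc, TsUsbFlt) belong to ordinary software and stubs.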
 
afd.sys is back and the internet has a connection, but I can't open any programs, like Internet Explorer.

ComboFix 12-02-10.03 - Simon 2012-02-11 3:07.6.4 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.46.1033.18.3327.2675 [GMT 1:00]
Körs från: G:\ComboFix.exe
Kommandoväxlar som använts :: c:\users\Simon\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Skapade en ny återställningspunkt
.
FILE ::
"c:\windows\System32\config\systemprofile\AppData\Local\opretuq.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB21072$\2241343191
c:\windows\$NtUninstallKB21072$\2418786939\@
c:\windows\$NtUninstallKB21072$\2418786939\cfg.ini
c:\windows\$NtUninstallKB21072$\2418786939\Desktop.ini
c:\windows\$NtUninstallKB21072$\2418786939\L\xadqgnnk
c:\windows\System32\config\systemprofile\AppData\Local\opretuq.dll
c:\windows\system32\wbem\Performance\WmiApRpl_new.ini
.
En infekterad kopia av c:\windows\system32\drivers\dtsoftbus01.sys hittades och desinficerades.
Återställd kopia från - The cat found it :)
c:\windows\system32\drivers\afd.sys saknades
Återställd kopia från - c:\windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_da774a9ad5cea29e\afd.sys
.
c:\windows\system32\drivers\tdx.sys saknades
Återställd kopia från - c:\windows\ERDNT\cache\tdx.sys
.
.
(((((((((((((((((((((((( Filer skapade från 2012-01-11 till 2012-02-11 ))))))))))))))))))))))))))))))
.
.
2012-02-11 07:13 . 2012-02-11 07:31 -------- d-----w- C:\Boot
2012-02-11 02:14 . 2012-02-11 02:14 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-11 02:12 . 2012-02-11 02:15 -------- d-----w- c:\users\Simon\AppData\Local\temp
2012-02-11 02:12 . 2012-02-11 02:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-11 02:12 . 2009-07-13 23:12 74240 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-02-11 02:12 . 2011-04-25 03:24 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-09 23:37 . 2009-07-13 23:45 83456 ----a-w- c:\windows\system32\drivers\Serial.sys
2012-02-09 23:36 . 2009-07-13 23:12 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-09 22:09 . 2012-02-09 22:09 -------- d-----w- C:\_OTL
2012-02-08 17:37 . 2012-02-08 17:45 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2012-02-08 13:49 . 2012-02-10 00:53 -------- d-----w- c:\programdata\AVAST Software
2012-02-08 13:49 . 2012-02-08 13:49 -------- d-----w- c:\program files\AVAST Software
2012-02-08 13:26 . 2012-02-08 13:26 -------- d-----w- c:\program files\Common Files\Java
2012-02-08 02:51 . 2012-02-08 13:10 -------- d-----w- c:\programdata\MFAData
2012-02-08 01:55 . 2012-02-08 01:55 -------- d-----w- c:\users\Simon\AppData\Roaming\Malwarebytes
2012-02-08 01:55 . 2012-02-08 01:55 -------- d-----w- c:\programdata\Malwarebytes
2012-02-08 01:41 . 2012-02-08 01:41 -------- d-----w- c:\program files\Enigma Software Group
2012-02-08 01:40 . 2012-02-08 01:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-01-25 18:19 . 2011-11-17 05:41 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-25 18:19 . 2011-11-17 05:41 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-25 18:19 . 2011-11-17 05:39 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-25 18:19 . 2011-11-17 05:35 314880 ----a-w- c:\windows\system32\webio.dll
2012-01-25 18:19 . 2011-11-17 05:34 15872 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-25 18:19 . 2011-11-17 05:34 100352 ----a-w- c:\windows\system32\sspicli.dll
2012-01-25 18:19 . 2011-11-17 05:34 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-25 18:19 . 2011-11-17 05:34 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-25 18:19 . 2011-11-17 05:32 1038848 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-25 18:19 . 2011-11-17 05:29 22528 ----a-w- c:\windows\system32\lsass.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-10 00:46 . 2012-02-11 02:04 239168 ----a-w- c:\windows\system32\drivers\dtsoftbus01.svs
2012-02-07 22:25 . 2011-08-08 19:00 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-05 17:00 . 2012-01-05 17:00 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\tmpidcrl.dll
2012-01-05 17:00 . 2011-03-28 17:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-11-24 04:25 . 2011-12-15 04:45 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-11-19 14:01 . 2012-01-10 19:28 67072 ----a-w- c:\windows\system32\packager.dll
2011-11-17 05:38 . 2012-01-10 19:28 1288472 ----a-w- c:\windows\system32\ntdll.dll
2011-11-16 01:25 . 2011-11-16 01:25 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-11-16 01:25 . 2011-11-16 01:25 161792 ----a-w- c:\windows\system32\msls31.dll
2011-11-16 01:25 . 2011-11-16 01:25 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-11-16 01:25 . 2011-11-16 01:25 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-11-16 01:25 . 2011-11-16 01:25 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-11-16 01:25 . 2011-11-16 01:25 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-11-16 01:25 . 2011-11-16 01:25 367104 ----a-w- c:\windows\system32\html.iec
2011-11-16 01:25 . 2011-11-16 01:25 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-11-16 01:25 . 2011-11-16 01:25 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-11-16 01:25 . 2011-11-16 01:25 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-11-16 01:25 . 2011-11-16 01:25 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-11-16 01:25 . 2011-11-16 01:25 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-16 01:25 . 2011-11-16 01:25 152064 ----a-w- c:\windows\system32\wextract.exe
2011-11-16 01:25 . 2011-11-16 01:25 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-11-16 01:25 . 2011-11-16 01:25 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-11-16 01:25 . 2011-11-16 01:25 11776 ----a-w- c:\windows\system32\mshta.exe
2011-11-16 01:25 . 2011-11-16 01:25 101888 ----a-w- c:\windows\system32\admparse.dll
2011-11-16 01:16 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-11-15 23:37 . 2009-11-26 18:25 428088 ----a-w- c:\windows\system32\drivers\sptd.sys
.
.
(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Not* tomma poster & legitima standardposter visas inte.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"Facebook Update"="c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-10-18 137536]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-11-10 3514176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-04 98304]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2009-06-14 307200]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BankID säkerhetsprogram.lnk - c:\program files\Personal\bin\Personal.exe [2012-1-24 1140632]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\PhotoshopElementsFileAgent.exe [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Tjänsten Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 136176]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\PhotoshopElementsDeviceConnect.exe [x]
R3 BazisVirtualCDBus;WinCDEmu Virtual Bus Driver;c:\windows\system32\DRIVERS\BazisVirtualCDBus.sys [2010-10-28 98400]
R3 gupdatem;Tjänsten Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 136176]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2010-02-20 47360]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt; [x]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-20 176128]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-04-20 7772160]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-04-20 243712]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-06-10 394856]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
procexp100
.
Innehåll i mappen 'Schemalagda aktiviteter':
.
2012-02-10 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3512059693-629956888-1013197014-1000Core.job
- c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-18 17:26]
.
2012-02-11 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3512059693-629956888-1013197014-1000UA.job
- c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-18 17:26]
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 20:56]
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 20:56]
.
.
------- Extra genomsökning -------
.
uStart Page = hxxp://www.google.se/
LSP: mswsock.dll
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Simon\AppData\Roaming\Mozilla\Firefox\Profiles\clbeh0im.default\
FF - user.js: extensions.BabylonToolbar_i.id - 3ce818f1000000000000002618f04b04
FF - user.js: extensions.BabylonToolbar_i.hardId - 3ce818f1000000000000002618f04b04
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15344
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1717:57
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=100478
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
.
--------------------- LÅSTA REGISTERNYCKLAR ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Andra processer som körs ------------------------
.
c:\windows\system32\atieclxx.exe
c:\windows\system32\sppsvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\WUDFHost.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\conhost.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Sluttid: 2012-02-11 03:17:53 - datorn startades om.
ComboFix-quarantined-files.txt 2012-02-11 02:17
ComboFix2.txt 2012-02-11 01:20
ComboFix3.txt 2012-02-11 00:23
ComboFix4.txt 2012-02-10 23:24
.
Före genomsökningen: 35*126*452*224 byte ledigt
Efter genomsökningen: 35*049*967*616 byte ledigt
.
- - End Of File - - 688CE3A876192308AB9129FDD3631D30
 
I'm gonna go away for 1 day now, I'll be back on Sunday. Please tell me what the next step is and we'll continue then =) Thanks a lot so far, you're really good at this stuff!!
 