Inactive System Check virus, a lot of problems
- Thread starter MjuTaS
- Start date
I cant open any files. i can open "my computer" and some folders.
if i try open internet explorer for example, i get C:\program files\internet explorer\iexplore.exe An attempt was made to preform a non legit move on a refestry key that has been flagged for remove. its in swedish so its not exactly that but almost.
it was like this the last time i ran combofix too, after i restarted i got the problem with accessing desktop
if i try open internet explorer for example, i get C:\program files\internet explorer\iexplore.exe An attempt was made to preform a non legit move on a refestry key that has been flagged for remove. its in swedish so its not exactly that but almost.
it was like this the last time i ran combofix too, after i restarted i got the problem with accessing desktop
Farbar Service Scanner Version: 10-02-2012
Ran by Simon (administrator) on 11-02-2012 at 03:49:05
Running from "C:\Users\Simon\Desktop"
Microsoft Windows 7 Ultimate Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.
tdx Service is not running. Checking service configuration:
The start type of tdx service is OK.
The ImagePath of tdx service is OK.
Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Yahoo IP is accessible.
Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of MpsSvc. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of MpsSvc. The value does not exist.
Unable to retrieve ServiceDll of MpsSvc. The value does not exist.
Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Security Center:
============
Windows Update:
============
Windows Defender:
=============
WinDefend Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open WinDefend registry key. The service key does not exist.
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2012-02-11 03:12] - [2011-04-25 04:24] - 0338944 ____A (Microsoft Corporation) C427F91A748CD342A2B3F9278D9FD6A5
Attention! C:\Windows\system32\Drivers\tdx.sys is missing.
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
**** End of log ****
Ran by Simon (administrator) on 11-02-2012 at 03:49:05
Running from "C:\Users\Simon\Desktop"
Microsoft Windows 7 Ultimate Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.
tdx Service is not running. Checking service configuration:
The start type of tdx service is OK.
The ImagePath of tdx service is OK.
Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Yahoo IP is accessible.
Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of MpsSvc. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of MpsSvc. The value does not exist.
Unable to retrieve ServiceDll of MpsSvc. The value does not exist.
Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Security Center:
============
Windows Update:
============
Windows Defender:
=============
WinDefend Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open WinDefend registry key. The service key does not exist.
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2012-02-11 03:12] - [2011-04-25 04:24] - 0338944 ____A (Microsoft Corporation) C427F91A748CD342A2B3F9278D9FD6A5
Attention! C:\Windows\system32\Drivers\tdx.sys is missing.
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
**** End of log ****
Broni
Posts: 56,041 +517
We have tdx.sys file missing again.
1. Please open Notepad (Start>All Programs>Accessories>Notepad).
2. Now copy/paste the entire content of the codebox below into the Notepad window:
3. Save the above as CFScript.txt
4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.
5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
1. Please open Notepad (Start>All Programs>Accessories>Notepad).
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
FCopy::
c:\windows\ERDNT\cache\tdx.sys | C:\Windows\system32\Drivers\tdx.sys
File::
c:\windows\system32\dds_trash_log.cmd
ClearJavaCache::3. Save the above as CFScript.txt
4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.
5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
- Combofix.txt
internet working, programs working 
how does the log look?
ComboFix 12-02-10.03 - Simon 2012-02-11 4:00.7.4 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.46.1033.18.3327.2642 [GMT 1:00]
Körs från: G:\ComboFix.exe
Kommandoväxlar som använts :: c:\users\Simon\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\dds_trash_log.cmd"
.
.
((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB21072$\2418786939\@
c:\windows\$NtUninstallKB21072$\2418786939\cfg.ini
c:\windows\$NtUninstallKB21072$\2418786939\Desktop.ini
c:\windows\$NtUninstallKB21072$\2418786939\L\xadqgnnk
c:\windows\$NtUninstallKB21072$\3856755330
c:\windows\system32\dds_trash_log.cmd
.
En infekterad kopia av c:\windows\system32\drivers\afd.sys hittades och desinficerades.
Återställd kopia från - The cat found it
.
--------------- FCopy ---------------
.
c:\windows\ERDNT\cache\tdx.sys --> c:\windows\system32\Drivers\tdx.sys
.
(((((((((((((((((((((((( Filer skapade från 2012-01-11 till 2012-02-11 ))))))))))))))))))))))))))))))
.
.
2012-02-11 07:13 . 2012-02-11 07:31 -------- d-----w- C:\Boot
2012-02-11 03:06 . 2012-02-11 03:08 -------- d-----w- c:\users\Simon\AppData\Local\temp
2012-02-11 03:06 . 2012-02-11 03:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-11 03:00 . 2009-07-13 23:12 74240 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-02-11 02:59 . 2011-04-25 03:24 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-09 23:37 . 2009-07-13 23:45 83456 ----a-w- c:\windows\system32\drivers\Serial.sys
2012-02-09 23:36 . 2009-07-13 23:12 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-09 22:09 . 2012-02-09 22:09 -------- d-----w- C:\_OTL
2012-02-08 17:37 . 2012-02-08 17:45 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2012-02-08 13:49 . 2012-02-10 00:53 -------- d-----w- c:\programdata\AVAST Software
2012-02-08 13:49 . 2012-02-08 13:49 -------- d-----w- c:\program files\AVAST Software
2012-02-08 13:26 . 2012-02-08 13:26 -------- d-----w- c:\program files\Common Files\Java
2012-02-08 02:51 . 2012-02-08 13:10 -------- d-----w- c:\programdata\MFAData
2012-02-08 01:55 . 2012-02-08 01:55 -------- d-----w- c:\users\Simon\AppData\Roaming\Malwarebytes
2012-02-08 01:55 . 2012-02-08 01:55 -------- d-----w- c:\programdata\Malwarebytes
2012-02-08 01:41 . 2012-02-08 01:41 -------- d-----w- c:\program files\Enigma Software Group
2012-02-08 01:40 . 2012-02-08 01:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-01-25 18:19 . 2011-11-17 05:41 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-25 18:19 . 2011-11-17 05:41 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-25 18:19 . 2011-11-17 05:39 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-25 18:19 . 2011-11-17 05:35 314880 ----a-w- c:\windows\system32\webio.dll
2012-01-25 18:19 . 2011-11-17 05:34 15872 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-25 18:19 . 2011-11-17 05:34 100352 ----a-w- c:\windows\system32\sspicli.dll
2012-01-25 18:19 . 2011-11-17 05:34 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-25 18:19 . 2011-11-17 05:34 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-25 18:19 . 2011-11-17 05:32 1038848 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-25 18:19 . 2011-11-17 05:29 22528 ----a-w- c:\windows\system32\lsass.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-11 02:37 . 2011-11-16 00:40 239168 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-02-10 00:46 . 2012-02-11 02:04 239168 ----a-w- c:\windows\system32\drivers\dtsoftbus01.svs
2012-02-07 22:25 . 2011-08-08 19:00 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-05 17:00 . 2012-01-05 17:00 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\tmpidcrl.dll
2012-01-05 17:00 . 2011-03-28 17:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-11-24 04:25 . 2011-12-15 04:45 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-11-19 14:01 . 2012-01-10 19:28 67072 ----a-w- c:\windows\system32\packager.dll
2011-11-17 05:38 . 2012-01-10 19:28 1288472 ----a-w- c:\windows\system32\ntdll.dll
2011-11-16 01:25 . 2011-11-16 01:25 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-11-16 01:25 . 2011-11-16 01:25 161792 ----a-w- c:\windows\system32\msls31.dll
2011-11-16 01:25 . 2011-11-16 01:25 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-11-16 01:25 . 2011-11-16 01:25 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-11-16 01:25 . 2011-11-16 01:25 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-11-16 01:25 . 2011-11-16 01:25 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-11-16 01:25 . 2011-11-16 01:25 367104 ----a-w- c:\windows\system32\html.iec
2011-11-16 01:25 . 2011-11-16 01:25 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-11-16 01:25 . 2011-11-16 01:25 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-11-16 01:25 . 2011-11-16 01:25 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-11-16 01:25 . 2011-11-16 01:25 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-11-16 01:25 . 2011-11-16 01:25 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-16 01:25 . 2011-11-16 01:25 152064 ----a-w- c:\windows\system32\wextract.exe
2011-11-16 01:25 . 2011-11-16 01:25 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-11-16 01:25 . 2011-11-16 01:25 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-11-16 01:25 . 2011-11-16 01:25 11776 ----a-w- c:\windows\system32\mshta.exe
2011-11-16 01:25 . 2011-11-16 01:25 101888 ----a-w- c:\windows\system32\admparse.dll
2011-11-16 01:16 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-11-15 23:37 . 2009-11-26 18:25 428088 ----a-w- c:\windows\system32\drivers\sptd.sys
.
.
(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Not* tomma poster & legitima standardposter visas inte.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"Facebook Update"="c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-10-18 137536]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-11-10 3514176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-04 98304]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2009-06-14 307200]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BankID säkerhetsprogram.lnk - c:\program files\Personal\bin\Personal.exe [2012-1-24 1140632]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\PhotoshopElementsFileAgent.exe [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Tjänsten Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 136176]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\PhotoshopElementsDeviceConnect.exe [x]
R3 BazisVirtualCDBus;WinCDEmu Virtual Bus Driver;c:\windows\system32\DRIVERS\BazisVirtualCDBus.sys [2010-10-28 98400]
R3 gupdatem;Tjänsten Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 136176]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2010-02-20 47360]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt; [x]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-02-11 239168]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-20 176128]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-04-20 7772160]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-04-20 243712]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-06-10 394856]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
procexp100
.
Innehåll i mappen 'Schemalagda aktiviteter':
.
2012-02-10 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3512059693-629956888-1013197014-1000Core.job
- c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-18 17:26]
.
2012-02-11 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3512059693-629956888-1013197014-1000UA.job
- c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-18 17:26]
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 20:56]
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 20:56]
.
.
------- Extra genomsökning -------
.
uStart Page = hxxp://www.google.se/
LSP: mswsock.dll
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Simon\AppData\Roaming\Mozilla\Firefox\Profiles\clbeh0im.default\
FF - user.js: extensions.BabylonToolbar_i.id - 3ce818f1000000000000002618f04b04
FF - user.js: extensions.BabylonToolbar_i.hardId - 3ce818f1000000000000002618f04b04
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15344
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1717:57
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=100478
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
.
--------------------- LÅSTA REGISTERNYCKLAR ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Andra processer som körs ------------------------
.
c:\windows\system32\atieclxx.exe
c:\windows\system32\sppsvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\WUDFHost.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Sluttid: 2012-02-11 04:11:08 - datorn startades om.
ComboFix-quarantined-files.txt 2012-02-11 03:11
ComboFix2.txt 2012-02-11 02:17
ComboFix3.txt 2012-02-11 01:20
ComboFix4.txt 2012-02-11 00:23
ComboFix5.txt 2012-02-11 02:58
.
Före genomsökningen: 34*967*019*520 byte ledigt
Efter genomsökningen: 34*869*952*512 byte ledigt
.
- - End Of File - - B89BE5442FE1130D9A41C747E9E92F8C
how does the log look?ComboFix 12-02-10.03 - Simon 2012-02-11 4:00.7.4 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.46.1033.18.3327.2642 [GMT 1:00]
Körs från: G:\ComboFix.exe
Kommandoväxlar som använts :: c:\users\Simon\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\dds_trash_log.cmd"
.
.
((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB21072$\2418786939\@
c:\windows\$NtUninstallKB21072$\2418786939\cfg.ini
c:\windows\$NtUninstallKB21072$\2418786939\Desktop.ini
c:\windows\$NtUninstallKB21072$\2418786939\L\xadqgnnk
c:\windows\$NtUninstallKB21072$\3856755330
c:\windows\system32\dds_trash_log.cmd
.
En infekterad kopia av c:\windows\system32\drivers\afd.sys hittades och desinficerades.
Återställd kopia från - The cat found it
.
--------------- FCopy ---------------
.
c:\windows\ERDNT\cache\tdx.sys --> c:\windows\system32\Drivers\tdx.sys
.
(((((((((((((((((((((((( Filer skapade från 2012-01-11 till 2012-02-11 ))))))))))))))))))))))))))))))
.
.
2012-02-11 07:13 . 2012-02-11 07:31 -------- d-----w- C:\Boot
2012-02-11 03:06 . 2012-02-11 03:08 -------- d-----w- c:\users\Simon\AppData\Local\temp
2012-02-11 03:06 . 2012-02-11 03:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-11 03:00 . 2009-07-13 23:12 74240 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-02-11 02:59 . 2011-04-25 03:24 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-09 23:37 . 2009-07-13 23:45 83456 ----a-w- c:\windows\system32\drivers\Serial.sys
2012-02-09 23:36 . 2009-07-13 23:12 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-09 22:09 . 2012-02-09 22:09 -------- d-----w- C:\_OTL
2012-02-08 17:37 . 2012-02-08 17:45 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2012-02-08 13:49 . 2012-02-10 00:53 -------- d-----w- c:\programdata\AVAST Software
2012-02-08 13:49 . 2012-02-08 13:49 -------- d-----w- c:\program files\AVAST Software
2012-02-08 13:26 . 2012-02-08 13:26 -------- d-----w- c:\program files\Common Files\Java
2012-02-08 02:51 . 2012-02-08 13:10 -------- d-----w- c:\programdata\MFAData
2012-02-08 01:55 . 2012-02-08 01:55 -------- d-----w- c:\users\Simon\AppData\Roaming\Malwarebytes
2012-02-08 01:55 . 2012-02-08 01:55 -------- d-----w- c:\programdata\Malwarebytes
2012-02-08 01:41 . 2012-02-08 01:41 -------- d-----w- c:\program files\Enigma Software Group
2012-02-08 01:40 . 2012-02-08 01:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-01-25 18:19 . 2011-11-17 05:41 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-25 18:19 . 2011-11-17 05:41 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-25 18:19 . 2011-11-17 05:39 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-25 18:19 . 2011-11-17 05:35 314880 ----a-w- c:\windows\system32\webio.dll
2012-01-25 18:19 . 2011-11-17 05:34 15872 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-25 18:19 . 2011-11-17 05:34 100352 ----a-w- c:\windows\system32\sspicli.dll
2012-01-25 18:19 . 2011-11-17 05:34 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-25 18:19 . 2011-11-17 05:34 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-25 18:19 . 2011-11-17 05:32 1038848 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-25 18:19 . 2011-11-17 05:29 22528 ----a-w- c:\windows\system32\lsass.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-11 02:37 . 2011-11-16 00:40 239168 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-02-10 00:46 . 2012-02-11 02:04 239168 ----a-w- c:\windows\system32\drivers\dtsoftbus01.svs
2012-02-07 22:25 . 2011-08-08 19:00 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-05 17:00 . 2012-01-05 17:00 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\tmpidcrl.dll
2012-01-05 17:00 . 2011-03-28 17:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-11-24 04:25 . 2011-12-15 04:45 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-11-19 14:01 . 2012-01-10 19:28 67072 ----a-w- c:\windows\system32\packager.dll
2011-11-17 05:38 . 2012-01-10 19:28 1288472 ----a-w- c:\windows\system32\ntdll.dll
2011-11-16 01:25 . 2011-11-16 01:25 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-11-16 01:25 . 2011-11-16 01:25 161792 ----a-w- c:\windows\system32\msls31.dll
2011-11-16 01:25 . 2011-11-16 01:25 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-11-16 01:25 . 2011-11-16 01:25 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-11-16 01:25 . 2011-11-16 01:25 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-11-16 01:25 . 2011-11-16 01:25 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-11-16 01:25 . 2011-11-16 01:25 367104 ----a-w- c:\windows\system32\html.iec
2011-11-16 01:25 . 2011-11-16 01:25 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-11-16 01:25 . 2011-11-16 01:25 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-11-16 01:25 . 2011-11-16 01:25 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-11-16 01:25 . 2011-11-16 01:25 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-11-16 01:25 . 2011-11-16 01:25 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-16 01:25 . 2011-11-16 01:25 152064 ----a-w- c:\windows\system32\wextract.exe
2011-11-16 01:25 . 2011-11-16 01:25 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-11-16 01:25 . 2011-11-16 01:25 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-11-16 01:25 . 2011-11-16 01:25 11776 ----a-w- c:\windows\system32\mshta.exe
2011-11-16 01:25 . 2011-11-16 01:25 101888 ----a-w- c:\windows\system32\admparse.dll
2011-11-16 01:16 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-11-15 23:37 . 2009-11-26 18:25 428088 ----a-w- c:\windows\system32\drivers\sptd.sys
.
.
(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Not* tomma poster & legitima standardposter visas inte.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"Facebook Update"="c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-10-18 137536]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-11-10 3514176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-04 98304]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2009-06-14 307200]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BankID säkerhetsprogram.lnk - c:\program files\Personal\bin\Personal.exe [2012-1-24 1140632]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\PhotoshopElementsFileAgent.exe [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Tjänsten Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 136176]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\PhotoshopElementsDeviceConnect.exe [x]
R3 BazisVirtualCDBus;WinCDEmu Virtual Bus Driver;c:\windows\system32\DRIVERS\BazisVirtualCDBus.sys [2010-10-28 98400]
R3 gupdatem;Tjänsten Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 136176]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2010-02-20 47360]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt; [x]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-02-11 239168]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-20 176128]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-04-20 7772160]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-04-20 243712]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-06-10 394856]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
procexp100
.
Innehåll i mappen 'Schemalagda aktiviteter':
.
2012-02-10 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3512059693-629956888-1013197014-1000Core.job
- c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-18 17:26]
.
2012-02-11 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3512059693-629956888-1013197014-1000UA.job
- c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-18 17:26]
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 20:56]
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 20:56]
.
.
------- Extra genomsökning -------
.
uStart Page = hxxp://www.google.se/
LSP: mswsock.dll
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Simon\AppData\Roaming\Mozilla\Firefox\Profiles\clbeh0im.default\
FF - user.js: extensions.BabylonToolbar_i.id - 3ce818f1000000000000002618f04b04
FF - user.js: extensions.BabylonToolbar_i.hardId - 3ce818f1000000000000002618f04b04
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15344
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1717:57
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=100478
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
.
--------------------- LÅSTA REGISTERNYCKLAR ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Andra processer som körs ------------------------
.
c:\windows\system32\atieclxx.exe
c:\windows\system32\sppsvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\WUDFHost.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Sluttid: 2012-02-11 04:11:08 - datorn startades om.
ComboFix-quarantined-files.txt 2012-02-11 03:11
ComboFix2.txt 2012-02-11 02:17
ComboFix3.txt 2012-02-11 01:20
ComboFix4.txt 2012-02-11 00:23
ComboFix5.txt 2012-02-11 02:58
.
Före genomsökningen: 34*967*019*520 byte ledigt
Efter genomsökningen: 34*869*952*512 byte ledigt
.
- - End Of File - - B89BE5442FE1130D9A41C747E9E92F8C
Broni
Posts: 56,041 +517
Looks good
Now when we everything working (for now....LOL).
Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.
Be sure to restart the computer.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
=============================================================
Post MBAM log before going for the next step listed below......
Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/
To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen
Post SUPERAntiSpyware log.
Now when we everything working (for now....LOL).
Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.
Be sure to restart the computer.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
=============================================================
Post MBAM log before going for the next step listed below......
Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/
- Double-click SUPERAntiSpyware.exe and use the default settings for installation.
- An icon will be created on your desktop. Double-click that icon to launch the program.
- Super should automatically the program definitions. If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
- Close SUPERAntiSpyware.
To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen
- Open SUPERAntiSpyware.
- Click on "Preferences" button.
- Click the "Scanning Control" tab.
- Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Click the "Home" button to leave the control center screen.
- Back on the main screen checkmark "Complete scan" and click "Scan your computer".
- Click "Next" to start the scan. Please be patient while it scans your computer.
- After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
- Make sure everything has a checkmark next to it and click "Next".
- A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
- If asked if you want to reboot, click "Yes".
- To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Copy and paste the Scan Log results in your next reply.
- Click Close to exit the program.
Post SUPERAntiSpyware log.
Nice, im from north sweden, a town calle Ostersund
here is MBAM :
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org
Databasversion: v2012.02.12.05
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Simon :: SIMON-PC [administratör]
2012-02-12 23:02:50
mbam-log-2012-02-12 (23-02-50).txt
Skanningstyp: Snabbskanning
Aktiverade skanningsalternativ: Minne | Start | Register | Filsystem | Heuristik/Extra | Heuristik/Shuriken | PUP | PUM
Inaktiverade skanningsalternativ: P2P
Antal skannade objekt: 175252
Förfluten tid: 3 minut(er), 10 sekund(er)
Upptäckta minnesprocesser: 0
(Inga skadliga poster hittades)
Upptäckta minnesmoduler: 1
C:\Windows\System32\queuemgr.dll (RootKit.0Access.H) -> Ta bort vid nästa datorstart.
Upptäckta registernycklar: 0
(Inga skadliga poster hittades)
Upptäckta registervärden: 0
(Inga skadliga poster hittades)
Upptäckta registerdataposter: 0
(Inga skadliga poster hittades)
Upptäckta mappar: 0
(Inga skadliga poster hittades)
Upptäckta filer: 1
C:\Windows\System32\queuemgr.dll (RootKit.0Access.H) -> Ta bort vid nästa datorstart.
(klar)
here is MBAM :
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org
Databasversion: v2012.02.12.05
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Simon :: SIMON-PC [administratör]
2012-02-12 23:02:50
mbam-log-2012-02-12 (23-02-50).txt
Skanningstyp: Snabbskanning
Aktiverade skanningsalternativ: Minne | Start | Register | Filsystem | Heuristik/Extra | Heuristik/Shuriken | PUP | PUM
Inaktiverade skanningsalternativ: P2P
Antal skannade objekt: 175252
Förfluten tid: 3 minut(er), 10 sekund(er)
Upptäckta minnesprocesser: 0
(Inga skadliga poster hittades)
Upptäckta minnesmoduler: 1
C:\Windows\System32\queuemgr.dll (RootKit.0Access.H) -> Ta bort vid nästa datorstart.
Upptäckta registernycklar: 0
(Inga skadliga poster hittades)
Upptäckta registervärden: 0
(Inga skadliga poster hittades)
Upptäckta registerdataposter: 0
(Inga skadliga poster hittades)
Upptäckta mappar: 0
(Inga skadliga poster hittades)
Upptäckta filer: 1
C:\Windows\System32\queuemgr.dll (RootKit.0Access.H) -> Ta bort vid nästa datorstart.
(klar)
No internet connection now ofc , that daamn afd.sys file that keeps getting removed all the time haha.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 02/13/2012 at 00:16 AM
Application Version : 5.0.1144
Core Rules Database Version : 8230
Trace Rules Database Version: 6042
Scan type : Complete Scan
Total Scan Time : 00:35:16
Operating System Information
Windows 7 Ultimate 32-bit, Service Pack 1 (Build 6.01.7601)
UAC Off - Administrator
Memory items scanned : 316
Memory threats detected : 0
Registry items scanned : 34243
Registry threats detected : 8
File items scanned : 124879
File threats detected : 6
Trojan.Agent/Gen-Sirefef
HKLM\System\ControlSet002\Services\TDX
C:\WINDOWS\SYSTEM32\DRIVERS\TDX.SYS
HKLM\System\ControlSet002\Enum\Root\LEGACY_TDX
HKLM\System\ControlSet003\Services\TDX
HKLM\System\ControlSet003\Enum\Root\LEGACY_TDX
HKLM\System\ControlSet004\Services\TDX
HKLM\System\ControlSet004\Enum\Root\LEGACY_TDX
HKLM\System\CurrentControlSet\Services\TDX
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_TDX
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRIVERS\DTSOFTBUS01.SYS.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRIVERS\DTSOFTBUS01.SYS.VIR_
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRIVERS\TDX.SYS.VIR
Trojan.Agent/Gen-ZAccess
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRIVERS\AFD.SYS.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRIVERS\AFD.SYS.VIR_
, that daamn afd.sys file that keeps getting removed all the time haha.SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 02/13/2012 at 00:16 AM
Application Version : 5.0.1144
Core Rules Database Version : 8230
Trace Rules Database Version: 6042
Scan type : Complete Scan
Total Scan Time : 00:35:16
Operating System Information
Windows 7 Ultimate 32-bit, Service Pack 1 (Build 6.01.7601)
UAC Off - Administrator
Memory items scanned : 316
Memory threats detected : 0
Registry items scanned : 34243
Registry threats detected : 8
File items scanned : 124879
File threats detected : 6
Trojan.Agent/Gen-Sirefef
HKLM\System\ControlSet002\Services\TDX
C:\WINDOWS\SYSTEM32\DRIVERS\TDX.SYS
HKLM\System\ControlSet002\Enum\Root\LEGACY_TDX
HKLM\System\ControlSet003\Services\TDX
HKLM\System\ControlSet003\Enum\Root\LEGACY_TDX
HKLM\System\ControlSet004\Services\TDX
HKLM\System\ControlSet004\Enum\Root\LEGACY_TDX
HKLM\System\CurrentControlSet\Services\TDX
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_TDX
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRIVERS\DTSOFTBUS01.SYS.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRIVERS\DTSOFTBUS01.SYS.VIR_
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRIVERS\TDX.SYS.VIR
Trojan.Agent/Gen-ZAccess
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRIVERS\AFD.SYS.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRIVERS\AFD.SYS.VIR_
Farbar Service Scanner Version: 10-02-2012
Ran by Simon (administrator) on 13-02-2012 at 00:44:39
Running from "C:\Users\Simon\Desktop"
Microsoft Windows 7 Ultimate Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.
tdx Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open tdx registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open tdx registry key. The service key does not exist.
Checking LEGACY_tdx: Attention! Unable to open LEGACY_tdx\0000 registry key. The key does not exist.
Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Yahoo IP is accessible.
Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of MpsSvc. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of MpsSvc. The value does not exist.
Unable to retrieve ServiceDll of MpsSvc. The value does not exist.
Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.
Windows Defender:
=============
WinDefend Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open WinDefend registry key. The service key does not exist.
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2012-02-11 03:59] - [2011-04-25 04:24] - 0338944 ____A (Microsoft Corporation) C427F91A748CD342A2B3F9278D9FD6A5
Attention! C:\Windows\system32\Drivers\tdx.sys is missing.
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
**** End of log ****
Ran by Simon (administrator) on 13-02-2012 at 00:44:39
Running from "C:\Users\Simon\Desktop"
Microsoft Windows 7 Ultimate Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.
tdx Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open tdx registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open tdx registry key. The service key does not exist.
Checking LEGACY_tdx: Attention! Unable to open LEGACY_tdx\0000 registry key. The key does not exist.
Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Yahoo IP is accessible.
Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of MpsSvc. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of MpsSvc. The value does not exist.
Unable to retrieve ServiceDll of MpsSvc. The value does not exist.
Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.
Windows Defender:
=============
WinDefend Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open WinDefend registry key. The service key does not exist.
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2012-02-11 03:59] - [2011-04-25 04:24] - 0338944 ____A (Microsoft Corporation) C427F91A748CD342A2B3F9278D9FD6A5
Attention! C:\Windows\system32\Drivers\tdx.sys is missing.
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
**** End of log ****
Farbar Service Scanner Version: 10-02-2012
Ran by Simon (administrator) on 13-02-2012 at 00:55:55
Microsoft Windows 7 Ultimate Service Pack 1 (X86)
************************************************
======== Search: "tdx.sys" =========
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys
[2009-07-14 00:12] - [2009-07-14 00:12] - 0074240 ____A (Microsoft Corporation) CB39E896A2A83702D1737BFD402B3542
C:\Windows\ERDNT\cache\tdx.sys
[2012-02-11 01:22] - [2009-07-14 00:12] - 0074240 ____A (Microsoft Corporation) CB39E896A2A83702D1737BFD402B3542
====== End Of Search ======
Ran by Simon (administrator) on 13-02-2012 at 00:55:55
Microsoft Windows 7 Ultimate Service Pack 1 (X86)
************************************************
======== Search: "tdx.sys" =========
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys
[2009-07-14 00:12] - [2009-07-14 00:12] - 0074240 ____A (Microsoft Corporation) CB39E896A2A83702D1737BFD402B3542
C:\Windows\ERDNT\cache\tdx.sys
[2012-02-11 01:22] - [2009-07-14 00:12] - 0074240 ____A (Microsoft Corporation) CB39E896A2A83702D1737BFD402B3542
====== End Of Search ======
Broni
Posts: 56,041 +517
Download following batch file: http://www.bleepstatic.com/fhost/uploads/0/93-fix.bat
Double click on it to run the fix.
Command prompt window will open.
You should see following message:
"1 file(s) copied"
In that case press any key to close command prompt window.
If you see any error message let me know.
We also have couple of registry keys missing....
Following steps involve registry editing. Please create new restore point before proceeding!!!
How to:
XP - http://support.microsoft.com/kb/948247
Vista and Seven - http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
Download Seven.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
Unzip the file.
You'll find several files inside.
Double click on mpssvc.reg file and confirm the prompt.
Double click on tdx.reg file and confirm the prompt.
Restart computer, check on internet connection, see if you can turn Windows firewall on and post new FSS log.
Double click on it to run the fix.
Command prompt window will open.
You should see following message:
"1 file(s) copied"
In that case press any key to close command prompt window.
If you see any error message let me know.
We also have couple of registry keys missing....
Following steps involve registry editing. Please create new restore point before proceeding!!!
How to:
XP - http://support.microsoft.com/kb/948247
Vista and Seven - http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
Download Seven.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
Unzip the file.
You'll find several files inside.
Double click on mpssvc.reg file and confirm the prompt.
Double click on tdx.reg file and confirm the prompt.
Restart computer, check on internet connection, see if you can turn Windows firewall on and post new FSS log.
Similar threads
