
help with virus



Yesterday I got some kind of virus and it doesn't seem to want to go away easily.

It's killed MSE, Lavasoft Ad-Aware and SUPERAntiSpyware's normal .exe, but Malwarebytes and Spybot S&D are still working. I've also managed to download and install the Kaspersky Virus Removal Tool, as well as run ESET. I tried installing Avira, but that didn't work.

When I was finished running GMER I had to do a hard reboot, and following that my computer started in normal mode :huh:

Anyway, the logs:

MBAM

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Databasversion: 7908

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

10/10/2011 4:37:03 AM

mbam-log-2011-10-10 (04-37-03).txt

Skanningstyp: Snabbskanning

Antal skannade objekt: 217016

Förfluten tid: 6 minut(er), 51 sekund(er)

Infekterade minnesprocesser: 0

Infekterade minnesmoduler: 0

Infekterade registernycklar: 0

Infekterade registervärden: 0

Infekterade registerdataposter: 0

Infekterade mappar: 0

Infekterade filer: 0

Infekterade minnesprocesser:

(Inga skadliga poster hittades)

Infekterade minnesmoduler:

(Inga skadliga poster hittades)

Infekterade registernycklar:

(Inga skadliga poster hittades)

Infekterade registervärden:

(Inga skadliga poster hittades)

Infekterade registerdataposter:

(Inga skadliga poster hittades)

Infekterade mappar:

(Inga skadliga poster hittades)

Infekterade filer:

(Inga skadliga poster hittades)

DDS

.

DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK

Internet Explorer: 8.0.6001.18702

Run by Karl Sundberg at 19:25:26 on 2011-10-09

Microsoft Windows XP Professional 5.1.2600.3.1252.46.1053.18.2046.1592 [GMT 2:00]

.

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\explorer.exe

C:\Program\Internet Explorer\iexplore.exe

C:\Program\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\Internet Explorer\iexplore.exe

C:\Documents and Settings\Karl Sundberg\Skrivbord\avira_free_antivirus_en.exe

C:\DOCUME~1\KARLSU~1\LOKALA~1\Temp\RarSFX1\presetup.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.altavista.com/

uSearch Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uSearch Bar = hxxp://www.google.com/ie

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

uWinlogon: SHELL=c:\documents and settings\karl sundberg\lokala inställningar\application data\99879ed2\X

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program\delade filer\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program\bitcomet\tools\BitCometBHO_1.1.3.19.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program\avg\avg9\avgssie.dll

BHO: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - No File

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program\spybot - search & destroy\SDHelper.dll

BHO: Windows Live inloggningshjälpen: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program\delade filer\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program\google\googletoolbarnotifier\5.5.5126.1836\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program\java\jre6\bin\jp2ssv.dll

TB: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - No File

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

uRun: [sUPERAntiSpyware] c:\program\superantispyware\SUPERAntiSpyware.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [msnmsgr] "c:\program\windows live\messenger\msnmsgr.exe" /background

uRun: [Messenger (Yahoo!)] "c:\program\yahoo!\messen~1\YahooMessenger.exe" -quiet

uRun: [Google Update] "c:\documents and settings\karl sundberg\lokala inställningar\application data\google\update\GoogleUpdate.exe" /c

uRun: [TomTomHOME.exe] "c:\program\tomtom home 2\TomTomHOMERunner.exe"

mRun: [sunJavaUpdateSched] "c:\program\delade filer\java\java update\jusched.exe"

mRun: [ArcSoft Connection Service] c:\program\delade filer\arcsoft\connection service\bin\ACDaemon.exe

mRun: [MSC] "c:\program\microsoft security client\msseces.exe" -hide -runkey

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [Adobe ARM] "c:\program\delade filer\adobe\arm\1.0\AdobeARM.exe"

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [DWQueuedReporting] "c:\program\delade~1\micros~1\dw\dwtrig20.exe" -t

mRunOnce: [Malwarebytes' Anti-Malware] c:\program\malwarebytes' anti-malware\mbamgui.exe /install /silent

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\micros~1.lnk - c:\program\microsoft office\office\OSA9.EXE

IE: AltaVista Search - file://c:\program\dynamic toolbar\altavista\cache\SelectedContextSearch.htm

IE: Google Sidewiki... - c:\program\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: Translate - file://c:\program\dynamic toolbar\altavista\cache\SelectedContextTranslation.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program\yahoo!\messenger\YahooMessenger.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program\spybot - search & destroy\SDHelper.dll

LSP: mswsock.dll

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program\yahoo!\common\yinsthelper.dll

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 195.58.103.124 213.150.135.210

TCP: Interfaces\{AF6B546A-A4CD-4DFF-A803-1225C9731A10} : DhcpNameServer = 195.58.103.124 213.150.135.210

Notify: !SASWinLogon - c:\program\superantispyware\SASWINLO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program\superantispyware\SASSEH.DLL

.

============= SERVICES / DRIVERS ===============

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-24 64512]

S0 exkxka;exkxka; [x]

S0 jerm;jerm;c:\windows\system32\drivers\bcxiiqvc.sys --> c:\windows\system32\drivers\bcxiiqvc.sys [?]

S0 pgqy;pgqy;c:\windows\system32\drivers\xfakgela.sys --> c:\windows\system32\drivers\xfakgela.sys [?]

S0 wlyry;wlyry;c:\windows\system32\drivers\yhtmgjrt.sys --> c:\windows\system32\drivers\yhtmgjrt.sys [?]

S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165648]

S1 MpKsl232ac154;MpKsl232ac154;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f3585fd7-ac55-4bc6-95f0-bc1ea0c0ff72}\mpksl232ac154.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f3585fd7-ac55-4bc6-95f0-bc1ea0c0ff72}\MpKsl232ac154.sys [?]

S1 SASDIFSV;SASDIFSV;c:\program\superantispyware\SASDIFSV.SYS [2010-2-17 12880]

S1 SASKUTIL;SASKUTIL;c:\program\superantispyware\SASKUTIL.SYS [2010-2-17 67664]

S1 zbnegcaahptd5;zbnegcaahptd5;c:\windows\system32\drivers\zbnegcaahptd5.sys --> c:\windows\system32\drivers\zbnegcaahptd5.sys [?]

S2 gupdate1c9c666ba4935f6;Google Update Service (gupdate1c9c666ba4935f6);c:\program\google\update\GoogleUpdate.exe [2009-4-26 133104]

S2 iRacingService;iRacing.com Helper Service;c:\spel\iracing\iRacingService.exe [2008-2-4 475808]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program\lavasoft\ad-aware\AAWService.exe [2011-4-1 2152152]

S3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\amdtools.sys --> c:\windows\system32\drivers\AmdTools.sys [?]

S3 gupdatem;Tjänsten Google Update (gupdatem);c:\program\google\update\GoogleUpdate.exe [2009-4-26 133104]

S3 hercspud;Hercules ® WDM Audio Driver;c:\windows\system32\drivers\hercspud.sys [2008-7-23 153216]

S3 hercwdm;Hercules ® WDM Interface Driver;c:\windows\system32\drivers\hercwdm.sys [2008-7-23 497152]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program\lavasoft\ad-aware\kernexplorer.sys [2011-4-1 15232]

S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

S3 SASENUM;SASENUM;c:\program\superantispyware\SASENUM.SYS [2010-2-17 12872]

S3 SysProtDrv.sys;SysProtDrv.sys;\??\c:\documents and settings\karl sundberg\skrivbord\sysprot\sysprotdrv.sys --> c:\documents and settings\karl sundberg\skrivbord\sysprot\SysProtDrv.sys [?]

.

=============== Created Last 30 ================

.

2011-10-09 14:09:05 -------- d-----w- c:\program\ESET

2011-10-09 07:11:59 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b91c9470-47c3-422d-bf46-ccb4b814c9b4}\offreg.dll

2011-10-09 07:11:52 7269712 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b91c9470-47c3-422d-bf46-ccb4b814c9b4}\mpengine.dll

2011-10-08 15:52:46 -------- d-----w- C:\lvb

2011-09-24 12:36:56 -------- d-----w- C:\jrflag

2011-09-19 18:13:25 -------- d-----w- c:\documents and settings\karl sundberg\application data\TradingPaints Downloader

2011-09-19 18:10:05 -------- d-----w- c:\program\TradingPaints Downloader

2011-09-17 08:30:30 -------- d-----w- C:\Waterford_Speedbowl_Tower

.

==================== Find3M ====================

.

2011-10-01 22:06:27 2560 ----a-w- c:\windows\system32\BitCometRes.dll

2011-09-26 06:39:34 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-09 09:12:07 602112 ----a-w- c:\windows\system32\crypt32.dll

2011-09-08 20:03:09 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys

2011-08-31 15:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-15 18:59:44 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

.

============= FINISH: 19:25:34.39 ===============

In a hurry to go to work so obviously I forgot the attachments :P

ARK.zip


  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.


Thanks Screen :)

I couldn't turn MSE and the Lavasoft Ad-Watch Live off because, as far as I can tell, they're not running on my PC.

Here are the logs:

MBAM

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Databasversion: 7930

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

10/12/2011 10:04:42 PM

mbam-log-2011-10-12 (22-04-42).txt

Skanningstyp: Snabbskanning

Antal skannade objekt: 214337

Förfluten tid: 6 minut(er), 48 sekund(er)

Infekterade minnesprocesser: 0

Infekterade minnesmoduler: 0

Infekterade registernycklar: 0

Infekterade registervärden: 0

Infekterade registerdataposter: 0

Infekterade mappar: 0

Infekterade filer: 0

Infekterade minnesprocesser:

(Inga skadliga poster hittades)

Infekterade minnesmoduler:

(Inga skadliga poster hittades)

Infekterade registernycklar:

(Inga skadliga poster hittades)

Infekterade registervärden:

(Inga skadliga poster hittades)

Infekterade registerdataposter:

(Inga skadliga poster hittades)

Infekterade mappar:

(Inga skadliga poster hittades)

Infekterade filer:

(Inga skadliga poster hittades)

Combofix

ComboFix 11-10-12.03 - Karl Sundberg 10/12/2011 22:30:36.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.46.1053.18.2046.1664 [GMT 2:00]

Körs från: c:\documents and settings\Karl Sundberg\Skrivbord\ComboFix.exe

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

.

((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\desktop.ini

c:\documents and settings\Karl Sundberg\Application Data\Adobe\plugs

c:\documents and settings\Karl Sundberg\Application Data\Adobe\shed

c:\documents and settings\Karl Sundberg\WINDOWS

C:\DSCN0378.JPG

C:\DSCN0380.JPG

C:\DSCN0381.JPG

c:\windows\$NtUninstallKB63658$\2936239907

c:\windows\{2521BB91-29B1-4d7e-9137-AC9875D77735}

c:\windows\assembly\GAC_MSIL\desktop.ini

c:\windows\ehome\medctrro.exe

c:\windows\$NtUninstallKB63658$ . . . . misslyckades radera

.

c:\windows\system32\drivers\cdrom.sys saknades

Återställd kopia från - c:\windows\ServicePackFiles\i386\cdrom.sys

.

.

(((((((((((((((((((((((( Filer skapade från 2011-09-12 till 2011-10-12 ))))))))))))))))))))))))))))))

.

.

2011-10-12 20:41 . 2008-04-13 18:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys

2011-10-12 20:41 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-10-10 02:32 . 2011-10-10 02:32 -------- d-----w- c:\documents and settings\Karl Sundberg\Lokala inställningar\Application Data\PCHealth

2011-10-09 14:09 . 2011-10-09 14:09 -------- d-----w- c:\program\ESET

2011-10-09 13:26 . 2011-10-09 13:29 -------- d-----w- c:\documents and settings\Administratör

2011-10-09 12:40 . 2011-10-10 16:03 -------- d-sh--w- c:\documents and settings\Karl Sundberg\Lokala inställningar\Application Data\99879ed2

2011-10-09 07:11 . 2011-10-09 07:11 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B91C9470-47C3-422D-BF46-CCB4B814C9B4}\offreg.dll

2011-10-09 07:11 . 2011-09-12 23:14 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B91C9470-47C3-422D-BF46-CCB4B814C9B4}\mpengine.dll

2011-10-08 15:52 . 2011-10-08 15:53 -------- d-----w- C:\lvb

2011-09-24 12:36 . 2011-10-09 12:42 -------- d-----w- C:\jrflag

2011-09-19 18:13 . 2011-09-19 18:44 -------- d-----w- c:\documents and settings\Karl Sundberg\Application Data\TradingPaints Downloader

2011-09-19 18:10 . 2011-09-19 18:10 -------- d-----w- c:\program\TradingPaints Downloader

2011-09-17 08:30 . 2011-09-17 21:02 -------- d-----w- C:\Waterford_Speedbowl_Tower

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-10-09 08:50 . 2011-10-09 08:50 9254 ----a-w- C:\Super_Cuts-vector-logo-6F8B6E82A8-seeklogo.com.zip

2011-10-03 15:59 . 2011-10-03 15:59 6833565 ----a-w- C:\WinchesterNight1_1.zip

2011-10-02 18:04 . 2011-10-02 18:04 3646789 ----a-w- C:\winchester1_3.zip

2011-10-01 22:06 . 2006-09-18 05:57 2560 ----a-w- c:\windows\system32\BitCometRes.dll

2011-09-26 21:07 . 2011-09-26 21:07 11389375 ----a-w- C:\358_OCFS_WTF.zip

2011-09-26 09:41 . 2007-10-09 12:03 612352 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 09:41 . 2006-03-02 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-26 09:41 . 2006-03-02 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 06:39 . 2011-05-16 07:30 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-12 23:14 . 2010-04-23 11:40 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2011-09-09 09:12 . 2006-03-02 12:00 602112 ----a-w- c:\windows\system32\crypt32.dll

2011-09-06 14:09 . 2006-03-02 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-08-31 15:00 . 2010-04-20 20:36 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-22 23:40 . 2006-03-02 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2011-08-22 23:40 . 2006-03-02 12:00 43520 ------w- c:\windows\system32\licmgr10.dll

2011-08-22 23:40 . 2006-03-02 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-08-22 11:58 . 2006-03-02 12:00 385024 ------w- c:\windows\system32\html.iec

2011-08-17 13:49 . 2006-03-02 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2011-07-15 18:59 . 2010-06-07 07:34 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-07-15 13:29 . 2006-03-02 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

.

.

(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Not* tomma poster & legitima standardposter visas inte.

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-09-27 4611456]

"msnmsgr"="c:\program\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]

"Messenger (Yahoo!)"="c:\program\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program\Delade filer\Java\Java Update\jusched.exe" [2010-02-18 248040]

"ArcSoft Connection Service"="c:\program\Delade filer\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]

"MSC"="c:\program\Microsoft Security Client\msseces.exe" [2011-06-15 997920]

"Adobe ARM"="c:\program\Delade filer\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

c:\documents and settings\All Users\Start-meny\Program\Autostart\

Microsoft Office.lnk - c:\program\Microsoft Office\Office\OSA9.EXE [1999-12-19 65588]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program\SUPERAntiSpyware\SASSEH.DLL" [2011-08-04 113024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 13:21 548352 ----a-w- c:\program\SUPERAntiSpyware\SASWINLO.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Spel\\NASCAR craftsman\\NR2003.exe"=

"c:\\Program\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program\\backburner 2\\monitor.exe"=

"c:\\Program\\backburner 2\\manager.exe"=

"c:\\Program\\backburner 2\\server.exe"=

"c:\\Program\\3dsmax7\\3dsmax.exe"=

"c:\\Program\\BitComet\\BitComet.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Spel\\NASCAR Racing 2005 Season\\NR2003.exe"=

"c:\\Program\\RSclient\\ServerRS_CLient\\ServerRS_Client.exe"=

"c:\\Program\\GPLSecrets\\iGOR\\iGOR.exe"=

"c:\\Program\\TVUPlayer\\TVUPlayer.exe"=

"c:\\Program\\eMule\\emule.exe"=

"c:\\Spel\\NASCAR Oldies\\NR2003.exe"=

"c:\\Program\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program\\Autodesk\\backburner\\monitor.exe"=

"c:\\Program\\Autodesk\\backburner\\manager.exe"=

"c:\\Program\\Autodesk\\backburner\\server.exe"=

"c:\\Program\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program\\Winamp\\winamp.exe"=

"c:\\Program\\Google\\Google Earth\\plugin\\geplugin.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"13876:TCP"= 13876:TCP:BitComet 13876 TCP

"13876:UDP"= 13876:UDP:BitComet 13876 UDP

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/24/2009 12:56 AM 64512]

R1 SASDIFSV;SASDIFSV;c:\program\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 11:25 AM 12880]

R1 SASKUTIL;SASKUTIL;c:\program\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 67664]

R2 !SASCORE;SAS Core Service;c:\program\SUPERAntiSpyware\SASCORE.EXE [10/10/2011 5:44 PM 116608]

R2 iRacingService;iRacing.com Helper Service;c:\spel\iRacing\iRacingService.exe [2/4/2008 11:19 PM 475808]

S0 exkxka;exkxka; [x]

S0 jerm;jerm;c:\windows\system32\drivers\bcxiiqvc.sys --> c:\windows\system32\drivers\bcxiiqvc.sys [?]

S0 pgqy;pgqy;c:\windows\system32\drivers\xfakgela.sys --> c:\windows\system32\drivers\xfakgela.sys [?]

S0 wlyry;wlyry;c:\windows\system32\drivers\yhtmgjrt.sys --> c:\windows\system32\drivers\yhtmgjrt.sys [?]

S1 MpKsl232ac154;MpKsl232ac154;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F3585FD7-AC55-4BC6-95F0-BC1EA0C0FF72}\MpKsl232ac154.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F3585FD7-AC55-4BC6-95F0-BC1EA0C0FF72}\MpKsl232ac154.sys [?]

S1 zbnegcaahptd5;zbnegcaahptd5;c:\windows\system32\drivers\zbnegcaahptd5.sys --> c:\windows\system32\drivers\zbnegcaahptd5.sys [?]

S2 gupdate1c9c666ba4935f6;Google Update Service (gupdate1c9c666ba4935f6);c:\program\Google\Update\GoogleUpdate.exe [4/26/2009 2:01 PM 133104]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program\Lavasoft\Ad-Aware\AAWService.exe [4/1/2011 9:22 AM 2152152]

S3 AmdTools;AMD Special Tools Driver;c:\windows\system32\DRIVERS\AmdTools.sys --> c:\windows\system32\DRIVERS\AmdTools.sys [?]

S3 gupdatem;Tjänsten Google Update (gupdatem);c:\program\Google\Update\GoogleUpdate.exe [4/26/2009 2:01 PM 133104]

S3 hercspud;Hercules ® WDM Audio Driver;c:\windows\system32\drivers\hercspud.sys [7/23/2008 2:18 PM 153216]

S3 hercwdm;Hercules ® WDM Interface Driver;c:\windows\system32\drivers\hercwdm.sys [7/23/2008 2:18 PM 497152]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program\Lavasoft\Ad-Aware\kernexplorer.sys [4/1/2011 9:22 AM 15232]

S3 SASENUM;SASENUM;c:\program\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]

S3 SysProtDrv.sys;SysProtDrv.sys;\??\c:\documents and settings\Karl Sundberg\Skrivbord\SysProt\SysProtDrv.sys --> c:\documents and settings\Karl Sundberg\Skrivbord\SysProt\SysProtDrv.sys [?]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/12/2006 2:46 PM 691696]

.

Innehåll i mappen 'Schemalagda aktiviteter':

.

2011-10-12 c:\windows\Tasks\Google Software Updater.job

- c:\program\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-25 19:02]

.

2011-10-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program\Google\Update\GoogleUpdate.exe [2009-04-26 12:01]

.

2011-10-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program\Google\Update\GoogleUpdate.exe [2009-04-26 12:01]

.

2011-10-09 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 13:39]

.

2011-10-12 c:\windows\Tasks\User_Feed_Synchronization-{DAA89DED-0C43-44C5-8010-9A9987BDBDAD}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 02:31]

.

.

------- Extra genomsökning -------

.

uStart Page = hxxp://www.altavista.com/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

IE: AltaVista Search - file://c:\program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextSearch.htm

IE: Google Sidewiki... - c:\program\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: Translate - file://c:\program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextTranslation.htm

TCP: DhcpNameServer = 195.58.103.124 213.150.135.210

.

- - - - FÖRÄLDRALÖSA POSTER SOM TAGITS BORT - - - -

.

HKCU-Run-TomTomHOME.exe - c:\program\TomTom HOME 2\TomTomHOMERunner.exe

AddRemove-LMS - c:\c_dilla\setup\cdunin16.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-10-12 22:45

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\.cdrom]

"ImagePath"="\*"

.

--------------------- LÅSTA REGISTERNYCKLAR ---------------------

.

[HKEY_USERS\S-1-5-21-1844237615-725345543-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2EB06BD8-2159-F682-4E02-4394A10089BA}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"hablgopbffeaiiko"=hex:67,61,69,67,6f,6f,65,68,67,6e,6b,70,68,63,00,00

"iafjkjiikmdpnepbbm"=hex:62,61,6f,66,00,fa

.

--------------------- DLL'er som "laddats" under processer som körs ---------------------

.

- - - - - - - > 'winlogon.exe'(904)

c:\program\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(2820)

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Andra processer som körs ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program\Delade filer\ArcSoft\Connection Service\Bin\ACService.exe

c:\program\Delade filer\Autodesk Shared\Service\AdskScSrv.exe

c:\windows\system32\DRIVERS\CDANTSRV.EXE

c:\program\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Sluttid: 2011-10-12 22:51:37 - datorn startades om.

ComboFix-quarantined-files.txt 2011-10-12 20:51

.

Före genomsökningen: 138,460,282,880 byte ledigt

Efter genomsökningen: 139,083,874,304 byte ledigt

.

WindowsXP-KB310994-SP2-Pro-BootDisk-SVE.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

.

Current=4 Default=4 Failed=1 LastKnownGood=3 Sets=1,2,3,4

- - End Of File - - AF443456EAFAC7DE06886B0E5E6C34F5

DDS

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Karl Sundberg at 22:59:13 on 2011-10-12

Microsoft Windows XP Professional 5.1.2600.3.1252.46.1053.18.2046.1523 [GMT 2:00]

.

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program\SUPERAntiSpyware\SASCORE.EXE

C:\Program\Delade filer\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program\Delade filer\Autodesk Shared\Service\AdskScSrv.exe

C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE

C:\spel\iRacing\iRacingService.exe

C:\Program\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program\Delade filer\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Program\Microsoft Security Client\msseces.exe

C:\Program\Windows Live\Messenger\msnmsgr.exe

C:\Program\Yahoo!\MESSEN~1\YahooMessenger.exe

C:\WINDOWS\explorer.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.altavista.com/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program\delade filer\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program\bitcomet\tools\BitCometBHO_1.1.3.19.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program\avg\avg9\avgssie.dll

BHO: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - No File

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program\spybot - search & destroy\SDHelper.dll

BHO: Windows Live inloggningshjälpen: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program\delade filer\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program\google\googletoolbarnotifier\5.5.5126.1836\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program\java\jre6\bin\jp2ssv.dll

TB: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - No File

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

uRun: [sUPERAntiSpyware] c:\program\superantispyware\SUPERAntiSpyware.exe

uRun: [msnmsgr] "c:\program\windows live\messenger\msnmsgr.exe" /background

uRun: [Messenger (Yahoo!)] "c:\program\yahoo!\messen~1\YahooMessenger.exe" -quiet

mRun: [sunJavaUpdateSched] "c:\program\delade filer\java\java update\jusched.exe"

mRun: [ArcSoft Connection Service] c:\program\delade filer\arcsoft\connection service\bin\ACDaemon.exe

mRun: [MSC] "c:\program\microsoft security client\msseces.exe" -hide -runkey

mRun: [Adobe ARM] "c:\program\delade filer\adobe\arm\1.0\AdobeARM.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\micros~1.lnk - c:\program\microsoft office\office\OSA9.EXE

IE: AltaVista Search - file://c:\program\dynamic toolbar\altavista\cache\SelectedContextSearch.htm

IE: Google Sidewiki... - c:\program\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: Translate - file://c:\program\dynamic toolbar\altavista\cache\SelectedContextTranslation.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program\yahoo!\messenger\YahooMessenger.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program\spybot - search & destroy\SDHelper.dll

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program\yahoo!\common\yinsthelper.dll

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 195.58.103.124 213.150.135.210

TCP: Interfaces\{AF6B546A-A4CD-4DFF-A803-1225C9731A10} : DhcpNameServer = 195.58.103.124 213.150.135.210

Notify: !SASWinLogon - c:\program\superantispyware\SASWINLO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program\superantispyware\SASSEH.DLL

.

============= SERVICES / DRIVERS ===============

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-24 64512]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165648]

R1 SASDIFSV;SASDIFSV;c:\program\superantispyware\SASDIFSV.SYS [2010-2-17 12880]

R1 SASKUTIL;SASKUTIL;c:\program\superantispyware\SASKUTIL.SYS [2010-2-17 67664]

R2 !SASCORE;SAS Core Service;c:\program\superantispyware\SASCORE.EXE [2011-10-10 116608]

R2 iRacingService;iRacing.com Helper Service;c:\spel\iracing\iRacingService.exe [2008-2-4 475808]

S0 exkxka;exkxka; [x]

S0 jerm;jerm;c:\windows\system32\drivers\bcxiiqvc.sys --> c:\windows\system32\drivers\bcxiiqvc.sys [?]

S0 pgqy;pgqy;c:\windows\system32\drivers\xfakgela.sys --> c:\windows\system32\drivers\xfakgela.sys [?]

S0 wlyry;wlyry;c:\windows\system32\drivers\yhtmgjrt.sys --> c:\windows\system32\drivers\yhtmgjrt.sys [?]

S1 MpKsl232ac154;MpKsl232ac154;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f3585fd7-ac55-4bc6-95f0-bc1ea0c0ff72}\mpksl232ac154.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f3585fd7-ac55-4bc6-95f0-bc1ea0c0ff72}\MpKsl232ac154.sys [?]

S1 zbnegcaahptd5;zbnegcaahptd5;c:\windows\system32\drivers\zbnegcaahptd5.sys --> c:\windows\system32\drivers\zbnegcaahptd5.sys [?]

S2 gupdate1c9c666ba4935f6;Google Update Service (gupdate1c9c666ba4935f6);c:\program\google\update\GoogleUpdate.exe [2009-4-26 133104]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program\lavasoft\ad-aware\AAWService.exe [2011-4-1 2152152]

S3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\amdtools.sys --> c:\windows\system32\drivers\AmdTools.sys [?]

S3 gupdatem;Tjänsten Google Update (gupdatem);c:\program\google\update\GoogleUpdate.exe [2009-4-26 133104]

S3 hercspud;Hercules ® WDM Audio Driver;c:\windows\system32\drivers\hercspud.sys [2008-7-23 153216]

S3 hercwdm;Hercules ® WDM Interface Driver;c:\windows\system32\drivers\hercwdm.sys [2008-7-23 497152]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program\lavasoft\ad-aware\kernexplorer.sys [2011-4-1 15232]

S3 SASENUM;SASENUM;c:\program\superantispyware\SASENUM.SYS [2010-2-17 12872]

S3 SysProtDrv.sys;SysProtDrv.sys;\??\c:\documents and settings\karl sundberg\skrivbord\sysprot\sysprotdrv.sys --> c:\documents and settings\karl sundberg\skrivbord\sysprot\SysProtDrv.sys [?]

.

=============== Created Last 30 ================

.

2011-10-12 20:41:54 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys

2011-10-12 20:41:54 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-10-12 20:17:42 -------- d-sha-r- C:\cmdcons

2011-10-12 20:15:20 98816 ----a-w- c:\windows\sed.exe

2011-10-12 20:15:20 518144 ----a-w- c:\windows\SWREG.exe

2011-10-12 20:15:20 256000 ----a-w- c:\windows\PEV.exe

2011-10-12 20:15:20 208896 ----a-w- c:\windows\MBR.exe

2011-10-10 02:32:32 -------- d-----w- c:\documents and settings\karl sundberg\lokala inställningar\application data\PCHealth

2011-10-09 14:09:05 -------- d-----w- c:\program\ESET

2011-10-09 12:40:06 -------- d-sh--w- c:\documents and settings\karl sundberg\lokala inställningar\application data\99879ed2

2011-10-09 07:11:59 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b91c9470-47c3-422d-bf46-ccb4b814c9b4}\offreg.dll

2011-10-09 07:11:52 7269712 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b91c9470-47c3-422d-bf46-ccb4b814c9b4}\mpengine.dll

2011-10-08 15:52:46 -------- d-----w- C:\lvb

2011-09-24 12:36:56 -------- d-----w- C:\jrflag

2011-09-19 18:13:25 -------- d-----w- c:\documents and settings\karl sundberg\application data\TradingPaints Downloader

2011-09-19 18:10:05 -------- d-----w- c:\program\TradingPaints Downloader

2011-09-17 08:30:30 -------- d-----w- C:\Waterford_Speedbowl_Tower

.

==================== Find3M ====================

.

2011-10-01 22:06:27 2560 ----a-w- c:\windows\system32\BitCometRes.dll

2011-09-26 09:41:40 612352 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 09:41:40 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-26 09:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 06:39:34 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-09 09:12:07 602112 ----a-w- c:\windows\system32\crypt32.dll

2011-09-08 20:03:09 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys

2011-09-06 14:09:57 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-08-31 15:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-22 23:40:15 916480 ----a-w- c:\windows\system32\wininet.dll

2011-08-22 23:40:14 43520 ------w- c:\windows\system32\licmgr10.dll

2011-08-22 23:40:14 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-08-22 11:58:29 385024 ------w- c:\windows\system32\html.iec

2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2011-07-15 18:59:44 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

.

============= FINISH: 22:59:22.56 ===============

Based on the popups from ComboFix, it didn't like the virus much :(


  • Staff

Hi,

Please see:

HijackThis Forum Policy

We will not be party to obvious use of key gens, cracks, warez or other illegal means of downloading software, music, videos etc. This means no P2P evidence will be supported. Logs that show these in them will be given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed, period. It's theft and against the law.

It's likely why your issue began in the first place.

This goes for BitComet and anything else you may have installed.


Hi Screen

No, I really don't think that was my problem. I used BitComet to download NASCAR races, but that was a while ago. I'm pretty sure I got it while trying to figure out what a certain actress (from comedies, but hot of course :) ) was doing nowadays. I googled her and clicked on the link that was supposedly the largest fan site, when I got a message from MSE about a virus which it supposedly took care of, but shortly after that things went wrong fast. I can PM you her name and what link I think I clicked (not sure, it didn't seem like a high-risk link so I wasn't paying much attention).

I've uninstalled BitComet, so here are my newest logs (with updated MBAM):

MBAM

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Databasversion: 7950

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

10/15/2011 1:52:45 AM

mbam-log-2011-10-15 (01-52-45).txt

Skanningstyp: Snabbskanning

Antal skannade objekt: 208759

Förfluten tid: 3 minut(er), 24 sekund(er)

Infekterade minnesprocesser: 0

Infekterade minnesmoduler: 0

Infekterade registernycklar: 0

Infekterade registervärden: 0

Infekterade registerdataposter: 0

Infekterade mappar: 0

Infekterade filer: 0

Infekterade minnesprocesser:

(Inga skadliga poster hittades)

Infekterade minnesmoduler:

(Inga skadliga poster hittades)

Infekterade registernycklar:

(Inga skadliga poster hittades)

Infekterade registervärden:

(Inga skadliga poster hittades)

Infekterade registerdataposter:

(Inga skadliga poster hittades)

Infekterade mappar:

(Inga skadliga poster hittades)

Infekterade filer:

(Inga skadliga poster hittades)

DDS

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Karl Sundberg at 1:53:16 on 2011-10-15

Microsoft Windows XP Professional 5.1.2600.3.1252.46.1053.18.2046.1363 [GMT 2:00]

.

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Delade filer\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Program\Microsoft Security Client\msseces.exe

C:\Program\Windows Live\Messenger\msnmsgr.exe

C:\WINDOWS\system32\ctfmon.exe

svchost.exe

C:\Program\SUPERAntiSpyware\SASCORE.EXE

C:\Program\Delade filer\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program\Delade filer\Autodesk Shared\Service\AdskScSrv.exe

C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE

C:\spel\iRacing\iRacingService.exe

C:\Program\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program\internet explorer\iexplore.exe

C:\Documents and Settings\Karl Sundberg\Lokala inställningar\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Karl Sundberg\Lokala inställningar\Application Data\Google\Chrome\Application\chrome.exe

C:\Program\internet explorer\iexplore.exe

C:\Program\ATI Technologies\ATI.ACE\Core-Static\mom.exe

C:\Program\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Documents and Settings\Karl Sundberg\Lokala inställningar\Application Data\Google\Chrome\Application\chrome.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.altavista.com/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program\delade filer\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program\avg\avg9\avgssie.dll

BHO: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - No File

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program\spybot - search & destroy\SDHelper.dll

BHO: Windows Live inloggningshjälpen: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program\delade filer\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program\google\googletoolbarnotifier\5.5.5126.1836\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program\java\jre6\bin\jp2ssv.dll

TB: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - No File

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

uRun: [sUPERAntiSpyware] c:\program\superantispyware\SUPERAntiSpyware.exe

uRun: [msnmsgr] "c:\program\windows live\messenger\msnmsgr.exe" /background

uRun: [Messenger (Yahoo!)] "c:\program\yahoo!\messen~1\YahooMessenger.exe" -quiet

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [sunJavaUpdateSched] "c:\program\delade filer\java\java update\jusched.exe"

mRun: [ArcSoft Connection Service] c:\program\delade filer\arcsoft\connection service\bin\ACDaemon.exe

mRun: [MSC] "c:\program\microsoft security client\msseces.exe" -hide -runkey

mRun: [Adobe ARM] "c:\program\delade filer\adobe\arm\1.0\AdobeARM.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\micros~1.lnk - c:\program\microsoft office\office\OSA9.EXE

IE: AltaVista Search - file://c:\program\dynamic toolbar\altavista\cache\SelectedContextSearch.htm

IE: Google Sidewiki... - c:\program\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: Translate - file://c:\program\dynamic toolbar\altavista\cache\SelectedContextTranslation.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program\yahoo!\messenger\YahooMessenger.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program\spybot - search & destroy\SDHelper.dll

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program\yahoo!\common\yinsthelper.dll

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 195.58.103.124 213.150.135.210

TCP: Interfaces\{AF6B546A-A4CD-4DFF-A803-1225C9731A10} : DhcpNameServer = 195.58.103.124 213.150.135.210

Notify: !SASWinLogon - c:\program\superantispyware\SASWINLO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program\superantispyware\SASSEH.DLL

.

============= SERVICES / DRIVERS ===============

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-24 64512]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165648]

R1 SASDIFSV;SASDIFSV;c:\program\superantispyware\SASDIFSV.SYS [2010-2-17 12880]

R1 SASKUTIL;SASKUTIL;c:\program\superantispyware\SASKUTIL.SYS [2010-2-17 67664]

R2 !SASCORE;SAS Core Service;c:\program\superantispyware\SASCORE.EXE [2011-10-10 116608]

R2 iRacingService;iRacing.com Helper Service;c:\spel\iracing\iRacingService.exe [2008-2-4 475808]

S0 exkxka;exkxka; [x]

S0 jerm;jerm;c:\windows\system32\drivers\bcxiiqvc.sys --> c:\windows\system32\drivers\bcxiiqvc.sys [?]

S0 pgqy;pgqy;c:\windows\system32\drivers\xfakgela.sys --> c:\windows\system32\drivers\xfakgela.sys [?]

S0 wlyry;wlyry;c:\windows\system32\drivers\yhtmgjrt.sys --> c:\windows\system32\drivers\yhtmgjrt.sys [?]

S1 MpKsl232ac154;MpKsl232ac154;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f3585fd7-ac55-4bc6-95f0-bc1ea0c0ff72}\mpksl232ac154.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f3585fd7-ac55-4bc6-95f0-bc1ea0c0ff72}\MpKsl232ac154.sys [?]

S1 zbnegcaahptd5;zbnegcaahptd5;c:\windows\system32\drivers\zbnegcaahptd5.sys --> c:\windows\system32\drivers\zbnegcaahptd5.sys [?]

S2 gupdate1c9c666ba4935f6;Google Update Service (gupdate1c9c666ba4935f6);c:\program\google\update\GoogleUpdate.exe [2009-4-26 133104]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program\lavasoft\ad-aware\AAWService.exe [2011-4-1 2152152]

S3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\amdtools.sys --> c:\windows\system32\drivers\AmdTools.sys [?]

S3 gupdatem;Tjänsten Google Update (gupdatem);c:\program\google\update\GoogleUpdate.exe [2009-4-26 133104]

S3 hercspud;Hercules ® WDM Audio Driver;c:\windows\system32\drivers\hercspud.sys [2008-7-23 153216]

S3 hercwdm;Hercules ® WDM Interface Driver;c:\windows\system32\drivers\hercwdm.sys [2008-7-23 497152]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program\lavasoft\ad-aware\kernexplorer.sys [2011-4-1 15232]

S3 SASENUM;SASENUM;c:\program\superantispyware\SASENUM.SYS [2010-2-17 12872]

S3 SysProtDrv.sys;SysProtDrv.sys;\??\c:\documents and settings\karl sundberg\skrivbord\sysprot\sysprotdrv.sys --> c:\documents and settings\karl sundberg\skrivbord\sysprot\SysProtDrv.sys [?]

.

=============== Created Last 30 ================

.

2011-10-12 20:41:54 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys

2011-10-12 20:41:54 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-10-12 20:17:42 -------- d-sha-r- C:\cmdcons

2011-10-12 20:15:20 98816 ----a-w- c:\windows\sed.exe

2011-10-12 20:15:20 518144 ----a-w- c:\windows\SWREG.exe

2011-10-12 20:15:20 256000 ----a-w- c:\windows\PEV.exe

2011-10-12 20:15:20 208896 ----a-w- c:\windows\MBR.exe

2011-10-10 02:32:32 -------- d-----w- c:\documents and settings\karl sundberg\lokala inställningar\application data\PCHealth

2011-10-09 14:09:05 -------- d-----w- c:\program\ESET

2011-10-09 12:40:06 -------- d-sh--w- c:\documents and settings\karl sundberg\lokala inställningar\application data\99879ed2

2011-10-09 07:11:59 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b91c9470-47c3-422d-bf46-ccb4b814c9b4}\offreg.dll

2011-10-09 07:11:52 7269712 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b91c9470-47c3-422d-bf46-ccb4b814c9b4}\mpengine.dll

2011-10-08 15:52:46 -------- d-----w- C:\lvb

2011-09-24 12:36:56 -------- d-----w- C:\jrflag

2011-09-19 18:13:25 -------- d-----w- c:\documents and settings\karl sundberg\application data\TradingPaints Downloader

2011-09-19 18:10:05 -------- d-----w- c:\program\TradingPaints Downloader

2011-09-17 08:30:30 -------- d-----w- C:\Waterford_Speedbowl_Tower

.

==================== Find3M ====================

.

2011-09-26 09:41:40 612352 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 09:41:40 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-26 09:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 06:39:34 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-09 09:12:07 602112 ----a-w- c:\windows\system32\crypt32.dll

2011-09-08 20:03:09 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys

2011-09-06 14:09:57 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-08-31 15:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-22 23:40:15 916480 ----a-w- c:\windows\system32\wininet.dll

2011-08-22 23:40:14 43520 ------w- c:\windows\system32\licmgr10.dll

2011-08-22 23:40:14 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-08-22 11:58:29 385024 ------w- c:\windows\system32\html.iec

2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys

.

============= FINISH: 1:54:18.40 ===============


Hi Screen, thanks for your reply :)

Combofix

ComboFix 11-10-20.05 - Karl Sundberg 10/20/2011 19:55:31.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.46.1053.18.2046.1592 [GMT 2:00]

Körs från: c:\documents and settings\Karl Sundberg\Skrivbord\ComboFix.exe

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

.

((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Karl Sundberg\Lokala inställningar\Application Data\99879ed2\U\80000000.@

.

.

(((((((((((((((((((((((( Filer skapade från 2011-09-20 till 2011-10-20 ))))))))))))))))))))))))))))))

.

.

2011-10-12 20:41 . 2008-04-13 18:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys

2011-10-12 20:41 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-10-10 02:32 . 2011-10-10 02:32 -------- d-----w- c:\documents and settings\Karl Sundberg\Lokala inställningar\Application Data\PCHealth

2011-10-09 14:09 . 2011-10-09 14:09 -------- d-----w- c:\program\ESET

2011-10-09 13:26 . 2011-10-09 13:29 -------- d-----w- c:\documents and settings\Administratör

2011-10-09 12:40 . 2011-10-10 16:03 -------- d-sh--w- c:\documents and settings\Karl Sundberg\Lokala inställningar\Application Data\99879ed2

2011-10-09 07:11 . 2011-10-09 07:11 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B91C9470-47C3-422D-BF46-CCB4B814C9B4}\offreg.dll

2011-10-09 07:11 . 2011-09-12 23:14 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B91C9470-47C3-422D-BF46-CCB4B814C9B4}\mpengine.dll

2011-10-08 15:52 . 2011-10-08 15:53 -------- d-----w- C:\lvb

2011-09-24 12:36 . 2011-10-09 12:42 -------- d-----w- C:\jrflag

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-10-19 15:47 . 2011-05-16 07:30 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-09 08:50 . 2011-10-09 08:50 9254 ----a-w- C:\Super_Cuts-vector-logo-6F8B6E82A8-seeklogo.com.zip

2011-10-03 15:59 . 2011-10-03 15:59 6833565 ----a-w- C:\WinchesterNight1_1.zip

2011-10-02 18:04 . 2011-10-02 18:04 3646789 ----a-w- C:\winchester1_3.zip

2011-09-26 21:07 . 2011-09-26 21:07 11389375 ----a-w- C:\358_OCFS_WTF.zip

2011-09-26 09:41 . 2007-10-09 12:03 612352 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 09:41 . 2006-03-02 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-26 09:41 . 2006-03-02 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-12 23:14 . 2010-04-23 11:40 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2011-09-09 09:12 . 2006-03-02 12:00 602112 ----a-w- c:\windows\system32\crypt32.dll

2011-09-06 14:09 . 2006-03-02 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-08-31 15:00 . 2010-04-20 20:36 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-22 23:40 . 2006-03-02 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2011-08-22 23:40 . 2006-03-02 12:00 43520 ------w- c:\windows\system32\licmgr10.dll

2011-08-22 23:40 . 2006-03-02 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-08-22 11:58 . 2006-03-02 12:00 385024 ------w- c:\windows\system32\html.iec

2011-08-17 13:49 . 2006-03-02 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys

.

.

((((((((((((((((((((((((((((( SnapShot@2011-10-12_20.45.37 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-10-19 15:47 . 2011-10-19 15:47 247968 c:\windows\system32\Macromed\Flash\FlashUtil11c_ActiveX.exe

+ 2011-10-19 15:47 . 2011-10-19 15:47 335520 c:\windows\system32\Macromed\Flash\FlashUtil11c_ActiveX.dll

.

(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Not* tomma poster & legitima standardposter visas inte.

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-09-27 4611456]

"msnmsgr"="c:\program\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]

"Messenger (Yahoo!)"="c:\program\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program\Delade filer\Java\Java Update\jusched.exe" [2010-02-18 248040]

"ArcSoft Connection Service"="c:\program\Delade filer\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]

"MSC"="c:\program\Microsoft Security Client\msseces.exe" [2011-06-15 997920]

"Adobe ARM"="c:\program\Delade filer\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

c:\documents and settings\All Users\Start-meny\Program\Autostart\

Microsoft Office.lnk - c:\program\Microsoft Office\Office\OSA9.EXE [1999-12-19 65588]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program\SUPERAntiSpyware\SASSEH.DLL" [2011-08-04 113024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 13:21 548352 ----a-w- c:\program\SUPERAntiSpyware\SASWINLO.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Spel\\NASCAR craftsman\\NR2003.exe"=

"c:\\Program\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program\\backburner 2\\monitor.exe"=

"c:\\Program\\backburner 2\\manager.exe"=

"c:\\Program\\backburner 2\\server.exe"=

"c:\\Program\\3dsmax7\\3dsmax.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Spel\\NASCAR Racing 2005 Season\\NR2003.exe"=

"c:\\Program\\RSclient\\ServerRS_CLient\\ServerRS_Client.exe"=

"c:\\Program\\GPLSecrets\\iGOR\\iGOR.exe"=

"c:\\Program\\TVUPlayer\\TVUPlayer.exe"=

"c:\\Spel\\NASCAR Oldies\\NR2003.exe"=

"c:\\Program\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program\\Autodesk\\backburner\\monitor.exe"=

"c:\\Program\\Autodesk\\backburner\\manager.exe"=

"c:\\Program\\Autodesk\\backburner\\server.exe"=

"c:\\Program\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program\\Winamp\\winamp.exe"=

"c:\\Program\\Google\\Google Earth\\plugin\\geplugin.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"13876:TCP"= 13876:TCP:BitComet 13876 TCP

"13876:UDP"= 13876:UDP:BitComet 13876 UDP

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/24/2009 12:56 AM 64512]

R1 SASDIFSV;SASDIFSV;c:\program\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 11:25 AM 12880]

R1 SASKUTIL;SASKUTIL;c:\program\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 67664]

R2 !SASCORE;SAS Core Service;c:\program\SUPERAntiSpyware\SASCORE.EXE [10/10/2011 5:44 PM 116608]

R2 iRacingService;iRacing.com Helper Service;c:\spel\iRacing\iRacingService.exe [2/4/2008 11:19 PM 475808]

S0 exkxka;exkxka; [x]

S0 jerm;jerm;c:\windows\system32\drivers\bcxiiqvc.sys --> c:\windows\system32\drivers\bcxiiqvc.sys [?]

S0 pgqy;pgqy;c:\windows\system32\drivers\xfakgela.sys --> c:\windows\system32\drivers\xfakgela.sys [?]

S0 wlyry;wlyry;c:\windows\system32\drivers\yhtmgjrt.sys --> c:\windows\system32\drivers\yhtmgjrt.sys [?]

S1 MpKsl232ac154;MpKsl232ac154;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F3585FD7-AC55-4BC6-95F0-BC1EA0C0FF72}\MpKsl232ac154.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F3585FD7-AC55-4BC6-95F0-BC1EA0C0FF72}\MpKsl232ac154.sys [?]

S1 zbnegcaahptd5;zbnegcaahptd5;c:\windows\system32\drivers\zbnegcaahptd5.sys --> c:\windows\system32\drivers\zbnegcaahptd5.sys [?]

S2 gupdate1c9c666ba4935f6;Google Update Service (gupdate1c9c666ba4935f6);c:\program\Google\Update\GoogleUpdate.exe [4/26/2009 2:01 PM 133104]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program\Lavasoft\Ad-Aware\AAWService.exe [4/1/2011 9:22 AM 2152152]

S3 AmdTools;AMD Special Tools Driver;c:\windows\system32\DRIVERS\AmdTools.sys --> c:\windows\system32\DRIVERS\AmdTools.sys [?]

S3 gupdatem;Tjänsten Google Update (gupdatem);c:\program\Google\Update\GoogleUpdate.exe [4/26/2009 2:01 PM 133104]

S3 hercspud;Hercules ® WDM Audio Driver;c:\windows\system32\drivers\hercspud.sys [7/23/2008 2:18 PM 153216]

S3 hercwdm;Hercules ® WDM Interface Driver;c:\windows\system32\drivers\hercwdm.sys [7/23/2008 2:18 PM 497152]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program\Lavasoft\Ad-Aware\kernexplorer.sys [4/1/2011 9:22 AM 15232]

S3 SASENUM;SASENUM;c:\program\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]

S3 SysProtDrv.sys;SysProtDrv.sys;\??\c:\documents and settings\Karl Sundberg\Skrivbord\SysProt\SysProtDrv.sys --> c:\documents and settings\Karl Sundberg\Skrivbord\SysProt\SysProtDrv.sys [?]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/12/2006 2:46 PM 691696]

.

Innehåll i mappen 'Schemalagda aktiviteter':

.

2011-10-20 c:\windows\Tasks\Google Software Updater.job

- c:\program\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-25 19:02]

.

2011-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program\Google\Update\GoogleUpdate.exe [2009-04-26 12:01]

.

2011-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program\Google\Update\GoogleUpdate.exe [2009-04-26 12:01]

.

2011-10-09 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 13:39]

.

2011-10-20 c:\windows\Tasks\User_Feed_Synchronization-{DAA89DED-0C43-44C5-8010-9A9987BDBDAD}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 02:31]

.

.

------- Extra genomsökning -------

.

uStart Page = hxxp://www.altavista.com/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

IE: AltaVista Search - file://c:\program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextSearch.htm

IE: Google Sidewiki... - c:\program\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: Translate - file://c:\program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextTranslation.htm

TCP: DhcpNameServer = 195.58.103.124 213.150.135.210

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-10-20 20:06

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\.cdrom]

"ImagePath"="\*"

.

--------------------- LÅSTA REGISTERNYCKLAR ---------------------

.

[HKEY_USERS\S-1-5-21-1844237615-725345543-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2EB06BD8-2159-F682-4E02-4394A10089BA}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"hablgopbffeaiiko"=hex:67,61,69,67,6f,6f,65,68,67,6e,6b,70,68,63,00,00

"iafjkjiikmdpnepbbm"=hex:62,61,6f,66,00,fa

.

--------------------- DLL'er som "laddats" under processer som körs ---------------------

.

- - - - - - - > 'winlogon.exe'(900)

c:\program\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\Ati2evxx.dll

.

Sluttid: 2011-10-20 20:08:36

ComboFix-quarantined-files.txt 2011-10-20 18:08

.

Före genomsökningen: 139,354,267,648 byte ledigt

Efter genomsökningen: 139,579,101,184 byte ledigt

.

Current=4 Default=4 Failed=1 LastKnownGood=3 Sets=1,2,3,4

- - End Of File - - 317511F9919C539C81D3836C04864647

DDS

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Karl Sundberg at 20:42:11 on 2011-10-20

Microsoft Windows XP Professional 5.1.2600.3.1252.46.1053.18.2046.1477 [GMT 2:00]

.

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program\Delade filer\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Program\Microsoft Security Client\msseces.exe

C:\WINDOWS\system32\ctfmon.exe

svchost.exe

C:\Program\Delade filer\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program\Delade filer\Autodesk Shared\Service\AdskScSrv.exe

C:\spel\iRacing\iRacingService.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program\SUPERAntiSpyware\SASCORE.EXE

C:\Program\ATI Technologies\ATI.ACE\Core-Static\mom.exe

C:\Program\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\explorer.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.altavista.com/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program\delade filer\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program\avg\avg9\avgssie.dll

BHO: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - No File

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program\spybot - search & destroy\SDHelper.dll

BHO: Windows Live inloggningshjälpen: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program\delade filer\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program\google\googletoolbarnotifier\5.5.5126.1836\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program\java\jre6\bin\jp2ssv.dll

TB: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - No File

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

uRun: [sUPERAntiSpyware] c:\program\superantispyware\SUPERAntiSpyware.exe

uRun: [msnmsgr] "c:\program\windows live\messenger\msnmsgr.exe" /background

uRun: [Messenger (Yahoo!)] "c:\program\yahoo!\messen~1\YahooMessenger.exe" -quiet

mRun: [sunJavaUpdateSched] "c:\program\delade filer\java\java update\jusched.exe"

mRun: [ArcSoft Connection Service] c:\program\delade filer\arcsoft\connection service\bin\ACDaemon.exe

mRun: [MSC] "c:\program\microsoft security client\msseces.exe" -hide -runkey

mRun: [Adobe ARM] "c:\program\delade filer\adobe\arm\1.0\AdobeARM.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\micros~1.lnk - c:\program\microsoft office\office\OSA9.EXE

IE: AltaVista Search - file://c:\program\dynamic toolbar\altavista\cache\SelectedContextSearch.htm

IE: Google Sidewiki... - c:\program\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: Translate - file://c:\program\dynamic toolbar\altavista\cache\SelectedContextTranslation.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program\yahoo!\messenger\YahooMessenger.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program\spybot - search & destroy\SDHelper.dll

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program\yahoo!\common\yinsthelper.dll

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 195.58.103.124 213.150.135.210

TCP: Interfaces\{AF6B546A-A4CD-4DFF-A803-1225C9731A10} : DhcpNameServer = 195.58.103.124 213.150.135.210

Notify: !SASWinLogon - c:\program\superantispyware\SASWINLO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program\superantispyware\SASSEH.DLL

.

============= SERVICES / DRIVERS ===============

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-24 64512]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165648]

R1 SASDIFSV;SASDIFSV;c:\program\superantispyware\SASDIFSV.SYS [2010-2-17 12880]

R1 SASKUTIL;SASKUTIL;c:\program\superantispyware\SASKUTIL.SYS [2010-2-17 67664]

R2 !SASCORE;SAS Core Service;c:\program\superantispyware\SASCORE.EXE [2011-10-10 116608]

R2 iRacingService;iRacing.com Helper Service;c:\spel\iracing\iRacingService.exe [2008-2-4 475808]

S0 exkxka;exkxka; [x]

S0 jerm;jerm;c:\windows\system32\drivers\bcxiiqvc.sys --> c:\windows\system32\drivers\bcxiiqvc.sys [?]

S0 pgqy;pgqy;c:\windows\system32\drivers\xfakgela.sys --> c:\windows\system32\drivers\xfakgela.sys [?]

S0 wlyry;wlyry;c:\windows\system32\drivers\yhtmgjrt.sys --> c:\windows\system32\drivers\yhtmgjrt.sys [?]

S1 MpKsl232ac154;MpKsl232ac154;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f3585fd7-ac55-4bc6-95f0-bc1ea0c0ff72}\mpksl232ac154.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f3585fd7-ac55-4bc6-95f0-bc1ea0c0ff72}\MpKsl232ac154.sys [?]

S1 zbnegcaahptd5;zbnegcaahptd5;c:\windows\system32\drivers\zbnegcaahptd5.sys --> c:\windows\system32\drivers\zbnegcaahptd5.sys [?]

S2 gupdate1c9c666ba4935f6;Google Update Service (gupdate1c9c666ba4935f6);c:\program\google\update\GoogleUpdate.exe [2009-4-26 133104]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program\lavasoft\ad-aware\AAWService.exe [2011-4-1 2152152]

S3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\amdtools.sys --> c:\windows\system32\drivers\AmdTools.sys [?]

S3 gupdatem;Tjänsten Google Update (gupdatem);c:\program\google\update\GoogleUpdate.exe [2009-4-26 133104]

S3 hercspud;Hercules ® WDM Audio Driver;c:\windows\system32\drivers\hercspud.sys [2008-7-23 153216]

S3 hercwdm;Hercules ® WDM Interface Driver;c:\windows\system32\drivers\hercwdm.sys [2008-7-23 497152]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program\lavasoft\ad-aware\kernexplorer.sys [2011-4-1 15232]

S3 SASENUM;SASENUM;c:\program\superantispyware\SASENUM.SYS [2010-2-17 12872]

S3 SysProtDrv.sys;SysProtDrv.sys;\??\c:\documents and settings\karl sundberg\skrivbord\sysprot\sysprotdrv.sys --> c:\documents and settings\karl sundberg\skrivbord\sysprot\SysProtDrv.sys [?]

.

=============== Created Last 30 ================

.

2011-10-12 20:41:54 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys

2011-10-12 20:41:54 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-10-12 20:17:42 -------- d-sha-r- C:\cmdcons

2011-10-12 20:15:20 98816 ----a-w- c:\windows\sed.exe

2011-10-12 20:15:20 518144 ----a-w- c:\windows\SWREG.exe

2011-10-12 20:15:20 256000 ----a-w- c:\windows\PEV.exe

2011-10-12 20:15:20 208896 ----a-w- c:\windows\MBR.exe

2011-10-10 02:32:32 -------- d-----w- c:\documents and settings\karl sundberg\lokala inställningar\application data\PCHealth

2011-10-09 14:09:05 -------- d-----w- c:\program\ESET

2011-10-09 12:40:06 -------- d-sh--w- c:\documents and settings\karl sundberg\lokala inställningar\application data\99879ed2

2011-10-09 07:11:59 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b91c9470-47c3-422d-bf46-ccb4b814c9b4}\offreg.dll

2011-10-09 07:11:52 7269712 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b91c9470-47c3-422d-bf46-ccb4b814c9b4}\mpengine.dll

2011-10-08 15:52:46 -------- d-----w- C:\lvb

2011-09-24 12:36:56 -------- d-----w- C:\jrflag

.

==================== Find3M ====================

.

2011-10-19 15:47:31 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-26 09:41:40 612352 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 09:41:40 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-26 09:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-09 09:12:07 602112 ----a-w- c:\windows\system32\crypt32.dll

2011-09-08 20:03:09 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys

2011-09-06 14:09:57 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-08-31 15:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-22 23:40:15 916480 ----a-w- c:\windows\system32\wininet.dll

2011-08-22 23:40:14 43520 ------w- c:\windows\system32\licmgr10.dll

2011-08-22 23:40:14 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-08-22 11:58:29 385024 ------w- c:\windows\system32\html.iec

2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys

.

============= FINISH: 20:42:20.37 ===============

I ran ESET a couple of days ago and it said something about

C:\WINDOWS\system32\drivers\netbt.sys a variant of Win32/Rootkit.Kryptik.EA trojan unable to clean


  • Staff

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the box below into Notepad:

DirLook::
C:\lvb
C:\jrflag
KILLALL::
Driver::
exkxka
jerm
pgqy
wlyry
MpKsl232ac154
zbnegcaahptd5

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

-screen317

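The staff reply above builds its Driver:: list by hand from the DDS SERVICES / DRIVERS section. As an added example (not code from this thread, from DDS or from ComboFix), the script below parses that section and reproduces the selection with a stated heuristic: a boot/system-start entry (R0/R1/S0/S1) whose image file DDS could not find (the "[?]" or "[x]" marker). The line shape assumed is the one visible in the logs above; the sample input is an excerpt of the second DDS log in this thread.

```python
"""Triage the 'SERVICES / DRIVERS' section of a DDS log.

Added example, not part of the original thread, DDS or ComboFix.
Assumed DDS line shape (as seen in the logs above):

    <start> <name>;<display name>;<path> [<date> <size>]

A service whose binary is not on disk is printed by DDS as
"<path> --> <path> [?]", or as just "[x]" when no path is recorded.
The triage rule is a hand-written heuristic: early-start entries
(R0/R1/S0/S1) with a missing image.  The output is the Driver::
block of a CFScript in the format the helper used above.
"""
import re
from dataclasses import dataclass

DDS_LINE = re.compile(
    r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$"
)
EARLY_START = {"R0", "R1", "S0", "S1"}  # boot/system start groups


@dataclass
class ServiceEntry:
    start: str      # DDS start group, e.g. S0 = boot start, R2 = running auto-start
    name: str       # service/driver key name
    display: str    # display name
    path: str       # image path as DDS printed it ("" if none recorded)
    missing: bool   # True when DDS could not find the image on disk


def parse_dds_services(text: str) -> list:
    """Return one ServiceEntry per service/driver line; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = DDS_LINE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest").strip()
        missing = rest.endswith("[?]") or rest.endswith("[x]")
        # For a missing file DDS repeats the path after " --> "; keep the first copy.
        path = rest.split(" --> ", 1)[0]
        # Drop the trailing "[date size]" / "[?]" / "[x]" bracket.
        path = re.sub(r"\s*\[[^\]]*\]$", "", path).strip()
        entries.append(ServiceEntry(m.group("start"), m.group("name"),
                                    m.group("display"), path, missing))
    return entries


def flag_suspicious(entries: list) -> list:
    """Heuristic: early-start (boot/system) entries whose image is missing."""
    return [e for e in entries if e.missing and e.start in EARLY_START]


def cfscript_driver_block(entries: list) -> str:
    """Render the Driver:: directive of a CFScript for the flagged entries."""
    flagged = flag_suspicious(entries)
    if not flagged:
        return ""
    return "Driver::\n" + "\n".join(e.name for e in flagged) + "\n"


# Constructed sample: an excerpt of the second DDS log posted in this thread.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-24 64512]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165648]
S0 exkxka;exkxka; [x]
S0 jerm;jerm;c:\windows\system32\drivers\bcxiiqvc.sys --> c:\windows\system32\drivers\bcxiiqvc.sys [?]
S0 pgqy;pgqy;c:\windows\system32\drivers\xfakgela.sys --> c:\windows\system32\drivers\xfakgela.sys [?]
S0 wlyry;wlyry;c:\windows\system32\drivers\yhtmgjrt.sys --> c:\windows\system32\drivers\yhtmgjrt.sys [?]
S1 MpKsl232ac154;MpKsl232ac154;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f3585fd7-ac55-4bc6-95f0-bc1ea0c0ff72}\mpksl232ac154.sys --> \??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f3585fd7-ac55-4bc6-95f0-bc1ea0c0ff72}\MpKsl232ac154.sys [?]
S1 zbnegcaahptd5;zbnegcaahptd5;c:\windows\system32\drivers\zbnegcaahptd5.sys --> c:\windows\system32\drivers\zbnegcaahptd5.sys [?]
S3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\amdtools.sys --> c:\windows\system32\drivers\AmdTools.sys [?]
S3 hercspud;Hercules ® WDM Audio Driver;c:\windows\system32\drivers\hercspud.sys [2008-7-23 153216]
"""

if __name__ == "__main__":
    # Prints the six names the helper listed; AmdTools (S3) is not flagged.
    print(cfscript_driver_block(parse_dds_services(SAMPLE_DDS)), end="")
```

The heuristic is deliberately narrow: an S3 entry with a missing file (AmdTools, SysProtDrv.sys in the log) is a leftover from an uninstalled tool, not a boot-start driver, so it is left for a human to judge.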

Thanks for helping :)

I created the 2 directories in the script file but that probably doesn't mean they're not infected. The first time I ran the ESET online scanner it deleted 3 JPGs that I'd gotten from my own digital camera :blink:

Combofix

ComboFix 11-10-24.02 - Karl Sundberg 10/24/2011 19:51:42.4.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.46.1053.18.2046.1561 [GMT 2:00]

Körs från: c:\documents and settings\Karl Sundberg\Skrivbord\ComboFix.exe

Kommandoväxlar som använts :: c:\documents and settings\Karl Sundberg\Skrivbord\CFScript.txt

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

.

((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\help\tours\htmltour\unlock_playing.htm

.

.

((((((((((((((((((((((((((((((((((((((( Drivrutiner/Tjänster )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_MPKSL232AC154

-------\Service_exkxka

-------\Service_jerm

-------\Service_MpKsl232ac154

-------\Service_pgqy

-------\Service_wlyry

-------\Service_zbnegcaahptd5

.

.

(((((((((((((((((((((((( Filer skapade från 2011-09-24 till 2011-10-24 ))))))))))))))))))))))))))))))

.

.

2011-10-12 20:41 . 2008-04-13 18:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys

2011-10-12 20:41 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-10-10 02:32 . 2011-10-10 02:32 -------- d-----w- c:\documents and settings\Karl Sundberg\Lokala inställningar\Application Data\PCHealth

2011-10-09 14:09 . 2011-10-09 14:09 -------- d-----w- c:\program\ESET

2011-10-09 13:26 . 2011-10-09 13:29 -------- d-----w- c:\documents and settings\Administratör

2011-10-09 12:40 . 2011-10-10 16:03 -------- d-sh--w- c:\documents and settings\Karl Sundberg\Lokala inställningar\Application Data\99879ed2

2011-10-09 07:11 . 2011-10-09 07:11 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B91C9470-47C3-422D-BF46-CCB4B814C9B4}\offreg.dll

2011-10-09 07:11 . 2011-09-12 23:14 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B91C9470-47C3-422D-BF46-CCB4B814C9B4}\mpengine.dll

2011-10-08 15:52 . 2011-10-08 15:53 -------- d-----w- C:\lvb

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-10-19 15:47 . 2011-05-16 07:30 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-09 08:50 . 2011-10-09 08:50 9254 ----a-w- C:\Super_Cuts-vector-logo-6F8B6E82A8-seeklogo.com.zip

2011-10-03 15:59 . 2011-10-03 15:59 6833565 ----a-w- C:\WinchesterNight1_1.zip

2011-10-02 18:04 . 2011-10-02 18:04 3646789 ----a-w- C:\winchester1_3.zip

2011-09-26 21:07 . 2011-09-26 21:07 11389375 ----a-w- C:\358_OCFS_WTF.zip

2011-09-26 09:41 . 2007-10-09 12:03 612352 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 09:41 . 2006-03-02 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-26 09:41 . 2006-03-02 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-12 23:14 . 2010-04-23 11:40 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2011-09-09 09:12 . 2006-03-02 12:00 602112 ----a-w- c:\windows\system32\crypt32.dll

2011-09-06 14:09 . 2006-03-02 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-08-31 15:00 . 2010-04-20 20:36 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-22 23:40 . 2006-03-02 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2011-08-22 23:40 . 2006-03-02 12:00 43520 ------w- c:\windows\system32\licmgr10.dll

2011-08-22 23:40 . 2006-03-02 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-08-22 11:58 . 2006-03-02 12:00 385024 ------w- c:\windows\system32\html.iec

2011-08-17 13:49 . 2006-03-02 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys

.

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of C:\jrflag ----

.

2011-10-09 12:23 . 2011-10-09 12:23 119457 ----a-w- c:\jrflag\nh.png

2011-10-09 12:21 . 2011-10-09 12:21 113651 ----a-w- c:\jrflag\newhampshire.jpg

2011-10-09 12:16 . 2011-10-09 12:16 786486 ----a-w- c:\jrflag\maine.bmp

2011-10-09 12:15 . 2011-10-09 12:15 786486 ----a-w- c:\jrflag\maine_m.bmp

2011-10-09 10:05 . 2011-10-09 10:05 786486 ----a-w- c:\jrflag\conn_m.bmp

2011-10-09 10:05 . 2011-10-09 10:05 786486 ----a-w- c:\jrflag\conn.bmp

2011-09-29 18:36 . 2011-10-09 12:42 1874226 ----a-w- c:\jrflag\flagm.psd

2011-09-27 19:49 . 2011-09-27 19:49 786486 ----a-w- c:\jrflag\canadam.bmp

2011-09-27 19:49 . 2011-09-27 19:49 786486 ----a-w- c:\jrflag\canada.bmp

2011-09-24 13:53 . 2011-10-09 12:38 3239588 ----a-w- c:\jrflag\flag.psd

2011-09-24 13:52 . 2011-09-24 13:52 786486 ----a-w- c:\jrflag\flagmirrored.bmp

2011-09-24 12:37 . 2011-09-24 12:37 101542 ----a-w- c:\jrflag\nh-flag1.bmp

2011-09-24 12:37 . 2011-09-24 12:36 40360 ----a-w- c:\jrflag\connecticut-flag.jpg

2011-09-24 12:37 . 2011-09-24 12:36 46445 ----a-w- c:\jrflag\Canada_Flag.jpg

2011-09-24 12:37 . 2011-09-24 12:37 1886262 ----a-w- c:\jrflag\maine1.bmp

2011-09-24 10:16 . 2011-09-24 10:16 786486 ----a-w- c:\jrflag\flag.bmp

.

---- Directory of C:\lvb ----

.

2011-10-03 18:15 . 2011-10-03 18:13 69335 ----a-w- c:\lvb\5209_2011-03-21-dsc_0067_large.jpg

2011-10-03 18:14 . 2011-10-03 18:13 72646 ----a-w- c:\lvb\5209_2011-03-21-dsc_0049_large.jpg

2011-10-03 18:14 . 2011-10-03 18:13 84543 ----a-w- c:\lvb\5209_2011-03-21-dsc_0045_large.jpg

2011-10-03 18:14 . 2011-10-03 18:13 89693 ----a-w- c:\lvb\5209_2011-03-21-dsc_0043_large.jpg

2011-10-03 18:14 . 2011-10-03 18:13 95006 ----a-w- c:\lvb\5209_2011-03-21-dsc_0031_large.jpg

2011-10-03 18:14 . 2011-10-03 18:13 98899 ----a-w- c:\lvb\5209_2011-03-21-dsc_0027_large.jpg

2011-10-03 18:14 . 2011-10-03 18:13 63578 ----a-w- c:\lvb\5209_2011-03-21-dsc_0025_large.jpg

2011-10-03 18:14 . 2011-10-03 18:13 81777 ----a-w- c:\lvb\5209_2011-03-21-dsc_0023_large.jpg

2011-10-03 18:14 . 2011-10-03 18:13 107198 ----a-w- c:\lvb\5209_2011-03-21-dsc_0016_large.jpg

2011-10-03 18:14 . 2011-10-03 18:13 106142 ----a-w- c:\lvb\5209_2011-03-21-dsc_0013_large.jpg

2011-10-03 18:13 . 2011-10-03 18:13 86086 ----a-w- c:\lvb\5209_2011-03-21-dsc_0011_large.jpg

2011-10-03 18:13 . 2011-10-03 18:13 94997 ----a-w- c:\lvb\5209_2011-03-21-dsc_0010_large.jpg

2011-10-03 18:13 . 2011-10-03 18:13 86417 ----a-w- c:\lvb\5209_2011-03-21-dsc_0008_large.jpg

2011-10-03 18:13 . 2011-10-03 18:13 80356 ----a-w- c:\lvb\5209_2011-03-21-dsc_0006_large.jpg

2011-10-02 15:32 . 2011-10-02 15:32 11391 ----a-w- c:\lvb\logo_2000bullring_sm.gif

2011-10-02 15:31 . 2011-10-02 15:30 43111 ----a-w- c:\lvb\2011_track_photo_bullring.jpg

2011-10-02 15:27 . 2011-10-02 15:27 64623 ----a-w- c:\lvb\2011_nknps_west_las_vegas_track_700.jpg

2011-10-02 15:00 . 2011-10-02 15:00 1792721 ----a-w- c:\lvb\lvb.jpg

.

.

((((((((((((((((((((((((((((( SnapShot@2011-10-12_20.45.37 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-10-24 18:05 . 2011-10-24 18:05 16384 c:\windows\temp\Perflib_Perfdata_af8.dat

+ 2011-10-19 15:47 . 2011-10-19 15:47 247968 c:\windows\system32\Macromed\Flash\FlashUtil11c_ActiveX.exe

+ 2011-10-19 15:47 . 2011-10-19 15:47 335520 c:\windows\system32\Macromed\Flash\FlashUtil11c_ActiveX.dll

.

(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Not* tomma poster & legitima standardposter visas inte.

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-09-27 4611456]

"msnmsgr"="c:\program\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]

"Messenger (Yahoo!)"="c:\program\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program\Delade filer\Java\Java Update\jusched.exe" [2010-02-18 248040]

"ArcSoft Connection Service"="c:\program\Delade filer\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]

"MSC"="c:\program\Microsoft Security Client\msseces.exe" [2011-06-15 997920]

"Adobe ARM"="c:\program\Delade filer\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

c:\documents and settings\All Users\Start-meny\Program\Autostart\

Microsoft Office.lnk - c:\program\Microsoft Office\Office\OSA9.EXE [1999-12-19 65588]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program\SUPERAntiSpyware\SASSEH.DLL" [2011-08-04 113024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 13:21 548352 ----a-w- c:\program\SUPERAntiSpyware\SASWINLO.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Spel\\NASCAR craftsman\\NR2003.exe"=

"c:\\Program\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program\\backburner 2\\monitor.exe"=

"c:\\Program\\backburner 2\\manager.exe"=

"c:\\Program\\backburner 2\\server.exe"=

"c:\\Program\\3dsmax7\\3dsmax.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Spel\\NASCAR Racing 2005 Season\\NR2003.exe"=

"c:\\Program\\RSclient\\ServerRS_CLient\\ServerRS_Client.exe"=

"c:\\Program\\GPLSecrets\\iGOR\\iGOR.exe"=

"c:\\Program\\TVUPlayer\\TVUPlayer.exe"=

"c:\\Spel\\NASCAR Oldies\\NR2003.exe"=

"c:\\Program\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program\\Autodesk\\backburner\\monitor.exe"=

"c:\\Program\\Autodesk\\backburner\\manager.exe"=

"c:\\Program\\Autodesk\\backburner\\server.exe"=

"c:\\Program\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program\\Winamp\\winamp.exe"=

"c:\\Program\\Google\\Google Earth\\plugin\\geplugin.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"13876:TCP"= 13876:TCP:BitComet 13876 TCP

"13876:UDP"= 13876:UDP:BitComet 13876 UDP

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/24/2009 12:56 AM 64512]

R1 SASDIFSV;SASDIFSV;c:\program\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 11:25 AM 12880]

R1 SASKUTIL;SASKUTIL;c:\program\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 67664]

R2 !SASCORE;SAS Core Service;c:\program\SUPERAntiSpyware\SASCORE.EXE [10/10/2011 5:44 PM 116608]

R2 iRacingService;iRacing.com Helper Service;c:\spel\iRacing\iRacingService.exe [2/4/2008 11:19 PM 475808]

S2 gupdate1c9c666ba4935f6;Google Update Service (gupdate1c9c666ba4935f6);c:\program\Google\Update\GoogleUpdate.exe [4/26/2009 2:01 PM 133104]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program\Lavasoft\Ad-Aware\AAWService.exe [4/1/2011 9:22 AM 2152152]

S3 AmdTools;AMD Special Tools Driver;c:\windows\system32\DRIVERS\AmdTools.sys --> c:\windows\system32\DRIVERS\AmdTools.sys [?]

S3 gupdatem;Tjänsten Google Update (gupdatem);c:\program\Google\Update\GoogleUpdate.exe [4/26/2009 2:01 PM 133104]

S3 hercspud;Hercules ® WDM Audio Driver;c:\windows\system32\drivers\hercspud.sys [7/23/2008 2:18 PM 153216]

S3 hercwdm;Hercules ® WDM Interface Driver;c:\windows\system32\drivers\hercwdm.sys [7/23/2008 2:18 PM 497152]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program\Lavasoft\Ad-Aware\kernexplorer.sys [4/1/2011 9:22 AM 15232]

S3 SASENUM;SASENUM;c:\program\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]

S3 SysProtDrv.sys;SysProtDrv.sys;\??\c:\documents and settings\Karl Sundberg\Skrivbord\SysProt\SysProtDrv.sys --> c:\documents and settings\Karl Sundberg\Skrivbord\SysProt\SysProtDrv.sys [?]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/12/2006 2:46 PM 691696]

.

Innehåll i mappen 'Schemalagda aktiviteter':

.

2011-10-24 c:\windows\Tasks\Google Software Updater.job

- c:\program\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-25 19:02]

.

2011-10-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program\Google\Update\GoogleUpdate.exe [2009-04-26 12:01]

.

2011-10-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program\Google\Update\GoogleUpdate.exe [2009-04-26 12:01]

.

2011-10-09 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 13:39]

.

2011-10-24 c:\windows\Tasks\User_Feed_Synchronization-{DAA89DED-0C43-44C5-8010-9A9987BDBDAD}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 02:31]

.

.

------- Extra genomsökning -------

.

uStart Page = hxxp://www.altavista.com/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

IE: AltaVista Search - file://c:\program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextSearch.htm

IE: Google Sidewiki... - c:\program\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: Translate - file://c:\program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextTranslation.htm

TCP: DhcpNameServer = 195.58.103.124 213.150.135.210

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-10-24 20:04

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\.cdrom]

"ImagePath"="\*"

.

--------------------- LÅSTA REGISTERNYCKLAR ---------------------

.

[HKEY_USERS\S-1-5-21-1844237615-725345543-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2EB06BD8-2159-F682-4E02-4394A10089BA}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"hablgopbffeaiiko"=hex:67,61,69,67,6f,6f,65,68,67,6e,6b,70,68,63,00,00

"iafjkjiikmdpnepbbm"=hex:62,61,6f,66,00,fa

.

--------------------- DLL'er som "laddats" under processer som körs ---------------------

.

- - - - - - - > 'winlogon.exe'(900)

c:\program\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(4092)

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Andra processer som körs ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program\Delade filer\ArcSoft\Connection Service\Bin\ACService.exe

c:\program\Delade filer\Autodesk Shared\Service\AdskScSrv.exe

c:\windows\system32\DRIVERS\CDANTSRV.EXE

c:\program\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe

.

**************************************************************************

.

Sluttid: 2011-10-24 20:10:50 - datorn startades om.

ComboFix-quarantined-files.txt 2011-10-24 18:10

ComboFix2.txt 2011-10-20 18:08

.

Före genomsökningen: 139,472,936,960 byte ledigt

Efter genomsökningen: 139,629,903,872 byte ledigt

.

Current=3 Default=3 Failed=4 LastKnownGood=5 Sets=1,2,3,4,5

- - End Of File - - 0C3A4D1E70898B89F70DED424EB728ED

DDS

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Karl Sundberg at 20:12:59 on 2011-10-24

Microsoft Windows XP Professional 5.1.2600.3.1252.46.1053.18.2046.1531 [GMT 2:00]

.

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

C:\Program\SUPERAntiSpyware\SASCORE.EXE

C:\Program\Delade filer\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program\Delade filer\Autodesk Shared\Service\AdskScSrv.exe

C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE

C:\spel\iRacing\iRacingService.exe

C:\Program\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program\Delade filer\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Program\Microsoft Security Client\msseces.exe

C:\Program\Windows Live\Messenger\msnmsgr.exe

C:\Program\Yahoo!\MESSEN~1\YahooMessenger.exe

C:\WINDOWS\explorer.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.altavista.com/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program\delade filer\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program\avg\avg9\avgssie.dll

BHO: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - No File

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program\spybot - search & destroy\SDHelper.dll

BHO: Windows Live inloggningshjälpen: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program\delade filer\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program\google\googletoolbarnotifier\5.5.5126.1836\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program\java\jre6\bin\jp2ssv.dll

TB: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - No File

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

uRun: [sUPERAntiSpyware] c:\program\superantispyware\SUPERAntiSpyware.exe

uRun: [msnmsgr] "c:\program\windows live\messenger\msnmsgr.exe" /background

uRun: [Messenger (Yahoo!)] "c:\program\yahoo!\messen~1\YahooMessenger.exe" -quiet

mRun: [sunJavaUpdateSched] "c:\program\delade filer\java\java update\jusched.exe"

mRun: [ArcSoft Connection Service] c:\program\delade filer\arcsoft\connection service\bin\ACDaemon.exe

mRun: [MSC] "c:\program\microsoft security client\msseces.exe" -hide -runkey

mRun: [Adobe ARM] "c:\program\delade filer\adobe\arm\1.0\AdobeARM.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\micros~1.lnk - c:\program\microsoft office\office\OSA9.EXE

IE: AltaVista Search - file://c:\program\dynamic toolbar\altavista\cache\SelectedContextSearch.htm

IE: Google Sidewiki... - c:\program\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: Translate - file://c:\program\dynamic toolbar\altavista\cache\SelectedContextTranslation.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program\yahoo!\messenger\YahooMessenger.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program\spybot - search & destroy\SDHelper.dll

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program\yahoo!\common\yinsthelper.dll

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 195.58.103.124 213.150.135.210

TCP: Interfaces\{AF6B546A-A4CD-4DFF-A803-1225C9731A10} : DhcpNameServer = 195.58.103.124 213.150.135.210

Notify: !SASWinLogon - c:\program\superantispyware\SASWINLO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program\superantispyware\SASSEH.DLL

.

============= SERVICES / DRIVERS ===============

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-24 64512]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165648]

R1 SASDIFSV;SASDIFSV;c:\program\superantispyware\SASDIFSV.SYS [2010-2-17 12880]

R1 SASKUTIL;SASKUTIL;c:\program\superantispyware\SASKUTIL.SYS [2010-2-17 67664]

R2 !SASCORE;SAS Core Service;c:\program\superantispyware\SASCORE.EXE [2011-10-10 116608]

R2 iRacingService;iRacing.com Helper Service;c:\spel\iracing\iRacingService.exe [2008-2-4 475808]

S2 gupdate1c9c666ba4935f6;Google Update Service (gupdate1c9c666ba4935f6);c:\program\google\update\GoogleUpdate.exe [2009-4-26 133104]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program\lavasoft\ad-aware\AAWService.exe [2011-4-1 2152152]

S3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\amdtools.sys --> c:\windows\system32\drivers\AmdTools.sys [?]

S3 gupdatem;Tjänsten Google Update (gupdatem);c:\program\google\update\GoogleUpdate.exe [2009-4-26 133104]

S3 hercspud;Hercules ® WDM Audio Driver;c:\windows\system32\drivers\hercspud.sys [2008-7-23 153216]

S3 hercwdm;Hercules ® WDM Interface Driver;c:\windows\system32\drivers\hercwdm.sys [2008-7-23 497152]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program\lavasoft\ad-aware\kernexplorer.sys [2011-4-1 15232]

S3 SASENUM;SASENUM;c:\program\superantispyware\SASENUM.SYS [2010-2-17 12872]

S3 SysProtDrv.sys;SysProtDrv.sys;\??\c:\documents and settings\karl sundberg\skrivbord\sysprot\sysprotdrv.sys --> c:\documents and settings\karl sundberg\skrivbord\sysprot\SysProtDrv.sys [?]

UnknownUnknown exkxka;exkxka; [x]

UnknownUnknown jerm;jerm; [x]

UnknownUnknown MpKsl232ac154;MpKsl232ac154; [x]

UnknownUnknown pgqy;pgqy; [x]

UnknownUnknown wlyry;wlyry; [x]

UnknownUnknown zbnegcaahptd5;zbnegcaahptd5; [x]

.

=============== Created Last 30 ================

.

2011-10-12 20:41:54 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys

2011-10-12 20:41:54 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-10-12 20:17:42 -------- d-sha-r- C:\cmdcons

2011-10-12 20:15:20 98816 ----a-w- c:\windows\sed.exe

2011-10-12 20:15:20 518144 ----a-w- c:\windows\SWREG.exe

2011-10-12 20:15:20 256000 ----a-w- c:\windows\PEV.exe

2011-10-12 20:15:20 208896 ----a-w- c:\windows\MBR.exe

2011-10-10 02:32:32 -------- d-----w- c:\documents and settings\karl sundberg\lokala inställningar\application data\PCHealth

2011-10-09 14:09:05 -------- d-----w- c:\program\ESET

2011-10-09 12:40:06 -------- d-sh--w- c:\documents and settings\karl sundberg\lokala inställningar\application data\99879ed2

2011-10-09 07:11:59 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b91c9470-47c3-422d-bf46-ccb4b814c9b4}\offreg.dll

2011-10-09 07:11:52 7269712 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b91c9470-47c3-422d-bf46-ccb4b814c9b4}\mpengine.dll

2011-10-08 15:52:46 -------- d-----w- C:\lvb

.

==================== Find3M ====================

.

2011-10-19 15:47:31 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-26 09:41:40 612352 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 09:41:40 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-26 09:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-09 09:12:07 602112 ----a-w- c:\windows\system32\crypt32.dll

2011-09-08 20:03:09 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys

2011-09-06 14:09:57 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-08-31 15:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-22 23:40:15 916480 ----a-w- c:\windows\system32\wininet.dll

2011-08-22 23:40:14 43520 ------w- c:\windows\system32\licmgr10.dll

2011-08-22 23:40:14 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-08-22 11:58:29 385024 ------w- c:\windows\system32\html.iec

2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys

.

============= FINISH: 20:13:08.43 ===============


  • Staff

Hi,

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Thanks :)

Logs are below but I still can't start MSE (when I click Start Now I get Access Denied).

I think F-Secure deleted some of the exe's it found but not all. All the exe's under Spel or Files are really old and I haven't run them in ages, for instance SBOSTON_70.EXE was last altered December 2005 and created November 2006 (interesting but I guess that's when I transferred it to this computer :blink: )

Here's what F-Secure found

Scanning Report

Saturday, October 29, 2011 09:45:07 - 11:42:28

Computer name: KARL-68030033A5

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\

--------------------------------------------------------------------------------

11 malware found

Suspicious:W32/Malware!Gemini (spyware)

System (Disinfected)

Suspicious:W32/Malware!Gemini (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{797F656F-8661-4789-8F2A-D9D17A7CF991}\RP1733\A0252608.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{797F656F-8661-4789-8F2A-D9D17A7CF991}\RP1733\A0253630.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\SPEL\GPL 2004 DEMO\SETUP.EXE (Not cleaned)

Suspicious:W32/Malware!Gemini (virus)

C:\SPEL\EMPIRE EARTH II\EVIL GENIUS W SLATE.EXE (Not cleaned)

Suspicious:W32/Malware!Gemini (virus)

C:\SPEL\EMPIRE EARTH II\NEXUS E3 CLIPPED.EXE (Not cleaned)

Suspicious:W32/Malware!Gemini (virus)

C:\FILES\NR2003\TRACKS\70-TRACKS\BRISTOL_70.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\FILES\NR2003\TRACKS\70-TRACKS\SBOSTON_70.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\FILES\NR2003\TRACKS\70-TRACKS\BRISTOL_70_NIGHT.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\FILES\MISC\MYCARS\OTHER\DTR2\BIGBLOCKMODIFIEDS_TYPEB.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\KARL SUNDBERG\SKRIVBORD\NTIIHTNN.EXE (Not cleaned)

--------------------------------------------------------------------------------

Statistics

Scanned:

Files: 78367

System: 4049

Not scanned: 24

Actions:

Disinfected: 1

Renamed: 0

Deleted: 0

Not cleaned: 10

Submitted: 6

Files not scanned:

C:\PAGEFILE.SYS

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\SAM

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

C:\PROGRAM\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE

C:\PROGRAM\MICROSOFT SECURITY CLIENT\ANTIMALWARE\MSMPENG.EXE

C:\PROGRAM\LAVASOFT\AD-AWARE\AAWSERVICE.EXE

C:\DOCUMENTS AND SETTINGS\KARL SUNDBERG\LOKALA INSTÄLLNINGAR\TEMP\ETILQS_EB8GNMWZ9EWRMZT

C:\DOCUMENTS AND SETTINGS\KARL SUNDBERG\LOKALA INSTÄLLNINGAR\TEMP\ETILQS_5OTNTIRUQ6VPPXS

C:\DOCUMENTS AND SETTINGS\KARL SUNDBERG\LOKALA INSTÄLLNINGAR\TEMP\ETILQS_5BGXEP3VUFHCGHJ

C:\DOCUMENTS AND SETTINGS\KARL SUNDBERG\LOKALA INSTÄLLNINGAR\TEMP\ETILQS_Q9SQGBYZTSQJPIC

C:\DOCUMENTS AND SETTINGS\KARL SUNDBERG\LOKALA INSTÄLLNINGAR\TEMP\ETILQS_CVE0EJFSYK5RJ9A

C:\DOCUMENTS AND SETTINGS\KARL SUNDBERG\LOKALA INSTÄLLNINGAR\TEMP\HSPERFDATA_KARL SUNDBERG\2416

C:\DOCUMENTS AND SETTINGS\KARL SUNDBERG\LOKALA INSTÄLLNINGAR\TEMP\HSPERFDATA_KARL SUNDBERG\644

C:\DOCUMENTS AND SETTINGS\KARL SUNDBERG\LOKALA INSTÄLLNINGAR\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\CACHE\DATA_0

C:\DOCUMENTS AND SETTINGS\KARL SUNDBERG\LOKALA INSTÄLLNINGAR\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\CACHE\DATA_4

C:\DOCUMENTS AND SETTINGS\KARL SUNDBERG\LOKALA INSTÄLLNINGAR\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\CACHE\DATA_1

C:\DOCUMENTS AND SETTINGS\KARL SUNDBERG\LOKALA INSTÄLLNINGAR\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\CACHE\DATA_5

C:\DOCUMENTS AND SETTINGS\KARL SUNDBERG\LOKALA INSTÄLLNINGAR\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\CACHE\DATA_2

C:\DOCUMENTS AND SETTINGS\KARL SUNDBERG\LOKALA INSTÄLLNINGAR\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\CACHE\DATA_3

C:\DOCUMENTS AND SETTINGS\KARL SUNDBERG\LOKALA INSTÄLLNINGAR\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\CACHE\INDEX

C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\MICROSOFT ANTIMALWARE\SCANS\HISTORY\CACHEMANAGER\MPSCANCACHE-0.BIN

and Security check

Results of screen317's Security Check version 0.99.24

Windows XP Service Pack 3 x86

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

ESET Online Scanner v3

Microsoft Security Essentials

Antivirus up to date! (On Access scanning disabled!)

```````````````````````````````

Anti-malware/Other Utilities Check:

Ad-Aware

Malwarebytes' Anti-Malware

CCleaner (remove only)

Java 6 Update 20

Out of date Java installed!

Adobe Reader X (10.1.1)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Ad-Aware AAWService.exe is disabled!

Ad-Aware AAWTray.exe is disabled!

Microsoft Security Essentials msseces.exe

``````````End of Log````````````


  • Staff

Those were all heuristic detections so I think they're okay.

Run TFC by OldTimer to clear temporary files:

  • Please download TFC from here and save it to your desktop.
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your Desktop or save it for later use for the cleaning of temporary files.

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):

Ad-Aware (if you don't use and update it regularly)

ESET Online Scanner v3

F-Secure Online Scanner

Java™ 6 Update 20

Restart your computer.

Get the latest version of Java.

Let me know what issues remain.


I've run TFC but isn't it a bit premature to start removing the tools?

I still can't run a few programs

MSE - the icon is in the systray but it's red with an X, and when I open it and click Start Now it says it couldn't start the Security Essentials service. Access Denied.

Ad Aware - I get Failed To Connect To Service when I only try to start the program

Superantispyware - I get a message something along the lines of "could not access the specified unit, path or file. You might not have the right authority to access the object"


  • Staff

Hi,

Uninstall all three of those, then reinstall one at a time. See if they function properly now.

If not,

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs a runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is named like UtilityName.Version_Date_Time_log.txt, for example C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.


Thanks, getting closer. :)

I haven't had time to reinstall them all yet. I started out with MSE which worked and it did find something (Trojan dropper:win32/Sirefef.B) but fixing it required a restart and after that my computer couldn't find a network address so I've been without internet for a couple of days.

I think the virus did something to superantispyware though. I uninstalled it but several files (including sascore.exe) didn't get removed and I couldn't even remove them manually when I was logged in as admin in safe mode. The relative who helped me get the connection back up also helped me remove them so they're gone now :)

I did bring tdsskiller back home from work and it didn't find anything.

I'll report back as soon as I've completed remaining tasks.


  • Staff

Great!

I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317


  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
