witsend
-
Posts
27 -
Joined
-
Last visited
-
Everything back in order and it seems I'm set to go I do update scanners somewhat regurarly and keep MSE updated but I'm slacking at keeping Java up to date. Hopefully I'll be better at it from now on. Thanks you very much for your help
-
Thanks, getting closer. I haven't had time to reinstall them all yet. I started out with MSE which worked and it did find something (Trojan dropper:win32/Sirefef.B) but fixing it required a restart and after that my computer couldn't find a network address so I've been without internet for a couple of days. I think the virus did something to superantispyware though. I uninstalled it but several files (including sascore.exe) didn't get removed and I couldn't even remove them manually when I was logged in as admin in safe mode. The relative who helped me get the connection back up also helped me remove them so they're gone now I did bring tdsskiller back home from work and it didn't find anything. I'll report back as soon as I've completed remaining tasks.
-
I've run TFC but isn't it a bit premature to start removing the tools? I still can't run a few programs MSE - icon is in systray but it's red with an X and when I open it and click Start Now it says it couldn't start security Essentials service. Access Denied. Ad Aware - I get Failed To Connect To Service when I only try to start the program Superantispyware - I get a message something along the lines of "could not access the specified unit, path or file. You might not have the right authority to access the object"
-
Thanks Logs are below but I still can't start MSE (when I click Start Now I get Access Denied). I think F-secure deleted some of the exe's it found but not all. All the exe's under Spel or Files are really old and I haven't run them in ages, for instance SBOSTON_70.EXE was last altered december 2005 and created november 2006 (interesting but I guess that's when I transfered it to this computer ) Here's what F-Secure found Scanning Report Saturday, October 29, 2011 09:45:07 - 11:42:28 Computer name: KARL-68030033A5 Scanning type: Scan system for malware, spyware and rootkits Target: C:\ -------------------------------------------------------------------------------- 11 malware found Suspicious:W32/Malware!Gemini (spyware) System (Disinfected) Suspicious:W32/Malware!Gemini (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{797F656F-8661-4789-8F2A-D9D17A7CF991}\RP1733\A0252608.EXE (Not cleaned & Submitted) Suspicious:W32/Malware!Gemini (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{797F656F-8661-4789-8F2A-D9D17A7CF991}\RP1733\A0253630.EXE (Not cleaned & Submitted) Suspicious:W32/Malware!Gemini (virus) C:\SPEL\GPL 2004 DEMO\SETUP.EXE (Not cleaned) Suspicious:W32/Malware!Gemini (virus) C:\SPEL\EMPIRE EARTH II\EVIL GENIUS W SLATE.EXE (Not cleaned) Suspicious:W32/Malware!Gemini (virus) C:\SPEL\EMPIRE EARTH II\NEXUS E3 CLIPPED.EXE (Not cleaned) Suspicious:W32/Malware!Gemini (virus) C:\FILES\NR2003\TRACKS\70-TRACKS\BRISTOL_70.EXE (Not cleaned & Submitted) Suspicious:W32/Malware!Gemini (virus) C:\FILES\NR2003\TRACKS\70-TRACKS\SBOSTON_70.EXE (Not cleaned & Submitted) Suspicious:W32/Malware!Gemini (virus) C:\FILES\NR2003\TRACKS\70-TRACKS\BRISTOL_70_NIGHT.EXE (Not cleaned & Submitted) Suspicious:W32/Malware!Gemini (virus) C:\FILES\MISC\MYCARS\OTHER\DTR2\BIGBLOCKMODIFIEDS_TYPEB.EXE (Not cleaned & Submitted) Suspicious:W32/Malware!Gemini (virus) C:\DOCUMENTS AND SETTINGS\KARL SUNDBERG\SKRIVBORD\NTIIHTNN.EXE (Not cleaned) -------------------------------------------------------------------------------- Statistics Scanned: Files: 78367 System: 4049 Not scanned: 24 Actions: Disinfected: 1 Renamed: 0 Deleted: 0 Not cleaned: 10 Submitted: 6 Files not scanned: C:\PAGEFILE.SYS C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT C:\WINDOWS\SYSTEM32\CONFIG\SAM C:\WINDOWS\SYSTEM32\CONFIG\SECURITY C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM C:\PROGRAM\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE C:\PROGRAM\MICROSOFT SECURITY CLIENT\ANTIMALWARE\MSMPENG.EXE C:\PROGRAM\LAVASOFT\AD-AWARE\AAWSERVICE.EXE C:\DOCUMENTS AND SETTINGS\KARL SUNDBERG\LOKALA INSTÄLLNINGAR\TEMP\ETILQS_EB8GNMWZ9EWRMZT C:\DOCUMENTS AND SETTINGS\KARL SUNDBERG\LOKALA INSTÄLLNINGAR\TEMP\ETILQS_5OTNTIRUQ6VPPXS C:\DOCUMENTS AND SETTINGS\KARL SUNDBERG\LOKALA INSTÄLLNINGAR\TEMP\ETILQS_5BGXEP3VUFHCGHJ C:\DOCUMENTS AND SETTINGS\KARL SUNDBERG\LOKALA INSTÄLLNINGAR\TEMP\ETILQS_Q9SQGBYZTSQJPIC C:\DOCUMENTS AND SETTINGS\KARL SUNDBERG\LOKALA INSTÄLLNINGAR\TEMP\ETILQS_CVE0EJFSYK5RJ9A C:\DOCUMENTS AND SETTINGS\KARL SUNDBERG\LOKALA INSTÄLLNINGAR\TEMP\HSPERFDATA_KARL SUNDBERG\2416 C:\DOCUMENTS AND SETTINGS\KARL SUNDBERG\LOKALA INSTÄLLNINGAR\TEMP\HSPERFDATA_KARL SUNDBERG\644 C:\DOCUMENTS AND SETTINGS\KARL SUNDBERG\LOKALA INSTÄLLNINGAR\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\CACHE\DATA_0 C:\DOCUMENTS AND SETTINGS\KARL SUNDBERG\LOKALA INSTÄLLNINGAR\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\CACHE\DATA_4 C:\DOCUMENTS AND SETTINGS\KARL SUNDBERG\LOKALA INSTÄLLNINGAR\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\CACHE\DATA_1 C:\DOCUMENTS AND SETTINGS\KARL SUNDBERG\LOKALA INSTÄLLNINGAR\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\CACHE\DATA_5 C:\DOCUMENTS AND SETTINGS\KARL SUNDBERG\LOKALA INSTÄLLNINGAR\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\CACHE\DATA_2 C:\DOCUMENTS AND SETTINGS\KARL SUNDBERG\LOKALA INSTÄLLNINGAR\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\CACHE\DATA_3 C:\DOCUMENTS AND SETTINGS\KARL SUNDBERG\LOKALA INSTÄLLNINGAR\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\CACHE\INDEX C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\MICROSOFT ANTIMALWARE\SCANS\HISTORY\CACHEMANAGER\MPSCANCACHE-0.BIN and Security check Results of screen317's Security Check version 0.99.24 Windows XP Service Pack 3 x86 Internet Explorer 8 `````````````````````````````` Antivirus/Firewall Check: ESET Online Scanner v3 Microsoft Security Essentials Antivirus up to date! (On Access scanning disabled!) ``````````````````````````````` Anti-malware/Other Utilities Check: Ad-Aware Malwarebytes' Anti-Malware CCleaner (remove only) Java 6 Update 20 Out of date Java installed! Adobe Reader X (10.1.1) ```````````````````````````````` Process Check: objlist.exe by Laurent Ad-Aware AAWService.exe is disabled! Ad-Aware AAWTray.exe is disabled! Microsoft Security Essentials msseces.exe ``````````End of Log````````````
-
Thanks for helping I created the 2 directories in the script file but that probably doesn't mean they're not infected. The first time I ran the ESET online scanner it deleted 3 jpg's that I'd gotten from my own digital camera Combofix ComboFix 11-10-24.02 - Karl Sundberg 10/24/2011 19:51:42.4.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.46.1053.18.2046.1561 [GMT 2:00] Körs från: c:\documents and settings\Karl Sundberg\Skrivbord\ComboFix.exe Kommandoväxlar som använts :: c:\documents and settings\Karl Sundberg\Skrivbord\CFScript.txt AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33} AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF} AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095} . . ((((((((((((((((((((((((((((((((((((((( Andra raderingar )))))))))))))))))))))))))))))))))))))))))))))))) . . c:\windows\help\tours\htmltour\unlock_playing.htm . . ((((((((((((((((((((((((((((((((((((((( Drivrutiner/Tjänster ))))))))))))))))))))))))))))))))))))))))))))))))) . . -------\Legacy_MPKSL232AC154 -------\Service_exkxka -------\Service_jerm -------\Service_MpKsl232ac154 -------\Service_pgqy -------\Service_wlyry -------\Service_zbnegcaahptd5 . . (((((((((((((((((((((((( Filer skapade från 2011-09-24 till 2011-10-24 )))))))))))))))))))))))))))))) . . 2011-10-12 20:41 . 2008-04-13 18:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys 2011-10-12 20:41 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys 2011-10-10 02:32 . 2011-10-10 02:32 -------- d-----w- c:\documents and settings\Karl Sundberg\Lokala inställningar\Application Data\PCHealth 2011-10-09 14:09 . 2011-10-09 14:09 -------- d-----w- c:\program\ESET 2011-10-09 13:26 . 2011-10-09 13:29 -------- d-----w- c:\documents and settings\Administratör 2011-10-09 12:40 . 2011-10-10 16:03 -------- d-sh--w- c:\documents and settings\Karl Sundberg\Lokala inställningar\Application Data\99879ed2 2011-10-09 07:11 . 2011-10-09 07:11 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B91C9470-47C3-422D-BF46-CCB4B814C9B4}\offreg.dll 2011-10-09 07:11 . 2011-09-12 23:14 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B91C9470-47C3-422D-BF46-CCB4B814C9B4}\mpengine.dll 2011-10-08 15:52 . 2011-10-08 15:53 -------- d-----w- C:\lvb . . . (((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-10-19 15:47 . 2011-05-16 07:30 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-10-09 08:50 . 2011-10-09 08:50 9254 ----a-w- C:\Super_Cuts-vector-logo-6F8B6E82A8-seeklogo.com.zip 2011-10-03 15:59 . 2011-10-03 15:59 6833565 ----a-w- C:\WinchesterNight1_1.zip 2011-10-02 18:04 . 2011-10-02 18:04 3646789 ----a-w- C:\winchester1_3.zip 2011-09-26 21:07 . 2011-09-26 21:07 11389375 ----a-w- C:\358_OCFS_WTF.zip 2011-09-26 09:41 . 2007-10-09 12:03 612352 ----a-w- c:\windows\system32\uiautomationcore.dll 2011-09-26 09:41 . 2006-03-02 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll 2011-09-26 09:41 . 2006-03-02 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll 2011-09-12 23:14 . 2010-04-23 11:40 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2011-09-09 09:12 . 2006-03-02 12:00 602112 ----a-w- c:\windows\system32\crypt32.dll 2011-09-06 14:09 . 2006-03-02 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys 2011-08-31 15:00 . 2010-04-20 20:36 22216 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-08-22 23:40 . 2006-03-02 12:00 916480 ----a-w- c:\windows\system32\wininet.dll 2011-08-22 23:40 . 2006-03-02 12:00 43520 ------w- c:\windows\system32\licmgr10.dll 2011-08-22 23:40 . 2006-03-02 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl 2011-08-22 11:58 . 2006-03-02 12:00 385024 ------w- c:\windows\system32\html.iec 2011-08-17 13:49 . 2006-03-02 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys . . (((((((((((((((((((((((((((((((((((((((((((( Look ))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . ---- Directory of C:\jrflag ---- . 2011-10-09 12:23 . 2011-10-09 12:23 119457 ----a-w- c:\jrflag\nh.png 2011-10-09 12:21 . 2011-10-09 12:21 113651 ----a-w- c:\jrflag\newhampshire.jpg 2011-10-09 12:16 . 2011-10-09 12:16 786486 ----a-w- c:\jrflag\maine.bmp 2011-10-09 12:15 . 2011-10-09 12:15 786486 ----a-w- c:\jrflag\maine_m.bmp 2011-10-09 10:05 . 2011-10-09 10:05 786486 ----a-w- c:\jrflag\conn_m.bmp 2011-10-09 10:05 . 2011-10-09 10:05 786486 ----a-w- c:\jrflag\conn.bmp 2011-09-29 18:36 . 2011-10-09 12:42 1874226 ----a-w- c:\jrflag\flagm.psd 2011-09-27 19:49 . 2011-09-27 19:49 786486 ----a-w- c:\jrflag\canadam.bmp 2011-09-27 19:49 . 2011-09-27 19:49 786486 ----a-w- c:\jrflag\canada.bmp 2011-09-24 13:53 . 2011-10-09 12:38 3239588 ----a-w- c:\jrflag\flag.psd 2011-09-24 13:52 . 2011-09-24 13:52 786486 ----a-w- c:\jrflag\flagmirrored.bmp 2011-09-24 12:37 . 2011-09-24 12:37 101542 ----a-w- c:\jrflag\nh-flag1.bmp 2011-09-24 12:37 . 2011-09-24 12:36 40360 ----a-w- c:\jrflag\connecticut-flag.jpg 2011-09-24 12:37 . 2011-09-24 12:36 46445 ----a-w- c:\jrflag\Canada_Flag.jpg 2011-09-24 12:37 . 2011-09-24 12:37 1886262 ----a-w- c:\jrflag\maine1.bmp 2011-09-24 10:16 . 2011-09-24 10:16 786486 ----a-w- c:\jrflag\flag.bmp . ---- Directory of C:\lvb ---- . 2011-10-03 18:15 . 2011-10-03 18:13 69335 ----a-w- c:\lvb\5209_2011-03-21-dsc_0067_large.jpg 2011-10-03 18:14 . 2011-10-03 18:13 72646 ----a-w- c:\lvb\5209_2011-03-21-dsc_0049_large.jpg 2011-10-03 18:14 . 2011-10-03 18:13 84543 ----a-w- c:\lvb\5209_2011-03-21-dsc_0045_large.jpg 2011-10-03 18:14 . 2011-10-03 18:13 89693 ----a-w- c:\lvb\5209_2011-03-21-dsc_0043_large.jpg 2011-10-03 18:14 . 2011-10-03 18:13 95006 ----a-w- c:\lvb\5209_2011-03-21-dsc_0031_large.jpg 2011-10-03 18:14 . 2011-10-03 18:13 98899 ----a-w- c:\lvb\5209_2011-03-21-dsc_0027_large.jpg 2011-10-03 18:14 . 2011-10-03 18:13 63578 ----a-w- c:\lvb\5209_2011-03-21-dsc_0025_large.jpg 2011-10-03 18:14 . 2011-10-03 18:13 81777 ----a-w- c:\lvb\5209_2011-03-21-dsc_0023_large.jpg 2011-10-03 18:14 . 2011-10-03 18:13 107198 ----a-w- c:\lvb\5209_2011-03-21-dsc_0016_large.jpg 2011-10-03 18:14 . 2011-10-03 18:13 106142 ----a-w- c:\lvb\5209_2011-03-21-dsc_0013_large.jpg 2011-10-03 18:13 . 2011-10-03 18:13 86086 ----a-w- c:\lvb\5209_2011-03-21-dsc_0011_large.jpg 2011-10-03 18:13 . 2011-10-03 18:13 94997 ----a-w- c:\lvb\5209_2011-03-21-dsc_0010_large.jpg 2011-10-03 18:13 . 2011-10-03 18:13 86417 ----a-w- c:\lvb\5209_2011-03-21-dsc_0008_large.jpg 2011-10-03 18:13 . 2011-10-03 18:13 80356 ----a-w- c:\lvb\5209_2011-03-21-dsc_0006_large.jpg 2011-10-02 15:32 . 2011-10-02 15:32 11391 ----a-w- c:\lvb\logo_2000bullring_sm.gif 2011-10-02 15:31 . 2011-10-02 15:30 43111 ----a-w- c:\lvb\2011_track_photo_bullring.jpg 2011-10-02 15:27 . 2011-10-02 15:27 64623 ----a-w- c:\lvb\2011_nknps_west_las_vegas_track_700.jpg 2011-10-02 15:00 . 2011-10-02 15:00 1792721 ----a-w- c:\lvb\lvb.jpg . . ((((((((((((((((((((((((((((( SnapShot@2011-10-12_20.45.37 ))))))))))))))))))))))))))))))))))))))))) . + 2011-10-24 18:05 . 2011-10-24 18:05 16384 c:\windows\temp\Perflib_Perfdata_af8.dat + 2011-10-19 15:47 . 2011-10-19 15:47 247968 c:\windows\system32\Macromed\Flash\FlashUtil11c_ActiveX.exe + 2011-10-19 15:47 . 2011-10-19 15:47 335520 c:\windows\system32\Macromed\Flash\FlashUtil11c_ActiveX.dll . (((((((((((((((((((((((((((((((((( Startpunkter i registret ))))))))))))))))))))))))))))))))))))))))))))))) . . *Not* tomma poster & legitima standardposter visas inte. REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SUPERAntiSpyware"="c:\program\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-09-27 4611456] "msnmsgr"="c:\program\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080] "Messenger (Yahoo!)"="c:\program\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="c:\program\Delade filer\Java\Java Update\jusched.exe" [2010-02-18 248040] "ArcSoft Connection Service"="c:\program\Delade filer\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616] "MSC"="c:\program\Microsoft Security Client\msseces.exe" [2011-06-15 997920] "Adobe ARM"="c:\program\Delade filer\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] . c:\documents and settings\All Users\Start-meny\Program\Autostart\ Microsoft Office.lnk - c:\program\Microsoft Office\Office\OSA9.EXE [1999-12-19 65588] . [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program\SUPERAntiSpyware\SASSEH.DLL" [2011-08-04 113024] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2009-09-03 13:21 548352 ----a-w- c:\program\SUPERAntiSpyware\SASWINLO.dll . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Spel\\NASCAR craftsman\\NR2003.exe"= "c:\\Program\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program\\backburner 2\\monitor.exe"= "c:\\Program\\backburner 2\\manager.exe"= "c:\\Program\\backburner 2\\server.exe"= "c:\\Program\\3dsmax7\\3dsmax.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Spel\\NASCAR Racing 2005 Season\\NR2003.exe"= "c:\\Program\\RSclient\\ServerRS_CLient\\ServerRS_Client.exe"= "c:\\Program\\GPLSecrets\\iGOR\\iGOR.exe"= "c:\\Program\\TVUPlayer\\TVUPlayer.exe"= "c:\\Spel\\NASCAR Oldies\\NR2003.exe"= "c:\\Program\\Messenger\\msmsgs.exe"= "c:\\WINDOWS\\system32\\dpvsetup.exe"= "c:\\Program\\Autodesk\\backburner\\monitor.exe"= "c:\\Program\\Autodesk\\backburner\\manager.exe"= "c:\\Program\\Autodesk\\backburner\\server.exe"= "c:\\Program\\Google\\Google Earth\\client\\googleearth.exe"= "c:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program\\Winamp\\winamp.exe"= "c:\\Program\\Google\\Google Earth\\plugin\\geplugin.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "13876:TCP"= 13876:TCP:BitComet 13876 TCP "13876:UDP"= 13876:UDP:BitComet 13876 UDP . R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/24/2009 12:56 AM 64512] R1 SASDIFSV;SASDIFSV;c:\program\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 11:25 AM 12880] R1 SASKUTIL;SASKUTIL;c:\program\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 67664] R2 !SASCORE;SAS Core Service;c:\program\SUPERAntiSpyware\SASCORE.EXE [10/10/2011 5:44 PM 116608] R2 iRacingService;iRacing.com Helper Service;c:\spel\iRacing\iRacingService.exe [2/4/2008 11:19 PM 475808] S2 gupdate1c9c666ba4935f6;Google Update Service (gupdate1c9c666ba4935f6);c:\program\Google\Update\GoogleUpdate.exe [4/26/2009 2:01 PM 133104] S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program\Lavasoft\Ad-Aware\AAWService.exe [4/1/2011 9:22 AM 2152152] S3 AmdTools;AMD Special Tools Driver;c:\windows\system32\DRIVERS\AmdTools.sys --> c:\windows\system32\DRIVERS\AmdTools.sys [?] S3 gupdatem;Tjänsten Google Update (gupdatem);c:\program\Google\Update\GoogleUpdate.exe [4/26/2009 2:01 PM 133104] S3 hercspud;Hercules ® WDM Audio Driver;c:\windows\system32\drivers\hercspud.sys [7/23/2008 2:18 PM 153216] S3 hercwdm;Hercules ® WDM Interface Driver;c:\windows\system32\drivers\hercwdm.sys [7/23/2008 2:18 PM 497152] S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program\Lavasoft\Ad-Aware\kernexplorer.sys [4/1/2011 9:22 AM 15232] S3 SASENUM;SASENUM;c:\program\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872] S3 SysProtDrv.sys;SysProtDrv.sys;\??\c:\documents and settings\Karl Sundberg\Skrivbord\SysProt\SysProtDrv.sys --> c:\documents and settings\Karl Sundberg\Skrivbord\SysProt\SysProtDrv.sys [?] S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/12/2006 2:46 PM 691696] . Innehåll i mappen 'Schemalagda aktiviteter': . 2011-10-24 c:\windows\Tasks\Google Software Updater.job - c:\program\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-25 19:02] . 2011-10-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program\Google\Update\GoogleUpdate.exe [2009-04-26 12:01] . 2011-10-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program\Google\Update\GoogleUpdate.exe [2009-04-26 12:01] . 2011-10-09 c:\windows\Tasks\MP Scheduled Scan.job - c:\program\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 13:39] . 2011-10-24 c:\windows\Tasks\User_Feed_Synchronization-{DAA89DED-0C43-44C5-8010-9A9987BDBDAD}.job - c:\windows\system32\msfeedssync.exe [2006-10-17 02:31] . . ------- Extra genomsökning ------- . uStart Page = hxxp://www.altavista.com/ uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com IE: AltaVista Search - file://c:\program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextSearch.htm IE: Google Sidewiki... - c:\program\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html IE: Translate - file://c:\program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextTranslation.htm TCP: DhcpNameServer = 195.58.103.124 213.150.135.210 . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-10-24 20:04 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\.cdrom] "ImagePath"="\*" . --------------------- LÅSTA REGISTERNYCKLAR --------------------- . [HKEY_USERS\S-1-5-21-1844237615-725345543-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2EB06BD8-2159-F682-4E02-4394A10089BA}*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) "hablgopbffeaiiko"=hex:67,61,69,67,6f,6f,65,68,67,6e,6b,70,68,63,00,00 "iafjkjiikmdpnepbbm"=hex:62,61,6f,66,00,fa . --------------------- DLL'er som "laddats" under processer som körs --------------------- . - - - - - - - > 'winlogon.exe'(900) c:\program\SUPERAntiSpyware\SASWINLO.DLL c:\windows\system32\Ati2evxx.dll . - - - - - - - > 'explorer.exe'(4092) c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Andra processer som körs ------------------------ . c:\windows\system32\Ati2evxx.exe c:\windows\system32\Ati2evxx.exe c:\program\Delade filer\ArcSoft\Connection Service\Bin\ACService.exe c:\program\Delade filer\Autodesk Shared\Service\AdskScSrv.exe c:\windows\system32\DRIVERS\CDANTSRV.EXE c:\program\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe . ************************************************************************** . Sluttid: 2011-10-24 20:10:50 - datorn startades om. ComboFix-quarantined-files.txt 2011-10-24 18:10 ComboFix2.txt 2011-10-20 18:08 . Före genomsökningen: 139,472,936,960 byte ledigt Efter genomsökningen: 139,629,903,872 byte ledigt . Current=3 Default=3 Failed=4 LastKnownGood=5 Sets=1,2,3,4,5 - - End Of File - - 0C3A4D1E70898B89F70DED424EB728ED DDS . DDS (Ver_2011-08-26.01) - NTFSx86 Internet Explorer: 8.0.6001.18702 Run by Karl Sundberg at 20:12:59 on 2011-10-24 Microsoft Windows XP Professional 5.1.2600.3.1252.46.1053.18.2046.1531 [GMT 2:00] . AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33} AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095} AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF} . ============== Running Processes =============== . C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe svchost.exe C:\Program\SUPERAntiSpyware\SASCORE.EXE C:\Program\Delade filer\ArcSoft\Connection Service\Bin\ACService.exe C:\Program\Delade filer\Autodesk Shared\Service\AdskScSrv.exe C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE C:\spel\iRacing\iRacingService.exe C:\Program\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program\Delade filer\ArcSoft\Connection Service\Bin\ACDaemon.exe C:\Program\Microsoft Security Client\msseces.exe C:\Program\Windows Live\Messenger\msnmsgr.exe C:\Program\Yahoo!\MESSEN~1\YahooMessenger.exe C:\WINDOWS\explorer.exe . ============== Pseudo HJT Report =============== . uStart Page = hxxp://www.altavista.com/ uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program\delade filer\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program\avg\avg9\avgssie.dll BHO: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - No File BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program\spybot - search & destroy\SDHelper.dll BHO: Windows Live inloggningshjälpen: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program\delade filer\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program\google\googletoolbarnotifier\5.5.5126.1836\swg.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program\java\jre6\bin\jp2ssv.dll TB: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - No File TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - uRun: [sUPERAntiSpyware] c:\program\superantispyware\SUPERAntiSpyware.exe uRun: [msnmsgr] "c:\program\windows live\messenger\msnmsgr.exe" /background uRun: [Messenger (Yahoo!)] "c:\program\yahoo!\messen~1\YahooMessenger.exe" -quiet mRun: [sunJavaUpdateSched] "c:\program\delade filer\java\java update\jusched.exe" mRun: [ArcSoft Connection Service] c:\program\delade filer\arcsoft\connection service\bin\ACDaemon.exe mRun: [MSC] "c:\program\microsoft security client\msseces.exe" -hide -runkey mRun: [Adobe ARM] "c:\program\delade filer\adobe\arm\1.0\AdobeARM.exe" dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\micros~1.lnk - c:\program\microsoft office\office\OSA9.EXE IE: AltaVista Search - file://c:\program\dynamic toolbar\altavista\cache\SelectedContextSearch.htm IE: Google Sidewiki... - c:\program\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html IE: Translate - file://c:\program\dynamic toolbar\altavista\cache\SelectedContextTranslation.htm IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program\yahoo!\messenger\YahooMessenger.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program\messenger\msmsgs.exe IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program\spybot - search & destroy\SDHelper.dll DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program\yahoo!\common\yinsthelper.dll DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab TCP: DhcpNameServer = 195.58.103.124 213.150.135.210 TCP: Interfaces\{AF6B546A-A4CD-4DFF-A803-1225C9731A10} : DhcpNameServer = 195.58.103.124 213.150.135.210 Notify: !SASWinLogon - c:\program\superantispyware\SASWINLO.DLL Notify: AtiExtEvent - Ati2evxx.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program\superantispyware\SASSEH.DLL . ============= SERVICES / DRIVERS =============== . R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-24 64512] R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165648] R1 SASDIFSV;SASDIFSV;c:\program\superantispyware\SASDIFSV.SYS [2010-2-17 12880] R1 SASKUTIL;SASKUTIL;c:\program\superantispyware\SASKUTIL.SYS [2010-2-17 67664] R2 !SASCORE;SAS Core Service;c:\program\superantispyware\SASCORE.EXE [2011-10-10 116608] R2 iRacingService;iRacing.com Helper Service;c:\spel\iracing\iRacingService.exe [2008-2-4 475808] S2 gupdate1c9c666ba4935f6;Google Update Service (gupdate1c9c666ba4935f6);c:\program\google\update\GoogleUpdate.exe [2009-4-26 133104] S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program\lavasoft\ad-aware\AAWService.exe [2011-4-1 2152152] S3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\amdtools.sys --> c:\windows\system32\drivers\AmdTools.sys [?] S3 gupdatem;Tjänsten Google Update (gupdatem);c:\program\google\update\GoogleUpdate.exe [2009-4-26 133104] S3 hercspud;Hercules ® WDM Audio Driver;c:\windows\system32\drivers\hercspud.sys [2008-7-23 153216] S3 hercwdm;Hercules ® WDM Interface Driver;c:\windows\system32\drivers\hercwdm.sys [2008-7-23 497152] S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program\lavasoft\ad-aware\kernexplorer.sys [2011-4-1 15232] S3 SASENUM;SASENUM;c:\program\superantispyware\SASENUM.SYS [2010-2-17 12872] S3 SysProtDrv.sys;SysProtDrv.sys;\??\c:\documents and settings\karl sundberg\skrivbord\sysprot\sysprotdrv.sys --> c:\documents and settings\karl sundberg\skrivbord\sysprot\SysProtDrv.sys [?] UnknownUnknown exkxka;exkxka; [x] UnknownUnknown jerm;jerm; [x] UnknownUnknown MpKsl232ac154;MpKsl232ac154; [x] UnknownUnknown pgqy;pgqy; [x] UnknownUnknown wlyry;wlyry; [x] UnknownUnknown zbnegcaahptd5;zbnegcaahptd5; [x] . =============== Created Last 30 ================ . 2011-10-12 20:41:54 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys 2011-10-12 20:41:54 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys 2011-10-12 20:17:42 -------- d-sha-r- C:\cmdcons 2011-10-12 20:15:20 98816 ----a-w- c:\windows\sed.exe 2011-10-12 20:15:20 518144 ----a-w- c:\windows\SWREG.exe 2011-10-12 20:15:20 256000 ----a-w- c:\windows\PEV.exe 2011-10-12 20:15:20 208896 ----a-w- c:\windows\MBR.exe 2011-10-10 02:32:32 -------- d-----w- c:\documents and settings\karl sundberg\lokala inställningar\application data\PCHealth 2011-10-09 14:09:05 -------- d-----w- c:\program\ESET 2011-10-09 12:40:06 -------- d-sh--w- c:\documents and settings\karl sundberg\lokala inställningar\application data\99879ed2 2011-10-09 07:11:59 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b91c9470-47c3-422d-bf46-ccb4b814c9b4}\offreg.dll 2011-10-09 07:11:52 7269712 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b91c9470-47c3-422d-bf46-ccb4b814c9b4}\mpengine.dll 2011-10-08 15:52:46 -------- d-----w- C:\lvb . ==================== Find3M ==================== . 2011-10-19 15:47:31 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-09-26 09:41:40 612352 ----a-w- c:\windows\system32\uiautomationcore.dll 2011-09-26 09:41:40 20480 ----a-w- c:\windows\system32\oleaccrc.dll 2011-09-26 09:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll 2011-09-09 09:12:07 602112 ----a-w- c:\windows\system32\crypt32.dll 2011-09-08 20:03:09 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys 2011-09-06 14:09:57 1858944 ----a-w- c:\windows\system32\win32k.sys 2011-08-31 15:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-08-22 23:40:15 916480 ----a-w- c:\windows\system32\wininet.dll 2011-08-22 23:40:14 43520 ------w- c:\windows\system32\licmgr10.dll 2011-08-22 23:40:14 1469440 ------w- c:\windows\system32\inetcpl.cpl 2011-08-22 11:58:29 385024 ------w- c:\windows\system32\html.iec 2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys . ============= FINISH: 20:13:08.43 ===============
-
Hi Screen, thanks for your reply Combofix ComboFix 11-10-20.05 - Karl Sundberg 10/20/2011 19:55:31.3.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.46.1053.18.2046.1592 [GMT 2:00] Körs från: c:\documents and settings\Karl Sundberg\Skrivbord\ComboFix.exe AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33} AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF} AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095} . . ((((((((((((((((((((((((((((((((((((((( Andra raderingar )))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\Karl Sundberg\Lokala inställningar\Application Data\99879ed2\U\80000000.@ . . (((((((((((((((((((((((( Filer skapade från 2011-09-20 till 2011-10-20 )))))))))))))))))))))))))))))) . . 2011-10-12 20:41 . 2008-04-13 18:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys 2011-10-12 20:41 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys 2011-10-10 02:32 . 2011-10-10 02:32 -------- d-----w- c:\documents and settings\Karl Sundberg\Lokala inställningar\Application Data\PCHealth 2011-10-09 14:09 . 2011-10-09 14:09 -------- d-----w- c:\program\ESET 2011-10-09 13:26 . 2011-10-09 13:29 -------- d-----w- c:\documents and settings\Administratör 2011-10-09 12:40 . 2011-10-10 16:03 -------- d-sh--w- c:\documents and settings\Karl Sundberg\Lokala inställningar\Application Data\99879ed2 2011-10-09 07:11 . 2011-10-09 07:11 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B91C9470-47C3-422D-BF46-CCB4B814C9B4}\offreg.dll 2011-10-09 07:11 . 2011-09-12 23:14 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B91C9470-47C3-422D-BF46-CCB4B814C9B4}\mpengine.dll 2011-10-08 15:52 . 2011-10-08 15:53 -------- d-----w- C:\lvb 2011-09-24 12:36 . 2011-10-09 12:42 -------- d-----w- C:\jrflag . . . (((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-10-19 15:47 . 2011-05-16 07:30 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-10-09 08:50 . 2011-10-09 08:50 9254 ----a-w- C:\Super_Cuts-vector-logo-6F8B6E82A8-seeklogo.com.zip 2011-10-03 15:59 . 2011-10-03 15:59 6833565 ----a-w- C:\WinchesterNight1_1.zip 2011-10-02 18:04 . 2011-10-02 18:04 3646789 ----a-w- C:\winchester1_3.zip 2011-09-26 21:07 . 2011-09-26 21:07 11389375 ----a-w- C:\358_OCFS_WTF.zip 2011-09-26 09:41 . 2007-10-09 12:03 612352 ----a-w- c:\windows\system32\uiautomationcore.dll 2011-09-26 09:41 . 2006-03-02 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll 2011-09-26 09:41 . 2006-03-02 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll 2011-09-12 23:14 . 2010-04-23 11:40 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2011-09-09 09:12 . 2006-03-02 12:00 602112 ----a-w- c:\windows\system32\crypt32.dll 2011-09-06 14:09 . 2006-03-02 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys 2011-08-31 15:00 . 2010-04-20 20:36 22216 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-08-22 23:40 . 2006-03-02 12:00 916480 ----a-w- c:\windows\system32\wininet.dll 2011-08-22 23:40 . 2006-03-02 12:00 43520 ------w- c:\windows\system32\licmgr10.dll 2011-08-22 23:40 . 2006-03-02 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl 2011-08-22 11:58 . 2006-03-02 12:00 385024 ------w- c:\windows\system32\html.iec 2011-08-17 13:49 . 2006-03-02 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys . . ((((((((((((((((((((((((((((( SnapShot@2011-10-12_20.45.37 ))))))))))))))))))))))))))))))))))))))))) . + 2011-10-19 15:47 . 2011-10-19 15:47 247968 c:\windows\system32\Macromed\Flash\FlashUtil11c_ActiveX.exe + 2011-10-19 15:47 . 2011-10-19 15:47 335520 c:\windows\system32\Macromed\Flash\FlashUtil11c_ActiveX.dll . (((((((((((((((((((((((((((((((((( Startpunkter i registret ))))))))))))))))))))))))))))))))))))))))))))))) . . *Not* tomma poster & legitima standardposter visas inte. REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SUPERAntiSpyware"="c:\program\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-09-27 4611456] "msnmsgr"="c:\program\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080] "Messenger (Yahoo!)"="c:\program\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="c:\program\Delade filer\Java\Java Update\jusched.exe" [2010-02-18 248040] "ArcSoft Connection Service"="c:\program\Delade filer\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616] "MSC"="c:\program\Microsoft Security Client\msseces.exe" [2011-06-15 997920] "Adobe ARM"="c:\program\Delade filer\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] . c:\documents and settings\All Users\Start-meny\Program\Autostart\ Microsoft Office.lnk - c:\program\Microsoft Office\Office\OSA9.EXE [1999-12-19 65588] . [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program\SUPERAntiSpyware\SASSEH.DLL" [2011-08-04 113024] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2009-09-03 13:21 548352 ----a-w- c:\program\SUPERAntiSpyware\SASWINLO.dll . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Spel\\NASCAR craftsman\\NR2003.exe"= "c:\\Program\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program\\backburner 2\\monitor.exe"= "c:\\Program\\backburner 2\\manager.exe"= "c:\\Program\\backburner 2\\server.exe"= "c:\\Program\\3dsmax7\\3dsmax.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Spel\\NASCAR Racing 2005 Season\\NR2003.exe"= "c:\\Program\\RSclient\\ServerRS_CLient\\ServerRS_Client.exe"= "c:\\Program\\GPLSecrets\\iGOR\\iGOR.exe"= "c:\\Program\\TVUPlayer\\TVUPlayer.exe"= "c:\\Spel\\NASCAR Oldies\\NR2003.exe"= "c:\\Program\\Messenger\\msmsgs.exe"= "c:\\WINDOWS\\system32\\dpvsetup.exe"= "c:\\Program\\Autodesk\\backburner\\monitor.exe"= "c:\\Program\\Autodesk\\backburner\\manager.exe"= "c:\\Program\\Autodesk\\backburner\\server.exe"= "c:\\Program\\Google\\Google Earth\\client\\googleearth.exe"= "c:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program\\Winamp\\winamp.exe"= "c:\\Program\\Google\\Google Earth\\plugin\\geplugin.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "13876:TCP"= 13876:TCP:BitComet 13876 TCP "13876:UDP"= 13876:UDP:BitComet 13876 UDP . R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/24/2009 12:56 AM 64512] R1 SASDIFSV;SASDIFSV;c:\program\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 11:25 AM 12880] R1 SASKUTIL;SASKUTIL;c:\program\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 67664] R2 !SASCORE;SAS Core Service;c:\program\SUPERAntiSpyware\SASCORE.EXE [10/10/2011 5:44 PM 116608] R2 iRacingService;iRacing.com Helper Service;c:\spel\iRacing\iRacingService.exe [2/4/2008 11:19 PM 475808] S0 exkxka;exkxka; [x] S0 jerm;jerm;c:\windows\system32\drivers\bcxiiqvc.sys --> c:\windows\system32\drivers\bcxiiqvc.sys [?] S0 pgqy;pgqy;c:\windows\system32\drivers\xfakgela.sys --> c:\windows\system32\drivers\xfakgela.sys [?] S0 wlyry;wlyry;c:\windows\system32\drivers\yhtmgjrt.sys --> c:\windows\system32\drivers\yhtmgjrt.sys [?] S1 MpKsl232ac154;MpKsl232ac154;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F3585FD7-AC55-4BC6-95F0-BC1EA0C0FF72}\MpKsl232ac154.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F3585FD7-AC55-4BC6-95F0-BC1EA0C0FF72}\MpKsl232ac154.sys [?] S1 zbnegcaahptd5;zbnegcaahptd5;c:\windows\system32\drivers\zbnegcaahptd5.sys --> c:\windows\system32\drivers\zbnegcaahptd5.sys [?] S2 gupdate1c9c666ba4935f6;Google Update Service (gupdate1c9c666ba4935f6);c:\program\Google\Update\GoogleUpdate.exe [4/26/2009 2:01 PM 133104] S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program\Lavasoft\Ad-Aware\AAWService.exe [4/1/2011 9:22 AM 2152152] S3 AmdTools;AMD Special Tools Driver;c:\windows\system32\DRIVERS\AmdTools.sys --> c:\windows\system32\DRIVERS\AmdTools.sys [?] S3 gupdatem;Tjänsten Google Update (gupdatem);c:\program\Google\Update\GoogleUpdate.exe [4/26/2009 2:01 PM 133104] S3 hercspud;Hercules ® WDM Audio Driver;c:\windows\system32\drivers\hercspud.sys [7/23/2008 2:18 PM 153216] S3 hercwdm;Hercules ® WDM Interface Driver;c:\windows\system32\drivers\hercwdm.sys [7/23/2008 2:18 PM 497152] S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program\Lavasoft\Ad-Aware\kernexplorer.sys [4/1/2011 9:22 AM 15232] S3 SASENUM;SASENUM;c:\program\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872] S3 SysProtDrv.sys;SysProtDrv.sys;\??\c:\documents and settings\Karl Sundberg\Skrivbord\SysProt\SysProtDrv.sys --> c:\documents and settings\Karl Sundberg\Skrivbord\SysProt\SysProtDrv.sys [?] S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/12/2006 2:46 PM 691696] . Innehåll i mappen 'Schemalagda aktiviteter': . 2011-10-20 c:\windows\Tasks\Google Software Updater.job - c:\program\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-25 19:02] . 2011-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program\Google\Update\GoogleUpdate.exe [2009-04-26 12:01] . 2011-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program\Google\Update\GoogleUpdate.exe [2009-04-26 12:01] . 2011-10-09 c:\windows\Tasks\MP Scheduled Scan.job - c:\program\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 13:39] . 2011-10-20 c:\windows\Tasks\User_Feed_Synchronization-{DAA89DED-0C43-44C5-8010-9A9987BDBDAD}.job - c:\windows\system32\msfeedssync.exe [2006-10-17 02:31] . . ------- Extra genomsökning ------- . uStart Page = hxxp://www.altavista.com/ uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com IE: AltaVista Search - file://c:\program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextSearch.htm IE: Google Sidewiki... - c:\program\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html IE: Translate - file://c:\program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextTranslation.htm TCP: DhcpNameServer = 195.58.103.124 213.150.135.210 . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-10-20 20:06 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet004\Services\.cdrom] "ImagePath"="\*" . --------------------- LÅSTA REGISTERNYCKLAR --------------------- . [HKEY_USERS\S-1-5-21-1844237615-725345543-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2EB06BD8-2159-F682-4E02-4394A10089BA}*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) "hablgopbffeaiiko"=hex:67,61,69,67,6f,6f,65,68,67,6e,6b,70,68,63,00,00 "iafjkjiikmdpnepbbm"=hex:62,61,6f,66,00,fa . --------------------- DLL'er som "laddats" under processer som körs --------------------- . - - - - - - - > 'winlogon.exe'(900) c:\program\SUPERAntiSpyware\SASWINLO.DLL c:\windows\system32\Ati2evxx.dll . Sluttid: 2011-10-20 20:08:36 ComboFix-quarantined-files.txt 2011-10-20 18:08 . Före genomsökningen: 139,354,267,648 byte ledigt Efter genomsökningen: 139,579,101,184 byte ledigt . Current=4 Default=4 Failed=1 LastKnownGood=3 Sets=1,2,3,4 - - End Of File - - 317511F9919C539C81D3836C04864647 DDS . DDS (Ver_2011-08-26.01) - NTFSx86 Internet Explorer: 8.0.6001.18702 Run by Karl Sundberg at 20:42:11 on 2011-10-20 Microsoft Windows XP Professional 5.1.2600.3.1252.46.1053.18.2046.1477 [GMT 2:00] . AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33} AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095} AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF} . ============== Running Processes =============== . C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program\Delade filer\ArcSoft\Connection Service\Bin\ACDaemon.exe C:\Program\Microsoft Security Client\msseces.exe C:\WINDOWS\system32\ctfmon.exe svchost.exe C:\Program\Delade filer\ArcSoft\Connection Service\Bin\ACService.exe C:\Program\Delade filer\Autodesk Shared\Service\AdskScSrv.exe C:\spel\iRacing\iRacingService.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program\SUPERAntiSpyware\SASCORE.EXE C:\Program\ATI Technologies\ATI.ACE\Core-Static\mom.exe C:\Program\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\WINDOWS\explorer.exe . ============== Pseudo HJT Report =============== . uStart Page = hxxp://www.altavista.com/ uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program\delade filer\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program\avg\avg9\avgssie.dll BHO: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - No File BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program\spybot - search & destroy\SDHelper.dll BHO: Windows Live inloggningshjälpen: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program\delade filer\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program\google\googletoolbarnotifier\5.5.5126.1836\swg.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program\java\jre6\bin\jp2ssv.dll TB: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - No File TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - uRun: [sUPERAntiSpyware] c:\program\superantispyware\SUPERAntiSpyware.exe uRun: [msnmsgr] "c:\program\windows live\messenger\msnmsgr.exe" /background uRun: [Messenger (Yahoo!)] "c:\program\yahoo!\messen~1\YahooMessenger.exe" -quiet mRun: [sunJavaUpdateSched] "c:\program\delade filer\java\java update\jusched.exe" mRun: [ArcSoft Connection Service] c:\program\delade filer\arcsoft\connection service\bin\ACDaemon.exe mRun: [MSC] "c:\program\microsoft security client\msseces.exe" -hide -runkey mRun: [Adobe ARM] "c:\program\delade filer\adobe\arm\1.0\AdobeARM.exe" dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\micros~1.lnk - c:\program\microsoft office\office\OSA9.EXE IE: AltaVista Search - file://c:\program\dynamic toolbar\altavista\cache\SelectedContextSearch.htm IE: Google Sidewiki... - c:\program\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html IE: Translate - file://c:\program\dynamic toolbar\altavista\cache\SelectedContextTranslation.htm IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program\yahoo!\messenger\YahooMessenger.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program\messenger\msmsgs.exe IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program\spybot - search & destroy\SDHelper.dll DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program\yahoo!\common\yinsthelper.dll DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab TCP: DhcpNameServer = 195.58.103.124 213.150.135.210 TCP: Interfaces\{AF6B546A-A4CD-4DFF-A803-1225C9731A10} : DhcpNameServer = 195.58.103.124 213.150.135.210 Notify: !SASWinLogon - c:\program\superantispyware\SASWINLO.DLL Notify: AtiExtEvent - Ati2evxx.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program\superantispyware\SASSEH.DLL . ============= SERVICES / DRIVERS =============== . R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-24 64512] R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165648] R1 SASDIFSV;SASDIFSV;c:\program\superantispyware\SASDIFSV.SYS [2010-2-17 12880] R1 SASKUTIL;SASKUTIL;c:\program\superantispyware\SASKUTIL.SYS [2010-2-17 67664] R2 !SASCORE;SAS Core Service;c:\program\superantispyware\SASCORE.EXE [2011-10-10 116608] R2 iRacingService;iRacing.com Helper Service;c:\spel\iracing\iRacingService.exe [2008-2-4 475808] S0 exkxka;exkxka; [x] S0 jerm;jerm;c:\windows\system32\drivers\bcxiiqvc.sys --> c:\windows\system32\drivers\bcxiiqvc.sys [?] S0 pgqy;pgqy;c:\windows\system32\drivers\xfakgela.sys --> c:\windows\system32\drivers\xfakgela.sys [?] S0 wlyry;wlyry;c:\windows\system32\drivers\yhtmgjrt.sys --> c:\windows\system32\drivers\yhtmgjrt.sys [?] S1 MpKsl232ac154;MpKsl232ac154;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f3585fd7-ac55-4bc6-95f0-bc1ea0c0ff72}\mpksl232ac154.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f3585fd7-ac55-4bc6-95f0-bc1ea0c0ff72}\MpKsl232ac154.sys [?] S1 zbnegcaahptd5;zbnegcaahptd5;c:\windows\system32\drivers\zbnegcaahptd5.sys --> c:\windows\system32\drivers\zbnegcaahptd5.sys [?] S2 gupdate1c9c666ba4935f6;Google Update Service (gupdate1c9c666ba4935f6);c:\program\google\update\GoogleUpdate.exe [2009-4-26 133104] S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program\lavasoft\ad-aware\AAWService.exe [2011-4-1 2152152] S3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\amdtools.sys --> c:\windows\system32\drivers\AmdTools.sys [?] S3 gupdatem;Tjänsten Google Update (gupdatem);c:\program\google\update\GoogleUpdate.exe [2009-4-26 133104] S3 hercspud;Hercules ® WDM Audio Driver;c:\windows\system32\drivers\hercspud.sys [2008-7-23 153216] S3 hercwdm;Hercules ® WDM Interface Driver;c:\windows\system32\drivers\hercwdm.sys [2008-7-23 497152] S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program\lavasoft\ad-aware\kernexplorer.sys [2011-4-1 15232] S3 SASENUM;SASENUM;c:\program\superantispyware\SASENUM.SYS [2010-2-17 12872] S3 SysProtDrv.sys;SysProtDrv.sys;\??\c:\documents and settings\karl sundberg\skrivbord\sysprot\sysprotdrv.sys --> c:\documents and settings\karl sundberg\skrivbord\sysprot\SysProtDrv.sys [?] . =============== Created Last 30 ================ . 2011-10-12 20:41:54 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys 2011-10-12 20:41:54 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys 2011-10-12 20:17:42 -------- d-sha-r- C:\cmdcons 2011-10-12 20:15:20 98816 ----a-w- c:\windows\sed.exe 2011-10-12 20:15:20 518144 ----a-w- c:\windows\SWREG.exe 2011-10-12 20:15:20 256000 ----a-w- c:\windows\PEV.exe 2011-10-12 20:15:20 208896 ----a-w- c:\windows\MBR.exe 2011-10-10 02:32:32 -------- d-----w- c:\documents and settings\karl sundberg\lokala inställningar\application data\PCHealth 2011-10-09 14:09:05 -------- d-----w- c:\program\ESET 2011-10-09 12:40:06 -------- d-sh--w- c:\documents and settings\karl sundberg\lokala inställningar\application data\99879ed2 2011-10-09 07:11:59 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b91c9470-47c3-422d-bf46-ccb4b814c9b4}\offreg.dll 2011-10-09 07:11:52 7269712 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b91c9470-47c3-422d-bf46-ccb4b814c9b4}\mpengine.dll 2011-10-08 15:52:46 -------- d-----w- C:\lvb 2011-09-24 12:36:56 -------- d-----w- C:\jrflag . ==================== Find3M ==================== . 2011-10-19 15:47:31 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-09-26 09:41:40 612352 ----a-w- c:\windows\system32\uiautomationcore.dll 2011-09-26 09:41:40 20480 ----a-w- c:\windows\system32\oleaccrc.dll 2011-09-26 09:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll 2011-09-09 09:12:07 602112 ----a-w- c:\windows\system32\crypt32.dll 2011-09-08 20:03:09 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys 2011-09-06 14:09:57 1858944 ----a-w- c:\windows\system32\win32k.sys 2011-08-31 15:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-08-22 23:40:15 916480 ----a-w- c:\windows\system32\wininet.dll 2011-08-22 23:40:14 43520 ------w- c:\windows\system32\licmgr10.dll 2011-08-22 23:40:14 1469440 ------w- c:\windows\system32\inetcpl.cpl 2011-08-22 11:58:29 385024 ------w- c:\windows\system32\html.iec 2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys . ============= FINISH: 20:42:20.37 =============== I ran ESET a couple of days ago and it said something about C:\WINDOWS\system32\drivers\netbt.sys a variant of Win32/Rootkit.Kryptik.EA trojan unable to clean
-
Is there some other log I should post after uninstalling bitcomet?
-
Hi Screen no, I really don't think that was my problem. I used bitcomet to download nascar races but that was a while ago. I'm pretty sure I got it while trying to figure out what a certain actress (from comedys but hot of course ) was doing nowadays. I googled her and clicked on the link that was supposedly the largest fan site when I got a message from MSE about a virus which it supposedly took care of but shortly after that things went wrong fast. I can pm you her name and what link I think I clicked (not sure, it didn't seem like a high risk link so I wasn't paying much attention) I've uninstalled bitcomet so here are my newest logs (with updated MBAM) MBAM Malwarebytes' Anti-Malware 1.51.2.1300 www.malwarebytes.org Databasversion: 7950 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 10/15/2011 1:52:45 AM mbam-log-2011-10-15 (01-52-45).txt Skanningstyp: Snabbskanning Antal skannade objekt: 208759 Förfluten tid: 3 minut(er), 24 sekund(er) Infekterade minnesprocesser: 0 Infekterade minnesmoduler: 0 Infekterade registernycklar: 0 Infekterade registervärden: 0 Infekterade registerdataposter: 0 Infekterade mappar: 0 Infekterade filer: 0 Infekterade minnesprocesser: (Inga skadliga poster hittades) Infekterade minnesmoduler: (Inga skadliga poster hittades) Infekterade registernycklar: (Inga skadliga poster hittades) Infekterade registervärden: (Inga skadliga poster hittades) Infekterade registerdataposter: (Inga skadliga poster hittades) Infekterade mappar: (Inga skadliga poster hittades) Infekterade filer: (Inga skadliga poster hittades) DDS . DDS (Ver_2011-08-26.01) - NTFSx86 Internet Explorer: 8.0.6001.18702 Run by Karl Sundberg at 1:53:16 on 2011-10-15 Microsoft Windows XP Professional 5.1.2600.3.1252.46.1053.18.2046.1363 [GMT 2:00] . AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33} AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095} AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF} . ============== Running Processes =============== . C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program\Delade filer\ArcSoft\Connection Service\Bin\ACDaemon.exe C:\Program\Microsoft Security Client\msseces.exe C:\Program\Windows Live\Messenger\msnmsgr.exe C:\WINDOWS\system32\ctfmon.exe svchost.exe C:\Program\SUPERAntiSpyware\SASCORE.EXE C:\Program\Delade filer\ArcSoft\Connection Service\Bin\ACService.exe C:\Program\Delade filer\Autodesk Shared\Service\AdskScSrv.exe C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE C:\spel\iRacing\iRacingService.exe C:\Program\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program\internet explorer\iexplore.exe C:\Documents and Settings\Karl Sundberg\Lokala inställningar\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\Karl Sundberg\Lokala inställningar\Application Data\Google\Chrome\Application\chrome.exe C:\Program\internet explorer\iexplore.exe C:\Program\ATI Technologies\ATI.ACE\Core-Static\mom.exe C:\Program\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\Documents and Settings\Karl Sundberg\Lokala inställningar\Application Data\Google\Chrome\Application\chrome.exe . ============== Pseudo HJT Report =============== . uStart Page = hxxp://www.altavista.com/ uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program\delade filer\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program\avg\avg9\avgssie.dll BHO: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - No File BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program\spybot - search & destroy\SDHelper.dll BHO: Windows Live inloggningshjälpen: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program\delade filer\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program\google\googletoolbarnotifier\5.5.5126.1836\swg.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program\java\jre6\bin\jp2ssv.dll TB: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - No File TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - uRun: [sUPERAntiSpyware] c:\program\superantispyware\SUPERAntiSpyware.exe uRun: [msnmsgr] "c:\program\windows live\messenger\msnmsgr.exe" /background uRun: [Messenger (Yahoo!)] "c:\program\yahoo!\messen~1\YahooMessenger.exe" -quiet uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [sunJavaUpdateSched] "c:\program\delade filer\java\java update\jusched.exe" mRun: [ArcSoft Connection Service] c:\program\delade filer\arcsoft\connection service\bin\ACDaemon.exe mRun: [MSC] "c:\program\microsoft security client\msseces.exe" -hide -runkey mRun: [Adobe ARM] "c:\program\delade filer\adobe\arm\1.0\AdobeARM.exe" dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\micros~1.lnk - c:\program\microsoft office\office\OSA9.EXE IE: AltaVista Search - file://c:\program\dynamic toolbar\altavista\cache\SelectedContextSearch.htm IE: Google Sidewiki... - c:\program\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html IE: Translate - file://c:\program\dynamic toolbar\altavista\cache\SelectedContextTranslation.htm IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program\yahoo!\messenger\YahooMessenger.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program\messenger\msmsgs.exe IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program\spybot - search & destroy\SDHelper.dll DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program\yahoo!\common\yinsthelper.dll DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab TCP: DhcpNameServer = 195.58.103.124 213.150.135.210 TCP: Interfaces\{AF6B546A-A4CD-4DFF-A803-1225C9731A10} : DhcpNameServer = 195.58.103.124 213.150.135.210 Notify: !SASWinLogon - c:\program\superantispyware\SASWINLO.DLL Notify: AtiExtEvent - Ati2evxx.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program\superantispyware\SASSEH.DLL . ============= SERVICES / DRIVERS =============== . R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-24 64512] R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165648] R1 SASDIFSV;SASDIFSV;c:\program\superantispyware\SASDIFSV.SYS [2010-2-17 12880] R1 SASKUTIL;SASKUTIL;c:\program\superantispyware\SASKUTIL.SYS [2010-2-17 67664] R2 !SASCORE;SAS Core Service;c:\program\superantispyware\SASCORE.EXE [2011-10-10 116608] R2 iRacingService;iRacing.com Helper Service;c:\spel\iracing\iRacingService.exe [2008-2-4 475808] S0 exkxka;exkxka; [x] S0 jerm;jerm;c:\windows\system32\drivers\bcxiiqvc.sys --> c:\windows\system32\drivers\bcxiiqvc.sys [?] S0 pgqy;pgqy;c:\windows\system32\drivers\xfakgela.sys --> c:\windows\system32\drivers\xfakgela.sys [?] S0 wlyry;wlyry;c:\windows\system32\drivers\yhtmgjrt.sys --> c:\windows\system32\drivers\yhtmgjrt.sys [?] S1 MpKsl232ac154;MpKsl232ac154;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f3585fd7-ac55-4bc6-95f0-bc1ea0c0ff72}\mpksl232ac154.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f3585fd7-ac55-4bc6-95f0-bc1ea0c0ff72}\MpKsl232ac154.sys [?] S1 zbnegcaahptd5;zbnegcaahptd5;c:\windows\system32\drivers\zbnegcaahptd5.sys --> c:\windows\system32\drivers\zbnegcaahptd5.sys [?] S2 gupdate1c9c666ba4935f6;Google Update Service (gupdate1c9c666ba4935f6);c:\program\google\update\GoogleUpdate.exe [2009-4-26 133104] S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program\lavasoft\ad-aware\AAWService.exe [2011-4-1 2152152] S3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\amdtools.sys --> c:\windows\system32\drivers\AmdTools.sys [?] S3 gupdatem;Tjänsten Google Update (gupdatem);c:\program\google\update\GoogleUpdate.exe [2009-4-26 133104] S3 hercspud;Hercules ® WDM Audio Driver;c:\windows\system32\drivers\hercspud.sys [2008-7-23 153216] S3 hercwdm;Hercules ® WDM Interface Driver;c:\windows\system32\drivers\hercwdm.sys [2008-7-23 497152] S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program\lavasoft\ad-aware\kernexplorer.sys [2011-4-1 15232] S3 SASENUM;SASENUM;c:\program\superantispyware\SASENUM.SYS [2010-2-17 12872] S3 SysProtDrv.sys;SysProtDrv.sys;\??\c:\documents and settings\karl sundberg\skrivbord\sysprot\sysprotdrv.sys --> c:\documents and settings\karl sundberg\skrivbord\sysprot\SysProtDrv.sys [?] . =============== Created Last 30 ================ . 2011-10-12 20:41:54 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys 2011-10-12 20:41:54 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys 2011-10-12 20:17:42 -------- d-sha-r- C:\cmdcons 2011-10-12 20:15:20 98816 ----a-w- c:\windows\sed.exe 2011-10-12 20:15:20 518144 ----a-w- c:\windows\SWREG.exe 2011-10-12 20:15:20 256000 ----a-w- c:\windows\PEV.exe 2011-10-12 20:15:20 208896 ----a-w- c:\windows\MBR.exe 2011-10-10 02:32:32 -------- d-----w- c:\documents and settings\karl sundberg\lokala inställningar\application data\PCHealth 2011-10-09 14:09:05 -------- d-----w- c:\program\ESET 2011-10-09 12:40:06 -------- d-sh--w- c:\documents and settings\karl sundberg\lokala inställningar\application data\99879ed2 2011-10-09 07:11:59 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b91c9470-47c3-422d-bf46-ccb4b814c9b4}\offreg.dll 2011-10-09 07:11:52 7269712 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b91c9470-47c3-422d-bf46-ccb4b814c9b4}\mpengine.dll 2011-10-08 15:52:46 -------- d-----w- C:\lvb 2011-09-24 12:36:56 -------- d-----w- C:\jrflag 2011-09-19 18:13:25 -------- d-----w- c:\documents and settings\karl sundberg\application data\TradingPaints Downloader 2011-09-19 18:10:05 -------- d-----w- c:\program\TradingPaints Downloader 2011-09-17 08:30:30 -------- d-----w- C:\Waterford_Speedbowl_Tower . ==================== Find3M ==================== . 2011-09-26 09:41:40 612352 ----a-w- c:\windows\system32\uiautomationcore.dll 2011-09-26 09:41:40 20480 ----a-w- c:\windows\system32\oleaccrc.dll 2011-09-26 09:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll 2011-09-26 06:39:34 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-09-09 09:12:07 602112 ----a-w- c:\windows\system32\crypt32.dll 2011-09-08 20:03:09 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys 2011-09-06 14:09:57 1858944 ----a-w- c:\windows\system32\win32k.sys 2011-08-31 15:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-08-22 23:40:15 916480 ----a-w- c:\windows\system32\wininet.dll 2011-08-22 23:40:14 43520 ------w- c:\windows\system32\licmgr10.dll 2011-08-22 23:40:14 1469440 ------w- c:\windows\system32\inetcpl.cpl 2011-08-22 11:58:29 385024 ------w- c:\windows\system32\html.iec 2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys . ============= FINISH: 1:54:18.40 ===============
-
Thanks Screen I couldn't turn MSE and the lavasoft live watch off because as far as I can tell they're not running on my pc Here are the logs: MBAM Malwarebytes' Anti-Malware 1.51.2.1300 www.malwarebytes.org Databasversion: 7930 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 10/12/2011 10:04:42 PM mbam-log-2011-10-12 (22-04-42).txt Skanningstyp: Snabbskanning Antal skannade objekt: 214337 Förfluten tid: 6 minut(er), 48 sekund(er) Infekterade minnesprocesser: 0 Infekterade minnesmoduler: 0 Infekterade registernycklar: 0 Infekterade registervärden: 0 Infekterade registerdataposter: 0 Infekterade mappar: 0 Infekterade filer: 0 Infekterade minnesprocesser: (Inga skadliga poster hittades) Infekterade minnesmoduler: (Inga skadliga poster hittades) Infekterade registernycklar: (Inga skadliga poster hittades) Infekterade registervärden: (Inga skadliga poster hittades) Infekterade registerdataposter: (Inga skadliga poster hittades) Infekterade mappar: (Inga skadliga poster hittades) Infekterade filer: (Inga skadliga poster hittades) Combofix ComboFix 11-10-12.03 - Karl Sundberg 10/12/2011 22:30:36.2.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.46.1053.18.2046.1664 [GMT 2:00] Körs från: c:\documents and settings\Karl Sundberg\Skrivbord\ComboFix.exe AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33} AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF} AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095} . . ((((((((((((((((((((((((((((((((((((((( Andra raderingar )))))))))))))))))))))))))))))))))))))))))))))))) . . C:\desktop.ini c:\documents and settings\Karl Sundberg\Application Data\Adobe\plugs c:\documents and settings\Karl Sundberg\Application Data\Adobe\shed c:\documents and settings\Karl Sundberg\WINDOWS C:\DSCN0378.JPG C:\DSCN0380.JPG C:\DSCN0381.JPG c:\windows\$NtUninstallKB63658$\2936239907 c:\windows\{2521BB91-29B1-4d7e-9137-AC9875D77735} c:\windows\assembly\GAC_MSIL\desktop.ini c:\windows\ehome\medctrro.exe c:\windows\$NtUninstallKB63658$ . . . . misslyckades radera . c:\windows\system32\drivers\cdrom.sys saknades Återställd kopia från - c:\windows\ServicePackFiles\i386\cdrom.sys . . (((((((((((((((((((((((( Filer skapade från 2011-09-12 till 2011-10-12 )))))))))))))))))))))))))))))) . . 2011-10-12 20:41 . 2008-04-13 18:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys 2011-10-12 20:41 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys 2011-10-10 02:32 . 2011-10-10 02:32 -------- d-----w- c:\documents and settings\Karl Sundberg\Lokala inställningar\Application Data\PCHealth 2011-10-09 14:09 . 2011-10-09 14:09 -------- d-----w- c:\program\ESET 2011-10-09 13:26 . 2011-10-09 13:29 -------- d-----w- c:\documents and settings\Administratör 2011-10-09 12:40 . 2011-10-10 16:03 -------- d-sh--w- c:\documents and settings\Karl Sundberg\Lokala inställningar\Application Data\99879ed2 2011-10-09 07:11 . 2011-10-09 07:11 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B91C9470-47C3-422D-BF46-CCB4B814C9B4}\offreg.dll 2011-10-09 07:11 . 2011-09-12 23:14 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B91C9470-47C3-422D-BF46-CCB4B814C9B4}\mpengine.dll 2011-10-08 15:52 . 2011-10-08 15:53 -------- d-----w- C:\lvb 2011-09-24 12:36 . 2011-10-09 12:42 -------- d-----w- C:\jrflag 2011-09-19 18:13 . 2011-09-19 18:44 -------- d-----w- c:\documents and settings\Karl Sundberg\Application Data\TradingPaints Downloader 2011-09-19 18:10 . 2011-09-19 18:10 -------- d-----w- c:\program\TradingPaints Downloader 2011-09-17 08:30 . 2011-09-17 21:02 -------- d-----w- C:\Waterford_Speedbowl_Tower . . . (((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-10-09 08:50 . 2011-10-09 08:50 9254 ----a-w- C:\Super_Cuts-vector-logo-6F8B6E82A8-seeklogo.com.zip 2011-10-03 15:59 . 2011-10-03 15:59 6833565 ----a-w- C:\WinchesterNight1_1.zip 2011-10-02 18:04 . 2011-10-02 18:04 3646789 ----a-w- C:\winchester1_3.zip 2011-10-01 22:06 . 2006-09-18 05:57 2560 ----a-w- c:\windows\system32\BitCometRes.dll 2011-09-26 21:07 . 2011-09-26 21:07 11389375 ----a-w- C:\358_OCFS_WTF.zip 2011-09-26 09:41 . 2007-10-09 12:03 612352 ----a-w- c:\windows\system32\uiautomationcore.dll 2011-09-26 09:41 . 2006-03-02 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll 2011-09-26 09:41 . 2006-03-02 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll 2011-09-26 06:39 . 2011-05-16 07:30 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-09-12 23:14 . 2010-04-23 11:40 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2011-09-09 09:12 . 2006-03-02 12:00 602112 ----a-w- c:\windows\system32\crypt32.dll 2011-09-06 14:09 . 2006-03-02 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys 2011-08-31 15:00 . 2010-04-20 20:36 22216 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-08-22 23:40 . 2006-03-02 12:00 916480 ----a-w- c:\windows\system32\wininet.dll 2011-08-22 23:40 . 2006-03-02 12:00 43520 ------w- c:\windows\system32\licmgr10.dll 2011-08-22 23:40 . 2006-03-02 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl 2011-08-22 11:58 . 2006-03-02 12:00 385024 ------w- c:\windows\system32\html.iec 2011-08-17 13:49 . 2006-03-02 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys 2011-07-15 18:59 . 2010-06-07 07:34 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys 2011-07-15 13:29 . 2006-03-02 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys . . (((((((((((((((((((((((((((((((((( Startpunkter i registret ))))))))))))))))))))))))))))))))))))))))))))))) . . *Not* tomma poster & legitima standardposter visas inte. REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SUPERAntiSpyware"="c:\program\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-09-27 4611456] "msnmsgr"="c:\program\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080] "Messenger (Yahoo!)"="c:\program\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="c:\program\Delade filer\Java\Java Update\jusched.exe" [2010-02-18 248040] "ArcSoft Connection Service"="c:\program\Delade filer\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616] "MSC"="c:\program\Microsoft Security Client\msseces.exe" [2011-06-15 997920] "Adobe ARM"="c:\program\Delade filer\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] . c:\documents and settings\All Users\Start-meny\Program\Autostart\ Microsoft Office.lnk - c:\program\Microsoft Office\Office\OSA9.EXE [1999-12-19 65588] . [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program\SUPERAntiSpyware\SASSEH.DLL" [2011-08-04 113024] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2009-09-03 13:21 548352 ----a-w- c:\program\SUPERAntiSpyware\SASWINLO.dll . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Spel\\NASCAR craftsman\\NR2003.exe"= "c:\\Program\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program\\backburner 2\\monitor.exe"= "c:\\Program\\backburner 2\\manager.exe"= "c:\\Program\\backburner 2\\server.exe"= "c:\\Program\\3dsmax7\\3dsmax.exe"= "c:\\Program\\BitComet\\BitComet.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Spel\\NASCAR Racing 2005 Season\\NR2003.exe"= "c:\\Program\\RSclient\\ServerRS_CLient\\ServerRS_Client.exe"= "c:\\Program\\GPLSecrets\\iGOR\\iGOR.exe"= "c:\\Program\\TVUPlayer\\TVUPlayer.exe"= "c:\\Program\\eMule\\emule.exe"= "c:\\Spel\\NASCAR Oldies\\NR2003.exe"= "c:\\Program\\Messenger\\msmsgs.exe"= "c:\\WINDOWS\\system32\\dpvsetup.exe"= "c:\\Program\\Autodesk\\backburner\\monitor.exe"= "c:\\Program\\Autodesk\\backburner\\manager.exe"= "c:\\Program\\Autodesk\\backburner\\server.exe"= "c:\\Program\\Google\\Google Earth\\client\\googleearth.exe"= "c:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program\\Winamp\\winamp.exe"= "c:\\Program\\Google\\Google Earth\\plugin\\geplugin.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "13876:TCP"= 13876:TCP:BitComet 13876 TCP "13876:UDP"= 13876:UDP:BitComet 13876 UDP . R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/24/2009 12:56 AM 64512] R1 SASDIFSV;SASDIFSV;c:\program\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 11:25 AM 12880] R1 SASKUTIL;SASKUTIL;c:\program\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 67664] R2 !SASCORE;SAS Core Service;c:\program\SUPERAntiSpyware\SASCORE.EXE [10/10/2011 5:44 PM 116608] R2 iRacingService;iRacing.com Helper Service;c:\spel\iRacing\iRacingService.exe [2/4/2008 11:19 PM 475808] S0 exkxka;exkxka; [x] S0 jerm;jerm;c:\windows\system32\drivers\bcxiiqvc.sys --> c:\windows\system32\drivers\bcxiiqvc.sys [?] S0 pgqy;pgqy;c:\windows\system32\drivers\xfakgela.sys --> c:\windows\system32\drivers\xfakgela.sys [?] S0 wlyry;wlyry;c:\windows\system32\drivers\yhtmgjrt.sys --> c:\windows\system32\drivers\yhtmgjrt.sys [?] S1 MpKsl232ac154;MpKsl232ac154;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F3585FD7-AC55-4BC6-95F0-BC1EA0C0FF72}\MpKsl232ac154.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F3585FD7-AC55-4BC6-95F0-BC1EA0C0FF72}\MpKsl232ac154.sys [?] S1 zbnegcaahptd5;zbnegcaahptd5;c:\windows\system32\drivers\zbnegcaahptd5.sys --> c:\windows\system32\drivers\zbnegcaahptd5.sys [?] S2 gupdate1c9c666ba4935f6;Google Update Service (gupdate1c9c666ba4935f6);c:\program\Google\Update\GoogleUpdate.exe [4/26/2009 2:01 PM 133104] S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program\Lavasoft\Ad-Aware\AAWService.exe [4/1/2011 9:22 AM 2152152] S3 AmdTools;AMD Special Tools Driver;c:\windows\system32\DRIVERS\AmdTools.sys --> c:\windows\system32\DRIVERS\AmdTools.sys [?] S3 gupdatem;Tjänsten Google Update (gupdatem);c:\program\Google\Update\GoogleUpdate.exe [4/26/2009 2:01 PM 133104] S3 hercspud;Hercules ® WDM Audio Driver;c:\windows\system32\drivers\hercspud.sys [7/23/2008 2:18 PM 153216] S3 hercwdm;Hercules ® WDM Interface Driver;c:\windows\system32\drivers\hercwdm.sys [7/23/2008 2:18 PM 497152] S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program\Lavasoft\Ad-Aware\kernexplorer.sys [4/1/2011 9:22 AM 15232] S3 SASENUM;SASENUM;c:\program\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872] S3 SysProtDrv.sys;SysProtDrv.sys;\??\c:\documents and settings\Karl Sundberg\Skrivbord\SysProt\SysProtDrv.sys --> c:\documents and settings\Karl Sundberg\Skrivbord\SysProt\SysProtDrv.sys [?] S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/12/2006 2:46 PM 691696] . Innehåll i mappen 'Schemalagda aktiviteter': . 2011-10-12 c:\windows\Tasks\Google Software Updater.job - c:\program\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-25 19:02] . 2011-10-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program\Google\Update\GoogleUpdate.exe [2009-04-26 12:01] . 2011-10-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program\Google\Update\GoogleUpdate.exe [2009-04-26 12:01] . 2011-10-09 c:\windows\Tasks\MP Scheduled Scan.job - c:\program\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 13:39] . 2011-10-12 c:\windows\Tasks\User_Feed_Synchronization-{DAA89DED-0C43-44C5-8010-9A9987BDBDAD}.job - c:\windows\system32\msfeedssync.exe [2006-10-17 02:31] . . ------- Extra genomsökning ------- . uStart Page = hxxp://www.altavista.com/ uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com IE: AltaVista Search - file://c:\program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextSearch.htm IE: Google Sidewiki... - c:\program\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html IE: Translate - file://c:\program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextTranslation.htm TCP: DhcpNameServer = 195.58.103.124 213.150.135.210 . - - - - FÖRÄLDRALÖSA POSTER SOM TAGITS BORT - - - - . HKCU-Run-TomTomHOME.exe - c:\program\TomTom HOME 2\TomTomHOMERunner.exe AddRemove-LMS - c:\c_dilla\setup\cdunin16.exe . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-10-12 22:45 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet004\Services\.cdrom] "ImagePath"="\*" . --------------------- LÅSTA REGISTERNYCKLAR --------------------- . [HKEY_USERS\S-1-5-21-1844237615-725345543-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2EB06BD8-2159-F682-4E02-4394A10089BA}*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) "hablgopbffeaiiko"=hex:67,61,69,67,6f,6f,65,68,67,6e,6b,70,68,63,00,00 "iafjkjiikmdpnepbbm"=hex:62,61,6f,66,00,fa . --------------------- DLL'er som "laddats" under processer som körs --------------------- . - - - - - - - > 'winlogon.exe'(904) c:\program\SUPERAntiSpyware\SASWINLO.DLL c:\windows\system32\Ati2evxx.dll . - - - - - - - > 'explorer.exe'(2820) c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Andra processer som körs ------------------------ . c:\windows\system32\Ati2evxx.exe c:\windows\system32\Ati2evxx.exe c:\program\Delade filer\ArcSoft\Connection Service\Bin\ACService.exe c:\program\Delade filer\Autodesk Shared\Service\AdskScSrv.exe c:\windows\system32\DRIVERS\CDANTSRV.EXE c:\program\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe c:\windows\system32\wscntfy.exe . ************************************************************************** . Sluttid: 2011-10-12 22:51:37 - datorn startades om. ComboFix-quarantined-files.txt 2011-10-12 20:51 . Före genomsökningen: 138,460,282,880 byte ledigt Efter genomsökningen: 139,083,874,304 byte ledigt . WindowsXP-KB310994-SP2-Pro-BootDisk-SVE.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer . Current=4 Default=4 Failed=1 LastKnownGood=3 Sets=1,2,3,4 - - End Of File - - AF443456EAFAC7DE06886B0E5E6C34F5 DDS . DDS (Ver_2011-08-26.01) - NTFSx86 Internet Explorer: 8.0.6001.18702 Run by Karl Sundberg at 22:59:13 on 2011-10-12 Microsoft Windows XP Professional 5.1.2600.3.1252.46.1053.18.2046.1523 [GMT 2:00] . AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33} AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095} AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF} . ============== Running Processes =============== . C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program\SUPERAntiSpyware\SASCORE.EXE C:\Program\Delade filer\ArcSoft\Connection Service\Bin\ACService.exe C:\Program\Delade filer\Autodesk Shared\Service\AdskScSrv.exe C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE C:\spel\iRacing\iRacingService.exe C:\Program\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program\Delade filer\ArcSoft\Connection Service\Bin\ACDaemon.exe C:\Program\Microsoft Security Client\msseces.exe C:\Program\Windows Live\Messenger\msnmsgr.exe C:\Program\Yahoo!\MESSEN~1\YahooMessenger.exe C:\WINDOWS\explorer.exe . ============== Pseudo HJT Report =============== . uStart Page = hxxp://www.altavista.com/ uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program\delade filer\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program\bitcomet\tools\BitCometBHO_1.1.3.19.dll BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program\avg\avg9\avgssie.dll BHO: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - No File BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program\spybot - search & destroy\SDHelper.dll BHO: Windows Live inloggningshjälpen: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program\delade filer\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program\google\googletoolbarnotifier\5.5.5126.1836\swg.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program\java\jre6\bin\jp2ssv.dll TB: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - No File TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - uRun: [sUPERAntiSpyware] c:\program\superantispyware\SUPERAntiSpyware.exe uRun: [msnmsgr] "c:\program\windows live\messenger\msnmsgr.exe" /background uRun: [Messenger (Yahoo!)] "c:\program\yahoo!\messen~1\YahooMessenger.exe" -quiet mRun: [sunJavaUpdateSched] "c:\program\delade filer\java\java update\jusched.exe" mRun: [ArcSoft Connection Service] c:\program\delade filer\arcsoft\connection service\bin\ACDaemon.exe mRun: [MSC] "c:\program\microsoft security client\msseces.exe" -hide -runkey mRun: [Adobe ARM] "c:\program\delade filer\adobe\arm\1.0\AdobeARM.exe" dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\micros~1.lnk - c:\program\microsoft office\office\OSA9.EXE IE: AltaVista Search - file://c:\program\dynamic toolbar\altavista\cache\SelectedContextSearch.htm IE: Google Sidewiki... - c:\program\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html IE: Translate - file://c:\program\dynamic toolbar\altavista\cache\SelectedContextTranslation.htm IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program\yahoo!\messenger\YahooMessenger.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program\messenger\msmsgs.exe IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program\spybot - search & destroy\SDHelper.dll DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program\yahoo!\common\yinsthelper.dll DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab TCP: DhcpNameServer = 195.58.103.124 213.150.135.210 TCP: Interfaces\{AF6B546A-A4CD-4DFF-A803-1225C9731A10} : DhcpNameServer = 195.58.103.124 213.150.135.210 Notify: !SASWinLogon - c:\program\superantispyware\SASWINLO.DLL Notify: AtiExtEvent - Ati2evxx.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program\superantispyware\SASSEH.DLL . ============= SERVICES / DRIVERS =============== . R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-24 64512] R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165648] R1 SASDIFSV;SASDIFSV;c:\program\superantispyware\SASDIFSV.SYS [2010-2-17 12880] R1 SASKUTIL;SASKUTIL;c:\program\superantispyware\SASKUTIL.SYS [2010-2-17 67664] R2 !SASCORE;SAS Core Service;c:\program\superantispyware\SASCORE.EXE [2011-10-10 116608] R2 iRacingService;iRacing.com Helper Service;c:\spel\iracing\iRacingService.exe [2008-2-4 475808] S0 exkxka;exkxka; [x] S0 jerm;jerm;c:\windows\system32\drivers\bcxiiqvc.sys --> c:\windows\system32\drivers\bcxiiqvc.sys [?] S0 pgqy;pgqy;c:\windows\system32\drivers\xfakgela.sys --> c:\windows\system32\drivers\xfakgela.sys [?] S0 wlyry;wlyry;c:\windows\system32\drivers\yhtmgjrt.sys --> c:\windows\system32\drivers\yhtmgjrt.sys [?] S1 MpKsl232ac154;MpKsl232ac154;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f3585fd7-ac55-4bc6-95f0-bc1ea0c0ff72}\mpksl232ac154.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f3585fd7-ac55-4bc6-95f0-bc1ea0c0ff72}\MpKsl232ac154.sys [?] S1 zbnegcaahptd5;zbnegcaahptd5;c:\windows\system32\drivers\zbnegcaahptd5.sys --> c:\windows\system32\drivers\zbnegcaahptd5.sys [?] S2 gupdate1c9c666ba4935f6;Google Update Service (gupdate1c9c666ba4935f6);c:\program\google\update\GoogleUpdate.exe [2009-4-26 133104] S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program\lavasoft\ad-aware\AAWService.exe [2011-4-1 2152152] S3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\amdtools.sys --> c:\windows\system32\drivers\AmdTools.sys [?] S3 gupdatem;Tjänsten Google Update (gupdatem);c:\program\google\update\GoogleUpdate.exe [2009-4-26 133104] S3 hercspud;Hercules ® WDM Audio Driver;c:\windows\system32\drivers\hercspud.sys [2008-7-23 153216] S3 hercwdm;Hercules ® WDM Interface Driver;c:\windows\system32\drivers\hercwdm.sys [2008-7-23 497152] S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program\lavasoft\ad-aware\kernexplorer.sys [2011-4-1 15232] S3 SASENUM;SASENUM;c:\program\superantispyware\SASENUM.SYS [2010-2-17 12872] S3 SysProtDrv.sys;SysProtDrv.sys;\??\c:\documents and settings\karl sundberg\skrivbord\sysprot\sysprotdrv.sys --> c:\documents and settings\karl sundberg\skrivbord\sysprot\SysProtDrv.sys [?] . =============== Created Last 30 ================ . 2011-10-12 20:41:54 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys 2011-10-12 20:41:54 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys 2011-10-12 20:17:42 -------- d-sha-r- C:\cmdcons 2011-10-12 20:15:20 98816 ----a-w- c:\windows\sed.exe 2011-10-12 20:15:20 518144 ----a-w- c:\windows\SWREG.exe 2011-10-12 20:15:20 256000 ----a-w- c:\windows\PEV.exe 2011-10-12 20:15:20 208896 ----a-w- c:\windows\MBR.exe 2011-10-10 02:32:32 -------- d-----w- c:\documents and settings\karl sundberg\lokala inställningar\application data\PCHealth 2011-10-09 14:09:05 -------- d-----w- c:\program\ESET 2011-10-09 12:40:06 -------- d-sh--w- c:\documents and settings\karl sundberg\lokala inställningar\application data\99879ed2 2011-10-09 07:11:59 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b91c9470-47c3-422d-bf46-ccb4b814c9b4}\offreg.dll 2011-10-09 07:11:52 7269712 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b91c9470-47c3-422d-bf46-ccb4b814c9b4}\mpengine.dll 2011-10-08 15:52:46 -------- d-----w- C:\lvb 2011-09-24 12:36:56 -------- d-----w- C:\jrflag 2011-09-19 18:13:25 -------- d-----w- c:\documents and settings\karl sundberg\application data\TradingPaints Downloader 2011-09-19 18:10:05 -------- d-----w- c:\program\TradingPaints Downloader 2011-09-17 08:30:30 -------- d-----w- C:\Waterford_Speedbowl_Tower . ==================== Find3M ==================== . 2011-10-01 22:06:27 2560 ----a-w- c:\windows\system32\BitCometRes.dll 2011-09-26 09:41:40 612352 ----a-w- c:\windows\system32\uiautomationcore.dll 2011-09-26 09:41:40 20480 ----a-w- c:\windows\system32\oleaccrc.dll 2011-09-26 09:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll 2011-09-26 06:39:34 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-09-09 09:12:07 602112 ----a-w- c:\windows\system32\crypt32.dll 2011-09-08 20:03:09 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys 2011-09-06 14:09:57 1858944 ----a-w- c:\windows\system32\win32k.sys 2011-08-31 15:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-08-22 23:40:15 916480 ----a-w- c:\windows\system32\wininet.dll 2011-08-22 23:40:14 43520 ------w- c:\windows\system32\licmgr10.dll 2011-08-22 23:40:14 1469440 ------w- c:\windows\system32\inetcpl.cpl 2011-08-22 11:58:29 385024 ------w- c:\windows\system32\html.iec 2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys 2011-07-15 18:59:44 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys 2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys . ============= FINISH: 22:59:22.56 =============== Based on the popups from combofix it didn't like the virus much
-
Yesterday I got some kind of virus and it doesn't seem to want to go away easily. It's killed MSE, lavasoft ad-aware and superantispyware's normal .exe but malwarebytes and spybot S/D are still working. I've also managed to download and install Kaspersky virus removal tool as well as run ESET. I tried installing avira but that didn't work. When I was finished running GMER I had to do a hard reboot and following that my computer started in normal mode Anyway, logs MBAM DDS In a hurry to go to work so obviously I forgot the attachments ARK.zip
-
Thanks, running GMER now but it takes some time. Nice cat btw, I recently got 2 cats but after having them for 1 month the female had 4 kittens. That's something the ad didn't mention
-
Today I got some kind of virus and it doesn't seem to want to go away easily. It's killed MSE, lavasoft ad-aware and superantispyware's normal .exe but malwarebytes and spybot S/D are still working. I've also managed to download and install Kaspersky virus removal tool as well as run ESET. I tried installing avira but that didn't work. I can only run the computer in safe mode, it just reboots during startup if I try normal mode Thanks for any help
-
Old system restore points are gone and here's the log from MBAM. It's quickscan, should I do the full scan? I haven't seen any symptoms since MSE found the one in system restore above. Malwarebytes' Anti-Malware 1.45 www.malwarebytes.org Databasversion: 4038 Windows 5.1.2600 Service Pack 3 Internet Explorer 7.0.5730.11 4/26/2010 5:39:24 PM mbam-log-2010-04-26 (17-39-24).txt Skanningstyp: Snabbskanning Antal skannade objekt: 112157 F
-
Thanks, a bit late now but I'll get on this first thing after work tomorrow
-
Can't find the edit button (if there is one) Latest finding of it was in C:\System Volume Information\_restore{797F656F-8661-4789-8F2A-D9D17A7CF991}\RP1167\A0199117.sys and the action MSE took was Disinfect