Jump to content

Virus Hjälp! Trojan horse Generic18.BYZH


Recommended Posts

Hejsan!

Idag när jag spelade spel så tabbades jag ner till skrivbordet tackvare AVG 9.0 Free som hittat en trojan (Trojan horse Generic18.BYZH) på min hårddisk.

Jag tog bort filen med hjälp utav AVG och trodde allt var frid och fröjd. Tills 2 timmar senare, då samma meddelande dyker upp igen.. Så jag googlade Trojan horse Generic18.BYZH och hittade hit tack vare en annan person som haft samma problem. Länk

Jag har precis gjort första steget.

Hej! Låt bli systemåterställningen för det löser inte ditt problem!

Följ dessa instruktioner och posta loggarna så får vi se hur det ser ut: http://www.saswsupport.se/?page_id=241

Mvh MrO

Efter att jag gjort den scanningen så sparades denna log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Databasversion: 4621

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

2010-09-15 20:33:49

mbam-log-2010-09-15 (20-33-49).txt

Skanningstyp: Snabbskanning

Antal skannade objekt: 135141

Förfluten tid: 4 minut(er), 53 sekund(er)

Infekterade minnesprocesser: 0

Infekterade minnesmoduler: 0

Infekterade registernycklar: 0

Infekterade registervärden: 0

Infekterade registerdataposter: 0

Infekterade mappar: 0

Infekterade filer: 1

Infekterade minnesprocesser:

(Inga illasinnade poster hittades)

Infekterade minnesmoduler:

(Inga illasinnade poster hittades)

Infekterade registernycklar:

(Inga illasinnade poster hittades)

Infekterade registervärden:

(Inga illasinnade poster hittades)

Infekterade registerdataposter:

(Inga illasinnade poster hittades)

Infekterade mappar:

(Inga illasinnade poster hittades)

Infekterade filer:

C:\Users\Samsung\AppData\Local\Temp\test.exe (Trojan.Zlob) -> Quarantined and deleted successfully.

Nu står jag vid steg två i Denna guide och vet inte var jag laddar ner Hijack This.

Jag är evigt tacksam för all hjälp jag kan få!

MVH

Niki

Link to comment
Share on other sites

Det är inte alls säkert att infektionen yttrar sig på samma sätt längre för skadliga program kommer ständigt i nya versioner och därför behöver det inte gå bra att följa en gammal instruktion.

Jag skulle vilja veta i vilka filer och mappar som AVG har hittat de trojanska hästarna, det borde finnas en logg eller karantän i AVG där det framgår.

I stället för HijackThis föredrar jag DDS eftersom det visar mer. Spara DDS på Skrivbordet.

http://download.bleepingcomputer.com/sUBs/dds.scr

Starta programmet genom att dubbelklicka på det.

Tryck Yes/Ja om frågan om Optional Scan dyker upp.

I ditt svar klistrar du in loggen DSS.txt. Medan du bifogar Attach.txt som en fil.

Link to comment
Share on other sites

Det är inte alls säkert att infektionen yttrar sig på samma sätt längre för skadliga program kommer ständigt i nya versioner och därför behöver det inte gå bra att följa en gammal instruktion.

Jag skulle vilja veta i vilka filer och mappar som AVG har hittat de trojanska hästarna, det borde finnas en logg eller karantän i AVG där det framgår.

I stället för HijackThis föredrar jag DDS eftersom det visar mer. Spara DDS på Skrivbordet.

http://download.bleepingcomputer.com/sUBs/dds.scr

Starta programmet genom att dubbelklicka på det.

Tryck Yes/Ja om frågan om Optional Scan dyker upp.

I ditt svar klistrar du in loggen DSS.txt. Medan du bifogar Attach.txt som en fil.

Först och främst tack för visat intresse! :)

Filen är bifogad och här kommer DDS logen.

DDS (Ver_10-03-17.01) - NTFSx86

Run by Samsung at 22:36:55,18 on 2010-09-15

Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_21

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.46.1053.18.3566.2335 [GMT 2:00]

============== Running Processes ===============

C:\windows\system32\wininit.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\windows\system32\lsm.exe

C:\windows\system32\svchost.exe -k DcomLaunch

C:\windows\system32\nvvsvc.exe

C:\windows\system32\svchost.exe -k RPCSS

C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\windows\system32\svchost.exe -k netsvcs

C:\windows\system32\svchost.exe -k LocalService

C:\Program Files\Sandboxie\SbieSvc.exe

C:\windows\system32\svchost.exe -k NetworkService

C:\windows\system32\nvvsvc.exe

C:\windows\System32\spoolsv.exe

C:\windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe

C:\windows\SYSTEM32\Rezip.exe

C:\windows\system32\Dwm.exe

C:\windows\system32\taskhost.exe

C:\windows\Explorer.EXE

C:\Program Files\CyberLink\Shared files\RichVideo.exe

C:\windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\AVG\AVG9\avgemc.exe

C:\windows\system32\taskeng.exe

C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe

C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe

C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe

C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\windows\system32\SearchIndexer.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\windows\System32\alg.exe

C:\windows\system32\svchost.exe -k bthsvcs

C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe

C:\Program Files\AVG\AVG9\avgtray.exe

C:\Program Files\Razer\DeathAdder\razerhid.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\Razer\DeathAdder\razertra.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Sandboxie\SbieCtrl.exe

C:\Users\Samsung\AppData\Roaming\Microsoft\Windows\Templates\taskeng.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Razer\DeathAdder\razerofa.exe

C:\Users\Samsung\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Samsung\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Samsung\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Samsung\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Samsung\AppData\Local\Google\Chrome\Application\chrome.exe

C:\windows\system32\svchost.exe -k netsvcs

C:\Program Files\Mumble\mumble.exe

C:\Program Files\Spotify\spotify.exe

C:\Steam\Steam.exe

C:\Program Files\Common Files\Steam\SteamService.exe

C:\windows\system32\SearchProtocolHost.exe

C:\windows\system32\SearchFilterHost.exe

C:\windows\system32\DllHost.exe

C:\windows\system32\DllHost.exe

C:\Users\Samsung\Desktop\dds.scr

C:\windows\system32\conhost.exe

C:\windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn

uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Inloggningshjälp för Windows Live ID: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"

uRun: [sandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"

uRun: [Google Update] "c:\users\samsung\appdata\local\google\update\GoogleUpdate.exe" /c

uRun: [ATI] c:\users\samsung\appdata\roaming\microsoft\windows\templates\taskeng.exe

uRun: [ControlPanel] c:\users\samsung\appdata\roaming\microsoft\taskeng.exe

mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s

mRun: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

mRun: [updateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"

mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"

mRun: [updateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"

mRun: [updatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"

mRun: [RemoteControl8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"

mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"

mRun: [updatePPShortCut] "c:\program files\cyberlink\powerproducer\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerproducer" updatewithcreateonce "software\cyberlink\powerproducer\5.0"

mRun: [updatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"

mRun: [uCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [DeathAdder] c:\program files\razer\deathadder\razerhid.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE

mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"

mRun: [switchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe

mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: E&xportera till Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: Skicka bild till &Bluetooth-enhet... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: Skicka sida till &Bluetooth-enhet... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\samsung\appdata\roaming\mozilla\firefox\profiles\xz66l5jx.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.se/

FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll

FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft\office live\npOLW.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - plugin: c:\users\samsung\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.visited_color", "#551A8B");

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.videoFeeds.handler", "ask");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-8-1 216400]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-8-1 29584]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-8-1 243024]

R1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\drivers\SABI.sys [2010-1-5 10752]

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-8-1 921952]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-8-1 308136]

R2 Rezip;Rezip;c:\windows\system32\Rezip.exe [2010-1-5 311296]

R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-1-6 43944]

R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-3-10 29472]

R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2010-8-1 9728]

R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-1-6 125696]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2010-8-1 105576]

R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-7-4 119016]

R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2010-7-1 34896]

R3 vHidDev;Razer Gaming Device;c:\windows\system32\drivers\vHidDev.sys [2010-8-1 5760]

R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]

S2 gupdate;Tjänsten Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-1 135664]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-8-17 430152]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]

S3 CYUSB;Cypress Generic USB Driver;c:\windows\system32\drivers\CYUSB.sys [2010-8-1 39936]

S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-3-10 54632]

S3 fsssvc;Tjänsten Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]

S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2010-4-19 18432]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]

S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]

S3 WatAdminSvc;Aktiveringsteknologier för Windows-tjänst;c:\windows\system32\wat\WatAdminSvc.exe [2010-8-1 1343400]

=============== Created Last 30 ================

2010-09-15 18:27:46 0 d-----w- c:\users\samsung\appdata\roaming\Malwarebytes

2010-09-15 18:27:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-15 18:27:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-15 18:27:33 0 d-----w- c:\programdata\Malwarebytes

2010-09-15 18:27:33 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-15 01:00:44 0 d-----w- C:\05001902cdbcc91ca822668e3774

2010-09-14 22:28:31 316928 ----a-w- c:\windows\system32\spoolsv.exe

2010-09-13 18:40:42 0 d-----w- c:\users\samsung\appdata\roaming\StealthBot

2010-09-13 18:40:12 0 d-----w- C:\Stealthbot

2010-09-12 08:01:13 49917 ----a-w- c:\users\samsung\.ems.cfg

2010-09-12 08:00:18 299520 ----a-w- c:\windows\uninst.exe

2010-09-12 07:57:44 0 d-----w- c:\program files\Your Freedom

2010-09-05 14:27:15 0 d-----w- c:\program files\iPod

2010-09-05 14:27:14 0 d-----w- c:\program files\iTunes

2010-08-30 21:01:36 0 d-----w- c:\programdata\Boss Media

2010-08-30 21:01:33 0 d-----w- C:\Svenska Spels Poker

2010-08-26 10:22:21 0 d-----w- c:\programdata\Office Genuine Advantage

2010-08-25 20:38:22 0 d-----w- c:\users\samsung\appdata\roaming\AVG9

2010-08-24 21:12:50 571904 ----a-w- c:\windows\system32\oleaut32.dll

2010-08-24 08:13:58 0 d-----w- C:\Ventrilo 3.0.5

2010-08-24 08:13:56 254 ----a-w- c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini

2010-08-24 08:13:22 0 d-----w- c:\program files\common files\Wise Installation Wizard

2010-08-23 06:41:00 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys

2010-08-23 06:41:00 1286456 ----a-w- c:\windows\system32\ntdll.dll

2010-08-20 10:36:05 0 d-----w- c:\program files\Screaming Bee LLC

2010-08-20 10:30:06 0 d-----w- C:\MorphVOX Pro

2010-08-20 10:27:36 0 d-----w- c:\program files\Screaming Bee

2010-08-20 07:38:53 0 d-----w- c:\users\samsung\appdata\roaming\Screaming Bee

2010-08-20 07:38:37 0 d-----w- c:\programdata\Screaming Bee

2010-08-19 15:17:28 0 d-----w- c:\program files\SpotifyRemotelessHelper

2010-08-17 15:39:04 574976 ----a-w- c:\windows\system32\Western_Railway_NV_3D_Screensaver.scr

2010-08-17 15:39:04 0 d-----w- c:\program files\Western Railway NV 3D Screensaver

2010-08-17 13:46:33 0 d-----w- c:\programdata\AVG Security Toolbar

==================== Find3M ====================

2010-09-03 19:42:48 617470 ----a-w- c:\windows\system32\perfh01D.dat

2010-09-03 19:42:48 120802 ----a-w- c:\windows\system32\perfc01D.dat

2010-08-14 18:52:44 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_netaapl_01009.Wdf

2010-08-14 18:49:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_netaapl_01005.Wdf

2010-08-07 20:23:37 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf

2010-08-02 19:09:25 170 ----a-w- c:\programdata\nvUnsupRes.dat

2010-08-02 16:12:22 28457 ----a-w- c:\windows\DIIUnin.dat

2010-08-01 17:38:04 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-08-01 16:48:33 21840 ----a-w- c:\windows\system32\SIntfNT.dll

2010-08-01 16:48:33 17212 ----a-w- c:\windows\system32\SIntf32.dll

2010-08-01 16:48:33 12067 ----a-w- c:\windows\system32\SIntf16.dll

2010-08-01 16:31:01 94208 ----a-w- c:\windows\DIIUnin.exe

2010-08-01 16:31:01 2829 ----a-w- c:\windows\DIIUnin.pif

2010-08-01 14:40:04 12536 ----a-w- c:\windows\system32\avgrsstx.dll

2010-08-01 14:39:59 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-08-01 14:39:33 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-07-29 06:30:49 197632 ----a-w- c:\windows\system32\ir32_32.dll

2010-07-29 06:30:34 82944 ----a-w- c:\windows\system32\iccvid.dll

2010-07-09 14:20:08 110696 ----a-w- c:\windows\system32\nvmctray.dll

2010-07-09 14:20:06 1881704 ----a-w- c:\windows\system32\nvsvcr.dll

2010-07-09 14:20:06 1469544 ----a-w- c:\windows\system32\nvsvc.dll

2010-07-09 14:20:06 13939816 ----a-w- c:\windows\system32\nvcpl.dll

2010-07-09 14:20:06 129640 ----a-w- c:\windows\system32\nvvsvc.exe

2010-07-07 12:03:14 604776 ----a-w- c:\windows\system32\NVUNINST.EXE

2010-06-30 06:25:31 978432 ----a-w- c:\windows\system32\wininet.dll

2010-06-21 22:07:47 26216 ----a-w- c:\windows\system32\nvhdap32.dll

2010-06-21 22:07:45 600680 ----a-w- c:\windows\system32\nvuhda.exe

2010-06-21 22:07:43 232040 ----a-w- c:\windows\system32\nvcohda.dll

2010-06-19 06:33:29 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-06-19 06:33:29 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-06-19 06:23:50 37376 ----a-w- c:\windows\system32\rtutils.dll

2010-06-19 04:07:18 2326016 ----a-w- c:\windows\system32\win32k.sys

2010-01-06 04:19:35 37052 ----a-w- c:\windows\inf\perflib\041d\perfd.dat

2010-01-06 04:19:35 37052 ----a-w- c:\windows\inf\perflib\041d\perfc.dat

2010-01-06 04:19:35 294764 ----a-w- c:\windows\inf\perflib\041d\perfi.dat

2010-01-06 04:19:35 294764 ----a-w- c:\windows\inf\perflib\041d\perfh.dat

2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini

2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat

2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat

2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat

2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat

2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 22:37:50,55 ===============

Attach.txt

Link to comment
Share on other sites

I fortsättningen använd inte citat-knappen utan klistra in loggar direkt i svaret utan någon knapp.

Hittade du någon information i AVG om vilka filer det hade hittat?

Vad finns i mappen C:\05001902cdbcc91ca822668e3774 ?

Och i mappen C:\Stealthbot ?

På sidan http://www.virustotal.com trycker du på Bläddra-knappen och klistrar in ett av följande filnamn i rutan, tryck på Öppna och sedan Skicka Fil. Vänta tills resultatet är klart (Närvarande status blir genomförd). Klistra in en länk till resultatet här. Upprepa med nästa filnamn.

c:\windows\system32\Rezip.exe

c:\windows\system32\spoolsv.exe

Link to comment
Share on other sites

I fortsättningen använd inte citat-knappen utan klistra in loggar direkt i svaret utan någon knapp.

Hittade du någon information i AVG om vilka filer det hade hittat?

Vad finns i mappen C:\05001902cdbcc91ca822668e3774 ?

Och i mappen C:\Stealthbot ?

På sidan http://www.virustotal.com trycker du på Bläddra-knappen och klistrar in ett av följande filnamn i rutan, tryck på Öppna och sedan Skicka Fil. Vänta tills resultatet är klart (Närvarande status blir genomförd). Klistra in en länk till resultatet här. Upprepa med nästa filnamn.

c:\windows\system32\Rezip.exe

c:\windows\system32\spoolsv.exe

AVG hittade denna:

"C:\Users\Samsung\AppData\Local\Temp\412gg.exe";"Trojan horse Generic18.BYZH";"Moved to Virus Vault"

Rezip.exe gav detta:

File already submitted: The file sent has already been analysed by VirusTotal in the past. This is same basic info regarding the sample itself and its last analysis:

MD5: f85ae59a52885f4b09aadafb23001a3b

Date first seen: 2009-07-25 03:29:46 (UTC)

Date last seen: 2010-09-14 14:24:45 (UTC)

Detection ratio: 0/43

Spoolsv.exe gav detta:

File already submitted: The file sent has already been analysed by VirusTotal in the past. This is same basic info regarding the sample itself and its last analysis:

MD5: d1bb750eb51694de183e08b9c33be5b2

Date first seen: 2010-09-14 21:58:56 (UTC)

Date last seen: 2010-09-15 00:09:31 (UTC)

Detection ratio: 0/42

Stealthbot är en chat-client för spelet Diablo II. Inget märkvärdigt, då jag använt det i åratal.

Tack igen!

Link to comment
Share on other sites

Det såg ju bra ut. Då är det enda frågetecknet vad som finns i mappen C:\05001902cdbcc91ca822668e3774.

i C:\05001902cdbcc91ca822668e3774 finns en MRT.exe.

Jag tänkte jag skulle scanna den i total virus, men det kunde jag inte.. Står att jag ska kontakta filens ägare för mer information :S Jag har aldrig varit med om dess like.

€: Jag googlade och det verkar vara en legitim fil (MRT.exe).

Men du ser inget annat som kan tänkas vara något?

Edited by Niki
Link to comment
Share on other sites

Ja, det är ju Microsofts program för att ta bort vissa typer av skadliga filer och det kom med Windows-uppdateringarna som kom ut tisdag kväll.

Ett litet fel bara...!

MRT.exe skall ligga i C:\Windows\System32 som standard. Loggfilen för programmet finns på C:\Windows\debug\mrt.log.

Vet inte hur den har hamnat i nämnda underliga mapp, men föreslår att den zippas och flyttas till annan lämplig plats, varefter "den riktiga" MRT.exe undersöks lite mer ingående.

Edit:

Man kan t.ex köra MRT.exe för att kolla så att den fungerar som förväntat, genom att skriva mrt.exe i startmenyns sökfält och trycka Enter...

Edited by e-son
Link to comment
Share on other sites

Det är inte första gången som jag ser MRT i en sådan mapp. Jag vet inte, men det är kanske någon temporär mapp?

Dom enda liknande mappnamn jag kan minnas är dom tempmappar som ibland bev över efter servicepack-installationer, ominstallationer o.dyl men dom brukde då vara fulla av rester och inte tomma sånär som på den här enstaka filen.

Hur som helst är det inget som skall finnas där.

Link to comment
Share on other sites

Niki, kan du komma ihåg när på dygnet det var som AVG reagerade första gången?

Den konstiga mappen skapades under natten:

2010-09-15 01:00:44 0 d-----w- C:\05001902cdbcc91ca822668e3774

fast den tiden motsvarar troligen klockan 3 svensk sommartid.

En Windowsuppdatering verka ha gjorts 1,5 timme innan dess:

2010-09-14 22:28:31 316928 ----a-w- c:\windows\system32\spoolsv.exe

Link to comment
Share on other sites

Jag drog igång en fullständig scanning med det där malware programmet. Jag ska även kolla loggarna från avg så snart jag kommer hem.

Återkommer ikväll!

För övrct så verkar datorn fungera som den ska. Dock verkar mitt internet jäkla slött för o vara 25mbit. Men det kan ju vara driftstörningar eller nått annat.

Link to comment
Share on other sites

Kom precis hem och kikade på Malware scanningen.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Databasversion: 4621

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

2010-09-16 16:48:05

mbam-log-2010-09-16 (16-48-05).txt

Skanningstyp: Fullständig skanning (C:\|)

Antal skannade objekt: 256005

Förfluten tid: 46 minut(er), 38 sekund(er)

Infekterade minnesprocesser: 0

Infekterade minnesmoduler: 0

Infekterade registernycklar: 0

Infekterade registervärden: 0

Infekterade registerdataposter: 0

Infekterade mappar: 0

Infekterade filer: 2

Infekterade minnesprocesser:

(Inga illasinnade poster hittades)

Infekterade minnesmoduler:

(Inga illasinnade poster hittades)

Infekterade registernycklar:

(Inga illasinnade poster hittades)

Infekterade registervärden:

(Inga illasinnade poster hittades)

Infekterade registerdataposter:

(Inga illasinnade poster hittades)

Infekterade mappar:

(Inga illasinnade poster hittades)

Infekterade filer:

C:\Users\Samsung\Desktop\Niki\Installfiler\ventriloMIX05.exe (Trojan.Wreckit) -> Quarantined and deleted successfully.

C:\Windows\MSetup\BASW-01278A18\FailSafeFactoryInstaller_1017.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

-----------------------------------------------------

Nu fick ja samtidigt ett nytt meddelande av AVG.

33oi2xy.png

Vad ska jag ta mig till? :(

Ny DDS log samt Attatch:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Samsung at 16:52:40,67 on 2010-09-16

Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_21

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.46.1053.18.3566.2071 [GMT 2:00]

============== Running Processes ===============

C:\windows\system32\wininit.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\windows\system32\lsm.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\windows\system32\svchost.exe -k DcomLaunch

C:\windows\system32\nvvsvc.exe

C:\windows\system32\svchost.exe -k RPCSS

C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\windows\system32\svchost.exe -k netsvcs

C:\windows\system32\svchost.exe -k LocalService

C:\Program Files\Sandboxie\SbieSvc.exe

C:\windows\system32\svchost.exe -k NetworkService

C:\windows\system32\nvvsvc.exe

C:\windows\System32\spoolsv.exe

C:\windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe

C:\windows\SYSTEM32\Rezip.exe

C:\windows\system32\taskhost.exe

C:\Program Files\CyberLink\Shared files\RichVideo.exe

C:\windows\system32\svchost.exe -k imgsvc

C:\windows\system32\Dwm.exe

C:\windows\Explorer.EXE

C:\windows\system32\taskeng.exe

C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe

C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe

C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe

C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\AVG\AVG9\avgemc.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

C:\windows\system32\SearchIndexer.exe

C:\windows\System32\alg.exe

C:\windows\system32\svchost.exe -k bthsvcs

C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe

C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files\AVG\AVG9\avgtray.exe

C:\Program Files\Razer\DeathAdder\razerhid.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Razer\DeathAdder\razertra.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\Sandboxie\SbieCtrl.exe

C:\Users\Samsung\AppData\Roaming\Microsoft\Windows\Templates\taskeng.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Razer\DeathAdder\razerofa.exe

C:\windows\system32\svchost.exe -k netsvcs

C:\windows\system32\taskmgr.exe

C:\Program Files\AVG\AVG9\avgui.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\windows\system32\NOTEPAD.EXE

C:\Users\Samsung\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Samsung\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Samsung\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Samsung\AppData\Local\Google\Chrome\Application\chrome.exe

C:\windows\system32\mspaint.exe

C:\Users\Samsung\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Samsung\AppData\Local\Google\Chrome\Application\chrome.exe

C:\windows\explorer.exe

C:\windows\system32\DllHost.exe

C:\windows\system32\DllHost.exe

C:\Users\Samsung\Desktop\dds.scr

C:\windows\system32\conhost.exe

C:\windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn

uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Inloggningshjälp för Windows Live ID: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"

uRun: [sandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"

uRun: [Google Update] "c:\users\samsung\appdata\local\google\update\GoogleUpdate.exe" /c

uRun: [ATI] c:\users\samsung\appdata\roaming\microsoft\windows\templates\taskeng.exe

uRun: [ControlPanel] c:\users\samsung\appdata\roaming\microsoft\taskeng.exe

mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s

mRun: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

mRun: [updateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"

mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"

mRun: [updateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"

mRun: [updatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"

mRun: [RemoteControl8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"

mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"

mRun: [updatePPShortCut] "c:\program files\cyberlink\powerproducer\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerproducer" updatewithcreateonce "software\cyberlink\powerproducer\5.0"

mRun: [updatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"

mRun: [uCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [DeathAdder] c:\program files\razer\deathadder\razerhid.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE

mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"

mRun: [switchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe

mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: E&xportera till Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: Skicka bild till &Bluetooth-enhet... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: Skicka sida till &Bluetooth-enhet... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\samsung\appdata\roaming\mozilla\firefox\profiles\xz66l5jx.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.se/

FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll

FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft\office live\npOLW.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - plugin: c:\users\samsung\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.visited_color", "#551A8B");

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.videoFeeds.handler", "ask");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-8-1 216400]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-8-1 29584]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-8-1 243024]

R1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\drivers\SABI.sys [2010-1-5 10752]

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-8-1 921952]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-8-1 308136]

R2 Rezip;Rezip;c:\windows\system32\Rezip.exe [2010-1-5 311296]

R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2010-8-1 9728]

R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-1-6 125696]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-9-15 38224]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2010-8-1 105576]

R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-7-4 119016]

R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2010-7-1 34896]

R3 vHidDev;Razer Gaming Device;c:\windows\system32\drivers\vHidDev.sys [2010-8-1 5760]

R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]

S2 gupdate;Tjänsten Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-1 135664]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-8-17 430152]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]

S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-1-6 43944]

S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-3-10 29472]

S3 CYUSB;Cypress Generic USB Driver;c:\windows\system32\drivers\CYUSB.sys [2010-8-1 39936]

S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-3-10 54632]

S3 fsssvc;Tjänsten Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]

S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2010-4-19 18432]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]

S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]

S3 WatAdminSvc;Aktiveringsteknologier för Windows-tjänst;c:\windows\system32\wat\WatAdminSvc.exe [2010-8-1 1343400]

=============== Created Last 30 ================

2010-09-15 18:27:46 0 d-----w- c:\users\samsung\appdata\roaming\Malwarebytes

2010-09-15 18:27:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-15 18:27:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-15 18:27:33 0 d-----w- c:\programdata\Malwarebytes

2010-09-15 18:27:33 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-15 01:00:44 0 d-----w- C:\05001902cdbcc91ca822668e3774

2010-09-14 22:28:31 316928 ----a-w- c:\windows\system32\spoolsv.exe

2010-09-13 18:40:42 0 d-----w- c:\users\samsung\appdata\roaming\StealthBot

2010-09-13 18:40:12 0 d-----w- C:\Stealthbot

2010-09-12 08:01:13 49917 ----a-w- c:\users\samsung\.ems.cfg

2010-09-12 08:00:18 299520 ----a-w- c:\windows\uninst.exe

2010-09-12 07:57:44 0 d-----w- c:\program files\Your Freedom

2010-09-05 14:27:15 0 d-----w- c:\program files\iPod

2010-09-05 14:27:14 0 d-----w- c:\program files\iTunes

2010-08-30 21:01:36 0 d-----w- c:\programdata\Boss Media

2010-08-30 21:01:33 0 d-----w- C:\Svenska Spels Poker

2010-08-26 10:22:21 0 d-----w- c:\programdata\Office Genuine Advantage

2010-08-25 20:38:22 0 d-----w- c:\users\samsung\appdata\roaming\AVG9

2010-08-24 21:12:50 571904 ----a-w- c:\windows\system32\oleaut32.dll

2010-08-24 08:13:58 0 d-----w- C:\Ventrilo 3.0.5

2010-08-24 08:13:56 254 ----a-w- c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini

2010-08-24 08:13:22 0 d-----w- c:\program files\common files\Wise Installation Wizard

2010-08-23 06:41:00 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys

2010-08-23 06:41:00 1286456 ----a-w- c:\windows\system32\ntdll.dll

2010-08-20 10:36:05 0 d-----w- c:\program files\Screaming Bee LLC

2010-08-20 10:30:06 0 d-----w- C:\MorphVOX Pro

2010-08-20 10:27:36 0 d-----w- c:\program files\Screaming Bee

2010-08-20 07:38:53 0 d-----w- c:\users\samsung\appdata\roaming\Screaming Bee

2010-08-20 07:38:37 0 d-----w- c:\programdata\Screaming Bee

2010-08-19 15:17:28 0 d-----w- c:\program files\SpotifyRemotelessHelper

2010-08-17 15:39:04 574976 ----a-w- c:\windows\system32\Western_Railway_NV_3D_Screensaver.scr

2010-08-17 15:39:04 0 d-----w- c:\program files\Western Railway NV 3D Screensaver

==================== Find3M ====================

2010-09-16 04:40:46 261 ----a-w- c:\programdata\nvUnsupRes.dat

2010-09-03 19:42:48 617470 ----a-w- c:\windows\system32\perfh01D.dat

2010-09-03 19:42:48 120802 ----a-w- c:\windows\system32\perfc01D.dat

2010-08-14 18:52:44 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_netaapl_01009.Wdf

2010-08-14 18:49:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_netaapl_01005.Wdf

2010-08-07 20:23:37 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf

2010-08-02 16:12:22 28457 ----a-w- c:\windows\DIIUnin.dat

2010-08-01 17:38:04 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-08-01 16:48:33 21840 ----a-w- c:\windows\system32\SIntfNT.dll

2010-08-01 16:48:33 17212 ----a-w- c:\windows\system32\SIntf32.dll

2010-08-01 16:48:33 12067 ----a-w- c:\windows\system32\SIntf16.dll

2010-08-01 16:31:01 94208 ----a-w- c:\windows\DIIUnin.exe

2010-08-01 16:31:01 2829 ----a-w- c:\windows\DIIUnin.pif

2010-08-01 14:40:04 12536 ----a-w- c:\windows\system32\avgrsstx.dll

2010-08-01 14:39:59 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-08-01 14:39:33 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-07-29 06:30:49 197632 ----a-w- c:\windows\system32\ir32_32.dll

2010-07-29 06:30:34 82944 ----a-w- c:\windows\system32\iccvid.dll

2010-07-09 14:20:08 110696 ----a-w- c:\windows\system32\nvmctray.dll

2010-07-09 14:20:06 1881704 ----a-w- c:\windows\system32\nvsvcr.dll

2010-07-09 14:20:06 1469544 ----a-w- c:\windows\system32\nvsvc.dll

2010-07-09 14:20:06 13939816 ----a-w- c:\windows\system32\nvcpl.dll

2010-07-09 14:20:06 129640 ----a-w- c:\windows\system32\nvvsvc.exe

2010-07-07 12:03:14 604776 ----a-w- c:\windows\system32\NVUNINST.EXE

2010-06-30 06:25:31 978432 ----a-w- c:\windows\system32\wininet.dll

2010-06-21 22:07:47 26216 ----a-w- c:\windows\system32\nvhdap32.dll

2010-06-21 22:07:45 600680 ----a-w- c:\windows\system32\nvuhda.exe

2010-06-21 22:07:43 232040 ----a-w- c:\windows\system32\nvcohda.dll

2010-06-19 06:33:29 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-06-19 06:33:29 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-06-19 06:23:50 37376 ----a-w- c:\windows\system32\rtutils.dll

2010-06-19 04:07:18 2326016 ----a-w- c:\windows\system32\win32k.sys

2010-01-06 04:19:35 37052 ----a-w- c:\windows\inf\perflib\041d\perfd.dat

2010-01-06 04:19:35 37052 ----a-w- c:\windows\inf\perflib\041d\perfc.dat

2010-01-06 04:19:35 294764 ----a-w- c:\windows\inf\perflib\041d\perfi.dat

2010-01-06 04:19:35 294764 ----a-w- c:\windows\inf\perflib\041d\perfh.dat

2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini

2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat

2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat

2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat

2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat

2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 16:53:04,76 ===============

Attach.txt

Edited by Niki
Link to comment
Share on other sites

Vet du något om de två filerna MBAM hittade? Något du vet har funnits länge i datorn?

Ventrilo ser ju ut att ha installerats för 3-4 veckor sedan.

Har du sett till något falskt antivirusprogram eller liknande?

Har du fått oväntade frågor från Användarkontrollen (UAC)?

Kunde du komma ihåg när på dygnet det var som AVG reagerade första gången?

Vi söker djupare i datorn.

Spara ComboFix på Skrivbordet:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Stäng av alla program du ser inklusive antivirusprogram och antispionprogram men lämna brandväggen på.

Hur? Se http://www.bleepingcomputer.com/forums/topic114351.html

Kör ComboFix och följ anvisningarna som visas.

Om det kommer upp en fråga om du vill installera återställningskonsolen så svara ja.

VIKTIGT! Klicka inte på ComboFix-fönstret med musen när den körs annars kan den hänga upp sig.

När den är färdig så ska en logg komma upp, klistra in den i ditt svar. Kontrollera att antivirusprogram mm är igång innan du ansluter till internet.

Om du får problem med att komma ut på internet:

Kontrollpanelen - Nätverksanslutningar

högerklicka på din internetanslutning och välj Reparera och/eller starta om datorn.

Varning! ComboFix förhindrar automatisk körning av CD, disketter och USB-enheter för att göra det lättare att rensa datorn och skydda datorn mot infektioner i framtiden. Det kan bli problem t ex om datorn har internet via ett USB-modem eller USB-nätverkskort. Säg då till i stället för att köra ComboFix.

Edited by Cecilia
Link to comment
Share on other sites

Vet du något om de två filerna MBAM hittade? Något du vet har funnits länge i datorn?

Nej det gör jag inte, aldrig sett dem tidigare.

Har du sett till något falskt antivirusprogram eller liknande?

Nepp, avinsallerade Mcaffe eller vare heter precis efter att jag återställt datorn till tillståndet den var i när jag köpte den. (backup)

Och efter det insallerade jag AVG.

Har du fått oväntade frågor från Användarkontrollen (UAC)?

Nej, inte vad jag märkt. Men min kära flickvän har börjat tanka hem serier.. Så jag har stora antagningar om att det kan vara där jag fått det ifrån.

När jag frågade henne om vad hon laddat ner så sa hon något i stil med att det var en RAR-fil med lösenord eller nått..

Kunde du komma ihåg när på dygnet det var som AVG reagerade första gången?

Första gången måste ha varit i Tisdag runt 17-18 snåret. Då har jag precis kommit hem från jobbet. Men när jag tittar i loggarna på AVG så står detta datum och klockslag.

2010-9-15, 20:00 (Detta är efter att jag lagt upp en tråd på detta forum)

2010-9-16, 16:52 (Idag när jag kom hem)

Återkommer när jag kört Combofix.

Link to comment
Share on other sites

ComboFix:

ComboFix 10-09-15.02 - Samsung 2010-09-16 17:51:26.1.4 - x86

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.46.1053.18.3566.2595 [GMT 2:00]

Körs från: c:\users\Samsung\Desktop\ComboFix.exe

* Skapade en ny återställningspunkt

.

((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\programdata\FullRemove.exe

c:\users\Samsung\AppData\Roaming\Microsoft\taskeng.exe

c:\users\Samsung\AppData\Roaming\Microsoft\Windows\Templates\taskeng.exe

c:\windows\SEC

c:\windows\SEC\172100logo.bmp

c:\windows\SEC\banner.png

c:\windows\SEC\Computer.png

c:\windows\SEC\Media _S_ Logo.png

c:\windows\SEC\Samsung.png

c:\windows\SEC\Samsung2.png

c:\windows\SEC\SamsungLogo.png

c:\windows\SEC\Thumbs.db

c:\windows\SEC\Wallpapers\Thumbs.db

c:\windows\SEC\Wallpapers\wallpaper.jpg

c:\windows\SEC\Wallpapers\wallpaper1.jpg

c:\windows\SEC\Wallpapers\Wallpaper2.jpg

c:\windows\system32\tmp.reg

c:\windows\system32\vbzlib1.dll

.

(((((((((((((((((((((((( Filer Skapade från 2010-08-16 till 2010-09-16 ))))))))))))))))))))))))))))))

.

2010-09-15 18:27 . 2010-09-15 18:27 -------- d-----w- c:\users\Samsung\AppData\Roaming\Malwarebytes

2010-09-15 18:27 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-15 18:27 . 2010-09-15 18:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-15 18:27 . 2010-09-15 18:27 -------- d-----w- c:\programdata\Malwarebytes

2010-09-15 18:27 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-15 01:00 . 2010-09-15 01:02 -------- d-----w- C:\05001902cdbcc91ca822668e3774

2010-09-14 22:28 . 2010-08-21 05:32 316928 ----a-w- c:\windows\system32\spoolsv.exe

2010-09-13 18:40 . 2010-09-13 18:40 -------- d-----w- c:\users\Samsung\AppData\Roaming\StealthBot

2010-09-13 18:40 . 2010-09-13 18:40 7358 ----a-r- c:\users\Samsung\AppData\Roaming\Microsoft\Installer\{C05DEB30-501D-4106-958D-C5E147D2BF7E}\_7a653c12.exe

2010-09-13 18:40 . 2010-09-13 18:40 7358 ----a-r- c:\users\Samsung\AppData\Roaming\Microsoft\Installer\{C05DEB30-501D-4106-958D-C5E147D2BF7E}\_3c6a7f4.exe

2010-09-13 18:40 . 2010-09-13 18:40 -------- d-----w- C:\Stealthbot

2010-09-12 09:13 . 2010-09-12 11:24 -------- d-----w- c:\users\Samsung\AppData\Roaming\vlc

2010-09-12 08:00 . 1998-02-06 20:37 299520 ----a-w- c:\windows\uninst.exe

2010-09-12 07:57 . 2010-09-12 07:57 -------- d-----w- c:\program files\Your Freedom

2010-09-05 14:27 . 2010-09-05 14:27 -------- d-----w- c:\program files\iPod

2010-09-05 14:27 . 2010-09-05 14:27 -------- d-----w- c:\program files\iTunes

2010-09-05 14:25 . 2010-09-05 14:26 -------- d-----w- c:\program files\QuickTime

2010-09-05 14:24 . 2010-09-05 14:24 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe

2010-08-30 21:01 . 2010-08-30 21:01 -------- d-----w- c:\users\Samsung\AppData\Local\Boss Media

2010-08-30 21:01 . 2010-08-30 21:01 -------- d-----w- c:\programdata\Boss Media

2010-08-30 21:01 . 2010-08-30 21:01 -------- d-----w- C:\Svenska Spels Poker

2010-08-26 10:22 . 2010-08-26 10:22 -------- d-----w- c:\programdata\Office Genuine Advantage

2010-08-25 20:38 . 2010-08-25 20:38 -------- d-----w- c:\users\Samsung\AppData\Roaming\AVG9

2010-08-25 13:43 . 2010-08-25 13:43 -------- d-----w- c:\program files\Gabest

2010-08-24 21:12 . 2010-04-07 07:10 571904 ----a-w- c:\windows\system32\oleaut32.dll

2010-08-24 08:13 . 2010-08-24 08:13 -------- d-----w- C:\Ventrilo 3.0.5

2010-08-24 08:13 . 2010-08-24 08:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-08-23 06:41 . 2010-03-24 06:37 1286456 ----a-w- c:\windows\system32\ntdll.dll

2010-08-23 06:41 . 2009-09-26 05:58 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys

2010-08-23 06:40 . 2010-05-09 09:14 641536 ----a-w- c:\windows\system32\CPFilters.dll

2010-08-23 06:40 . 2010-05-09 09:14 417792 ----a-w- c:\windows\system32\msdri.dll

2010-08-23 06:40 . 2009-12-13 09:30 465408 ----a-w- c:\windows\system32\psisdecd.dll

2010-08-23 06:40 . 2010-01-18 23:29 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll

2010-08-23 06:40 . 2010-01-18 23:29 85504 ----a-w- c:\windows\system32\secproc_ssp.dll

2010-08-23 06:40 . 2010-01-18 23:29 365568 ----a-w- c:\windows\system32\secproc_isv.dll

2010-08-23 06:40 . 2010-01-18 23:29 369152 ----a-w- c:\windows\system32\secproc.dll

2010-08-23 06:40 . 2010-01-18 23:28 324608 ----a-w- c:\windows\system32\RMActivate_isv.exe

2010-08-23 06:40 . 2010-01-18 23:28 277504 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe

2010-08-23 06:40 . 2010-01-18 23:28 320512 ----a-w- c:\windows\system32\RMActivate.exe

2010-08-23 06:40 . 2010-01-18 23:28 280064 ----a-w- c:\windows\system32\RMActivate_ssp.exe

2010-08-22 18:53 . 2010-08-22 18:53 -------- d-----w- c:\users\Samsung\AppData\Roaming\dvdcss

2010-08-20 10:36 . 2010-08-20 10:36 -------- d-----w- c:\program files\Screaming Bee LLC

2010-08-20 10:31 . 2010-08-20 10:31 -------- d-----w- c:\users\Samsung\AppData\Local\IsolatedStorage

2010-08-20 10:30 . 2010-08-20 10:30 -------- d-----w- C:\MorphVOX Pro

2010-08-20 10:27 . 2010-08-20 10:45 -------- d-----w- c:\program files\Screaming Bee

2010-08-20 07:38 . 2010-08-20 07:45 -------- d-----w- c:\users\Samsung\AppData\Roaming\Screaming Bee

2010-08-20 07:38 . 2010-08-20 10:31 -------- d-----w- c:\programdata\Screaming Bee

2010-08-19 15:39 . 2010-08-19 15:39 -------- d-----w- c:\users\Samsung\AppData\Local\Diagnostics

2010-08-19 15:17 . 2010-08-19 15:17 -------- d-----w- c:\program files\SpotifyRemotelessHelper

.

(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-16 15:24 . 2010-08-01 17:59 -------- d-----w- c:\users\Samsung\AppData\Roaming\uTorrent

2010-09-16 15:05 . 2010-08-01 14:36 -------- d-----w- c:\program files\Common Files\Steam

2010-09-16 04:40 . 2010-08-02 19:06 261 ----a-w- c:\programdata\nvUnsupRes.dat

2010-09-15 21:33 . 2010-08-01 15:03 -------- d-----w- c:\users\Samsung\AppData\Roaming\Spotify

2010-09-15 21:16 . 2010-08-15 16:59 -------- d-----w- c:\users\Samsung\AppData\Roaming\Mumble

2010-09-15 01:18 . 2010-03-10 20:50 -------- d-----w- c:\program files\Microsoft Silverlight

2010-09-15 01:02 . 2010-03-10 20:43 -------- d-----w- c:\programdata\Microsoft Help

2010-09-14 22:58 . 2010-08-12 16:20 -------- d-----w- c:\program files\DsNET Corp

2010-09-12 11:24 . 2010-09-12 09:13 -------- d-----w- c:\users\Samsung\AppData\Roaming\vlc

2010-09-06 18:05 . 2010-03-10 20:37 -------- d-----w- c:\program files\Common Files\Adobe

2010-09-05 14:29 . 2010-01-05 11:09 -------- d-----w- c:\programdata\Partner

2010-09-05 14:27 . 2010-08-14 18:48 -------- d-----w- c:\program files\Common Files\Apple

2010-09-03 19:42 . 2010-01-06 04:20 617470 ----a-w- c:\windows\system32\perfh01D.dat

2010-09-03 19:42 . 2010-01-06 04:20 120802 ----a-w- c:\windows\system32\perfc01D.dat

2010-08-26 17:18 . 2010-03-10 20:47 85408 ----a-w- c:\users\Samsung\AppData\Local\GDIPFONTCACHEV1.DAT

2010-08-25 12:24 . 2010-03-10 20:48 -------- d-----w- c:\program files\Microsoft

2010-08-24 08:14 . 2010-08-01 17:26 -------- d-----w- c:\users\Samsung\AppData\Roaming\Ventrilo

2010-08-18 14:34 . 2010-08-14 18:50 -------- d-----w- c:\users\Samsung\AppData\Roaming\Apple Computer

2010-08-17 15:43 . 2010-01-05 22:49 -------- d-----w- c:\programdata\NVIDIA

2010-08-17 15:39 . 2010-08-17 15:39 -------- d-----w- c:\program files\Western Railway NV 3D Screensaver

2010-08-17 13:46 . 2010-08-17 13:46 -------- d-----w- c:\programdata\AVG Security Toolbar

2010-08-15 17:03 . 2010-08-15 16:58 -------- d-----w- c:\program files\Mumble

2010-08-14 18:53 . 2010-08-14 18:49 -------- d-----w- c:\programdata\Apple Computer

2010-08-14 18:52 . 2010-08-14 18:52 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_netaapl_01009.Wdf

2010-08-14 18:52 . 2010-08-14 18:52 -------- d-----w- c:\program files\Bonjour

2010-08-14 18:49 . 2010-08-14 18:49 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-08-14 18:49 . 2010-08-14 18:49 -------- d-----w- c:\program files\Apple Software Update

2010-08-14 18:49 . 2010-08-14 18:48 -------- d-----w- c:\programdata\Apple

2010-08-14 18:49 . 2010-08-14 18:49 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_netaapl_01005.Wdf

2010-08-14 14:40 . 2010-03-10 20:42 -------- d-----w- c:\program files\Microsoft Works

2010-08-08 18:34 . 2010-08-08 10:58 -------- d-----w- c:\programdata\regid.1986-12.com.adobe

2010-08-08 10:56 . 2010-08-08 10:56 -------- d-----w- c:\program files\Adobe Media Player

2010-08-08 10:55 . 2010-08-08 10:55 -------- d-----w- c:\program files\Common Files\Adobe AIR

2010-08-08 10:55 . 2010-08-08 10:55 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-08-08 10:27 . 2010-01-05 10:52 -------- d-----w- c:\programdata\WinClon

2010-08-08 10:27 . 2010-01-05 10:42 -------- d-----w- c:\program files\Samsung

2010-08-08 10:27 . 2010-01-05 10:38 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-08-07 20:23 . 2010-08-07 20:23 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf

2010-08-07 20:19 . 2010-08-07 20:19 -------- d-----w- c:\program files\VideoLAN

2010-08-04 14:31 . 2010-03-10 20:48 -------- d-----w- c:\program files\Windows Live

2010-08-02 22:54 . 2010-08-02 22:54 -------- d-----w- c:\program files\PowerISO

2010-08-02 16:12 . 2010-08-01 16:31 28457 ----a-w- c:\windows\DIIUnin.dat

2010-08-02 16:06 . 2010-08-02 16:06 -------- d-----w- c:\program files\Sandboxie

2010-08-01 17:59 . 2010-08-01 17:59 -------- d-----w- c:\program files\uTorrent

2010-08-01 17:38 . 2010-08-01 17:38 -------- d-----w- c:\program files\Common Files\Java

2010-08-01 17:38 . 2010-08-01 17:38 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-08-01 17:38 . 2010-08-01 17:38 -------- d-----w- c:\program files\Java

2010-08-01 17:26 . 2010-08-01 17:26 -------- d-----w- c:\program files\VentriloMIX

2010-08-01 17:04 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail

2010-08-01 16:48 . 2010-08-01 16:48 21840 ----a-w- c:\windows\system32\SIntfNT.dll

2010-08-01 16:48 . 2010-08-01 16:48 17212 ----a-w- c:\windows\system32\SIntf32.dll

2010-08-01 16:48 . 2010-08-01 16:48 12067 ----a-w- c:\windows\system32\SIntf16.dll

2010-08-01 16:31 . 2010-08-01 16:31 94208 ----a-w- c:\windows\DIIUnin.exe

2010-08-01 16:31 . 2010-08-01 16:31 2829 ----a-w- c:\windows\DIIUnin.pif

2010-08-01 15:22 . 2010-08-01 15:22 -------- d-----w- c:\program files\Marvell

2010-08-01 15:03 . 2010-08-01 15:03 655360 ----a-w- c:\users\Samsung\AppData\Roaming\Spotify\Gracenote\gnsdk_sdkmanager.dll

2010-08-01 15:03 . 2010-08-01 15:03 282624 ----a-w- c:\users\Samsung\AppData\Roaming\Spotify\Gracenote\gnsdk_musicid_file.dll

2010-08-01 15:03 . 2010-08-01 15:03 208896 ----a-w- c:\users\Samsung\AppData\Roaming\Spotify\Gracenote\gnsdk_dsp.dll

2010-08-01 15:03 . 2010-08-01 15:03 -------- d-----w- c:\program files\Spotify

2010-08-01 14:55 . 2010-08-01 14:55 -------- d-----w- c:\users\Samsung\AppData\Roaming\Razer

2010-08-01 14:53 . 2010-08-01 14:53 -------- d-----w- c:\program files\Razer

2010-08-01 14:41 . 2010-01-05 10:54 -------- d-----w- c:\programdata\McAfee

2010-08-01 14:40 . 2010-08-01 14:40 12536 ----a-w- c:\windows\system32\avgrsstx.dll

2010-08-01 14:39 . 2010-08-01 14:39 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-08-01 14:39 . 2010-08-01 14:39 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-08-01 14:39 . 2010-08-01 14:39 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-08-01 14:37 . 2010-08-01 14:37 -------- d-----w- c:\program files\AVG

2010-08-01 14:37 . 2010-08-01 14:37 -------- d-----w- c:\programdata\avg9

2010-08-01 14:36 . 2010-01-05 11:09 -------- d-----w- c:\program files\Google

2010-08-01 14:35 . 2010-08-01 14:34 -------- d-----w- c:\program files\NVIDIA Corporation

2010-08-01 14:35 . 2010-08-01 14:35 -------- d-----w- c:\programdata\NVIDIA Corporation

2010-08-01 14:27 . 2010-01-05 10:38 -------- d-----w- c:\program files\Intel

2010-08-01 14:27 . 2010-08-01 14:27 -------- d-----w- c:\users\Samsung\AppData\Roaming\InstallShield

2010-08-01 14:26 . 2010-08-01 14:26 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbB166.tmp.exe

2010-07-29 06:30 . 2010-08-14 14:36 197632 ----a-w- c:\windows\system32\ir32_32.dll

2010-07-29 06:30 . 2010-08-14 14:36 82944 ----a-w- c:\windows\system32\iccvid.dll

2010-07-09 14:20 . 2010-07-09 14:20 110696 ----a-w- c:\windows\system32\nvmctray.dll

2010-07-09 14:20 . 2010-07-09 14:20 1881704 ----a-w- c:\windows\system32\nvsvcr.dll

2010-07-09 14:20 . 2010-07-09 14:20 1469544 ----a-w- c:\windows\system32\nvsvc.dll

2010-07-09 14:20 . 2010-07-09 14:20 13939816 ----a-w- c:\windows\system32\nvcpl.dll

2010-07-09 14:20 . 2010-07-09 14:20 129640 ----a-w- c:\windows\system32\nvvsvc.exe

2010-07-07 12:03 . 2010-01-05 10:38 604776 ----a-w- c:\windows\system32\NVUNINST.EXE

2010-07-01 12:21 . 2010-07-01 12:21 34896 ----a-w- c:\windows\system32\drivers\ScreamingBAudio.sys

2010-06-30 06:25 . 2010-08-14 14:36 978432 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 02:47 . 2010-06-23 02:47 32768 ----a-w- c:\windows\system32\drivers\taphss.sys

2010-06-22 02:47 . 2010-08-14 14:36 310784 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-22 02:47 . 2010-08-14 14:36 307200 ----a-w- c:\windows\system32\drivers\srv2.sys

2010-06-22 02:47 . 2010-08-14 14:36 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys

2010-06-21 22:07 . 2010-08-01 14:33 26216 ----a-w- c:\windows\system32\nvhdap32.dll

2010-06-21 22:07 . 2010-01-06 03:54 600680 ----a-w- c:\windows\system32\nvuhda.exe

2010-06-21 22:07 . 2010-01-06 03:54 232040 ----a-w- c:\windows\system32\nvcohda.dll

2010-06-21 22:07 . 2010-08-01 14:33 105576 ----a-w- c:\windows\system32\drivers\nvhda32v.sys

2010-06-19 06:33 . 2010-08-14 14:36 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-06-19 06:33 . 2010-08-14 14:36 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-06-19 06:23 . 2010-08-14 14:36 37376 ----a-w- c:\windows\system32\rtutils.dll

2010-06-19 04:07 . 2010-08-14 14:36 2326016 ----a-w- c:\windows\system32\win32k.sys

2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat

2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

.

(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Not* Tomma poster & legitima standardposter visas inte.

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2010-04-19 08:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-09-04 328568]

"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2010-07-04 398568]

"Google Update"="c:\users\Samsung\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-08-01 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-12-15 8120864]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-02-26 1713448]

"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]

"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-06-03 103720]

"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]

"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-01-04 222504]

"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-04-15 91432]

"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2009-04-15 50472]

"UpdatePPShortCut"="c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]

"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2009-07-21 210216]

"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-08-01 2065760]

"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2010-05-05 251392]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2010-04-12 180224]

"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]

"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]

"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-22 402432]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

R2 gupdate;Tjänsten Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-08-01 135664]

R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [2010-04-19 430152]

R3 CYUSB;Cypress Generic USB Driver;c:\windows\system32\Drivers\CYUSB.sys [2009-08-10 39936]

R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl.sys [2010-04-19 18432]

R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]

R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]

R3 WatAdminSvc;Aktiveringsteknologier för Windows-tjänst;c:\windows\system32\Wat\WatAdminSvc.exe [2010-08-01 1343400]

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2010-08-01 216400]

S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2010-08-01 243024]

S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [2009-05-28 10752]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]

S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-08-02 921952]

S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-08-01 308136]

S2 Rezip;Rezip;c:\windows\SYSTEM32\Rezip.exe [2009-03-05 311296]

S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2009-07-01 43944]

S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-04-07 29472]

S3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2010-04-19 9728]

S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2009-10-26 125696]

S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2010-06-21 105576]

S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2010-07-01 34896]

S3 vHidDev;Razer Gaming Device;c:\windows\system32\DRIVERS\vHidDev.sys [2009-12-21 5760]

S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-09-28 315392]

.

Innehållet i mappen 'Schemalagda aktiviteter':

2010-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-01 14:36]

2010-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-01 14:36]

2010-09-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3668850500-1260674723-286945001-1000Core.job

- c:\users\Samsung\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-30 14:36]

2010-09-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3668850500-1260674723-286945001-1000UA.job

- c:\users\Samsung\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-30 14:36]

.

.

------- Extra genomsökning -------

.

uInternet Settings,ProxyOverride = *.local

IE: E&xportera till Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: Skicka bild till &Bluetooth-enhet... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Skicka sida till &Bluetooth-enhet... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

FF - ProfilePath - c:\users\Samsung\AppData\Roaming\Mozilla\Firefox\Profiles\xz66l5jx.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.se/

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: c:\users\Samsung\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll

---- FIREFOX POLICY ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - FÖRÄLDRALÖSA POSTER SOM TAGITS BORT - - - -

Toolbar-Locked - (no file)

HKCU-Run-ATI - c:\users\Samsung\AppData\Roaming\Microsoft\Windows\Templates\taskeng.exe

HKCU-Run-ControlPanel - c:\users\Samsung\AppData\Roaming\Microsoft\taskeng.exe

SafeBoot-mcmscsvc

SafeBoot-MCODS

.

--------------------- LÅSTA REGISTERNYCKLAR ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Sluttid: 2010-09-16 17:57:30

ComboFix-quarantined-files.txt 2010-09-16 15:57

Före genomsökningen: 386 940 141 568 byte ledigt

Efter genomsökningen: 387 040 559 104 byte ledigt

- - End Of File - - 2799AECAC713D12B07CB8D24B40F9E38

Link to comment
Share on other sites

Är det en Samsung-dator?

Det kan vara ett falsklarm av MBAM, se http://forums.malwarebytes.org/lofiversion/index.php?t62165.html

Har någon av er installerat Ventrilo 24 augusti?

Japp det är en Samsung R780 laptop.

Japp jag har installerat det. Dock kan det vara så att jag var lat och googlade Ventrilomix. Och att jag inte tog en säker källa.

Link to comment
Share on other sites

Även där flyttades några Samsung-filer till karantän, som behöver återställas senare.

På sidan http://www.virustotal.com trycker du på Bläddra-knappen och klistrar in ett av följande filnamn i rutan, tryck på Öppna och sedan Skicka Fil. Vänta tills resultatet är klart (Närvarande status blir genomförd). Klistra in en länk till resultatet här. Upprepa med nästa filnamn.

c:\windows\uninst.exe

c:\programdata\nvUnsupRes.dat

Dock verkar mitt internet jäkla slött för o vara 25mbit. Men det kan ju vara driftstörningar eller nått annat.
Har detta ordnat till sig nu?
Link to comment
Share on other sites

Även där flyttades några Samsung-filer till karantän, som behöver återställas senare.

På sidan http://www.virustotal.com trycker du på Bläddra-knappen och klistrar in ett av följande filnamn i rutan, tryck på Öppna och sedan Skicka Fil. Vänta tills resultatet är klart (Närvarande status blir genomförd). Klistra in en länk till resultatet här. Upprepa med nästa filnamn.

c:\windows\uninst.exe

c:\programdata\nvUnsupRes.dat

Har detta ordnat till sig nu?

c:\windows\uninst.exe

File already submitted: The file sent has already been analysed by VirusTotal in the past. This is same basic info regarding the sample itself and its last analysis:

MD5: 72827d5d38d38a46231cb38e1f3fc5e3

Date first seen: 2008-12-23 08:46:02 (UTC)

Date last seen: 2010-08-25 02:15:04 (UTC)

Detection ratio: 0/40

c:\programdata\nvUnsupRes.dat

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.

File name: nvUnsupRes.dat

Submission date: 2010-09-16 16:44:13 (UTC)

Current status: finished

Result: 0/ 43 (0.0%)

VT Community

not reviewed

Safety score: -

Compact

Print results

Antivirus Version Last Update Result

AhnLab-V3 2010.09.16.01 2010.09.16 -

AntiVir 8.2.4.52 2010.09.16 -

Antiy-AVL 2.0.3.7 2010.09.16 -

Authentium 5.2.0.5 2010.09.16 -

Avast 4.8.1351.0 2010.09.16 -

Avast5 5.0.594.0 2010.09.16 -

AVG 9.0.0.851 2010.09.16 -

BitDefender 7.2 2010.09.16 -

CAT-QuickHeal 11.00 2010.09.16 -

ClamAV 0.96.2.0-git 2010.09.16 -

Comodo 6099 2010.09.16 -

DrWeb 5.0.2.03300 2010.09.16 -

Emsisoft 5.0.0.37 2010.09.16 -

eSafe 7.0.17.0 2010.09.15 -

eTrust-Vet 36.1.7859 2010.09.16 -

F-Prot 4.6.1.107 2010.09.16 -

F-Secure 9.0.15370.0 2010.09.16 -

Fortinet 4.1.143.0 2010.09.16 -

GData 21 2010.09.16 -

Ikarus T3.1.1.88.0 2010.09.16 -

Jiangmin 13.0.900 2010.09.16 -

K7AntiVirus 9.63.2533 2010.09.16 -

Kaspersky 7.0.0.125 2010.09.16 -

McAfee 5.400.0.1158 2010.09.16 -

McAfee-GW-Edition 2010.1C 2010.09.16 -

Microsoft 1.6103 2010.09.16 -

NOD32 5455 2010.09.16 -

Norman 6.06.06 2010.09.16 -

nProtect 2010-09-16.02 2010.09.16 -

Panda 10.0.2.7 2010.09.16 -

PCTools 7.0.3.5 2010.09.16 -

Prevx 3.0 2010.09.16 -

Rising 22.65.03.04 2010.09.16 -

Sophos 4.57.0 2010.09.16 -

Sunbelt 6877 2010.09.16 -

SUPERAntiSpyware 4.40.0.1006 2010.09.16 -

Symantec 20101.1.1.7 2010.09.16 -

TheHacker 6.7.0.0.020 2010.09.16 -

TrendMicro 9.120.0.1004 2010.09.16 -

TrendMicro-HouseCall 9.120.0.1004 2010.09.16 -

VBA32 3.12.14.0 2010.09.16 -

ViRobot 2010.8.25.4006 2010.09.16 -

VirusBuster 12.65.10.0 2010.09.16 -

Additional informationShow all

MD5 : ff0708d38778c50a1eca8ac0b361893a

SHA1 : ba3d980f7b9f5c6abf0bba038ba4c9d448bc894f

SHA256: c2933e79ea37c2d7b97be672f336dfcc338248e06d9dc16d635b828225f9bfdd

----------------------------------------------------------------------------------

Min uppkoppling verkar vara OK nu. Men det går i perioder..

Link to comment
Share on other sites

Filerna verkar ju vara bra, men låter lite oroväckande om din internetförbindelse inte fungerar som den ska.

1.

Vet du hur man zippar en mapp? För i så fall skulle jag vilja att du zippar mappen C:\Qoobox och laddar upp någonstans, tex på http://www.woofiles.com/ Klistra in länken till filen så kan jag kolla upp lite mer vad det är för filer som ComboFix tog bort. Det ser ju ut som att det är en del Samsung-filer fast de ligger i mappen SEC som ofta används av skadliga program. Om det är falsklarm kan jag meddela sUBs som skriver ComboFix så att han ändrar.

2.

Om engelska är okej vore det bra om du rapporterar falsklarmet som MBAM gjorde:

C:\Windows\MSetup\BASW-01278A18\FailSafeFactoryInstaller_1017.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Det gör du här: http://forums.malwarebytes.org/index.php?showforum=42

3.

Spara Rootkit Unhooker på skrivbordet.

http://www.rootkit.com/vault/DiabloNova/RKUnhookerLE.EXE

Dubbelklicka på programmet för att starta det (i Vista och Windows 7 högerklicka och välj Kör som administratör).

Välj fliken Report och klicka på Scan

Bocka för Drivers, Stealth, Files och Code Hooks, men avbocka de andra valen.

Tryck på OK

Vänta tills skannern är klar och då väljer du File - Save Report. Spara rapporten på Skrivbordet eller på något annat ställe där du hittar igen den. Klicka på Close

Öppna den sparade rapporten i Anteckningar. Klistra in innehållet i ditt svar.

Observera att om det kommer upp en varning "Rootkit Unhooker has detected a parasite..." så ignorera den bara.

Edited by Cecilia
Link to comment
Share on other sites

Filerna verkar ju vara bra, men låter lite oroväckande om din internetförbindelse inte fungerar som den ska.

1.

Vet du hur man zippar en mapp? För i så fall skulle jag vilja att du zippar mappen C:\Qoobox och laddar upp någonstans, tex på http://www.woofiles.com/ Klistra in länken till filen så kan jag kolla upp lite mer vad det är för filer som ComboFix tog bort. Det ser ju ut som att det är en del Samsung-filer fast de ligger i mappen SEC som ofta används av skadliga program. Om det är falsklarm kan jag meddela sUBs som skriver ComboFix så att han ändrar.

Qoobox

2.

Om engelska är okej vore det bra om du rapporterar falsklarmet som MBAM gjorde:

C:\Windows\MSetup\BASW-01278A18\FailSafeFactoryInstaller_1017.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Det gör du här: http://forums.malwarebytes.org/index.php?showforum=42

Det ska jag definitivt göra!

3.

Spara Rootkit Unhooker på skrivbordet.

http://www.rootkit.com/vault/DiabloNova/RKUnhookerLE.EXE

Dubbelklicka på programmet för att starta det (i Vista och Windows 7 högerklicka och välj Kör som administratör).

Välj fliken Report och klicka på Scan

Bocka för Drivers, Stealth, Files och Code Hooks, men avbocka de andra valen.

Tryck på OK

Vänta tills skannern är klar och då väljer du File - Save Report. Spara rapporten på Skrivbordet eller på något annat ställe där du hittar igen den. Klicka på Close

Öppna den sparade rapporten i Anteckningar. Klistra in innehållet i ditt svar.

Observera att om det kommer upp en varning "Rootkit Unhooker has detected a parasite..." så ignorera den bara.

Återkommer när det är klart. Verkar ta sin lilla stund.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
 Share

×
×
  • Create New...