Jeg kørte også en fuldstændig skan med malwarebytes, hvor den fandt 1 trojan, som den slettede. Første gang var en quick scan. Lavede så en normal opstart og fik en dialogbox på skrivebordet hvor der stod som overskrift: rundll - fejl under indlæsning af C:\windows\prtroi3p.dll det angivne modul blev ikke fundet. Ellers kan jeg komme på nettet og ind outlook express. Hvordan får jeg rundll-filen igen.

Hej og velkommen

Hvordan får jeg rundll-filen igen.

Den vil du ikke have igen, for det er rester fra en infektion    

Hent Combofix, og gem den på dit skrivebord:
ComboFix

Luk alle andre vinduer ned.

Kør så combofix.exe, og følg anvisningerne.

Når du får denne besked:
http://img.photobucket.com/albums/v666/sUBs/RC_update.png

Svarer du enten Ja eller Nej. Det er tilrådeligt at du siger Ja. Uanset hvad du svarer, har det ingen indflydelse på combofix scanningen.

Du må ikke klikke på vinduet imens værktøjet kører, idet det kan få din computer til at fryse.

Når Combofix er færdig, og efter det (muligvis) har genstartet, skulle der gerne åbnes en logfil: combofix.txt som ligger her C: Combofix txt

Indholdet af denne fil må du gerne lægge herind

Da de er forholdsvis lange, kan du blive nødt til at sende dem i flere indlæg.

ComboFix 10-08-08.02 - Ejer 09-08-2010 16:39:29.1.1 - x86
Kører fra: c:\documents and settings\Ejer\Skrivebord\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100808-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

(((((((((((((((((((((((((((((((((((((((  Andet, der er slettet   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\ogesanuz.dll
c:\windows\olumimimesu.dll
c:\windows\oxofiraw.dll
D:\Autorun.inf.vir

.
(((((((((((((((((((((((((((((  Filer skabt fra 2010-07-09 til 2010-08-09 )))))))))))))))))))))))))))))))))))
.

2010-08-08 13:51 . 2010-08-08 13:51   ————  d——-w-  c:\documents and settings\Ejer\Application Data\Malwarebytes
2010-08-08 13:50 . 2010-04-29 13:39   38224   ——a-w-  c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-08 13:50 . 2010-08-08 13:50   ————  d——-w-  c:\programmer\Malwarebytes’ Anti-Malware
2010-08-08 13:50 . 2010-08-08 13:50   ————  d——-w-  c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-08 13:50 . 2010-04-29 13:39   20952   ——a-w-  c:\windows\system32\drivers\mbam.sys
2010-08-08 09:43 . 2010-08-08 09:43   ————  d-sh—w-  c:\documents and settings\NetworkService\IETldCache
2010-08-07 22:26 . 2010-08-08 14:11   ————  d——-w-  c:\documents and settings\Ejer\Lokale indstillinger\Application Data\hsenwvbti
2010-08-02 23:57 . 2010-08-02 23:57   ————  d——-w-  c:\documents and settings\Ejer\Lokale indstillinger\Application Data\Geckofx
2010-08-02 23:57 . 2010-08-02 23:57   ————  d——-w-  c:\documents and settings\Ejer\Lokale indstillinger\Application Data\www.Spin4Profit.com
2010-08-02 23:55 . 2010-08-02 23:55   ————  d——-w-  c:\programmer\Spin4Profit Ninja
2010-07-28 21:20 . 2010-07-28 21:20   ————  d——-w-  c:\documents and settings\All Users\Application Data\F-Secure
2010-07-23 12:55 . 2010-07-23 13:23   ————  d——-w-  c:\programmer\KENO V1
2010-07-23 09:52 . 2010-07-23 09:52   ————  d——-w-  c:\programmer\Fælles filer\Skype
2010-07-14 09:52 . 2010-06-14 14:31   744448   -c——w-  c:\windows\system32\dllcache\helpsvc.exe

.
((((((((((((((((((((((((((((((((((((((((  Find3M Rapport   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-09 14:35 . 2009-11-24 02:23   ————  d——-w-  c:\documents and settings\Ejer\Application Data\Skype
2010-08-09 14:33 . 2009-11-24 02:31   ————  d——-w-  c:\documents and settings\Ejer\Application Data\skypePM
2010-08-08 17:51 . 2010-02-11 23:28   ————  d——-w-  c:\documents and settings\Ejer\Application Data\HPAppData
2010-08-06 21:08 . 2009-11-24 02:05   1   ——a-w-  c:\documents and settings\Ejer\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-07-21 20:51 . 2009-11-23 18:59   ————  d—-a-w-  c:\documents and settings\All Users\Application Data\TEMP
2010-07-04 12:13 . 2010-06-11 00:37   0   ——a-w-  c:\documents and settings\Ejer\temp.dat
2010-06-23 21:07 . 2003-08-13 19:59   83026   ——a-w-  c:\windows\system32\perfc006.dat
2010-06-23 21:07 . 2003-08-13 19:59   457360   ——a-w-  c:\windows\system32\perfh006.dat
2010-06-14 14:31 . 2009-11-24 00:23   744448   ——a-w-  c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-06-06 22:14 . 2010-06-06 22:05   29684   ——a-w-  c:\windows\hpoins03.dat
2010-06-06 21:13 . 2010-06-06 21:13   133   ——a-w-  C:\DeletePrintJobs.cmd
2010-06-01 11:57 . 2010-06-01 11:57   2232   ——a-w-  c:\windows\Java\Packages\Data\TB5F9ZZB.DAT
2010-06-01 11:57 . 2010-06-01 11:57   155995   ——a-w-  c:\windows\Java\Packages\MUGV3XBT.ZIP
2010-06-01 11:56 . 2010-06-01 11:56   2678   ——a-w-  c:\windows\Java\Packages\Data\L33VXFTV.DAT
2010-06-01 11:56 . 2010-06-01 11:56   2678   ——a-w-  c:\windows\Java\Packages\Data\I2BBBHN9.DAT
2010-06-01 11:56 . 2010-06-01 11:56   2678   ——a-w-  c:\windows\Java\Packages\Data\FFLNPF9F.DAT
2010-06-01 11:56 . 2010-06-01 11:56   2678   ——a-w-  c:\windows\Java\Packages\Data\E6SUYPRP.DAT
2010-06-01 11:56 . 2010-06-01 11:56   2678   ——a-w-  c:\windows\Java\Packages\Data\666RX39Z.DAT
.

———- Sigcheck———-

[7] 2008-04-14 . 14C8EC0AA06A33CCC5407E4324F91312 . 296448 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\termsrv.dll
[7] 2004-08-27 . DE5B43EAFE4070FEBD050D2AA48776AF . 296448 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\termsrv.dll

c:\windows\System32\termsrv.dll ... mangler !!
.
(((((((((((((((((((((((((((((((((((  Start steder i reg.basen   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Bemærk* tomme linier & lovlige standard linier vises ikke
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
“{0ed0633c-a54d-47f1-94e7-5bded41ae674}”= “c:\programmer\Free_Traffic_Bar\tbFre1.dll” [2010-05-19 2515552]

[HKEY_CLASSES_ROOT\clsid\{0ed0633c-a54d-47f1-94e7-5bded41ae674}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0ed0633c-a54d-47f1-94e7-5bded41ae674}]
2010-05-19 11:24   2515552   ——a-w-  c:\programmer\Free_Traffic_Bar\tbFre1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
“{0ed0633c-a54d-47f1-94e7-5bded41ae674}”= “c:\programmer\Free_Traffic_Bar\tbFre1.dll” [2010-05-19 2515552]

[HKEY_CLASSES_ROOT\clsid\{0ed0633c-a54d-47f1-94e7-5bded41ae674}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
“{0ED0633C-A54D-47F1-94E7-5BDED41AE674}”= “c:\programmer\Free_Traffic_Bar\tbFre1.dll” [2010-05-19 2515552]

[HKEY_CLASSES_ROOT\clsid\{0ed0633c-a54d-47f1-94e7-5bded41ae674}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“NVIEW”=“nview.dll” [2003-05-02 835654]
“VoipBuster”=“c:\programmer\VoipBuster.com\VoipBuster\VoipBuster.exe” [2009-11-12 9094448]
“RoboForm”=“c:\programmer\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe” [2010-01-25 160592]
“Skype”=“c:\programmer\Skype\\Phone\Skype.exe” [2010-05-13 26192168]
“swg”=“c:\programmer\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2009-11-24 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“hpsysdrv”=“c:\windows\system\hpsysdrv.exe” [1998-05-07 52736]
“HotKeysCmds”=“c:\windows\System32\hkcmd.exe” [2003-04-07 114688]
“HPHUPD05”=“c:\programmer\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe” [2003-05-23 49152]
“HPHmon05”=“c:\windows\System32\hphmon05.exe” [2003-05-23 483328]
“KBD”=“c:\hp\KBD\KBD.EXE” [2003-02-11 61440]
“StorageGuard”=“c:\programmer\Fælles filer\Sonic\Update Manager\sgtray.exe” [2003-02-13 155648]
“Home Theater SchSvr”=“c:\programmer\Fælles filer\InterVideo\SchSvr\SchSvr.exe” [2003-08-08 155648]
“Recguard”=“c:\windows\SMINST\RECGUARD.EXE” [2002-09-13 212992]
“NvCplDaemon”=“c:\windows\System32\NvCpl.dll” [2003-05-02 4640768]
“AlcxMonitor”=“ALCXMNTR.EXE” [2003-04-03 50176]
“PS2”=“c:\windows\system32\ps2.exe” [2002-10-16 81920]
“HP Software Update”=“c:\programmer\HP\HP Software Update\HPWuSchd.exe” [2003-08-04 49152]
“SunJavaUpdateSched”=“c:\programmer\Java\jre6\bin\jusched.exe” [2009-12-01 149280]
“avast!”=“c:\progra~1\ALWILS~1\Avast4\ashDisp.exe” [2009-11-24 81000]
“Google Quick Search Box”=“c:\programmer\Google\Quick Search Box\GoogleQuickSearchBox.exe” [2010-02-16 126976]
“HP Component Manager”=“c:\programmer\HP\hpcoretech\hpcmpmgr.exe” [2004-05-12 241664]

c:\documents and settings\Ejer\Menuen Start\Programmer\Start\
OpenOffice.org 3.1.lnk - c:\programmer\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

c:\documents and settings\Default User\Menuen Start\Programmer\Start\
mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menuen Start^Programmer^Start^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Menuen Start\Programmer\Start\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ejer^Menuen Start^Programmer^Start^Desktop Lightning.lnk]
path=c:\documents and settings\Ejer\Menuen Start\Programmer\Start\Desktop Lightning.lnk
backup=c:\windows\pss\Desktop Lightning.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Ejer^Menuen Start^Programmer^Start^OpenOffice.org 3.1.lnk]
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06   976832   ——a-w-  c:\programmer\Fælles filer\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 00:57   35760   ——a-w-  c:\programmer\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Quick Search Box]
2010-02-16 13:12   126976   ——a-w-  c:\programmer\Google\Quick Search Box\GoogleQuickSearchBox.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 16:05   1695232   ——a-w-  c:\programmer\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2003-05-02 21:19   323584   ——a-w-  c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-11-24 02:10   39408   ——a-w-  c:\programmer\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
2009-08-04 15:49   1068424   ——a-w-  c:\programmer\Trojan Remover\Trjscan.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\\system32\\sessmgr.exe”=
“c:\\Programmer\\Skype\\Plugin Manager\\skypePM.exe”=
“c:\\Programmer\\VoipBuster.com\\VoipBuster\\VoipBuster.exe”=
“c:\\WINDOWS\\system32\\mshta.exe”=
“%windir%\\Network Diagnostic\\xpnetdiag.exe”=
“c:\\Programmer\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe”=
“c:\\Programmer\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe”=
“c:\\Programmer\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe”=
“c:\\Programmer\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe”=
“c:\\Programmer\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe”=
“c:\\Programmer\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxs08.exe”=
“c:\\Programmer\\Hewlett-Packard\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe”=
“c:\\Programmer\\Skype\\Phone\\Skype.exe”=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [23-01-2010 17:49 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [23-01-2010 17:49 20560]
S0 fdkb;fdkb;c:\windows\system32\drivers\vrohi.sys—> c:\windows\system32\drivers\vrohi.sys [?]
S2 gupdate1ca6cad21712c4c;Tjenesten Google Update (gupdate1ca6cad21712c4c);c:\programmer\Google\Update\GoogleUpdate.exe [24-11-2009 04:23 133104]
.
Indhold af mappen ‘Planlagte Opgaver’

2010-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmer\Google\Update\GoogleUpdate.exe [2009-11-24 02:23]

2010-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmer\Google\Update\GoogleUpdate.exe [2009-11-24 02:23]
.
.
———- Yderligere scanning———-
.
uStart Page = hxxp://www.bt.dk/
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Gem formularer - file://c:\programmer\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Google Sidewiki ... - c:\programmer\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: RF værktøjslinie - file://c:\programmer\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Tilpas RF menu - file://c:\programmer\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Udfyld formularer - file://c:\programmer\Siber Systems\AI RoboForm\RoboFormComFillForms.html
Trusted Zone: expekt.com\www
Trusted Zone: mitnykredit.dk\www
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
FF - ProfilePath - c:\documents and settings\Ejer\Application Data\Mozilla\Firefox\Profiles\sc8znmfn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bt.dk/
FF - component: c:\programmer\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: c:\programmer\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: c:\programmer\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: c:\programmer\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: c:\programmer\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: c:\programmer\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: c:\programmer\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: c:\programmer\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: c:\programmer\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: c:\programmer\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: c:\programmer\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - component: c:\programmer\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: c:\programmer\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\programmer\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

——FIREFOX POLITIKKER——
c:\programmer\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref(“browser.fixup.alternate.suffix”, “.dk”);
.
- - - - TOMME GENVEJE FJERNET - - - -

Toolbar-Locked - (no file)
HKCU-Run-Apakuqu - c:\windows\prtroi3p.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-09 16:49
Windows 5.1.2600 Service Pack 3 NTFS

scanner skjulte processer ... 

scanner skjulte autostarter ...

scanner skjulte filer ... 

scanning gennemført med succes
skjulte filer: 0

**************************************************************************
.
Gennemført tid: 2010-08-09 16:55:11
ComboFix-quarantined-files.txt 2010-08-09 14:54

Pre-Kørsel: 17.866.174.464 byte ledig
Post-Kørsel: 17.910.493.184 byte ledig

- - End Of File - - AE0E77AA95AEF47BD51A4034F3C13666

Åben Notesblok og kopier følgende (tekst med fed skrift) inklusive linket ind - og gem tekst-filen som CFScript samme sted som du har ComboFix:

http://www.spywarefri.dk/forum/viewthread/78485/
Killall::
Snapshot::
Collect::
c:\windows\Java\Packages\Data\TB5F9ZZB.DAT
c:\windows\Java\Packages\MUGV3XBT.ZIP
c:\windows\Java\Packages\Data\L33VXFTV.DAT
c:\windows\Java\Packages\Data\I2BBBHN9.DAT
c:\windows\Java\Packages\Data\FFLNPF9F.DAT
c:\windows\Java\Packages\Data\E6SUYPRP.DAT
c:\windows\Java\Packages\Data\666RX39Z.DAT
c:\windows\system32\drivers\vrohi.sys
Folder::
c:\documents and settings\Ejer\Lokale indstillinger\Application Data\hsenwvbti
Driver::
fdkb
Fcopy::
c:\windows\ServicePackFiles\i386\termsrv.dll | c:\windows\System32\termsrv.dll
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>
Registry::
[-HKEY_CLASSES_ROOT\clsid\{0ed0633c-a54d-47f1-94e7-5bded41ae674}]
[-HKEY_CLASSES_ROOT\clsid\{0ed0633c-a54d-47f1-94e7-5bded41ae674}]
[-HKEY_CLASSES_ROOT\clsid\{0ed0633c-a54d-47f1-94e7-5bded41ae674}]

Tag så fat i den nye fil med musen, og før den hen over Combofix-filen, hvorefter du “giver slip” med musen. Som vist her ->

http://www.fromsej.saknet.dk/billeder/swfcombo.gif

Så skulle Combofix gerne give sig til at arbejde. Muligvis vil den kræve en genstart, hvilket du skal tillade. Du bør ikke klikke på vinduet imens værktøjet kører, idet det kan få din computer til at fryse.

Når ComboFix er færdig med sin scanning/rensning åbnes en ComboFix log sammen med en lille meddelelses-boks. Rensningen du lige har gennemført har indsamlet nogle filer til videre analyse. Klik nu på OK i meddelelses-boksen for at uploade de indsamlede filer til videre analyse (du skal have forbindelse til internettet for at kunne uploade filerne).

Læg den nye ComboFix log herind. Den kan findes her - C:\combofix Txt

Jeg gjorde som nævnt ovenfor, men da combofix vinduet ikke havde ændret sig efter 2 timer, genstartede jeg pc’en.
Hvad går der galt?

Prøv en gang til, denne gang i fejlsikret tilstand.

Jeg kan ikke se combofix ikonet på skrivebordet i fejlsikret tilstand, så jeg prøver igen som ved normal opstart og slukker for avast antivirus. Måske det er den, som blokerer.

Eller også, inden du genstarter til fejlsikret, så placer combofix midt på skrivebordet, så burde du kunne se det i fejlsikret.

Jeg fik gang i combofix i fejlsikret tilstand, men den kom med en bemærkning om, at avast var stadig aktiv, og at det var på egen risiko. Jeg trak tekstfilen over combofix ikonet og fulgte proceduren, men når der ikke var sket noget nævneværdigt efter en time, lukkede jeg vinduet ned.
Et andet problem er at computeren genstarter, når jeg sætter et usb-stik i usb-porten. Kan det være noget galt med porten eller er det virus?

Er det uanset hvad du sætter i, og uanset i hvilken USB-port?

Prøv at hente en ny Combofix, dobbeltklik på den og kopier loggen herind.

ComboFix 10-08-12.02 - Ejer 12-08-2010 22:06:42.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.45.1030.18.447.210 [GMT 2:00]
Kører fra: c:\documents and settings\Ejer\Skrivebord\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100812-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

(((((((((((((((((((((((((((((  Filer skabt fra 2010-07-12 til 2010-08-12 )))))))))))))))))))))))))))))))))))
.

2010-08-09 21:36 . 2010-08-09 21:36   ————  d——-w-  c:\documents and settings\Ejer\Dokumenter
2010-08-08 13:51 . 2010-08-08 13:51   ————  d——-w-  c:\documents and settings\Ejer\Application Data\Malwarebytes
2010-08-08 13:50 . 2010-04-29 13:39   38224   ——a-w-  c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-08 13:50 . 2010-08-08 13:50   ————  d——-w-  c:\programmer\Malwarebytes’ Anti-Malware
2010-08-08 13:50 . 2010-08-08 13:50   ————  d——-w-  c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-08 13:50 . 2010-04-29 13:39   20952   ——a-w-  c:\windows\system32\drivers\mbam.sys
2010-08-08 09:43 . 2010-08-08 09:43   ————  d-sh—w-  c:\documents and settings\NetworkService\IETldCache
2010-08-07 22:26 . 2010-08-08 14:11   ————  d——-w-  c:\documents and settings\Ejer\Lokale indstillinger\Application Data\hsenwvbti
2010-08-02 23:57 . 2010-08-02 23:57   ————  d——-w-  c:\documents and settings\Ejer\Lokale indstillinger\Application Data\Geckofx
2010-08-02 23:57 . 2010-08-02 23:57   ————  d——-w-  c:\documents and settings\Ejer\Lokale indstillinger\Application Data\www.Spin4Profit.com
2010-08-02 23:55 . 2010-08-02 23:55   ————  d——-w-  c:\programmer\Spin4Profit Ninja
2010-07-28 21:20 . 2010-07-28 21:20   ————  d——-w-  c:\documents and settings\All Users\Application Data\F-Secure
2010-07-23 12:55 . 2010-07-23 13:23   ————  d——-w-  c:\programmer\KENO V1
2010-07-23 09:52 . 2010-07-23 09:52   ————  d——-w-  c:\programmer\Fælles filer\Skype
2010-07-14 09:52 . 2010-06-14 14:31   744448   -c——w-  c:\windows\system32\dllcache\helpsvc.exe

.
((((((((((((((((((((((((((((((((((((((((  Find3M Rapport   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-12 20:02 . 2009-11-24 02:23   ————  d——-w-  c:\documents and settings\Ejer\Application Data\Skype
2010-08-12 19:57 . 2010-02-11 23:28   ————  d——-w-  c:\documents and settings\Ejer\Application Data\HPAppData
2010-08-12 14:01 . 2009-11-24 02:31   ————  d——-w-  c:\documents and settings\Ejer\Application Data\skypePM
2010-07-21 20:51 . 2009-11-23 18:59   ————  d—-a-w-  c:\documents and settings\All Users\Application Data\TEMP
2010-07-04 12:13 . 2010-06-11 00:37   0   ——a-w-  c:\documents and settings\Ejer\temp.dat
2010-06-23 21:07 . 2003-08-13 19:59   83026   ——a-w-  c:\windows\system32\perfc006.dat
2010-06-23 21:07 . 2003-08-13 19:59   457360   ——a-w-  c:\windows\system32\perfh006.dat
2010-06-14 14:31 . 2009-11-24 00:23   744448   ——a-w-  c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-06-06 22:14 . 2010-06-06 22:05   29684   ——a-w-  c:\windows\hpoins03.dat
2010-06-06 21:13 . 2010-06-06 21:13   133   ——a-w-  C:\DeletePrintJobs.cmd
2010-06-01 11:57 . 2010-06-01 11:57   2232   ——a-w-  c:\windows\Java\Packages\Data\TB5F9ZZB.DAT
2010-06-01 11:57 . 2010-06-01 11:57   155995   ——a-w-  c:\windows\Java\Packages\MUGV3XBT.ZIP
2010-06-01 11:56 . 2010-06-01 11:56   2678   ——a-w-  c:\windows\Java\Packages\Data\L33VXFTV.DAT
2010-06-01 11:56 . 2010-06-01 11:56   2678   ——a-w-  c:\windows\Java\Packages\Data\I2BBBHN9.DAT
2010-06-01 11:56 . 2010-06-01 11:56   2678   ——a-w-  c:\windows\Java\Packages\Data\FFLNPF9F.DAT
2010-06-01 11:56 . 2010-06-01 11:56   2678   ——a-w-  c:\windows\Java\Packages\Data\E6SUYPRP.DAT
2010-06-01 11:56 . 2010-06-01 11:56   2678   ——a-w-  c:\windows\Java\Packages\Data\666RX39Z.DAT
.

———- Sigcheck———-

[7] 2008-04-14 . 14C8EC0AA06A33CCC5407E4324F91312 . 296448 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\termsrv.dll
[7] 2004-08-27 . DE5B43EAFE4070FEBD050D2AA48776AF . 296448 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\termsrv.dll

c:\windows\System32\termsrv.dll ... mangler !!
.
(((((((((((((((((((((((((((((((((((  Start steder i reg.basen   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Bemærk* tomme linier & lovlige standard linier vises ikke
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
“{0ed0633c-a54d-47f1-94e7-5bded41ae674}”= “c:\programmer\Free_Traffic_Bar\tbFre1.dll” [2010-05-19 2515552]

[HKEY_CLASSES_ROOT\clsid\{0ed0633c-a54d-47f1-94e7-5bded41ae674}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0ed0633c-a54d-47f1-94e7-5bded41ae674}]
2010-05-19 11:24   2515552   ——a-w-  c:\programmer\Free_Traffic_Bar\tbFre1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
“{0ed0633c-a54d-47f1-94e7-5bded41ae674}”= “c:\programmer\Free_Traffic_Bar\tbFre1.dll” [2010-05-19 2515552]

[HKEY_CLASSES_ROOT\clsid\{0ed0633c-a54d-47f1-94e7-5bded41ae674}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
“{0ED0633C-A54D-47F1-94E7-5BDED41AE674}”= “c:\programmer\Free_Traffic_Bar\tbFre1.dll” [2010-05-19 2515552]

[HKEY_CLASSES_ROOT\clsid\{0ed0633c-a54d-47f1-94e7-5bded41ae674}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“NVIEW”=“nview.dll” [2003-05-02 835654]
“VoipBuster”=“c:\programmer\VoipBuster.com\VoipBuster\VoipBuster.exe” [2009-11-12 9094448]
“RoboForm”=“c:\programmer\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe” [2010-01-25 160592]
“Skype”=“c:\programmer\Skype\\Phone\Skype.exe” [2010-05-13 26192168]
“swg”=“c:\programmer\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2009-11-24 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“hpsysdrv”=“c:\windows\system\hpsysdrv.exe” [1998-05-07 52736]
“HotKeysCmds”=“c:\windows\System32\hkcmd.exe” [2003-04-07 114688]
“HPHUPD05”=“c:\programmer\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe” [2003-05-23 49152]
“HPHmon05”=“c:\windows\System32\hphmon05.exe” [2003-05-23 483328]
“KBD”=“c:\hp\KBD\KBD.EXE” [2003-02-11 61440]
“StorageGuard”=“c:\programmer\Fælles filer\Sonic\Update Manager\sgtray.exe” [2003-02-13 155648]
“Home Theater SchSvr”=“c:\programmer\Fælles filer\InterVideo\SchSvr\SchSvr.exe” [2003-08-08 155648]
“Recguard”=“c:\windows\SMINST\RECGUARD.EXE” [2002-09-13 212992]
“NvCplDaemon”=“c:\windows\System32\NvCpl.dll” [2003-05-02 4640768]
“AlcxMonitor”=“ALCXMNTR.EXE” [2003-04-03 50176]
“PS2”=“c:\windows\system32\ps2.exe” [2002-10-16 81920]
“HP Software Update”=“c:\programmer\HP\HP Software Update\HPWuSchd.exe” [2003-08-04 49152]
“SunJavaUpdateSched”=“c:\programmer\Java\jre6\bin\jusched.exe” [2009-12-01 149280]
“avast!”=“c:\progra~1\ALWILS~1\Avast4\ashDisp.exe” [2009-11-24 81000]
“Google Quick Search Box”=“c:\programmer\Google\Quick Search Box\GoogleQuickSearchBox.exe” [2010-02-16 126976]
“HP Component Manager”=“c:\programmer\HP\hpcoretech\hpcmpmgr.exe” [2004-05-12 241664]

c:\documents and settings\Ejer\Menuen Start\Programmer\Start\
OpenOffice.org 3.1.lnk - c:\programmer\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

c:\documents and settings\Default User\Menuen Start\Programmer\Start\
mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menuen Start^Programmer^Start^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Menuen Start\Programmer\Start\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ejer^Menuen Start^Programmer^Start^Desktop Lightning.lnk]
path=c:\documents and settings\Ejer\Menuen Start\Programmer\Start\Desktop Lightning.lnk
backup=c:\windows\pss\Desktop Lightning.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Ejer^Menuen Start^Programmer^Start^OpenOffice.org 3.1.lnk]
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06   976832   ——a-w-  c:\programmer\Fælles filer\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 00:57   35760   ——a-w-  c:\programmer\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Quick Search Box]
2010-02-16 13:12   126976   ——a-w-  c:\programmer\Google\Quick Search Box\GoogleQuickSearchBox.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 16:05   1695232   ——a-w-  c:\programmer\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2003-05-02 21:19   323584   ——a-w-  c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-11-24 02:10   39408   ——a-w-  c:\programmer\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
2009-08-04 15:49   1068424   ——a-w-  c:\programmer\Trojan Remover\Trjscan.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\\system32\\sessmgr.exe”=
“c:\\Programmer\\Skype\\Plugin Manager\\skypePM.exe”=
“c:\\Programmer\\VoipBuster.com\\VoipBuster\\VoipBuster.exe”=
“c:\\WINDOWS\\system32\\mshta.exe”=
“%windir%\\Network Diagnostic\\xpnetdiag.exe”=
“c:\\Programmer\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe”=
“c:\\Programmer\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe”=
“c:\\Programmer\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe”=
“c:\\Programmer\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe”=
“c:\\Programmer\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe”=
“c:\\Programmer\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxs08.exe”=
“c:\\Programmer\\Hewlett-Packard\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe”=
“c:\\Programmer\\Skype\\Phone\\Skype.exe”=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [23-01-2010 17:49 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [23-01-2010 17:49 20560]
S0 fdkb;fdkb;c:\windows\system32\drivers\vrohi.sys—> c:\windows\system32\drivers\vrohi.sys [?]
S2 gupdate1ca6cad21712c4c;Tjenesten Google Update (gupdate1ca6cad21712c4c);c:\programmer\Google\Update\GoogleUpdate.exe [24-11-2009 04:23 133104]
.
Indhold af mappen ‘Planlagte Opgaver’

2010-08-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmer\Google\Update\GoogleUpdate.exe [2009-11-24 02:23]

2010-08-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmer\Google\Update\GoogleUpdate.exe [2009-11-24 02:23]
.
.
———- Yderligere scanning———-
.
uStart Page = hxxp://www.bt.dk/
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Gem formularer - file://c:\programmer\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Google Sidewiki ... - c:\programmer\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: RF værktøjslinie - file://c:\programmer\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Tilpas RF menu - file://c:\programmer\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Udfyld formularer - file://c:\programmer\Siber Systems\AI RoboForm\RoboFormComFillForms.html
Trusted Zone: expekt.com\www
Trusted Zone: mitnykredit.dk\www
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
FF - ProfilePath - c:\documents and settings\Ejer\Application Data\Mozilla\Firefox\Profiles\sc8znmfn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bt.dk/
FF - component: c:\programmer\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: c:\programmer\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: c:\programmer\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: c:\programmer\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: c:\programmer\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: c:\programmer\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: c:\programmer\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: c:\programmer\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: c:\programmer\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: c:\programmer\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: c:\programmer\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - component: c:\programmer\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: c:\programmer\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\programmer\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

——FIREFOX POLITIKKER——
c:\programmer\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref(“browser.fixup.alternate.suffix”, “.dk”);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-12 22:16
Windows 5.1.2600 Service Pack 3 NTFS

scanner skjulte processer ... 

scanner skjulte autostarter ...

scanner skjulte filer ... 

scanning gennemført med succes
skjulte filer: 0

**************************************************************************
.
——————————- DLLs startet under kørende Processer——————————-

- - - - - - - > ‘explorer.exe’(2624)
c:\windows\system32\nView.dll
c:\windows\system32\NVWRSDA.DLL
c:\programmer\Google\Quick Search Box\bin\1.2.1151.245\qsb.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Gennemført tid: 2010-08-12 22:27:20
ComboFix-quarantined-files.txt 2010-08-12 20:27
ComboFix2.txt 2010-08-09 14:55

Pre-Kørsel: 17.587.851.264 byte ledig
Post-Kørsel: 17.620.103.168 byte ledig

- - End Of File - - 8E8A2D5384FC1564DFDFBA8D716109E9

Jeg har 2 usb-porte foran på kabinettet og 3 bag. Når jeg sætter usb-stik i dem en ad gangen, så genstarter computeren, og det er lige meget, hvilket usb-stik jeg bruger.

Åben Notesblok og kopier følgende (tekst med fed skrift) inklusive linket ind - og gem tekst-filen som CFScript samme sted som du har ComboFix:

http://www.spywarefri.dk/forum/viewthread/78485/
Killall::
Snapshot::
Collect::
c:\windows\Java\Packages\MUGV3XBT.Zip
c:\windows\Java\Packages\Data\L33VXFTV.DAT
c:\windows\Java\Packages\Data\I2BBBHN9.DAT
c:\windows\Java\Packages\Data\FFLNPF9F.DAT
c:\windows\Java\Packages\Data\E6SUYPRP.DAT
c:\windows\Java\Packages\Data\666RX39Z.DAT
c:\windows\system32\drivers\vrohi.sys
Fcopy::
c:\windows\ServicePackFiles\i386\termsrv.dll | c:\windows\System32\termsrv.dll
Driver::
fdkb
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>

Tag så fat i den nye fil med musen, og før den hen over Combofix-filen, hvorefter du “giver slip” med musen. Som vist her ->

http://www.fromsej.saknet.dk/billeder/swfcombo.gif

Så skulle Combofix gerne give sig til at arbejde. Muligvis vil den kræve en genstart, hvilket du skal tillade. Du bør ikke klikke på vinduet imens værktøjet kører, idet det kan få din computer til at fryse.

Når ComboFix er færdig med sin scanning/rensning åbnes en ComboFix log sammen med en lille meddelelses-boks. Rensningen du lige har gennemført har indsamlet nogle filer til videre analyse. Klik nu på OK i meddelelses-boksen for at uploade de indsamlede filer til videre analyse (du skal have forbindelse til internettet for at kunne uploade filerne).

Læg den nye ComboFix log herind. Den kan findes her - C:\combofix Txt

Jeg gjorde som nævnt ovenfor, men da combofix vinduet ikke havde ændret sig efter at pc’en havde stået tændt hele natten, genstartede jeg.
Hvad går der galt?

Prøv at lave og køre dette CFScript:

Killall::
Snapshot::
Fcopy::
c:\windows\ServicePackFiles\i386\termsrv.dll | c:\windows\System32\termsrv.dll
Driver::
fdkb
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>