“Fake” antivirus program has taken over PC
  Moser
Number of posts: 56

I've been asked to fix a PC for a friend who, out of pure ignorance, hasn't used any form of protection whatsoever (antivirus, antispyware etc.). Now, naturally, it has become infected.

The problem started yesterday when a scanning program began running and “found” a lot of viruses. I think it was called something like “security center”. It then wants you to buy upgrades etc., and since I've had problems with this kind of program myself before, I knew something was wrong. There were also English security warnings in the tray, even though the operating system is a Swedish edition of XP.

The program has partly taken over the browser, so that a particular security page comes up every time you search for antivirus/spyware programs, and you are again given the opportunity to buy “security center”. So I downloaded SUPERAntiSpyware and ran it in safe mode, since otherwise the program got shut down with yet another security warning.
A lot was cleaned up, but the browser is now completely dead with the message that there is no network connection. However, I can see that something is being downloaded in the meantime, and after another quick SUPERAntiSpyware scan you can see that new things have arrived.

So what do I do now? The browser is unusable (but I can download from another PC), there is no antivirus program installed, and as soon as the internet is connected I can start over.

Administrator
Number of posts: 54698

Use a USB stick, or alternatively burn a CD-R.

Download Malwarebytes Anti-Malware from here:
http://www.besttechie.net/tools/mbam-setup.exe
Or from here ->
http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
Also download the update here:
http://www.malwarebytes.org/mbam/database/mbam-rules.exe
Copy the two exe files onto the USB stick.

Download Combofix and save it in a folder on the USB stick:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Open the folder with Combofix, right-click, choose New->Text Document, open the text document, and copy the following into it:

Killall::
Snapshot::

Click File->Save As, name it CFScript, and close the text document.
Remove the USB stick from the healthy machine.

Start up the infected machine and plug in the USB stick.
Install Malwarebytes, close it again, and once that is done double-click mbam-rules, which updates Mbam.
Start Malwarebytes, move the radio button to “Perform full scan” - click the Scan button - let the program work. Wait until it is finished (it takes a while depending on how much you have on the computer).

Then - press the “Show Results” button after the scan - and then press “Remove Selected” - the log now opens and you should save it somewhere you can find it again.


Open the folder with Combofix.
Then grab CFScript with the mouse and drag it over the Combofix file, then “let go” of the mouse.
http://www.fromsej.saknet.dk/billeder/cfscript.gif
Combofix should then start working. It may require a restart, which you should allow. You should not click on the window while the tool is running, as that can make your computer freeze.
Answer no to the Recovery Console and to updating Combofix.
Paste the resulting log in here, together with the log from Malwarebytes.

Signature

Member of “Alliance of Security Analysis Professionals” - All statements, as always, “only with a pistol”

Did you also cry over the fairy tale about the blacksmith's cat when you were little?
http://www.spywarefri.dk/medarbejderne/

Nierne bomaye - You'll never walk alone
qui potest, obligatur

  Moser
Number of posts: 56

The link to mbam-rules is dead, and I couldn't find the update anywhere else on the website.

Administrator
Number of posts: 54698

I can't find it either.
Try running Combofix instead.


  Moser
Number of posts: 56

Malwarebytes' Anti-Malware 1.46
http://www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

2010-09-03 22:33:48
mbam-log-2010-09-03 (22-33-48).txt

Scan type: Full scan (C:\|)
Objects scanned: 161819
Time elapsed: 31 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\Desktop.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ipsecndis.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\Drivers\ntndis.sys (Rootkit.Agent) -> Delete on reboot.


And then combofix:

ComboFix 10-09-02.03 - Ingrid 2010-09-04 15:54:55.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.1014.726 [GMT 2:00]
Körs från: c:\documents and settings\Ingrid\Skrivbord\Combo fix\ComboFix.exe
Använda kommandoväxlar :: c:\documents and settings\Ingrid\Skrivbord\Combo fix\CFScript.txt

VARNINIG -ÅTERSTÄLLNINGSKONSOLEN (THE RECOVERY CONSOLE) ÄR INTE INSTALLERAD PÅ DEN HÄR DATORN !!
.

(((((((((((((((((((((((((((((((((((((((  Andra raderingar   ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administratör.INGRID\Lokala inställningar\Application Data\okfpjkwgn
c:\documents and settings\Administratör.INGRID\Lokala inställningar\Application Data\okfpjkwgn\xvtayjcshdw.exe
c:\documents and settings\Ingrid\Application Data\EurekaLog
c:\documents and settings\Ingrid\Application Data\ohydy.exe
c:\documents and settings\Ingrid\Lokala inställningar\Application Data\fwitjgnak
c:\documents and settings\Ingrid\Lokala inställningar\Application Data\fwitjgnak\jbkwwrqshdw.exe
c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((  Filer Skapade från 2010-08-04 till 2010-09-04 ))))))))))))))))))))))))))))))
.

2010-09-04 13:53 . 2010-09-04 13:53   --------  d--h--w-  c:\temp\dvmexp
2010-09-04 13:53 . 2010-09-04 13:53   --------  d-----w-  C:\dvmexp
2010-09-03 13:28 . 2010-09-03 13:28   --------  d-----w-  c:\documents and settings\Ingrid\Application Data\Malwarebytes
2010-09-03 13:28 . 2010-04-29 13:39   38224   ----a-w-  c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-03 13:28 . 2010-09-03 13:28   --------  d-----w-  c:\program\Malwarebytes' Anti-Malware
2010-09-03 13:28 . 2010-09-03 13:28   --------  d-----w-  c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-03 13:28 . 2010-04-29 13:39   20952   ----a-w-  c:\windows\system32\drivers\mbam.sys
2010-09-03 12:05 . 2010-06-28 20:37   165456   ----a-w-  c:\windows\system32\drivers\aswSP.sys
2010-09-03 12:05 . 2010-06-28 20:32   17744   ----a-w-  c:\windows\system32\drivers\aswFsBlk.sys
2010-09-03 12:05 . 2010-06-28 20:33   23376   ----a-w-  c:\windows\system32\drivers\aswRdr.sys
2010-09-03 12:05 . 2010-06-28 20:37   46672   ----a-w-  c:\windows\system32\drivers\aswTdi.sys
2010-09-03 12:04 . 2010-06-28 20:32   100176   ----a-w-  c:\windows\system32\drivers\aswmon2.sys
2010-09-03 12:04 . 2010-06-28 20:32   94544   ----a-w-  c:\windows\system32\drivers\aswmon.sys
2010-09-03 12:04 . 2010-06-28 20:32   28880   ----a-w-  c:\windows\system32\drivers\aavmker4.sys
2010-09-03 12:04 . 2010-06-28 20:57   38848   ----a-w-  c:\windows\avastSS.scr
2010-09-03 12:04 . 2010-06-28 20:57   165032   ----a-w-  c:\windows\system32\aswBoot.exe
2010-09-03 12:04 . 2010-09-03 12:04   --------  d-----w-  c:\program\Alwil Software
2010-09-03 12:04 . 2010-09-03 12:04   --------  d-----w-  c:\documents and settings\All Users\Application Data\Alwil Software
2010-09-03 06:29 . 2010-09-03 06:29   63488   ----a-w-  c:\documents and settings\Ingrid\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-03 06:29 . 2010-09-03 06:29   52224   ----a-w-  c:\documents and settings\Ingrid\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-03 06:29 . 2010-09-03 06:29   117760   ----a-w-  c:\documents and settings\Ingrid\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-03 06:28 . 2010-09-03 06:28   --------  d-----w-  c:\documents and settings\Ingrid\Application Data\SUPERAntiSpyware.com
2010-09-03 06:28 . 2010-09-03 06:28   --------  d-----w-  c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-09-03 06:28 . 2010-09-03 06:28   --------  d-----w-  c:\program\SUPERAntiSpyware
2010-09-03 06:15 . 2010-09-03 06:15   --------  d-----w-  c:\documents and settings\Administratör.INGRID
2010-09-03 05:40 . 2010-09-03 05:40   --------  d-----w-  C:\840e239d4183b0f32dbaec9fbc
2010-09-02 20:21 . 2010-09-04 14:08   786944   ----a-w-  c:\windows\system32\drivers\cfmefixl.sys
2010-08-30 19:47 . 2010-08-30 19:47   210816   -c--a-w-  c:\windows\system32\dllcache\ndis.sys

.
((((((((((((((((((((((((((((((((((((((((  Find3M Rapport   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-04 13:51 . 2008-07-22 10:30   494514   ----a-w-  c:\windows\system32\perfh01D.dat
2010-09-04 13:51 . 2008-07-22 10:30   105124   ----a-w-  c:\windows\system32\perfc01D.dat
2010-09-03 06:26 . 2009-03-10 03:04   1324   ----a-w-  c:\windows\system32\d3d9caps.dat
2010-09-03 05:39 . 2009-01-30 15:46   --------  d-----w-  c:\documents and settings\All Users\Application Data\Microsoft Help
2010-09-01 19:50 . 2009-04-12 14:57   --------  d-----w-  c:\documents and settings\Ingrid\Application Data\dvdcss
2010-08-30 19:47 . 2008-07-22 10:30   210816   ----a-w-  c:\windows\system32\drivers\ndis.sys
2010-07-09 12:31 . 2010-01-25 09:57   --------  d-----w-  c:\documents and settings\Ingrid\Application Data\Spotify
2010-06-30 12:33 . 2008-07-22 10:30   149504   ----a-w-  c:\windows\system32\schannel.dll
2010-06-24 09:02 . 2008-07-22 10:30   1851904   ----a-w-  c:\windows\system32\win32k.sys
2010-06-17 14:03 . 2008-07-22 10:30   80384   ----a-w-  c:\windows\system32\iccvid.dll
.

------- Sigcheck -------

[-] 2010-08-30 19:47 . !HASH: COULD NOT OPEN FILE !!!!! . 210816 . . [------] . . c:\windows\system32\drivers\ndis.sys
[-] 2010-08-30 19:47 . !HASH: COULD NOT OPEN FILE !!!!! . 210816 . . [------] . . c:\windows\system32\dllcache\ndis.sys
.
((((((((((((((((((((((((((((((((((  Startpunkter i registret   )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Not*  Tomma poster & legitima standardposter visas inte.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{dd02a4eb-4afd-4d60-99d8-e67f964ca813}"= "c:\program\PHPNukeEN\tbPHP1.dll" [2010-05-18 2515552]

[HKEY_CLASSES_ROOT\clsid\{dd02a4eb-4afd-4d60-99d8-e67f964ca813}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{dd02a4eb-4afd-4d60-99d8-e67f964ca813}]
2010-05-18 20:42   2515552   ----a-w-  c:\program\PHPNukeEN\tbPHP1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{dd02a4eb-4afd-4d60-99d8-e67f964ca813}"= "c:\program\PHPNukeEN\tbPHP1.dll" [2010-05-18 2515552]

[HKEY_CLASSES_ROOT\clsid\{dd02a4eb-4afd-4d60-99d8-e67f964ca813}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{DD02A4EB-4AFD-4D60-99D8-E67F964CA813}"= "c:\program\PHPNukeEN\tbPHP1.dll" [2010-05-18 2515552]

[HKEY_CLASSES_ROOT\clsid\{dd02a4eb-4afd-4d60-99d8-e67f964ca813}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VeriFace Enc]
@="{771C7324-DA80-49D3-8017-753B0AF60951}"
[HKEY_CLASSES_ROOT\CLSID\{771C7324-DA80-49D3-8017-753B0AF60951}]
2009-01-30 15:38   241752   ----a-w-  c:\windows\system32\IcnOvrly.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-08-25 2424560]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]

c:\documents and settings\All Users\Start-meny\Program\Autostart\
BTTray.lnk - c:\program\Lenovo\Bluetooth Software\BTTray.exe [2008-6-24 600680]
Personal.lnk - c:\program\Personal\bin\Personal.exe [2010-2-11 939920]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program\\Spotify\\spotify.exe"=
"c:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-09-03 165456]
R1 SASDIFSV;SASDIFSV;c:\program\SUPERAntiSpyware\sasdifsv.sys [2010-02-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
R2 DvmMDES;DeviceVM Meta Data Export Service;c:\qstart.sys\config\DVMExportService.exe [2008-11-20 307200]
R2 PowerSave;PowerSave Service;c:\program\Packard Bell\Software Suite\PowerSave\PSPBSSS.exe [2009-04-06 1002016]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\drivers\AcpiVpc.sys [2009-01-30 9472]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-01-30 157696]
S2 aswFsBlk;aswFsBlk;aswFsBlk.sys --> aswFsBlk.sys [?]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]

--- Övriga tjänster/drivrutiner i minnet ---

*Deregistered* - cfmefixl
.
.
------- Extra genomsökning -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2086743
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://g.msn.se/0SESVSE/SAOS01?FORM=TOOLBR
IE: E&xportera till Microsoft Excel - c:\program\MICROS~3\Office12\EXCEL.EXE/3000
IE: Skicka till &Bluetooth-enhet... - c:\program\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
IE: Skicka till Bluetooth - c:\program\Lenovo\Bluetooth Software\btsendto_ie.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-04 16:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe >>UNKNOWN [0x8656E0E0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7601f28
\Driver\ACPI -> ACPI.sys @ 0xf7494cb8
\Driver\atapi -> atapi.sys @ 0xf7367852
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
NDIS: Broadcom NetLink (TM) Fast Ethernet -> SendCompleteHandler -> NDIS.sys @ 0x864f0bb0
PacketIndicateHandler -> NDIS.sys @ 0x864dfa0d
SendHandler -> NDIS.sys @ 0x864f3b40
user & kernel MBR OK
copy of MBR has been found in sector 1 !

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cfmefixl]

.
--------------------- LÅSTA REGISTERNYCKLAR ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft Diskkvot"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=expand:"dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@="Internet Explorer Zonemapping"
"DllName"=expand:"iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"=expand:"@iedkcs32.dll,-3051"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@DACL=(02 0000)
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"=expand:"@iedkcs32.dll,-3014"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=expand:"scecli.dll"
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
@DACL=(02 0000)
@="802.3 Group Policy"
"DisplayName"=expand:"@dot3gpclnt.dll,-100"
"ProcessGroupPolicyEx"="ProcessLANPolicyEx"
"GenerateGroupPolicy"="GenerateLANPolicy"
"DllName"=expand:"dot3gpclnt.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@DACL=(02 0000)
@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@DACL=(02 0000)
@="Programvaruinstallation"
"DllName"=expand:"appmgmts.dll"
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
@DACL=(02 0000)
"DllName"="c:\\Program\\SUPERAntiSpyware\\SASWINLO.DLL"
"Logon"="SABWINLOLogon"
"Logoff"="SABWINLOLogoff"
"Startup"="SABWINLOStartup"
"Shutdown"="SABWINLOShutdown"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"cryptnet.dll"
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
@DACL=(02 0000)
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
@DACL=(02 0000)
"Asynchronous"=dword:00000001
"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
"Startup"="WlDimsStartup"
"Shutdown"="WlDimsShutdown"
"Logon"="WlDimsLogon"
"Logoff"="WlDimsLogoff"
"StartShell"="WlDimsStartShell"
"Lock"="WlDimsLock"
"Unlock"="WlDimsUnlock"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@DACL=(02 0000)
@SACL=
@=""
"DLLName"="igfxdev.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PicNotify]
@DACL=(02 0000)
@SACL=
"DLLName"="PicNotify.dll"
"Logon"="HeadLogon"
"Logoff"="HeadLogoff"
"StartScreenSaver"="HeadStartScreenSaver"
"StopScreenSaver"="HeadStopScreenSaver"
"Startup"="HeadStartup"
"Shutdown"="HeadShutdown"
"StartShell"="HeadCreateShell"
"Lock"="HeadLock"
"Unlock"="HeadUnlock"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000000
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
@DACL=(02 0000)
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=expand:"sclgntfy.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
@DACL=(02 0000)
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
"Hjälpassistent"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"HelpAssistant"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
"ASPNET"=dword:00000000
.
--------------------- DLLer som "laddats" under processer som körs ---------------------

- - - - - - - > 'explorer.exe'(4028)
c:\windows\system32\IcnOvrly.dll
c:\windows\system32\btmmhook.dll
.
------------------------ Andra processer som körs ------------------------
.
c:\program\Lenovo\Bluetooth Software\bin\btwdins.exe
c:\program\Alwil Software\Avast5\AvastSvc.exe
c:\program\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program\Delade filer\Lenovo\tvt_reg_monitor_svc.exe
c:\program\Delade filer\Lenovo\Scheduler\tvtsched.exe
c:\program\lenovo\system update\suservice.exe
c:\program\Lenovo\BLUETO~1\BTSTAC~1.EXE
.
**************************************************************************
.
Sluttid: 2010-09-04 16:11:47 - datorn startades om.
ComboFix-quarantined-files.txt 2010-09-04 14:11

Före genomsökningen: 74 486 022 144 byte ledigt
Efter genomsökningen: 75 110 187 008 byte ledigt

- - End Of File - - C2769A34D985988AF58CFAAFC1BA5D9B
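Added example (not from the thread, and not part of ComboFix, Malwarebytes or the spywarefri.dk helpers' own tooling): a small Python triage script that pulls out of a ComboFix log the indicators the helpers acted on in the follow-up posts, namely the Internet Explorer proxy pointed at the loopback address, the XP firewall switched off, the driver ComboFix reported as deregistered, and the Sigcheck entries it could not hash. It also lists the Malwarebytes entries that were only scheduled for "Delete on reboot", so a reader can see which items were not actually gone until the machine restarted. The sample lines are constructed excerpts of the two logs posted above (with ComboFix's straight-quote formatting restored); the indicator names such as `loopback_proxy` are this script's own labels, not ComboFix terminology.

```python
"""Triage helper for ComboFix and Malwarebytes log excerpts (added example)."""
import re

# Constructed excerpt of the ComboFix log posted in the thread (not the full log).
SAMPLE_COMBOFIX = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

*Deregistered* - cfmefixl

[-] 2010-08-30 19:47 . !HASH: COULD NOT OPEN FILE !!!!! . 210816 . . [------] . . c:\windows\system32\drivers\ndis.sys
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2086743
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>
"""

# Constructed excerpt of the Malwarebytes log posted in the thread.
SAMPLE_MBAM = r"""
Files Infected:
C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\Desktop.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ipsecndis.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\Drivers\ntndis.sys (Rootkit.Agent) -> Delete on reboot.
"""

# "ProxyServer = http=127.0.0.1:6092" or "ProxyServer = host:port" (scheme prefix optional).
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:[a-z]+=)?(?P<host>[\w.\-]+):(?P<port>\d+)", re.I)
FIREWALL_RE = re.compile(r'"EnableFirewall"\s*=\s*(?P<val>\d+)')
DEREG_RE = re.compile(r"\*Deregistered\*\s*-\s*(?P<name>\S+)")
SIGCHECK_FAIL = "!HASH: COULD NOT OPEN FILE"
MBAM_REBOOT_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^)]+)\) -> Delete on reboot\.$")


def is_loopback(host):
    """True when the proxy can only be served by a process on this same machine."""
    return host.lower() == "localhost" or host.startswith("127.")


def triage_combofix(log_text):
    """Return (indicator, detail) pairs, in log order, for a ComboFix log."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = PROXY_RE.search(line)
        if m:
            kind = "loopback_proxy" if is_loopback(m["host"]) else "proxy_server"
            findings.append((kind, f"{m['host']}:{m['port']}"))
            continue
        m = FIREWALL_RE.search(line)
        if m and m["val"] == "0":
            findings.append(("firewall_disabled", line))
            continue
        m = DEREG_RE.search(line)
        if m:
            findings.append(("deregistered_driver", m["name"]))
            continue
        if line.startswith("[-]") and SIGCHECK_FAIL in line:
            # Sigcheck prints the file path as the last " . "-separated field.
            findings.append(("sigcheck_unreadable", line.rsplit(" . ", 1)[-1].strip()))
    return findings


def mbam_pending_reboot(log_text):
    """Paths Malwarebytes could not remove immediately (locked drivers and the like)."""
    pending = []
    for line in log_text.splitlines():
        m = MBAM_REBOOT_RE.match(line.strip())
        if m:
            pending.append(m["path"])
    return pending


if __name__ == "__main__":
    for kind, detail in triage_combofix(SAMPLE_COMBOFIX):
        print(f"{kind:22s} {detail}")
    for path in mbam_pending_reboot(SAMPLE_MBAM):
        print(f"delete on reboot       {path}")
```

A proxy on 127.0.0.1 is only an indicator when nothing on the machine is meant to serve it; here the browser was hijacked and then reported "no network connection", which is consistent with a proxy whose process was removed during cleanup. The script reports a proxy on any other host under the separate `proxy_server` label so that a legitimate corporate proxy is not mistaken for the same thing.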

Administrator
Number of posts: 29174

Go to Start -> Run and type “notepad” in the box.
Press OK.
Copy and paste the following code into Notepad:

mbr.exe -f


Go to File -> Save
Under “Save”, at the bottom of the window, choose “All files”
Save it as fix.bat
Double-click fix.bat on the desktop.

A new MBR log will be created. Paste it in here

  Moser
Number of posts: 56

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 1 !

Administrator
Number of posts: 29174

Open Notepad and copy the following (the text in bold) including the link into it - and save the text file as CFScript in the same place where you have ComboFix:

http://www.spywarefri.dk/forum/viewthread/78862/#495208
Snapshot::
Folder::
c:\temp\dvmexp
Dirlook::
C:\dvmexp
Mia::
c:\windows\system32\drivers\ndis.sys
c:\windows\system32\dllcache\ndis.sys
SrPeek::
c:\windows\system32\drivers\ndis.sys
c:\windows\system32\dllcache\ndis.sys
Restore::
c:\windows\system32\drivers\ndis.sys
c:\windows\system32\dllcache\ndis.sys
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>
Driver::
cfmefixl
Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cfmefixl]
Collect::
c:\windows\system32\drivers\cfmefixl.sys


Then grab the new file with the mouse and drag it over the Combofix file, then “let go” of the mouse. As shown here ->

http://www.fromsej.saknet.dk/billeder/swfcombo.gif


Combofix should then start working. It may require a restart, which you should allow. You should not click on the window while the tool is running, as that can make your computer freeze.

When ComboFix has finished its scan/cleanup, a ComboFix log opens together with a small message box. The cleanup you have just run has collected some files for further analysis. Now click OK in the message box to upload the collected files for further analysis (you need an internet connection to upload the files).


Post the new ComboFix log in here. It can be found here - C:\ComboFix.txt

  Moser
Number of posts: 56

ComboFix 10-09-02.03 - Ingrid 2010-09-05 10:15:59.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.1014.737 [GMT 2:00]
Körs från: c:\documents and settings\Ingrid\Skrivbord\Combo fix\ComboFix.exe
Använda kommandoväxlar :: c:\documents and settings\Ingrid\Skrivbord\Combo fix\CFScript.txt

VARNINIG -ÅTERSTÄLLNINGSKONSOLEN (THE RECOVERY CONSOLE) ÄR INTE INSTALLERAD PÅ DEN HÄR DATORN !!

file zipped: c:\windows\system32\drivers\cfmefixl.sys
.

(((((((((((((((((((((((((((((((((((((((  Andra raderingar   ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\dvmexp
c:\windows\system32\drivers\cfmefixl.sys

Infekterad kopia av c:\windows\system32\dllcache\ndis.sys hittades och desinficerades.
Återställd kopia från - c:\system volume information\_restore{5D67A0C6-9364-4993-88C3-FFF5EF3385F9}\RP109\A0019017.sys

.
(((((((((((((((((((((((((((((((((((((((  Drivrutiner/Tjänster   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CFMEFIXL
-------\Service_cfmefixl


((((((((((((((((((((((((  Filer Skapade från 2010-08-05 till 2010-09-05 ))))))))))))))))))))))))))))))
.

2010-09-05 08:23 . 2010-09-05 08:23   ————  d—h—w-  c:\temp\dvmexp
2010-09-05 08:23 . 2010-09-05 08:23   ————  d——-w-  C:\dvmexp
2010-09-05 08:15 . 2008-04-15 12:00   182656   -c—a-w-  c:\windows\system32\dllcache\ndis.sys
2010-09-03 13:28 . 2010-09-03 13:28   ————  d——-w-  c:\documents and settings\Ingrid\Application Data\Malwarebytes
2010-09-03 13:28 . 2010-04-29 13:39   38224   ——a-w-  c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-03 13:28 . 2010-09-03 13:28   ————  d——-w-  c:\program\Malwarebytes’ Anti-Malware
2010-09-03 13:28 . 2010-09-03 13:28   ————  d——-w-  c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-03 13:28 . 2010-04-29 13:39   20952   ——a-w-  c:\windows\system32\drivers\mbam.sys
2010-09-03 12:05 . 2010-06-28 20:37   165456   ——a-w-  c:\windows\system32\drivers\aswSP.sys
2010-09-03 12:05 . 2010-06-28 20:32   17744   ——a-w-  c:\windows\system32\drivers\aswFsBlk.sys
2010-09-03 12:05 . 2010-06-28 20:33   23376   ——a-w-  c:\windows\system32\drivers\aswRdr.sys
2010-09-03 12:05 . 2010-06-28 20:37   46672   ——a-w-  c:\windows\system32\drivers\aswTdi.sys
2010-09-03 12:04 . 2010-06-28 20:32   100176   ——a-w-  c:\windows\system32\drivers\aswmon2.sys
2010-09-03 12:04 . 2010-06-28 20:32   94544   ——a-w-  c:\windows\system32\drivers\aswmon.sys
2010-09-03 12:04 . 2010-06-28 20:32   28880   ——a-w-  c:\windows\system32\drivers\aavmker4.sys
2010-09-03 12:04 . 2010-06-28 20:57   38848   ——a-w-  c:\windows\avastSS.scr
2010-09-03 12:04 . 2010-06-28 20:57   165032   ——a-w-  c:\windows\system32\aswBoot.exe
2010-09-03 12:04 . 2010-09-03 12:04   ————  d——-w-  c:\program\Alwil Software
2010-09-03 12:04 . 2010-09-03 12:04   ————  d——-w-  c:\documents and settings\All Users\Application Data\Alwil Software
2010-09-03 06:29 . 2010-09-03 06:29   63488   ——a-w-  c:\documents and settings\Ingrid\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-03 06:29 . 2010-09-03 06:29   52224   ——a-w-  c:\documents and settings\Ingrid\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-03 06:29 . 2010-09-03 06:29   117760   ——a-w-  c:\documents and settings\Ingrid\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-03 06:28 . 2010-09-03 06:28   ————  d——-w-  c:\documents and settings\Ingrid\Application Data\SUPERAntiSpyware.com
2010-09-03 06:28 . 2010-09-03 06:28   ————  d——-w-  c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-09-03 06:28 . 2010-09-03 06:28   ————  d——-w-  c:\program\SUPERAntiSpyware
2010-09-03 06:15 . 2010-09-03 06:15   ————  d——-w-  c:\documents and settings\Administratör.INGRID
2010-09-03 05:40 . 2010-09-03 05:40   ————  d——-w-  C:\840e239d4183b0f32dbaec9fbc
2010-09-03 05:22 . 2010-06-14 14:31   744448   -c——w-  c:\windows\system32\dllcache\helpsvc.exe

.
((((((((((((((((((((((((((((((((((((((((  Find3M Rapport   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-05 06:58 . 2009-01-30 15:46   ————  d——-w-  c:\documents and settings\All Users\Application Data\Microsoft Help
2010-09-04 13:51 . 2008-07-22 10:30   494514   ——a-w-  c:\windows\system32\perfh01D.dat
2010-09-04 13:51 . 2008-07-22 10:30   105124   ——a-w-  c:\windows\system32\perfc01D.dat
2010-09-03 06:26 . 2009-03-10 03:04   1324   ——a-w-  c:\windows\system32\d3d9caps.dat
2010-09-01 19:50 . 2009-04-12 14:57   ————  d——-w-  c:\documents and settings\Ingrid\Application Data\dvdcss
2010-08-30 19:47 . 2008-07-22 10:30   210816   ——a-w-  c:\windows\system32\drivers\ndis.sys
2010-07-09 12:31 . 2010-01-25 09:57   ————  d——-w-  c:\documents and settings\Ingrid\Application Data\Spotify
2010-06-30 12:33 . 2008-07-22 10:30   149504   ——a-w-  c:\windows\system32\schannel.dll
2010-06-24 12:19 . 2008-07-22 10:30   832512   ——a-w-  c:\windows\system32\wininet.dll
2010-06-24 12:19 . 2008-07-22 10:30   78336   ——a-w-  c:\windows\system32\ieencode.dll
2010-06-24 12:19 . 2008-07-22 10:30   17408   ——a-w-  c:\windows\system32\corpol.dll
2010-06-24 09:02 . 2008-07-22 10:30   1851904   ——a-w-  c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2008-07-22 10:30   354304   ——a-w-  c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-07-22 10:30   80384   ——a-w-  c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2008-07-22 00:42   744448   ——a-w-  c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:43 . 2008-07-22 10:30   1172480   ——a-w-  c:\windows\system32\msxml3.dll
.

((((((((((((((((((((((((((((((((((((((((((((  Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
——Directory of C:\dvmexp——

((((((((((((((((((((((((((((((((((((((((((  SR_Search   ))))))))))))))))))))))))))))))))))))))))))))))))))))))))

[-] 5B2D50A1E3B574DF5D446E2B37E1C54C   210816   c:\windows\System32\drivers\ndis.sys
[7] 1DF7F42665C94B825322FAE71721130D   182656   \RP109\A0019017.sys
.
———- Sigcheck———-

[-] 2010-08-30 19:47 . !HASH: COULD NOT OPEN FILE !!!!! . 210816 . . [———] . . c:\windows\system32\drivers\ndis.sys
[-] 2008-04-15 12:00 . !HASH: COULD NOT OPEN FILE !!!!! . 182656 . . [———] . . c:\windows\system32\dllcache\ndis.sys
.
((((((((((((((((((((((((((((((((((  Startpunkter i registret   )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Not*  Tomma poster & legitima standardposter visas inte.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
“{dd02a4eb-4afd-4d60-99d8-e67f964ca813}”= “c:\program\PHPNukeEN\tbPHP1.dll” [2010-05-18 2515552]

[HKEY_CLASSES_ROOT\clsid\{dd02a4eb-4afd-4d60-99d8-e67f964ca813}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{dd02a4eb-4afd-4d60-99d8-e67f964ca813}]
2010-05-18 20:42   2515552   ——a-w-  c:\program\PHPNukeEN\tbPHP1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
“{dd02a4eb-4afd-4d60-99d8-e67f964ca813}”= “c:\program\PHPNukeEN\tbPHP1.dll” [2010-05-18 2515552]

[HKEY_CLASSES_ROOT\clsid\{dd02a4eb-4afd-4d60-99d8-e67f964ca813}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
“{DD02A4EB-4AFD-4D60-99D8-E67F964CA813}”= “c:\program\PHPNukeEN\tbPHP1.dll” [2010-05-18 2515552]

[HKEY_CLASSES_ROOT\clsid\{dd02a4eb-4afd-4d60-99d8-e67f964ca813}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VeriFace Enc]
@=”{771C7324-DA80-49D3-8017-753B0AF60951}”
[HKEY_CLASSES_ROOT\CLSID\{771C7324-DA80-49D3-8017-753B0AF60951}]
2009-01-30 15:38   241752   ——a-w-  c:\windows\system32\IcnOvrly.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“SUPERAntiSpyware”=“c:\program\SUPERAntiSpyware\SUPERAntiSpyware.exe” [2010-08-25 2424560]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“c:\windows\system32\CTFMON.EXE” [2008-04-15 15360]

c:\documents and settings\All Users\Start-meny\Program\Autostart\
BTTray.lnk - c:\program\Lenovo\Bluetooth Software\BTTray.exe [2008-6-24 600680]
Personal.lnk - c:\program\Personal\bin\Personal.exe [2010-2-11 939920]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”= “c:\program\SUPERAntiSpyware\SASSEH.DLL” [2008-05-13 77824]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
“EnableFirewall”= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\\Network Diagnostic\\xpnetdiag.exe”=
“%windir%\\system32\\sessmgr.exe”=
“c:\\Program\\Microsoft Office\\Office12\\OUTLOOK.EXE”=
“c:\\Program\\Spotify\\spotify.exe”=
“c:\\Program\\Windows Live\\Messenger\\msnmsgr.exe”=
“c:\\Program\\Windows Live\\Sync\\WindowsLiveSync.exe”=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-09-03 165456]
R1 SASDIFSV;SASDIFSV;c:\program\SUPERAntiSpyware\sasdifsv.sys [2010-02-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
R2 DvmMDES;DeviceVM Meta Data Export Service;c:\qstart.sys\config\DVMExportService.exe [2008-11-20 307200]
R2 PowerSave;PowerSave Service;c:\program\Packard Bell\Software Suite\PowerSave\PSPBSSS.exe [2009-04-06 1002016]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\drivers\AcpiVpc.sys [2009-01-30 9472]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-01-30 157696]
S2 aswFsBlk;aswFsBlk;aswFsBlk.sys—> aswFsBlk.sys [?]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys—> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
.
.
———- Extra genomsökning———-
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2086743
uSearchURL,(Default) = hxxp://g.msn.se/0SESVSE/SAOS01?FORM=TOOLBR
IE: E&xportera; till Microsoft Excel - c:\program\MICROS~3\Office12\EXCEL.EXE/3000
IE: Skicka till &Bluetooth;-enhet… - c:\program\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
IE: Skicka till Bluetooth - c:\program\Lenovo\Bluetooth Software\btsendto_ie.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-05 10:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe >>UNKNOWN [0x8655B0E0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7601f28
\Driver\ACPI -> ACPI.sys @ 0xf7494cb8
\Driver\atapi -> atapi.sys @ 0xf7367852
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
NDIS: Broadcom NetLink (TM) Fast Ethernet -> SendCompleteHandler -> NDIS.sys @ 0x864fbbb0
PacketIndicateHandler -> NDIS.sys @ 0x864eaa0d
SendHandler -> NDIS.sys @ 0x864feb40
user & kernel MBR OK
copy of MBR has been found in sector 1 !

**************************************************************************
.
——————————- LÅSTA REGISTERNYCKLAR——————————-

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
“Installed”=“1”
@=”“

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
“NoChange”=“1”
“Installed”=“1”
@=”“

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
“Installed”=“1”
@=”“

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@=“Microsoft Diskkvot”
“NoMachinePolicy”=dword:00000000
“NoUserPolicy”=dword:00000001
“NoSlowLink”=dword:00000001
“NoBackgroundPolicy”=dword:00000001
“NoGPOListChanges”=dword:00000001
“PerUserLocalSettings”=dword:00000000
“RequiresSuccessfulRegistry”=dword:00000001
“EnableAsynchronousProcessing”=dword:00000000
“DllName”=expand:“dskquota.dll”
“ProcessGroupPolicy”=“ProcessGroupPolicy”

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@=“Internet Explorer Zonemapping”
“DllName”=expand:“iedkcs32.dll”
“ProcessGroupPolicy”=“ProcessGroupPolicyForZoneMap”
“NoGPOListChanges”=dword:00000001
“RequiresSucessfulRegistry”=dword:00000001
“DisplayName”=expand:”@iedkcs32.dll,-3051”

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
“ProcessGroupPolicy”=“SceProcessSecurityPolicyGPO”
“GenerateGroupPolicy”=“SceGenerateGroupPolicy”
“ExtensionRsopPlanningDebugLevel”=dword:00000001
“ProcessGroupPolicyEx”=“SceProcessSecurityPolicyGPOEx”
“ExtensionDebugLevel”=dword:00000001
“DllName”=expand:“scecli.dll”
@=“Security”
“NoUserPolicy”=dword:00000001
“NoGPOListChanges”=dword:00000001
“EnableAsynchronousProcessing”=dword:00000001
“MaxNoGPOListChangesInterval”=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@DACL=(02 0000)
“ProcessGroupPolicyEx”=“ProcessGroupPolicyEx”
“GenerateGroupPolicy”=“GenerateGroupPolicy”
“ProcessGroupPolicy”=“ProcessGroupPolicy”
“DllName”=“iedkcs32.dll”
@=“Internet Explorer Branding”
“NoSlowLink”=dword:00000001
“NoBackgroundPolicy”=dword:00000000
“NoGPOListChanges”=dword:00000001
“NoMachinePolicy”=dword:00000001
“DisplayName”=expand:”@iedkcs32.dll,-3014”

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
“ProcessGroupPolicy”=“SceProcessEFSRecoveryGPO”
“DllName”=expand:“scecli.dll”
@=“EFS recovery”
“NoUserPolicy”=dword:00000001
“NoGPOListChanges”=dword:00000001
“RequiresSuccessfulRegistry”=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
@DACL=(02 0000)
@=“802.3 Group Policy”
“DisplayName”=expand:”@dot3gpclnt.dll,-100”
“ProcessGroupPolicyEx”=“ProcessLANPolicyEx”
“GenerateGroupPolicy”=“GenerateLANPolicy”
“DllName”=expand:“dot3gpclnt.dll”
“NoUserPolicy”=dword:00000001
“NoGPOListChanges”=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@DACL=(02 0000)
@=“Microsoft Offline Files”
“DllName”=expand:”%SystemRoot%\\System32\\cscui.dll”
“EnableAsynchronousProcessing”=dword:00000000
“NoBackgroundPolicy”=dword:00000000
“NoGPOListChanges”=dword:00000000
“NoMachinePolicy”=dword:00000000
“NoSlowLink”=dword:00000000
“NoUserPolicy”=dword:00000001
“PerUserLocalSettings”=dword:00000000
“ProcessGroupPolicy”=“ProcessGroupPolicy”
“RequiresSuccessfulRegistry”=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@DACL=(02 0000)
@=“Programvaruinstallation”
“DllName”=expand:“appmgmts.dll”
“ProcessGroupPolicyEx”=“ProcessGroupPolicyObjectsEx”
“GenerateGroupPolicy”=“GenerateGroupPolicy”
“NoBackgroundPolicy”=dword:00000000
“RequiresSucessfulRegistry”=dword:00000000
“NoSlowLink”=dword:00000001
“PerUserLocalSettings”=dword:00000001
“EventSources”=multi:”(Application Management,Application)\00(MsiInstaller,Application)\00\00”

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
@DACL=(02 0000)
“DllName”=“c:\\Program\\SUPERAntiSpyware\\SASWINLO.DLL”
“Logon”=“SABWINLOLogon”
“Logoff”=“SABWINLOLogoff”
“Startup”=“SABWINLOStartup”
“Shutdown”=“SABWINLOShutdown”
“Asynchronous”=dword:00000000
“Impersonate”=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
@DACL=(02 0000)
“Asynchronous”=dword:00000000
“Impersonate”=dword:00000000
“DllName”=expand:“crypt32.dll”
“Logoff”=“ChainWlxLogoffEvent”

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
@DACL=(02 0000)
“Asynchronous”=dword:00000000
“Impersonate”=dword:00000000
“DllName”=expand:“cryptnet.dll”
“Logoff”=“CryptnetWlxLogoffEvent”

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
@DACL=(02 0000)
“DLLName”=“cscdll.dll”
“Logon”=“WinlogonLogonEvent”
“Logoff”=“WinlogonLogoffEvent”
“ScreenSaver”=“WinlogonScreenSaverEvent”
“Startup”=“WinlogonStartupEvent”
“Shutdown”=“WinlogonShutdownEvent”
“StartShell”=“WinlogonStartShellEvent”
“Impersonate”=dword:00000000
“Asynchronous”=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
@DACL=(02 0000)
“Asynchronous”=dword:00000001
“DllName”=expand:”%SystemRoot%\\System32\\dimsntfy.dll”
“Startup”=“WlDimsStartup”
“Shutdown”=“WlDimsShutdown”
“Logon”=“WlDimsLogon”
“Logoff”=“WlDimsLogoff”
“StartShell”=“WlDimsStartShell”
“Lock”=“WlDimsLock”
“Unlock”=“WlDimsUnlock”

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@DACL=(02 0000)
@SACL=
@=”“
“DLLName”=“igfxdev.dll”
“Asynchronous”=dword:00000001
“Impersonate”=dword:00000001
“Unlock”=“WinlogonUnlockEvent”

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PicNotify]
@DACL=(02 0000)
@SACL=
“DLLName”=“PicNotify.dll”
“Logon”=“HeadLogon”
“Logoff”=“HeadLogoff”
“StartScreenSaver”=“HeadStartScreenSaver”
“StopScreenSaver”=“HeadStopScreenSaver”
“Startup”=“HeadStartup”
“Shutdown”=“HeadShutdown”
“StartShell”=“HeadCreateShell”
“Lock”=“HeadLock”
“Unlock”=“HeadUnlock”
“Impersonate”=dword:00000000
“Asynchronous”=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
@DACL=(02 0000)
“DLLName”=“wlnotify.dll”
“Logon”=“SCardStartCertProp”
“Logoff”=“SCardStopCertProp”
“Lock”=“SCardSuspendCertProp”
“Unlock”=“SCardResumeCertProp”
“Enabled”=dword:00000000
“Impersonate”=dword:00000001
“Asynchronous”=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
@DACL=(02 0000)
“Asynchronous”=dword:00000000
“DllName”=expand:“wlnotify.dll”
“Impersonate”=dword:00000000
“StartShell”=“SchedStartShell”
“Logoff”=“SchedEventLogOff”

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
@DACL=(02 0000)
“Logoff”=“WLEventLogoff”
“Impersonate”=dword:00000000
“Asynchronous”=dword:00000001
“DllName”=expand:“sclgntfy.dll”

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
@DACL=(02 0000)
“DLLName”=“WlNotify.dll”
“Lock”=“SensLockEvent”
“Logon”=“SensLogonEvent”
“Logoff”=“SensLogoffEvent”
“Safe”=dword:00000001
“MaxWait”=dword:00000258
“StartScreenSaver”=“SensStartScreenSaverEvent”
“StopScreenSaver”=“SensStopScreenSaverEvent”
“Startup”=“SensStartupEvent”
“Shutdown”=“SensShutdownEvent”
“StartShell”=“SensStartShellEvent”
“PostShell”=“SensPostShellEvent”
“Disconnect”=“SensDisconnectEvent”
“Reconnect”=“SensReconnectEvent”
“Unlock”=“SensUnlockEvent”
“Impersonate”=dword:00000001
“Asynchronous”=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
@DACL=(02 0000)
“Asynchronous”=dword:00000000
“DllName”=expand:“wlnotify.dll”
“Impersonate”=dword:00000000
“Logoff”=“TSEventLogoff”
“Logon”=“TSEventLogon”
“PostShell”=“TSEventPostShell”
“Shutdown”=“TSEventShutdown”
“StartShell”=“TSEventStartShell”
“Startup”=“TSEventStartup”
“MaxWait”=dword:00000258
“Reconnect”=“TSEventReconnect”
“Disconnect”=“TSEventDisconnect”

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
@DACL=(02 0000)
“DLLName”=“wlnotify.dll”
“Logon”=“RegisterTicketExpiredNotificationEvent”
“Logoff”=“UnregisterTicketExpiredNotificationEvent”
“Impersonate”=dword:00000001
“Asynchronous”=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
“Hjälpassistent”=dword:00000000
“TsInternetUser”=dword:00000000
“SQLAgentCmdExec”=dword:00000000
“NetShowServices”=dword:00000000
“HelpAssistant”=dword:00000000
“IWAM_”=dword:00010000
“IUSR_”=dword:00010000
“VUSR_”=dword:00010000
“ASPNET”=dword:00000000
.
——————————- DLLer som “laddats” under processer som körs——————————-

- - - - - - - > ‘explorer.exe’(1228)
c:\windows\system32\IcnOvrly.dll
c:\windows\system32\btmmhook.dll
.
————————————Andra processer som körs————————————
.
c:\program\Lenovo\Bluetooth Software\bin\btwdins.exe
c:\program\Alwil Software\Avast5\AvastSvc.exe
c:\program\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program\Delade filer\Lenovo\tvt_reg_monitor_svc.exe
c:\program\Delade filer\Lenovo\Scheduler\tvtsched.exe
c:\program\lenovo\system update\suservice.exe
c:\program\Lenovo\BLUETO~1\BTSTAC~1.EXE
.
**************************************************************************
.
Sluttid: 2010-09-05 10:38:49 - datorn startades om.
ComboFix-quarantined-files.txt 2010-09-05 08:38
ComboFix2.txt 2010-09-04 14:11

Före genomsökningen: 74 911 207 424 byte ledigt
Efter genomsökningen: 74 771 697 664 byte ledigt

- - End Of File - - 2F4B95F8366F7F42115A6795A93D1515

Administrator
Number of posts: 3474

Open Notepad, copy the highlighted text into it, and save the text file as CFScript in the same place where you have ComboFix

Killall::
Snapshot::
Mia::
c:\windows\system32\drivers\ndis.sys
SrPeek::
c:\windows\system32\drivers\ndis.sys
Restore::
c:\windows\system32\drivers\ndis.sys

Since Combofix can conflict with your security programs, it is important that you disable them.

Then grab the new file with the mouse, drag it over the Combofix file, and “let go” with the mouse.
http://www.fromsej.saknet.dk/billeder/swfcombo.gif


Combofix should then start working. It may require a restart, which you should allow. You should not click on the window while the tool is running, as that can cause your computer to freeze.
When Combofix is finished, and after it has (possibly) restarted, a log file should open: combofix.txt, which is located at C:\Combofix.txt

Please post the contents of that file here.

[ Edited: 07.09.2010, 02:51 by f-arn TeamSpywarefri ]
Signature

Please do not attach logs unless you are asked to!
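The reason this CFScript restores ndis.sys from dllcache is visible in the SR_Search section of the log above: ComboFix lists every copy of the driver it found with an MD5 and a size, and the live file in system32\drivers (210816 bytes) does not match the dllcache copy or the older restore-point snapshot (182656 bytes). The following Python script is an added example for this thread, not code from the thread or from ComboFix. It parses those SR_Search lines, groups the copies by hash and size so a differing copy stands out, and checks a file's bytes against an expected hash and size, which is the check a practitioner would run on the restored driver afterwards. The sample input is the SR_Search block from the log in this thread; the function names and the test bytes are my own, and the bracketed tag ComboFix prints in front of each line is carried through without being interpreted.

```python
"""Cross-check copies of a Windows system driver using the "[tag] MD5 size path"
lines from ComboFix's SR_Search section. Added example; not ComboFix's own code."""
import hashlib
import re
from collections import OrderedDict

# One SR_Search line: "[<tag>] <MD5>   <size>   <path>". The tag is kept as text.
SR_LINE = re.compile(
    r"^\[(?P<tag>[^\]]*)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<size>\d+)\s+(?P<path>\S.*?)\s*$"
)

# Sample input: the SR_Search block from the ComboFix log posted in this thread
# (the live driver, its dllcache copy and two System Restore snapshots).
SAMPLE_SR_SEARCH = r"""
((((((((((((((((((((((((((((((((((((((((((  SR_Search   ))))))))))))))))))))))))))))))))))))))))))))))))))))))))

[7] 1DF7F42665C94B825322FAE71721130D   182656   c:\windows\system32\dllcache\ndis.sys
[-] 5B2D50A1E3B574DF5D446E2B37E1C54C   210816   \RP113\A0023724.sys

[-] 5B2D50A1E3B574DF5D446E2B37E1C54C   210816   c:\windows\System32\drivers\ndis.sys
[7] 1DF7F42665C94B825322FAE71721130D   182656   \RP109\A0019017.sys
"""


def parse_sr_search(text):
    """Return a list of (tag, md5, size, path) tuples; hashes are upper-cased."""
    entries = []
    for line in text.splitlines():
        m = SR_LINE.match(line.strip())
        if m:
            entries.append((m["tag"], m["md5"].upper(), int(m["size"]), m["path"]))
    return entries


def group_by_hash(entries):
    """Map (md5, size) -> list of paths, in first-seen order. One group means
    every copy agrees; two or more means some copy has been altered or updated."""
    groups = OrderedDict()
    for _tag, md5, size, path in entries:
        groups.setdefault((md5, size), []).append(path)
    return groups


def find_entry(entries, path):
    """Look up one copy by path; Windows paths compare case-insensitively."""
    wanted = path.lower()
    for entry in entries:
        if entry[3].lower() == wanted:
            return entry
    return None


def live_matches_reference(entries, live_path, reference_path):
    """True when the live file's (md5, size) equals the reference copy's."""
    live = find_entry(entries, live_path)
    ref = find_entry(entries, reference_path)
    if live is None or ref is None:
        raise KeyError("path missing from SR_Search output")
    return live[1:3] == ref[1:3]


def md5_hex(data):
    """Upper-case MD5 in the form ComboFix prints. MD5 is used here only to
    corroborate ComboFix's own figures, not to authenticate a download."""
    return hashlib.md5(data).hexdigest().upper()


def verify_bytes(data, expected_md5, expected_size):
    """Check a file's contents against a known hash+size pair, e.g. the dllcache
    values above, after Restore:: has replaced the driver."""
    return len(data) == expected_size and md5_hex(data) == expected_md5.upper()


def report(text):
    """Summarise the copies per distinct (md5, size); returns the lines."""
    lines = []
    for (md5, size), paths in group_by_hash(parse_sr_search(text)).items():
        lines.append(f"{md5} {size:>8} bytes: {len(paths)} copies")
        lines.extend(f"    {p}" for p in paths)
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SR_SEARCH)))
    same = live_matches_reference(
        parse_sr_search(SAMPLE_SR_SEARCH),
        r"c:\windows\System32\drivers\ndis.sys",
        r"c:\windows\system32\dllcache\ndis.sys",
    )
    print("live driver matches dllcache copy:", same)
```

Run as-is it prints two groups for the sample block and reports that the live driver does not match the dllcache copy, which is what ComboFix's later "Infekterad kopia ... desinficerades / Återställd kopia från dllcache" lines confirm. To use `verify_bytes` on a real machine, read the restored driver with `open(path, "rb").read()` and pass the dllcache hash and size printed by ComboFix; a mismatch after the restore means the replacement did not take or something rewrote the file again.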

  Moser
Number of posts: 56

ComboFix 10-09-02.03 - Ingrid 2010-09-07   7:20.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.1014.742 [GMT 2:00]
Körs från: c:\documents and settings\Ingrid\Skrivbord\Combo fix\ComboFix.exe
Använda kommandoväxlar :: c:\documents and settings\Ingrid\Skrivbord\Combo fix\CFScript.txt
* Skapade en ny återställningspunkt

VARNINIG -ÅTERSTÄLLNINGSKONSOLEN (THE RECOVERY CONSOLE) ÄR INTE INSTALLERAD PÅ DEN HÄR DATORN !!
.

(((((((((((((((((((((((((((((((((((((((  Andra raderingar   ))))))))))))))))))))))))))))))))))))))))))))))))
.

Infekterad kopia av c:\windows\system32\drivers\ndis.sys hittades och desinficerades.
Återställd kopia från - c:\windows\system32\dllcache\ndis.sys
.
((((((((((((((((((((((((  Filer Skapade från 2010-08-07 till 2010-09-07 ))))))))))))))))))))))))))))))
.

2010-09-07 05:18 . 2010-09-07 05:18   ————  d—h—w-  c:\temp\dvmexp
2010-09-07 05:18 . 2010-09-07 05:18   ————  d——-w-  C:\dvmexp
2010-09-05 08:15 . 2008-04-15 12:00   182656   -c—a-w-  c:\windows\system32\dllcache\ndis.sys
2010-09-03 13:28 . 2010-09-03 13:28   ————  d——-w-  c:\documents and settings\Ingrid\Application Data\Malwarebytes
2010-09-03 13:28 . 2010-04-29 13:39   38224   ——a-w-  c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-03 13:28 . 2010-09-03 13:28   ————  d——-w-  c:\program\Malwarebytes’ Anti-Malware
2010-09-03 13:28 . 2010-09-03 13:28   ————  d——-w-  c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-03 13:28 . 2010-04-29 13:39   20952   ——a-w-  c:\windows\system32\drivers\mbam.sys
2010-09-03 12:05 . 2010-06-28 20:37   165456   ——a-w-  c:\windows\system32\drivers\aswSP.sys
2010-09-03 12:05 . 2010-06-28 20:32   17744   ——a-w-  c:\windows\system32\drivers\aswFsBlk.sys
2010-09-03 12:05 . 2010-06-28 20:33   23376   ——a-w-  c:\windows\system32\drivers\aswRdr.sys
2010-09-03 12:05 . 2010-06-28 20:37   46672   ——a-w-  c:\windows\system32\drivers\aswTdi.sys
2010-09-03 12:04 . 2010-06-28 20:32   100176   ——a-w-  c:\windows\system32\drivers\aswmon2.sys
2010-09-03 12:04 . 2010-06-28 20:32   94544   ——a-w-  c:\windows\system32\drivers\aswmon.sys
2010-09-03 12:04 . 2010-06-28 20:32   28880   ——a-w-  c:\windows\system32\drivers\aavmker4.sys
2010-09-03 12:04 . 2010-06-28 20:57   38848   ——a-w-  c:\windows\avastSS.scr
2010-09-03 12:04 . 2010-06-28 20:57   165032   ——a-w-  c:\windows\system32\aswBoot.exe
2010-09-03 12:04 . 2010-09-03 12:04   ————  d——-w-  c:\program\Alwil Software
2010-09-03 12:04 . 2010-09-03 12:04   ————  d——-w-  c:\documents and settings\All Users\Application Data\Alwil Software
2010-09-03 06:29 . 2010-09-03 06:29   63488   ——a-w-  c:\documents and settings\Ingrid\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-03 06:29 . 2010-09-03 06:29   52224   ——a-w-  c:\documents and settings\Ingrid\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-03 06:29 . 2010-09-03 06:29   117760   ——a-w-  c:\documents and settings\Ingrid\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-03 06:28 . 2010-09-03 06:28   ————  d——-w-  c:\documents and settings\Ingrid\Application Data\SUPERAntiSpyware.com
2010-09-03 06:28 . 2010-09-03 06:28   ————  d——-w-  c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-09-03 06:28 . 2010-09-03 06:28   ————  d——-w-  c:\program\SUPERAntiSpyware
2010-09-03 06:15 . 2010-09-03 06:15   ————  d——-w-  c:\documents and settings\Administratör.INGRID
2010-09-03 05:40 . 2010-09-03 05:40   ————  d——-w-  C:\840e239d4183b0f32dbaec9fbc
2010-09-03 05:22 . 2010-06-14 14:31   744448   -c——w-  c:\windows\system32\dllcache\helpsvc.exe

.
((((((((((((((((((((((((((((((((((((((((  Find3M Rapport   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-05 06:58 . 2009-01-30 15:46   ————  d——-w-  c:\documents and settings\All Users\Application Data\Microsoft Help
2010-09-04 13:51 . 2008-07-22 10:30   494514   ——a-w-  c:\windows\system32\perfh01D.dat
2010-09-04 13:51 . 2008-07-22 10:30   105124   ——a-w-  c:\windows\system32\perfc01D.dat
2010-09-03 06:26 . 2009-03-10 03:04   1324   ——a-w-  c:\windows\system32\d3d9caps.dat
2010-09-01 19:50 . 2009-04-12 14:57   ————  d——-w-  c:\documents and settings\Ingrid\Application Data\dvdcss
2010-07-09 12:31 . 2010-01-25 09:57   ————  d——-w-  c:\documents and settings\Ingrid\Application Data\Spotify
2010-06-30 12:33 . 2008-07-22 10:30   149504   ——a-w-  c:\windows\system32\schannel.dll
2010-06-24 12:19 . 2008-07-22 10:30   832512   ——a-w-  c:\windows\system32\wininet.dll
2010-06-24 12:19 . 2008-07-22 10:30   78336   ——a-w-  c:\windows\system32\ieencode.dll
2010-06-24 12:19 . 2008-07-22 10:30   17408   ——a-w-  c:\windows\system32\corpol.dll
2010-06-24 09:02 . 2008-07-22 10:30   1851904   ——a-w-  c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2008-07-22 10:30   354304   ——a-w-  c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-07-22 10:30   80384   ——a-w-  c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2008-07-22 00:42   744448   ——a-w-  c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:43 . 2008-07-22 10:30   1172480   ——a-w-  c:\windows\system32\msxml3.dll
.

((((((((((((((((((((((((((((((((((((((((((  SR_Search   ))))))))))))))))))))))))))))))))))))))))))))))))))))))))

[7] 1DF7F42665C94B825322FAE71721130D   182656   c:\windows\system32\dllcache\ndis.sys
[-] 5B2D50A1E3B574DF5D446E2B37E1C54C   210816   \RP113\A0023724.sys

[-] 5B2D50A1E3B574DF5D446E2B37E1C54C   210816   c:\windows\System32\drivers\ndis.sys
[7] 1DF7F42665C94B825322FAE71721130D   182656   \RP109\A0019017.sys
.
((((((((((((((((((((((((((((((((((  Startpunkter i registret   )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Not*  Tomma poster & legitima standardposter visas inte.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
“{dd02a4eb-4afd-4d60-99d8-e67f964ca813}”= “c:\program\PHPNukeEN\tbPHP1.dll” [2010-05-18 2515552]

[HKEY_CLASSES_ROOT\clsid\{dd02a4eb-4afd-4d60-99d8-e67f964ca813}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{dd02a4eb-4afd-4d60-99d8-e67f964ca813}]
2010-05-18 20:42   2515552   ——a-w-  c:\program\PHPNukeEN\tbPHP1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
“{dd02a4eb-4afd-4d60-99d8-e67f964ca813}”= “c:\program\PHPNukeEN\tbPHP1.dll” [2010-05-18 2515552]

[HKEY_CLASSES_ROOT\clsid\{dd02a4eb-4afd-4d60-99d8-e67f964ca813}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
“{DD02A4EB-4AFD-4D60-99D8-E67F964CA813}”= “c:\program\PHPNukeEN\tbPHP1.dll” [2010-05-18 2515552]

[HKEY_CLASSES_ROOT\clsid\{dd02a4eb-4afd-4d60-99d8-e67f964ca813}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VeriFace Enc]
@=”{771C7324-DA80-49D3-8017-753B0AF60951}”
[HKEY_CLASSES_ROOT\CLSID\{771C7324-DA80-49D3-8017-753B0AF60951}]
2009-01-30 15:38   241752   ——a-w-  c:\windows\system32\IcnOvrly.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“SUPERAntiSpyware”=“c:\program\SUPERAntiSpyware\SUPERAntiSpyware.exe” [2010-08-25 2424560]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“c:\windows\system32\CTFMON.EXE” [2008-04-15 15360]

c:\documents and settings\All Users\Start-meny\Program\Autostart\
BTTray.lnk - c:\program\Lenovo\Bluetooth Software\BTTray.exe [2008-6-24 600680]
Personal.lnk - c:\program\Personal\bin\Personal.exe [2010-2-11 939920]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”= “c:\program\SUPERAntiSpyware\SASSEH.DLL” [2008-05-13 77824]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
“EnableFirewall”= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\\Network Diagnostic\\xpnetdiag.exe”=
“%windir%\\system32\\sessmgr.exe”=
“c:\\Program\\Microsoft Office\\Office12\\OUTLOOK.EXE”=
“c:\\Program\\Spotify\\spotify.exe”=
“c:\\Program\\Windows Live\\Messenger\\msnmsgr.exe”=
“c:\\Program\\Windows Live\\Sync\\WindowsLiveSync.exe”=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-09-03 165456]
R1 SASDIFSV;SASDIFSV;c:\program\SUPERAntiSpyware\sasdifsv.sys [2010-02-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
R2 DvmMDES;DeviceVM Meta Data Export Service;c:\qstart.sys\config\DVMExportService.exe [2008-11-20 307200]
R2 PowerSave;PowerSave Service;c:\program\Packard Bell\Software Suite\PowerSave\PSPBSSS.exe [2009-04-06 1002016]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\drivers\AcpiVpc.sys [2009-01-30 9472]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-01-30 157696]
S2 aswFsBlk;aswFsBlk;aswFsBlk.sys—> aswFsBlk.sys [?]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys—> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
.
.
———- Extra genomsökning———-
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2086743
uSearchURL,(Default) = hxxp://g.msn.se/0SESVSE/SAOS01?FORM=TOOLBR
IE: E&xportera; till Microsoft Excel - c:\program\MICROS~3\Office12\EXCEL.EXE/3000
IE: Skicka till &Bluetooth;-enhet… - c:\program\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
IE: Skicka till Bluetooth - c:\program\Lenovo\Bluetooth Software\btsendto_ie.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-07 07:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
——————————- LÅSTA REGISTERNYCKLAR——————————-

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
“Installed”=“1”
@=”“

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
“NoChange”=“1”
“Installed”=“1”
@=”“

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
“Installed”=“1”
@=”“

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@=“Microsoft Diskkvot”
“NoMachinePolicy”=dword:00000000
“NoUserPolicy”=dword:00000001
“NoSlowLink”=dword:00000001
“NoBackgroundPolicy”=dword:00000001
“NoGPOListChanges”=dword:00000001
“PerUserLocalSettings”=dword:00000000
“RequiresSuccessfulRegistry”=dword:00000001
“EnableAsynchronousProcessing”=dword:00000000
"DllName"=expand:"dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@="Internet Explorer Zonemapping"
"DllName"=expand:"iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"=expand:"@iedkcs32.dll,-3051"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@DACL=(02 0000)
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"=expand:"@iedkcs32.dll,-3014"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=expand:"scecli.dll"
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
@DACL=(02 0000)
@="802.3 Group Policy"
"DisplayName"=expand:"@dot3gpclnt.dll,-100"
"ProcessGroupPolicyEx"="ProcessLANPolicyEx"
"GenerateGroupPolicy"="GenerateLANPolicy"
"DllName"=expand:"dot3gpclnt.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@DACL=(02 0000)
@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@DACL=(02 0000)
@="Programvaruinstallation"
"DllName"=expand:"appmgmts.dll"
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
@DACL=(02 0000)
"DllName"="c:\\Program\\SUPERAntiSpyware\\SASWINLO.DLL"
"Logon"="SABWINLOLogon"
"Logoff"="SABWINLOLogoff"
"Startup"="SABWINLOStartup"
"Shutdown"="SABWINLOShutdown"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"cryptnet.dll"
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
@DACL=(02 0000)
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
@DACL=(02 0000)
"Asynchronous"=dword:00000001
"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
"Startup"="WlDimsStartup"
"Shutdown"="WlDimsShutdown"
"Logon"="WlDimsLogon"
"Logoff"="WlDimsLogoff"
"StartShell"="WlDimsStartShell"
"Lock"="WlDimsLock"
"Unlock"="WlDimsUnlock"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@DACL=(02 0000)
@SACL=
@=""
"DLLName"="igfxdev.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PicNotify]
@DACL=(02 0000)
@SACL=
"DLLName"="PicNotify.dll"
"Logon"="HeadLogon"
"Logoff"="HeadLogoff"
"StartScreenSaver"="HeadStartScreenSaver"
"StopScreenSaver"="HeadStopScreenSaver"
"Startup"="HeadStartup"
"Shutdown"="HeadShutdown"
"StartShell"="HeadCreateShell"
"Lock"="HeadLock"
"Unlock"="HeadUnlock"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000000
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
@DACL=(02 0000)
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=expand:"sclgntfy.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
@DACL=(02 0000)
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
"Hjälpassistent"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"HelpAssistant"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
"ASPNET"=dword:00000000
.
------------------------- DLLs loaded under running processes -------------------------

- - - - - - - > ‘explorer.exe’(2908)
c:\windows\system32\IcnOvrly.dll
c:\windows\system32\btmmhook.dll
.
------------------------------- Other running processes -------------------------------
.
c:\program\Lenovo\Bluetooth Software\bin\btwdins.exe
c:\program\Alwil Software\Avast5\AvastSvc.exe
c:\program\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program\Delade filer\Lenovo\tvt_reg_monitor_svc.exe
c:\program\Delade filer\Lenovo\Scheduler\tvtsched.exe
c:\program\lenovo\system update\suservice.exe
c:\program\Lenovo\BLUETO~1\BTSTAC~1.EXE
.
**************************************************************************
.
Completion time: 2010-09-07 07:31:42 - the computer was restarted.
ComboFix-quarantined-files.txt 2010-09-07 05:31
ComboFix2.txt 2010-09-05 08:38
ComboFix3.txt 2010-09-04 14:11

Pre-Run: 74,757,574,656 bytes free
Post-Run: 74,748,276,736 bytes free

- - End Of File - - 3D8902199465AAEFBAF8A60BF7C01430

Administrator
Number of posts: 3474

How is the PC running now? From here on it is starting to look reasonable.

Signature

Please do not attach logs unless you are asked to!

  Moser
Number of posts: 56

It runs fine, but I haven't tried connecting it to the internet yet.. is it ready for the big test?

Administrator
Number of posts: 3474

Try this first.
Download and transfer this update for Malwarebytes: http://data.mbamupdates.com/tools/mbam-rules.exe

Install it and run a "full system scan". Let it remove whatever it finds.
Post the log here before you connect it.

Signature

Please do not attach logs unless you are asked to!

  Moser
Number of posts: 56

Malwarebytes’ Anti-Malware 1.46
http://www.malwarebytes.org

Database version: 4563

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

2010-09-07 21:55:06
mbam-log-2010-09-07 (21-55-06).txt

Scan type: Full scan (C:\|)
Objects scanned: 179352
Time elapsed: 36 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Documents and Settings\Administratör.INGRID\Lokala inställningar\Application Data\okfpjkwgn\xvtayjcshdw.exe.vir (Rogue.SecuritySuite) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\Ingrid\Lokala inställningar\Application Data\fwitjgnak\jbkwwrqshdw.exe.vir (Rogue.SecuritySuite) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\ndis.sys.vir (Rootkit.Kobcka) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5D67A0C6-9364-4993-88C3-FFF5EF3385F9}\RP110\A0021042.exe (Trojan.IRCBrute) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5D67A0C6-9364-4993-88C3-FFF5EF3385F9}\RP110\A0021063.exe (Trojan.Pincav) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5D67A0C6-9364-4993-88C3-FFF5EF3385F9}\RP112\A0023401.exe (Rogue.SecuritySuite) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5D67A0C6-9364-4993-88C3-FFF5EF3385F9}\RP112\A0023403.exe (Rogue.SecuritySuite) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5D67A0C6-9364-4993-88C3-FFF5EF3385F9}\RP112\A0023404.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5D67A0C6-9364-4993-88C3-FFF5EF3385F9}\RP112\A0023406.exe (Trojan.Pincav) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5D67A0C6-9364-4993-88C3-FFF5EF3385F9}\RP112\A0023407.exe (Rogue.SecuritySuite) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5D67A0C6-9364-4993-88C3-FFF5EF3385F9}\RP112\A0023409.exe (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5D67A0C6-9364-4993-88C3-FFF5EF3385F9}\RP112\A0023414.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5D67A0C6-9364-4993-88C3-FFF5EF3385F9}\RP112\A0023418.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5D67A0C6-9364-4993-88C3-FFF5EF3385F9}\RP112\A0023420.exe (Trojan.Pincav) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5D67A0C6-9364-4993-88C3-FFF5EF3385F9}\RP113\A0023724.sys (Rootkit.Kobcka) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5D67A0C6-9364-4993-88C3-FFF5EF3385F9}\RP114\A0023915.sys (Rootkit.Kobcka) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administratör.INGRID\Application Data\ohydy.exe (Worm.Palevo) -> Quarantined and deleted successfully.


Ready for the internet now?
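The Malwarebytes log above sorted by where each hit was actually found, as an added example that is not part of the thread and not Malwarebytes or ComboFix code. It separates detections that were already sitting in ComboFix's quarantine (C:\Qoobox\Quarantine) and stale copies frozen inside System Restore points (System Volume Information\_restore...) from files that were still live when the scan ran. The bucket rules and the helper names are this example's own assumptions; the sample lines are a subset copied from the log above.

```python
"""Triage the "Files Infected" section of a Malwarebytes log by location.

Added example for this thread, not Malwarebytes or ComboFix code. Every
detection is put into one of three buckets: 'combofix_quarantine' (a copy
ComboFix had already moved to C:\\Qoobox\\Quarantine), 'restore_point' (an
old copy inside a System Restore point) or 'live' (still in place on the
system). The bucket rules are this example's own assumptions.
"""
import re
from collections import Counter

# Constructed input: a subset of the "Files Infected" lines from the log above.
SAMPLE_LOG = r"""
Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\ndis.sys.vir (Rootkit.Kobcka) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5D67A0C6-9364-4993-88C3-FFF5EF3385F9}\RP112\A0023409.exe (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5D67A0C6-9364-4993-88C3-FFF5EF3385F9}\RP113\A0023724.sys (Rootkit.Kobcka) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administratör.INGRID\Application Data\ohydy.exe (Worm.Palevo) -> Quarantined and deleted successfully.
"""

# One detection line looks like:  <path> (<family>) -> <action>
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
# Restore-point folder name inside a System Volume Information path, e.g. RP112
RP_RE = re.compile(r"\\(RP\d+)\\", re.IGNORECASE)


def classify_location(path: str) -> str:
    """Return 'combofix_quarantine', 'restore_point' or 'live' for a detection path."""
    p = path.lower()
    if p.startswith("c:\\qoobox\\quarantine\\"):
        return "combofix_quarantine"
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    return "live"


def restore_point_of(path: str):
    """The RPnnn folder a restore-point hit came from, or None."""
    m = RP_RE.search(path)
    return m.group(1) if m else None


def parse_detections(log_text: str) -> list:
    """Parse every detection line into a dict; headers and count lines are skipped."""
    hits = []
    for raw in log_text.splitlines():
        m = DETECTION_RE.match(raw.strip())
        if not m:
            continue
        hits.append({
            "path": m["path"],
            "family": m["family"],
            "action": m["action"],
            "where": classify_location(m["path"]),
        })
    return hits


def summarize(hits: list) -> dict:
    """Counts per location and per family, the live paths, and the restore points involved."""
    return {
        "counts": dict(Counter(h["where"] for h in hits)),
        "families": dict(Counter(h["family"] for h in hits)),
        "live_paths": [h["path"] for h in hits if h["where"] == "live"],
        "restore_points": sorted(
            {restore_point_of(h["path"]) for h in hits if h["where"] == "restore_point"}
        ),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_detections(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the four sample lines this gives one quarantine copy, two restore-point copies (RP112 and RP113) and a single live file, ohydy.exe under the Administrator profile; applied to the full log above the picture is the same, with only that one live hit. Hits inside System Volume Information are not active, but Windows XP keeps them until the restore points are purged, and a later System Restore to one of those points would put the files back on disk, which is why the same families appear under several RPnnn folders.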

Administrator
Number of posts: 3474

I can see there is some Avast on it, but it doesn't look like it is working properly. Before that PC is put on the net, there has to be a working antivirus.
You can download a test virus here: http://www.eicar.org/anti_virus_test_file.htm
You can also read how to make it yourself.

Signature

Please do not attach logs unless you are asked to!
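One way to do the "make it yourself" check the administrator points at, as an added example that is not part of the thread and not code from eicar.org or Avast. The script assembles the 68-byte EICAR test string from two fragments (so the script is not itself quarantined before it runs), writes it to a file, and reports whether a resident scanner blocked the write or removed the file. The output path, the wait time, the result labels and the assumption that a Python 3 interpreter is available on the machine are this example's own.

```python
"""Create the EICAR test file and see whether a resident scanner reacts to it.

Added example for this thread, not code from eicar.org or from Avast. The
test string is built from two fragments so the complete signature never
appears contiguously in this file; the assembled string is then written to
disk, where a working on-access scanner should block the write or remove the
file within a few seconds. Path, wait time and labels are assumptions.
"""
import os
import sys
import tempfile
import time

# The published test string, split in two on purpose (see module docstring).
_FRAGMENTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
)
# Whitespace the EICAR rules allow after the string itself.
_TRAILER_BYTES = b" \t\r\n\x1a"


def eicar_string() -> str:
    """The exact 68-character test string."""
    return "".join(_FRAGMENTS)


def is_valid_eicar(data: bytes) -> bool:
    """EICAR rules: the string itself, optionally followed by whitespace, 128 bytes at most."""
    core = eicar_string().encode("ascii")
    if not data.startswith(core) or len(data) > 128:
        return False
    return all(b in _TRAILER_BYTES for b in data[len(core):])


def probe_scanner(path: str, wait_seconds: float = 10.0) -> str:
    """Write the test file at `path` and report what the resident scanner did.

    Returns 'blocked_on_write' if the OS refused the write (a typical on-access
    block), 'removed' if the file disappeared within wait_seconds, or
    'still_present' if nothing touched it; in the last case the file is
    deleted again here so no test file is left behind.
    """
    try:
        with open(path, "wb") as fh:
            fh.write(eicar_string().encode("ascii"))
    except OSError:
        return "blocked_on_write"
    deadline = time.monotonic() + wait_seconds
    while time.monotonic() < deadline:
        if not os.path.exists(path):
            return "removed"
        time.sleep(0.5)
    try:
        os.remove(path)
    except OSError:
        pass  # the scanner may have taken it between the check and the remove
    return "still_present"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.join(tempfile.gettempdir(), "eicar.com")
    print(f"writing test file to {target}")
    print("scanner result:", probe_scanner(target))
```

Run it on the cleaned machine before plugging the network cable back in: 'blocked_on_write' or 'removed' means the on-access scanner is alive, while 'still_present' means nothing is watching the disk, which fits the administrator's suspicion that the Avast install is not working. Some scanners only react when a file is opened or executed rather than when it is written, so a 'still_present' result is a strong hint rather than proof; opening or running the file afterwards settles it.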