“Fake” antivirus program has taken over the PC
Administrator
Number of posts: 4202

Would you please post the latest ComboFix log here. There are some locked keys I didn't touch. They are unusual on an XP Home, but not outright illegitimate. If something unusual has been done in the setup of that PC that I need to take into account, I'd like to know.

Signature

Please do not attach logs unless you are asked to!

Moser
Number of posts: 60

ComboFix 10-09-02.03 - Ingrid 2010-09-09   7:37.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.1014.533 [GMT 2:00]
Körs från: d:\combo fix\ComboFix.exe
Använda kommandoväxlar :: d:\combo fix\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

VARNINIG -ÅTERSTÄLLNINGSKONSOLEN (THE RECOVERY CONSOLE) ÄR INTE INSTALLERAD PÅ DEN HÄR DATORN !!
.
- REDUCERAD FUNKTIONALITETSMOD -
.

((((((((((((((((((((((((  Filer Skapade från 2010-08-09 till 2010-09-09 ))))))))))))))))))))))))))))))
.

2010-09-09 05:07 . 2010-09-09 05:07   ————  d—h—w-  c:\temp\dvmexp
2010-09-09 05:07 . 2010-09-09 05:07   ————  d——-w-  C:\dvmexp
2010-09-08 14:09 . 2010-09-07 14:47   17744   ——a-w-  c:\windows\system32\drivers\aswFsBlk.sys
2010-09-08 14:09 . 2010-09-07 14:52   165584   ——a-w-  c:\windows\system32\drivers\aswSP.sys
2010-09-08 14:09 . 2010-09-07 14:47   23376   ——a-w-  c:\windows\system32\drivers\aswRdr.sys
2010-09-08 14:09 . 2010-09-07 14:52   46672   ——a-w-  c:\windows\system32\drivers\aswTdi.sys
2010-09-08 14:09 . 2010-09-07 14:47   100176   ——a-w-  c:\windows\system32\drivers\aswmon2.sys
2010-09-08 14:09 . 2010-09-07 14:47   94544   ——a-w-  c:\windows\system32\drivers\aswmon.sys
2010-09-08 14:09 . 2010-09-07 14:46   28880   ——a-w-  c:\windows\system32\drivers\aavmker4.sys
2010-09-08 14:09 . 2010-09-07 15:11   167592   ——a-w-  c:\windows\system32\aswBoot.exe
2010-09-08 13:24 . 2009-10-07 13:28   17544   ———w-  c:\windows\system32\drivers\RkPavproc1.sys
2010-09-08 13:21 . 2009-06-30 07:37   28552   ——a-w-  c:\windows\system32\drivers\pavboot.sys
2010-09-08 13:21 . 2010-09-08 13:21   ————  d——-w-  c:\program\Panda Security
2010-09-08 08:27 . 2010-09-08 08:27   ————  d——-w-  c:\program\AVG
2010-09-05 08:15 . 2008-04-15 12:00   182656   -c—a-w-  c:\windows\system32\dllcache\ndis.sys
2010-09-03 13:28 . 2010-09-03 13:28   ————  d——-w-  c:\documents and settings\Ingrid\Application Data\Malwarebytes
2010-09-03 13:28 . 2010-09-09 05:06   ————  d——-w-  c:\program\Malwarebytes’ Anti-Malware
2010-09-03 13:28 . 2010-09-03 13:28   ————  d——-w-  c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-03 12:04 . 2010-09-07 15:12   38848   ——a-w-  c:\windows\avastSS.scr
2010-09-03 12:04 . 2010-09-08 14:09   ————  d——-w-  c:\program\Alwil Software
2010-09-03 12:04 . 2010-09-03 12:04   ————  d——-w-  c:\documents and settings\All Users\Application Data\Alwil Software
2010-09-03 06:29 . 2010-09-08 09:07   63488   ——a-w-  c:\documents and settings\Ingrid\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-03 06:29 . 2010-09-03 06:29   52224   ——a-w-  c:\documents and settings\Ingrid\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-03 06:29 . 2010-09-08 09:07   117760   ——a-w-  c:\documents and settings\Ingrid\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-03 06:28 . 2010-09-03 06:28   ————  d——-w-  c:\documents and settings\Ingrid\Application Data\SUPERAntiSpyware.com
2010-09-03 06:28 . 2010-09-03 06:28   ————  d——-w-  c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-09-03 06:28 . 2010-09-03 06:28   ————  d——-w-  c:\program\SUPERAntiSpyware
2010-09-03 06:15 . 2010-09-08 14:15   ————  d——-w-  c:\documents and settings\Administratör.INGRID
2010-09-03 05:40 . 2010-09-03 05:40   ————  d——-w-  C:\840e239d4183b0f32dbaec9fbc
2010-09-03 05:22 . 2010-06-14 14:31   744448   -c——w-  c:\windows\system32\dllcache\helpsvc.exe

.
((((((((((((((((((((((((((((((((((((((((  Find3M Rapport   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-09 05:25 . 2008-07-22 10:30   494514   ——a-w-  c:\windows\system32\perfh01D.dat
2010-09-09 05:25 . 2008-07-22 10:30   105124   ——a-w-  c:\windows\system32\perfc01D.dat
2010-09-08 14:42 . 2009-01-30 15:39   ————  d——-w-  c:\program\Delade filer\Adobe
2010-09-05 06:58 . 2009-01-30 15:46   ————  d——-w-  c:\documents and settings\All Users\Application Data\Microsoft Help
2010-09-03 06:26 . 2009-03-10 03:04   1324   ——a-w-  c:\windows\system32\d3d9caps.dat
2010-09-01 19:50 . 2009-04-12 14:57   ————  d——-w-  c:\documents and settings\Ingrid\Application Data\dvdcss
2010-06-30 12:33 . 2008-07-22 10:30   149504   ——a-w-  c:\windows\system32\schannel.dll
2010-06-24 12:19 . 2008-07-22 10:30   832512   ——a-w-  c:\windows\system32\wininet.dll
2010-06-24 12:19 . 2008-07-22 10:30   78336   ——a-w-  c:\windows\system32\ieencode.dll
2010-06-24 12:19 . 2008-07-22 10:30   17408   ——a-w-  c:\windows\system32\corpol.dll
2010-06-24 09:02 . 2008-07-22 10:30   1851904   ——a-w-  c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2008-07-22 10:30   354304   ——a-w-  c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-07-22 10:30   80384   ——a-w-  c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2008-07-22 00:42   744448   ——a-w-  c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:43 . 2008-07-22 10:30   1172480   ——a-w-  c:\windows\system32\msxml3.dll
.

((((((((((((((((((((((((((((((((((  Startpunkter i registret   )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Not*  Tomma poster & legitima standardposter visas inte.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
“{dd02a4eb-4afd-4d60-99d8-e67f964ca813}”= “c:\program\PHPNukeEN\tbPHP1.dll” [2010-05-18 2515552]

[HKEY_CLASSES_ROOT\clsid\{dd02a4eb-4afd-4d60-99d8-e67f964ca813}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{dd02a4eb-4afd-4d60-99d8-e67f964ca813}]
2010-05-18 20:42   2515552   ——a-w-  c:\program\PHPNukeEN\tbPHP1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
“{dd02a4eb-4afd-4d60-99d8-e67f964ca813}”= “c:\program\PHPNukeEN\tbPHP1.dll” [2010-05-18 2515552]

[HKEY_CLASSES_ROOT\clsid\{dd02a4eb-4afd-4d60-99d8-e67f964ca813}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
“{DD02A4EB-4AFD-4D60-99D8-E67F964CA813}”= “c:\program\PHPNukeEN\tbPHP1.dll” [2010-05-18 2515552]

[HKEY_CLASSES_ROOT\clsid\{dd02a4eb-4afd-4d60-99d8-e67f964ca813}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VeriFace Enc]
@=”{771C7324-DA80-49D3-8017-753B0AF60951}”
[HKEY_CLASSES_ROOT\CLSID\{771C7324-DA80-49D3-8017-753B0AF60951}]
2009-01-30 15:38   241752   ——a-w-  c:\windows\system32\IcnOvrly.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“SUPERAntiSpyware”=“c:\program\SUPERAntiSpyware\SUPERAntiSpyware.exe” [2010-08-25 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“avast5”=“c:\program\ALWILS~1\Avast5\avastUI.exe” [2010-09-07 2838912]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“c:\windows\system32\CTFMON.EXE” [2008-04-15 15360]

c:\documents and settings\All Users\Start-meny\Program\Autostart\
BTTray.lnk - c:\program\Lenovo\Bluetooth Software\BTTray.exe [2008-6-24 600680]
Personal.lnk - c:\program\Personal\bin\Personal.exe [2010-2-11 939920]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”= “c:\program\SUPERAntiSpyware\SASSEH.DLL” [2008-05-13 77824]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
“EnableFirewall”= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\\Network Diagnostic\\xpnetdiag.exe”=
“%windir%\\system32\\sessmgr.exe”=
“c:\\Program\\Microsoft Office\\Office12\\OUTLOOK.EXE”=
“c:\\Program\\Spotify\\spotify.exe”=
“c:\\Program\\Windows Live\\Messenger\\msnmsgr.exe”=
“c:\\Program\\Windows Live\\Sync\\WindowsLiveSync.exe”=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-09-08 28552]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-09-08 165584]
R1 SASDIFSV;SASDIFSV;c:\program\SUPERAntiSpyware\sasdifsv.sys [2010-02-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-09-08 17744]
R2 DvmMDES;DeviceVM Meta Data Export Service;c:\qstart.sys\config\DVMExportService.exe [2008-11-20 307200]
R2 PowerSave;PowerSave Service;c:\program\Packard Bell\Software Suite\PowerSave\PSPBSSS.exe [2009-04-06 1002016]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\drivers\AcpiVpc.sys [2009-01-30 9472]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-01-30 157696]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys—> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
.
.
———- Extra genomsökning———-
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2086743
uSearchURL,(Default) = hxxp://g.msn.se/0SESVSE/SAOS01?FORM=TOOLBR
IE: E&xportera; till Microsoft Excel - c:\program\MICROS~3\Office12\EXCEL.EXE/3000
IE: Skicka till &Bluetooth;-enhet… - c:\program\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
IE: Skicka till Bluetooth - c:\program\Lenovo\Bluetooth Software\btsendto_ie.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-09 07:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
——————————- LÅSTA REGISTERNYCKLAR——————————-

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@=“Microsoft Diskkvot”
“NoMachinePolicy”=dword:00000000
“NoUserPolicy”=dword:00000001
“NoSlowLink”=dword:00000001
“NoBackgroundPolicy”=dword:00000001
“NoGPOListChanges”=dword:00000001
“PerUserLocalSettings”=dword:00000000
“RequiresSuccessfulRegistry”=dword:00000001
“EnableAsynchronousProcessing”=dword:00000000
“DllName”=expand:“dskquota.dll”
“ProcessGroupPolicy”=“ProcessGroupPolicy”

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@=“Internet Explorer Zonemapping”
“DllName”=expand:“iedkcs32.dll”
“ProcessGroupPolicy”=“ProcessGroupPolicyForZoneMap”
“NoGPOListChanges”=dword:00000001
“RequiresSucessfulRegistry”=dword:00000001
“DisplayName”=expand:”@iedkcs32.dll,-3051”

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
“ProcessGroupPolicy”=“SceProcessSecurityPolicyGPO”
“GenerateGroupPolicy”=“SceGenerateGroupPolicy”
“ExtensionRsopPlanningDebugLevel”=dword:00000001
“ProcessGroupPolicyEx”=“SceProcessSecurityPolicyGPOEx”
“ExtensionDebugLevel”=dword:00000001
“DllName”=expand:“scecli.dll”
@=“Security”
“NoUserPolicy”=dword:00000001
“NoGPOListChanges”=dword:00000001
“EnableAsynchronousProcessing”=dword:00000001
“MaxNoGPOListChangesInterval”=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@DACL=(02 0000)
“ProcessGroupPolicyEx”=“ProcessGroupPolicyEx”
“GenerateGroupPolicy”=“GenerateGroupPolicy”
“ProcessGroupPolicy”=“ProcessGroupPolicy”
“DllName”=“iedkcs32.dll”
@=“Internet Explorer Branding”
“NoSlowLink”=dword:00000001
“NoBackgroundPolicy”=dword:00000000
“NoGPOListChanges”=dword:00000001
“NoMachinePolicy”=dword:00000001
“DisplayName”=expand:”@iedkcs32.dll,-3014”

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
“ProcessGroupPolicy”=“SceProcessEFSRecoveryGPO”
“DllName”=expand:“scecli.dll”
@=“EFS recovery”
“NoUserPolicy”=dword:00000001
“NoGPOListChanges”=dword:00000001
“RequiresSuccessfulRegistry”=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
@DACL=(02 0000)
@=“802.3 Group Policy”
“DisplayName”=expand:”@dot3gpclnt.dll,-100”
“ProcessGroupPolicyEx”=“ProcessLANPolicyEx”
“GenerateGroupPolicy”=“GenerateLANPolicy”
“DllName”=expand:“dot3gpclnt.dll”
“NoUserPolicy”=dword:00000001
“NoGPOListChanges”=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@DACL=(02 0000)
@=“Microsoft Offline Files”
“DllName”=expand:”%SystemRoot%\\System32\\cscui.dll”
“EnableAsynchronousProcessing”=dword:00000000
“NoBackgroundPolicy”=dword:00000000
“NoGPOListChanges”=dword:00000000
“NoMachinePolicy”=dword:00000000
“NoSlowLink”=dword:00000000
“NoUserPolicy”=dword:00000001
“PerUserLocalSettings”=dword:00000000
“ProcessGroupPolicy”=“ProcessGroupPolicy”
“RequiresSuccessfulRegistry”=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@DACL=(02 0000)
@=“Programvaruinstallation”
“DllName”=expand:“appmgmts.dll”
“ProcessGroupPolicyEx”=“ProcessGroupPolicyObjectsEx”
“GenerateGroupPolicy”=“GenerateGroupPolicy”
“NoBackgroundPolicy”=dword:00000000
“RequiresSucessfulRegistry”=dword:00000000
“NoSlowLink”=dword:00000001
“PerUserLocalSettings”=dword:00000001
“EventSources”=multi:”(Application Management,Application)\00(MsiInstaller,Application)\00\00”

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
@DACL=(02 0000)
“DllName”=“c:\\Program\\SUPERAntiSpyware\\SASWINLO.DLL”
“Logon”=“SABWINLOLogon”
“Logoff”=“SABWINLOLogoff”
“Startup”=“SABWINLOStartup”
“Shutdown”=“SABWINLOShutdown”
“Asynchronous”=dword:00000000
“Impersonate”=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
@DACL=(02 0000)
“Asynchronous”=dword:00000000
“Impersonate”=dword:00000000
“DllName”=expand:“crypt32.dll”
“Logoff”=“ChainWlxLogoffEvent”

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
@DACL=(02 0000)
“Asynchronous”=dword:00000000
“Impersonate”=dword:00000000
“DllName”=expand:“cryptnet.dll”
“Logoff”=“CryptnetWlxLogoffEvent”

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
@DACL=(02 0000)
“DLLName”=“cscdll.dll”
“Logon”=“WinlogonLogonEvent”
“Logoff”=“WinlogonLogoffEvent”
“ScreenSaver”=“WinlogonScreenSaverEvent”
“Startup”=“WinlogonStartupEvent”
“Shutdown”=“WinlogonShutdownEvent”
“StartShell”=“WinlogonStartShellEvent”
“Impersonate”=dword:00000000
“Asynchronous”=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
@DACL=(02 0000)
“Asynchronous”=dword:00000001
“DllName”=expand:”%SystemRoot%\\System32\\dimsntfy.dll”
“Startup”=“WlDimsStartup”
“Shutdown”=“WlDimsShutdown”
“Logon”=“WlDimsLogon”
“Logoff”=“WlDimsLogoff”
“StartShell”=“WlDimsStartShell”
“Lock”=“WlDimsLock”
“Unlock”=“WlDimsUnlock”

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@DACL=(02 0000)
@SACL=
@=”“
“DLLName”=“igfxdev.dll”
“Asynchronous”=dword:00000001
“Impersonate”=dword:00000001
“Unlock”=“WinlogonUnlockEvent”

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PicNotify]
@DACL=(02 0000)
@SACL=
“DLLName”=“PicNotify.dll”
“Logon”=“HeadLogon”
“Logoff”=“HeadLogoff”
“StartScreenSaver”=“HeadStartScreenSaver”
“StopScreenSaver”=“HeadStopScreenSaver”
“Startup”=“HeadStartup”
“Shutdown”=“HeadShutdown”
“StartShell”=“HeadCreateShell”
“Lock”=“HeadLock”
“Unlock”=“HeadUnlock”
“Impersonate”=dword:00000000
“Asynchronous”=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
@DACL=(02 0000)
“DLLName”=“wlnotify.dll”
“Logon”=“SCardStartCertProp”
“Logoff”=“SCardStopCertProp”
“Lock”=“SCardSuspendCertProp”
“Unlock”=“SCardResumeCertProp”
“Enabled”=dword:00000000
“Impersonate”=dword:00000001
“Asynchronous”=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
@DACL=(02 0000)
“Asynchronous”=dword:00000000
“DllName”=expand:“wlnotify.dll”
“Impersonate”=dword:00000000
“StartShell”=“SchedStartShell”
“Logoff”=“SchedEventLogOff”

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
@DACL=(02 0000)
“Logoff”=“WLEventLogoff”
“Impersonate”=dword:00000000
“Asynchronous”=dword:00000001
“DllName”=expand:“sclgntfy.dll”

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
@DACL=(02 0000)
“DLLName”=“WlNotify.dll”
“Lock”=“SensLockEvent”
“Logon”=“SensLogonEvent”
“Logoff”=“SensLogoffEvent”
“Safe”=dword:00000001
“MaxWait”=dword:00000258
“StartScreenSaver”=“SensStartScreenSaverEvent”
“StopScreenSaver”=“SensStopScreenSaverEvent”
“Startup”=“SensStartupEvent”
“Shutdown”=“SensShutdownEvent”
“StartShell”=“SensStartShellEvent”
“PostShell”=“SensPostShellEvent”
“Disconnect”=“SensDisconnectEvent”
“Reconnect”=“SensReconnectEvent”
“Unlock”=“SensUnlockEvent”
“Impersonate”=dword:00000001
“Asynchronous”=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
@DACL=(02 0000)
“Asynchronous”=dword:00000000
“DllName”=expand:“wlnotify.dll”
“Impersonate”=dword:00000000
“Logoff”=“TSEventLogoff”
“Logon”=“TSEventLogon”
“PostShell”=“TSEventPostShell”
“Shutdown”=“TSEventShutdown”
“StartShell”=“TSEventStartShell”
“Startup”=“TSEventStartup”
“MaxWait”=dword:00000258
“Reconnect”=“TSEventReconnect”
“Disconnect”=“TSEventDisconnect”

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
@DACL=(02 0000)
“DLLName”=“wlnotify.dll”
“Logon”=“RegisterTicketExpiredNotificationEvent”
“Logoff”=“UnregisterTicketExpiredNotificationEvent”
“Impersonate”=dword:00000001
“Asynchronous”=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
“Hjälpassistent”=dword:00000000
“TsInternetUser”=dword:00000000
“SQLAgentCmdExec”=dword:00000000
“NetShowServices”=dword:00000000
“HelpAssistant”=dword:00000000
“IWAM_”=dword:00010000
“IUSR_”=dword:00010000
“VUSR_”=dword:00010000
“ASPNET”=dword:00000000
.
——————————- DLLer som “laddats” under processer som körs——————————-

- - - - - - - > ‘explorer.exe’(3428)
c:\windows\system32\IcnOvrly.dll
c:\windows\system32\btmmhook.dll
.
————————————Andra processer som körs————————————
.
c:\program\Lenovo\Bluetooth Software\bin\btwdins.exe
c:\program\Alwil Software\Avast5\AvastSvc.exe
c:\program\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program\Delade filer\Lenovo\tvt_reg_monitor_svc.exe
c:\program\Delade filer\Lenovo\Scheduler\tvtsched.exe
c:\program\lenovo\system update\suservice.exe
c:\program\Lenovo\BLUETO~1\BTSTAC~1.EXE
c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE
.
**************************************************************************
.
Sluttid: 2010-09-09 07:44:35 - datorn startades om.
ComboFix-quarantined-files.txt 2010-09-09 05:44
ComboFix2.txt 2010-09-09 05:26
ComboFix3.txt 2010-09-07 05:31
ComboFix4.txt 2010-09-05 08:38
ComboFix5.txt 2010-09-09 05:36

Före genomsökningen: 74 103 046 144 byte ledigt
Efter genomsökningen: 74 088 583 168 byte ledigt

- - End Of File - - B795DFA303EFEA1907DAFD5E3DFCD8DB

Moser
Number of posts: 60

I can't imagine anything special has been done in the setup. As mentioned earlier, the PC belongs to a friend whom I'm helping to fix it, and honestly I don't think she would be able to change anything in the setup (at least not deliberately). XP is of course genuine and runs on a small netbook.

Administrator
Number of posts: 4202

I'm not entirely sure whether they should be deleted too, but….

Right-click on the desktop, choose New -> Text Document, copy the highlighted text into it and save the file as CFScript

Killall::
Snapshot::
Reglock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]

Since ComboFix can conflict with your security programs, it is important that you disable them.

Then grab the new file with the mouse, drag it over the ComboFix file and release the mouse button.
http://www.fromsej.saknet.dk/billeder/swfcombo.gif

ComboFix should then start working. It may require a restart, which you must allow. Do not click on the window while the tool is running, as that can make your computer freeze.
When ComboFix is finished, and after it has (possibly) restarted, a log file combofix.txt should open, located at C:\Combofix.txt

You're welcome to post the contents of that file here.

Signature

Please do not attach logs unless you are asked to!
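As an added triage helper (not part of this thread and not ComboFix's own code), the script below parses the locked-keys section of a ComboFix log, lists which Winlogon keys are locked and which DLL each one loads, and diffs two runs to show which locked keys disappeared after a Reglock:: script like the one above. The two embedded logs are constructed excerpts in the shape of the logs posted in this thread, and the section header is the Swedish one this ComboFix build printed.

```python
"""Triage helper for the "LÅSTA REGISTERNYCKLAR" (locked registry keys)
section of a ComboFix log: locked Winlogon keys, their DLLs, and a diff of two runs."""
import re
from typing import Dict, Set, Tuple

# Header as printed by the Swedish ComboFix build in this thread (other locales differ).
SECTION_HEADER = "LÅSTA REGISTERNYCKLAR"
# ComboFix opens the next section with a run of dashes (or asterisks).
SECTION_END = re.compile(r"^(?:[-—]{4,}|\*{10,})")
KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^(@\w*|"[^"]+")=(.*)$')

# Constructed excerpts in the shape of the logs above (only the keys the thread
# discusses; everything else is omitted).
BEFORE_LOG = r"""
.
------------------------ LÅSTA REGISTERNYCKLAR ------------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft Diskkvot"
"DllName"=expand:"dskquota.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"DllName"=expand:"scecli.dll"
@="Security"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
@DACL=(02 0000)
"DllName"="c:\\Program\\SUPERAntiSpyware\\SASWINLO.DLL"
"Logon"="SABWINLOLogon"
.
------------------------ DLLer som "laddats" under processer som körs ------------------------
"""

AFTER_LOG = r"""
------------------------ LÅSTA REGISTERNYCKLAR ------------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
@DACL=(02 0000)
"DllName"="c:\\Program\\SUPERAntiSpyware\\SASWINLO.DLL"
.
------------------------ DLLer som "laddats" under processer som körs ------------------------
"""


def locked_keys_section(log: str) -> str:
    """Return the lines between the locked-keys header and the next section marker."""
    lines = log.splitlines()
    start = next((i for i, line in enumerate(lines) if SECTION_HEADER in line), None)
    if start is None:
        return ""
    body = []
    for line in lines[start + 1:]:
        if SECTION_END.match(line):
            break
        body.append(line)
    return "\n".join(body)


def parse_locked_keys(log: str) -> Dict[str, Dict[str, str]]:
    """Map each locked key path to its raw values, e.g. {'DllName': 'expand:"scecli.dll"'}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in locked_keys_section(log).splitlines():
        key = KEY_LINE.match(line)
        if key:
            current = key.group(1)
            keys[current] = {}
            continue
        value = VALUE_LINE.match(line)
        if value and current is not None:
            keys[current][value.group(1).strip('"')] = value.group(2)
    return keys


def dll_name(values: Dict[str, str]) -> str:
    """Undo the expand:/quote/doubled-backslash decoration of a DllName value."""
    raw = values.get("DllName") or values.get("DLLName") or ""
    if raw.startswith("expand:"):
        raw = raw[len("expand:"):]
    return raw.strip('"').replace("\\\\", "\\")


def winlogon_loads(keys: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Locked Winlogon (Notify / GPExtensions) keys and the DLL each loads at logon."""
    return {k: dll_name(v) for k, v in keys.items() if "\\Winlogon\\" in k and dll_name(v)}


def diff_locked_keys(before: str, after: str) -> Tuple[Set[str], Set[str]]:
    """(keys locked before but not after, keys locked after but not before)."""
    b, a = set(parse_locked_keys(before)), set(parse_locked_keys(after))
    return b - a, a - b


if __name__ == "__main__":
    for key, dll in sorted(winlogon_loads(parse_locked_keys(BEFORE_LOG)).items()):
        name = key.split("\\")[-1]
        print(f"{name:45} -> {dll}")
    removed, added = diff_locked_keys(BEFORE_LOG, AFTER_LOG)
    print(f"unlocked since the previous run: {len(removed)}, newly locked: {len(added)}")
```

Keys that are still locked after the script, or that appear newly locked, are the ones worth a second look; a locked Winlogon\Notify key pointing at a DLL outside the Windows or a known vendor directory is the classic thing to check.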

Moser
Number of posts: 60

ComboFix 10-09-09.04 - Ingrid 2010-09-11 11:35:15.6.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.1014.559 [GMT 2:00]
Körs från: c:\documents and settings\Ingrid\Skrivbord\Combo fix\ComboFix.exe
Använda kommandoväxlar :: c:\documents and settings\Ingrid\Skrivbord\Combo fix\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

VARNINIG -ÅTERSTÄLLNINGSKONSOLEN (THE RECOVERY CONSOLE) ÄR INTE INSTALLERAD PÅ DEN HÄR DATORN !!
.

((((((((((((((((((((((((  Filer Skapade från 2010-08-11 till 2010-09-11 ))))))))))))))))))))))))))))))
.

2010-09-10 06:42 . 2010-09-10 09:51   ————  d—h—w-  c:\temp\dvmexp
2010-09-10 06:42 . 2010-09-10 06:42   ————  d——-w-  C:\dvmexp
2010-09-10 06:35 . 2010-09-11 09:42   ————  d——-w-  c:\windows\system32\CatRoot2
2010-09-08 14:09 . 2010-09-07 14:47   17744   ——a-w-  c:\windows\system32\drivers\aswFsBlk.sys
2010-09-08 14:09 . 2010-09-07 14:52   165584   ——a-w-  c:\windows\system32\drivers\aswSP.sys
2010-09-08 14:09 . 2010-09-07 14:47   23376   ——a-w-  c:\windows\system32\drivers\aswRdr.sys
2010-09-08 14:09 . 2010-09-07 14:52   46672   ——a-w-  c:\windows\system32\drivers\aswTdi.sys
2010-09-08 14:09 . 2010-09-07 14:47   100176   ——a-w-  c:\windows\system32\drivers\aswmon2.sys
2010-09-08 14:09 . 2010-09-07 14:47   94544   ——a-w-  c:\windows\system32\drivers\aswmon.sys
2010-09-08 14:09 . 2010-09-07 14:46   28880   ——a-w-  c:\windows\system32\drivers\aavmker4.sys
2010-09-08 14:09 . 2010-09-07 15:11   167592   ——a-w-  c:\windows\system32\aswBoot.exe
2010-09-08 13:24 . 2009-10-07 13:28   17544   ———w-  c:\windows\system32\drivers\RkPavproc1.sys
2010-09-08 13:21 . 2009-06-30 07:37   28552   ——a-w-  c:\windows\system32\drivers\pavboot.sys
2010-09-08 13:21 . 2010-09-08 13:21   ————  d——-w-  c:\program\Panda Security
2010-09-08 08:27 . 2010-09-08 08:27   ————  d——-w-  c:\program\AVG
2010-09-05 08:15 . 2008-04-15 12:00   182656   -c—a-w-  c:\windows\system32\dllcache\ndis.sys
2010-09-03 13:28 . 2010-09-03 13:28   ————  d——-w-  c:\documents and settings\Ingrid\Application Data\Malwarebytes
2010-09-03 13:28 . 2010-09-09 05:06   ————  d——-w-  c:\program\Malwarebytes’ Anti-Malware
2010-09-03 13:28 . 2010-09-03 13:28   ————  d——-w-  c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-03 12:04 . 2010-09-07 15:12   38848   ——a-w-  c:\windows\avastSS.scr
2010-09-03 12:04 . 2010-09-08 14:09   ————  d——-w-  c:\program\Alwil Software
2010-09-03 12:04 . 2010-09-03 12:04   ————  d——-w-  c:\documents and settings\All Users\Application Data\Alwil Software
2010-09-03 06:29 . 2010-09-08 09:07   63488   ——a-w-  c:\documents and settings\Ingrid\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-03 06:29 . 2010-09-03 06:29   52224   ——a-w-  c:\documents and settings\Ingrid\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-03 06:29 . 2010-09-08 09:07   117760   ——a-w-  c:\documents and settings\Ingrid\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-03 06:28 . 2010-09-03 06:28   ————  d——-w-  c:\documents and settings\Ingrid\Application Data\SUPERAntiSpyware.com
2010-09-03 06:28 . 2010-09-03 06:28   ————  d——-w-  c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-09-03 06:28 . 2010-09-03 06:28   ————  d——-w-  c:\program\SUPERAntiSpyware
2010-09-03 06:15 . 2010-09-08 14:15   ————  d——-w-  c:\documents and settings\Administratör.INGRID
2010-09-03 05:40 . 2010-09-03 05:40   ————  d——-w-  C:\840e239d4183b0f32dbaec9fbc
2010-09-03 05:22 . 2010-06-14 14:31   744448   -c——w-  c:\windows\system32\dllcache\helpsvc.exe

.
((((((((((((((((((((((((((((((((((((((((  Find3M Rapport   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-11 10:36 . 2008-07-22 10:30   494514   ——a-w-  c:\windows\system32\perfh01D.dat
2010-09-11 10:36 . 2008-07-22 10:30   105124   ——a-w-  c:\windows\system32\perfc01D.dat
2010-09-09 05:52 . 2009-01-30 15:39   ————  d——-w-  c:\program\Delade filer\Adobe
2010-09-05 06:58 . 2009-01-30 15:46   ————  d——-w-  c:\documents and settings\All Users\Application Data\Microsoft Help
2010-09-03 06:26 . 2009-03-10 03:04   1324   ——a-w-  c:\windows\system32\d3d9caps.dat
2010-09-01 19:50 . 2009-04-12 14:57   ————  d——-w-  c:\documents and settings\Ingrid\Application Data\dvdcss
2010-06-30 12:33 . 2008-07-22 10:30   149504   ——a-w-  c:\windows\system32\schannel.dll
2010-06-24 12:19 . 2008-07-22 10:30   832512   ——a-w-  c:\windows\system32\wininet.dll
2010-06-24 12:19 . 2008-07-22 10:30   78336   ——a-w-  c:\windows\system32\ieencode.dll
2010-06-24 12:19 . 2008-07-22 10:30   17408   ——a-w-  c:\windows\system32\corpol.dll
2010-06-24 09:02 . 2008-07-22 10:30   1851904   ——a-w-  c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2008-07-22 10:30   354304   ——a-w-  c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-07-22 10:30   80384   ——a-w-  c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2008-07-22 00:42   744448   ——a-w-  c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:43 . 2008-07-22 10:30   1172480   ——a-w-  c:\windows\system32\msxml3.dll
.

((((((((((((((((((((((((((((((((((  Startpunkter i registret   )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Not*  Tomma poster & legitima standardposter visas inte.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
“{dd02a4eb-4afd-4d60-99d8-e67f964ca813}”= “c:\program\PHPNukeEN\tbPHP1.dll” [2010-05-18 2515552]

[HKEY_CLASSES_ROOT\clsid\{dd02a4eb-4afd-4d60-99d8-e67f964ca813}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{dd02a4eb-4afd-4d60-99d8-e67f964ca813}]
2010-05-18 20:42   2515552   ——a-w-  c:\program\PHPNukeEN\tbPHP1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
“{dd02a4eb-4afd-4d60-99d8-e67f964ca813}”= “c:\program\PHPNukeEN\tbPHP1.dll” [2010-05-18 2515552]

[HKEY_CLASSES_ROOT\clsid\{dd02a4eb-4afd-4d60-99d8-e67f964ca813}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
“{DD02A4EB-4AFD-4D60-99D8-E67F964CA813}”= “c:\program\PHPNukeEN\tbPHP1.dll” [2010-05-18 2515552]

[HKEY_CLASSES_ROOT\clsid\{dd02a4eb-4afd-4d60-99d8-e67f964ca813}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VeriFace Enc]
@=”{771C7324-DA80-49D3-8017-753B0AF60951}”
[HKEY_CLASSES_ROOT\CLSID\{771C7324-DA80-49D3-8017-753B0AF60951}]
2009-01-30 15:38   241752   ——a-w-  c:\windows\system32\IcnOvrly.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“SUPERAntiSpyware”=“c:\program\SUPERAntiSpyware\SUPERAntiSpyware.exe” [2010-08-25 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“avast5”=“c:\program\ALWILS~1\Avast5\avastUI.exe” [2010-09-07 2838912]
“Adobe Reader Speed Launcher”=“c:\program\Adobe\Reader 9.0\Reader\Reader_sl.exe” [2010-06-20 35760]
“Adobe ARM”=“c:\program\Delade filer\Adobe\ARM\1.0\AdobeARM.exe” [2010-06-09 976832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“c:\windows\system32\CTFMON.EXE” [2008-04-15 15360]

c:\documents and settings\All Users\Start-meny\Program\Autostart\
BTTray.lnk - c:\program\Lenovo\Bluetooth Software\BTTray.exe [2008-6-24 600680]
Personal.lnk - c:\program\Personal\bin\Personal.exe [2010-2-11 939920]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”= “c:\program\SUPERAntiSpyware\SASSEH.DLL” [2008-05-13 77824]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
“EnableFirewall”= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\\Network Diagnostic\\xpnetdiag.exe”=
“%windir%\\system32\\sessmgr.exe”=
“c:\\Program\\Microsoft Office\\Office12\\OUTLOOK.EXE”=
“c:\\Program\\Spotify\\spotify.exe”=
“c:\\Program\\Windows Live\\Messenger\\msnmsgr.exe”=
“c:\\Program\\Windows Live\\Sync\\WindowsLiveSync.exe”=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-09-08 28552]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-09-08 165584]
R1 SASDIFSV;SASDIFSV;c:\program\SUPERAntiSpyware\sasdifsv.sys [2010-02-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-09-08 17744]
R2 DvmMDES;DeviceVM Meta Data Export Service;c:\qstart.sys\config\DVMExportService.exe [2008-11-20 307200]
R2 PowerSave;PowerSave Service;c:\program\Packard Bell\Software Suite\PowerSave\PSPBSSS.exe [2009-04-06 1002016]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\drivers\AcpiVpc.sys [2009-01-30 9472]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-01-30 157696]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys—> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
.
.
———- Extra genomsökning———-
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2086743
uSearchURL,(Default) = hxxp://g.msn.se/0SESVSE/SAOS01?FORM=TOOLBR
IE: E&xportera; till Microsoft Excel - c:\program\MICROS~3\Office12\EXCEL.EXE/3000
IE: Skicka till &Bluetooth;-enhet… - c:\program\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
IE: Skicka till Bluetooth - c:\program\Lenovo\Bluetooth Software\btsendto_ie.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-11 12:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ LÅSTA REGISTERNYCKLAR ------------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
@DACL=(02 0000)
"DllName"="c:\\Program\\SUPERAntiSpyware\\SASWINLO.DLL"
"Logon"="SABWINLOLogon"
"Logoff"="SABWINLOLogoff"
"Startup"="SABWINLOStartup"
"Shutdown"="SABWINLOShutdown"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"cryptnet.dll"
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
@DACL=(02 0000)
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
@DACL=(02 0000)
"Asynchronous"=dword:00000001
"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
"Startup"="WlDimsStartup"
"Shutdown"="WlDimsShutdown"
"Logon"="WlDimsLogon"
"Logoff"="WlDimsLogoff"
"StartShell"="WlDimsStartShell"
"Lock"="WlDimsLock"
"Unlock"="WlDimsUnlock"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@DACL=(02 0000)
@SACL=
@=""
"DLLName"="igfxdev.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PicNotify]
@DACL=(02 0000)
@SACL=
"DLLName"="PicNotify.dll"
"Logon"="HeadLogon"
"Logoff"="HeadLogoff"
"StartScreenSaver"="HeadStartScreenSaver"
"StopScreenSaver"="HeadStopScreenSaver"
"Startup"="HeadStartup"
"Shutdown"="HeadShutdown"
"StartShell"="HeadCreateShell"
"Lock"="HeadLock"
"Unlock"="HeadUnlock"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000000
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
@DACL=(02 0000)
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=expand:"sclgntfy.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
@DACL=(02 0000)
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
"Hjälpassistent"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"HelpAssistant"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
"ASPNET"=dword:00000000
.
.
------------------------ DLLer som "laddats" under processer som körs ------------------------

- - - - - - - > 'explorer.exe'(2352)
c:\windows\system32\IcnOvrly.dll
c:\windows\system32\btmmhook.dll
.
------------------------ Andra processer som körs ------------------------
.
c:\program\Lenovo\Bluetooth Software\bin\btwdins.exe
c:\program\Alwil Software\Avast5\AvastSvc.exe
c:\program\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program\Delade filer\Lenovo\tvt_reg_monitor_svc.exe
c:\program\Delade filer\Lenovo\Scheduler\tvtsched.exe
c:\program\lenovo\system update\suservice.exe
c:\program\Lenovo\BLUETO~1\BTSTAC~1.EXE
.
**************************************************************************
.
Sluttid: 2010-09-11 12:38:46 - datorn startades om.
ComboFix-quarantined-files.txt 2010-09-11 10:38
ComboFix2.txt 2010-09-09 05:44
ComboFix3.txt 2010-09-09 05:26
ComboFix4.txt 2010-09-07 05:31
ComboFix5.txt 2010-09-11 09:32

Före genomsökningen: 73 610 760 192 byte ledigt
Efter genomsökningen: 73 883 213 824 byte ledigt

- - End Of File - - C9CB24020486C8FF8058B4DF1824E511

Administrator
Number of posts: 4202

Have you tried Windows Update again? Possibly with Dial-a-fix.


  Moser
Number of posts: 60

Dial-a-fix has stopped complaining, but WGA still won't install..

Administrator
Number of posts: 4202

Try downloading this:
http://go.microsoft.com/?linkid=9665683

Run it in "Standard mode" to begin with.


  Moser
Number of posts: 60

The problem is still there.. should I give it a bit more gas with the program, then?

Administrator
Number of posts: 4202

The problem is still there.. should I give it a bit more gas with the program, then?

Yes


  Moser
Number of posts: 60

That didn't help... It really is stubborn! Do I have any other options?

Administrator
Number of posts: 4202

What exactly does it say, and where and when does it say it?
