
Author Topic: Trojan windows restore, help me??  (Read 16675 times)


gripenfighter

    Topic Starter


    Rookie

    • Experience: Beginner
    • OS: Unknown
    Trojan windows restore, help me??
    « on: April 14, 2011, 08:03:16 AM »
    I have "windows restore" on my system. I have tried to get rid of it but it is still there. I'm trying to use Malwarebytes Anti-Malware but the trojan stops me from installing it on my computer even when I follow the instructions from the bleepingcomputer site. Please, is there anyone who can help me?

    Christian

    Allan

    • Moderator

    • Mastermind
    • Thanked: 1260
    • Experience: Guru
    • OS: Windows 10
    Re: Trojan windows restore, help me??
    « Reply #1 on: April 14, 2011, 08:07:59 AM »
    Please follow the instructions in the following link and post your logs:
    http://www.computerhope.com/forum/index.php/topic,46313.0.html

    gripenfighter

      Topic Starter


      Rookie

      • Experience: Beginner
      • OS: Unknown
      Re: Trojan windows restore, help me??
      « Reply #2 on: April 17, 2011, 04:45:06 PM »
      I have done everything in exact order following your instructions. I can't see anything under C:. I still can't find my program in the program bar? I can't find anything in the program bar but the program I've installed during this process? For example, the "My documents" icon is visible but it seems like there is nothing there either. How can I find it?

      Best regards,
      Christian

      gripenfighter

        Topic Starter


        Rookie

        • Experience: Beginner
        • OS: Unknown
        Re: Trojan windows restore, help me??
        « Reply #3 on: April 17, 2011, 04:46:47 PM »
        I thank you very much up to this point. These are my logs from the process! But please look at my other concerns in the mail before this.

        [recovering disk space - old attachment deleted by admin]

        SuperDave

        • Malware Removal Specialist


        • Genius
        • Thanked: 1020
        • Certifications: List
        • Experience: Expert
        • OS: Windows 10
        Re: Trojan windows restore, help me??
        « Reply #4 on: April 18, 2011, 12:46:14 PM »
        Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

        1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
        2. The fixes are specific to your problem and should only be used for this issue on this machine.
        3. If you don't know or understand something, please don't hesitate to ask.
        4. Please DO NOT run any other tools or scans while I am helping you.
        5. It is important that you reply to this thread. Do not start a new topic.
        6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
        7. Absence of symptoms does not mean that everything is clear.

        If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
        ****************************************************
        Please do not attach the logs unless absolutely necessary. Copy and paste them in your reply.

        Download Security Check by screen317 from one of the following links and save it to your desktop.

        Link 1
        Link 2

        * Unzip SecurityCheck.zip and a folder named Security Check should appear.
        * Open the Security Check folder and double-click Security Check.bat
        * Follow the on-screen instructions inside of the black box.
        * A Notepad document should open automatically called checkup.txt
        * Post the contents of that document in your next reply.

        Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
        ***************************************************
        Please download ComboFix from BleepingComputer.com

        Alternate link: GeeksToGo.com

        and save it to your Desktop.
        It would be easiest to download using Internet Explorer.
        If you insist on using Firefox, make sure that your download settings are as follows:

        * Tools->Options->Main tab
        * Set to "Always ask me where to Save the files".

        Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
        Double click ComboFix.exe & follow the prompts.
        As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
        Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

        Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

        Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


        Click on Yes, to continue scanning for malware.
        When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

        If you have problems with ComboFix usage, see How to use ComboFix
        Windows 8 and Windows 10 dual boot with two SSD's

        gripenfighter

          Topic Starter


          Rookie

          • Experience: Beginner
          • OS: Unknown
          Re: Trojan windows restore, help me??
          « Reply #5 on: April 19, 2011, 07:57:15 AM »
          Hello Dave,

          I will try your instructions. Thank you so far!
          Christian

          gripenfighter

            Topic Starter


            Rookie

            • Experience: Beginner
            • OS: Unknown
            Re: Trojan windows restore, help me??
            « Reply #6 on: April 19, 2011, 08:07:34 AM »
            Hello again !

            When I try to install Security Check on my system it doesn't work. I get a message on the screen that says: AutoIt "Error allocating memory". How do I proceed from here? Do I need to uninstall Microsoft Security Essentials, the antispyware program, or what should I do?

            Christian

            gripenfighter

              Topic Starter


              Rookie

              • Experience: Beginner
              • OS: Unknown
              Re: Trojan windows restore, help me??
              « Reply #7 on: April 19, 2011, 08:09:32 AM »
              Excuse me!
              Here are the contents of Security Check!

              Results of screen317's Security Check version 0.99.10 
               Windows XP Service Pack 3 (UAC is enabled)
               Internet Explorer 8 
              ``````````````````````````````
              Antivirus/Firewall Check:

               Online Armor 5.0   
               Microsoft Security Essentials   
               Antivirus up to date! 
              ```````````````````````````````
              Anti-malware/Other Utilities Check:

               Malwarebytes' Anti-Malware   
               CCleaner     
               Java(TM) 6 Update 24 
               Adobe Flash Player    10.2.152.26 
              Adobe Reader 7.0
              Out of date Adobe Reader installed!
               Mozilla Firefox (3.6.13) Firefox Out of Date! 
              ````````````````````````````````
              Process Check: 
              objlist.exe by Laurent

              ``````````End of Log````````````

              gripenfighter

                Topic Starter


                Rookie

                • Experience: Beginner
                • OS: Unknown
                Re: Trojan windows restore, help me??
                « Reply #8 on: April 19, 2011, 08:50:40 AM »
                Here are the contents of ComboFix.txt

                ComboFix 11-04-18.04 - Christian 2011-04-19  16:25:57.1.2 - FAT32x86
                Microsoft Windows XP Professional  5.1.2600.3.1252.46.1033.18.2038.1425 [GMT 2:00]
                Körs från: C:\Documents and Settings\Christian\Desktop\ComboFix.exe
                AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
                FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

                PEV Error: LocalSettingsFile

                (((((((((((((((((((((((((((((((((((((((   Andra raderingar   ))))))))))))))))))))))))))))))))))))))))))))))))


                C:\Program Files\WinPCap
                C:\Program Files\WinPCap\daemon_mgm.exe
                C:\Program Files\WinPCap\npf_mgm.exe
                C:\Program Files\WinPCap\rpcapd.exe
                C:\WINDOWS\system32\Packet.dll
                C:\WINDOWS\system32\pthreadVC.dll
                C:\WINDOWS\system32\WanPacket.dll
                C:\WINDOWS\system32\wpcap.dll


                (((((((((((((((((((((((((((((((((((((((   Drivrutiner/Tjänster   )))))))))))))))))))))))))))))))))))))))))))))))))
                .

                -------\Legacy_NPF
                -------\Service_NPF


                ((((((((((((((((((((((((   Filer Skapade från 2011-03-19 till 2011-04-19  ))))))))))))))))))))))))))))))


                2011-04-19 14:08:40 . 2011-03-14 19:05:44   6792528   ----a-w-   C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
                2011-04-19 14:08:27 . 2011-04-11 07:04:08   7071056   ----a-w-   C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{66815DCA-BA1A-432E-A86F-78E9E6A34E64}\mpengine.dll
                2011-04-18 01:35:07 . 2011-04-18 01:35:08   --------   d-----w-   C:\WINDOWS\LastGood.Tmp
                2011-04-18 01:34:57 . 2011-04-18 01:34:58   --------   d-----w-   C:\Program Files\Microsoft Security Client
                2011-04-18 01:30:16 . 2011-04-18 01:30:18   --------   d--h--w-   C:\WINDOWS\system32\GroupPolicy
                2011-04-18 01:21:18 . 2011-04-18 01:21:20   --------   d-----w-   C:\Program Files\Common Files\McAfee
                2011-04-18 01:20:39 . 2011-04-18 01:20:40   --------   d-----w-   C:\Program Files\McAfee
                2011-04-18 01:20:39 . 2011-04-18 01:20:40   --------   d-----w-   C:\Documents and Settings\All Users\Application Data\McAfee
                2011-04-17 23:30:52 . 2011-04-17 23:30:54   --------   d-----w-   C:\Documents and Settings\Administrator\Application Data\Malwarebytes
                2011-04-17 23:30:51 . 2011-04-17 23:30:52   --------   d-sh--w-   C:\Documents and Settings\Administrator\IETldCache
                2011-04-17 22:25:58 . 2011-04-17 22:26:00   388096   ----a-r-   C:\Documents and Settings\Christian\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
                2011-04-17 22:25:57 . 2011-04-17 22:25:58   --------   d-----w-   C:\Program Files\Trend Micro
                2011-04-17 22:22:23 . 2011-04-17 22:22:14   73728   ----a-w-   C:\WINDOWS\system32\javacpl.cpl
                2011-04-17 22:22:09 . 2011-04-17 22:22:10   --------   d-----w-   C:\Program Files\Java
                2011-04-17 21:59:26 . 2010-12-20 16:09:00   38224   ----a-w-   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
                2011-04-17 21:59:19 . 2010-12-20 16:08:40   20952   ----a-w-   C:\WINDOWS\system32\drivers\mbam.sys
                2011-04-17 19:06:53 . 2011-04-17 19:06:54   --------   d-----w-   C:\Documents and Settings\Christian\Application Data\SUPERAntiSpyware.com
                2011-04-17 19:06:53 . 2011-04-17 19:06:54   --------   d-----w-   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
                2011-04-17 19:06:37 . 2011-04-17 19:06:38   --------   d-----w-   C:\Program Files\SUPERAntiSpyware
                2011-04-17 18:54:30 . 2011-04-17 18:54:32   --------   d-----w-   C:\Program Files\CCleaner
                2011-04-17 18:07:56 . 2011-04-17 18:07:58   --------   d-----w-   C:\Documents and Settings\Christian\Application Data\OnlineArmor
                2011-04-17 18:07:56 . 2011-04-17 18:07:58   --------   d-----w-   C:\Documents and Settings\All Users\Application Data\OnlineArmor
                2011-04-17 18:07:35 . 2011-04-06 11:02:26   39048   ----a-w-   C:\WINDOWS\system32\drivers\oahlp32.sys
                2011-04-17 18:07:35 . 2011-04-06 11:01:32   29464   ----a-w-   C:\WINDOWS\system32\drivers\OAnet.sys
                2011-04-17 18:07:35 . 2011-04-06 11:01:30   25192   ----a-w-   C:\WINDOWS\system32\drivers\OAmon.sys
                2011-04-17 18:07:35 . 2011-04-06 11:01:30   205864   ----a-w-   C:\WINDOWS\system32\drivers\OADriver.sys
                2011-04-17 18:07:04 . 2011-04-17 18:07:06   --------   d-----w-   C:\Program Files\Online Armor
                2011-04-14 14:29:24 . 2011-04-14 14:29:24   --------   d-----w-   C:\FOUND.005
                2011-04-13 22:35:43 . 2011-04-13 22:35:44   --------   d--h--w-   C:\Documents and Settings\Christian\Local Settings\Application Data\Threat Expert
                2011-04-13 21:24:33 . 2011-04-13 21:24:34   --------   d--h--w-   C:\Program Files\Spyware Doctor
                2011-04-13 21:08:48 . 2011-04-13 21:08:50   --------   d--h--w-   C:\Program Files\Panda Security
                2011-04-13 20:59:57 . 2011-04-13 20:59:58   --------   d--h--w-   C:\Documents and Settings\All Users\Application Data\TEMP
                2011-04-13 20:42:53 . 2011-04-13 20:42:54   --------   d--h--w-   C:\Program Files\Loaris
                2011-04-13 17:44:28 . 2011-04-13 17:44:28   --------   d-----w-   C:\FOUND.004
                2011-04-13 17:14:43 . 2011-04-13 17:14:44   --------   d-sh--w-   C:\Documents and Settings\LocalService\IETldCache
                2011-04-13 16:18:12 . 2011-04-13 16:18:12   --------   d-----w-   C:\FOUND.003
                2011-04-13 14:35:56 . 2011-04-13 14:35:58   --------   d--h--w-   C:\WINDOWS\Sun
                2011-04-13 14:35:38 . 2011-04-17 22:22:14   472808   ----a-w-   C:\WINDOWS\system32\deployJava1.dll
                2011-04-13 14:35:38 . 2011-04-17 22:22:14   472808   ----a-w-   C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
                2011-04-13 14:22:56 . 2011-04-13 14:22:58   529052   ---ha-w-   C:\WINDOWS\system32\PerfStringBackup.TMP
                2011-04-13 13:05:37 . 2011-04-13 13:05:38   --------   d--h--w-   C:\Program Files\Enigma Software Group
                2011-04-13 13:04:52 . 2011-04-13 13:04:54   --------   d--h--w-   C:\WINDOWS\41EBC322660F4D16A0DF53147210CBDB.TMP
                2011-04-13 13:04:49 . 2011-04-13 13:04:50   --------   d--h--w-   C:\Program Files\Common Files\Wise Installation Wizard
                2011-04-13 12:39:46 . 2011-04-13 12:39:48   --------   d--h--w-   C:\Program Files\GridinSoft Trojan Killer
                2011-04-13 12:10:54 . 2011-04-13 12:10:56   380   ---ha-w-   C:\WINDOWS\system32\drivers\sunkdkym.dat
                2011-04-13 05:14:25 . 2011-04-13 05:14:26   --------   d--h--w-   C:\Documents and Settings\Christian\Local Settings\Application Data\WMTools Downloaded Files
                2011-04-05 21:33:43 . 2011-04-05 21:33:44   --------   d--h--w-   C:\Documents and Settings\All Users\Application Data\WinZip
                2011-04-05 21:21:38 . 2011-04-05 21:21:40   --------   d--h--w-   C:\Program Files\7-Zip
                2011-03-21 12:26:49 . 2010-10-19 19:51:34   222080   ------w-   C:\WINDOWS\system32\MpSigStub.exe
                2011-03-21 11:37:13 . 2011-03-21 11:37:14   --------   d--h--w-   C:\Documents and Settings\Christian\Application Data\Malwarebytes
                2011-03-21 11:37:08 . 2011-03-21 11:37:10   --------   d--h--w-   C:\Documents and Settings\All Users\Application Data\Malwarebytes
                2011-03-21 11:37:05 . 2011-03-21 11:37:06   --------   d--h--w-   C:\Program Files\Malwarebytes' Anti-Malware
                2011-03-21 10:50:18 . 2011-03-21 10:50:18   --------   d-----w-   C:\FOUND.002
                .


                ((((((((((((((((((((((((((((((((((((((((   Find3M Rapport   )))))))))))))))))))))))))))))))))))))))))))))))))))

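The ComboFix section above lists one entry per line: creation timestamp, modification timestamp, size (dashes for a directory), an attribute column and a path. The Python below is an added example for reading that section programmatically and ranking entries for a human reviewer; it is not part of this thread and not ComboFix's own code. It assumes the attribute column is fixed-width with the positions observed in these logs (d = directory, s = system, h = hidden, a = archive, w/r = writable or read-only), and its triage rules are ordinary reviewer heuristics (hidden or system attribute on a file, a non-.sys file dropped into the driver directory), not ComboFix verdicts. The sample lines are copied from the log posted above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Attribute column layout as observed in the ComboFix logs in this thread
# (assumption: fixed width, e.g. "d--h--w-", "d-sh--w-", "----a-r-").
# Index 0 = d (directory), 2 = s (system), 3 = h (hidden), 4 = a (archive),
# 6 = w (writable) or r (read-only). The remaining columns are not used here.
ATTR_DIR, ATTR_SYSTEM, ATTR_HIDDEN, ATTR_ARCHIVE, ATTR_ACCESS = 0, 2, 3, 4, 6

# Timestamps appear both with and without seconds in the logs of this thread.
_TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?"
LINE_RE = re.compile(
    rf"^\s*(?P<created>{_TS}) \. (?P<modified>{_TS})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>\S.*?)\s*$"
)


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None where ComboFix prints dashes (directories)
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[ATTR_DIR] == "d"

    @property
    def hidden(self) -> bool:
        return self.attrs[ATTR_HIDDEN] == "h"

    @property
    def system(self) -> bool:
        return self.attrs[ATTR_SYSTEM] == "s"


def parse_entries(log_text: str) -> list:
    """Return the file entries of a ComboFix log section; section banners,
    lone dots and blank lines do not match LINE_RE and are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def triage(entries) -> dict:
    """Map path -> reasons for the file entries a reviewer should read first.
    Heuristics, not verdicts: hidden or system attribute on a file, or a
    non-.sys file placed in the kernel driver directory. Directories are
    left out because installers and Internet Explorer create hidden ones
    routinely (GroupPolicy, IETldCache in the log above)."""
    flagged = {}
    for e in entries:
        if e.is_dir:
            continue
        low = e.path.lower()
        reasons = []
        if e.hidden:
            reasons.append("hidden attribute set on a file")
        if e.system:
            reasons.append("system attribute set on a file")
        if "\\system32\\drivers\\" in low and not low.endswith(".sys"):
            reasons.append("non-.sys file in system32\\drivers")
        if reasons:
            flagged[e.path] = reasons
    return flagged


# Constructed sample: five lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
.
2011-04-18 01:30:16 . 2011-04-18 01:30:18   --------   d--h--w-   C:\WINDOWS\system32\GroupPolicy
2011-04-17 23:30:51 . 2011-04-17 23:30:52   --------   d-sh--w-   C:\Documents and Settings\Administrator\IETldCache
2011-04-17 21:59:19 . 2010-12-20 16:08:40   20952   ----a-w-   C:\WINDOWS\system32\drivers\mbam.sys
2011-04-13 14:22:56 . 2011-04-13 14:22:58   529052   ---ha-w-   C:\WINDOWS\system32\PerfStringBackup.TMP
2011-04-13 12:10:54 . 2011-04-13 12:10:56   380   ---ha-w-   C:\WINDOWS\system32\drivers\sunkdkym.dat
.
"""

if __name__ == "__main__":
    for path, reasons in triage(parse_entries(SAMPLE_LOG)).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

On the sample, the only entries the rules raise are PerfStringBackup.TMP (hidden file) and the 380-byte sunkdkym.dat in the driver directory (hidden and not a .sys); mbam.sys, a known Malwarebytes driver, passes. The hidden attribute alone is a weak signal on this particular machine, since the Find3M section of the later log shows stock Windows files with ---ha-w- as well, so the output ranks entries for the moderator to look at rather than declaring them malicious.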

                SuperDave

                • Malware Removal Specialist


                • Genius
                • Thanked: 1020
                • Certifications: List
                • Experience: Expert
                • OS: Windows 10
                Re: Trojan windows restore, help me??
                « Reply #9 on: April 19, 2011, 01:17:15 PM »
                The ComboFix log is not complete. Please look for it on your C: drive under ComboFix.

                gripenfighter

                  Topic Starter


                  Rookie

                  • Experience: Beginner
                  • OS: Unknown
                  Re: Trojan windows restore, help me??
                  « Reply #10 on: April 20, 2011, 12:17:17 AM »
                  Hello again, I think I had a problem when I first ran ComboFix. Now I have the complete log:

                  ComboFix 11-04-19.02 - Christian 2011-04-20   8:09.2.2 - FAT32x86
                  Microsoft Windows XP Professional  5.1.2600.3.1252.46.1033.18.2038.1465 [GMT 2:00]
                  Körs från: c:\documents and settings\Christian\Desktop\ComboFix.exe
                  AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
                  FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
                  .
                  .
                  (((((((((((((((((((((((((((((((((((((((   Andra raderingar   ))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  c:\windows\system32\drivers\npf.sys
                  .
                  ---- Föregående körning -------
                  .
                  c:\program files\WinPCap\daemon_mgm.exe
                  c:\program files\WinPCap\npf_mgm.exe
                  c:\program files\WinPCap\rpcapd.exe
                  c:\windows\system32\Packet.dll
                  c:\windows\system32\pthreadVC.dll
                  c:\windows\system32\WanPacket.dll
                  c:\windows\system32\wpcap.dll
                  .
                  .
                  (((((((((((((((((((((((((((((((((((((((   Drivrutiner/Tjänster   )))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  -------\Legacy_NPF
                  -------\Service_NPF
                  .
                  .
                  ((((((((((((((((((((((((   Filer Skapade från 2011-03-20 till 2011-04-20  ))))))))))))))))))))))))))))))
                  .
                  .
                  2011-04-19 14:54 . 2011-04-11 07:04   7071056   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8DA7A6F1-60E9-4F6A-AAE8-A22DBE966989}\mpengine.dll
                  2011-04-19 14:08 . 2011-03-14 19:05   6792528   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
                  2011-04-18 01:34 . 2011-04-18 01:34   --------   d-----w-   c:\program files\Microsoft Security Client
                  2011-04-18 01:30 . 2011-04-18 01:30   --------   d--h--w-   c:\windows\system32\GroupPolicy
                  2011-04-18 01:21 . 2011-04-18 01:21   --------   d-----w-   c:\program files\Common Files\McAfee
                  2011-04-18 01:20 . 2011-04-18 01:20   --------   d-----w-   c:\program files\McAfee
                  2011-04-18 01:20 . 2011-04-18 01:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee
                  2011-04-17 23:30 . 2011-04-17 23:30   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
                  2011-04-17 23:30 . 2011-04-17 23:30   --------   d-sh--w-   c:\documents and settings\Administrator\IETldCache
                  2011-04-17 22:25 . 2011-04-17 22:26   388096   ----a-r-   c:\documents and settings\Christian\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
                  2011-04-17 22:25 . 2011-04-17 22:25   --------   d-----w-   c:\program files\Trend Micro
                  2011-04-17 22:22 . 2011-04-17 22:22   73728   ----a-w-   c:\windows\system32\javacpl.cpl
                  2011-04-17 22:22 . 2011-04-17 22:22   --------   d-----w-   c:\program files\Java
                  2011-04-17 21:59 . 2010-12-20 16:09   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                  2011-04-17 21:59 . 2010-12-20 16:08   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                  2011-04-17 19:06 . 2011-04-17 19:06   --------   d-----w-   c:\documents and settings\Christian\Application Data\SUPERAntiSpyware.com
                  2011-04-17 19:06 . 2011-04-17 19:06   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
                  2011-04-17 19:06 . 2011-04-17 19:06   --------   d-----w-   c:\program files\SUPERAntiSpyware
                  2011-04-17 18:54 . 2011-04-17 18:54   --------   d-----w-   c:\program files\CCleaner
                  2011-04-17 18:07 . 2011-04-17 18:07   --------   d-----w-   c:\documents and settings\Christian\Application Data\OnlineArmor
                  2011-04-17 18:07 . 2011-04-17 18:07   --------   d-----w-   c:\documents and settings\All Users\Application Data\OnlineArmor
                  2011-04-17 18:07 . 2011-04-06 11:02   39048   ----a-w-   c:\windows\system32\drivers\oahlp32.sys
                  2011-04-17 18:07 . 2011-04-06 11:01   29464   ----a-w-   c:\windows\system32\drivers\OAnet.sys
                  2011-04-17 18:07 . 2011-04-06 11:01   25192   ----a-w-   c:\windows\system32\drivers\OAmon.sys
                  2011-04-17 18:07 . 2011-04-06 11:01   205864   ----a-w-   c:\windows\system32\drivers\OADriver.sys
                  2011-04-17 18:07 . 2011-04-17 18:07   --------   d-----w-   c:\program files\Online Armor
                  2011-04-14 14:29 . 2011-04-14 14:29   --------   d-----w-   C:\FOUND.005
                  2011-04-13 22:35 . 2011-04-13 22:35   --------   d--h--w-   c:\documents and settings\Christian\Local Settings\Application Data\Threat Expert
                  2011-04-13 21:24 . 2011-04-13 21:24   --------   d--h--w-   c:\program files\Spyware Doctor
                  2011-04-13 21:08 . 2011-04-13 21:08   --------   d--h--w-   c:\program files\Panda Security
                  2011-04-13 20:59 . 2011-04-13 20:59   --------   d--h--w-   c:\documents and settings\All Users\Application Data\TEMP
                  2011-04-13 20:42 . 2011-04-13 20:42   --------   d--h--w-   c:\program files\Loaris
                  2011-04-13 17:44 . 2011-04-13 17:44   --------   d-----w-   C:\FOUND.004
                  2011-04-13 17:14 . 2011-04-13 17:14   --------   d-sh--w-   c:\documents and settings\LocalService\IETldCache
                  2011-04-13 16:18 . 2011-04-13 16:18   --------   d-----w-   C:\FOUND.003
                  2011-04-13 14:35 . 2011-04-13 14:35   --------   d--h--w-   c:\windows\Sun
                  2011-04-13 14:35 . 2011-04-17 22:22   472808   ----a-w-   c:\windows\system32\deployJava1.dll
                  2011-04-13 14:35 . 2011-04-17 22:22   472808   ----a-w-   c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
                  2011-04-13 14:22 . 2011-04-13 14:22   529052   ---ha-w-   c:\windows\system32\PerfStringBackup.TMP
                  2011-04-13 13:05 . 2011-04-13 13:05   --------   d--h--w-   c:\program files\Enigma Software Group
                  2011-04-13 13:04 . 2011-04-13 13:04   --------   d--h--w-   c:\windows\41EBC322660F4D16A0DF53147210CBDB.TMP
                  2011-04-13 13:04 . 2011-04-13 13:04   --------   d--h--w-   c:\program files\Common Files\Wise Installation Wizard
                  2011-04-13 12:39 . 2011-04-13 12:39   --------   d--h--w-   c:\program files\GridinSoft Trojan Killer
                  2011-04-13 12:10 . 2011-04-13 12:10   380   ---ha-w-   c:\windows\system32\drivers\sunkdkym.dat
                  2011-04-13 05:14 . 2011-04-13 05:14   --------   d--h--w-   c:\documents and settings\Christian\Local Settings\Application Data\WMTools Downloaded Files
                  2011-04-05 21:33 . 2011-04-05 21:33   --------   d--h--w-   c:\documents and settings\All Users\Application Data\WinZip
                  2011-04-05 21:21 . 2011-04-05 21:21   --------   d--h--w-   c:\program files\7-Zip
                  2011-03-21 12:26 . 2010-10-19 19:51   222080   ------w-   c:\windows\system32\MpSigStub.exe
                  2011-03-21 11:37 . 2011-03-21 11:37   --------   d--h--w-   c:\documents and settings\Christian\Application Data\Malwarebytes
                  2011-03-21 11:37 . 2011-03-21 11:37   --------   d--h--w-   c:\documents and settings\All Users\Application Data\Malwarebytes
                  2011-03-21 11:37 . 2011-03-21 11:37   --------   d--h--w-   c:\program files\Malwarebytes' Anti-Malware
                  2011-03-21 10:50 . 2011-03-21 10:50   --------   d-----w-   C:\FOUND.002
                  .
                  .
                  .
                  ((((((((((((((((((((((((((((((((((((((((   Find3M Rapport   )))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  2011-03-09 18:36 . 2009-08-18 09:30   564632   ---ha-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\wlidui.dll
                  2011-03-09 18:36 . 2009-08-18 09:24   18328   ---ha-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
                  2011-03-07 07:31 . 2011-02-20 14:55   57344   ---ha-r-   c:\documents and settings\Christian\Application Data\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
                  2011-03-07 07:30 . 2003-03-18 19:05   106496   ---ha-w-   c:\windows\system32\ATL71.DLL
                  2011-03-07 05:33 . 2004-08-10 18:00   692736   ---ha-w-   c:\windows\system32\inetcomm.dll
                  2011-03-04 06:37 . 2004-08-10 18:00   420864   ---ha-w-   c:\windows\system32\vbscript.dll
                  2011-03-03 13:21 . 2004-08-10 18:00   1857920   ---ha-w-   c:\windows\system32\win32k.sys
                  2011-02-22 23:06 . 2006-01-09 18:02   916480   ---ha-w-   c:\windows\system32\wininet.dll
                  2011-02-22 23:06 . 2004-08-10 18:00   43520   ---ha-w-   c:\windows\system32\licmgr10.dll
                  2011-02-22 23:06 . 2004-08-10 18:00   1469440   ---h--w-   c:\windows\system32\inetcpl.cpl
                  2011-02-22 11:42 . 2004-08-10 18:00   385024   ---ha-w-   c:\windows\system32\html.iec
                  2011-02-20 14:55 . 2011-02-20 14:55   49152   ---ha-r-   c:\documents and settings\Christian\Application Data\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
                  2011-02-17 13:18 . 2004-08-10 18:00   455936   ---ha-w-   c:\windows\system32\drivers\mrxsmb.sys
                  2011-02-17 13:18 . 2004-08-10 18:00   357888   ---ha-w-   c:\windows\system32\drivers\srv.sys
                  2011-02-17 12:32 . 2011-02-15 21:22   5120   ---ha-w-   c:\windows\system32\xpsp4res.dll
                  2011-02-15 19:19 . 2011-02-15 19:19   21275   ---ha-w-   c:\windows\system32\drivers\AegisP.sys
                  2011-02-15 19:17 . 2004-09-27 15:15   1003   ---ha-w-   c:\windows\CLEANUP.CMD
                  2011-02-15 16:49 . 2004-09-21 12:28   62   ---ha-w-   c:\windows\HotFix.bat
                  2011-02-15 12:56 . 2004-08-10 18:00   290432   ---ha-w-   c:\windows\system32\atmfd.dll
                  2011-02-11 13:25 . 2004-08-10 18:00   229888   ---ha-w-   c:\windows\system32\fxscover.exe
                  2011-02-08 13:33 . 2004-08-10 18:00   978944   ---ha-w-   c:\windows\system32\mfc42.dll
                  2011-02-08 13:33 . 2004-08-10 18:00   974848   ---ha-w-   c:\windows\system32\mfc42u.dll
                  2011-02-04 15:48 . 2005-08-05 12:01   456192   ---ha-w-   c:\windows\system32\encdec.dll
                  2011-02-04 15:48 . 2005-08-05 12:01   291840   ---ha-w-   c:\windows\system32\sbe.dll
                  2011-02-02 06:58 . 2004-08-10 18:00   2067456   ---ha-w-   c:\windows\system32\mstscax.dll
                  2011-01-27 10:57 . 2004-08-10 18:00   677888   ---ha-w-   c:\windows\system32\mstsc.exe
                  2011-01-21 13:44 . 2004-08-10 18:00   439296   ---ha-w-   c:\windows\system32\shimgvw.dll
                  .
                  .
                  ((((((((((((((((((((((((((((((((((   Startpunkter i registret   )))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  *Not*  Tomma poster & legitima standardposter visas inte.
                  REGEDIT4
                  .
                  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-03-16 2423752]
                  .
                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "LaunchApp"="Alaunch" [X]
                  "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
                  "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
                  "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
                  "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 110592]
                  "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
                  "SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
                  "AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-12-21 53248]
                  "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
                  "ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2006-05-15 45056]
                  "ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]
                  "eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 69632]
                  "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
                  "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
                  "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
                  "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
                  "RTHDCPL"="RTHDCPL.EXE" [2006-06-28 16248320]
                  "ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-08-10 352256]
                  "Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-22 3080704]
                  "LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-07-20 593920]
                  "eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 397312]
                  "LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2006-06-23 225280]
                  "LogitechCameraAssistant"="c:\program files\Acer\OrbiCam\CameraAssistant.exe" [2006-06-26 331776]
                  "LogitechVideo[inspector]"="c:\program files\Acer\OrbiCam\InstallHelper.exe" [2006-06-26 13:55 73728]
                  "LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-01 262144]
                  "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
                  "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
                  "Nikon Message Center 2"="c:\program files\Nikon\Nikon Message Center 2\NkMC2.exe" [2010-05-25 619008]
                  "@OnlineArmor GUI"="c:\program files\Online Armor\OAui.exe" [2011-04-06 2477032]
                  "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
                  .
                  [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                  "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
                  .
                  c:\documents and settings\All Users\Start Menu\Programs\Startup\
                  Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
                  Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-2-16 113664]
                  WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2011-2-9 610120]
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
                  "ConsentPromptBehaviorAdmin"= 0 (0x0)
                  "ConsentPromptBehaviorUser"= 0 (0x0)
                  .
                  [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                  "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\ONLINE~2\oaevent.dll" [2011-04-06 354720]
                  "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                  2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                  .
                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
                  @="Service"
                  .
                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                  "EnableFirewall"= 0 (0x0)
                  .
                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                  "%windir%\\system32\\sessmgr.exe"=
                  "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
                  "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                  "c:\\Program Files\\Spotify\\spotify.exe"=
                  "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
                  .
                  R1 MpKsldb63392e;MpKsldb63392e;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8DA7A6F1-60E9-4F6A-AAE8-A22DBE966989}\MpKsldb63392e.sys [2011-04-20 28752]
                  R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2011-04-17 205864]
                  R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2011-04-17 25192]
                  R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2011-04-17 29464]
                  R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2010-02-17 12872]
                  R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
                  R2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [2011-04-17 381512]
                  R3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys [2006-06-19 1097728]
                  S1 MpKsl2e392492;MpKsl2e392492;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{66815DCA-BA1A-432E-A86F-78E9E6A34E64}\MpKsl2e392492.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{66815DCA-BA1A-432E-A86F-78E9E6A34E64}\MpKsl2e392492.sys [?]
                  S1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [2011-04-17 39048]
                  S2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [2011-04-17 4326472]
                  S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
                  S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
                  S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
                  .
                  --- Other services/drivers in memory ---
                  .
                  *NewlyCreated* - INT15.SYS
                  *NewlyCreated* - MPKSLDB63392E
                  .
                  Contents of the 'Scheduled Tasks' folder:
                  .
                  2011-04-18 c:\windows\Tasks\At1.job
                  - c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe [2010-06-14 14:07]
                  .
                  2011-04-17 c:\windows\Tasks\At2.job
                  - c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe [2010-06-14 14:07]
                  .
                  2011-04-19 c:\windows\Tasks\At3.job
                  - c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe [2010-06-14 14:07]
                  .
                  2011-04-18 c:\windows\Tasks\At4.job
                  - c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe [2010-06-14 14:07]
                  .
                  2011-04-20 c:\windows\Tasks\MpIdleTask.job
                  - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 10:26]
                  .
                  2011-04-20 c:\windows\Tasks\MP Scheduled Scan.job
                  - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 10:26]
                  .
                  .
                  ------- Supplementary scan -------
                  .
                  uStart Page = hxxp://www.aftonbladet.se/
                  uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
                  uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
                  IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
                  IE: Add to web banner protection - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2011\ie_banner_deny.htm
                  Trusted Zone: farman.se
                  Trusted Zone: farman.se\www
                  Trusted Zone: one.com\www
                  DPF: {DC6FEBC5-0A2D-458A-A01B-5DB15EEC4305} - hxxp://webc.farman.se/auth/controls/IlosoftImageUpload.dll
                  FF - ProfilePath - c:\documents and settings\Christian\Application Data\Mozilla\Firefox\Profiles\60wvxkr8.default\
                  FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
                  FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
                  FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
                  .
                  - - - - ORPHANED ENTRIES REMOVED - - - -
                  .
                  AddRemove-{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A} - c:\program files\McAfee\SiteAdvisor\Uninstall.exe
                  .
                  .
                  .
                  **************************************************************************
                  .
                  catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                  Rootkit scan 2011-04-20 08:13
                  Windows 5.1.2600 Service Pack 3 FAT NTAPI
                  .
                  scanning hidden processes ... 
                  .
                  scanning hidden autostart entries ...
                  .
                  scanning hidden files ... 
                  .
                  scan completed successfully
                  hidden files: 0
                  .
                  **************************************************************************
                  .
                  --------------------- LOCKED REGISTRY KEYS ---------------------
                  .
                  [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
                  @Denied: (A 2) (Everyone)
                  @="FlashBroker"
                  "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
                  .
                  [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
                  "Enabled"=dword:00000001
                  .
                  [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
                  @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
                  .
                  [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
                  @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
                  .
                  [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
                  @Denied: (A 2) (Everyone)
                  @="IFlashBroker4"
                  .
                  [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
                  @="{00020424-0000-0000-C000-000000000046}"
                  .
                  [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
                  @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
                  "Version"="1.0"
                  .
                  --------------------- DLLs "loaded" under running processes ---------------------
                  .
                  - - - - - - - > 'winlogon.exe'(520)
                  c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                  c:\windows\system32\WININET.dll
                  .
                  Finish time: 2011-04-20  08:14:28
                  ComboFix-quarantined-files.txt  2011-04-20 06:14
                  .
                  Before scan: 31 309 070 336 bytes free
                  After scan: 31 332 728 832 bytes free
                  .
                  - - End Of File - - 15F08D1679DF294086BCE21D9CA5D97F

                  SuperDave

                  • Malware Removal Specialist


                  • Genius
                  • Thanked: 1020
                  • Certifications: List
                  • Experience: Expert
                  • OS: Windows 10
                  Re: Trojan windows restore, help me??
                  « Reply #11 on: April 20, 2011, 04:27:18 PM »
                  Re-running ComboFix to remove infections:

                  • Close any open browsers.
                  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
                  • Open notepad and copy/paste the text in the quotebox below into it:
                    Quote
                    KillAll::

                    File::
                    C:\FOUND.005
                    C:\FOUND.004
                    C:\FOUND.003
                    C:\FOUND.002
                    C:\WINDOWS\system32\drivers\sunkdkym.dat

                    DDS::
                    Trusted Zone: farman.se
                    Trusted Zone: farman.se\www
                    Trusted Zone: one.com\www

                    MBR::

                  • Save this as CFScript.txt, in the same location as ComboFix.exe



                  • Referring to the picture above, drag CFScript into ComboFix.exe
                  • When finished, it shall produce a log for you at C:\ComboFix.txt
                  • Please post the contents of the log in your next reply.
                  ************************************************
                  * Download the following tool: RootRepeal - Rootkit Detector
                  * Direct download link is here: RootRepeal.zip

                  * Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
                  * Click this link to see a list of such programs and how to disable them.

                  * Extract the program file to a new folder such as C:\RootRepeal
                  * Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
                  * Select ALL of the checkboxes and then click OK and it will start scanning your system.
                  * If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
                  * When done, click on Save Report
                  * Save it to the same location where you ran it from, such as C:\RootRepeal
                  * Save it as rootrepeal.txt
                  * Then open that log and select all and copy/paste it back on your next reply please.
                  * Close RootRepeal.
                  Windows 8 and Windows 10 dual boot with two SSD's
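
The CFScript above targets entry types that all appear in the posted ComboFix log: CHKDSK recovery folders (C:\FOUND.00x), a non-driver file sitting in system32\drivers (sunkdkym.dat), Internet Explorer Trusted Zone additions, and, further up in the log, the Windows Firewall profile switched off and drivers whose backing file is missing or that load from a user-writable Application Data path. The Python below is an added example written by the editor; it is not code from SuperDave, from ComboFix or from anywhere in this thread. It pulls those entry types out of a log so a helper can review them in one list. The regexes, heuristics and category names are the editor's own assumptions about the log format, and SAMPLE_LOG is a handful of lines excerpted from the log posted above, not a complete log. Treat the output as a review list, not a verdict: the same log shows Microsoft Security Essentials legitimately loading its MpKsl*.sys engine drivers from the Definition Updates folder, so a hit in the user-writable-path category is a prompt to check vendor and signature, not proof of malware.

```python
"""Triage helper for ComboFix logs.

Added example (editor's own code, not from ComboFix or the thread). It scans
a ComboFix log for the entry types a malware-removal helper reviews first
and groups them by category.
"""
import re
from typing import Dict, List

# Lines excerpted from the ComboFix log posted above. Not a complete log;
# just enough to exercise each rule below.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
R1 MpKsldb63392e;MpKsldb63392e;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8DA7A6F1-60E9-4F6A-AAE8-A22DBE966989}\MpKsldb63392e.sys [2011-04-20 28752]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2011-04-17 205864]
S1 MpKsl2e392492;MpKsl2e392492;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{66815DCA-BA1A-432E-A86F-78E9E6A34E64}\MpKsl2e392492.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{66815DCA-BA1A-432E-A86F-78E9E6A34E64}\MpKsl2e392492.sys [?]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
Trusted Zone: farman.se
Trusted Zone: one.com\www
2011-04-14 14:29 . 2011-04-14 14:29   --------   d-----w-   C:\FOUND.005
2011-04-13 12:10 . 2011-04-13 12:10   380   ---ha-w-   c:\windows\system32\drivers\sunkdkym.dat
2011-04-17 18:07 . 2011-04-06 11:02   39048   ----a-w-   c:\windows\system32\drivers\oahlp32.sys
"""

# Driver/service line: "<R|S><start type> <name>;<display>;<path> [<date size> | ?]".
# "[?]" means ComboFix could not find the file the service points at.
SERVICE_RE = re.compile(r'^([RS])(\d)\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]\s*$')
# "Files Created" line: "<created> . <modified>   <size|-------->   <attrs>   <path>".
FILE_RE = re.compile(
    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}'
    r'\s+(\S+)\s+([-a-z]{8})\s+(.+?)\s*$')
TRUSTED_RE = re.compile(r'^Trusted Zone:\s*(\S+)')
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b')
FOUND_DIR_RE = re.compile(r'^c:\\found\.\d{3}$', re.IGNORECASE)

DRIVERS_DIR = 'c:\\windows\\system32\\drivers\\'
# Path fragments that mean "writable by a normal user" on Windows XP (assumption).
USER_WRITABLE = ('\\documents and settings\\', '\\application data\\')

CATEGORIES = (
    'firewall_disabled',
    'trusted_zone',
    'missing_driver_file',
    'driver_in_user_writable_path',
    'chkdsk_recovery_dir',
    'non_sys_file_in_drivers_dir',
)


def triage(log_text: str) -> Dict[str, List[str]]:
    """Return the review-worthy entries of a ComboFix log, grouped by category."""
    hits: Dict[str, List[str]] = {c: [] for c in CATEGORIES}
    for raw in log_text.splitlines():
        line = raw.strip()
        if FIREWALL_OFF_RE.match(line):
            hits['firewall_disabled'].append(line)
            continue
        m = TRUSTED_RE.match(line)
        if m:
            hits['trusted_zone'].append(m.group(1))
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, path, status = m.group(3), m.group(5), m.group(6)
            # A "\??\<path> --> <path>" pair reports the resolved path last.
            if ' --> ' in path:
                path = path.split(' --> ', 1)[1]
            if status == '?':
                hits['missing_driver_file'].append(name)
            if any(frag in path.lower() for frag in USER_WRITABLE):
                hits['driver_in_user_writable_path'].append(name)
            continue
        m = FILE_RE.match(line)
        if m:
            path = m.group(3)
            low = path.lower()
            if FOUND_DIR_RE.match(path):
                hits['chkdsk_recovery_dir'].append(path)
            elif low.startswith(DRIVERS_DIR) and not low.endswith('.sys'):
                hits['non_sys_file_in_drivers_dir'].append(path)
    return hits


if __name__ == '__main__':
    for category, entries in triage(SAMPLE_LOG).items():
        if entries:
            print(f'{category}:')
            for entry in entries:
                print(f'    {entry}')
```

Run it against a full ComboFix.txt by reading the file into `triage()` instead of SAMPLE_LOG. The missing-file and Trusted Zone categories map directly onto what a CFScript `File::`/`DDS::` section would remove; the user-writable-path category deliberately over-reports (it catches the MSE engine driver as well) so that a human decides, which is the right failure mode for a tool that feeds a deletion script.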

                  gripenfighter

                    Topic Starter


                    Rookie

                    • Experience: Beginner
                    • OS: Unknown
                    Re: Trojan windows restore, help me??
                    « Reply #12 on: April 20, 2011, 11:35:43 PM »
                    ComboFix 11-04-19.02 - Christian 2011-04-20   8:09.2.2 - FAT32x86
                    Microsoft Windows XP Professional  5.1.2600.3.1252.46.1033.18.2038.1465 [GMT 2:00]
                    Running from: c:\documents and settings\Christian\Desktop\ComboFix.exe
                    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
                    FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
                    .
                    .
                    (((((((((((((((((((((((((((((((((((((((   Other deletions   ))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    .
                    c:\windows\system32\drivers\npf.sys
                    .
                    ---- Previous run -------
                    .
                    c:\program files\WinPCap\daemon_mgm.exe
                    c:\program files\WinPCap\npf_mgm.exe
                    c:\program files\WinPCap\rpcapd.exe
                    c:\windows\system32\Packet.dll
                    c:\windows\system32\pthreadVC.dll
                    c:\windows\system32\WanPacket.dll
                    c:\windows\system32\wpcap.dll
                    .
                    .
                    (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    .
                    -------\Legacy_NPF
                    -------\Service_NPF
                    .
                    .
                    ((((((((((((((((((((((((   Files Created from 2011-03-20 to 2011-04-20  ))))))))))))))))))))))))))))))
                    .
                    .
                    2011-04-19 14:54 . 2011-04-11 07:04   7071056   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8DA7A6F1-60E9-4F6A-AAE8-A22DBE966989}\mpengine.dll
                    2011-04-19 14:08 . 2011-03-14 19:05   6792528   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
                    2011-04-18 01:34 . 2011-04-18 01:34   --------   d-----w-   c:\program files\Microsoft Security Client
                    2011-04-18 01:30 . 2011-04-18 01:30   --------   d--h--w-   c:\windows\system32\GroupPolicy
                    2011-04-18 01:21 . 2011-04-18 01:21   --------   d-----w-   c:\program files\Common Files\McAfee
                    2011-04-18 01:20 . 2011-04-18 01:20   --------   d-----w-   c:\program files\McAfee
                    2011-04-18 01:20 . 2011-04-18 01:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee
                    2011-04-17 23:30 . 2011-04-17 23:30   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
                    2011-04-17 23:30 . 2011-04-17 23:30   --------   d-sh--w-   c:\documents and settings\Administrator\IETldCache
                    2011-04-17 22:25 . 2011-04-17 22:26   388096   ----a-r-   c:\documents and settings\Christian\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
                    2011-04-17 22:25 . 2011-04-17 22:25   --------   d-----w-   c:\program files\Trend Micro
                    2011-04-17 22:22 . 2011-04-17 22:22   73728   ----a-w-   c:\windows\system32\javacpl.cpl
                    2011-04-17 22:22 . 2011-04-17 22:22   --------   d-----w-   c:\program files\Java
                    2011-04-17 21:59 . 2010-12-20 16:09   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                    2011-04-17 21:59 . 2010-12-20 16:08   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                    2011-04-17 19:06 . 2011-04-17 19:06   --------   d-----w-   c:\documents and settings\Christian\Application Data\SUPERAntiSpyware.com
                    2011-04-17 19:06 . 2011-04-17 19:06   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
                    2011-04-17 19:06 . 2011-04-17 19:06   --------   d-----w-   c:\program files\SUPERAntiSpyware
                    2011-04-17 18:54 . 2011-04-17 18:54   --------   d-----w-   c:\program files\CCleaner
                    2011-04-17 18:07 . 2011-04-17 18:07   --------   d-----w-   c:\documents and settings\Christian\Application Data\OnlineArmor
                    2011-04-17 18:07 . 2011-04-17 18:07   --------   d-----w-   c:\documents and settings\All Users\Application Data\OnlineArmor
                    2011-04-17 18:07 . 2011-04-06 11:02   39048   ----a-w-   c:\windows\system32\drivers\oahlp32.sys
                    2011-04-17 18:07 . 2011-04-06 11:01   29464   ----a-w-   c:\windows\system32\drivers\OAnet.sys
                    2011-04-17 18:07 . 2011-04-06 11:01   25192   ----a-w-   c:\windows\system32\drivers\OAmon.sys
                    2011-04-17 18:07 . 2011-04-06 11:01   205864   ----a-w-   c:\windows\system32\drivers\OADriver.sys
                    2011-04-17 18:07 . 2011-04-17 18:07   --------   d-----w-   c:\program files\Online Armor
                    2011-04-14 14:29 . 2011-04-14 14:29   --------   d-----w-   C:\FOUND.005
                    2011-04-13 22:35 . 2011-04-13 22:35   --------   d--h--w-   c:\documents and settings\Christian\Local Settings\Application Data\Threat Expert
                    2011-04-13 21:24 . 2011-04-13 21:24   --------   d--h--w-   c:\program files\Spyware Doctor
                    2011-04-13 21:08 . 2011-04-13 21:08   --------   d--h--w-   c:\program files\Panda Security
                    2011-04-13 20:59 . 2011-04-13 20:59   --------   d--h--w-   c:\documents and settings\All Users\Application Data\TEMP
                    2011-04-13 20:42 . 2011-04-13 20:42   --------   d--h--w-   c:\program files\Loaris
                    2011-04-13 17:44 . 2011-04-13 17:44   --------   d-----w-   C:\FOUND.004
                    2011-04-13 17:14 . 2011-04-13 17:14   --------   d-sh--w-   c:\documents and settings\LocalService\IETldCache
                    2011-04-13 16:18 . 2011-04-13 16:18   --------   d-----w-   C:\FOUND.003
                    2011-04-13 14:35 . 2011-04-13 14:35   --------   d--h--w-   c:\windows\Sun
                    2011-04-13 14:35 . 2011-04-17 22:22   472808   ----a-w-   c:\windows\system32\deployJava1.dll
                    2011-04-13 14:35 . 2011-04-17 22:22   472808   ----a-w-   c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
                    2011-04-13 14:22 . 2011-04-13 14:22   529052   ---ha-w-   c:\windows\system32\PerfStringBackup.TMP
                    2011-04-13 13:05 . 2011-04-13 13:05   --------   d--h--w-   c:\program files\Enigma Software Group
                    2011-04-13 13:04 . 2011-04-13 13:04   --------   d--h--w-   c:\windows\41EBC322660F4D16A0DF53147210CBDB.TMP
                    2011-04-13 13:04 . 2011-04-13 13:04   --------   d--h--w-   c:\program files\Common Files\Wise Installation Wizard
                    2011-04-13 12:39 . 2011-04-13 12:39   --------   d--h--w-   c:\program files\GridinSoft Trojan Killer
                    2011-04-13 12:10 . 2011-04-13 12:10   380   ---ha-w-   c:\windows\system32\drivers\sunkdkym.dat
                    2011-04-13 05:14 . 2011-04-13 05:14   --------   d--h--w-   c:\documents and settings\Christian\Local Settings\Application Data\WMTools Downloaded Files
                    2011-04-05 21:33 . 2011-04-05 21:33   --------   d--h--w-   c:\documents and settings\All Users\Application Data\WinZip
                    2011-04-05 21:21 . 2011-04-05 21:21   --------   d--h--w-   c:\program files\7-Zip
                    2011-03-21 12:26 . 2010-10-19 19:51   222080   ------w-   c:\windows\system32\MpSigStub.exe
                    2011-03-21 11:37 . 2011-03-21 11:37   --------   d--h--w-   c:\documents and settings\Christian\Application Data\Malwarebytes
                    2011-03-21 11:37 . 2011-03-21 11:37   --------   d--h--w-   c:\documents and settings\All Users\Application Data\Malwarebytes
                    2011-03-21 11:37 . 2011-03-21 11:37   --------   d--h--w-   c:\program files\Malwarebytes' Anti-Malware
                    2011-03-21 10:50 . 2011-03-21 10:50   --------   d-----w-   C:\FOUND.002
                    .
                    .
                    .
                    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    2011-03-09 18:36 . 2009-08-18 09:30   564632   ---ha-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\wlidui.dll
                    2011-03-09 18:36 . 2009-08-18 09:24   18328   ---ha-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
                    2011-03-07 07:31 . 2011-02-20 14:55   57344   ---ha-r-   c:\documents and settings\Christian\Application Data\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
                    2011-03-07 07:30 . 2003-03-18 19:05   106496   ---ha-w-   c:\windows\system32\ATL71.DLL
                    2011-03-07 05:33 . 2004-08-10 18:00   692736   ---ha-w-   c:\windows\system32\inetcomm.dll
                    2011-03-04 06:37 . 2004-08-10 18:00   420864   ---ha-w-   c:\windows\system32\vbscript.dll
                    2011-03-03 13:21 . 2004-08-10 18:00   1857920   ---ha-w-   c:\windows\system32\win32k.sys
                    2011-02-22 23:06 . 2006-01-09 18:02   916480   ---ha-w-   c:\windows\system32\wininet.dll
                    2011-02-22 23:06 . 2004-08-10 18:00   43520   ---ha-w-   c:\windows\system32\licmgr10.dll
                    2011-02-22 23:06 . 2004-08-10 18:00   1469440   ---h--w-   c:\windows\system32\inetcpl.cpl
                    2011-02-22 11:42 . 2004-08-10 18:00   385024   ---ha-w-   c:\windows\system32\html.iec
                    2011-02-20 14:55 . 2011-02-20 14:55   49152   ---ha-r-   c:\documents and settings\Christian\Application Data\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
                    2011-02-17 13:18 . 2004-08-10 18:00   455936   ---ha-w-   c:\windows\system32\drivers\mrxsmb.sys
                    2011-02-17 13:18 . 2004-08-10 18:00   357888   ---ha-w-   c:\windows\system32\drivers\srv.sys
                    2011-02-17 12:32 . 2011-02-15 21:22   5120   ---ha-w-   c:\windows\system32\xpsp4res.dll
                    2011-02-15 19:19 . 2011-02-15 19:19   21275   ---ha-w-   c:\windows\system32\drivers\AegisP.sys
                    2011-02-15 19:17 . 2004-09-27 15:15   1003   ---ha-w-   c:\windows\CLEANUP.CMD
                    2011-02-15 16:49 . 2004-09-21 12:28   62   ---ha-w-   c:\windows\HotFix.bat
                    2011-02-15 12:56 . 2004-08-10 18:00   290432   ---ha-w-   c:\windows\system32\atmfd.dll
                    2011-02-11 13:25 . 2004-08-10 18:00   229888   ---ha-w-   c:\windows\system32\fxscover.exe
                    2011-02-08 13:33 . 2004-08-10 18:00   978944   ---ha-w-   c:\windows\system32\mfc42.dll
                    2011-02-08 13:33 . 2004-08-10 18:00   974848   ---ha-w-   c:\windows\system32\mfc42u.dll
                    2011-02-04 15:48 . 2005-08-05 12:01   456192   ---ha-w-   c:\windows\system32\encdec.dll
                    2011-02-04 15:48 . 2005-08-05 12:01   291840   ---ha-w-   c:\windows\system32\sbe.dll
                    2011-02-02 06:58 . 2004-08-10 18:00   2067456   ---ha-w-   c:\windows\system32\mstscax.dll
                    2011-01-27 10:57 . 2004-08-10 18:00   677888   ---ha-w-   c:\windows\system32\mstsc.exe
                    2011-01-21 13:44 . 2004-08-10 18:00   439296   ---ha-w-   c:\windows\system32\shimgvw.dll
                    .
                    .
                    ((((((((((((((((((((((((((((((((((   Registry start points   )))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    .
                    *Note*  Empty entries & legitimate default entries are not shown.
                    REGEDIT4
                    .
                    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-03-16 2423752]
                    .
                    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "LaunchApp"="Alaunch" [X]
                    "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
                    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
                    "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
                    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 110592]
                    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
                    "SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
                    "AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-12-21 53248]
                    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
                    "ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2006-05-15 45056]
                    "ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]
                    "eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 69632]
                    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
                    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
                    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
                    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
                    "RTHDCPL"="RTHDCPL.EXE" [2006-06-28 16248320]
                    "ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-08-10 352256]
                    "Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-22 3080704]
                    "LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-07-20 593920]
                    "eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 397312]
                    "LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2006-06-23 225280]
                    "LogitechCameraAssistant"="c:\program files\Acer\OrbiCam\CameraAssistant.exe" [2006-06-26 331776]
                    "LogitechVideo[inspector]"="c:\program files\Acer\OrbiCam\InstallHelper.exe" [2006-06-26 13:55 73728]
                    "LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-01 262144]
                    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
                    "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
                    "Nikon Message Center 2"="c:\program files\Nikon\Nikon Message Center 2\NkMC2.exe" [2010-05-25 619008]
                    "@OnlineArmor GUI"="c:\program files\Online Armor\OAui.exe" [2011-04-06 2477032]
                    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
                    .
                    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
                    .
                    c:\documents and settings\All Users\Start Menu\Programs\Startup\
                    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
                    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-2-16 113664]
                    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2011-2-9 610120]
                    .
                    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
                    "ConsentPromptBehaviorAdmin"= 0 (0x0)
                    "ConsentPromptBehaviorUser"= 0 (0x0)
                    .
                    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                    "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\ONLINE~2\oaevent.dll" [2011-04-06 354720]
                    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
                    .
                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                    2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                    .
                    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
                    @="Service"
                    .
                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                    "EnableFirewall"= 0 (0x0)
                    .
                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                    "%windir%\\system32\\sessmgr.exe"=
                    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
                    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                    "c:\\Program Files\\Spotify\\spotify.exe"=
                    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
                    .
                    R1 MpKsldb63392e;MpKsldb63392e;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8DA7A6F1-60E9-4F6A-AAE8-A22DBE966989}\MpKsldb63392e.sys [2011-04-20 28752]
                    R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2011-04-17 205864]
                    R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2011-04-17 25192]
                    R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2011-04-17 29464]
                    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2010-02-17 12872]
                    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
                    R2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [2011-04-17 381512]
                    R3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys [2006-06-19 1097728]
                    S1 MpKsl2e392492;MpKsl2e392492;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{66815DCA-BA1A-432E-A86F-78E9E6A34E64}\MpKsl2e392492.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{66815DCA-BA1A-432E-A86F-78E9E6A34E64}\MpKsl2e392492.sys [?]
                    S1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [2011-04-17 39048]
                    S2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [2011-04-17 4326472]
                    S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
                    S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
                    S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
                    .
                    --- Other services/drivers in memory ---
                    .
                    *NewlyCreated* - INT15.SYS
                    *NewlyCreated* - MPKSLDB63392E
                    .
                    Contents of the 'Scheduled Tasks' folder:
                    .
                    2011-04-18 c:\windows\Tasks\At1.job
                    - c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe [2010-06-14 14:07]
                    .
                    2011-04-17 c:\windows\Tasks\At2.job
                    - c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe [2010-06-14 14:07]
                    .
                    2011-04-19 c:\windows\Tasks\At3.job
                    - c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe [2010-06-14 14:07]
                    .
                    2011-04-18 c:\windows\Tasks\At4.job
                    - c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe [2010-06-14 14:07]
                    .
                    2011-04-20 c:\windows\Tasks\MpIdleTask.job
                    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 10:26]
                    .
                    2011-04-20 c:\windows\Tasks\MP Scheduled Scan.job
                    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 10:26]
                    .
                    .
                    ------- Supplementary Scan -------
                    .
                    uStart Page = hxxp://www.aftonbladet.se/
                    uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
                    uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
                    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
                    IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2011\ie_banner_deny.htm
                    Trusted Zone: farman.se
                    Trusted Zone: farman.se\www
                    Trusted Zone: one.com\www
                    DPF: {DC6FEBC5-0A2D-458A-A01B-5DB15EEC4305} - hxxp://webc.farman.se/auth/controls/IlosoftImageUpload.dll
                    FF - ProfilePath - c:\documents and settings\Christian\Application Data\Mozilla\Firefox\Profiles\60wvxkr8.default\
                    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
                    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
                    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
                    .
                    - - - - ORPHANS REMOVED - - - -
                    .
                    AddRemove-{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A} - c:\program files\McAfee\SiteAdvisor\Uninstall.exe
                    .
                    .
                    .
                    **************************************************************************
                    .
                    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                    Rootkit scan 2011-04-20 08:13
                    Windows 5.1.2600 Service Pack 3 FAT NTAPI
                    .
                    scanning hidden processes ... 
                    .
                    scanning hidden autostart entries ...
                    .
                    scanning hidden files ... 
                    .
                    scan completed successfully
                    hidden files: 0
                    .
                    **************************************************************************
                    .
                    --------------------- LOCKED REGISTRY KEYS ---------------------
                    .
                    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
                    @Denied: (A 2) (Everyone)
                    @="FlashBroker"
                    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
                    .
                    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
                    "Enabled"=dword:00000001
                    .
                    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
                    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
                    .
                    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
                    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
                    .
                    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
                    @Denied: (A 2) (Everyone)
                    @="IFlashBroker4"
                    .
                    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
                    @="{00020424-0000-0000-C000-000000000046}"
                    .
                    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
                    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
                    "Version"="1.0"
                    .
                    --------------------- DLLs Loaded Under Running Processes ---------------------
                    .
                    - - - - - - - > 'winlogon.exe'(520)
                    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                    c:\windows\system32\WININET.dll
                    .
                    Completion time: 2011-04-20  08:14:28
                    ComboFix-quarantined-files.txt  2011-04-20 06:14
                    .
                    Pre-Run: 31 309 070 336 bytes free
                    Post-Run: 31 332 728 832 bytes free
                    .
                    - - End Of File - - 15F08D1679DF294086BCE21D9CA5D97F
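
An added example, not part of the original post and not ComboFix's own code: a small Python parser for the R/S service and driver lines in the log above. It reads the leading letter as Running/Stopped and the digit as the registry Start type, treats the `\??\path --> path [?]` form as "image file not found on disk" (an assumption about ComboFix's notation, not something the tool documents here), and then lists what a log reader checks first: registrations whose file is gone, boot/system-start drivers, and .sys images that live outside the Windows directory. The sample lines are copied from the log above; no other input is assumed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: service/driver lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
R1 MpKsldb63392e;MpKsldb63392e;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8DA7A6F1-60E9-4F6A-AAE8-A22DBE966989}\MpKsldb63392e.sys [2011-04-20 28752]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2011-04-17 205864]
R2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [2011-04-17 381512]
R3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys [2006-06-19 1097728]
S1 MpKsl2e392492;MpKsl2e392492;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{66815DCA-BA1A-432E-A86F-78E9E6A34E64}\MpKsl2e392492.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{66815DCA-BA1A-432E-A86F-78E9E6A34E64}\MpKsl2e392492.sys [?]
S1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [2011-04-17 39048]
S2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [2011-04-17 4326472]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
"""

# The digit after R/S is the service's registry Start value; the letter is Running/Stopped.
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$"
)
STAMP_RE = re.compile(r"\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]\s*$")


@dataclass
class ServiceEntry:
    name: str
    display: str
    running: bool
    start: int
    path: str
    file_present: bool
    date: Optional[str] = None
    size: Optional[int] = None


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one R?/S? line; returns None for any other line in the log."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rest = m.group("rest").strip()
    # Assumption: "\??\path --> path [?]" is ComboFix reporting a registered
    # service whose image it could not find; keep the resolved path on the right.
    if "-->" in rest:
        rest = rest.split("-->", 1)[1].strip()
    base = dict(name=m.group("name"), display=m.group("display"),
                running=m.group("state") == "R", start=int(m.group("start")))
    if rest.endswith("[?]"):
        return ServiceEntry(path=rest[:-3].strip(), file_present=False, **base)
    stamp = STAMP_RE.search(rest)
    if stamp is None:
        return ServiceEntry(path=rest, file_present=True, **base)
    return ServiceEntry(path=rest[: stamp.start()].strip(), file_present=True,
                        date=stamp.group("date"), size=int(stamp.group("size")), **base)


def parse_services(text: str) -> List[ServiceEntry]:
    entries = [parse_service_line(line) for line in text.splitlines()]
    return [e for e in entries if e is not None]


def orphaned(entries: List[ServiceEntry]) -> List[str]:
    """Still registered, but the image file is gone (a leftover or a deleted driver)."""
    return [e.name for e in entries if not e.file_present]


def early_start(entries: List[ServiceEntry]) -> List[str]:
    """Boot (0) and system (1) start entries: kernel code that loads before
    user-mode security tools, which is where a rootkit driver would register."""
    return [e.name for e in entries if e.start in (0, 1)]


def drivers_outside_windows(entries: List[ServiceEntry]) -> List[str]:
    """Kernel drivers (.sys) whose image lives outside the Windows directory.
    Not malicious by itself (in this log they are Microsoft Antimalware
    definition-update drivers and SpyHunter), but each one needs a vendor check."""
    return [e.name for e in entries
            if e.path.lower().endswith(".sys")
            and not e.path.lower().startswith("c:\\windows\\")]


def summarize(entries: List[ServiceEntry]) -> Dict[str, int]:
    """Count entries by state and start type, e.g. {'running/system': 2, ...}."""
    counts: Dict[str, int] = {}
    for e in entries:
        key = f"{'running' if e.running else 'stopped'}/{START_TYPES.get(e.start, str(e.start))}"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    entries = parse_services(SAMPLE_LOG)
    print("parsed:", len(entries), summarize(entries))
    print("image missing:", orphaned(entries))
    print("boot/system start:", early_start(entries))
    print("drivers outside Windows dir:", drivers_outside_windows(entries))
```

Run against a full ComboFix log the same way (read the file, feed the text to parse_services); the regex ignores every line that is not an R?/S? entry, so the whole log can be passed in unchanged.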

                    gripenfighter

                      Topic Starter


                      Rookie

                      • Experience: Beginner
                      • OS: Unknown
                      Re: Trojan windows restore, help me??
                      « Reply #13 on: April 20, 2011, 11:43:38 PM »
                      ROOTREPEAL (c) AD, 2007-2009
                      ==================================================
                      Scan Start Time:      2011/04/21 07:39
                      Program Version:      Version 1.3.5.0
                      Windows Version:      Windows XP Media Center Edition SP3
                      ==================================================

                      Drivers
                      -------------------
                      Name: catchme.sys
                      Image Path: C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\catchme.sys
                      Address: 0xBA3C0000   Size: 31744   File Visible: No   Signed: -
                      Status: -

                      Name: dump_atapi.sys
                      Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
                      Address: 0xA8971000   Size: 98304   File Visible: No   Signed: -
                      Status: -

                      Name: dump_WMILIB.SYS
                      Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
                      Address: 0xBA5D6000   Size: 8192   File Visible: No   Signed: -
                      Status: -

                      Name: hiber_WMILIB.SYS
                      Image Path: C:\WINDOWS\System32\Drivers\hiber_WMILIB.SYS
                      Address: 0xBA64E000   Size: 8192   File Visible: No   Signed: -
                      Status: -

                      Name: PROCEXP113.SYS
                      Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
                      Address: 0xBA612000   Size: 7872   File Visible: No   Signed: -
                      Status: -

                      Name: rootrepeal.sys
                      Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
                      Address: 0xA776E000   Size: 49152   File Visible: No   Signed: -
                      Status: -

                      Hidden/Locked Files
                      -------------------
                      Path: C:\HIBERFIL.SYS
                      Status: Locked to the Windows API!

                      Path: c:\documents and settings\christian\local settings\temporary internet files\content.ie5\4mxjmk1g\topic,118352.0[1].html
                      Status: Allocation size mismatch (API: 1081344, Raw: 163840)

                      SSDT
                      -------------------
                      #: 017   Function Name: NtAllocateVirtualMemory
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d7b42c

                      #: 019   Function Name: NtAssignProcessToJobObject
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d7a928

                      #: 031   Function Name: NtConnectPort
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d7964c

                      #: 037   Function Name: NtCreateFile
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d80316

                      #: 041   Function Name: NtCreateKey
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d82242

                      #: 046   Function Name: NtCreatePort
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d7946a

                      #: 047   Function Name: NtCreateProcess
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d7aee8

                      #: 048   Function Name: NtCreateProcessEx
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d77978

                      #: 050   Function Name: NtCreateSection
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d774f2

                      #: 053   Function Name: NtCreateThread
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d78634

                      #: 057   Function Name: NtDebugActiveProcess
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d78d22

                      #: 068   Function Name: NtDuplicateObject
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d7932c

                      #: 097   Function Name: NtLoadDriver
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d7a350

                      #: 116   Function Name: NtOpenFile
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d80694

                      #: 122   Function Name: NtOpenProcess
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d78308

                      #: 125   Function Name: NtOpenSection
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d777b4

                      #: 128   Function Name: NtOpenThread
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d788b0

                      #: 137   Function Name: NtProtectVirtualMemory
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d7a6da

                      #: 180   Function Name: NtQueueApcThread
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d7aa44

                      #: 199   Function Name: NtRequestPort
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d79cb0

                      #: 200   Function Name: NtRequestWaitReplyPort
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d7a018

                      #: 204   Function Name: NtRestoreKey
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d8010e

                      #: 206   Function Name: NtResumeThread
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d790ce

                      #: 210   Function Name: NtSecureConnectPort
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d7986e

                      #: 213   Function Name: NtSetContextThread
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d78bcc

                      #: 240   Function Name: NtSetSystemInformation
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d7b0e0

                      #: 249   Function Name: NtShutdownSystem
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d7a28a

                      #: 253   Function Name: NtSuspendProcess
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d791fe

                      #: 254   Function Name: NtSuspendThread
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d78f7a

                      #: 255   Function Name: NtSystemDebugControl
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d78e40

                      #: 257   Function Name: NtTerminateProcess
                      Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS" at address 0xa8ddd620

                      #: 258   Function Name: NtTerminateThread
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d78a66

                      #: 262   Function Name: NtUnloadDriver
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d7a518

                      #: 277   Function Name: NtWriteVirtualMemory
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d7a804

                      ==EOF==
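
An added example, not part of the original post and not RootRepeal's own code: a Python summarizer for the SSDT section above. Every hooked call in that list is claimed by either OADriver.sys (Online Armor, matching the R1 OADevice line in the ComboFix log) or SASKUTIL.SYS (SUPERAntiSpyware), which is the normal footprint of a HIPS and anti-spyware product rather than of a rootkit. The script makes that attribution explicit: it groups hooked functions by hooking module, flags any module not on an allowlist, and reports the handler address range per module. The allowlist and the sample lines are constructed from this thread's logs; the allowlist is an assumption for the example, not a vendor list.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Sample input: a subset of the SSDT section from the RootRepeal log above.
SAMPLE_SSDT = r"""
#: 017   Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d7b42c

#: 047   Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d7aee8

#: 097   Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d7a350

#: 122   Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d78308

#: 257   Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS" at address 0xa8ddd620

#: 277   Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d7a804
"""

# Constructed allowlist: drivers that the ComboFix log on this machine ties to
# installed security products (Online Armor, SUPERAntiSpyware). Build yours from
# what is actually installed on the box being examined.
KNOWN_HOOKERS: Set[str] = {"oadriver.sys", "saskutil.sys"}

HOOK_RE = re.compile(
    r'#:\s*(?P<idx>\d+)\s+Function Name:\s*(?P<fn>\w+)\s+'
    r'Status:\s*Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9A-Fa-f]+)'
)

Hook = Tuple[int, str, str, int]  # (SSDT index, function, module path, handler address)


def parse_ssdt_hooks(text: str) -> List[Hook]:
    """Extract every 'Hooked by' pair from RootRepeal's SSDT section."""
    return [(int(m.group("idx")), m.group("fn"), m.group("module"), int(m.group("addr"), 16))
            for m in HOOK_RE.finditer(text)]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hooks_by_module(hooks: List[Hook]) -> Dict[str, List[str]]:
    """Which module owns which hooked system calls, in log order."""
    by: Dict[str, List[str]] = defaultdict(list)
    for _, fn, module, _ in hooks:
        by[_basename(module)].append(fn)
    return dict(by)


def unexpected_hook_modules(hooks: List[Hook], known: Iterable[str]) -> List[str]:
    """Hooking modules that are not on the allowlist, first-seen order, no duplicates."""
    known_set = {k.lower() for k in known}
    seen: List[str] = []
    for _, _, module, _ in hooks:
        b = _basename(module)
        if b not in known_set and b not in seen:
            seen.append(b)
    return seen


def handler_address_ranges(hooks: List[Hook]) -> Dict[str, Tuple[int, int]]:
    """Lowest and highest handler address per module. A product's handlers sit
    inside its own driver image, so one tight range per module is the normal
    picture; handlers scattered far apart, or pointing outside any loaded
    driver, are what to look at more closely."""
    rng: Dict[str, Tuple[int, int]] = {}
    for _, _, module, addr in hooks:
        b = _basename(module)
        lo, hi = rng.get(b, (addr, addr))
        rng[b] = (min(lo, addr), max(hi, addr))
    return rng


if __name__ == "__main__":
    hooks = parse_ssdt_hooks(SAMPLE_SSDT)
    for module, fns in hooks_by_module(hooks).items():
        lo, hi = handler_address_ranges(hooks)[module]
        print(f"{module}: {len(fns)} hooks, handlers in {lo:#x}-{hi:#x}: {', '.join(fns)}")
    print("not on allowlist:", unexpected_hook_modules(hooks, KNOWN_HOOKERS) or "none")
```

A hooked SSDT is not by itself a finding: a HIPS has to intercept NtCreateProcess, NtLoadDriver, NtWriteVirtualMemory and friends to do its job. The question the script answers is whether every hooking module maps to something you know is installed; a module you cannot account for, or one RootRepeal lists as hooking but which does not appear among the loaded drivers, is the case that needs follow-up.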

                      SuperDave

                      • Malware Removal Specialist


                      • Genius
                      • Thanked: 1020
                      • Certifications: List
                      • Experience: Expert
                      • OS: Windows 10
                      Re: Trojan windows restore, help me??
                      « Reply #14 on: April 21, 2011, 12:43:44 PM »
                      You did not run the ComboFix script as instructed. Please follow the instructions in Reply # 11 to run the script.
                      Windows 8 and Windows 10 dual boot with two SSD's