Topic: Trojan windows restore, help me??


gripenfighter (Topic Starter)
    Trojan windows restore, help me??
    « on: April 14, 2011, 08:03:16 AM »
    I have "Windows Restore" on my system. I have tried to get rid of it, but it is still there. I'm trying to use Malwarebytes Anti-Malware, but the trojan stops me from installing it on my computer even when I follow the instructions from the BleepingComputer site. Please, can anyone help me?

    Christian

    Allan (Moderator)
    Re: Trojan windows restore, help me??
    « Reply #1 on: April 14, 2011, 08:07:59 AM »
    Please follow the instructions in the following link and post your logs:
    http://www.computerhope.com/forum/index.php/topic,46313.0.html

    gripenfighter (Topic Starter)
      Re: Trojan windows restore, help me??
      « Reply #2 on: April 17, 2011, 04:45:06 PM »
      I have done everything in the exact order of your instructions. I can't see anything under C:. I still can't find my program in the program bar. I can't find anything in the program bar except the programs I've installed during this process. For example, the "My Documents" icon is visible, but it seems like there is nothing there either. How can I find it?

      Best regards,
      Christian

      gripenfighter (Topic Starter)
        Re: Trojan windows restore, help me??
        « Reply #3 on: April 17, 2011, 04:46:47 PM »
        Thank you very much up to this point. These are my logs from the process! But please look at my other concerns in the message before this.

        [recovering disk space - old attachment deleted by admin]

        SuperDave (Malware Removal Specialist)
        Re: Trojan windows restore, help me??
        « Reply #4 on: April 18, 2011, 12:46:14 PM »
        Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

        1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
        2. The fixes are specific to your problem and should only be used for this issue on this machine.
        3. If you don't know or understand something, please don't hesitate to ask.
        4. Please DO NOT run any other tools or scans while I am helping you.
        5. It is important that you reply to this thread. Do not start a new topic.
        6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
        7. Absence of symptoms does not mean that everything is clear.

        If you can't access the internet with your infected computer, you will have to download any programs on the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device, hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back online.
        ****************************************************
        Please do not attach the logs unless absolutely necessary. Copy and paste them in your reply.

        Download Security Check by screen317 from one of the following links and save it to your desktop.

        Link 1
        Link 2

        * Unzip SecurityCheck.zip and a folder named Security Check should appear.
        * Open the Security Check folder and double-click Security Check.bat
        * Follow the on-screen instructions inside of the black box.
        * A Notepad document should open automatically called checkup.txt
        * Post the contents of that document in your next reply.

        Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
        ***************************************************
        Please download ComboFix from BleepingComputer.com

        Alternate link: GeeksToGo.com

        and save it to your Desktop.
        It would be easiest to download using Internet Explorer.
        If you insist on using Firefox, make sure that your download settings are as follows:

        * Tools->Options->Main tab
        * Set to "Always ask me where to Save the files".

        Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
        Double click ComboFix.exe & follow the prompts.
        As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
        Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

        Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

        Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


        Click on Yes, to continue scanning for malware.
        When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

        If you have problems with ComboFix usage, see How to use ComboFix

          gripenfighter (Topic Starter)
          Re: Trojan windows restore, help me??
          « Reply #5 on: April 19, 2011, 07:57:15 AM »
          Hello Dave,

          I will try your instructions. Thank you so far!
          Christian

            gripenfighter (Topic Starter)
            Re: Trojan windows restore, help me??
            « Reply #6 on: April 19, 2011, 08:07:34 AM »
            Hello again !

            When I try to install Security Check on my system, it doesn't work. I have a message on the screen that says: AutoIt "Error allocating memory". How do I proceed from here? Do I need to uninstall Microsoft Security Essentials, the antispyware program, or what should I do?

            Christian

              gripenfighter (Topic Starter)
              Re: Trojan windows restore, help me??
              « Reply #7 on: April 19, 2011, 08:09:32 AM »
              Excuse me!
              Here are the contents of Security Check!

              Results of screen317's Security Check version 0.99.10 
               Windows XP Service Pack 3 (UAC is enabled)
               Internet Explorer 8 
              ``````````````````````````````
              Antivirus/Firewall Check:

               Online Armor 5.0   
               Microsoft Security Essentials   
               Antivirus up to date! 
              ```````````````````````````````
              Anti-malware/Other Utilities Check:

               Malwarebytes' Anti-Malware   
               CCleaner     
               Java(TM) 6 Update 24 
               Adobe Flash Player    10.2.152.26 
              Adobe Reader 7.0
              Out of date Adobe Reader installed!
               Mozilla Firefox (3.6.13) Firefox Out of Date! 
              ````````````````````````````````
              Process Check: 
              objlist.exe by Laurent

              ``````````End of Log````````````

                gripenfighter (Topic Starter)
                Re: Trojan windows restore, help me??
                « Reply #8 on: April 19, 2011, 08:50:40 AM »
                Here are the contents of ComboFix.txt:

                ComboFix 11-04-18.04 - Christian 2011-04-19  16:25:57.1.2 - FAT32x86
                Microsoft Windows XP Professional  5.1.2600.3.1252.46.1033.18.2038.1425 [GMT 2:00]
                Running from: C:\Documents and Settings\Christian\Desktop\ComboFix.exe
                AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
                FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

                PEV Error: LocalSettingsFile

                (((((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))))))))))


                C:\Program Files\WinPCap
                C:\Program Files\WinPCap\daemon_mgm.exe
                C:\Program Files\WinPCap\npf_mgm.exe
                C:\Program Files\WinPCap\rpcapd.exe
                C:\WINDOWS\system32\Packet.dll
                C:\WINDOWS\system32\pthreadVC.dll
                C:\WINDOWS\system32\WanPacket.dll
                C:\WINDOWS\system32\wpcap.dll


                (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
                .

                -------\Legacy_NPF
                -------\Service_NPF


                ((((((((((((((((((((((((   Files Created from 2011-03-19 to 2011-04-19  ))))))))))))))))))))))))))))))


                2011-04-19 14:08:40 . 2011-03-14 19:05:44   6792528   ----a-w-   C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
                2011-04-19 14:08:27 . 2011-04-11 07:04:08   7071056   ----a-w-   C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{66815DCA-BA1A-432E-A86F-78E9E6A34E64}\mpengine.dll
                2011-04-18 01:35:07 . 2011-04-18 01:35:08   --------   d-----w-   C:\WINDOWS\LastGood.Tmp
                2011-04-18 01:34:57 . 2011-04-18 01:34:58   --------   d-----w-   C:\Program Files\Microsoft Security Client
                2011-04-18 01:30:16 . 2011-04-18 01:30:18   --------   d--h--w-   C:\WINDOWS\system32\GroupPolicy
                2011-04-18 01:21:18 . 2011-04-18 01:21:20   --------   d-----w-   C:\Program Files\Common Files\McAfee
                2011-04-18 01:20:39 . 2011-04-18 01:20:40   --------   d-----w-   C:\Program Files\McAfee
                2011-04-18 01:20:39 . 2011-04-18 01:20:40   --------   d-----w-   C:\Documents and Settings\All Users\Application Data\McAfee
                2011-04-17 23:30:52 . 2011-04-17 23:30:54   --------   d-----w-   C:\Documents and Settings\Administrator\Application Data\Malwarebytes
                2011-04-17 23:30:51 . 2011-04-17 23:30:52   --------   d-sh--w-   C:\Documents and Settings\Administrator\IETldCache
                2011-04-17 22:25:58 . 2011-04-17 22:26:00   388096   ----a-r-   C:\Documents and Settings\Christian\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
                2011-04-17 22:25:57 . 2011-04-17 22:25:58   --------   d-----w-   C:\Program Files\Trend Micro
                2011-04-17 22:22:23 . 2011-04-17 22:22:14   73728   ----a-w-   C:\WINDOWS\system32\javacpl.cpl
                2011-04-17 22:22:09 . 2011-04-17 22:22:10   --------   d-----w-   C:\Program Files\Java
                2011-04-17 21:59:26 . 2010-12-20 16:09:00   38224   ----a-w-   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
                2011-04-17 21:59:19 . 2010-12-20 16:08:40   20952   ----a-w-   C:\WINDOWS\system32\drivers\mbam.sys
                2011-04-17 19:06:53 . 2011-04-17 19:06:54   --------   d-----w-   C:\Documents and Settings\Christian\Application Data\SUPERAntiSpyware.com
                2011-04-17 19:06:53 . 2011-04-17 19:06:54   --------   d-----w-   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
                2011-04-17 19:06:37 . 2011-04-17 19:06:38   --------   d-----w-   C:\Program Files\SUPERAntiSpyware
                2011-04-17 18:54:30 . 2011-04-17 18:54:32   --------   d-----w-   C:\Program Files\CCleaner
                2011-04-17 18:07:56 . 2011-04-17 18:07:58   --------   d-----w-   C:\Documents and Settings\Christian\Application Data\OnlineArmor
                2011-04-17 18:07:56 . 2011-04-17 18:07:58   --------   d-----w-   C:\Documents and Settings\All Users\Application Data\OnlineArmor
                2011-04-17 18:07:35 . 2011-04-06 11:02:26   39048   ----a-w-   C:\WINDOWS\system32\drivers\oahlp32.sys
                2011-04-17 18:07:35 . 2011-04-06 11:01:32   29464   ----a-w-   C:\WINDOWS\system32\drivers\OAnet.sys
                2011-04-17 18:07:35 . 2011-04-06 11:01:30   25192   ----a-w-   C:\WINDOWS\system32\drivers\OAmon.sys
                2011-04-17 18:07:35 . 2011-04-06 11:01:30   205864   ----a-w-   C:\WINDOWS\system32\drivers\OADriver.sys
                2011-04-17 18:07:04 . 2011-04-17 18:07:06   --------   d-----w-   C:\Program Files\Online Armor
                2011-04-14 14:29:24 . 2011-04-14 14:29:24   --------   d-----w-   C:\FOUND.005
                2011-04-13 22:35:43 . 2011-04-13 22:35:44   --------   d--h--w-   C:\Documents and Settings\Christian\Local Settings\Application Data\Threat Expert
                2011-04-13 21:24:33 . 2011-04-13 21:24:34   --------   d--h--w-   C:\Program Files\Spyware Doctor
                2011-04-13 21:08:48 . 2011-04-13 21:08:50   --------   d--h--w-   C:\Program Files\Panda Security
                2011-04-13 20:59:57 . 2011-04-13 20:59:58   --------   d--h--w-   C:\Documents and Settings\All Users\Application Data\TEMP
                2011-04-13 20:42:53 . 2011-04-13 20:42:54   --------   d--h--w-   C:\Program Files\Loaris
                2011-04-13 17:44:28 . 2011-04-13 17:44:28   --------   d-----w-   C:\FOUND.004
                2011-04-13 17:14:43 . 2011-04-13 17:14:44   --------   d-sh--w-   C:\Documents and Settings\LocalService\IETldCache
                2011-04-13 16:18:12 . 2011-04-13 16:18:12   --------   d-----w-   C:\FOUND.003
                2011-04-13 14:35:56 . 2011-04-13 14:35:58   --------   d--h--w-   C:\WINDOWS\Sun
                2011-04-13 14:35:38 . 2011-04-17 22:22:14   472808   ----a-w-   C:\WINDOWS\system32\deployJava1.dll
                2011-04-13 14:35:38 . 2011-04-17 22:22:14   472808   ----a-w-   C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
                2011-04-13 14:22:56 . 2011-04-13 14:22:58   529052   ---ha-w-   C:\WINDOWS\system32\PerfStringBackup.TMP
                2011-04-13 13:05:37 . 2011-04-13 13:05:38   --------   d--h--w-   C:\Program Files\Enigma Software Group
                2011-04-13 13:04:52 . 2011-04-13 13:04:54   --------   d--h--w-   C:\WINDOWS\41EBC322660F4D16A0DF53147210CBDB.TMP
                2011-04-13 13:04:49 . 2011-04-13 13:04:50   --------   d--h--w-   C:\Program Files\Common Files\Wise Installation Wizard
                2011-04-13 12:39:46 . 2011-04-13 12:39:48   --------   d--h--w-   C:\Program Files\GridinSoft Trojan Killer
                2011-04-13 12:10:54 . 2011-04-13 12:10:56   380   ---ha-w-   C:\WINDOWS\system32\drivers\sunkdkym.dat
                2011-04-13 05:14:25 . 2011-04-13 05:14:26   --------   d--h--w-   C:\Documents and Settings\Christian\Local Settings\Application Data\WMTools Downloaded Files
                2011-04-05 21:33:43 . 2011-04-05 21:33:44   --------   d--h--w-   C:\Documents and Settings\All Users\Application Data\WinZip
                2011-04-05 21:21:38 . 2011-04-05 21:21:40   --------   d--h--w-   C:\Program Files\7-Zip
                2011-03-21 12:26:49 . 2010-10-19 19:51:34   222080   ------w-   C:\WINDOWS\system32\MpSigStub.exe
                2011-03-21 11:37:13 . 2011-03-21 11:37:14   --------   d--h--w-   C:\Documents and Settings\Christian\Application Data\Malwarebytes
                2011-03-21 11:37:08 . 2011-03-21 11:37:10   --------   d--h--w-   C:\Documents and Settings\All Users\Application Data\Malwarebytes
                2011-03-21 11:37:05 . 2011-03-21 11:37:06   --------   d--h--w-   C:\Program Files\Malwarebytes' Anti-Malware
                2011-03-21 10:50:18 . 2011-03-21 10:50:18   --------   d-----w-   C:\FOUND.002
                .


                ((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
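A first-pass triage of the ComboFix output posted above, as an added example that is not part of this thread and not ComboFix's own code. It parses the two line shapes that appear in the logs in this thread (the "Files Created" entries and the registry Run-key values) and flags the ones a malware-removal helper would look at first: hidden, very small files under system32, non-.sys files sitting in the drivers directory, names with almost no vowels, Run values whose target is a bare name resolved through the search path, and values ComboFix marks "[X]". The sample lines are copied from the logs in this thread; the thresholds, and the reading of "[X]" as "target not found on disk", are assumptions made for this example.

```python
"""Heuristic triage of ComboFix log lines (added example, not ComboFix code).

Parses the two line shapes seen in the logs posted in this thread:
  Files Created : <created> . <modified>   <size|-------->   <attrs>   <path>
  Registry Run  : "<value name>"="<target>" [<date size> | X]
and flags entries a malware-removal helper would look at first.
All thresholds, and the reading of the "[X]" marker as "target not found
on disk", are assumptions made for this example.
"""
import re

# Constructed sample: lines copied from the ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
2011-04-17 21:59 . 2010-12-20 16:09   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-13 14:22 . 2011-04-13 14:22   529052   ---ha-w-   c:\windows\system32\PerfStringBackup.TMP
2011-04-13 13:04 . 2011-04-13 13:04   --------   d--h--w-   c:\windows\41EBC322660F4D16A0DF53147210CBDB.TMP
2011-04-13 12:10 . 2011-04-13 12:10   380   ---ha-w-   c:\windows\system32\drivers\sunkdkym.dat
2011-03-21 12:26 . 2010-10-19 19:51   222080   ------w-   c:\windows\system32\MpSigStub.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"""

# Attribute field is 8 characters: d=directory, s=system, h=hidden, a=archive, r/w.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-{8})\s+(?P<attrs>[-dshawr]{8})\s+(?P<path>\S.*)$"
)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s+\[(?P<info>[^\]]*)\]$')
VOWELS = set("aeiou")
X_NOT_FOUND = "marked [X] (assumed: target not found on disk)"
BARE_NAME = "bare name resolved via the search path"


def looks_random(stem, min_letters=6, max_vowel_ratio=0.15):
    """Crude pronounceability test: generated names tend to have almost no vowels."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < min_letters:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < max_vowel_ratio


def triage_file(m):
    """Reasons to look at one 'Files Created' entry (empty list = nothing odd)."""
    attrs, path = m["attrs"], m["path"].lower()
    is_dir, hidden = attrs[0] == "d", "h" in attrs
    size = int(m["size"]) if m["size"].isdigit() else None  # directories have no size
    name = path.rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    reasons = []
    if looks_random(stem):
        reasons.append("random-looking name")
    if not is_dir and "\\drivers\\" in path and ext != "sys":
        reasons.append("non-.sys file in a drivers directory")
    if hidden and size is not None and size < 4096 and path.startswith("c:\\windows\\system32"):
        reasons.append("small hidden file under system32")
    return reasons


def triage_run(m):
    """Reasons to look at one Run-key value."""
    reasons = []
    if m["info"].strip() == "X":
        reasons.append(X_NOT_FOUND)
    if ":\\" not in m["target"]:  # no drive prefix: resolved through the search path
        reasons.append(BARE_NAME)
    return reasons


def triage(log_text):
    """Return [{'kind', 'key', 'reasons'}] for every line with at least one reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            kind, key, reasons = "file", m["path"], triage_file(m)
        else:
            m = RUN_RE.match(line)
            if not m:
                continue  # section headers, dots, registry key names
            kind, key, reasons = "run", m["name"], triage_run(m)
        if reasons:
            findings.append({"kind": kind, "key": key, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:<4} {f['key']}: {'; '.join(f['reasons'])}")
```

On the sample, only the 380-byte hidden `sunkdkym.dat` in the drivers directory and the `LaunchApp` value are reported; the legitimate hidden `PerfStringBackup.TMP` and the signed security-tool drivers pass. The output is a candidate list for a human, not a verdict: a flagged file still needs its hash checked and its loader found before anything is deleted.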


                SuperDave (Malware Removal Specialist)
                Re: Trojan windows restore, help me??
                « Reply #9 on: April 19, 2011, 01:17:15 PM »
                The ComboFix log is not complete. Please look for it on your C: drive under ComboFix.

                  gripenfighter (Topic Starter)
                  Re: Trojan windows restore, help me??
                  « Reply #10 on: April 20, 2011, 12:17:17 AM »
                  Hello again. I think I had a problem when I first ran ComboFix. Now I have the complete log:

                  ComboFix 11-04-19.02 - Christian 2011-04-20   8:09.2.2 - FAT32x86
                  Microsoft Windows XP Professional  5.1.2600.3.1252.46.1033.18.2038.1465 [GMT 2:00]
                  Running from: c:\documents and settings\Christian\Desktop\ComboFix.exe
                  AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
                  FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
                  .
                  .
                  (((((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  c:\windows\system32\drivers\npf.sys
                  .
                  ---- Previous Run -------
                  .
                  c:\program files\WinPCap\daemon_mgm.exe
                  c:\program files\WinPCap\npf_mgm.exe
                  c:\program files\WinPCap\rpcapd.exe
                  c:\windows\system32\Packet.dll
                  c:\windows\system32\pthreadVC.dll
                  c:\windows\system32\WanPacket.dll
                  c:\windows\system32\wpcap.dll
                  .
                  .
                  (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  -------\Legacy_NPF
                  -------\Service_NPF
                  .
                  .
                  ((((((((((((((((((((((((   Files Created from 2011-03-20 to 2011-04-20  ))))))))))))))))))))))))))))))
                  .
                  .
                  2011-04-19 14:54 . 2011-04-11 07:04   7071056   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8DA7A6F1-60E9-4F6A-AAE8-A22DBE966989}\mpengine.dll
                  2011-04-19 14:08 . 2011-03-14 19:05   6792528   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
                  2011-04-18 01:34 . 2011-04-18 01:34   --------   d-----w-   c:\program files\Microsoft Security Client
                  2011-04-18 01:30 . 2011-04-18 01:30   --------   d--h--w-   c:\windows\system32\GroupPolicy
                  2011-04-18 01:21 . 2011-04-18 01:21   --------   d-----w-   c:\program files\Common Files\McAfee
                  2011-04-18 01:20 . 2011-04-18 01:20   --------   d-----w-   c:\program files\McAfee
                  2011-04-18 01:20 . 2011-04-18 01:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee
                  2011-04-17 23:30 . 2011-04-17 23:30   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
                  2011-04-17 23:30 . 2011-04-17 23:30   --------   d-sh--w-   c:\documents and settings\Administrator\IETldCache
                  2011-04-17 22:25 . 2011-04-17 22:26   388096   ----a-r-   c:\documents and settings\Christian\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
                  2011-04-17 22:25 . 2011-04-17 22:25   --------   d-----w-   c:\program files\Trend Micro
                  2011-04-17 22:22 . 2011-04-17 22:22   73728   ----a-w-   c:\windows\system32\javacpl.cpl
                  2011-04-17 22:22 . 2011-04-17 22:22   --------   d-----w-   c:\program files\Java
                  2011-04-17 21:59 . 2010-12-20 16:09   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                  2011-04-17 21:59 . 2010-12-20 16:08   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                  2011-04-17 19:06 . 2011-04-17 19:06   --------   d-----w-   c:\documents and settings\Christian\Application Data\SUPERAntiSpyware.com
                  2011-04-17 19:06 . 2011-04-17 19:06   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
                  2011-04-17 19:06 . 2011-04-17 19:06   --------   d-----w-   c:\program files\SUPERAntiSpyware
                  2011-04-17 18:54 . 2011-04-17 18:54   --------   d-----w-   c:\program files\CCleaner
                  2011-04-17 18:07 . 2011-04-17 18:07   --------   d-----w-   c:\documents and settings\Christian\Application Data\OnlineArmor
                  2011-04-17 18:07 . 2011-04-17 18:07   --------   d-----w-   c:\documents and settings\All Users\Application Data\OnlineArmor
                  2011-04-17 18:07 . 2011-04-06 11:02   39048   ----a-w-   c:\windows\system32\drivers\oahlp32.sys
                  2011-04-17 18:07 . 2011-04-06 11:01   29464   ----a-w-   c:\windows\system32\drivers\OAnet.sys
                  2011-04-17 18:07 . 2011-04-06 11:01   25192   ----a-w-   c:\windows\system32\drivers\OAmon.sys
                  2011-04-17 18:07 . 2011-04-06 11:01   205864   ----a-w-   c:\windows\system32\drivers\OADriver.sys
                  2011-04-17 18:07 . 2011-04-17 18:07   --------   d-----w-   c:\program files\Online Armor
                  2011-04-14 14:29 . 2011-04-14 14:29   --------   d-----w-   C:\FOUND.005
                  2011-04-13 22:35 . 2011-04-13 22:35   --------   d--h--w-   c:\documents and settings\Christian\Local Settings\Application Data\Threat Expert
                  2011-04-13 21:24 . 2011-04-13 21:24   --------   d--h--w-   c:\program files\Spyware Doctor
                  2011-04-13 21:08 . 2011-04-13 21:08   --------   d--h--w-   c:\program files\Panda Security
                  2011-04-13 20:59 . 2011-04-13 20:59   --------   d--h--w-   c:\documents and settings\All Users\Application Data\TEMP
                  2011-04-13 20:42 . 2011-04-13 20:42   --------   d--h--w-   c:\program files\Loaris
                  2011-04-13 17:44 . 2011-04-13 17:44   --------   d-----w-   C:\FOUND.004
                  2011-04-13 17:14 . 2011-04-13 17:14   --------   d-sh--w-   c:\documents and settings\LocalService\IETldCache
                  2011-04-13 16:18 . 2011-04-13 16:18   --------   d-----w-   C:\FOUND.003
                  2011-04-13 14:35 . 2011-04-13 14:35   --------   d--h--w-   c:\windows\Sun
                  2011-04-13 14:35 . 2011-04-17 22:22   472808   ----a-w-   c:\windows\system32\deployJava1.dll
                  2011-04-13 14:35 . 2011-04-17 22:22   472808   ----a-w-   c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
                  2011-04-13 14:22 . 2011-04-13 14:22   529052   ---ha-w-   c:\windows\system32\PerfStringBackup.TMP
                  2011-04-13 13:05 . 2011-04-13 13:05   --------   d--h--w-   c:\program files\Enigma Software Group
                  2011-04-13 13:04 . 2011-04-13 13:04   --------   d--h--w-   c:\windows\41EBC322660F4D16A0DF53147210CBDB.TMP
                  2011-04-13 13:04 . 2011-04-13 13:04   --------   d--h--w-   c:\program files\Common Files\Wise Installation Wizard
                  2011-04-13 12:39 . 2011-04-13 12:39   --------   d--h--w-   c:\program files\GridinSoft Trojan Killer
                  2011-04-13 12:10 . 2011-04-13 12:10   380   ---ha-w-   c:\windows\system32\drivers\sunkdkym.dat
                  2011-04-13 05:14 . 2011-04-13 05:14   --------   d--h--w-   c:\documents and settings\Christian\Local Settings\Application Data\WMTools Downloaded Files
                  2011-04-05 21:33 . 2011-04-05 21:33   --------   d--h--w-   c:\documents and settings\All Users\Application Data\WinZip
                  2011-04-05 21:21 . 2011-04-05 21:21   --------   d--h--w-   c:\program files\7-Zip
                  2011-03-21 12:26 . 2010-10-19 19:51   222080   ------w-   c:\windows\system32\MpSigStub.exe
                  2011-03-21 11:37 . 2011-03-21 11:37   --------   d--h--w-   c:\documents and settings\Christian\Application Data\Malwarebytes
                  2011-03-21 11:37 . 2011-03-21 11:37   --------   d--h--w-   c:\documents and settings\All Users\Application Data\Malwarebytes
                  2011-03-21 11:37 . 2011-03-21 11:37   --------   d--h--w-   c:\program files\Malwarebytes' Anti-Malware
                  2011-03-21 10:50 . 2011-03-21 10:50   --------   d-----w-   C:\FOUND.002
                  .
                  .
                  .
                  ((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  2011-03-09 18:36 . 2009-08-18 09:30   564632   ---ha-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\wlidui.dll
                  2011-03-09 18:36 . 2009-08-18 09:24   18328   ---ha-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
                  2011-03-07 07:31 . 2011-02-20 14:55   57344   ---ha-r-   c:\documents and settings\Christian\Application Data\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
                  2011-03-07 07:30 . 2003-03-18 19:05   106496   ---ha-w-   c:\windows\system32\ATL71.DLL
                  2011-03-07 05:33 . 2004-08-10 18:00   692736   ---ha-w-   c:\windows\system32\inetcomm.dll
                  2011-03-04 06:37 . 2004-08-10 18:00   420864   ---ha-w-   c:\windows\system32\vbscript.dll
                  2011-03-03 13:21 . 2004-08-10 18:00   1857920   ---ha-w-   c:\windows\system32\win32k.sys
                  2011-02-22 23:06 . 2006-01-09 18:02   916480   ---ha-w-   c:\windows\system32\wininet.dll
                  2011-02-22 23:06 . 2004-08-10 18:00   43520   ---ha-w-   c:\windows\system32\licmgr10.dll
                  2011-02-22 23:06 . 2004-08-10 18:00   1469440   ---h--w-   c:\windows\system32\inetcpl.cpl
                  2011-02-22 11:42 . 2004-08-10 18:00   385024   ---ha-w-   c:\windows\system32\html.iec
                  2011-02-20 14:55 . 2011-02-20 14:55   49152   ---ha-r-   c:\documents and settings\Christian\Application Data\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
                  2011-02-17 13:18 . 2004-08-10 18:00   455936   ---ha-w-   c:\windows\system32\drivers\mrxsmb.sys
                  2011-02-17 13:18 . 2004-08-10 18:00   357888   ---ha-w-   c:\windows\system32\drivers\srv.sys
                  2011-02-17 12:32 . 2011-02-15 21:22   5120   ---ha-w-   c:\windows\system32\xpsp4res.dll
                  2011-02-15 19:19 . 2011-02-15 19:19   21275   ---ha-w-   c:\windows\system32\drivers\AegisP.sys
                  2011-02-15 19:17 . 2004-09-27 15:15   1003   ---ha-w-   c:\windows\CLEANUP.CMD
                  2011-02-15 16:49 . 2004-09-21 12:28   62   ---ha-w-   c:\windows\HotFix.bat
                  2011-02-15 12:56 . 2004-08-10 18:00   290432   ---ha-w-   c:\windows\system32\atmfd.dll
                  2011-02-11 13:25 . 2004-08-10 18:00   229888   ---ha-w-   c:\windows\system32\fxscover.exe
                  2011-02-08 13:33 . 2004-08-10 18:00   978944   ---ha-w-   c:\windows\system32\mfc42.dll
                  2011-02-08 13:33 . 2004-08-10 18:00   974848   ---ha-w-   c:\windows\system32\mfc42u.dll
                  2011-02-04 15:48 . 2005-08-05 12:01   456192   ---ha-w-   c:\windows\system32\encdec.dll
                  2011-02-04 15:48 . 2005-08-05 12:01   291840   ---ha-w-   c:\windows\system32\sbe.dll
                  2011-02-02 06:58 . 2004-08-10 18:00   2067456   ---ha-w-   c:\windows\system32\mstscax.dll
                  2011-01-27 10:57 . 2004-08-10 18:00   677888   ---ha-w-   c:\windows\system32\mstsc.exe
                  2011-01-21 13:44 . 2004-08-10 18:00   439296   ---ha-w-   c:\windows\system32\shimgvw.dll
                  .
                  .
                  ((((((((((((((((((((((((((((((((((   Registry Start Points   )))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  *Note*  Empty entries & legitimate default entries are not shown.
                  REGEDIT4
                  .
                  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-03-16 2423752]
                  .
                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "LaunchApp"="Alaunch" [X]
                  "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
                  "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
                  "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
                  "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 110592]
                  "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
                  "SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
                  "AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-12-21 53248]
                  "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
                  "ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2006-05-15 45056]
                  "ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]
                  "eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 69632]
                  "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
                  "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
                  "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
                  "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
                  "RTHDCPL"="RTHDCPL.EXE" [2006-06-28 16248320]
                  "ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-08-10 352256]
                  "Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-22 3080704]
                  "LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-07-20 593920]
                  "eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 397312]
                  "LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2006-06-23 225280]
                  "LogitechCameraAssistant"="c:\program files\Acer\OrbiCam\CameraAssistant.exe" [2006-06-26 331776]
                  "LogitechVideo[inspector]"="c:\program files\Acer\OrbiCam\InstallHelper.exe" [2006-06-26 13:55 73728]
                  "LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-01 262144]
                  "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
                  "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
                  "Nikon Message Center 2"="c:\program files\Nikon\Nikon Message Center 2\NkMC2.exe" [2010-05-25 619008]
                  "@OnlineArmor GUI"="c:\program files\Online Armor\OAui.exe" [2011-04-06 2477032]
                  "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
                  .
                  [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                  "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
                  .
                  c:\documents and settings\All Users\Start Menu\Programs\Startup\
                  Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
                  Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-2-16 113664]
                  WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2011-2-9 610120]
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
                  "ConsentPromptBehaviorAdmin"= 0 (0x0)
                  "ConsentPromptBehaviorUser"= 0 (0x0)
                  .
                  [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                  "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\ONLINE~2\oaevent.dll" [2011-04-06 354720]
                  "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                  2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                  .
                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
                  @="Service"
                  .
                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                  "EnableFirewall"= 0 (0x0)
                  .
                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                  "%windir%\\system32\\sessmgr.exe"=
                  "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
                  "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                  "c:\\Program Files\\Spotify\\spotify.exe"=
                  "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
                  .
                  R1 MpKsldb63392e;MpKsldb63392e;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8DA7A6F1-60E9-4F6A-AAE8-A22DBE966989}\MpKsldb63392e.sys [2011-04-20 28752]
                  R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2011-04-17 205864]
                  R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2011-04-17 25192]
                  R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2011-04-17 29464]
                  R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2010-02-17 12872]
                  R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
                  R2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [2011-04-17 381512]
                  R3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys [2006-06-19 1097728]
                  S1 MpKsl2e392492;MpKsl2e392492;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{66815DCA-BA1A-432E-A86F-78E9E6A34E64}\MpKsl2e392492.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{66815DCA-BA1A-432E-A86F-78E9E6A34E64}\MpKsl2e392492.sys [?]
                  S1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [2011-04-17 39048]
                  S2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [2011-04-17 4326472]
                  S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
                  S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
                  S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
                  .
                  --- Övriga tjänster/drivrutiner i minnet ---
                  .
                  *NewlyCreated* - INT15.SYS
                  *NewlyCreated* - MPKSLDB63392E
                  .
                  Innehållet i mappen 'Schemalagda aktiviteter':
                  .
                  2011-04-18 c:\windows\Tasks\At1.job
                  - c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe [2010-06-14 14:07]
                  .
                  2011-04-17 c:\windows\Tasks\At2.job
                  - c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe [2010-06-14 14:07]
                  .
                  2011-04-19 c:\windows\Tasks\At3.job
                  - c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe [2010-06-14 14:07]
                  .
                  2011-04-18 c:\windows\Tasks\At4.job
                  - c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe [2010-06-14 14:07]
                  .
                  2011-04-20 c:\windows\Tasks\MpIdleTask.job
                  - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 10:26]
                  .
                  2011-04-20 c:\windows\Tasks\MP Scheduled Scan.job
                  - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 10:26]
                  .
                  .
                  ------- Extra genomsökning -------
                  .
                  uStart Page = hxxp://www.aftonbladet.se/
                  uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
                  uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
                  IE: E&xportera till Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
                  IE: Lägg till i Skydd mot webbannonser - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2011\ie_banner_deny.htm
                  Trusted Zone: farman.se
                  Trusted Zone: farman.se\www
                  Trusted Zone: one.com\www
                  DPF: {DC6FEBC5-0A2D-458A-A01B-5DB15EEC4305} - hxxp://webc.farman.se/auth/controls/IlosoftImageUpload.dll
                  FF - ProfilePath - c:\documents and settings\Christian\Application Data\Mozilla\Firefox\Profiles\60wvxkr8.default\
                  FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
                  FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
                  FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
                  .
                  - - - - FÖRÄLDRALÖSA POSTER SOM TAGITS BORT - - - -
                  .
                  AddRemove-{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A} - c:\program files\McAfee\SiteAdvisor\Uninstall.exe
                  .
                  .
                  .
                  **************************************************************************
                  .
                  catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                  Rootkit scan 2011-04-20 08:13
                  Windows 5.1.2600 Service Pack 3 FAT NTAPI
                  .
                  scanning hidden processes ... 
                  .
                  scanning hidden autostart entries ...
                  .
                  scanning hidden files ... 
                  .
                  scan completed successfully
                  hidden files: 0
                  .
                  **************************************************************************
                  .
                  --------------------- LÅSTA REGISTERNYCKLAR ---------------------
                  .
                  [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
                  @Denied: (A 2) (Everyone)
                  @="FlashBroker"
                  "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
                  .
                  [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
                  "Enabled"=dword:00000001
                  .
                  [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
                  @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
                  .
                  [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
                  @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
                  .
                  [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
                  @Denied: (A 2) (Everyone)
                  @="IFlashBroker4"
                  .
                  [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
                  @="{00020424-0000-0000-C000-000000000046}"
                  .
                  [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
                  @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
                  "Version"="1.0"
                  .
                  --------------------- DLLer som "laddats" under processer som körs ---------------------
                  .
                  - - - - - - - > 'winlogon.exe'(520)
                  c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                  c:\windows\system32\WININET.dll
                  .
                  Sluttid: 2011-04-20  08:14:28
                  ComboFix-quarantined-files.txt  2011-04-20 06:14
                  .
                  Före genomsökningen: 31 309 070 336 bytes free
                  Efter genomsökningen: 31 332 728 832 byte ledigt
                  .
                  - - End Of File - - 15F08D1679DF294086BCE21D9CA5D97F

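As an added example (not part of this thread and not ComboFix's own code), here is a small Python triage script for the kind of ComboFix log posted above: it parses the registry Run entries, the R/S service lines, the firewall policy value and the Trusted Zone lines, and lists the points a malware-removal helper looks at first. The sample lines are copied from the log above; the reading of `[X]` and `[?]` as "file not found" follows the usual ComboFix log convention, and the finding wording is the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a few lines copied from the ComboFix log in this thread,
# trimmed to the sections this triage script understands.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2011-04-17 205864]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
.
Trusted Zone: farman.se
Trusted Zone: one.com\www
"""

KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')
# "name"="path" [date size]   or   "name"="path" [X]   (X = file not on disk)
AUTOSTART_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*"(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
# "name"= 0 (0x0)   DWORD policy values
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>\d+)\s*\(0x[0-9A-Fa-f]+\)$')
# R1 name;display;path [date size]   R = running, S = stopped, digit = start type
SERVICE_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]$')
TRUSTED_RE = re.compile(r'^Trusted Zone:\s*(?P<host>\S+)$')


@dataclass
class Autostart:
    key: str
    name: str
    path: str
    missing: bool   # ComboFix prints [X] when the referenced file is not on disk


@dataclass
class Service:
    start: str
    name: str
    display: str
    path: str
    missing: bool   # [?] or a "-->" redirect marks an image ComboFix could not locate


@dataclass
class Report:
    autostarts: List[Autostart] = field(default_factory=list)
    services: List[Service] = field(default_factory=list)
    trusted_zones: List[str] = field(default_factory=list)
    firewall_enabled: Optional[bool] = None
    findings: List[str] = field(default_factory=list)


def triage(log_text: str) -> Report:
    """Walk the log line by line, tracking the current registry key, and collect findings."""
    rep = Report()
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix separates blocks with a lone "."
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = DWORD_RE.match(line)
        if m:
            if (m.group("name").lower() == "enablefirewall"
                    and key.lower().endswith(r"firewallpolicy\standardprofile")):
                rep.firewall_enabled = int(m.group("value")) != 0
                if not rep.firewall_enabled:
                    rep.findings.append("Windows Firewall is disabled for the standard profile")
            continue
        m = AUTOSTART_RE.match(line)
        if m:
            a = Autostart(key, m.group("name"), m.group("path"), m.group("meta").strip() == "X")
            rep.autostarts.append(a)
            if a.missing:
                rep.findings.append(
                    f"autostart '{a.name}' in [{a.key}] references a file that is not on disk: {a.path}")
            continue
        m = SERVICE_RE.match(line)
        if m:
            s = Service(m.group("start"), m.group("name"), m.group("display"), m.group("path"),
                        m.group("meta").strip() == "?" or "-->" in m.group("path"))
            rep.services.append(s)
            if s.missing:
                rep.findings.append(
                    f"service '{s.name}' ({s.start}) has an image ComboFix could not locate: {s.path}")
            continue
        m = TRUSTED_RE.match(line)
        if m:
            host = m.group("host")
            rep.trusted_zones.append(host)
            rep.findings.append(
                f"IE Trusted Zone entry '{host}' lowers browser security for that site; confirm it is wanted")
    return rep


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG).findings:
        print("-", finding)
```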
                  SuperDave

                  • Malware Removal Specialist


                  • Genius
                  • Thanked: 1020
                  • Certifications: List
                  • Experience: Expert
                  • OS: Windows 10
                  Re: Trojan windows restore, help me??
                  « Reply #11 on: April 20, 2011, 04:27:18 PM »
                  Re-running ComboFix to remove infections:

                  • Close any open browsers.
                  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
                  • Open Notepad and copy/paste the text in the quote box below into it:
                    Quote
                    KillAll::

                    File::
                    C:\FOUND.005
                    C:\FOUND.004
                    C:\FOUND.003
                    C:\FOUND.002
                    C:\WINDOWS\system32\drivers\sunkdkym.dat

                    DDS::
                    Trusted Zone: farman.se
                    Trusted Zone: farman.se\www
                    Trusted Zone: one.com\www

                    MBR::

                  • Save this as CFScript.txt, in the same location as ComboFix.exe



                  • Referring to the picture above, drag CFScript into ComboFix.exe
                  • When finished, it shall produce a log for you at C:\ComboFix.txt
                  • Please post the contents of the log in your next reply.
                  ************************************************
                  * Download the following tool: RootRepeal - Rootkit Detector
                  * Direct download link is here: RootRepeal.zip

                  * Close all programs and temporarily disable your anti-virus, firewall and any anti-malware real-time protection before performing a scan.
                  * Click this link to see a list of such programs and how to disable them.

                  * Extract the program file to a new folder such as C:\RootRepeal
                  * Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
                  * Select ALL of the checkboxes and then click OK and it will start scanning your system.
                  * If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
                  * When done, click on Save Report
                  * Save it to the same location where you ran it from, such as C:\RootRepeal
                  * Save it as rootrepeal.txt
                  * Then open that log and select all and copy/paste it back on your next reply please.
                  * Close RootRepeal.
                  Windows 8 and Windows 10 dual boot with two SSD's

                  gripenfighter

                    Topic Starter


                    Rookie

                    • Experience: Beginner
                    • OS: Unknown
                    Re: Trojan windows restore, help me??
                    « Reply #12 on: April 20, 2011, 11:35:43 PM »
                    ComboFix 11-04-19.02 - Christian 2011-04-20   8:09.2.2 - FAT32x86
                    Microsoft Windows XP Professional  5.1.2600.3.1252.46.1033.18.2038.1465 [GMT 2:00]
                    Körs från: c:\documents and settings\Christian\Desktop\ComboFix.exe
                    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
                    FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
                    .
                    .
                    (((((((((((((((((((((((((((((((((((((((   Andra raderingar   ))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    .
                    c:\windows\system32\drivers\npf.sys
                    .
                    ---- Föregående körning -------
                    .
                    c:\program files\WinPCap\daemon_mgm.exe
                    c:\program files\WinPCap\npf_mgm.exe
                    c:\program files\WinPCap\rpcapd.exe
                    c:\windows\system32\Packet.dll
                    c:\windows\system32\pthreadVC.dll
                    c:\windows\system32\WanPacket.dll
                    c:\windows\system32\wpcap.dll
                    .
                    .
                    (((((((((((((((((((((((((((((((((((((((   Drivrutiner/Tjänster   )))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    .
                    -------\Legacy_NPF
                    -------\Service_NPF
                    .
                    .
                    ((((((((((((((((((((((((   Filer Skapade från 2011-03-20 till 2011-04-20  ))))))))))))))))))))))))))))))
                    .
                    .
                    2011-04-19 14:54 . 2011-04-11 07:04   7071056   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8DA7A6F1-60E9-4F6A-AAE8-A22DBE966989}\mpengine.dll
                    2011-04-19 14:08 . 2011-03-14 19:05   6792528   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
                    2011-04-18 01:34 . 2011-04-18 01:34   --------   d-----w-   c:\program files\Microsoft Security Client
                    2011-04-18 01:30 . 2011-04-18 01:30   --------   d--h--w-   c:\windows\system32\GroupPolicy
                    2011-04-18 01:21 . 2011-04-18 01:21   --------   d-----w-   c:\program files\Common Files\McAfee
                    2011-04-18 01:20 . 2011-04-18 01:20   --------   d-----w-   c:\program files\McAfee
                    2011-04-18 01:20 . 2011-04-18 01:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee
                    2011-04-17 23:30 . 2011-04-17 23:30   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
                    2011-04-17 23:30 . 2011-04-17 23:30   --------   d-sh--w-   c:\documents and settings\Administrator\IETldCache
                    2011-04-17 22:25 . 2011-04-17 22:26   388096   ----a-r-   c:\documents and settings\Christian\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
                    2011-04-17 22:25 . 2011-04-17 22:25   --------   d-----w-   c:\program files\Trend Micro
                    2011-04-17 22:22 . 2011-04-17 22:22   73728   ----a-w-   c:\windows\system32\javacpl.cpl
                    2011-04-17 22:22 . 2011-04-17 22:22   --------   d-----w-   c:\program files\Java
                    2011-04-17 21:59 . 2010-12-20 16:09   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                    2011-04-17 21:59 . 2010-12-20 16:08   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                    2011-04-17 19:06 . 2011-04-17 19:06   --------   d-----w-   c:\documents and settings\Christian\Application Data\SUPERAntiSpyware.com
                    2011-04-17 19:06 . 2011-04-17 19:06   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
                    2011-04-17 19:06 . 2011-04-17 19:06   --------   d-----w-   c:\program files\SUPERAntiSpyware
                    2011-04-17 18:54 . 2011-04-17 18:54   --------   d-----w-   c:\program files\CCleaner
                    2011-04-17 18:07 . 2011-04-17 18:07   --------   d-----w-   c:\documents and settings\Christian\Application Data\OnlineArmor
                    2011-04-17 18:07 . 2011-04-17 18:07   --------   d-----w-   c:\documents and settings\All Users\Application Data\OnlineArmor
                    2011-04-17 18:07 . 2011-04-06 11:02   39048   ----a-w-   c:\windows\system32\drivers\oahlp32.sys
                    2011-04-17 18:07 . 2011-04-06 11:01   29464   ----a-w-   c:\windows\system32\drivers\OAnet.sys
                    2011-04-17 18:07 . 2011-04-06 11:01   25192   ----a-w-   c:\windows\system32\drivers\OAmon.sys
                    2011-04-17 18:07 . 2011-04-06 11:01   205864   ----a-w-   c:\windows\system32\drivers\OADriver.sys
                    2011-04-17 18:07 . 2011-04-17 18:07   --------   d-----w-   c:\program files\Online Armor
                    2011-04-14 14:29 . 2011-04-14 14:29   --------   d-----w-   C:\FOUND.005
                    2011-04-13 22:35 . 2011-04-13 22:35   --------   d--h--w-   c:\documents and settings\Christian\Local Settings\Application Data\Threat Expert
                    2011-04-13 21:24 . 2011-04-13 21:24   --------   d--h--w-   c:\program files\Spyware Doctor
                    2011-04-13 21:08 . 2011-04-13 21:08   --------   d--h--w-   c:\program files\Panda Security
                    2011-04-13 20:59 . 2011-04-13 20:59   --------   d--h--w-   c:\documents and settings\All Users\Application Data\TEMP
                    2011-04-13 20:42 . 2011-04-13 20:42   --------   d--h--w-   c:\program files\Loaris
                    2011-04-13 17:44 . 2011-04-13 17:44   --------   d-----w-   C:\FOUND.004
                    2011-04-13 17:14 . 2011-04-13 17:14   --------   d-sh--w-   c:\documents and settings\LocalService\IETldCache
                    2011-04-13 16:18 . 2011-04-13 16:18   --------   d-----w-   C:\FOUND.003
                    2011-04-13 14:35 . 2011-04-13 14:35   --------   d--h--w-   c:\windows\Sun
                    2011-04-13 14:35 . 2011-04-17 22:22   472808   ----a-w-   c:\windows\system32\deployJava1.dll
                    2011-04-13 14:35 . 2011-04-17 22:22   472808   ----a-w-   c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
                    2011-04-13 14:22 . 2011-04-13 14:22   529052   ---ha-w-   c:\windows\system32\PerfStringBackup.TMP
                    2011-04-13 13:05 . 2011-04-13 13:05   --------   d--h--w-   c:\program files\Enigma Software Group
                    2011-04-13 13:04 . 2011-04-13 13:04   --------   d--h--w-   c:\windows\41EBC322660F4D16A0DF53147210CBDB.TMP
                    2011-04-13 13:04 . 2011-04-13 13:04   --------   d--h--w-   c:\program files\Common Files\Wise Installation Wizard
                    2011-04-13 12:39 . 2011-04-13 12:39   --------   d--h--w-   c:\program files\GridinSoft Trojan Killer
                    2011-04-13 12:10 . 2011-04-13 12:10   380   ---ha-w-   c:\windows\system32\drivers\sunkdkym.dat
                    2011-04-13 05:14 . 2011-04-13 05:14   --------   d--h--w-   c:\documents and settings\Christian\Local Settings\Application Data\WMTools Downloaded Files
                    2011-04-05 21:33 . 2011-04-05 21:33   --------   d--h--w-   c:\documents and settings\All Users\Application Data\WinZip
                    2011-04-05 21:21 . 2011-04-05 21:21   --------   d--h--w-   c:\program files\7-Zip
                    2011-03-21 12:26 . 2010-10-19 19:51   222080   ------w-   c:\windows\system32\MpSigStub.exe
                    2011-03-21 11:37 . 2011-03-21 11:37   --------   d--h--w-   c:\documents and settings\Christian\Application Data\Malwarebytes
                    2011-03-21 11:37 . 2011-03-21 11:37   --------   d--h--w-   c:\documents and settings\All Users\Application Data\Malwarebytes
                    2011-03-21 11:37 . 2011-03-21 11:37   --------   d--h--w-   c:\program files\Malwarebytes' Anti-Malware
                    2011-03-21 10:50 . 2011-03-21 10:50   --------   d-----w-   C:\FOUND.002
                    .
                    .
                    .
                    ((((((((((((((((((((((((((((((((((((((((   Find3M Rapport   )))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    2011-03-09 18:36 . 2009-08-18 09:30   564632   ---ha-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\wlidui.dll
                    2011-03-09 18:36 . 2009-08-18 09:24   18328   ---ha-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
                    2011-03-07 07:31 . 2011-02-20 14:55   57344   ---ha-r-   c:\documents and settings\Christian\Application Data\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
                    2011-03-07 07:30 . 2003-03-18 19:05   106496   ---ha-w-   c:\windows\system32\ATL71.DLL
                    2011-03-07 05:33 . 2004-08-10 18:00   692736   ---ha-w-   c:\windows\system32\inetcomm.dll
                    2011-03-04 06:37 . 2004-08-10 18:00   420864   ---ha-w-   c:\windows\system32\vbscript.dll
                    2011-03-03 13:21 . 2004-08-10 18:00   1857920   ---ha-w-   c:\windows\system32\win32k.sys
                    2011-02-22 23:06 . 2006-01-09 18:02   916480   ---ha-w-   c:\windows\system32\wininet.dll
                    2011-02-22 23:06 . 2004-08-10 18:00   43520   ---ha-w-   c:\windows\system32\licmgr10.dll
                    2011-02-22 23:06 . 2004-08-10 18:00   1469440   ---h--w-   c:\windows\system32\inetcpl.cpl
                    2011-02-22 11:42 . 2004-08-10 18:00   385024   ---ha-w-   c:\windows\system32\html.iec
                    2011-02-20 14:55 . 2011-02-20 14:55   49152   ---ha-r-   c:\documents and settings\Christian\Application Data\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
                    2011-02-17 13:18 . 2004-08-10 18:00   455936   ---ha-w-   c:\windows\system32\drivers\mrxsmb.sys
                    2011-02-17 13:18 . 2004-08-10 18:00   357888   ---ha-w-   c:\windows\system32\drivers\srv.sys
                    2011-02-17 12:32 . 2011-02-15 21:22   5120   ---ha-w-   c:\windows\system32\xpsp4res.dll
                    2011-02-15 19:19 . 2011-02-15 19:19   21275   ---ha-w-   c:\windows\system32\drivers\AegisP.sys
                    2011-02-15 19:17 . 2004-09-27 15:15   1003   ---ha-w-   c:\windows\CLEANUP.CMD
                    2011-02-15 16:49 . 2004-09-21 12:28   62   ---ha-w-   c:\windows\HotFix.bat
                    2011-02-15 12:56 . 2004-08-10 18:00   290432   ---ha-w-   c:\windows\system32\atmfd.dll
                    2011-02-11 13:25 . 2004-08-10 18:00   229888   ---ha-w-   c:\windows\system32\fxscover.exe
                    2011-02-08 13:33 . 2004-08-10 18:00   978944   ---ha-w-   c:\windows\system32\mfc42.dll
                    2011-02-08 13:33 . 2004-08-10 18:00   974848   ---ha-w-   c:\windows\system32\mfc42u.dll
                    2011-02-04 15:48 . 2005-08-05 12:01   456192   ---ha-w-   c:\windows\system32\encdec.dll
                    2011-02-04 15:48 . 2005-08-05 12:01   291840   ---ha-w-   c:\windows\system32\sbe.dll
                    2011-02-02 06:58 . 2004-08-10 18:00   2067456   ---ha-w-   c:\windows\system32\mstscax.dll
                    2011-01-27 10:57 . 2004-08-10 18:00   677888   ---ha-w-   c:\windows\system32\mstsc.exe
                    2011-01-21 13:44 . 2004-08-10 18:00   439296   ---ha-w-   c:\windows\system32\shimgvw.dll
                    .
                    .
                    ((((((((((((((((((((((((((((((((((   Startpunkter i registret   )))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    .
                    *Not*  Tomma poster & legitima standardposter visas inte.
                    REGEDIT4
                    .
                    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-03-16 2423752]
                    .
                    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "LaunchApp"="Alaunch" [X]
                    "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
                    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
                    "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
                    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 110592]
                    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
                    "SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
                    "AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-12-21 53248]
                    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
                    "ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2006-05-15 45056]
                    "ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]
                    "eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 69632]
                    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
                    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
                    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
                    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
                    "RTHDCPL"="RTHDCPL.EXE" [2006-06-28 16248320]
                    "ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-08-10 352256]
                    "Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-22 3080704]
                    "LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-07-20 593920]
                    "eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 397312]
                    "LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2006-06-23 225280]
                    "LogitechCameraAssistant"="c:\program files\Acer\OrbiCam\CameraAssistant.exe" [2006-06-26 331776]
                    "LogitechVideo[inspector]"="c:\program files\Acer\OrbiCam\InstallHelper.exe" [2006-06-26 13:55 73728]
                    "LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-01 262144]
                    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
                    "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
                    "Nikon Message Center 2"="c:\program files\Nikon\Nikon Message Center 2\NkMC2.exe" [2010-05-25 619008]
                    "@OnlineArmor GUI"="c:\program files\Online Armor\OAui.exe" [2011-04-06 2477032]
                    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
                    .
                    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
                    .
                    c:\documents and settings\All Users\Start Menu\Programs\Startup\
                    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
                    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-2-16 113664]
                    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2011-2-9 610120]
                    .
                    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
                    "ConsentPromptBehaviorAdmin"= 0 (0x0)
                    "ConsentPromptBehaviorUser"= 0 (0x0)
                    .
                    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                    "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\ONLINE~2\oaevent.dll" [2011-04-06 354720]
                    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
                    .
                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                    2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                    .
                    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
                    @="Service"
                    .
                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                    "EnableFirewall"= 0 (0x0)
                    .
                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                    "%windir%\\system32\\sessmgr.exe"=
                    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
                    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                    "c:\\Program Files\\Spotify\\spotify.exe"=
                    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
                    .
                    R1 MpKsldb63392e;MpKsldb63392e;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8DA7A6F1-60E9-4F6A-AAE8-A22DBE966989}\MpKsldb63392e.sys [2011-04-20 28752]
                    R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2011-04-17 205864]
                    R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2011-04-17 25192]
                    R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2011-04-17 29464]
                    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2010-02-17 12872]
                    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
                    R2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [2011-04-17 381512]
                    R3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys [2006-06-19 1097728]
                    S1 MpKsl2e392492;MpKsl2e392492;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{66815DCA-BA1A-432E-A86F-78E9E6A34E64}\MpKsl2e392492.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{66815DCA-BA1A-432E-A86F-78E9E6A34E64}\MpKsl2e392492.sys [?]
                    S1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [2011-04-17 39048]
                    S2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [2011-04-17 4326472]
                    S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
                    S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
                    S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
                    .
                    --- Övriga tjänster/drivrutiner i minnet ---
                    .
                    *NewlyCreated* - INT15.SYS
                    *NewlyCreated* - MPKSLDB63392E
                    .
                    Innehållet i mappen 'Schemalagda aktiviteter':
                    .
                    2011-04-18 c:\windows\Tasks\At1.job
                    - c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe [2010-06-14 14:07]
                    .
                    2011-04-17 c:\windows\Tasks\At2.job
                    - c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe [2010-06-14 14:07]
                    .
                    2011-04-19 c:\windows\Tasks\At3.job
                    - c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe [2010-06-14 14:07]
                    .
                    2011-04-18 c:\windows\Tasks\At4.job
                    - c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe [2010-06-14 14:07]
                    .
                    2011-04-20 c:\windows\Tasks\MpIdleTask.job
                    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 10:26]
                    .
                    2011-04-20 c:\windows\Tasks\MP Scheduled Scan.job
                    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 10:26]
                    .
                    .
                    ------- Extra genomsökning -------
                    .
                    uStart Page = hxxp://www.aftonbladet.se/
                    uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
                    uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
                    IE: E&xportera till Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
                    IE: Lägg till i Skydd mot webbannonser - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2011\ie_banner_deny.htm
                    Trusted Zone: farman.se
                    Trusted Zone: farman.se\www
                    Trusted Zone: one.com\www
                    DPF: {DC6FEBC5-0A2D-458A-A01B-5DB15EEC4305} - hxxp://webc.farman.se/auth/controls/IlosoftImageUpload.dll
                    FF - ProfilePath - c:\documents and settings\Christian\Application Data\Mozilla\Firefox\Profiles\60wvxkr8.default\
                    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
                    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
                    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
                    .
                    - - - - FÖRÄLDRALÖSA POSTER SOM TAGITS BORT - - - -
                    .
                    AddRemove-{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A} - c:\program files\McAfee\SiteAdvisor\Uninstall.exe
                    .
                    .
                    .
                    **************************************************************************
                    .
                    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                    Rootkit scan 2011-04-20 08:13
                    Windows 5.1.2600 Service Pack 3 FAT NTAPI
                    .
                    scanning hidden processes ... 
                    .
                    scanning hidden autostart entries ...
                    .
                    scanning hidden files ... 
                    .
                    scan completed successfully
                    hidden files: 0
                    .
                    **************************************************************************
                    .
                    --------------------- LÅSTA REGISTERNYCKLAR ---------------------
                    .
                    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
                    @Denied: (A 2) (Everyone)
                    @="FlashBroker"
                    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
                    .
                    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
                    "Enabled"=dword:00000001
                    .
                    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
                    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
                    .
                    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
                    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
                    .
                    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
                    @Denied: (A 2) (Everyone)
                    @="IFlashBroker4"
                    .
                    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
                    @="{00020424-0000-0000-C000-000000000046}"
                    .
                    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
                    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
                    "Version"="1.0"
                    .
                    --------------------- DLLer som "laddats" under processer som körs ---------------------
                    .
                    - - - - - - - > 'winlogon.exe'(520)
                    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                    c:\windows\system32\WININET.dll
                    .
                    Sluttid: 2011-04-20  08:14:28
                    ComboFix-quarantined-files.txt  2011-04-20 06:14
                    .
                    Före genomsökningen: 31 309 070 336 bytes free
                    Efter genomsökningen: 31 332 728 832 byte ledigt
                    .
                    - - End Of File - - 15F08D1679DF294086BCE21D9CA5D97F

                    gripenfighter

                      Re: Trojan windows restore, help me??
                      « Reply #13 on: April 20, 2011, 11:43:38 PM »
                      ROOTREPEAL (c) AD, 2007-2009
                      ==================================================
                      Scan Start Time:      2011/04/21 07:39
                      Program Version:      Version 1.3.5.0
                      Windows Version:      Windows XP Media Center Edition SP3
                      ==================================================

                      Drivers
                      -------------------
                      Name: catchme.sys
                      Image Path: C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\catchme.sys
                      Address: 0xBA3C0000   Size: 31744   File Visible: No   Signed: -
                      Status: -

                      Name: dump_atapi.sys
                      Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
                      Address: 0xA8971000   Size: 98304   File Visible: No   Signed: -
                      Status: -

                      Name: dump_WMILIB.SYS
                      Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
                      Address: 0xBA5D6000   Size: 8192   File Visible: No   Signed: -
                      Status: -

                      Name: hiber_WMILIB.SYS
                      Image Path: C:\WINDOWS\System32\Drivers\hiber_WMILIB.SYS
                      Address: 0xBA64E000   Size: 8192   File Visible: No   Signed: -
                      Status: -

                      Name: PROCEXP113.SYS
                      Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
                      Address: 0xBA612000   Size: 7872   File Visible: No   Signed: -
                      Status: -

                      Name: rootrepeal.sys
                      Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
                      Address: 0xA776E000   Size: 49152   File Visible: No   Signed: -
                      Status: -

                      Hidden/Locked Files
                      -------------------
                      Path: C:\HIBERFIL.SYS
                      Status: Locked to the Windows API!

                      Path: c:\documents and settings\christian\local settings\temporary internet files\content.ie5\4mxjmk1g\topic,118352.0[1].html
                      Status: Allocation size mismatch (API: 1081344, Raw: 163840)

                      SSDT
                      -------------------
                      #: 017   Function Name: NtAllocateVirtualMemory
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d7b42c

                      #: 019   Function Name: NtAssignProcessToJobObject
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d7a928

                      #: 031   Function Name: NtConnectPort
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d7964c

                      #: 037   Function Name: NtCreateFile
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d80316

                      #: 041   Function Name: NtCreateKey
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d82242

                      #: 046   Function Name: NtCreatePort
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d7946a

                      #: 047   Function Name: NtCreateProcess
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d7aee8

                      #: 048   Function Name: NtCreateProcessEx
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d77978

                      #: 050   Function Name: NtCreateSection
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d774f2

                      #: 053   Function Name: NtCreateThread
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d78634

                      #: 057   Function Name: NtDebugActiveProcess
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d78d22

                      #: 068   Function Name: NtDuplicateObject
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d7932c

                      #: 097   Function Name: NtLoadDriver
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d7a350

                      #: 116   Function Name: NtOpenFile
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d80694

                      #: 122   Function Name: NtOpenProcess
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d78308

                      #: 125   Function Name: NtOpenSection
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d777b4

                      #: 128   Function Name: NtOpenThread
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d788b0

                      #: 137   Function Name: NtProtectVirtualMemory
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d7a6da

                      #: 180   Function Name: NtQueueApcThread
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d7aa44

                      #: 199   Function Name: NtRequestPort
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d79cb0

                      #: 200   Function Name: NtRequestWaitReplyPort
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d7a018

                      #: 204   Function Name: NtRestoreKey
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d8010e

                      #: 206   Function Name: NtResumeThread
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d790ce

                      #: 210   Function Name: NtSecureConnectPort
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d7986e

                      #: 213   Function Name: NtSetContextThread
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d78bcc

                      #: 240   Function Name: NtSetSystemInformation
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d7b0e0

                      #: 249   Function Name: NtShutdownSystem
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d7a28a

                      #: 253   Function Name: NtSuspendProcess
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d791fe

                      #: 254   Function Name: NtSuspendThread
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d78f7a

                      #: 255   Function Name: NtSystemDebugControl
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d78e40

                      #: 257   Function Name: NtTerminateProcess
                      Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS" at address 0xa8ddd620

                      #: 258   Function Name: NtTerminateThread
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d78a66

                      #: 262   Function Name: NtUnloadDriver
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d7a518

                      #: 277   Function Name: NtWriteVirtualMemory
                      Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa8d7a804

                      ==EOF==

                      SuperDave

                      Re: Trojan windows restore, help me??
                      « Reply #14 on: April 21, 2011, 12:43:44 PM »
                      You did not run the ComboFix script as instructed. Please follow the instructions in Reply # 11 to run the script.
                      Windows 8 and Windows 10 dual boot with two SSD's

                      gripenfighter

                        Re: Trojan windows restore, help me??
                        « Reply #15 on: April 21, 2011, 01:48:04 PM »
I'm sorry, here comes the content in ComboFix


ComboFix 11-04-21.02 - Christian 2011-04-21  21:25:33.3.2 - FAT32x86
                        Microsoft Windows XP Professional  5.1.2600.3.1252.46.1033.18.2038.1461 [GMT 2:00]
                        Körs från: C:\Documents and Settings\Christian\Desktop\ComboFix.exe
                        Använda kommandoväxlar :: C:\Documents and Settings\Christian\Desktop\CFScript.txt
                        AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
                        FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

                        FILE ::
                        "C:\FOUND.002"
                        "C:\FOUND.003"
                        "C:\FOUND.004"
                        "C:\FOUND.005"
                        "C:\WINDOWS\system32\drivers\sunkdkym.dat"



                        gripenfighter

                          Re: Trojan windows restore, help me??
                          « Reply #16 on: April 22, 2011, 05:00:02 AM »
ComboFix 11-04-21.02 - Christian 2011-04-21  21:25:33.3.2 - FAT32x86
                          Microsoft Windows XP Professional  5.1.2600.3.1252.46.1033.18.2038.1461 [GMT 2:00]
                          Körs från: C:\Documents and Settings\Christian\Desktop\ComboFix.exe
                          Använda kommandoväxlar :: C:\Documents and Settings\Christian\Desktop\CFScript.txt
                          AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
                          FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

                          FILE ::
                          "C:\FOUND.002"
                          "C:\FOUND.003"
                          "C:\FOUND.004"
                          "C:\FOUND.005"
                          "C:\WINDOWS\system32\drivers\sunkdkym.dat"



                          SuperDave

                          Re: Trojan windows restore, help me??
                          « Reply #17 on: April 22, 2011, 10:27:03 AM »
                          I'd like to scan your machine with ESET OnlineScan

                          •Hold down Control and click on the following link to open ESET OnlineScan in a new window.
                          ESET OnlineScan
                          •Click the button.
                          •For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                          • Click on to download the ESET Smart Installer. Save it to your desktop.
                          • Double click on the icon on your desktop.
                          •Check
                          •Click the button.
                          •Accept any security warnings from your browser.
                          •Check
                          •Push the Start button.
                          •ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
                          •When the scan completes, push
                          •Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
                          •Push the button.
                          •Push
                          A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

                          gripenfighter

                            Re: Trojan windows restore, help me??
                            « Reply #18 on: April 22, 2011, 12:06:25 PM »
                            Here it comes!!
First the ESETScan results:
                            C:\Documents and Settings\Christian\Desktop\RegistryReviverSetup.exe   a variant of Win32/RegistryReviver application
                            C:\Documents and Settings\Christian\Desktop\setup-ltr1235.exe   a variant of Win32/1AntiVirus application
                            C:\System Volume Information\_restore{416E5BDF-7EAA-43AA-A635-E811315519C0}\RP80\A0022382.exe   a variant of Win32/1AntiVirus application
                            C:\System Volume Information\_restore{416E5BDF-7EAA-43AA-A635-E811315519C0}\RP80\A0029538.exe   a variant of Win32/1AntiVirus application
                            C:\System Volume Information\_restore{416E5BDF-7EAA-43AA-A635-E811315519C0}\RP80\A0035789.exe   a variant of Win32/1AntiVirus application


                            And then log file:



                            ESETSmartInstaller@High as CAB hook log:
                            OnlineScanner.ocx - registred OK
                            # version=7
                            # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
                            # OnlineScanner.ocx=1.0.0.6427
                            # api_version=3.0.2
                            # EOSSerial=e407c8712db8114091eba1fb4bf3e113
                            # end=finished
                            # remove_checked=false
                            # archives_checked=false
                            # unwanted_checked=true
                            # unsafe_checked=false
                            # antistealth_checked=true
                            # utc_time=2011-04-22 06:00:47
                            # local_time=2011-04-22 08:00:47 (+0100, W. Europe Daylight Time)
                            # country="Sweden"
                            # lang=1033
                            # osver=5.1.2600 NT Service Pack 3
                            # compatibility_mode=512 16777215 100 0 413705 413705 0 0
                            # compatibility_mode=2304 16777215 100 0 0 0 0 0
                            # compatibility_mode=5891 16776869 42 87 0 15544525 0 0
                            # compatibility_mode=6401 16777214 66 100 429237 1405199 0 0
                            # compatibility_mode=8192 67108863 100 0 283 283 0 0
                            # scanned=104932
                            # found=5
                            # cleaned=0
                            # scan_time=2383
                            C:\Documents and Settings\Christian\Desktop\RegistryReviverSetup.exe   a variant of Win32/RegistryReviver application (unable to clean)   00000000000000000000000000000000   I
                            C:\Documents and Settings\Christian\Desktop\setup-ltr1235.exe   a variant of Win32/1AntiVirus application (unable to clean)   00000000000000000000000000000000   I
                            C:\System Volume Information\_restore{416E5BDF-7EAA-43AA-A635-E811315519C0}\RP80\A0022382.exe   a variant of Win32/1AntiVirus application (unable to clean)   00000000000000000000000000000000   I
                            C:\System Volume Information\_restore{416E5BDF-7EAA-43AA-A635-E811315519C0}\RP80\A0029538.exe   a variant of Win32/1AntiVirus application (unable to clean)   00000000000000000000000000000000   I
                            C:\System Volume Information\_restore{416E5BDF-7EAA-43AA-A635-E811315519C0}\RP80\A0035789.exe   a variant of Win32/1AntiVirus application (unable to clean)   00000000000000000000000000000000   I

                            gripenfighter

                              Re: Trojan windows restore, help me??
                              « Reply #19 on: April 22, 2011, 12:08:38 PM »
I did not let the ESETScan erase the threats. Do you recommend that??

                              SuperDave

                              Re: Trojan windows restore, help me??
                              « Reply #20 on: April 22, 2011, 06:08:11 PM »
I did not let the ESETScan erase the threats. Do you recommend that??
Yes. That's the reason for running ESET. Please post the log when finished.

                              gripenfighter

                                Re: Trojan windows restore, help me??
                                « Reply #21 on: April 24, 2011, 12:06:48 PM »
                                Here is the log:

                                C:\Documents and Settings\Christian\Desktop\RegistryReviverSetup.exe   a variant of Win32/RegistryReviver application   deleted - quarantined
                                C:\Documents and Settings\Christian\Desktop\setup-ltr1235.exe   a variant of Win32/1AntiVirus application   deleted - quarantined
                                C:\System Volume Information\_restore{416E5BDF-7EAA-43AA-A635-E811315519C0}\RP80\A0022382.exe   a variant of Win32/1AntiVirus application   cleaned by deleting - quarantined
                                C:\System Volume Information\_restore{416E5BDF-7EAA-43AA-A635-E811315519C0}\RP80\A0029538.exe   a variant of Win32/1AntiVirus application   cleaned by deleting - quarantined
                                C:\System Volume Information\_restore{416E5BDF-7EAA-43AA-A635-E811315519C0}\RP80\A0035789.exe   a variant of Win32/1AntiVirus application   cleaned by deleting - quarantined
                                C:\System Volume Information\_restore{416E5BDF-7EAA-43AA-A635-E811315519C0}\RP80\A0038147.exe   a variant of Win32/RegistryReviver application   deleted - quarantined
                                C:\System Volume Information\_restore{416E5BDF-7EAA-43AA-A635-E811315519C0}\RP80\A0038148.exe   a variant of Win32/1AntiVirus application   deleted - quarantined


                                And here is the other one:

                                ESETSmartInstaller@High as CAB hook log:
                                OnlineScanner.ocx - registred OK
                                # version=7
                                # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
                                # OnlineScanner.ocx=1.0.0.6427
                                # api_version=3.0.2
                                # EOSSerial=e407c8712db8114091eba1fb4bf3e113
                                # end=finished
                                # remove_checked=false
                                # archives_checked=false
                                # unwanted_checked=true
                                # unsafe_checked=false
                                # antistealth_checked=true
                                # utc_time=2011-04-22 06:00:47
                                # local_time=2011-04-22 08:00:47 (+0100, W. Europe Daylight Time)
                                # country="Sweden"
                                # lang=1033
                                # osver=5.1.2600 NT Service Pack 3
                                # compatibility_mode=512 16777215 100 0 413705 413705 0 0
                                # compatibility_mode=2304 16777215 100 0 0 0 0 0
                                # compatibility_mode=5891 16776869 42 87 0 15544525 0 0
                                # compatibility_mode=6401 16777214 66 100 429237 1405199 0 0
                                # compatibility_mode=8192 67108863 100 0 283 283 0 0
                                # scanned=104932
                                # found=5
                                # cleaned=0
                                # scan_time=2383
                                C:\Documents and Settings\Christian\Desktop\RegistryReviverSetup.exe   a variant of Win32/RegistryReviver application (unable to clean)   00000000000000000000000000000000   I
                                C:\Documents and Settings\Christian\Desktop\setup-ltr1235.exe   a variant of Win32/1AntiVirus application (unable to clean)   00000000000000000000000000000000   I
                                C:\System Volume Information\_restore{416E5BDF-7EAA-43AA-A635-E811315519C0}\RP80\A0022382.exe   a variant of Win32/1AntiVirus application (unable to clean)   00000000000000000000000000000000   I
                                C:\System Volume Information\_restore{416E5BDF-7EAA-43AA-A635-E811315519C0}\RP80\A0029538.exe   a variant of Win32/1AntiVirus application (unable to clean)   00000000000000000000000000000000   I
                                C:\System Volume Information\_restore{416E5BDF-7EAA-43AA-A635-E811315519C0}\RP80\A0035789.exe   a variant of Win32/1AntiVirus application (unable to clean)   00000000000000000000000000000000   I
                                # version=7
                                # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
                                # OnlineScanner.ocx=1.0.0.6427
                                # api_version=3.0.2
                                # EOSSerial=e407c8712db8114091eba1fb4bf3e113
                                # end=stopped
                                # remove_checked=true
                                # archives_checked=false
                                # unwanted_checked=true
                                # unsafe_checked=false
                                # antistealth_checked=true
                                # utc_time=2011-04-23 11:55:43
                                # local_time=2011-04-23 01:55:43 (+0100, W. Europe Daylight Time)
                                # country="Sweden"
                                # lang=1033
                                # osver=5.1.2600 NT Service Pack 3
                                # compatibility_mode=512 16777215 100 0 480135 480135 0 0
                                # compatibility_mode=2304 16777215 100 0 0 0 0 0
                                # compatibility_mode=5891 16776869 42 87 0 15610955 0 0
                                # compatibility_mode=6401 16777214 66 100 495667 1471629 0 0
                                # compatibility_mode=8192 67108863 100 0 66713 66713 0 0
                                # scanned=28290
                                # found=0
                                # cleaned=0
                                # scan_time=450
                                # version=7
                                # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
                                # OnlineScanner.ocx=1.0.0.6427
                                # api_version=3.0.2
                                # EOSSerial=e407c8712db8114091eba1fb4bf3e113
                                # end=finished
                                # remove_checked=true
                                # archives_checked=false
                                # unwanted_checked=true
                                # unsafe_checked=false
                                # antistealth_checked=true
                                # utc_time=2011-04-24 05:39:49
                                # local_time=2011-04-24 07:39:49 (+0100, W. Europe Daylight Time)
                                # country="Sweden"
                                # lang=1033
                                # osver=5.1.2600 NT Service Pack 3
                                # compatibility_mode=512 16777215 100 0 585237 585237 0 0
                                # compatibility_mode=2304 16777215 100 0 0 0 0 0
                                # compatibility_mode=5891 16776869 42 87 0 15716057 0 0
                                # compatibility_mode=6401 16777214 66 100 600769 1576731 0 0
                                # compatibility_mode=8192 67108863 100 0 171815 171815 0 0
                                # scanned=102885
                                # found=7
                                # cleaned=7
                                # scan_time=2393
                                C:\Documents and Settings\Christian\Desktop\RegistryReviverSetup.exe   a variant of Win32/RegistryReviver application (deleted - quarantined)   00000000000000000000000000000000   C
                                C:\Documents and Settings\Christian\Desktop\setup-ltr1235.exe   a variant of Win32/1AntiVirus application (deleted - quarantined)   00000000000000000000000000000000   C
                                C:\System Volume Information\_restore{416E5BDF-7EAA-43AA-A635-E811315519C0}\RP80\A0022382.exe   a variant of Win32/1AntiVirus application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
                                C:\System Volume Information\_restore{416E5BDF-7EAA-43AA-A635-E811315519C0}\RP80\A0029538.exe   a variant of Win32/1AntiVirus application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
                                C:\System Volume Information\_restore{416E5BDF-7EAA-43AA-A635-E811315519C0}\RP80\A0035789.exe   a variant of Win32/1AntiVirus application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
                                C:\System Volume Information\_restore{416E5BDF-7EAA-43AA-A635-E811315519C0}\RP80\A0038147.exe   a variant of Win32/RegistryReviver application (deleted - quarantined)   00000000000000000000000000000000   C
                                C:\System Volume Information\_restore{416E5BDF-7EAA-43AA-A635-E811315519C0}\RP80\A0038148.exe   a variant of Win32/1AntiVirus application (deleted - quarantined)   00000000000000000000000000000000   C

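The ESET Online Scanner reports above have a regular layout: `# key=value` header lines, then one tab-separated line per detection (path, verdict, an id column, and a trailing flag). As an added example, not code from the thread or from ESET, here is a small Python parser that cross-checks the `found` and `cleaned` counters against the detection lines and separates hits that exist only inside System Restore snapshots (`System Volume Information\_restore{...}`) from hits on the live file system. The sample log is constructed from the pasted lines with the restore-point GUID replaced by a placeholder, and reading the trailing flag as `I` = not cleaned / `C` = cleaned is an assumption drawn from the status text on the same lines.

```python
import re

# Constructed sample in the ESET Online Scanner layout pasted in the thread:
# '# key=value' headers, then tab-separated detections (path, verdict, id, flag).
SAMPLE_LOG = """# version=7
# scanned=104932
# found=2
# cleaned=0
C:\\Documents and Settings\\Christian\\Desktop\\setup-ltr1235.exe\ta variant of Win32/1AntiVirus application (unable to clean)\t00000000000000000000000000000000\tI
C:\\System Volume Information\\_restore{GUID}\\RP80\\A0022382.exe\ta variant of Win32/1AntiVirus application (unable to clean)\t00000000000000000000000000000000\tI
# version=7
# scanned=102885
# found=2
# cleaned=2
C:\\Documents and Settings\\Christian\\Desktop\\setup-ltr1235.exe\ta variant of Win32/1AntiVirus application (deleted - quarantined)\t00000000000000000000000000000000\tC
C:\\System Volume Information\\_restore{GUID}\\RP80\\A0022382.exe\ta variant of Win32/1AntiVirus application (cleaned by deleting - quarantined)\t00000000000000000000000000000000\tC
"""

RESTORE_RE = re.compile(r"\\system volume information\\_restore", re.IGNORECASE)


def parse_eset_log(text):
    """Split a pasted log into reports; each '# version=' line starts a new one."""
    reports = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            if key == "version":
                reports.append({"header": {}, "detections": []})
            reports[-1]["header"][key] = value
        else:  # detection line: tab-separated, or runs of spaces once pasted into a forum
            fields = re.split(r"\t|\s{2,}", line)
            if len(fields) >= 4:
                reports[-1]["detections"].append(
                    {"path": fields[0], "verdict": fields[1], "flag": fields[-1]})
    return reports


def summarize(report):
    """Cross-check header counters against detection lines, and separate hits that
    live only in System Restore snapshots from hits on the live file system."""
    hdr, dets = report["header"], report["detections"]
    cleaned = [d for d in dets if d["flag"] == "C"]  # 'C' = cleaned (assumed from the status text)
    return {
        "scanned": int(hdr.get("scanned", 0)),
        "found_matches_header": int(hdr.get("found", 0)) == len(dets),
        "cleaned_matches_header": int(hdr.get("cleaned", 0)) == len(cleaned),
        "live_uncleaned": [d["path"] for d in dets if d["flag"] != "C" and not RESTORE_RE.search(d["path"])],
        "restore_point_hits": [d["path"] for d in dets if RESTORE_RE.search(d["path"])],
    }
```

Run over the first report this lists the desktop installer as the only uncleaned live file, and the restore-point copies as a separate group; those copies are what a System Restore reset (as done by the ComboFix uninstall later in the thread) clears.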
                                SuperDave

                                • Malware Removal Specialist


                                • Genius
                                • Thanked: 1020
                                • Certifications: List
                                • Experience: Expert
                                • OS: Windows 10
                                Re: Trojan windows restore, help me??
                                « Reply #22 on: April 24, 2011, 12:21:48 PM »
                                That looks great. How's your computer running now?
                                Windows 8 and Windows 10 dual boot with two SSD's

                                gripenfighter

                                  Topic Starter


                                  Rookie

                                  • Experience: Beginner
                                  • OS: Unknown
                                  Re: Trojan windows restore, help me??
                                  « Reply #23 on: April 24, 2011, 11:44:37 PM »
                                  Hello again!

My computer works fine after I followed your instructions. It appears that you have eliminated the viruses / trojans. I'm just wondering about some things. Under the Programs icon in the Start bar, it still seems there are no programs located there except the ones we installed during the cleanup process. I can nevertheless see all the programs in place under Add or Remove Programs in the Control Panel, so it seems like they are still located on my computer but do not appear under the Programs bar. Likewise, I cannot find any documents under, for example, Christian Documents or Guest Documents on disk C. In addition, the icons Christian Documents and Guest Documents on C look like they appear in a brighter tone of colour. Do you know how I can fix this problem? Do you know how to get the programs and data files back into the right place?

                                  Christian

                                  SuperDave

                                  • Malware Removal Specialist


                                  • Genius
                                  • Thanked: 1020
                                  • Certifications: List
                                  • Experience: Expert
                                  • OS: Windows 10
                                  Re: Trojan windows restore, help me??
                                  « Reply #24 on: April 25, 2011, 05:58:42 PM »
                                  Ok. There is nothing that we did that would cause that sort of problem with the taskbar. Perhaps you could post this question in the software forum. Let's do some cleanup.

                                  To uninstall ComboFix

• Click the Start button. Click Run. For Vista: type Run in the Start search, and click on Run in the results pane.
• In the field, type in ComboFix /uninstall
  (Note: Make sure there's a space between the word ComboFix and the forward-slash.)
• Then press Enter, or click OK.
• This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.
                                  ********************************************
                                  Clean out your temporary internet files and temp files.

                                  Download TFC by OldTimer to your desktop.

                                  Double-click TFC.exe to run it.

                                  Note: If you are running on Vista, right-click on the file and choose Run As Administrator

                                  TFC will close all programs when run, so make sure you have saved all your work before you begin.

                                  * Click the Start button to begin the cleaning process.
                                  * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
                                  * Please let TFC run uninterrupted until it is finished.

                                  Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
                                  **********************************************
                                  Use the Secunia Software Inspector to check for out of date software.

• Click Start Now
• Check the box next to Enable thorough system inspection.
• Click Start
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.
                                  ----------

                                  Go to Microsoft Windows Update and get all critical updates.

                                  ----------

                                  I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                                  SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                                  * Using SpywareBlaster to protect your computer from Spyware and Malware
                                  * If you don't know what ActiveX controls are, see here

                                  Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

                                  Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                                  Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
                                  Safe Surfing!

                                  gripenfighter

                                    Topic Starter


                                    Rookie

                                    • Experience: Beginner
                                    • OS: Unknown
                                    Re: Trojan windows restore, help me??
                                    « Reply #25 on: April 28, 2011, 09:01:40 PM »
                                    Hi again,

My computer still works after your helpful help, thank you. But I have to ask you one question. After we had done all the cleanup sessions on my system, suddenly I can find Accessories under Start - Programs. Before we started the cleanup process I could not find the System Restore program, and we tried to find it with some kind of test but we didn't. Now it seems like I got back the System Restore program with system restore points all the way back to March. Do you know if it is a good thing to restore my system from an early date in March to get the system back into the shape it was in before the infection, or should I let the computer run from where it is today??? I mean I don't want to destroy my system after all the help I got from you. What do you think about it??

                                    Christian

                                    SuperDave

                                    • Malware Removal Specialist


                                    • Genius
                                    • Thanked: 1020
                                    • Certifications: List
                                    • Experience: Expert
                                    • OS: Windows 10
                                    Re: Trojan windows restore, help me??
                                    « Reply #26 on: April 29, 2011, 01:08:03 PM »
                                    Quote
Now it seems like I got back the System Restore program with system restore points all the way back to March. Do you know if it is a good thing to restore my system from an early date in March to get the system back into the shape it was in before the infection, or should I let the computer run from where it is today??? I mean I don't want to destroy my system after all the help I got from you. What do you think about it??
When you uninstall ComboFix using the method I outlined, it should have wiped out all the restore points and given you a new, clean point.