Avatar billede crasser83 Praktikant
22. oktober 2009 - 18:53 Der er 60 kommentarer og
1 løsning

Hjælp til fjernelse af "Antivirus Pro - 2010"

Har fået intalleret noget malware med navnet Antivirus Pro 2010 på en arbejdscomputer. Hvordan får jeg den renset?

Jeg har været inde på www.pcthreat.com, mere præcist "http://dk.pcthreat.com/parasitebyid-8239dk.html" som skriver dette:
"
Sådan renser du Antivirus Pro 2010 dig selv
 
For at spare tid og undgå at risikere at ødelægge din computer, anbefaler vi kraftigt at bruge en spyware-scanner Såsom SpyHunter, for at opdage Antivirus Pro 2010 Og andet spyware, adware, trojaner, virusser, keyloggers og andet, der kan blive gemt på din PC.
Fjerne registry entries (Antivirus Pro 2010):
Microsoft\Windows\CurrentVersion\Uninstall\AntivirusPro_2010
Microsoft\Windows\CurrentVersion\Run\Antivirus Pro 2010
AntivirusPro_2010
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\ Antivirus Pro 2010
HKEY_LOCAL_MACHINESOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN Antivirus Pro 2010
RUNNING PROGRAM\AntivirusPro_2010.exe
"
De henviser ydermere til et anti spyware program der hedder spyhunter 3, som da også genkender malware programmet. Man skal dog købe den fulde version for at den vil fjerne den for mig. Mit spørgsmål er så om den kan løse mit problem hvis jeg punger ud eller om man kan og skal gøre det manuelt. Har nemlig tit oplevet at antispyware programmer ikke kan klare ærterne når den først er gal.

MVH Christian Ibsen-Bjerget
Avatar billede f-arn Guru
22. oktober 2009 - 18:56 #1
Hent "Malwarebytes' Anti-Malware" her: http://www.malwarebytes.org/mbam.php
Installer og start programmet, opdater, lav "Hurtig skan" under fanebladet "skanner".
Bagefter klik på "vis resultater", tryk på "Fjern det valgte" og send loggen herind sammen med en log fra DDS som du finder her: http://download.bleepingcomputer.com/sUBs/dds.scr

eller her: http://www.forospyware.com/sUBs/dds

Den laver to logs,(DDS.txt og Attach.txt) gem dem på skrivebordet og kopier indholdet af DDS.txt  herind.

OBS - DDS skal gemmes på computeren og ikke køres fra nettet

Mht.: Vista - Højreklik på filen - Kør som Administrator.

NB Når du opdaterer Malwarebytes, så klik på opdater til den skriver at der ikke er flere opdateringer.
Avatar billede crasser83 Praktikant
22. oktober 2009 - 19:31 #2
Her er de så. Og tak fir hjælpen og din tid.

Malwarebytes' Anti-Malware 1.41
Database version: 3012
Windows 5.1.2600 Service Pack 3

22-10-2009 19:22:22
mbam-log-2009-10-22 (19-22-22).txt

Skan type: Hurtig skanning
Objekter skannet: 106336
Tid tilbagelagt: 7 minute(s), 13 second(s)

Inficerede Hukommelses Processer: 7
Inficerede Hukommelses Moduler: 1
Inficerede Registeringsdatabase Nøgler: 2
Inficerede Registeringsdatabase Værdier: 12
Inficerede Registeringsdatabase Filer: 4
Inficerede Mapper: 4
Inficerede Filer: 49

Inficerede Hukommelses Processer:
C:\WINDOWS\Temp\_ex-08.exe (Trojan.Dropper) -> Unloaded process successfully.
C:\Documents and Settings\Reception1\Application Data\seres.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\Documents and Settings\Reception1\Application Data\svcst.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\WINDOWS\system32\qtplugin.exe (Rootkit.Agent) -> Unloaded process successfully.
C:\WINDOWS\Temp\wpv651255703227.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Documents and Settings\Reception1\restorer64_a.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\WINDOWS\system32\restorer64_a.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Inficerede Hukommelses Moduler:
C:\WINDOWS\system32\cpcp.cpo (Trojan.Agent) -> Delete on reboot.

Inficerede Registeringsdatabase Nøgler:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

Inficerede Registeringsdatabase Værdier:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\promoreg (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mserv (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysgif32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\registrymonitor1 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RList (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\restorer64_a (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\restorer64_a (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Inficerede Registeringsdatabase Filer:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe cpcp.cpo bef0regiiav) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Inficerede Mapper:
C:\Programmer\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Programmer\AntivirusPro_2010\data (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Programmer\AntivirusPro_2010\Microsoft.VC80.CRT (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reception1\Menuen Start\Programmer\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

Inficerede Filer:
C:\WINDOWS\Temp\_ex-08.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reception1\Application Data\seres.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reception1\Application Data\svcst.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv581255562528.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reception1\Lokale indstillinger\Temp\BN10.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reception1\Lokale indstillinger\Temp\BN11.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reception1\Lokale indstillinger\Temp\BN12.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reception1\Lokale indstillinger\Temp\BN13.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reception1\Lokale indstillinger\Temp\BN14.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reception1\Lokale indstillinger\Temp\BN15.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reception1\Lokale indstillinger\Temp\BN16.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reception1\Lokale indstillinger\Temp\BN185.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reception1\Lokale indstillinger\Temp\BN2.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reception1\Lokale indstillinger\Temp\BN4.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reception1\Lokale indstillinger\Temp\BN5.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reception1\Lokale indstillinger\Temp\BN6.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reception1\Lokale indstillinger\Temp\BN7.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reception1\Lokale indstillinger\Temp\BN8.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reception1\Lokale indstillinger\Temp\BN9.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reception1\Lokale indstillinger\Temp\BNA.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reception1\Lokale indstillinger\Temp\BNB.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reception1\Lokale indstillinger\Temp\BNC.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reception1\Lokale indstillinger\Temp\BND.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reception1\Lokale indstillinger\Temp\BNE.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reception1\Lokale indstillinger\Temp\BNF.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Programmer\AntivirusPro_2010\AntivirusPro_2010.cfg (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Programmer\AntivirusPro_2010\AntivirusPro_2010.exe (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Programmer\AntivirusPro_2010\AVEngn.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Programmer\AntivirusPro_2010\htmlayout.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Programmer\AntivirusPro_2010\pthreadVC2.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Programmer\AntivirusPro_2010\wscui.cpl (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Programmer\AntivirusPro_2010\data\daily.cvd (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Programmer\AntivirusPro_2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Programmer\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Programmer\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Programmer\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reception1\Menuen Start\Programmer\AntivirusPro_2010\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reception1\Menuen Start\Programmer\AntivirusPro_2010\Uninstall.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cpcp.cpo (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Reception1\Application Data\lizkavd.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\WINDOWS\Temp\wpv651255703227.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reception1\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qtplugin.exe (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\wpv881255137485.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reception1\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reception1\Skrivebord\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reception1\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reception1\restorer64_a.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\restorer64_a.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

------------------------------------------------------------

DDS (Ver_09-10-13.01) - NTFSx86 
Run by Reception1 at 19:23:01,64 on 22-10-2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional  5.1.2600.3.1252.45.1030.18.1015.392 [GMT 2:00]

AV: Trend Micro Client-Server Security Agent AntiVirus *On-access scanning enabled* (Updated)  {9562DEF8-B4C4-4848-946E-F4F43834FB9F}
AV: avast! antivirus 4.8.1356 [VPS 091021-0] *On-access scanning enabled* (Updated)  {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Trend Micro Client-Server Security Agent Firewall *disabled*  {9562DEF8-B4C4-4848-946E-F4F43834FB9F}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.exe
svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmer\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Programmer\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmer\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Programmer\SetWeb\SetWeb.exe
C:\Programmer\OpenOffice.org 3\program\soffice.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\OpenOffice.org 3\program\soffice.bin
svchost
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Programmer\Java\jre6\bin\jqs.exe
C:\Programmer\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Programmer\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\TEMP\OECA52.EXE
C:\Programmer\Malwarebytes' Anti-Malware\mbam.exe
C:\Programmer\Java\jre6\bin\jucheck.exe
C:\Documents and Settings\Reception1\Skrivebord\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = dk.msn.com//
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programmer\fælles filer\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Hjælp til tilmelding til Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\programmer\fælles filer\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programmer\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programmer\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\programmer\canon\easy-webprint\Toolband.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\programmer\windows live\messenger\msnmsgr.exe" /background
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [OfficeScanNT Monitor] "c:\programmer\trend micro\client server security agent\pccntmon.exe" -HideWindow
mRun: [Easy-PrintToolBox] c:\programmer\canon\easy-printtoolbox\BJPSMAIN.EXE /logon
mRun: [SunJavaUpdateSched] "c:\programmer\java\jre6\bin\jusched.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SpyHunter Security Suite] c:\programmer\enigma software group\spyhunter\SpyHunter3.exe
mRun: [Regedit32] c:\windows\system32\regedit.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\programmer\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\recept~1\menuen~1\progra~1\start\openof~1.lnk - c:\programmer\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\documents and settings\reception1\menuen start\programmer\start\zavupd32.exe
StartupFolder: c:\docume~1\alluse~1\menuen~1\progra~1\start\adober~1.lnk - c:\programmer\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\menuen~1\progra~1\start\adober~2.lnk - c:\programmer\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\menuen~1\progra~1\start\setweb.lnk - c:\programmer\setweb\SetWeb.exe
IE: Easy-WebPrint Add To Print List - c:\programmer\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\programmer\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\programmer\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\programmer\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programmer\messenger\msmsgs.exe
Trusted Zone: danid.dk
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://192.168.18.11:4343/officescan/console/ClientInstall/WinNTChk.cab
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://192.168.18.11:4343/officescan/console/ClientInstall/setup.cab
DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - hxxps://192.168.18.11:4343/officescan/console/ClientInstall/RemoveCtrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {9BBB3919-F518-4D06-8209-299FC243FC30} - hxxps://192.168.18.11:4343/SMB/console/html/root/AtxEnc.cab
DPF: {9DF01F00-08E7-4DBE-9070-94841463B3FE} - hxxps://danid.dk/csp/authenticode/csp.exe
DPF: {C07E5288-22FB-11D7-962E-0004AC77C761} - hxxps://activex.dataloen.dk/controls/Dataloen3341.CAB
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} - hxxps://udstedelse.certifikat.tdc.dk/csp/authenticode/digitalsignatur-csp.exe
DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} - hxxps://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-10-22 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-10-22 20560]
R2 TmFilter;Trend Micro Filter;c:\programmer\trend micro\client server security agent\tmxpflt.sys [2008-8-16 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\programmer\trend micro\client server security agent\tmpreflt.sys [2008-8-16 36368]
R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;c:\windows\system32\drivers\l251x86.sys [2008-6-18 30720]
R3 cxbu0wdm;CardMan 3x21;c:\windows\system32\drivers\cxbu0wdm.sys [2008-11-5 52026]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-10-22 38224]

=============== Created Last 30 ================

2009-10-22 19:13    <DIR>    --d-----    c:\docume~1\recept~1\applic~1\Malwarebytes
2009-10-22 19:13    38,224    a-------    c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-22 19:13    19,160    a-------    c:\windows\system32\drivers\mbam.sys
2009-10-22 19:13    <DIR>    --d-----    c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-22 19:13    <DIR>    --d-----    c:\programmer\Malwarebytes' Anti-Malware
2009-10-22 18:23    <DIR>    --d-----    c:\programmer\Enigma Software Group
2009-10-22 16:54    27,408    a-------    c:\windows\system32\drivers\aavmker4.sys
2009-10-21 15:59    19,168    a-------    c:\windows\system32\ruco.dll
2009-10-21 15:59    18,006    a-------    c:\windows\system32\vykeneh.com
2009-10-21 15:59    17,084    a-------    c:\windows\system32\ulubafe.ban
2009-10-21 15:59    14,574    a-------    c:\windows\sidyqyboc.ban
2009-10-21 15:59    11,706    a-------    c:\windows\system32\iryxojufu.com
2009-10-21 15:59    11,148    a-------    c:\windows\system32\otaqokihe.vbs
2009-10-21 15:59    10,007    a-------    c:\windows\ejovasadyd.vbs
2009-10-21 15:59    16,290    a-------    c:\windows\socegaji.sys
2009-10-21 15:59    14,573    a-------    c:\windows\genygy.lib
2009-10-21 15:59    14,421    a-------    c:\docume~1\recept~1\applic~1\iqefut.vbs
2009-10-21 15:59    14,308    a-------    c:\programmer\fælles filer\ipig.dll
2009-10-21 15:59    14,185    a-------    c:\docume~1\recept~1\applic~1\habadyt.com
2009-10-21 15:59    14,136    a-------    c:\windows\emutosaru.bin
2009-10-21 15:59    12,771    a-------    c:\docume~1\recept~1\applic~1\apuhiqud.bat
2009-10-21 15:55    42,368    ac------    c:\windows\system32\dllcache\agp440.sys
2009-10-21 15:55    27,136    --------    c:\windows\system32\cpcp.cpo
2009-10-15 09:08    208,744    a-------    c:\windows\system32\muweb.dll
2009-10-15 09:08    268,648    a-------    c:\windows\system32\mucltui.dll
2009-10-15 09:08    27,496    a-------    c:\windows\system32\mucltui.dll.mui
2009-10-14 10:24    <DIR>    --d-----    c:\documents and settings\reception1\Tracing
2009-10-14 10:24    <DIR>    --d-----    c:\programmer\Microsoft
2009-10-14 10:24    <DIR>    --d-----    c:\programmer\Windows Live SkyDrive
2009-10-14 10:16    <DIR>    --d-----    c:\programmer\fælles filer\Windows Live
2009-10-01 13:36    2,674,149    a-------    C:\Kontoudtog til Revisor.pdf
2009-09-30 14:43    278,528    a-------    c:\windows\system32\DSJPG.dll
2009-09-30 14:43    260,096    a-------    c:\windows\system32\TMDGUI20.dll
2009-09-30 14:42    279,552    a-------    c:\windows\system32\DSJPG_12Bit.dll

==================== Find3M  ====================

2009-10-22 19:14    324,960    a-------    c:\windows\system32\perfh006.dat
2009-10-22 19:14    47,276    a-------    c:\windows\system32\perfc006.dat
2009-10-21 15:59    18,879    a-------    c:\programmer\fælles filer\ryrewut.db
2009-10-21 15:59    16,487    a-------    c:\programmer\fælles filer\dogyzip.ban
2009-10-21 15:59    16,445    a-------    c:\programmer\fælles filer\zobawot.db
2009-10-20 14:39    0    a-------    c:\documents and settings\reception1\temp.dat
2009-09-30 14:45    282,112    a-------    c:\windows\MiniWeb.exe
2009-09-30 14:43    144,896    a-------    c:\windows\system32\dsxml.dll
2009-09-30 14:43    155,648    a-------    c:\windows\system32\dsibapi.dll
2009-09-30 14:42    287,232    a-------    c:\windows\system32\DSPNG.dll
2009-09-30 14:42    109,568    a-------    c:\windows\system32\dszlib.dll
2009-09-30 14:42    101,888    a-------    c:\windows\system32\ToolBox20.dll
2009-09-11 16:19    136,192    a-------    c:\windows\system32\msv1_0.dll
2009-09-04 23:04    58,880    a-------    c:\windows\system32\msasn1.dll
2009-08-29 09:28    832,512    a-------    c:\windows\system32\wininet.dll
2009-08-29 09:28    78,336    a-------    c:\windows\system32\ieencode.dll
2009-08-29 09:28    17,408    --------    c:\windows\system32\corpol.dll
2009-08-26 10:02    247,326    a-------    c:\windows\system32\strmdll.dll
2009-08-05 11:00    204,800    a-------    c:\windows\system32\mswebdvd.dll
2009-08-04 19:29    2,147,840    a-------    c:\windows\system32\ntoskrnl.exe
2009-08-04 19:29    2,026,496    a-------    c:\windows\system32\ntkrnlpa.exe
2009-08-04 11:45    86,327    a-------    c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-07-26 16:44    48,448    a-------    c:\windows\system32\sirenacm.dll

============= FINISH: 19:23:32,82 ===============
Avatar billede crasser83 Praktikant
22. oktober 2009 - 20:09 #3
I forbindelse med fjernelsen med malwarebits, er alle skrivebordsikoner blevet slettet, computeren er meget langsom og baggrunden er som standard. Næsten som om at min bruger er blevet slettet... Alle filer ser dog stadig ud til at være der, men er utrolig langsomme om at åbne...
Avatar billede f-arn Guru
22. oktober 2009 - 21:19 #4
Du bør aldrig køre med to antivirus. Afinstaller enten Avast eller Trend Micro!

----------

Find og upload disse filer hos Jotti eller Virustotal:

c:\documents and settings\reception1\menuen start\programmer\start\zavupd32.exe
c:\windows\system32\drivers\cxbu0wdm.sys


http://virusscan.jotti.org/ - http://www.virustotal.com/en/indexf.html

Du skal måske slå vis skjulte filer og mapper til.
Hvis du ikke ved hvordan så se her:

http://www.it-artikler.dk/2008/03/05/vis-skjulte-filer-og-mapper/

Kopier resultatet herind

----------

Hent og gem Combofix på dit skrivebord:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Højreklik på skrivebordet og vælg ny->tekstdokument og kopier  indholdet mellem  linierne ind og gem filen som CFScript.txt

Du skal sikre dig at den ikke kommer til at hedde CFScript.txt.txt


--------------

Killall::
Snapshot::
DDS::
mRun: [Regedit32] c:\windows\system32\regedit.exe


--------------

Da Combofix kan konflikte med din antivirus er det vigtigt at du deaktiverer den.

Tag så fat i den nye fil med musen, og før den hen over Combofix-filen, hvorefter du "giver slip" med musen.
http://www.fromsej.saknet.dk/billeder/cfscript.gif

Så skulle Combofix gerne give sig til at arbejde. Muligvis vil den kræve en genstart, hvilket du skal tillade. Du bør ikke klikke på vinduet imens værktøjet kører, idet det kan få din computer til at fryse.
Når Combofix er færdig, og efter det (muligvis) har genstartet, skulle der gerne åbnes en logfil: combofix.txt som ligger her C:\Combofix.txt

Indholdet af denne fil må du gerne lægge herind.
Avatar billede crasser83 Praktikant
22. oktober 2009 - 21:37 #5
ok. jeg er ikke på arbejdet længere. Gør det i morgen ved en ti-tiden. Vender stærk tilbage. Skal jeg gøre det et skridt af gangen eller kan jeg kopiere begge ind samtidigt?
Avatar billede f-arn Guru
22. oktober 2009 - 21:47 #6
Har i ikke en IT ansvarlig du kan spørge til råds?
Avatar billede f-arn Guru
22. oktober 2009 - 21:51 #7
Du kan godt, i første omgang, nøjes med at uploade de to filer og kopiere resultatet herind. Så kan det jo være at jeg skal justere CFScript.txt
Avatar billede crasser83 Praktikant
22. oktober 2009 - 22:06 #8
ok. Det gør jeg i morgen. Vi er kun en lille tandklinik, så jeg har påtaget mig ansvaret for IT'en. Har lidt forstand på det meste men virus er lige ud over min kompetance. Havde ikke lige regnet med at en af klinikassistenterne hoppede på den gamle, "du har virus, skynd dig at downloade dette her program"-trick...
Avatar billede f-arn Guru
23. oktober 2009 - 06:05 #9
Det gør du bare  :)
Avatar billede crasser83 Praktikant
23. oktober 2009 - 12:52 #10
Så er jeg tilbage på arbejdet...

File cxbu0wdm.sys received on 2009.10.23 10:48:15 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/41 (0%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 43 and 62 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results 
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email: 
 

Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.23 -
AhnLab-V3 5.0.0.2 2009.10.22 -
AntiVir 7.9.1.44 2009.10.23 -
Antiy-AVL 2.0.3.7 2009.10.23 -
Authentium 5.1.2.4 2009.10.23 -
Avast 4.8.1351.0 2009.10.22 -
AVG 8.5.0.423 2009.10.23 -
BitDefender 7.2 2009.10.23 -
CAT-QuickHeal 10.00 2009.10.23 -
ClamAV 0.94.1 2009.10.23 -
Comodo 2701 2009.10.23 -
DrWeb 5.0.0.12182 2009.10.23 -
eSafe 7.0.17.0 2009.10.22 -
eTrust-Vet 35.1.7081 2009.10.23 -
F-Prot 4.5.1.85 2009.10.22 -
F-Secure 9.0.15370.0 2009.10.22 -
Fortinet 3.120.0.0 2009.10.23 -
GData 19 2009.10.23 -
Ikarus T3.1.1.72.0 2009.10.23 -
Jiangmin 11.0.800 2009.10.23 -
K7AntiVirus 7.10.877 2009.10.22 -
Kaspersky 7.0.0.125 2009.10.23 -
McAfee 5779 2009.10.22 -
McAfee+Artemis 5779 2009.10.22 -
McAfee-GW-Edition 6.8.5 2009.10.23 -
Microsoft 1.5202 2009.10.23 -
NOD32 4536 2009.10.23 -
Norman 6.03.02 2009.10.22 -
nProtect 2009.1.8.0 2009.10.23 -
Panda 10.0.2.2 2009.10.22 -
PCTools 4.4.2.0 2009.10.19 -
Prevx 3.0 2009.10.23 -
Rising 21.52.42.00 2009.10.23 -
Sophos 4.46.0 2009.10.23 -
Sunbelt 3.2.1858.2 2009.10.23 -
Symantec 1.4.4.12 2009.10.23 -
TheHacker 6.5.0.2.051 2009.10.22 -
TrendMicro 8.950.0.1094 2009.10.23 -
VBA32 3.12.10.11 2009.10.22 -
ViRobot 2009.10.23.2003 2009.10.23 -
VirusBuster 4.6.5.0 2009.10.22 -
Additional information
File size: 52026 bytes
MD5...: 008a09fa9c431d36bc3fa922f0cf3e55
SHA1..: 99df11a50e102b6dba8b723a46dd840e806bd5b6
SHA256: 906999420fe95d02c70ab1ece6811c0d1435b417bf8b1f43bc2218758a46741f
ssdeep: 768:KxCxkd5PLMTFQMTTqJmewhaVrwltVl7zuPgryC9siWRqaVOkNTCr:khd9LC3
TTlaAdzuorW1/bNo

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x21ec
timedatestamp.....: 0x400b917e (Mon Jan 19 08:12:46 2004)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x300 0x8b38 0x8b40 6.33 9aefa89a342c8143e7c3b0aaee3d6468
.rdata 0x8e40 0x10c8 0x10e0 5.15 cdc95019cac1c3406204e26f70e95e6a
.data 0x9f20 0x590 0x5a0 4.57 a812d1441c71414f2aa511b3610b1b91
PAGE 0xa4c0 0x2de 0x2e0 5.85 40d2a317ed6a891c012b33eff2865448
INIT 0xa7a0 0x83a 0x840 5.15 829e6d912139b105739d068769b9c4c1
.rsrc 0xafe0 0x6b8 0x6c0 3.36 1144c77f5d66b3548f408471b9dc6855
.reloc 0xb6a0 0x90a 0x920 6.06 4735a93ddf02f56d0e4c7046c2f69808

( 5 imports )
> NTOSKRNL.EXE: KeSetEvent, IofCallDriver, IofCompleteRequest, PsTerminateSystemThread, KeWaitForSingleObject, KeClearEvent, ZwClose, KeReleaseMutex, ObReferenceObjectByHandle, ExAllocatePoolWithTag, wcslen, RtlInitUnicodeString, RtlCopyUnicodeString, IoRegisterDeviceInterface, KeInitializeSpinLock, IoCreateDevice, IoDeleteDevice, PsCreateSystemThread, ExFreePool, IoDeleteSymbolicLink, IoSetDeviceInterfaceState, InterlockedIncrement, InterlockedDecrement, KeInitializeEvent, RtlQueryRegistryValues, IoDetachDevice, InterlockedExchange, IoAcquireCancelSpinLock, IoAttachDeviceToDeviceStack, IoFreeIrp, PoCallDriver, PoSetPowerState, PoStartNextPowerIrp, PoSetSystemState, PoRequestPowerIrp, IoBuildDeviceIoControlRequest, IoWMIRegistrationControl, IoAllocateIrp, KeDelayExecutionThread, RtlFreeUnicodeString, IoReleaseCancelSpinLock, KeInitializeMutex, RtlUnicodeStringToInteger, IoIsWdmVersionAvailable, RtlFreeAnsiString, RtlCompareMemory, RtlUnicodeStringToAnsiString, IoOpenDeviceRegistryKey, RtlWriteRegistryValue, RtlUnwind, IoCancelIrp
> HAL.DLL: KfAcquireSpinLock, KfReleaseSpinLock, KeStallExecutionProcessor, KeGetCurrentIrql
> SMCLIB.SYS: SmartcardT1Reply, SmartcardAcquireRemoveLock, SmartcardCreateLink, SmartcardExit, SmartcardReleaseRemoveLockAndWait, SmartcardReleaseRemoveLock, SmartcardDeviceControl, SmartcardInitialize, SmartcardT0Request, SmartcardT1Request, SmartcardUpdateCardCapabilities
> USBD.SYS: _USBD_CreateConfigurationRequestEx@8, _USBD_ParseConfigurationDescriptorEx@28, _USBD_ParseDescriptors@16
> WMILIB.SYS: WmiSystemControl, WmiCompleteRequest

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: OMNIKEY AG
copyright....: Copyright (c) 2000 - 2004 OMNIKEY AG
product......: PC/SC IFD handler for CCID compliant CardMan
description..: PC/SC IFD handler for CCID compliant CardMan
original name: CXBU0WDM.SYS
internal name: CXBU0WDM
file version.: 1.1.0.13
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

File File.ex received on 2009.10.22 17:06:05 (UTC)
Current status: finished

Result: 4/41 (9.76%)
Compact Print results 
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.22 -
AhnLab-V3 5.0.0.2 2009.10.22 -
AntiVir 7.9.1.44 2009.10.22 -
Antiy-AVL 2.0.3.7 2009.10.22 -
Authentium 5.1.2.4 2009.10.22 -
Avast 4.8.1351.0 2009.10.21 -
AVG 8.5.0.423 2009.10.22 -
BitDefender 7.2 2009.10.22 -
CAT-QuickHeal 10.00 2009.10.22 Win32.TrojanDownloader.Tibs.4
ClamAV 0.94.1 2009.10.22 -
Comodo 2692 2009.10.22 -
DrWeb 5.0.0.12182 2009.10.22 Trojan.Botnetlog.11
eSafe 7.0.17.0 2009.10.22 -
eTrust-Vet 35.1.7079 2009.10.22 -
F-Prot 4.5.1.85 2009.10.22 -
F-Secure 9.0.15370.0 2009.10.22 -
Fortinet 3.120.0.0 2009.10.22 -
GData 19 2009.10.22 -
Ikarus T3.1.1.72.0 2009.10.22 -
Jiangmin 11.0.800 2009.10.22 -
K7AntiVirus 7.10.877 2009.10.22 -
Kaspersky 7.0.0.125 2009.10.22 -
McAfee 5779 2009.10.22 -
McAfee+Artemis 5779 2009.10.22 -
McAfee-GW-Edition 6.8.5 2009.10.22 -
Microsoft 1.5202 2009.10.22 -
NOD32 4533 2009.10.22 -
Norman 6.03.02 2009.10.22 -
nProtect 2009.1.8.0 2009.10.22 -
Panda 10.0.2.2 2009.10.21 -
PCTools 4.4.2.0 2009.10.19 -
Prevx 3.0 2009.10.22 Medium Risk Malware
Rising 21.52.34.00 2009.10.22 -
Sophos 4.46.0 2009.10.22 -
Sunbelt 3.2.1858.2 2009.10.22 -
Symantec 1.4.4.12 2009.10.22 -
TheHacker 6.5.0.2.051 2009.10.22 -
TrendMicro 8.950.0.1094 2009.10.22 -
VBA32 3.12.10.11 2009.10.22 -
ViRobot 2009.10.22.2001 2009.10.22 Adware.AntivirusPro2010.R.17409
VirusBuster 4.6.5.0 2009.10.22 -
Additional information
File size: 17408 bytes
MD5  : 55ce22db7f491500db143bc1dcf821ed
SHA1  : ad6bf8ec413ffbebeb2c786662ad62a56ac196be
SHA256: 85185079d0f62c95eaf48615cfbe6791cc5e0ab7ada0adf2725c7862e83a75ce
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1000
timedatestamp.....: 0x4ADCDE48 (Mon Oct 19 23:46:48 2009)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2C0 0x400 4.63 077af3b8aa039f9296f0248b7dc52a5b
.rdata 0x2000 0xF2 0x200 2.15 58cb2c7d082c5cece5509f425453d83f
.data 0x3000 0xF8 0x200 2.86 59a6579d2d1b13e176d04ae801d22b3a
.rsrc 0x4000 0x36B8 0x3800 7.83 28dc6f758ca2d514ed68558c1e33a3b7

( 2 imports )

> crypt32.dll: CertFreeCRLContext
> kernel32.dll: LoadLibraryA, ReadFile, ExitProcess, CreateFileA, CloseHandle

( 0 exports )

TrID  : File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ssdeep: 384:rIkyaucJ9Y++XMhSVCCtj3tsqwU2/VwrCETPH9:LX/hkNZTwD/qCKPH
Prevx Info: http://info.prevx.com/aboutprogramtext.asp?PX5=6B8EA49F00F12423449A0098B0EED900534CDBC8
PEiD  : -
RDS  : NSRL Reference Data Set
-

Her er de første to logs fra de oploadede filer.
er det gjort rigtigt?
Avatar billede f-arn Guru
23. oktober 2009 - 13:13 #11
Prøv lige c:\documents and settings\reception1\menuen start\programmer\start\zavupd32.exe igen.
Avatar billede crasser83 Praktikant
23. oktober 2009 - 13:18 #12
File File.ex received on 2009.10.22 17:06:05 (UTC)
Current status: finished

Result: 4/41 (9.76%)
Compact Print results 
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.22 -
AhnLab-V3 5.0.0.2 2009.10.22 -
AntiVir 7.9.1.44 2009.10.22 -
Antiy-AVL 2.0.3.7 2009.10.22 -
Authentium 5.1.2.4 2009.10.22 -
Avast 4.8.1351.0 2009.10.21 -
AVG 8.5.0.423 2009.10.22 -
BitDefender 7.2 2009.10.22 -
CAT-QuickHeal 10.00 2009.10.22 Win32.TrojanDownloader.Tibs.4
ClamAV 0.94.1 2009.10.22 -
Comodo 2692 2009.10.22 -
DrWeb 5.0.0.12182 2009.10.22 Trojan.Botnetlog.11
eSafe 7.0.17.0 2009.10.22 -
eTrust-Vet 35.1.7079 2009.10.22 -
F-Prot 4.5.1.85 2009.10.22 -
F-Secure 9.0.15370.0 2009.10.22 -
Fortinet 3.120.0.0 2009.10.22 -
GData 19 2009.10.22 -
Ikarus T3.1.1.72.0 2009.10.22 -
Jiangmin 11.0.800 2009.10.22 -
K7AntiVirus 7.10.877 2009.10.22 -
Kaspersky 7.0.0.125 2009.10.22 -
McAfee 5779 2009.10.22 -
McAfee+Artemis 5779 2009.10.22 -
McAfee-GW-Edition 6.8.5 2009.10.22 -
Microsoft 1.5202 2009.10.22 -
NOD32 4533 2009.10.22 -
Norman 6.03.02 2009.10.22 -
nProtect 2009.1.8.0 2009.10.22 -
Panda 10.0.2.2 2009.10.21 -
PCTools 4.4.2.0 2009.10.19 -
Prevx 3.0 2009.10.22 Medium Risk Malware
Rising 21.52.34.00 2009.10.22 -
Sophos 4.46.0 2009.10.22 -
Sunbelt 3.2.1858.2 2009.10.22 -
Symantec 1.4.4.12 2009.10.22 -
TheHacker 6.5.0.2.051 2009.10.22 -
TrendMicro 8.950.0.1094 2009.10.22 -
VBA32 3.12.10.11 2009.10.22 -
ViRobot 2009.10.22.2001 2009.10.22 Adware.AntivirusPro2010.R.17409
VirusBuster 4.6.5.0 2009.10.22 -
Additional information
File size: 17408 bytes
MD5  : 55ce22db7f491500db143bc1dcf821ed
SHA1  : ad6bf8ec413ffbebeb2c786662ad62a56ac196be
SHA256: 85185079d0f62c95eaf48615cfbe6791cc5e0ab7ada0adf2725c7862e83a75ce
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1000
timedatestamp.....: 0x4ADCDE48 (Mon Oct 19 23:46:48 2009)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2C0 0x400 4.63 077af3b8aa039f9296f0248b7dc52a5b
.rdata 0x2000 0xF2 0x200 2.15 58cb2c7d082c5cece5509f425453d83f
.data 0x3000 0xF8 0x200 2.86 59a6579d2d1b13e176d04ae801d22b3a
.rsrc 0x4000 0x36B8 0x3800 7.83 28dc6f758ca2d514ed68558c1e33a3b7

( 2 imports )

> crypt32.dll: CertFreeCRLContext
> kernel32.dll: LoadLibraryA, ReadFile, ExitProcess, CreateFileA, CloseHandle

( 0 exports )

TrID  : File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ssdeep: 384:rIkyaucJ9Y++XMhSVCCtj3tsqwU2/VwrCETPH9:LX/hkNZTwD/qCKPH
Prevx Info: http://info.prevx.com/aboutprogramtext.asp?PX5=6B8EA49F00F12423449A0098B0EED900534CDBC8
PEiD  : -
RDS  : NSRL Reference Data Set
-
Avatar billede f-arn Guru
23. oktober 2009 - 13:34 #13
Prøv lige begge filer hos den anden!
Avatar billede crasser83 Praktikant
23. oktober 2009 - 13:50 #14
Jotti's malware scan
This file has been scanned before. The results for this previous scan are listed below.

   



--------------------------------------------------------------------------------

Filename:  zavupd32.exe 
Status:  Scan finished. 0 out of 21 scanners reported malware.
Scan taken on:  Thu 22 Oct 2009 06:39:22 (CET) Permalink
   


--------------------------------------------------------------------------------
Additional info
File size:  17408 bytes 
Filetype:  PE32 executable for MS Windows (GUI) Intel 80386 32-bit 
MD5:  55ce22db7f491500db143bc1dcf821ed 
SHA1:  ad6bf8ec413ffbebeb2c786662ad62a56ac196be 







Scanners
  2009-10-20 Found nothing  2009-10-22 Found nothing
  2009-10-22 Found nothing  2009-10-22 Found nothing
  2009-10-21 Found nothing  2009-10-22 Found nothing
  2009-10-21 Found nothing  2009-10-21 Found nothing
  2009-10-21 Found nothing  2009-10-21 Found nothing
  2009-10-22 Found nothing  2009-10-21 Found nothing
  2009-10-22 Found nothing  2009-10-21 Found nothing
  2009-10-22 Found nothing  2009-10-22 Found nothing
  2009-10-22 Found nothing  2009-10-21 Found nothing
  2009-10-21 Found nothing  2009-10-21 Found nothing
  2009-10-22 Found nothing   



Jotti's malware scan
Filename:  cxbu0wdm.sys 
Status:  Scan finished. 0 out of 21 scanners reported malware.
Scan taken on:  Fri 23 Oct 2009 13:45:37 (CET) Permalink
   


--------------------------------------------------------------------------------
Additional info
File size:  52026 bytes 
Filetype:  PE32 executable for MS Windows (native) Intel 80386 32-bit 
MD5:  008a09fa9c431d36bc3fa922f0cf3e55 
SHA1:  99df11a50e102b6dba8b723a46dd840e806bd5b6 







Scanners
  2009-10-23 Found nothing  2009-10-23 Found nothing
  2009-10-23 Found nothing  2009-10-23 Found nothing
  2009-10-22 Found nothing  2009-10-23 Found nothing
  2009-10-23 Found nothing  2009-10-23 Found nothing
  2009-10-23 Found nothing  2009-10-22 Found nothing
  2009-10-23 Found nothing  2009-10-22 Found nothing
  2009-10-23 Found nothing  2009-10-22 Found nothing
  2009-10-23 Found nothing  2009-10-23 Found nothing
  2009-10-23 Found nothing  2009-10-22 Found nothing
  2009-10-22 Found nothing  2009-10-22 Found nothing
  2009-10-23 Found nothing   



--------------------------------------------------------------------------------
Den siger generelt at den ikke finder noget...
Avatar billede f-arn Guru
23. oktober 2009 - 14:01 #15
Ok

Hent og gem Combofix på dit skrivebord:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Højreklik på skrivebordet og vælg ny->tekstdokument og kopier  indholdet mellem  linierne ind og gem filen som CFScript.txt

Du skal sikre dig at den ikke kommer til at hedde CFScript.txt.txt

-------------

Killall::
Snapshot::
DDS::
mRun: [Regedit32] c:\windows\system32\regedit.exe


--------------

Da Combofix kan konflikte med din antivirus er det vigtigt at du deaktiverer den.

Tag så fat i den nye fil med musen, og før den hen over Combofix-filen, hvorefter du "giver slip" med musen.
http://www.fromsej.saknet.dk/billeder/cfscript.gif

Så skulle Combofix gerne give sig til at arbejde. Muligvis vil den kræve en genstart, hvilket du skal tillade. Du bør ikke klikke på vinduet imens værktøjet kører, idet det kan få din computer til at fryse.
Når Combofix er færdig, og efter det (muligvis) har genstartet, skulle der gerne åbnes en logfil: combofix.txt som ligger her C:\Combofix.txt

Indholdet af denne fil må du gerne lægge herind.
Avatar billede crasser83 Praktikant
23. oktober 2009 - 14:17 #16
der er noget der hedder "Trend Micro client-sever security" som Combo brokker sig over. Det kan jeg ikke slå fra...
Avatar billede crasser83 Praktikant
23. oktober 2009 - 14:37 #17
ComboFix 09-10-22.01 - Reception1 23-10-2009 14:25.1.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.45.1030.18.1015.501 [GMT 2:00]
Kører fra: C:\ComboFix.exe
Kommandoer benyttet :: C:\CFScript.txt.txt
AV: Trend Micro Client-Server Security Agent AntiVirus *On-access scanning enabled* (Updated) {9562DEF8-B4C4-4848-946E-F4F43834FB9F}
FW: Trend Micro Client-Server Security Agent Firewall *disabled* {9562DEF8-B4C4-4848-946E-F4F43834FB9F}

advarsel -DENNE MASKINE HAR IKKE GENOPRETTELSESKONSOL INSTALLERET !!
.

(((((((((((((((((((((((((((((((((((((((  Andet, der er slettet  )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\23930421
c:\documents and settings\All Users\Application Data\23930421\23930421.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Application Data\yviwawod.scr
c:\documents and settings\All Users\Dokumenter\hyxihojim.dl
c:\documents and settings\All Users\Dokumenter\odymebas.bin
c:\documents and settings\All Users\Dokumenter\uvuq.reg
c:\documents and settings\All Users\Dokumenter\xevusud.dll
c:\documents and settings\All Users\Dokumenter\ynyke.sys
c:\documents and settings\Reception1\Application Data\apuhiqud.bat
c:\documents and settings\Reception1\Application Data\ecizaj.sys
c:\documents and settings\Reception1\Application Data\gekus.ban
c:\documents and settings\Reception1\Application Data\habadyt.com
c:\documents and settings\Reception1\Application Data\iqefut.vbs
c:\documents and settings\Reception1\Application Data\lizkavd.exe
c:\documents and settings\Reception1\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\Reception1\Application Data\qibulasy._dl
c:\documents and settings\Reception1\Application Data\rynotexih.vbs
c:\documents and settings\Reception1\Application Data\seres.exe
c:\documents and settings\Reception1\Application Data\sibu.pif
c:\documents and settings\Reception1\Application Data\svcst.exe
c:\documents and settings\Reception1\Application Data\uhyk.com
c:\documents and settings\Reception1\Application Data\wiaserva.log
c:\documents and settings\Reception1\Application Data\ylyx._dl
c:\documents and settings\Reception1\Cookies\esoqaxubu.exe
c:\documents and settings\Reception1\Cookies\mekygyneh.bin
c:\documents and settings\Reception1\Cookies\nycyfaq.lib
c:\documents and settings\Reception1\Cookies\obewygusy._sy
c:\documents and settings\Reception1\Cookies\ojof.lib
c:\documents and settings\Reception1\Lokale indstillinger\Application Data\apuz.scr
c:\documents and settings\Reception1\Lokale indstillinger\Application Data\evuzoti.bat
c:\documents and settings\Reception1\Lokale indstillinger\Application Data\inewavutaj.bat
c:\documents and settings\Reception1\Lokale indstillinger\Application Data\xuhavaqyw.exe
c:\documents and settings\Reception1\Lokale indstillinger\Application Data\ykydo._dl
c:\documents and settings\Reception1\Lokale indstillinger\Temporary Internet Files\aquf.bin
c:\documents and settings\Reception1\Lokale indstillinger\Temporary Internet Files\balizeqaqe.reg
c:\documents and settings\Reception1\Lokale indstillinger\Temporary Internet Files\evovec.com
c:\documents and settings\Reception1\Lokale indstillinger\Temporary Internet Files\icizeba.bin
c:\documents and settings\Reception1\Lokale indstillinger\Temporary Internet Files\iqamiqaxyh.dl
c:\documents and settings\Reception1\Lokale indstillinger\Temporary Internet Files\roxo.vbs
c:\documents and settings\Reception1\Menuen Start\Programmer\AntivirusPro_2010
c:\documents and settings\Reception1\Menuen Start\Programmer\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\Reception1\Menuen Start\Programmer\AntivirusPro_2010\Uninstall.lnk
c:\documents and settings\Reception1\Menuen Start\Programmer\Security Tool.lnk
c:\documents and settings\Reception1\restorer64_a.exe
c:\documents and settings\Reception1\Skrivebord\AntivirusPro_2010.lnk
c:\documents and settings\Reception1\Skrivebord\Security Tool.lnk
c:\programmer\AntivirusPro_2010
c:\programmer\AntivirusPro_2010\AntivirusPro_2010.cfg
c:\programmer\AntivirusPro_2010\AntivirusPro_2010.exe
c:\programmer\AntivirusPro_2010\AVEngn.dll
c:\programmer\AntivirusPro_2010\data\daily.cvd
c:\programmer\AntivirusPro_2010\htmlayout.dll
c:\programmer\AntivirusPro_2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\programmer\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll
c:\programmer\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll
c:\programmer\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll
c:\programmer\AntivirusPro_2010\pthreadVC2.dll
c:\programmer\AntivirusPro_2010\Uninstall.exe
c:\programmer\AntivirusPro_2010\wscui.cpl
c:\programmer\Fælles filer\axapyvos._dl
c:\programmer\Fælles filer\dogyzip.ban
c:\programmer\Fælles filer\ifubymymo.bat
c:\programmer\Fælles filer\ipig.dll
c:\programmer\Fælles filer\neloqupata.ban
c:\programmer\Fælles filer\ytiqojuno.bin
c:\programmer\F‘lles filer\ifubymymo.bat
c:\recycler\S-1-5-21-1177238915-1078145449-839522115-500
c:\windows\ejovasadyd.vbs
c:\windows\emutosaru.bin
c:\windows\sidyqyboc.ban
c:\windows\socegaji.sys
c:\windows\system32\drivers\Pmloader.sys
c:\windows\system32\otaqokihe.vbs
c:\windows\system32\qtplugin.exe
c:\windows\system32\restorer64_a.exe
c:\windows\system32\ruco.dll
c:\windows\system32\ulubafe.ban
c:\windows\wowezej.dll

----- BITS: Mulige inficerede internetsteder -----

hxxp://j+|Cv+@J:NGD_DQ{zcxLJS@BdJrIJava Update
.
(((((((((((((((((((((((((((((  Filer skabt fra 2009-09-23 til 2009-10-23  )))))))))))))))))))))))))))))))))))
.

2009-10-23 10:53 . 2009-10-23 10:53    3351787    ----a-r-    C:\ComboFix.exe
2009-10-22 18:05 . 2009-10-22 18:05    17625    ----a-w-    c:\windows\ugytyjydab.dat
2009-10-22 17:13 . 2009-10-22 17:13    --------    d-----w-    c:\documents and settings\Reception1\Application Data\Malwarebytes
2009-10-22 17:13 . 2009-10-22 17:13    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-22 16:23 . 2009-10-22 16:23    --------    d-----w-    c:\programmer\Enigma Software Group
2009-10-22 14:54 . 2009-10-22 14:54    --------    d-----w-    c:\programmer\Alwil Software
2009-10-21 13:59 . 2009-10-21 13:59    18006    ----a-w-    c:\windows\system32\vykeneh.com
2009-10-21 13:59 . 2009-10-21 13:59    11706    ----a-w-    c:\windows\system32\iryxojufu.com
2009-10-21 13:55 . 2009-10-22 15:38    42368    -c--a-w-    c:\windows\system32\dllcache\agp440.sys
2009-10-15 07:08 . 2008-10-16 12:06    208744    ----a-w-    c:\windows\system32\muweb.dll
2009-10-15 07:08 . 2008-10-16 12:06    268648    ----a-w-    c:\windows\system32\mucltui.dll
2009-10-14 08:24 . 2009-10-23 12:10    --------    d-----w-    c:\documents and settings\Reception1\Tracing
2009-10-14 08:24 . 2009-10-14 08:24    --------    d-----w-    c:\programmer\Microsoft
2009-10-14 08:24 . 2009-10-14 08:24    --------    d-----w-    c:\programmer\Windows Live SkyDrive
2009-10-14 08:23 . 2009-10-14 08:24    --------    d-----w-    c:\programmer\Windows Live
2009-10-14 08:16 . 2009-10-14 08:16    --------    d-----w-    c:\programmer\Fælles filer\Windows Live
2009-09-30 12:43 . 2009-09-30 12:43    278528    ----a-w-    c:\windows\system32\DSJPG.dll
2009-09-30 12:43 . 2009-09-30 12:43    260096    ----a-w-    c:\windows\system32\TMDGUI20.dll
2009-09-30 12:42 . 2009-09-30 12:42    279552    ----a-w-    c:\windows\system32\DSJPG_12Bit.dll

.
((((((((((((((((((((((((((((((((((((((((  Find3M Rapport  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-23 12:31 . 2009-10-23 12:31    58729    ----a-w-    c:\windows\system32\restorer64_a.exe
2009-10-23 12:31 . 2009-10-23 12:31    58729    ----a-w-    c:\documents and settings\Reception1\restorer64_a.exe
2009-10-23 12:13 . 2008-06-18 14:33    47276    ----a-w-    c:\windows\system32\perfc006.dat
2009-10-23 12:13 . 2008-06-18 14:33    324960    ----a-w-    c:\windows\system32\perfh006.dat
2009-10-21 13:59 . 2009-10-21 13:59    18879    ----a-w-    c:\programmer\Fælles filer\ryrewut.db
2009-10-21 13:59 . 2009-10-21 13:59    16445    ----a-w-    c:\programmer\Fælles filer\zobawot.db
2009-10-21 11:02 . 2008-11-05 14:07    --------    d-----w-    c:\programmer\DYMO Label
2009-10-20 12:39 . 2009-04-16 07:05    0    ----a-w-    c:\documents and settings\Reception1\temp.dat
2009-10-14 08:24 . 2009-05-07 10:28    18632    ----a-w-    c:\documents and settings\Reception1\Lokale indstillinger\Application Data\GDIPFONTCACHEV1.DAT
2009-10-01 06:02 . 2008-11-05 11:34    --------    d-----w-    c:\programmer\DentalSuite
2009-09-30 12:45 . 2009-05-18 10:15    282112    ----a-w-    c:\windows\MiniWeb.exe
2009-09-30 12:43 . 2009-05-18 10:15    144896    ----a-w-    c:\windows\system32\dsxml.dll
2009-09-30 12:43 . 2009-05-18 10:15    155648    ----a-w-    c:\windows\system32\dsibapi.dll
2009-09-30 12:42 . 2009-05-18 10:15    287232    ----a-w-    c:\windows\system32\DSPNG.dll
2009-09-30 12:42 . 2009-06-22 07:22    101888    ----a-w-    c:\windows\system32\ToolBox20.dll
2009-09-30 12:42 . 2009-05-18 10:15    109568    ----a-w-    c:\windows\system32\dszlib.dll
2009-09-11 14:19 . 2008-06-18 14:33    136192    ----a-w-    c:\windows\system32\msv1_0.dll
2009-09-04 21:04 . 2008-06-18 14:33    58880    ----a-w-    c:\windows\system32\msasn1.dll
2009-08-29 07:28 . 2008-06-18 14:33    832512    ----a-w-    c:\windows\system32\wininet.dll
2009-08-29 07:28 . 2008-06-18 14:33    78336    ----a-w-    c:\windows\system32\ieencode.dll
2009-08-29 07:28 . 2008-06-18 14:33    17408    ------w-    c:\windows\system32\corpol.dll
2009-08-26 08:02 . 2008-06-18 14:33    247326    ----a-w-    c:\windows\system32\strmdll.dll
2009-08-05 09:00 . 2008-06-18 14:33    204800    ----a-w-    c:\windows\system32\mswebdvd.dll
2009-08-04 17:29 . 2004-08-26 17:50    2026496    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2009-08-04 17:29 . 2004-08-26 17:50    2147840    ----a-w-    c:\windows\system32\ntoskrnl.exe
2009-07-26 14:44 . 2009-07-26 14:44    48448    ----a-w-    c:\windows\system32\sirenacm.dll
.

(((((((((((((((((((((((((((((((((((  Start steder i reg.basen  ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Bemærk* tomme linier & lovlige standard linier vises ikke 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\programmer\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-11-08 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-11-08 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-11-08 137752]
"OfficeScanNT Monitor"="c:\programmer\Trend Micro\Client Server Security Agent\pccntmon.exe" [2007-03-29 394952]
"Easy-PrintToolBox"="c:\programmer\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"SunJavaUpdateSched"="c:\programmer\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"restorer64_a"="c:\windows\system32\restorer64_a.exe" [2009-10-23 58729]
"sysgif32"="c:\windows\Temp\wpv141255703227.exe" [2009-10-23 21504]
"77839034"="c:\docume~1\ALLUSE~1\APPLIC~1\77839034\77839034.exe" [2009-10-23 1050665]
"RegistryMonitor1"="c:\windows\system32\qtplugin.exe" [2009-10-23 292352]
"PromoReg"="c:\windows\Temp\_ex-08.exe" [2009-10-23 419840]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-10-25 16855552]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2007-10-11 1826816]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Reception1\Menuen Start\Programmer\Start\
OpenOffice.org 3.0.lnk - c:\programmer\OpenOffice.org 3\program\quickstart.exe [2008-10-5 393216]
zavupd32.exe [2008-4-14 17408]

c:\documents and settings\All Users\Menuen Start\Programmer\Start\
Adobe Reader Hurtigstart.lnk - c:\programmer\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\programmer\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
SetWeb.lnk - c:\programmer\SetWeb\SetWeb.exe [2008-11-5 847872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe rundll32.exe cpcp.cpo bef0regiiav"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmer\\DentalSuite\\DentalSuite.exe"=
"c:\\Programmer\\DentalSuite\\VNC\\winvnc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmer\\Windows Live\\Messenger\\msnmsgr.exe"=

R2 TmFilter;Trend Micro Filter;c:\programmer\Trend Micro\Client Server Security Agent\tmxpflt.sys [16-08-2008 03:00 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\programmer\Trend Micro\Client Server Security Agent\tmpreflt.sys [16-08-2008 03:00 36368]
R3 cxbu0wdm;CardMan 3x21;c:\windows\system32\drivers\cxbu0wdm.sys [05-11-2008 15:17 52026]
.
.
------- Yderligere scanning -------
.
uStart Page = dk.msn.com//
IE: Easy-WebPrint Add To Print List - c:\programmer\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\programmer\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\programmer\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\programmer\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
Trusted Zone: danid.dk
DPF: {9BBB3919-F518-4D06-8209-299FC243FC30} - hxxps://192.168.18.11:4343/SMB/console/html/root/AtxEnc.cab
DPF: {9DF01F00-08E7-4DBE-9070-94841463B3FE} - hxxps://danid.dk/csp/authenticode/csp.exe
DPF: {C07E5288-22FB-11D7-962E-0004AC77C761} - hxxps://activex.dataloen.dk/controls/Dataloen3341.CAB
DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} - hxxps://udstedelse.certifikat.tdc.dk/csp/authenticode/digitalsignatur-csp.exe
DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} - hxxps://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
.
- - - - TOMME GENVEJE FJERNET - - - -

HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\programmer\Malwarebytes' Anti-Malware\mbam.exe
HKLM-Run-23930421 - c:\docume~1\ALLUSE~1\APPLIC~1\23930421\23930421.exe
AddRemove-Mozilla Firefox (3.0.11) - c:\programmer\Mozilla Firefox\uninstall\helper.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-23 14:30
Windows 5.1.2600 Service Pack 3 NTFS

scanner skjulte processer ... 

scanner skjulte autostarter ...

scanner skjulte filer ... 


c:\windows\system32\qtplugin.exe 292352 bytes executable
c:\windows\system32\restorer64_a.exe 58729 bytes executable

scanning gennemført med succes
skjulte filer: 2

**************************************************************************
.
--------------------- DLLs startet under kørende Processer ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\programmer\SetWeb\setcsp.dll
c:\programmer\SetWeb\csputil.dll
c:\programmer\SetWeb\ssiutil.dll
c:\programmer\SetWeb\ssides.dll
c:\programmer\SetWeb\ssider.dll
c:\programmer\SetWeb\ssihash.dll
c:\programmer\SetWeb\ssirsa.dll
c:\programmer\SetWeb\SC.dll
c:\programmer\SetWeb\rsi32.dll
c:\programmer\SetWeb\ssirsakg.dll
c:\programmer\SetWeb\ssipk15.dll
.
------------------------ Andre kørende processer ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\combofix\CF22928.exe
c:\programmer\Java\jre6\bin\jqs.exe
c:\programmer\Trend Micro\Client Server Security Agent\ntrtscan.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
c:\windows\system32\igfxsrvc.exe
c:\programmer\Trend Micro\Client Server Security Agent\tmlisten.exe
c:\programmer\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
c:\programmer\OpenOffice.org 3\program\soffice.exe
c:\programmer\OpenOffice.org 3\program\soffice.bin
c:\docume~1\RECEPT~1\LOKALE~1\Temp\6.tmp
c:\windows\TEMP\AN981B.EXE
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Gennemført tid: 2009-10-23 14:35 - maskinen blev genstartet
ComboFix-quarantined-files.txt  2009-10-23 12:35

Pre-Kørsel: 69.233.582.080 byte ledig
Post-Kørsel: 69.743.525.888 byte ledig

- - End Of File - - 06F9E56B79D94644644874FAE9179F18
Avatar billede crasser83 Praktikant
23. oktober 2009 - 14:40 #18
Det så ud som om den var væk... for en tid. Ikonerne kom tilbage på skrivebordet, der var ingen pop-ups eller ikoner i startlinien. Men efter ca. 1 minut kom det hele gradvist tilbage...
Avatar billede f-arn Guru
23. oktober 2009 - 15:40 #19
Højreklik der hvor combofix ligger og vælg ny->tekstdokument og kopier indholdet mellem  linierne ind og gem filen som CFScript.txt

Du skal sikre dig at den ikke kommer til at hedde CFScript.txt.txt

--------------

Killall::
Snapshot::
File::
c:\windows\system32\restorer64_a.exe
c:\windows\Temp\wpv141255703227.exe
c:\docume~1\ALLUSE~1\APPLIC~1\77839034\77839034.exe
c:\windows\Temp\_ex-08.exe
c:\windows\system32\DSJPG.dll
c:\windows\system32\TMDGUI20.dll
c:\windows\system32\DSJPG_12Bit.dll
Filelook::
c:\windows\system32\dllcache\agp440.sys
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"restorer64_a"=-
"sysgif32"=-
"77839034"=-
"PromoReg"=-


--------------

Da Combofix kan konflikte med din antivirus er det vigtigt at du deaktiverer den.

Tag så fat i den nye fil med musen, og før den hen over Combofix-filen, hvorefter du "giver slip" med musen.
http://www.fromsej.saknet.dk/billeder/cfscript.gif

Så skulle Combofix gerne give sig til at arbejde. Muligvis vil den kræve en genstart, hvilket du skal tillade. Du bør ikke klikke på vinduet imens værktøjet kører, idet det kan få din computer til at fryse.
Når Combofix er færdig, og efter det (muligvis) har genstartet, skulle der gerne åbnes en logfil combofix.txt som ligger her C:\Combofix.txt

Indholdet af denne fil må du gerne lægge herind.
Avatar billede f-arn Guru
23. oktober 2009 - 16:00 #20
Jeg glemtenoget så hvis du ikke har nået at køre den endnu så læg lige et indlæg.
Avatar billede crasser83 Praktikant
23. oktober 2009 - 16:25 #21
Den kører stadig...?! Skal jeg annulere?
Avatar billede crasser83 Praktikant
23. oktober 2009 - 16:26 #22
Sidder foran computeren, så jeg gør det så snart du svarer. :-)
Avatar billede crasser83 Praktikant
23. oktober 2009 - 16:27 #23
Og jeg svarer dig vha. Min iPhone. :-)
Avatar billede f-arn Guru
23. oktober 2009 - 16:35 #24
Nej, det kan være Combofix selv ta'r den. Jeg glemte bare et start punkt der skulle være slettet.
Avatar billede crasser83 Praktikant
23. oktober 2009 - 16:41 #25
Men nu har den scannet i snart en time. Skal den bare fortsætte? Det tog ikke en brøkdel af den tid ved 1. Scannning.
Avatar billede f-arn Guru
23. oktober 2009 - 16:46 #26
ja, lad den fortsætte. Det er ikke usædvanligt.
Avatar billede crasser83 Praktikant
23. oktober 2009 - 17:26 #27
Stadig ingenting sket... :-(
Avatar billede crasser83 Praktikant
23. oktober 2009 - 17:50 #28
Nå, jeg lader den stå til kl. 20, så burde den vel være færdig?
Avatar billede f-arn Guru
23. oktober 2009 - 18:02 #29
Hvad skriver den? Virker det som om den er gået i stå?
Avatar billede crasser83 Praktikant
23. oktober 2009 - 20:40 #30
Den står og blinker som om den stadig kører... Men det har den jo gjort i 4 timer nu...
Avatar billede f-arn Guru
23. oktober 2009 - 21:15 #31
Så prøv at se om du kan stoppe den. Prøv først Ctrl-alt-del. Ellers må du prøve reboot knappen.
Avatar billede crasser83 Praktikant
23. oktober 2009 - 21:35 #32
Den startes hermed på ny...
Avatar billede f-arn Guru
24. oktober 2009 - 09:48 #33
Tjjaaa  jeg vil da gerne høre hvordan det gik.
Avatar billede crasser83 Praktikant
24. oktober 2009 - 12:09 #34
Jeg genstartede den i går ved en 21:30 tiden da jeg skrev sidste gang og den gik i gang med at scanne igen. Har endnu ikke set om denne scanning også er gået i stå. Skriver så snart jeg har nyt. Regner med at det bliver søndag eftermiddag eller mandag morgen.
Avatar billede crasser83 Praktikant
25. oktober 2009 - 23:10 #35
Jeg er klar foran computeren fra i morgen kl. 9. FYI. :-)
Avatar billede crasser83 Praktikant
26. oktober 2009 - 10:13 #36
Hej Igen.
Den er frosset igen... Nu har den stået siden fredag aften og er ikke kommet længere end "scanning for infected files". Den står og blinker i programmet, men...

Nogen forslag?
Avatar billede crasser83 Praktikant
26. oktober 2009 - 12:05 #37
Jeg har kørt den oprindelige Combpfix:
-------------

Killall::
Snapshot::
DDS::
mRun: [Regedit32] c:\windows\system32\regedit.exe

--------------
Og lagt loggen herind. Venter på dit svar.

ComboFix 09-10-25.02 - Reception1 26-10-2009 11:52.2.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.45.1030.18.1015.566 [GMT 1:00]
Kører fra: C:\ComboFix.exe
Kommandoer benyttet :: C:\CFScript.txt
AV: avast! antivirus 4.8.1356 [VPS 091025-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Trend Micro Client-Server Security Agent AntiVirus *On-access scanning enabled* (Updated) {9562DEF8-B4C4-4848-946E-F4F43834FB9F}
FW: Trend Micro Client-Server Security Agent Firewall *disabled* {9562DEF8-B4C4-4848-946E-F4F43834FB9F}
* Dannede nyt systemgendannelsespunkt

advarsel -DENNE MASKINE HAR IKKE GENOPRETTELSESKONSOL INSTALLERET !!
.

(((((((((((((((((((((((((((((((((((((((  Andet, der er slettet  )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\77839034
c:\documents and settings\All Users\Application Data\77839034\77839034.exe
c:\documents and settings\All Users\Application Data\dofa.ban
c:\documents and settings\All Users\Application Data\usuvyw.com
c:\documents and settings\All Users\Dokumenter\kanixocap.bat
c:\documents and settings\Reception1\Application Data\aqem._sy
c:\documents and settings\Reception1\Application Data\qazetu.reg
c:\documents and settings\Reception1\Application Data\qigesag.dl
c:\documents and settings\Reception1\Application Data\wiaserva.log
c:\documents and settings\Reception1\Application Data\ykosare.com
c:\documents and settings\Reception1\Cookies\huqutosohi.bat
c:\documents and settings\Reception1\Lokale indstillinger\Application Data\asijisehi.dll
c:\documents and settings\Reception1\Lokale indstillinger\Application Data\epaq.bin
c:\documents and settings\Reception1\Lokale indstillinger\Application Data\obelox._dl
c:\documents and settings\Reception1\Lokale indstillinger\Temporary Internet Files\ocugyvakev.com
c:\documents and settings\Reception1\Lokale indstillinger\Temporary Internet Files\yfytenif.com
c:\documents and settings\Reception1\Lokale indstillinger\Temporary Internet Files\yvomotuzoh.com
c:\documents and settings\Reception1\Menuen Start\Programmer\Security Tool.lnk
c:\documents and settings\Reception1\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\Reception1\restorer64_a.exe
c:\documents and settings\Reception1\Skrivebord\Security Tool.lnk
c:\programmer\Fælles filer\ahix.exe
c:\windows\pavamimih.pif
c:\windows\system32\cpcp.cpo
c:\windows\system32\oqykub.reg
c:\windows\system32\qtplugin.exe
c:\windows\system32\restorer64_a.exe
c:\windows\system32\TMDGUI20.dll

.
(((((((((((((((((((((((((((((  Filer skabt fra 2009-09-26 til 2009-10-26  )))))))))))))))))))))))))))))))))))
.

2009-10-26 10:19 . 2009-09-15 11:54    52368    ----a-w-    c:\windows\system32\drivers\aswTdi.sys
2009-10-26 10:19 . 2009-09-15 11:54    23152    ----a-w-    c:\windows\system32\drivers\aswRdr.sys
2009-10-26 10:19 . 2009-09-15 11:53    27408    ----a-w-    c:\windows\system32\drivers\aavmker4.sys
2009-10-26 10:19 . 2009-09-15 11:56    93424    ----a-w-    c:\windows\system32\drivers\aswmon.sys
2009-10-26 10:19 . 2009-09-15 11:56    94160    ----a-w-    c:\windows\system32\drivers\aswmon2.sys
2009-10-26 10:19 . 2009-09-15 11:55    114768    ----a-w-    c:\windows\system32\drivers\aswSP.sys
2009-10-26 10:19 . 2009-09-15 11:55    20560    ----a-w-    c:\windows\system32\drivers\aswFsBlk.sys
2009-10-26 10:19 . 2009-09-15 11:53    97480    ----a-w-    c:\windows\system32\AvastSS.scr
2009-10-26 10:19 . 2009-09-15 11:59    1279968    ----a-w-    c:\windows\system32\aswBoot.exe
2009-10-26 10:19 . 2009-10-26 10:19    --------    d-----w-    c:\programmer\Alwil Software
2009-10-23 10:53 . 2009-10-26 10:50    3436986    ----a-r-    C:\ComboFix.exe
2009-10-22 18:05 . 2009-10-22 18:05    17625    ----a-w-    c:\windows\ugytyjydab.dat
2009-10-22 17:13 . 2009-10-22 17:13    --------    d-----w-    c:\documents and settings\Reception1\Application Data\Malwarebytes
2009-10-22 17:13 . 2009-10-22 17:13    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-21 13:59 . 2009-10-21 13:59    18006    ----a-w-    c:\windows\system32\vykeneh.com
2009-10-21 13:59 . 2009-10-21 13:59    11706    ----a-w-    c:\windows\system32\iryxojufu.com
2009-10-21 13:55 . 2009-10-22 15:38    42368    -c--a-w-    c:\windows\system32\dllcache\agp440.sys
2009-10-15 07:08 . 2008-10-16 12:06    208744    ----a-w-    c:\windows\system32\muweb.dll
2009-10-15 07:08 . 2008-10-16 12:06    268648    ----a-w-    c:\windows\system32\mucltui.dll
2009-10-14 08:24 . 2009-10-26 10:44    --------    d-----w-    c:\documents and settings\Reception1\Tracing
2009-10-14 08:24 . 2009-10-14 08:24    --------    d-----w-    c:\programmer\Microsoft
2009-10-14 08:24 . 2009-10-14 08:24    --------    d-----w-    c:\programmer\Windows Live SkyDrive
2009-10-14 08:23 . 2009-10-14 08:24    --------    d-----w-    c:\programmer\Windows Live
2009-10-14 08:16 . 2009-10-14 08:16    --------    d-----w-    c:\programmer\Fælles filer\Windows Live
2009-09-30 12:43 . 2009-09-30 12:43    278528    ----a-w-    c:\windows\system32\DSJPG.dll
2009-09-30 12:42 . 2009-09-30 12:42    279552    ----a-w-    c:\windows\system32\DSJPG_12Bit.dll

.
((((((((((((((((((((((((((((((((((((((((  Find3M Rapport  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-26 10:47 . 2008-06-18 14:33    47276    ----a-w-    c:\windows\system32\perfc006.dat
2009-10-26 10:47 . 2008-06-18 14:33    324960    ----a-w-    c:\windows\system32\perfh006.dat
2009-10-23 13:12 . 2009-10-23 13:12    15050    ----a-w-    c:\programmer\Fælles filer\anawyk.db
2009-10-21 13:59 . 2009-10-21 13:59    18879    ----a-w-    c:\programmer\Fælles filer\ryrewut.db
2009-10-21 13:59 . 2009-10-21 13:59    16445    ----a-w-    c:\programmer\Fælles filer\zobawot.db
2009-10-21 11:02 . 2008-11-05 14:07    --------    d-----w-    c:\programmer\DYMO Label
2009-10-20 12:39 . 2009-04-16 07:05    0    ----a-w-    c:\documents and settings\Reception1\temp.dat
2009-10-14 08:24 . 2009-05-07 10:28    18632    ----a-w-    c:\documents and settings\Reception1\Lokale indstillinger\Application Data\GDIPFONTCACHEV1.DAT
2009-10-01 06:02 . 2008-11-05 11:34    --------    d-----w-    c:\programmer\DentalSuite
2009-09-30 12:45 . 2009-05-18 10:15    282112    ----a-w-    c:\windows\MiniWeb.exe
2009-09-30 12:43 . 2009-05-18 10:15    144896    ----a-w-    c:\windows\system32\dsxml.dll
2009-09-30 12:43 . 2009-05-18 10:15    155648    ----a-w-    c:\windows\system32\dsibapi.dll
2009-09-30 12:42 . 2009-05-18 10:15    287232    ----a-w-    c:\windows\system32\DSPNG.dll
2009-09-30 12:42 . 2009-06-22 07:22    101888    ----a-w-    c:\windows\system32\ToolBox20.dll
2009-09-30 12:42 . 2009-05-18 10:15    109568    ----a-w-    c:\windows\system32\dszlib.dll
2009-09-11 14:19 . 2008-06-18 14:33    136192    ----a-w-    c:\windows\system32\msv1_0.dll
2009-09-04 21:04 . 2008-06-18 14:33    58880    ----a-w-    c:\windows\system32\msasn1.dll
2009-08-29 07:28 . 2008-06-18 14:33    832512    ------w-    c:\windows\system32\wininet.dll
2009-08-29 07:28 . 2008-06-18 14:33    78336    ----a-w-    c:\windows\system32\ieencode.dll
2009-08-29 07:28 . 2008-06-18 14:33    17408    ------w-    c:\windows\system32\corpol.dll
2009-08-26 08:02 . 2008-06-18 14:33    247326    ----a-w-    c:\windows\system32\strmdll.dll
2009-08-05 09:00 . 2008-06-18 14:33    204800    ----a-w-    c:\windows\system32\mswebdvd.dll
2009-08-04 17:29 . 2004-08-26 17:50    2026496    ------w-    c:\windows\system32\ntkrnlpa.exe
2009-08-04 17:29 . 2004-08-26 17:50    2147840    ------w-    c:\windows\system32\ntoskrnl.exe
.

(((((((((((((((((((((((((((((((((((  Start steder i reg.basen  ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Bemærk* tomme linier & lovlige standard linier vises ikke 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\programmer\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-11-08 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-11-08 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-11-08 137752]
"OfficeScanNT Monitor"="c:\programmer\Trend Micro\Client Server Security Agent\pccntmon.exe" [2007-03-29 394952]
"Easy-PrintToolBox"="c:\programmer\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"SunJavaUpdateSched"="c:\programmer\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-10-25 16855552]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2007-10-11 1826816]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Reception1\Menuen Start\Programmer\Start\
OpenOffice.org 3.0.lnk - c:\programmer\OpenOffice.org 3\program\quickstart.exe [2008-10-4 393216]

c:\documents and settings\All Users\Menuen Start\Programmer\Start\
Adobe Reader Hurtigstart.lnk - c:\programmer\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\programmer\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
SetWeb.lnk - c:\programmer\SetWeb\SetWeb.exe [2008-11-5 847872]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmer\\DentalSuite\\DentalSuite.exe"=
"c:\\Programmer\\DentalSuite\\VNC\\winvnc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmer\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [26-10-2009 11:19 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [26-10-2009 11:19 20560]
R2 TmFilter;Trend Micro Filter;c:\programmer\Trend Micro\Client Server Security Agent\tmxpflt.sys [16-08-2008 02:00 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\programmer\Trend Micro\Client Server Security Agent\tmpreflt.sys [16-08-2008 02:00 36368]
S3 cxbu0wdm;CardMan 3x21;c:\windows\system32\drivers\cxbu0wdm.sys [05-11-2008 14:17 52026]

--- Andre Services/Drivers i Hukommelsen ---

*Deregistered* - mbr
.
.
------- Yderligere scanning -------
.
uStart Page = dk.msn.com//
IE: Easy-WebPrint Add To Print List - c:\programmer\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\programmer\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\programmer\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\programmer\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
Trusted Zone: danid.dk
DPF: {9BBB3919-F518-4D06-8209-299FC243FC30} - hxxps://192.168.18.11:4343/SMB/console/html/root/AtxEnc.cab
DPF: {9DF01F00-08E7-4DBE-9070-94841463B3FE} - hxxps://danid.dk/csp/authenticode/csp.exe
DPF: {C07E5288-22FB-11D7-962E-0004AC77C761} - hxxps://activex.dataloen.dk/controls/Dataloen3341.CAB
DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} - hxxps://udstedelse.certifikat.tdc.dk/csp/authenticode/digitalsignatur-csp.exe
DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} - hxxps://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
.
- - - - TOMME GENVEJE FJERNET - - - -

HKLM-Run-restorer64_a - c:\windows\system32\restorer64_a.exe
HKLM-Run-77839034 - c:\docume~1\ALLUSE~1\APPLIC~1\77839034\77839034.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-26 11:56
Windows 5.1.2600 Service Pack 3 NTFS

scanner skjulte processer ... 

scanner skjulte autostarter ...

scanner skjulte filer ... 

scanning gennemført med succes
skjulte filer: 0

**************************************************************************
.
------------------------ Andre kørende processer ------------------------
.
c:\programmer\Alwil Software\Avast4\aswUpdSv.exe
c:\programmer\Alwil Software\Avast4\ashServ.exe
c:\combofix\CF8610.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\igfxsrvc.exe
c:\programmer\Java\jre6\bin\jqs.exe
c:\programmer\Trend Micro\Client Server Security Agent\ntrtscan.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
c:\programmer\Trend Micro\Client Server Security Agent\tmlisten.exe
c:\programmer\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
c:\programmer\OpenOffice.org 3\program\soffice.exe
c:\programmer\OpenOffice.org 3\program\soffice.bin
c:\programmer\Alwil Software\Avast4\ashMaiSv.exe
c:\programmer\Alwil Software\Avast4\ashWebSv.exe
c:\windows\TEMP\DEECE0.EXE
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Gennemført tid: 2009-10-26 12:00 - maskinen blev genstartet
ComboFix-quarantined-files.txt  2009-10-26 11:00
ComboFix2.txt  2009-10-23 12:35

Pre-Kørsel: 69.656.125.440 byte ledig
Post-Kørsel: 69.680.660.480 byte ledig

- - End Of File - - 7A52205E251BE30B6086830B7CBC8FF0
Avatar billede f-arn Guru
26. oktober 2009 - 17:41 #38
Smid den combofix du har væk.

Hent og gem Combofix på dit skrivebord:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe


Højreklik på skrivebordet og vælg ny->tekstdokument og kopier  indholdet mellem  linierne ind og gem filen som CFScript.txt

Du skal sikre dig at den ikke kommer til at hedde CFScript.txt.txt


--------------

[b]Killall::
Snapshot::

--------------

Da Combofix kan konflikte med din antivirus er det vigtigt at du deaktiverer den.

Tag så fat i den nye fil med musen, og før den hen over Combofix-filen, hvorefter du "giver slip" med musen.
http://www.fromsej.saknet.dk/billeder/cfscript.gif

Så skulle Combofix gerne give sig til at arbejde. Muligvis vil den kræve en genstart, hvilket du skal tillade. Du bør ikke klikke på vinduet imens værktøjet kører, idet det kan få din computer til at fryse.
Når Combofix er færdig, og efter det (muligvis) har genstartet, skulle der gerne åbnes en logfil combofix.txt som ligger her C:\Combofix.txt

Indholdet af denne fil må du gerne lægge herind.
Avatar billede crasser83 Praktikant
26. oktober 2009 - 18:22 #39
Ok. Jeg prøver igen. Det er bare det problem at jeg ikke kan deaktivere det antivirusprogram der kører. Den kræver simpelthen en kode jeg ikke har.
Desuden gemte jeg Combofix under denne computer da skrivebordet var fuldstændig i kluddermor og intet der var derpå kunne se eller aktiveres. Det er dog blevet bedre nu og alle de mærkelige reklamer er også forsvundet, selvom Avast når jeg installere det stadig finder virus hist og her. Jeg gentager processen i morgen ved en 11-tiden. Den var forresten gået i stå over weekenden og stod og blinkede med det blå vindue hvor der står scanner efter osv. Den nåede aldrig til "1. runde, 1. osv.
Avatar billede f-arn Guru
26. oktober 2009 - 18:58 #40
holt!!!!
Avatar billede f-arn Guru
26. oktober 2009 - 20:22 #41
Vi prøver på en lidt anden måde, Smid den combofix du har væk:

Hent og gem Combofix på dit skrivebord som alg.exe:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Start alg.exe og følg anvisningerne.

Så skulle Combofix gerne give sig til at arbejde. Muligvis vil den kræve en genstart, hvilket du skal tillade. Du bør ikke klikke

på vinduet imens værktøjet kører, idet det kan få din computer til at fryse.
Når Combofix er færdig, og efter det (muligvis) har genstartet, skulle der gerne åbnes en logfil combofix.txt som ligger her: C:\Combofix.txt

Indholdet af denne fil må du gerne lægge herind.
Avatar billede crasser83 Praktikant
28. oktober 2009 - 11:28 #42
Så er jeg tilbage på arbejdet og jeg har gjort som du bad om.

ComboFix 09-10-27.07 - Reception1 28-10-2009 11:22.3.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.45.1030.18.1015.477 [GMT 1:00]
Kører fra: c:\documents and settings\Reception1\Skrivebord\ComboFix.exe
AV: avast! antivirus 4.8.1356 [VPS 091027-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Trend Micro Client-Server Security Agent AntiVirus *On-access scanning enabled* (Updated) {9562DEF8-B4C4-4848-946E-F4F43834FB9F}
FW: Trend Micro Client-Server Security Agent Firewall *disabled* {9562DEF8-B4C4-4848-946E-F4F43834FB9F}

advarsel -DENNE MASKINE HAR IKKE GENOPRETTELSESKONSOL INSTALLERET !!
.

(((((((((((((((((((((((((((((  Filer skabt fra 2009-09-28 til 2009-10-28  )))))))))))))))))))))))))))))))))))
.

2009-10-26 14:40 . 2009-09-15 11:54    52368    ----a-w-    c:\windows\system32\drivers\aswTdi.sys
2009-10-26 14:40 . 2009-09-15 11:54    23152    ----a-w-    c:\windows\system32\drivers\aswRdr.sys
2009-10-26 14:40 . 2009-09-15 11:53    27408    ----a-w-    c:\windows\system32\drivers\aavmker4.sys
2009-10-26 14:40 . 2009-09-15 11:56    93424    ----a-w-    c:\windows\system32\drivers\aswmon.sys
2009-10-26 14:40 . 2009-09-15 11:56    94160    ----a-w-    c:\windows\system32\drivers\aswmon2.sys
2009-10-26 14:40 . 2009-09-15 11:55    114768    ----a-w-    c:\windows\system32\drivers\aswSP.sys
2009-10-26 14:40 . 2009-09-15 11:55    20560    ----a-w-    c:\windows\system32\drivers\aswFsBlk.sys
2009-10-26 14:40 . 2009-09-15 11:53    97480    ----a-w-    c:\windows\system32\AvastSS.scr
2009-10-26 14:40 . 2009-09-15 11:59    1279968    ----a-w-    c:\windows\system32\aswBoot.exe
2009-10-26 14:26 . 2009-10-26 14:26    --------    d-----w-    c:\programmer\DYMO Label
2009-10-26 10:19 . 2009-10-26 10:19    --------    d-----w-    c:\programmer\Alwil Software
2009-10-22 18:05 . 2009-10-22 18:05    17625    ----a-w-    c:\windows\ugytyjydab.dat
2009-10-22 17:13 . 2009-10-22 17:13    --------    d-----w-    c:\documents and settings\Reception1\Application Data\Malwarebytes
2009-10-22 17:13 . 2009-10-22 17:13    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-21 13:59 . 2009-10-21 13:59    18006    ----a-w-    c:\windows\system32\vykeneh.com
2009-10-21 13:59 . 2009-10-21 13:59    11706    ----a-w-    c:\windows\system32\iryxojufu.com
2009-10-21 13:55 . 2009-10-22 15:38    42368    -c--a-w-    c:\windows\system32\dllcache\agp440.sys
2009-10-15 07:08 . 2008-10-16 12:06    208744    ----a-w-    c:\windows\system32\muweb.dll
2009-10-15 07:08 . 2008-10-16 12:06    268648    ----a-w-    c:\windows\system32\mucltui.dll
2009-10-14 08:24 . 2009-10-26 15:07    --------    d-----w-    c:\documents and settings\Reception1\Tracing
2009-10-14 08:24 . 2009-10-14 08:24    --------    d-----w-    c:\programmer\Microsoft
2009-10-14 08:24 . 2009-10-14 08:24    --------    d-----w-    c:\programmer\Windows Live SkyDrive
2009-10-14 08:23 . 2009-10-14 08:24    --------    d-----w-    c:\programmer\Windows Live
2009-10-14 08:16 . 2009-10-14 08:16    --------    d-----w-    c:\programmer\Fælles filer\Windows Live
2009-09-30 12:43 . 2009-09-30 12:43    278528    ----a-w-    c:\windows\system32\DSJPG.dll
2009-09-30 12:42 . 2009-09-30 12:42    279552    ----a-w-    c:\windows\system32\DSJPG_12Bit.dll

.
((((((((((((((((((((((((((((((((((((((((  Find3M Rapport  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-26 15:10 . 2008-06-18 14:33    47276    ----a-w-    c:\windows\system32\perfc006.dat
2009-10-26 15:10 . 2008-06-18 14:33    324960    ----a-w-    c:\windows\system32\perfh006.dat
2009-10-23 13:12 . 2009-10-23 13:12    15050    ----a-w-    c:\programmer\Fælles filer\anawyk.db
2009-10-21 13:59 . 2009-10-21 13:59    18879    ----a-w-    c:\programmer\Fælles filer\ryrewut.db
2009-10-21 13:59 . 2009-10-21 13:59    16445    ----a-w-    c:\programmer\Fælles filer\zobawot.db
2009-10-20 12:39 . 2009-04-16 07:05    0    ----a-w-    c:\documents and settings\Reception1\temp.dat
2009-10-14 08:24 . 2009-05-07 10:28    18632    ----a-w-    c:\documents and settings\Reception1\Lokale indstillinger\Application Data\GDIPFONTCACHEV1.DAT
2009-10-01 06:02 . 2008-11-05 11:34    --------    d-----w-    c:\programmer\DentalSuite
2009-09-30 12:45 . 2009-05-18 10:15    282112    ----a-w-    c:\windows\MiniWeb.exe
2009-09-30 12:43 . 2009-05-18 10:15    144896    ----a-w-    c:\windows\system32\dsxml.dll
2009-09-30 12:43 . 2009-05-18 10:15    155648    ----a-w-    c:\windows\system32\dsibapi.dll
2009-09-30 12:42 . 2009-05-18 10:15    287232    ----a-w-    c:\windows\system32\DSPNG.dll
2009-09-30 12:42 . 2009-06-22 07:22    101888    ----a-w-    c:\windows\system32\ToolBox20.dll
2009-09-30 12:42 . 2009-05-18 10:15    109568    ----a-w-    c:\windows\system32\dszlib.dll
2009-09-11 14:19 . 2008-06-18 14:33    136192    ----a-w-    c:\windows\system32\msv1_0.dll
2009-09-04 21:04 . 2008-06-18 14:33    58880    ----a-w-    c:\windows\system32\msasn1.dll
2009-08-29 07:28 . 2008-06-18 14:33    832512    ------w-    c:\windows\system32\wininet.dll
2009-08-29 07:28 . 2008-06-18 14:33    78336    ----a-w-    c:\windows\system32\ieencode.dll
2009-08-29 07:28 . 2008-06-18 14:33    17408    ------w-    c:\windows\system32\corpol.dll
2009-08-26 08:02 . 2008-06-18 14:33    247326    ----a-w-    c:\windows\system32\strmdll.dll
2009-08-05 09:00 . 2008-06-18 14:33    204800    ----a-w-    c:\windows\system32\mswebdvd.dll
2009-08-04 17:29 . 2004-08-26 17:50    2026496    ------w-    c:\windows\system32\ntkrnlpa.exe
2009-08-04 17:29 . 2004-08-26 17:50    2147840    ------w-    c:\windows\system32\ntoskrnl.exe
.

(((((((((((((((((((((((((((((((((((  Start steder i reg.basen  ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Bemærk* tomme linier & lovlige standard linier vises ikke 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\programmer\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-11-08 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-11-08 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-11-08 137752]
"OfficeScanNT Monitor"="c:\programmer\Trend Micro\Client Server Security Agent\pccntmon.exe" [2007-03-29 394952]
"Easy-PrintToolBox"="c:\programmer\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"SunJavaUpdateSched"="c:\programmer\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-10-25 16855552]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2007-10-11 1826816]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Reception1\Menuen Start\Programmer\Start\
OpenOffice.org 3.0.lnk - c:\programmer\OpenOffice.org 3\program\quickstart.exe [2008-10-4 393216]

c:\documents and settings\All Users\Menuen Start\Programmer\Start\
Adobe Reader Hurtigstart.lnk - c:\programmer\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\programmer\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
SetWeb.lnk - c:\programmer\SetWeb\SetWeb.exe [2008-11-5 847872]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmer\\DentalSuite\\DentalSuite.exe"=
"c:\\Programmer\\DentalSuite\\VNC\\winvnc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmer\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [26-10-2009 15:40 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [26-10-2009 15:40 20560]
R2 TmFilter;Trend Micro Filter;c:\programmer\Trend Micro\Client Server Security Agent\tmxpflt.sys [16-08-2008 02:00 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\programmer\Trend Micro\Client Server Security Agent\tmpreflt.sys [16-08-2008 02:00 36368]
S3 cxbu0wdm;CardMan 3x21;c:\windows\system32\drivers\cxbu0wdm.sys [05-11-2008 14:17 52026]

--- Andre Services/Drivers i Hukommelsen ---

*NewlyCreated* - ASWUPDSV
*NewlyCreated* - AVAST!_ANTIVIRUS
*NewlyCreated* - AVAST!_MAIL_SCANNER
*NewlyCreated* - AVAST!_WEB_SCANNER
*Deregistered* - mbr
.
.
------- Yderligere scanning -------
.
uStart Page = dk.msn.com//
IE: Easy-WebPrint Add To Print List - c:\programmer\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\programmer\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\programmer\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\programmer\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
Trusted Zone: danid.dk
DPF: {9BBB3919-F518-4D06-8209-299FC243FC30} - hxxps://192.168.18.11:4343/SMB/console/html/root/AtxEnc.cab
DPF: {9DF01F00-08E7-4DBE-9070-94841463B3FE} - hxxps://danid.dk/csp/authenticode/csp.exe
DPF: {C07E5288-22FB-11D7-962E-0004AC77C761} - hxxps://activex.dataloen.dk/controls/Dataloen3341.CAB
DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} - hxxps://udstedelse.certifikat.tdc.dk/csp/authenticode/digitalsignatur-csp.exe
DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} - hxxps://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-28 11:25
Windows 5.1.2600 Service Pack 3 NTFS

scanner skjulte processer ... 

scanner skjulte autostarter ...

scanner skjulte filer ... 

scanning gennemført med succes
skjulte filer: 0

**************************************************************************
.
Gennemført tid: 2009-10-28 11:26
ComboFix-quarantined-files.txt  2009-10-28 10:26

Pre-Kørsel: 69.776.109.568 byte ledig
Post-Kørsel: 69.790.457.856 byte ledig

- - End Of File - - 13DF058F6288090E086ED514BA8892D4
Avatar billede crasser83 Praktikant
29. oktober 2009 - 00:12 #43
Desuden vil jeg lige høre om du kender en god, billig og effektiv antivirusprogram som jeg efterfølgende på computerne?
Avatar billede f-arn Guru
13. november 2009 - 18:31 #44
Beklager, du er da blevet glemt. Hvordan kører computeren? Der er lidt rester, men da der er gået så lang tid vil jeg gerne se en ny combolog lavet som her!

http://www.eksperten.dk/spm/890327#reply_7476130
Avatar billede crasser83 Praktikant
16. november 2009 - 01:18 #45
ok. :-)
Sender den på Torsdag når jeg er tilbage på arbejdet. Computeren kører fint og der er ikke nogen pop up af nogen slags.
Tak for din hjælp.
Avatar billede crasser83 Praktikant
19. november 2009 - 15:43 #46
Så lykkes det. Ogsp at få luket vores antivirusprogram midlkertidigt fra.

Her kommer den så:

ComboFix 09-11-18.07 - Reception1 19-11-2009 15:34.4.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.45.1030.18.1015.602 [GMT 1:00]
Kører fra: c:\documents and settings\Reception1\Skrivebord\alg.exe
AV: Trend Micro Client/Server Security Agent Antivirus *On-access scanning disabled* (Outdated) {9562DEF8-B4C4-4848-946E-F4F43834FB9F}
FW: Trend Micro Client-Server Security Agent Firewall *disabled* {9562DEF8-B4C4-4848-946E-F4F43834FB9F}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

advarsel -DENNE MASKINE HAR IKKE GENOPRETTELSESKONSOL INSTALLERET !!
.

(((((((((((((((((((((((((((((  Filer skabt fra 2009-10-19 til 2009-11-19  )))))))))))))))))))))))))))))))))))
.

2009-11-17 10:31 . 2009-11-17 10:31    --------    d-----w-    c:\documents and settings\Reception1\Lokale indstillinger\Application Data\Help
2009-10-29 17:29 . 2009-07-06 14:11    59920    ----a-w-    c:\windows\system32\drivers\tmactmon.sys
2009-10-29 17:29 . 2009-07-06 14:11    50704    ----a-w-    c:\windows\system32\drivers\tmevtmgr.sys
2009-10-29 17:29 . 2009-10-29 17:29    --------    d-----w-    C:\temp
2009-10-29 17:29 . 2009-10-29 17:29    --------    d-----w-    c:\documents and settings\All Users\Application Data\Trend Micro
2009-10-29 17:25 . 2009-11-02 07:04    50758    ----a-w-    c:\windows\system32\prfc0406.dat
2009-10-29 17:25 . 2009-11-02 07:04    335956    ----a-w-    c:\windows\system32\prfh0406.dat
2009-10-29 17:25 . 2009-10-29 17:25    --------    d-----w-    c:\windows\system32\log
2009-10-29 17:25 . 2009-07-15 17:37    89872    ----a-w-    c:\windows\system32\drivers\tmtdi.sys
2009-10-29 17:16 . 2009-10-29 17:16    152576    ----a-w-    c:\documents and settings\Reception1\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-26 14:26 . 2009-11-17 10:24    --------    d-----w-    c:\programmer\DYMO Label
2009-10-26 10:19 . 2009-10-26 10:19    --------    d-----w-    c:\programmer\Alwil Software
2009-10-22 18:05 . 2009-10-22 18:05    17625    ----a-w-    c:\windows\ugytyjydab.dat
2009-10-22 17:13 . 2009-10-22 17:13    --------    d-----w-    c:\documents and settings\Reception1\Application Data\Malwarebytes
2009-10-22 17:13 . 2009-10-22 17:13    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-21 13:59 . 2009-10-21 13:59    18006    ----a-w-    c:\windows\system32\vykeneh.com
2009-10-21 13:59 . 2009-10-21 13:59    11706    ----a-w-    c:\windows\system32\iryxojufu.com
2009-10-21 13:55 . 2009-10-22 15:38    42368    -c--a-w-    c:\windows\system32\dllcache\agp440.sys

.
((((((((((((((((((((((((((((((((((((((((  Find3M Rapport  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-19 14:30 . 2008-06-18 14:33    57722    ----a-w-    c:\windows\system32\perfc006.dat
2009-11-19 14:30 . 2008-06-18 14:33    357942    ----a-w-    c:\windows\system32\perfh006.dat
2009-11-19 09:24 . 2008-12-04 16:52    1    ----a-w-    c:\documents and settings\Reception1\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-17 08:30 . 2009-04-16 07:05    0    ----a-w-    c:\documents and settings\Reception1\temp.dat
2009-10-30 08:00 . 2008-11-05 11:34    --------    d-----w-    c:\programmer\DentalSuite
2009-10-29 17:29 . 2008-11-05 11:37    --------    d-----w-    c:\programmer\Trend Micro
2009-10-29 17:17 . 2008-11-05 13:18    --------    d-----w-    c:\programmer\Java
2009-10-28 13:17 . 2008-11-05 11:34    737280    ----a-w-    c:\windows\iun6002.exe
2009-10-28 13:17 . 2008-11-05 11:34    --------    d-----w-    c:\programmer\Firebird2
2009-10-23 13:12 . 2009-10-23 13:12    15050    ----a-w-    c:\programmer\Fælles filer\anawyk.db
2009-10-21 13:59 . 2009-10-21 13:59    18879    ----a-w-    c:\programmer\Fælles filer\ryrewut.db
2009-10-21 13:59 . 2009-10-21 13:59    16445    ----a-w-    c:\programmer\Fælles filer\zobawot.db
2009-10-14 08:24 . 2009-05-07 10:28    18632    ----a-w-    c:\documents and settings\Reception1\Lokale indstillinger\Application Data\GDIPFONTCACHEV1.DAT
2009-10-14 08:24 . 2009-10-14 08:23    --------    d-----w-    c:\programmer\Windows Live
2009-10-14 08:24 . 2009-10-14 08:24    --------    d-----w-    c:\programmer\Microsoft
2009-10-14 08:24 . 2009-10-14 08:24    --------    d-----w-    c:\programmer\Windows Live SkyDrive
2009-10-14 08:16 . 2009-10-14 08:16    --------    d-----w-    c:\programmer\Fælles filer\Windows Live
2009-10-08 17:04 . 2009-02-03 19:31    282112    ----a-w-    c:\windows\MiniWeb.exe
2009-10-08 17:02 . 2009-10-08 17:02    278528    ----a-w-    c:\windows\system32\DSJPG.dll
2009-10-08 17:02 . 2009-02-03 19:31    144896    ----a-w-    c:\windows\system32\dsxml.dll
2009-10-08 17:02 . 2009-09-19 14:28    260096    ----a-w-    c:\windows\system32\TMDGUI20.dll
2009-10-08 17:02 . 2009-09-19 14:28    155648    ----a-w-    c:\windows\system32\dsibapi.dll
2009-10-08 17:02 . 2009-10-08 17:02    279552    ----a-w-    c:\windows\system32\DSJPG_12Bit.dll
2009-10-08 17:02 . 2009-09-19 14:22    287232    ----a-w-    c:\windows\system32\DSPNG.dll
2009-10-08 17:01 . 2009-09-13 10:22    109568    ----a-w-    c:\windows\system32\dszlib.dll
2009-10-08 17:01 . 2009-09-13 10:22    101888    ----a-w-    c:\windows\system32\ToolBox20.dll
2009-09-11 14:19 . 2008-06-18 14:33    136192    ----a-w-    c:\windows\system32\msv1_0.dll
2009-09-04 21:04 . 2008-06-18 14:33    58880    ----a-w-    c:\windows\system32\msasn1.dll
2009-08-29 07:28 . 2008-06-18 14:33    832512    ------w-    c:\windows\system32\wininet.dll
2009-08-29 07:28 . 2008-06-18 14:33    78336    ----a-w-    c:\windows\system32\ieencode.dll
2009-08-29 07:28 . 2008-06-18 14:33    17408    ------w-    c:\windows\system32\corpol.dll
2009-08-26 08:02 . 2008-06-18 14:33    247326    ----a-w-    c:\windows\system32\strmdll.dll
.

(((((((((((((((((((((((((((((  SnapShot@2009-10-28_10.25.33  )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-19 14:26 . 2009-11-19 14:26    16384              c:\windows\temp\Perflib_Perfdata_584.dat
+ 2006-05-09 08:50 . 2009-08-06 18:24    44768              c:\windows\system32\wups2.dll
+ 2008-06-18 12:46 . 2009-08-06 18:24    35552              c:\windows\system32\wups.dll
+ 2008-06-18 12:46 . 2009-08-06 18:24    53472              c:\windows\system32\wuauclt.exe
- 2008-11-06 18:00 . 2009-05-26 11:40    17784              c:\windows\system32\spmsg.dll
+ 2008-11-06 18:00 . 2008-07-08 13:00    17784              c:\windows\system32\spmsg.dll
+ 2009-11-13 06:47 . 2009-08-06 18:24    44768              c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
+ 2009-11-13 06:47 . 2009-08-06 18:24    35552              c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 2008-06-18 14:33 . 2009-11-19 14:30    43610              c:\windows\system32\perfc009.dat
+ 2008-06-18 12:46 . 2009-08-06 18:24    35552              c:\windows\system32\dllcache\wups.dll
+ 2008-06-18 12:46 . 2009-08-06 18:24    53472              c:\windows\system32\dllcache\wuauclt.exe
+ 2008-06-18 14:33 . 2009-08-06 18:24    96480              c:\windows\system32\dllcache\cdm.dll
+ 2009-02-03 19:31 . 1998-07-28 10:53    12288              c:\windows\system32\Dgtscan.dll
- 2009-05-18 10:15 . 2007-12-05 13:37    12288              c:\windows\system32\Dgtscan.dll
+ 2009-02-03 19:31 . 1999-03-30 01:10    18432              c:\windows\system32\Commsc32.dll
- 2009-05-18 10:15 . 2007-12-05 13:37    18432              c:\windows\system32\Commsc32.dll
- 2009-05-18 10:15 . 2007-12-05 13:37    43520              c:\windows\system32\Cdrvxf32.dll
+ 2009-02-03 19:31 . 1999-03-30 01:10    43520              c:\windows\system32\Cdrvxf32.dll
- 2009-05-18 10:15 . 2007-12-05 13:37    32256              c:\windows\system32\Cdrvhf32.dll
+ 2009-02-03 19:31 . 1999-03-30 01:10    32256              c:\windows\system32\Cdrvhf32.dll
- 2009-05-18 10:15 . 2007-12-05 13:37    31232              c:\windows\system32\Cdrvdl32.dll
+ 2009-02-03 19:31 . 1999-03-30 01:09    31232              c:\windows\system32\Cdrvdl32.dll
+ 2008-06-18 14:33 . 2009-08-06 18:24    96480              c:\windows\system32\cdm.dll
+ 2008-06-18 12:46 . 2009-08-06 18:24    209632              c:\windows\system32\wuweb.dll
+ 2008-06-18 12:46 . 2009-08-06 18:24    327896              c:\windows\system32\wucltui.dll
+ 2008-06-18 12:46 . 2009-08-06 18:23    575704              c:\windows\system32\wuapi.dll
+ 2008-06-18 14:33 . 2009-11-19 14:30    322734              c:\windows\system32\perfh009.dat
+ 2009-10-15 07:08 . 2009-08-06 18:23    215920              c:\windows\system32\muweb.dll
+ 2009-10-15 07:08 . 2009-08-06 18:23    274288              c:\windows\system32\mucltui.dll
+ 2009-10-29 17:17 . 2009-07-25 04:23    149280              c:\windows\system32\javaws.exe
+ 2009-10-29 17:17 . 2009-07-25 04:23    145184              c:\windows\system32\javaw.exe
+ 2009-10-29 17:17 . 2009-07-25 04:23    145184              c:\windows\system32\java.exe
- 2008-06-18 14:39 . 2009-10-15 07:06    114968              c:\windows\system32\FNTCACHE.DAT
+ 2008-06-18 14:39 . 2009-11-13 06:44    114968              c:\windows\system32\FNTCACHE.DAT
+ 2008-11-05 11:38 . 2009-07-06 14:11    158224              c:\windows\system32\drivers\tmcomm.sys
+ 2007-03-22 08:54 . 2009-07-15 17:37    339984              c:\windows\system32\drivers\TM_CFW.sys
+ 2008-06-18 12:46 . 2009-08-06 18:24    209632              c:\windows\system32\dllcache\wuweb.dll
+ 2008-06-18 12:46 . 2009-08-06 18:24    327896              c:\windows\system32\dllcache\wucltui.dll
+ 2008-06-18 12:46 . 2009-08-06 18:23    575704              c:\windows\system32\dllcache\wuapi.dll
+ 2008-11-05 13:18 . 2009-07-25 04:23    411368              c:\windows\system32\deploytk.dll
+ 2009-11-03 15:00 . 2009-05-26 11:40    394616              c:\windows\ie7updates\KB976749-IE7\spuninst\updspapi.dll
+ 2009-11-03 15:00 . 2009-05-26 11:40    232824              c:\windows\ie7updates\KB976749-IE7\spuninst\spuninst.exe
+ 2008-06-18 12:46 . 2009-08-06 18:23    1929952              c:\windows\system32\wuaueng.dll
+ 2008-06-18 14:33 . 2009-08-14 15:15    1850624              c:\windows\system32\win32k.sys
+ 2008-06-18 14:33 . 2009-10-21 04:07    3598336              c:\windows\system32\mshtml.dll
- 2008-06-18 14:33 . 2009-08-29 07:28    3598336              c:\windows\system32\mshtml.dll
+ 2008-06-18 12:46 . 2009-08-06 18:23    1929952              c:\windows\system32\dllcache\wuaueng.dll
+ 2008-11-07 07:08 . 2009-08-14 15:15    1850624              c:\windows\system32\dllcache\win32k.sys
+ 2008-06-18 14:33 . 2009-10-21 04:07    3598336              c:\windows\system32\dllcache\mshtml.dll
- 2008-06-18 14:33 . 2009-08-29 07:28    3598336              c:\windows\system32\dllcache\mshtml.dll
+ 2009-11-03 15:00 . 2009-08-29 07:28    3598336              c:\windows\ie7updates\KB976749-IE7\mshtml.dll
+ 2008-11-10 16:41 . 2009-11-05 17:36    26768832              c:\windows\system32\MRT.exe
.
-- Snapshot sat til dags dato --
.
(((((((((((((((((((((((((((((((((((  Start steder i reg.basen  ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Bemærk* tomme linier & lovlige standard linier vises ikke 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-11-08 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-11-08 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-11-08 137752]
"OfficeScanNT Monitor"="c:\programmer\Trend Micro\Client Server Security Agent\pccntmon.exe" [2009-10-08 943400]
"Easy-PrintToolBox"="c:\programmer\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"SunJavaUpdateSched"="c:\programmer\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"OE"="c:\programmer\Trend Micro\Client Server Security Agent\TMAS_OE\TMAS_OEMon.exe" [2009-08-31 492808]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-10-25 16855552]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2007-10-11 1826816]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Reception1\Menuen Start\Programmer\Start\
OpenOffice.org 3.0.lnk - c:\programmer\OpenOffice.org 3\program\quickstart.exe [2008-10-4 393216]

c:\documents and settings\All Users\Menuen Start\Programmer\Start\
Adobe Reader Hurtigstart.lnk - c:\programmer\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\programmer\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
SetWeb.lnk - c:\programmer\SetWeb\SetWeb.exe [2008-11-5 847872]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmer\\DentalSuite\\DentalSuite.exe"=
"c:\\Programmer\\DentalSuite\\VNC\\winvnc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmer\\Windows Live\\Messenger\\msnmsgr.exe"=

R2 TmPreFilter;Trend Micro PreFilter;c:\programmer\Trend Micro\Client Server Security Agent\tmpreflt.sys [16-08-2008 02:00 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [22-03-2007 09:54 339984]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [29-10-2009 18:29 50704]
S2 TmFilter;Trend Micro Filter;c:\programmer\Trend Micro\Client Server Security Agent\tmxpflt.sys [16-08-2008 02:00 230928]
S3 cxbu0wdm;CardMan 3x21;c:\windows\system32\drivers\cxbu0wdm.sys [05-11-2008 14:17 52026]
S3 TmPfw;Trend Micro Client/Server Security Agent Personal Firewall;c:\programmer\Trend Micro\Client Server Security Agent\TmPfw.exe [29-10-2009 18:25 497008]
S3 TmProxy;Trend Micro Client/Server Security Agent Proxy Service;c:\programmer\Trend Micro\Client Server Security Agent\TmProxy.exe [29-10-2009 18:25 689416]

--- Andre Services/Drivers i Hukommelsen ---

*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
.
------- Yderligere scanning -------
.
uStart Page = dk.msn.com//
IE: Easy-WebPrint Add To Print List - c:\programmer\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\programmer\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\programmer\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\programmer\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
Trusted Zone: danid.dk
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\programmer\Trend Micro\Client Server Security Agent\bho\1003\TmIEPlg.dll
DPF: {9BBB3919-F518-4D06-8209-299FC243FC30} - hxxps://192.168.18.11:4343/SMB/console/html/root/AtxEnc.cab
DPF: {9DF01F00-08E7-4DBE-9070-94841463B3FE} - hxxps://danid.dk/csp/authenticode/csp.exe
DPF: {C07E5288-22FB-11D7-962E-0004AC77C761} - hxxps://activex.dataloen.dk/controls/Dataloen3341.CAB
DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} - hxxps://udstedelse.certifikat.tdc.dk/csp/authenticode/digitalsignatur-csp.exe
DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} - hxxps://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-19 15:39
Windows 5.1.2600 Service Pack 3 NTFS

scanner skjulte processer ... 

scanner skjulte autostarter ...

scanner skjulte filer ... 

scanning gennemført med succes
skjulte filer: 0

**************************************************************************
.
Gennemført tid: 2009-11-19 15:40
ComboFix-quarantined-files.txt  2009-11-19 14:40

Pre-Kørsel: 69.375.778.816 byte ledig
Post-Kørsel: 69.703.368.704 byte ledig

- - End Of File - - FAED57CC7D0DAD477EF47D0A982AB17E
Avatar billede f-arn Guru
20. november 2009 - 07:22 #47
Slet disse manuelt:

c:\windows\ugytyjydab.dat
c:\windows\system32\vykeneh.com
c:\windows\system32\iryxojufu.com
c:\programmer\Fælles filer\anawyk.db
c:\programmer\Fælles filer\ryrewut.db
c:\programmer\Fælles filer\zobawot.db


Prøv så at køre denne online skanner for at se om den finder flere rester. Du skal også her slå din  antivirus fra. Lad mig vide hvad den siger.

http://www.eset.com/onlinescan/index.php
Avatar billede crasser83 Praktikant
20. november 2009 - 14:49 #48
Ok, det gør jeg når jeg er der på Mandag. Hold øjnene åbne. :-)
Avatar billede f-arn Guru
20. november 2009 - 14:58 #49
Ok :)
Avatar billede crasser83 Praktikant
25. november 2009 - 00:53 #50
Det bliver først torsdag, da jeg ikke har været på klinikken før alligevel.
Avatar billede f-arn Guru
25. november 2009 - 01:07 #51
Jeg er her nok "osse" torsdag :)
Avatar billede crasser83 Praktikant
26. november 2009 - 16:46 #52
Den siger no virus found, men er MEGET hurtig overstået. 0,0Dek. NB. Første gang den gjorde det gik den galt med "unexpeted error"...
Avatar billede crasser83 Praktikant
26. november 2009 - 16:54 #53
ps. filerne er fundet og fjernet.
Avatar billede f-arn Guru
26. november 2009 - 17:07 #54
Så prøv dennne:
http://security.symantec.com/sscv6/ssc_EULA.asp?langid=ie&venid=sym&plfid=23&pkj=QIZCGVRVRMNRYBXUQIZ&vc_scanstate=2&bhcp=1

Deaktiver din antivirus og lad den downloade det den skal bruge.
Avatar billede crasser83 Praktikant
26. november 2009 - 17:38 #55
Den virker og er i gang.... Skriver ASAP
Avatar billede crasser83 Praktikant
26. november 2009 - 17:59 #56
Det er et godt tegn ikk? :-)


Virus status: SAFE!

Your computer is free of known threats.

51257 files scanned, 0 file(s) infected on your disk drives.

No viruses were detected in memory

Your computer is free of known threats.  Virus Detection does not check compressed files.

Your computer appears safe for now.  For real-time protection from viruses, hackers and privacy threats, upgrade to Norton Internet Security™.
Avatar billede f-arn Guru
26. november 2009 - 19:08 #57
Jo - jeg tror ikke der er mere, men prøv at sætte jeres egen antivirus til at lave en fuld system skanning. Det kan jo være den kan finde lidt.
Avatar billede crasser83 Praktikant
26. november 2009 - 19:33 #58
ok mange tak! Vil du have dine velfortjente point? :)
Avatar billede f-arn Guru
26. november 2009 - 20:30 #59
Desuden vil jeg lige høre om du kender en god, billig og effektiv antivirusprogram som jeg efterfølgende på computerne?

Det ved jeg ikke rigtig, men det er jo klart at jeres nuværende ikke var særligt effektivt. Hvor mange computere skal det bruges til?

Klik start, kør og kopier dettte: combofix /uninstall
Tryk enter
Det vil fjerne Combofix og nulstille urets indstillinger.
Nulstille systemgendannelsen.
Skjule filtypenavne hvis det kræves.
Skjule System/skjulte filer hvis det kræves
Avatar billede crasser83 Praktikant
27. november 2009 - 08:51 #60
Vi har fået opgraderet vores antivirus/antimalware program så det nu er helt i orden, ellers tak.

MANGE, MANGE, MANGE TAK FOR HJÆLPEN!

VÆRSGO!
Avatar billede f-arn Guru
27. november 2009 - 09:14 #61
Takker for point, men må jeg for sjovs skyld høre hvad i valgte?
Avatar billede Ny bruger Nybegynder

Din løsning...

Tilladte BB-code-tags: [b]fed[/b] [i]kursiv[/i] [u]understreget[/u] Web- og emailadresser omdannes automatisk til links. Der sættes "nofollow" på alle links.

Loading billede Opret Preview
Kategori
IT-kurser om Microsoft 365, sikkerhed, personlig vækst, udvikling, digital markedsføring, grafisk design, SAP og forretningsanalyse.

Log ind eller opret profil

Hov!

For at kunne deltage på Computerworld Eksperten skal du være logget ind.

Det er heldigvis nemt at oprette en bruger: Det tager to minutter og du kan vælge at bruge enten e-mail, Facebook eller Google som login.

Du kan også logge ind via nedenstående tjenester