[Closed] Date and time suddenly changed to 12 April 2016. What to do?


This topic is locked. 13 replies to this topic.

#1 jockaio (New Member, Authentic Member, 15 posts)

Posted 19 November 2009 - 12:35 PM

Hello! Yesterday when I was using my computer it suddenly changed date and time without warning. Half an hour before it did that, explorer.exe crashed and had to be restarted. That has never happened before. While explorer was restarting it looked like something was installed which was added to the folder "C:\SUD". But when I look in C:\ I can't find a folder with that name. When I googled "april 12 2016" this forum came up and I saw that someone had the same problem as me. I tried to read and follow all the instructions but I somehow got lost in the thread. I downloaded and ran both "dds.scr" and "rootrepeal.exe". I have saved all the reports to my desktop. After that is where I got lost. I would be very happy if someone could tell me what the next step is. I really want to get rid of this malware or whatever you call it without reinstalling the whole computer... So please help me :blush: Thank you. Joakim



#2 SweetTech (MalwareTeam Emeritus, Authentic Member, 3,368 posts)

Posted 19 November 2009 - 04:30 PM

Hello jockaio! Welcome to WTT Forums! :wavey:

My name is SweetTech. I would be glad to take a look at your log and help you with solving any malware problems. The logs from our tools can take a while to research, so please be patient and I'd be grateful if you would note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
Please do not delete anything unless instructed to.

Please be advised, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice.
This may cause a delay, but I will do my best to keep it as short as possible.

I am checking over your log , I will post back shortly with instructions.

Proud Graduate of the WTT Classroom

#3 jockaio (New Member, Authentic Member, 15 posts)

Posted 20 November 2009 - 02:39 AM

Hello SweetTech! I am very grateful that you have taken the time to help me. I will do the best I can to follow your instructions. Thank you very much!

#4 SweetTech (MalwareTeam Emeritus, Authentic Member, 3,368 posts)

Posted 20 November 2009 - 10:42 AM

Before following the instructions below can you please attempt to change the clock back to the correct date and time?

Re-Scanning with DDS
Please re-run DDS by sUBs.
Make sure to pay attention to the directions below:
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by doing the following:
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on the insert button (shown as an image in the original post) to insert the attachment into your post
Scanning with GMER
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


Please make sure you include the following items in your next post:
1. The logs that were produced after running DDS.
2. The log that was produced after running GMER.


#5 jockaio (New Member, Authentic Member, 15 posts)

Posted 21 November 2009 - 10:20 AM

OK, all the scans are finished. Here are the results.

DDS.txt:


DDS (Ver_09-10-26.01) - NTFSx86
Run by Joakim at 13:18:50,56 on 2009-11-21
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.1014.621 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\eManager\anbmServ.exe
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program\Bonjour\mDNSResponder.exe
C:\Program\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program\Atheros\ACU.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVE.EXE
C:\Program\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\bcd3kcpan.exe
C:\Program\Delade filer\Nokia\MPlatform\NokiaMServer.exe
C:\Program\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Joakim\Skrivbord\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local;<local>
BHO: Windows Live inloggningshjälpen: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program\delade filer\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [ACU] c:\program\atheros\ACU.exe -nogui
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SynTPLpr] c:\program\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program\synaptics\syntp\SynTPEnh.exe
mRun: [EPSON Stylus DX5000 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatibve.exe /fu "c:\windows\temp\E_SCF.tmp" /EF "HKLM"
mRun: [QuickTime Task] "c:\program\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program\itunes\iTunesHelper.exe"
mRun: [BCD3000] %SystemRoot%\system32\bcd3kcpan.exe
mRun: [NokiaMServer] c:\program\delade filer\nokia\mplatform\NokiaMServer /watchfiles
mRun: [NokiaMusic FastStart] "c:\program\nokia\nokia music\NokiaMusic.exe" /command:faststart
mRun: [AdobeCS4ServiceManager] "c:\program\delade filer\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [SunJavaUpdateSched] "c:\program\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Save YouTube Video as MP3 - c:\program\delade filer\dvdvideosoft\dll\IEContextMenuY.dll/scriptY2MP3.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1246127144390
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program\delade~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {67KLN5J0-4OPM-01WE-AAX2-5657QCA554112} - c:\sud\ssow\sep.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joakim\applic~1\mozilla\firefox\profiles\q5lqbj6p.default\
FF - component: c:\program\delade filer\dvdvideosoft\dll\ffcontextmenuy\components\FFContextMenu.dll
FF - plugin: c:\documents and settings\joakim\lokala instã¤llningar\application data\myvrnpapi\npmyvr.dll
FF - plugin: c:\program\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program\veetle\player\npvlc.dll
FF - plugin: c:\program\veetle\plugins\npVeetle.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program\mozilla firefox\greprefs\all.js - pref("browser.visited_color", "#551A8B");
c:\program\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");
c:\program\mozilla firefox\defaults\pref\firefox.js - pref("browser.videoFeeds.handler", "ask");

============= SERVICES / DRIVERS ===============

R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2003-4-24 14336]
R2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2005-3-4 8704]
R2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2005-1-14 4010]
S3 BCD3000;Behringer BCD3000 V1.1.2.0;c:\windows\system32\drivers\BCD3000.SYS [2009-8-10 42496]
S3 BCD3000WDM;Behringer BCD3000WDM V1.1.2.0;c:\windows\system32\drivers\BCD3000WDM.SYS [2009-8-10 21600]
S3 kwwalpgr;kwwalpgr;c:\docume~1\joakim\lokala~1\temp\kwwalpgr.sys [2003-3-2 31232]

=============== Created Last 30 ================

2009-11-12 22:50:19 0 d-sh--r- C:\SUD
2009-11-12 17:46:25 14385 ----a-w- c:\documents and settings\joakim\.recently-used.xbel
2009-11-07 01:30:23 0 d-----w- c:\program\Hasbro
2009-11-03 23:19:43 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-11-03 23:19:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-11-03 23:14:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Nokia

==================== Find3M ====================

2009-11-14 13:55:25 443186 ----a-w- c:\windows\system32\perfh01D.dat
2009-11-14 13:55:24 82334 ----a-w- c:\windows\system32\perfc01D.dat
2009-10-11 03:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-11 14:19:53 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:05:41 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:00:24 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:02:18 247326 ----a-w- c:\windows\system32\strmdll.dll

============= FINISH: 13:19:44,56 ===============


GMER.txt:

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-21 17:08:42
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Joakim\LOKALA~1\Temp\kfpyiaow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.15 ----

Attach.txt:

Attached File: Attach.txt (11.86KB)

Thank you once again for helping me out. Just want to point out that from what I understand you didn't post any link on where to download GMER. It was no stress, I searched the forum and downloaded it anyway. I hope I did everything correctly.

Talk to you soon! :)
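The DDS report above contains the three indicators a malware-removal helper would flag on sight: a kernel driver (kwwalpgr.sys) registered as a service from the user's Temp folder, a freshly created hidden+system directory (C:\SUD), and an Active Setup entry whose "GUID" contains non-hexadecimal characters and points into that directory. The following script is an added example, not part of this thread and not code from the DDS tool; it re-implements nothing of DDS and only scans lines in the DDS formats shown above. SAMPLE_LOG is constructed from lines copied out of the report; the regular expressions and the triage() function are the example's own assumptions about those line layouts.

```python
"""Triage helpers for DDS-style log lines (added example, not from DDS)."""
import re

# Lines constructed from the DDS report posted in this thread.
# Three DDS layouts appear: service/driver lines, "Created Last 30" lines
# and Active Setup ("mASetup:") lines.
SAMPLE_LOG = r"""
R2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2005-3-4 8704]
S3 kwwalpgr;kwwalpgr;c:\docume~1\joakim\lokala~1\temp\kwwalpgr.sys [2003-3-2 31232]
2009-11-12 22:50:19 0 d-sh--r- C:\SUD
2009-11-07 01:30:23 0 d-----w- c:\program\Hasbro
mASetup: {67KLN5J0-4OPM-01WE-AAX2-5657QCA554112} - c:\sud\ssow\sep.exe
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
"""

# "<state> <name>;<display name>;<image path> [<date> <size>]"
SERVICE_RE = re.compile(r"^[RS]\d\s+[^;]+;[^;]+;(?P<path>[^\[]+?)\s+\[")
# "<date> <time> <size> <attrs> <path>"; attrs are 8 flag characters,
# e.g. "d-sh--r-" = directory, system, hidden, read-only
CREATED_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$"
)
# "mASetup: {<guid>} - <path>"
ASETUP_RE = re.compile(r"^mASetup:\s+\{(?P<guid>[^}]+)\}\s+-\s+(?P<path>.+)$")
# A well-formed GUID is 8-4-4-4-12 hexadecimal digits; anything else
# in an Active Setup key was typed by a human (or a malware author).
GUID_RE = re.compile(
    r"^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}$"
)
# A legitimate kernel driver is not loaded out of a Temp directory.
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def triage(log_text):
    """Return a list of (indicator, detail) tuples for suspicious lines."""
    findings = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            path = m.group("path").strip()
            if TEMP_RE.search(path):
                findings.append(("driver-in-temp", path))
            continue
        m = CREATED_RE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path").strip()
            # New directory carrying both the system and hidden attributes
            if attrs[0] == "d" and "s" in attrs and "h" in attrs:
                findings.append(("hidden-system-dir", path))
            continue
        m = ASETUP_RE.match(line)
        if m:
            guid, path = m.group("guid"), m.group("path").strip()
            if not GUID_RE.match(guid):
                findings.append(("malformed-guid", "{%s} -> %s" % (guid, path)))
            continue
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print("%-18s %s" % (kind, detail))
```

Run against the sample it reports exactly the three entries the helper later asks about; feed it a full DDS.txt and the same three rules apply to every service, "Created Last 30" and mASetup line in the file. The rules are deliberately narrow: they flag placement and malformed identifiers, which the rest of this thread confirms by other means (the VirusTotal check and ComboFix), rather than guessing at a file's intent from its name.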

#6 SweetTech (MalwareTeam Emeritus, Authentic Member, 3,368 posts)

Posted 22 November 2009 - 11:08 AM

Please do the following:
  • Double-click My Computer.
  • Click the Tools menu, and then click Folder Options.
  • Click the View tab.
  • Uncheck "Hide file extensions for known file types."
  • Under the "Hidden files" folder, select "Show hidden files and folders."
  • Uncheck "Hide protected operating system files."
  • Click Apply, and then click OK.

Please go to: VirusTotal
  • Click the Browse button and search for the following file: c:\docume~1\joakim\lokala~1\temp\kwwalpgr.sys
  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.
If it says already scanned -- click "reanalyze now"

Please post the results in your next reply

Running ComboFix
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message confirming this (shown as an image in the original post).
  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the following items in your next post:
1. The results of the VirusTotal scan.
2. The log that was produced after running ComboFix.
3. An update on the status of your computer.


#7 jockaio (New Member, Authentic Member, 15 posts)

Posted 23 November 2009 - 05:09 PM

Hey!

Here are the results from VirusTotal scan:

Fil kwwalpgr.sys mottagen 2009.11.23 22:33:47 (UTC)
Närvarande status: Laddar ... köad väntar söker genomförd EJ FUNNEN STOPPAD
Resultat: 0/40 (0%)
Laddar server information...
Din fil är köad i position: 3.
Uppskattat starttid är mellan 60 och 85 sekunder.
Stäng inte ner detta fönster förens sökningen är genomförd.
Scannern som arbetade med din fil har stoppat, vi kommer att vänta ett par sekunder för att försöka återställa ditt resultat.
Om du väntar i mer än 5 minuter måste du skicka in din fil igen.
Din fil blir genomsökt av VirusTotal för tillfället,
resultat kommer att visas när de är klara.
Din fil har upphört eller existerar inte.
Tjänsten är stoppad för tillfället, din fil väntar på att bli genomsökt (position: ) för en obestämd tid.

Du kan vänta på ett svar (automatisk uppdatering) eller ange din email i formuläret nedan och klicka "begär" så kommer systemet att skicka dig ett email när sökningen är genomförd.
Email:

Antivirus Version Senaste Uppdatering Resultat
a-squared 4.5.0.43 2009.11.23 -
AhnLab-V3 5.0.0.2 2009.11.23 -
AntiVir 7.9.1.70 2009.11.23 -
Antiy-AVL 2.0.3.7 2009.11.23 -
Authentium 5.2.0.5 2009.11.23 -
Avast 4.8.1351.0 2009.11.23 -
AVG 8.5.0.425 2009.11.23 -
BitDefender 7.2 2009.11.23 -
CAT-QuickHeal 10.00 2009.11.23 -
ClamAV 0.94.1 2009.11.23 -
Comodo 3013 2009.11.23 -
DrWeb 5.0.0.12182 2009.11.23 -
eSafe 7.0.17.0 2009.11.23 -
eTrust-Vet 35.1.7137 2009.11.23 -
F-Prot 4.5.1.85 2009.11.23 -
Fortinet 3.120.0.0 2009.11.23 -
GData 19 2009.11.23 -
Ikarus T3.1.1.74.0 2009.11.23 -
Jiangmin 11.0.800 2009.11.23 -
K7AntiVirus 7.10.903 2009.11.23 -
Kaspersky 7.0.0.125 2009.11.23 -
McAfee 5811 2009.11.23 -
McAfee+Artemis 5811 2009.11.23 -
McAfee-GW-Edition 6.8.5 2009.11.23 -
Microsoft 1.5302 2009.11.23 -
NOD32 4631 2009.11.23 -
Norman 6.03.02 2009.11.23 -
nProtect 2009.1.8.0 2009.11.23 -
Panda 10.0.2.2 2009.11.23 -
PCTools 7.0.3.5 2009.11.23 -
Prevx 3.0 2009.11.23 -
Rising 22.23.00.09 2009.11.23 -
Sophos 4.47.0 2009.11.23 -
Sunbelt 3.2.1858.2 2009.11.23 -
Symantec 1.4.4.12 2009.11.23 -
TheHacker 6.5.0.2.076 2009.11.23 -
TrendMicro 9.0.0.1003 2009.11.23 -
VBA32 3.12.12.0 2009.11.22 -
ViRobot 2009.11.23.2049 2009.11.23 -
VirusBuster 5.0.21.0 2009.11.23 -
Övrig information
File size: 31232 bytes
MD5...: 9e902ad0e29f342f0b145466044ff7a0
SHA1..: 50a3de5696e511cac27c09a6e697161b1a30a349
SHA256: 9a3d48e334982d203b80a45f0a67e4b9f6ec7926fb83cddfc477a73790cdfbdf
ssdeep: 384:sV7BL971Vf57q9rbZuXI8woZFnXnKRtrMrv6ATCptii6wJ7PHFI8V9I7gAy:sVDfex8naRtr1S2q80R
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1fb0
timedatestamp.....: 0x4395b421 (Tue Dec 06 15:54:09 2005)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x5f38 0x6000 5.97 071dbff74d11b1d59bacccd448acbe41
.rdata 0x7000 0x4f4 0x600 4.66 57f17eea5efed6557c713575ec96af96
.data 0x8000 0xb78 0x200 0.10 d0a0a7e2f73d139162bee2a3160d89ab
INIT 0x9000 0x694 0x800 4.72 975ec054cd51f4473e16ff3368b82968
.reloc 0xa000 0x488 0x600 5.49 b3f830bd075673cb5644d434ea3ee002

( 2 imports )
> ntoskrnl.exe: ExAllocatePoolWithTag, IoGetDeviceObjectPointer, RtlInitUnicodeString, ObfDereferenceObject, ZwClose, ZwReadFile, ZwQueryInformationFile, ZwCreateFile, IoRegisterDriverReinitialization, IofCompleteRequest, IoUnregisterPlugPlayNotification, KeSetEvent, DbgBreakPoint, IoFreeWorkItem, IoRegisterPlugPlayNotification, IoQueueWorkItem, KeWaitForSingleObject, IoAllocateWorkItem, RtlCompareMemory, KeInitializeEvent, IoCreateDevice, IoDeleteDevice, IoDeleteSymbolicLink, IofCallDriver, IoBuildSynchronousFsdRequest, RtlUnicodeStringToAnsiString, ZwQueryValueKey, ZwOpenKey, ZwWriteFile, KeQuerySystemTime, PsGetCurrentProcessId, IoGetAttachedDeviceReference, DbgPrint, MmMapLockedPagesSpecifyCache, RtlCompareUnicodeString, IoBuildDeviceIoControlRequest, RtlAnsiStringToUnicodeString, RtlxAnsiStringToUnicodeSize, NlsMbCodePageTag, RtlCopyUnicodeString, RtlEqualUnicodeString, RtlAppendUnicodeStringToString, RtlUnicodeStringToInteger, RtlIntegerToUnicodeString, IoFreeMdl, MmUnlockPages, MmProbeAndLockPages, IoAllocateMdl, _except_handler3, MmUnmapLockedPages, memset, memcpy, RtlFreeAnsiString, ExFreePool, RtlInitAnsiString, KeInitializeSpinLock
> HAL.dll: KeStallExecutionProcessor, KeGetCurrentIrql, KfAcquireSpinLock, KfReleaseSpinLock, KeQueryPerformanceCounter

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned


Here are the results from Combofix:

ComboFix 09-11-23.01 - Joakim 2009-11-23 23:45.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.1014.663 [GMT 1:00]
Körs från: c:\documents and settings\Joakim\Skrivbord\ComboFix.exe
* Skapade en ny återställningspunkt
.

(((((((((((((((((((((((( Filer Skapade från 2009-10-23 till 2009-11-23 ))))))))))))))))))))))))))))))
.

2009-11-12 22:50 . 2009-11-12 22:50 -------- d-----r- C:\SUD
2009-11-07 01:30 . 2009-11-07 01:30 -------- d-----w- c:\program\Hasbro
2009-11-03 23:19 . 2001-09-06 19:33 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-11-03 23:19 . 2008-04-14 17:04 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-11-03 23:16 . 2009-11-03 23:15 24411168 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\NokiaSoftwareUpdaterSetup_1.8.10SE.exe
2009-11-03 23:15 . 2009-11-03 23:15 3351812 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\msxml6Exec.exe
2009-11-03 23:15 . 2009-11-03 23:15 36864 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\Sleep.exe
2009-11-03 23:15 . 2009-11-03 23:15 3203453 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\vcredistExec.exe
2009-11-03 23:15 . 2009-11-03 23:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2009-11-03 23:14 . 2009-11-03 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Nokia
2009-11-03 22:57 . 2009-11-03 22:57 152576 ----a-w- c:\documents and settings\Joakim\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-03 09:00 . 2009-11-03 17:06 -------- d-----w- c:\documents and settings\Joakim\Application Data\dvdcss

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-23 22:40 . 2009-06-30 23:12 -------- d-----w- c:\documents and settings\Joakim\Application Data\uTorrent
2009-11-21 18:28 . 2009-06-27 22:38 -------- d-----w- c:\documents and settings\Joakim\Application Data\Spotify
2009-11-21 17:37 . 2009-09-27 21:39 -------- d-----w- c:\documents and settings\Joakim\Application Data\vlc
2009-11-18 18:33 . 2009-06-27 21:52 -------- d-----w- c:\documents and settings\Joakim\Application Data\Skype
2009-11-18 18:31 . 2009-06-27 21:52 -------- d-----w- c:\documents and settings\Joakim\Application Data\skypePM
2009-11-14 13:55 . 2003-04-24 12:00 443186 ----a-w- c:\windows\system32\perfh01D.dat
2009-11-14 13:55 . 2003-04-24 12:00 82334 ----a-w- c:\windows\system32\perfc01D.dat
2009-11-12 17:46 . 2009-10-19 12:42 -------- d-----w- c:\documents and settings\Joakim\Application Data\gtk-2.0
2009-11-12 17:28 . 2009-07-31 10:35 1 ----a-w- c:\documents and settings\Joakim\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-03 23:17 . 2009-09-03 11:40 -------- d-----w- c:\program\Delade filer\Nokia
2009-11-03 23:17 . 2009-09-03 11:38 -------- d-----w- c:\program\Nokia
2009-11-03 23:13 . 2009-09-03 12:04 -------- d-----w- c:\documents and settings\Joakim\Application Data\Nseries
2009-11-03 22:57 . 2009-07-31 10:31 -------- d-----w- c:\program\Java
2009-10-19 15:00 . 2009-08-10 11:29 -------- d-----w- c:\program\Audacity
2009-10-19 12:37 . 2009-10-19 12:37 -------- d-----w- c:\program\GIMP-2.0
2009-10-18 17:04 . 2009-10-18 16:46 -------- d-----w- c:\documents and settings\Joakim\Application Data\FileZilla
2009-10-18 16:45 . 2009-10-18 16:45 -------- d-----w- c:\program\FileZilla FTP Client
2009-10-11 03:17 . 2009-07-31 10:32 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-06 20:26 . 2009-10-06 20:25 -------- d-----w- c:\program\Windows Live
2009-10-06 20:26 . 2009-10-06 20:26 -------- d-----w- c:\program\Microsoft
2009-10-06 20:25 . 2009-10-06 20:25 -------- d-----w- c:\program\Windows Live SkyDrive
2009-10-06 20:14 . 2009-10-06 20:14 -------- d-----w- c:\program\Delade filer\Windows Live
2009-09-30 12:59 . 2009-08-01 14:22 -------- d-----w- c:\program\Delade filer\DVDVideoSoft
2009-09-28 12:26 . 2009-09-09 21:03 -------- d-----w- c:\documents and settings\Joakim\Application Data\TraderaProLister
2009-09-11 14:19 . 2003-04-24 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 11:01 . 2009-09-10 11:01 152576 ----a-w- c:\documents and settings\Joakim\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-04 21:05 . 2003-04-24 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:00 . 2003-04-24 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:02 . 2003-04-24 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program\mozilla firefox\plugins\ssldivx.dll
.

(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Not* Tomma poster & legitima standardposter visas inte.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"NokiaMServer"="c:\program\Delade filer\Nokia\MPlatform\NokiaMServer" [X]
"ACU"="c:\program\Atheros\ACU.exe" [2005-01-31 253952]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"SynTPLpr"="c:\program\Synaptics\SynTP\SynTPLpr.exe" [2005-02-04 102490]
"SynTPEnh"="c:\program\Synaptics\SynTP\SynTPEnh.exe" [2005-02-04 708698]
"QuickTime Task"="c:\program\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"BCD3000"="c:\windows\system32\bcd3kcpan.exe" [2009-08-10 552960]
"NokiaMusic FastStart"="c:\program\Nokia\Nokia Music\NokiaMusic.exe" [2009-07-22 2331936]
"AdobeCS4ServiceManager"="c:\program\Delade filer\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SunJavaUpdateSched"="c:\program\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-04-15 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program\\Spotify\\spotify.exe"=
"c:\\Program\\uTorrent\\uTorrent.exe"=
"c:\\Program\\Bonjour\\mDNSResponder.exe"=
"c:\\Program\\iTunes\\iTunes.exe"=
"c:\\Program\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program\\SopCast\\SopCast.exe"=
"c:\\Program\\Mozilla Firefox\\firefox.exe"=
"c:\\Program\\Delade filer\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\wamp\\bin\\apache\\Apache2.2.11\\bin\\httpd.exe"=
"c:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program\\Delade filer\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59389:TCP"= 59389:TCP:1
"60039:TCP"= 60039:TCP:127.0.0.1
"5353:TCP"= 5353:TCP:Adobe CSI CS4

S3 BCD3000;Behringer BCD3000 V1.1.2.0;c:\windows\system32\drivers\BCD3000.SYS [2009-08-10 42496]
S3 BCD3000WDM;Behringer BCD3000WDM V1.1.2.0;c:\windows\system32\drivers\BCD3000WDM.SYS [2009-08-10 21600]
S3 kwwalpgr;kwwalpgr;\??\c:\docume~1\Joakim\LOKALA~1\Temp\kwwalpgr.sys --> c:\docume~1\Joakim\LOKALA~1\Temp\kwwalpgr.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{67KLN5J0-4OPM-01WE-AAX2-5657QCA554112}]
c:\sud\SSOW\sep.exe
.
Innehållet i mappen 'Schemalagda aktiviteter':

2009-08-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2009-11-23 c:\windows\Tasks\User_Feed_Synchronization-{AC9A189E-7CC2-4C9D-92CE-361B9D2E9F9D}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]
.
.
------- Extra genomsökning -------
.
uInternet Settings,ProxyOverride = *.local;<local>
IE: Save YouTube Video as MP3 - c:\program\Delade filer\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
FF - ProfilePath - c:\documents and settings\Joakim\Application Data\Mozilla\Firefox\Profiles\q5lqbj6p.default\
FF - component: c:\program\Delade filer\DVDVideoSoft\Dll\FFContextMenuY\components\FFContextMenu.dll
FF - plugin: c:\program\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program\Veetle\Player\npvlc.dll
FF - plugin: c:\program\Veetle\plugins\npVeetle.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICY ----
c:\program\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");
.
- - - - FÖRÄLDRALÖSA POSTER SOM TAGITS BORT - - - -

AddRemove-Broadcom 802.11b Network Adapter - c:\windows\system32\BCMWLU00.exe verbose



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-23 23:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLer som "laddats" under processer som körs ---------------------

- - - - - - - > 'winlogon.exe'(540)
c:\program\Delade filer\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(1576)
c:\program\Bonjour\mdnsNSP.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Sluttid: 2009-11-23 23:51
ComboFix-quarantined-files.txt 2009-11-23 22:51

Före genomsökningen: 8 002 809 856 byte ledigt
Efter genomsökningen: 8 876 900 352 byte ledigt

WindowsXP-KB310994-SP2-Home-BootDisk-SVE.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 4897369485081C6AD903E0BCEEC16F38

How the computer is acting:

It doesn't seem slower or faster than usual, but the start-menu list sometimes crashes and has to restart. When it restarted the last time, an icon had been added to the desktop. It was the "Internet Explorer" icon. I always use Mozilla Firefox when I'm on the internet, and when I started it after the crash it asked me if I wanted to have it as the standard web browser, although it already should have been the standard web browser. I answered yes to the question and put it back as the standard one.

Thanks for helping.

Joakim

#8 SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • 3,368 posts

Posted 23 November 2009 - 11:26 PM

When it restarted the last time, an icon had been added to the desktop. It was the "Internet Explorer" icon. I always use Mozilla Firefox when I'm on the internet, and when I started it after the crash it asked me if I wanted to have it as the standard web browser, although it already should have been the standard web browser. I answered yes to the question and put it back as the standard one.

When you ran ComboFix, it reset your default browser. Hence you were prompted to set Firefox as your default browser after running ComboFix.

the start-menu list sometimes crashes and has to restart.

Could you please elaborate on this a little bit more?

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, and click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Folder::
C:\SUD

Suspect:: 
c:\docume~1\Joakim\LOKALA~1\Temp\kwwalpgr.sys 

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{67KLN5J0-4OPM-01WE-AAX2-5657QCA554112}]

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
    **Note**
    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Please make sure that you post the log that was produced after running ComboFix.

Proud Graduate of the WTT Classroom


#9 jockaio

    New Member

  • Authentic Member
  • 15 posts

Posted 24 November 2009 - 03:10 AM

The ComboFix-log:

ComboFix 09-11-23.01 - Joakim 2009-11-24 9:26.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.1014.694 [GMT 1:00]
Körs från: c:\documents and settings\Joakim\Skrivbord\ComboFix.exe
Använda kommandoväxlar :: c:\documents and settings\Joakim\Skrivbord\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\SUD
c:\sud\SSOW\DesKTop.ini
c:\sud\SSOW\sep.exe

.
(((((((((((((((((((((((( Filer Skapade från 2009-10-24 till 2009-11-24 ))))))))))))))))))))))))))))))
.

2009-11-23 23:16 . 2009-11-23 23:18 -------- d-----w- c:\program\Yawcam
2009-11-07 01:30 . 2009-11-07 01:30 -------- d-----w- c:\program\Hasbro
2009-11-03 23:19 . 2001-09-06 19:33 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-11-03 23:19 . 2008-04-14 17:04 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-11-03 23:16 . 2009-11-03 23:15 24411168 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\NokiaSoftwareUpdaterSetup_1.8.10SE.exe
2009-11-03 23:15 . 2009-11-03 23:15 3351812 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\msxml6Exec.exe
2009-11-03 23:15 . 2009-11-03 23:15 36864 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\Sleep.exe
2009-11-03 23:15 . 2009-11-03 23:15 3203453 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\vcredistExec.exe
2009-11-03 23:15 . 2009-11-03 23:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2009-11-03 23:14 . 2009-11-03 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Nokia
2009-11-03 22:57 . 2009-11-03 22:57 152576 ----a-w- c:\documents and settings\Joakim\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-03 09:00 . 2009-11-03 17:06 -------- d-----w- c:\documents and settings\Joakim\Application Data\dvdcss

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-23 23:21 . 2009-06-27 21:52 -------- d-----w- c:\documents and settings\Joakim\Application Data\Skype
2009-11-23 23:09 . 2009-06-27 21:52 -------- d-----w- c:\documents and settings\Joakim\Application Data\skypePM
2009-11-23 22:40 . 2009-06-30 23:12 -------- d-----w- c:\documents and settings\Joakim\Application Data\uTorrent
2009-11-21 18:28 . 2009-06-27 22:38 -------- d-----w- c:\documents and settings\Joakim\Application Data\Spotify
2009-11-21 17:37 . 2009-09-27 21:39 -------- d-----w- c:\documents and settings\Joakim\Application Data\vlc
2009-11-14 13:55 . 2003-04-24 12:00 443186 ----a-w- c:\windows\system32\perfh01D.dat
2009-11-14 13:55 . 2003-04-24 12:00 82334 ----a-w- c:\windows\system32\perfc01D.dat
2009-11-12 17:46 . 2009-10-19 12:42 -------- d-----w- c:\documents and settings\Joakim\Application Data\gtk-2.0
2009-11-12 17:28 . 2009-07-31 10:35 1 ----a-w- c:\documents and settings\Joakim\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-03 23:17 . 2009-09-03 11:40 -------- d-----w- c:\program\Delade filer\Nokia
2009-11-03 23:17 . 2009-09-03 11:38 -------- d-----w- c:\program\Nokia
2009-11-03 23:13 . 2009-09-03 12:04 -------- d-----w- c:\documents and settings\Joakim\Application Data\Nseries
2009-11-03 22:57 . 2009-07-31 10:31 -------- d-----w- c:\program\Java
2009-10-19 15:00 . 2009-08-10 11:29 -------- d-----w- c:\program\Audacity
2009-10-19 12:37 . 2009-10-19 12:37 -------- d-----w- c:\program\GIMP-2.0
2009-10-18 17:04 . 2009-10-18 16:46 -------- d-----w- c:\documents and settings\Joakim\Application Data\FileZilla
2009-10-18 16:45 . 2009-10-18 16:45 -------- d-----w- c:\program\FileZilla FTP Client
2009-10-11 03:17 . 2009-07-31 10:32 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-06 20:26 . 2009-10-06 20:25 -------- d-----w- c:\program\Windows Live
2009-10-06 20:26 . 2009-10-06 20:26 -------- d-----w- c:\program\Microsoft
2009-10-06 20:25 . 2009-10-06 20:25 -------- d-----w- c:\program\Windows Live SkyDrive
2009-10-06 20:14 . 2009-10-06 20:14 -------- d-----w- c:\program\Delade filer\Windows Live
2009-09-30 12:59 . 2009-08-01 14:22 -------- d-----w- c:\program\Delade filer\DVDVideoSoft
2009-09-28 12:26 . 2009-09-09 21:03 -------- d-----w- c:\documents and settings\Joakim\Application Data\TraderaProLister
2009-09-11 14:19 . 2003-04-24 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 11:01 . 2009-09-10 11:01 152576 ----a-w- c:\documents and settings\Joakim\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-04 21:05 . 2003-04-24 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:00 . 2003-04-24 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-23_22.50.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2016-04-12 00:00 . 2016-04-12 00:00 16384 c:\windows\Temp\Perflib_Perfdata_44c.dat
+ 2009-11-23 23:08 . 2008-04-14 17:04 54272 c:\windows\system32\vfwwdm32.dll
+ 2009-11-23 23:08 . 2008-04-13 19:46 19200 c:\windows\system32\drivers\WSTCODEC.SYS
+ 2009-11-23 23:08 . 2008-04-13 19:46 15232 c:\windows\system32\drivers\StreamIP.sys
+ 2009-11-23 23:08 . 2008-04-13 19:46 11136 c:\windows\system32\drivers\SLIP.sys
+ 2009-11-23 23:08 . 2008-04-13 19:46 10880 c:\windows\system32\drivers\NdisIP.sys
+ 2009-11-23 23:08 . 2008-04-13 19:46 85248 c:\windows\system32\drivers\NABTSFEC.sys
+ 2009-11-23 23:08 . 2008-04-13 19:46 17024 c:\windows\system32\drivers\CCDECODE.sys
+ 2009-11-23 23:08 . 2008-04-13 19:46 19200 c:\windows\system32\dllcache\wstcodec.sys
+ 2009-11-23 23:08 . 2008-04-14 17:04 54272 c:\windows\system32\dllcache\vfwwdm32.dll
+ 2009-11-23 23:08 . 2008-04-13 19:46 15232 c:\windows\system32\dllcache\streamip.sys
+ 2009-11-23 23:08 . 2008-04-13 19:46 11136 c:\windows\system32\dllcache\slip.sys
+ 2009-11-23 23:08 . 2008-04-13 19:46 10880 c:\windows\system32\dllcache\ndisip.sys
+ 2009-11-23 23:08 . 2008-04-13 19:46 85248 c:\windows\system32\dllcache\nabtsfec.sys
+ 2009-11-23 23:08 . 2008-04-13 19:46 17024 c:\windows\system32\dllcache\ccdecode.sys
+ 2009-11-23 23:08 . 2008-04-13 19:39 5504 c:\windows\system32\drivers\MSTEE.sys
+ 2009-11-23 23:08 . 2008-04-13 19:39 5504 c:\windows\system32\dllcache\mstee.sys
.
(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Not* Tomma poster & legitima standardposter visas inte.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"NokiaMServer"="c:\program\Delade filer\Nokia\MPlatform\NokiaMServer" [X]
"ACU"="c:\program\Atheros\ACU.exe" [2005-01-31 253952]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"SynTPLpr"="c:\program\Synaptics\SynTP\SynTPLpr.exe" [2005-02-04 102490]
"SynTPEnh"="c:\program\Synaptics\SynTP\SynTPEnh.exe" [2005-02-04 708698]
"QuickTime Task"="c:\program\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"BCD3000"="c:\windows\system32\bcd3kcpan.exe" [2009-08-10 552960]
"NokiaMusic FastStart"="c:\program\Nokia\Nokia Music\NokiaMusic.exe" [2009-07-22 2331936]
"AdobeCS4ServiceManager"="c:\program\Delade filer\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SunJavaUpdateSched"="c:\program\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-04-15 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program\\Spotify\\spotify.exe"=
"c:\\Program\\uTorrent\\uTorrent.exe"=
"c:\\Program\\Bonjour\\mDNSResponder.exe"=
"c:\\Program\\iTunes\\iTunes.exe"=
"c:\\Program\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program\\SopCast\\SopCast.exe"=
"c:\\Program\\Mozilla Firefox\\firefox.exe"=
"c:\\Program\\Delade filer\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\wamp\\bin\\apache\\Apache2.2.11\\bin\\httpd.exe"=
"c:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program\\Delade filer\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59389:TCP"= 59389:TCP:1
"60039:TCP"= 60039:TCP:127.0.0.1
"5353:TCP"= 5353:TCP:Adobe CSI CS4

S3 BCD3000;Behringer BCD3000 V1.1.2.0;c:\windows\system32\drivers\BCD3000.SYS [2009-08-10 42496]
S3 BCD3000WDM;Behringer BCD3000WDM V1.1.2.0;c:\windows\system32\drivers\BCD3000WDM.SYS [2009-08-10 21600]
S3 kwwalpgr;kwwalpgr;\??\c:\docume~1\Joakim\LOKALA~1\Temp\kwwalpgr.sys --> c:\docume~1\Joakim\LOKALA~1\Temp\kwwalpgr.sys [?]
.
Innehållet i mappen 'Schemalagda aktiviteter':

2009-08-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2009-11-24 c:\windows\Tasks\User_Feed_Synchronization-{AC9A189E-7CC2-4C9D-92CE-361B9D2E9F9D}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]
.
.
------- Extra genomsökning -------
.
uInternet Settings,ProxyOverride = *.local;<local>
IE: Save YouTube Video as MP3 - c:\program\Delade filer\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
FF - ProfilePath - c:\documents and settings\Joakim\Application Data\Mozilla\Firefox\Profiles\q5lqbj6p.default\
FF - component: c:\program\Delade filer\DVDVideoSoft\Dll\FFContextMenuY\components\FFContextMenu.dll
FF - plugin: c:\program\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program\Veetle\Player\npvlc.dll
FF - plugin: c:\program\Veetle\plugins\npVeetle.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICY ----
c:\program\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-24 09:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLer som "laddats" under processer som körs ---------------------

- - - - - - - > 'winlogon.exe'(544)
c:\program\Delade filer\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\System32\BCMLogon.dll
.
Sluttid: 2009-11-24 09:35
ComboFix-quarantined-files.txt 2009-11-24 08:35
ComboFix2.txt 2009-11-23 22:51

Före genomsökningen: 8 866 136 064 byte ledigt
Efter genomsökningen: 8 831 733 760 byte ledigt

- - End Of File - - 2893A325D40F4BCBEDF2A42EDEC5A644

How the computer is acting:

I'm sorry I was so unclear last time I tried to explain the problem. This is what is happening. It actually happened while I was running the ComboFix scan.

A message box pops up saying:
Explorer.exe has performed an illegal operation and has to be terminated.
I googled for pics that are similar to what the message box looks like, and this is kind of close (I believe the pic is not from an XP computer, which mine is):
100690err.gif

After I click "close" everything on screen disappears and you can only see my desktop background for a couple of seconds.

Then there's another little message box appearing for a few seconds. It says:
Installing adjusted settings for:
c:\sud\SSOW\sep.exe


After the message box has disappeared everything goes back to normal. The start menu and the icons come back on the desktop and I can manage my computer just like before.

When this happened while ComboFix was running, the CF window never disappeared. I never clicked on the CF window, but I clicked "close" on the message box.

I hope this elaboration is helping you understand what's going on. :)
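The three things the helper's CFScript goes after can also be picked out of a ComboFix log mechanically: a file stamped with a date later than the scan itself (the Perflib file dated 2016-04-12 in the log above, which matches the clock jump this thread is about), a driver whose image sits in the user's Temp directory (kwwalpgr.sys), and an Active Setup "Installed Components" entry whose command runs from a location that is neither the Windows directory nor Program Files (sep.exe under C:\SUD). The Python script below is an added example written for this thread; it is not code from the forum or from ComboFix. Its sample input is a handful of lines copied from the logs posted here, and the "expected" path prefixes (c:\windows, c:\program) are an assumption taken from this Swedish XP install, where Program Files is "c:\program".

```python
"""Triage helper for ComboFix-style log lines (added example, not ComboFix code).

Flags three indicator types seen in this thread:
  1. file entries whose timestamp lies after the scan date,
  2. service/driver entries (R0-R4 / S0-S4 lines) whose image is under a Temp directory,
  3. Active Setup "Installed Components" entries whose command runs from an
     unexpected location.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed sample: lines copied from the ComboFix logs posted in this thread
# (not a complete log).  The header line carries the scan date.
SAMPLE_LOG = r"""
ComboFix 09-11-23.01 - Joakim 2009-11-24 9:26.2.1 - x86
+ 2016-04-12 00:00 . 2016-04-12 00:00 16384 c:\windows\Temp\Perflib_Perfdata_44c.dat
+ 2009-11-23 23:08 . 2008-04-14 17:04 54272 c:\windows\system32\vfwwdm32.dll
2009-11-14 13:55 . 2003-04-24 12:00 443186 ----a-w- c:\windows\system32\perfh01D.dat
S3 BCD3000;Behringer BCD3000 V1.1.2.0;c:\windows\system32\drivers\BCD3000.SYS [2009-08-10 42496]
S3 kwwalpgr;kwwalpgr;\??\c:\docume~1\Joakim\LOKALA~1\Temp\kwwalpgr.sys --> c:\docume~1\Joakim\LOKALA~1\Temp\kwwalpgr.sys [?]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{67KLN5J0-4OPM-01WE-AAX2-5657QCA554112}]
c:\sud\SSOW\sep.exe
"""


@dataclass
class Finding:
    kind: str     # future_timestamp | driver_in_temp | active_setup_unusual_path
    detail: str   # path or service name that triggered the finding
    line: str     # the log line it came from


# Header line, e.g. "ComboFix 09-11-23.01 - Joakim 2009-11-24 9:26.2.1 - x86"
HEADER_RE = re.compile(r"^ComboFix \S+ - .*?(\d{4})-(\d{2})-(\d{2}) \d{1,2}:\d{2}")
# File entries: "[+ ]mtime . ctime size [attrs] path"
FILE_RE = re.compile(
    r"^\+?\s*(\d{4})-(\d{2})-(\d{2}) \d{2}:\d{2} \. (\d{4})-(\d{2})-(\d{2}) \d{2}:\d{2} "
    r"\S+ (?:\S+ )?([A-Za-z]:\\.*)$"
)
# Service/driver entries: "S3 name;display name;image path [date size]"
SERVICE_RE = re.compile(r"^[RS][0-4] ([^;]+);[^;]*;(.*)$")
ACTIVE_SETUP_RE = re.compile(
    r"^\[-?HKEY_LOCAL_MACHINE\\software\\microsoft\\active setup\\installed components\\",
    re.IGNORECASE,
)
# Assumption: on this Swedish XP install Program Files is "c:\program";
# adjust the tuple for other locales.
EXPECTED_PREFIXES = ("c:\\windows\\", "c:\\program")


def triage(log_text: str) -> List[Finding]:
    """Return the findings for one ComboFix log, in log order."""
    findings: List[Finding] = []
    scan_date: Optional[date] = None
    pending_key: Optional[str] = None   # Active Setup key waiting for its command line
    for raw in log_text.strip().splitlines():
        line = raw.rstrip()
        if pending_key is not None:
            if not line.strip():
                continue                  # blank line between key and command
            command = line.strip()
            if not command.lower().startswith(EXPECTED_PREFIXES):
                findings.append(Finding("active_setup_unusual_path", command, pending_key))
            pending_key = None
            continue
        m = HEADER_RE.match(line)
        if m:
            scan_date = date(int(m[1]), int(m[2]), int(m[3]))
            continue
        if ACTIVE_SETUP_RE.match(line):
            pending_key = line
            continue
        m = SERVICE_RE.match(line)
        if m:
            image = m[2].split(" [")[0]        # drop the trailing "[date size]"
            image = image.split(" --> ")[-1]   # ComboFix prints "raw --> resolved"
            if "\\temp\\" in image.lower():
                findings.append(Finding("driver_in_temp", m[1], line))
            continue
        m = FILE_RE.match(line)
        if m and scan_date is not None:
            mtime = date(int(m[1]), int(m[2]), int(m[3]))
            ctime = date(int(m[4]), int(m[5]), int(m[6]))
            if max(mtime, ctime) > scan_date:
                findings.append(Finding("future_timestamp", m[7], line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:26} {f.detail}")
```

Run against the sample it reports exactly the three items the CFScript in this thread lists (the 2016-dated Perflib file, the kwwalpgr driver in Temp, and sep.exe behind the Active Setup key). The timestamp check compares against the date in the log header rather than the wall clock, so it still works when the log is examined on a machine whose own clock is wrong, which is the situation in this thread.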

#10 SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • 3,368 posts

Posted 24 November 2009 - 09:08 PM

Are you using any USB storage devices? Have you recently plugged in any USB storage devices? If you have any USB storage devices please plug them in before running ComboFix.

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, and click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
File::
c:\windows\Temp\Perflib_Perfdata_44c.dat
Suspect::
c:\docume~1\Joakim\LOKALA~1\Temp\kwwalpgr.sys
Collect::
c:\sud\SSOW\sep.exe
Folder::
c:\sud\
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{67KLN5J0-4OPM-01WE-AAX2-5657QCA554112}]

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Please post the log that is produced after running ComboFix.



#11 jockaio

    New Member

  • Authentic Member
  • 15 posts

Posted 25 November 2009 - 03:22 PM

Here is the log:

ComboFix 09-11-23.01 - Joakim 2009-11-25 22:06.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.1014.676 [GMT 1:00]
Körs från: c:\documents and settings\Joakim\Skrivbord\ComboFix.exe
Använda kommandoväxlar :: c:\documents and settings\Joakim\Skrivbord\CFScript.txt
* Skapade en ny återställningspunkt

FILE ::
"c:\windows\Temp\Perflib_Perfdata_44c.dat"
.

(((((((((((((((((((((((( Filer Skapade från 2009-10-25 till 2009-11-25 ))))))))))))))))))))))))))))))
.

2009-11-23 23:16 . 2009-11-23 23:18 -------- d-----w- c:\program\Yawcam
2009-11-07 01:30 . 2009-11-07 01:30 -------- d-----w- c:\program\Hasbro
2009-11-03 23:19 . 2001-09-06 19:33 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-11-03 23:19 . 2008-04-14 17:04 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-11-03 23:16 . 2009-11-03 23:15 24411168 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\NokiaSoftwareUpdaterSetup_1.8.10SE.exe
2009-11-03 23:15 . 2009-11-03 23:15 3351812 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\msxml6Exec.exe
2009-11-03 23:15 . 2009-11-03 23:15 36864 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\Sleep.exe
2009-11-03 23:15 . 2009-11-03 23:15 3203453 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\vcredistExec.exe
2009-11-03 23:15 . 2009-11-03 23:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2009-11-03 23:14 . 2009-11-03 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Nokia
2009-11-03 22:57 . 2009-11-03 22:57 152576 ----a-w- c:\documents and settings\Joakim\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-03 09:00 . 2009-11-03 17:06 -------- d-----w- c:\documents and settings\Joakim\Application Data\dvdcss

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-24 22:02 . 2009-06-27 22:38 -------- d-----w- c:\documents and settings\Joakim\Application Data\Spotify
2009-11-24 18:25 . 2009-06-27 21:52 -------- d-----w- c:\documents and settings\Joakim\Application Data\Skype
2009-11-24 17:31 . 2009-06-27 21:52 -------- d-----w- c:\documents and settings\Joakim\Application Data\skypePM
2009-11-24 10:37 . 2009-06-30 23:12 -------- d-----w- c:\documents and settings\Joakim\Application Data\uTorrent
2009-11-21 17:37 . 2009-09-27 21:39 -------- d-----w- c:\documents and settings\Joakim\Application Data\vlc
2009-11-14 13:55 . 2003-04-24 12:00 443186 ----a-w- c:\windows\system32\perfh01D.dat
2009-11-14 13:55 . 2003-04-24 12:00 82334 ----a-w- c:\windows\system32\perfc01D.dat
2009-11-12 17:46 . 2009-10-19 12:42 -------- d-----w- c:\documents and settings\Joakim\Application Data\gtk-2.0
2009-11-12 17:28 . 2009-07-31 10:35 1 ----a-w- c:\documents and settings\Joakim\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-03 23:17 . 2009-09-03 11:40 -------- d-----w- c:\program\Delade filer\Nokia
2009-11-03 23:17 . 2009-09-03 11:38 -------- d-----w- c:\program\Nokia
2009-11-03 23:13 . 2009-09-03 12:04 -------- d-----w- c:\documents and settings\Joakim\Application Data\Nseries
2009-11-03 22:57 . 2009-07-31 10:31 -------- d-----w- c:\program\Java
2009-10-19 15:00 . 2009-08-10 11:29 -------- d-----w- c:\program\Audacity
2009-10-19 12:37 . 2009-10-19 12:37 -------- d-----w- c:\program\GIMP-2.0
2009-10-18 17:04 . 2009-10-18 16:46 -------- d-----w- c:\documents and settings\Joakim\Application Data\FileZilla
2009-10-18 16:45 . 2009-10-18 16:45 -------- d-----w- c:\program\FileZilla FTP Client
2009-10-11 03:17 . 2009-07-31 10:32 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-06 20:26 . 2009-10-06 20:25 -------- d-----w- c:\program\Windows Live
2009-10-06 20:26 . 2009-10-06 20:26 -------- d-----w- c:\program\Microsoft
2009-10-06 20:25 . 2009-10-06 20:25 -------- d-----w- c:\program\Windows Live SkyDrive
2009-10-06 20:14 . 2009-10-06 20:14 -------- d-----w- c:\program\Delade filer\Windows Live
2009-09-30 12:59 . 2009-08-01 14:22 -------- d-----w- c:\program\Delade filer\DVDVideoSoft
2009-09-28 12:26 . 2009-09-09 21:03 -------- d-----w- c:\documents and settings\Joakim\Application Data\TraderaProLister
2009-09-11 14:19 . 2003-04-24 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 11:01 . 2009-09-10 11:01 152576 ----a-w- c:\documents and settings\Joakim\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-04 21:05 . 2003-04-24 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:00 . 2003-04-24 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-23_22.50.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-25 21:14 . 2009-11-25 21:14 16384 c:\windows\temp\Perflib_Perfdata_798.dat
+ 2009-11-23 23:08 . 2008-04-14 17:04 54272 c:\windows\system32\vfwwdm32.dll
+ 2009-11-23 23:08 . 2008-04-13 19:46 19200 c:\windows\system32\drivers\WSTCODEC.SYS
+ 2009-11-23 23:08 . 2008-04-13 19:46 15232 c:\windows\system32\drivers\StreamIP.sys
+ 2009-11-23 23:08 . 2008-04-13 19:46 11136 c:\windows\system32\drivers\SLIP.sys
+ 2009-11-23 23:08 . 2008-04-13 19:46 10880 c:\windows\system32\drivers\NdisIP.sys
+ 2009-11-23 23:08 . 2008-04-13 19:46 85248 c:\windows\system32\drivers\NABTSFEC.sys
+ 2009-11-23 23:08 . 2008-04-13 19:46 17024 c:\windows\system32\drivers\CCDECODE.sys
+ 2009-11-23 23:08 . 2008-04-13 19:46 19200 c:\windows\system32\dllcache\wstcodec.sys
+ 2009-11-23 23:08 . 2008-04-14 17:04 54272 c:\windows\system32\dllcache\vfwwdm32.dll
+ 2009-11-23 23:08 . 2008-04-13 19:46 15232 c:\windows\system32\dllcache\streamip.sys
+ 2009-11-23 23:08 . 2008-04-13 19:46 11136 c:\windows\system32\dllcache\slip.sys
+ 2009-11-23 23:08 . 2008-04-13 19:46 10880 c:\windows\system32\dllcache\ndisip.sys
+ 2009-11-23 23:08 . 2008-04-13 19:46 85248 c:\windows\system32\dllcache\nabtsfec.sys
+ 2009-11-23 23:08 . 2008-04-13 19:46 17024 c:\windows\system32\dllcache\ccdecode.sys
+ 2009-11-23 23:08 . 2008-04-13 19:39 5504 c:\windows\system32\drivers\MSTEE.sys
+ 2009-11-23 23:08 . 2008-04-13 19:39 5504 c:\windows\system32\dllcache\mstee.sys
.
(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Not* Tomma poster & legitima standardposter visas inte.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"NokiaMServer"="c:\program\Delade filer\Nokia\MPlatform\NokiaMServer" [X]
"ACU"="c:\program\Atheros\ACU.exe" [2005-01-31 253952]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"SynTPLpr"="c:\program\Synaptics\SynTP\SynTPLpr.exe" [2005-02-04 102490]
"SynTPEnh"="c:\program\Synaptics\SynTP\SynTPEnh.exe" [2005-02-04 708698]
"QuickTime Task"="c:\program\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"BCD3000"="c:\windows\system32\bcd3kcpan.exe" [2009-08-10 552960]
"NokiaMusic FastStart"="c:\program\Nokia\Nokia Music\NokiaMusic.exe" [2009-07-22 2331936]
"AdobeCS4ServiceManager"="c:\program\Delade filer\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SunJavaUpdateSched"="c:\program\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-04-15 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program\\Spotify\\spotify.exe"=
"c:\\Program\\uTorrent\\uTorrent.exe"=
"c:\\Program\\Bonjour\\mDNSResponder.exe"=
"c:\\Program\\iTunes\\iTunes.exe"=
"c:\\Program\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program\\SopCast\\SopCast.exe"=
"c:\\Program\\Mozilla Firefox\\firefox.exe"=
"c:\\Program\\Delade filer\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\wamp\\bin\\apache\\Apache2.2.11\\bin\\httpd.exe"=
"c:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program\\Delade filer\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59389:TCP"= 59389:TCP:1
"60039:TCP"= 60039:TCP:127.0.0.1
"5353:TCP"= 5353:TCP:Adobe CSI CS4

S3 BCD3000;Behringer BCD3000 V1.1.2.0;c:\windows\system32\drivers\BCD3000.SYS [2009-08-10 42496]
S3 BCD3000WDM;Behringer BCD3000WDM V1.1.2.0;c:\windows\system32\drivers\BCD3000WDM.SYS [2009-08-10 21600]
S3 kwwalpgr;kwwalpgr;\??\c:\docume~1\Joakim\LOKALA~1\Temp\kwwalpgr.sys --> c:\docume~1\Joakim\LOKALA~1\Temp\kwwalpgr.sys [?]
.
Innehållet i mappen 'Schemalagda aktiviteter':

2009-08-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2009-11-25 c:\windows\Tasks\User_Feed_Synchronization-{AC9A189E-7CC2-4C9D-92CE-361B9D2E9F9D}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]
.
.
------- Extra genomsökning -------
.
uInternet Settings,ProxyOverride = *.local;<local>
IE: Save YouTube Video as MP3 - c:\program\Delade filer\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
FF - ProfilePath - c:\documents and settings\Joakim\Application Data\Mozilla\Firefox\Profiles\q5lqbj6p.default\
FF - component: c:\program\Delade filer\DVDVideoSoft\Dll\FFContextMenuY\components\FFContextMenu.dll
FF - plugin: c:\program\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program\Veetle\Player\npvlc.dll
FF - plugin: c:\program\Veetle\plugins\npVeetle.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICY ----
c:\program\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-25 22:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLer som "laddats" under processer som körs ---------------------

- - - - - - - > 'winlogon.exe'(544)
c:\program\Delade filer\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(796)
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Andra processer som körs ------------------------
.
c:\windows\System32\bcmwltry.exe
c:\windows\system32\WLTRAY.exe
c:\program\Delade filer\Nokia\MPlatform\NokiaMServer.exe
c:\acer\eManager\anbmServ.exe
c:\program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program\Bonjour\mDNSResponder.exe
c:\program\Java\jre6\bin\jqs.exe
c:\program\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Sluttid: 2009-11-25 22:18 - datorn startades om.
ComboFix-quarantined-files.txt 2009-11-25 21:18
ComboFix2.txt 2009-11-24 08:35
ComboFix3.txt 2009-11-23 22:51

Före genomsökningen: 8 785 702 912 byte ledigt
Efter genomsökningen: 8 752 254 976 byte ledigt

- - End Of File - - 2E7079E08FE951D1F0D7217A16F900C4
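The first driver line in the log above (an S3 service whose image sits in the user's Temp directory and carries `[?]` where the other entries show a file timestamp) is the kind of entry a helper looks at first. The following Python triage helper is an added example, not ComboFix's or the forum's own code: it applies two heuristics that are this example's assumptions (an image path under a Temp directory, and a `[?]` in place of a timestamp on a service line) to lines shaped like the posted log, using a sample constructed from lines copied above.

```python
"""Triage helper for ComboFix-style log lines (added example, not ComboFix's code).
The line shapes are copied from the posted log; the two heuristics are assumptions."""
import re

# Constructed sample: lines copied from the posted log, one per line type
# (driver/service entry, scheduled task, DLL loaded inside a running process).
SAMPLE_LOG = r"""S3 kwwalpgr;kwwalpgr;\??\c:\docume~1\Joakim\LOKALA~1\Temp\kwwalpgr.sys --> c:\docume~1\Joakim\LOKALA~1\Temp\kwwalpgr.sys [?]
2009-08-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]
- - - - - - - > 'winlogon.exe'(544)
c:\program\Delade filer\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\System32\BCMLogon.dll
"""

# A Windows path runs from "X:\" up to (not including) " -->", " [" or the end
# of the line; the optional "\??\" NT prefix seen on driver lines is skipped.
PATH_RE = re.compile(r"(?:\\\?\?\\)?([A-Za-z]:\\.+?)(?=\s+-->|\s+\[|\s*$)")
# "S3 name;display;image [stamp]" style service/driver lines (assumed shape).
SERVICE_RE = re.compile(r"^[SR]\d\s+[^;]+;[^;]+;.*\[(?P<stamp>[^\]]*)\]\s*$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def triage(log_text):
    """Return (line_no, reason, path) findings for lines worth a closer look."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), 1):
        # dict.fromkeys() de-duplicates the path when a line repeats it after "-->"
        paths = list(dict.fromkeys(PATH_RE.findall(line)))
        for path in paths:
            if TEMP_DIR_RE.search(path):
                findings.append((no, "image under a Temp directory", path))
        svc = SERVICE_RE.match(line)
        if svc and svc.group("stamp") == "?":
            findings.append((no, "no file timestamp recorded for service image",
                             paths[-1] if paths else line))
    return findings


if __name__ == "__main__":
    for no, reason, path in triage(SAMPLE_LOG):
        print(f"line {no}: {reason}: {path}")
```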

#12 SweetTech

SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • 3,368 posts

Posted 25 November 2009 - 07:31 PM

Scanning with MalwareBytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Add/Remove Programs
I would also like to see a list of installed programs, so please do this:
Click Start > Run then copy/paste the following single-line command into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

A text file should open. Post the contents of that file in your next reply.
Please make sure you include the following items in your next post:
1. The log that was produced after running MalwareBytes' Anti-Malware.
2. The log that was produced after running the ESET Online Scanner.
3. The contents of the Add-Remove Programs file.
4. An update on how your computer is running.

Proud Graduate of the WTT Classroom


#13 SweetTech

SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • 3,368 posts

Posted 28 November 2009 - 01:41 PM

Hello jockaio! It's been several days since I last posted instructions for you to complete. Do you still require assistance in getting your computer cleaned up? Thanks, SweetTech.



#14 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,755 posts

Posted 01 December 2009 - 07:44 PM

Due to inactivity this topic will be closed. If you need help please start a new thread.

Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.
