
HijackThis help


This thread has been archived. This means you can no longer reply to posts in the thread. Please start a new thread if needed.
23 replies in this thread

#1 kemsi

kemsi
  • Member
  • 18 posts

Posted 04 November 2009 - 15:18

My computer is slowly giving up, and I decided to run HijackThis (in administrator mode) before it dies completely!
Very grateful for any replies! :)
Regards, Kemsi




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:33:34, on 2009-11-03
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Simon\My Documents\Hämtade filer\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AVGIDS] "C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Blogga detta - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blogga detta i Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: AVGIDSAgent - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
O23 - Service: AVGIDSWatcher - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8617 bytes



#2 Cecilia

Cecilia
  • Honorary member
  • 3,431 posts

Posted 04 November 2009 - 18:29

AVG version 8 has been replaced by AVG 9, so upgrade to the new version.

O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
That is an ad toolbar and nothing you should have on the computer.

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
Counts as dubious.

Can you describe in more detail what problems you are having with the computer?

#3 kemsi

kemsi
  • Member
  • 18 posts

Posted 04 November 2009 - 19:03

Cecilia, on 04 November 2009 - 18:29, wrote:

AVG version 8 has been replaced by AVG 9, so upgrade to the new version.

O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
That is an ad toolbar and nothing you should have on the computer.

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
Counts as dubious.

Can you describe in more detail what problems you are having with the computer?

It has generally become slower, even though the free disk space is the same. Opening a folder takes about 5 - 15 seconds instead of 1 second as before. I scanned with AVG a day or so ago and it found a rootkit that could not be removed; I don't know how you remove one in that case? Thanks! :)

#4 Cecilia

Cecilia
  • Honorary member
  • 3,431 posts

Posted 04 November 2009 - 19:06

Quote

Cecilia, given the earlier discussion about IObit and MBAM, it would be a mistake if this thread came about as an attempt to make an example of someone here, since this HijackThis thread turned up conveniently right after my latest post in the other thread. You don't do that sort of thing, do you?

No, I don't, because I don't have time for that. At 15:18 I was hurrying to the commuter train and had absolutely no opportunity to write any posts.

This post has been edited by Cecilia: 04 November 2009 - 19:07


#5 Cecilia

Cecilia
  • Honorary member
  • 3,431 posts

Posted 04 November 2009 - 19:08

kemsi, on 04 November 2009 - 19:03, wrote:

It has generally become slower, even though the free disk space is the same. Opening a folder takes about 5 - 15 seconds instead of 1 second as before. I scanned with AVG a day or so ago and it found a rootkit that could not be removed; I don't know how you remove one in that case? Thanks! :)

Oh dear, a rootkit is no fun. Can you paste a log from AVG that shows what was found (there is presumably a more exact name than just "rootkit") and in which file and folder it is/was?

#6 si3rra

si3rra
  • Honorary member
  • 2,636 posts

Posted 04 November 2009 - 19:47

The log looks clean, but the question is where all these "[_nltide_2] regsvr32 /s /n /i:U shell32" entries come from?



#7 kemsi

kemsi
  • Member
  • 18 posts

Posted 05 November 2009 - 15:44

Cecilia, on 04 November 2009 - 19:08, wrote:

Oh dear, a rootkit is no fun. Can you paste a log from AVG that shows what was found (there is presumably a more exact name than just "rootkit") and in which file and folder it is/was?

I'm running the scanner again, since I couldn't find any saved log from the previous scan. But what does a rootkit actually do? Can it collect sensitive information and change settings on the computer? When I was about to scan the computer again, something strange happened: the list of scan areas had changed. Everything was selected except "scanning for rootkit", which seems to have unselected itself!

#8 Cecilia

Cecilia
  • Honorary member
  • 3,431 posts

Posted 05 November 2009 - 15:59

A rootkit is a type of malicious program that has the ability to hide itself from other programs, which makes it hard for antivirus programs and similar tools to find and remove. What it then does on the computer, e.g. spying or sending spam, can vary greatly. Many malicious programs, even if they are not rootkits, change settings in Windows to make themselves harder to remove; for example, they can disable Task Manager.

Were you able to select the rootkit scan again?

#9 kemsi

kemsi
  • Member
  • 18 posts

Posted 05 November 2009 - 21:12

Cecilia, on 05 November 2009 - 15:59, wrote:

A rootkit is a type of malicious program that has the ability to hide itself from other programs, which makes it hard for antivirus programs and similar tools to find and remove. What it then does on the computer, e.g. spying or sending spam, can vary greatly. Many malicious programs, even if they are not rootkits, change settings in Windows to make themselves harder to remove; for example, they can disable Task Manager.

Were you able to select the rootkit scan again?

Aha, that doesn't sound fun; in other words, it has to go. Yes, I could select "scan for rootkits" again, so no problem there. Here is the whole log from the scan (fairly long). AVG found a lot of "warnings" and one "rootkit", but as I said it failed to remove the rootkit, since (as you said) it hides in some system thing, a so-called "hidden driver". (I haven't updated AVG to version 9 yet, but version 8 is fully updated.) I have also found an earlier screenshot of my previous scan that shows more detailed info about the rootkit. It is now called "C:\WINDOWS\SYSTEM32\Drivers\avw3tpy3.SYS", but in the previous scan it was called "C:\WINDOWS\SYSTEM32\Drivers\amb2d7rq.SYS". Thanks! :)


"Scan ""Scan whole computer"" was finished."
"Rootkits";"1";"0";"1"
"Warnings";"31"
"Information";"94"

"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"den 5 november 2009, 15:30:37"
"Scan finished:";"den 5 november 2009, 16:52:51 (1 hour(s) 22 minute(s) 14 second(s))"
"Total object scanned:";"405720"
"User who launched the scan:";"kemsi"

"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\Simon\Cookies\simon@atdmt[2].txt:\atdmt.com.9e6d7fd3";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\Simon\Cookies\simon@atdmt[2].txt:\atdmt.com.74c5668";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\Simon\Cookies\simon@atdmt[2].txt";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\yadro.ru.c77afad5";"Found Tracking cookie.Yadro";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\tribalfusion.com.dcc03271";"Found Tracking cookie.Tribalfusion";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\tacoda.net.c4fe2ebb";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\tacoda.net.5935e89";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\tacoda.net.4366831a";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\tacoda.net.27341d57";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\serving-sys.com.c9034af6";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\serving-sys.com.6a1cf9e8";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\serving-sys.com.606c3d3b";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\searchportal.information.com.3a8d7204";"Found Tracking cookie.Information";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\serving-sys.com.4b416ef8";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\serving-sys.com.400f83f";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\serving-sys.com.255d6f2f";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\overture.com.d727de6f";"Found Tracking cookie.Overture";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\overture.com.52ca467a";"Found Tracking cookie.Overture";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\ivwbox.de.41d82fe2";"Found Tracking cookie.Ivwbox";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\bs.serving-sys.com.5bf1f00f";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\revsci.net.e9dbeb91";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\revsci.net.44927ec";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\revsci.net.3c8e1d5b";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\revsci.net.2df99d79";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\msnportal.112.2o7.net.7225be6f";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\adtech.de.a9245469";"Found Tracking cookie.Adtech";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\adbrite.com.e1f04284";"Found Tracking cookie.Adbrite";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\adbrite.com.775ee79c";"Found Tracking cookie.Adbrite";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\adbrite.com.d5e309c2";"Found Tracking cookie.Adbrite";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\adbrite.com.71beeff9";"Found Tracking cookie.Adbrite";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\adbrite.com.557c9f74";"Found Tracking cookie.Adbrite";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\adbrite.com.44f92a69";"Found Tracking cookie.Adbrite";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\2o7.net.706680ba";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite";"Found Tracking cookie.2o7";"Potentially dangerous object"

"Rootkits"
"File";"Infection";"Result"
"C:\WINDOWS\System32\Drivers\avw3tpy3.SYS";"Hidden driver";"Object is hidden"

"Information"

"File";"Infection";"Result"
"C:\WINDOWS\system32\drivers\sptd.sys";"Locked file. Not tested.";"Locked file. Not tested."
"C:\WINDOWS\system32\config\system";"Locked file. Not tested.";"Locked file. Not tested."
"C:\WINDOWS\system32\config\software";"Locked file. Not tested.";"Locked file. Not tested."
"C:\WINDOWS\system32\config\SECURITY";"Locked file. Not tested.";"Locked file. Not tested."
"C:\WINDOWS\system32\config\SAM";"Locked file. Not tested.";"Locked file. Not tested."
"C:\WINDOWS\system32\config\default";"Locked file. Not tested.";"Locked file. Not tested."
"C:\WINDOWS\SoftwareDistribution\Download\99aa722de62f08eaf0a08e358055eff7\MAINSP3ff.cab:\MAINSP3ff.msp:\PCW_CAB_H6000_1:\EUROTOOL.XLA";"Contains macros";""
"C:\WINDOWS\SoftwareDistribution\Download\99aa722de62f08eaf0a08e358055eff7\MAINSP3ff.cab:\MAINSP3ff.msp:\PCW_CAB_H6000_1";"Contains macros";""
"C:\WINDOWS\SoftwareDistribution\Download\99aa722de62f08eaf0a08e358055eff7\MAINSP3ff.cab:\MAINSP3ff.msp";"Contains macros";""
"C:\WINDOWS\SoftwareDistribution\Download\99aa722de62f08eaf0a08e358055eff7\MAINSP3ff.cab";"Contains macros";""
"C:\System Volume Information\";"Locked file. Not tested.";"Locked file. Not tested."
"C:\Program Files\Microsoft Office\Templates\1053\Thesis.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\PROFMLTR.DOT";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\PROFMFAX.DOT";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\PROFMADR.DOT";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\Professional Resume.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\Professional Report.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\Professional Letter.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\Professional Fax.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\MERGELTR.DOT";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\Manual.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\ELEGMLTR.DOT";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\ELEGMFAX.DOT";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\ELEGMADR.DOT";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\Elegant Resume.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\Elegant Report.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\Elegant Memo.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\Elegant Letter.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\Elegant Fax.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\Directory.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\CONTMLTR.DOT";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\CONTMFAX.DOT";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\CONTMADR.DOT";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\Contemporary Resume.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\Contemporary Report.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\Contemporary Memo.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\Contemporary Letter.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\Contemporary Fax.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\Brochure.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\Samples\SOLVSAMP.XLS";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\Samples\SAMPLES.XLS";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\Samples\Northwind.mdb:\embedded.doc";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\Samples\Northwind.mdb";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\Makrobib\SUMIF.XLA";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\Makrobib\Solver\SOLVER.XLA";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\Makrobib\LOOKUP.XLA";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\Makrobib\HTML.XLA";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\Makrobib\EUROTOOL.XLA";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\Makrobib\Analys\PROCDB.XLA";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\Makrobib\Analys\FUNCRES.XLA";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\Makrobib\Analys\ATPVBASV.XLA";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\Makrobib\Analys\ATPVBAEN.XLA";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\Macros\SUPPORT.DOT";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\1053\XL8GALRY.XLS";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\1053\FPNWIND.MDB:\embedded.doc";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\1053\FPNWIND.MDB";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\1053\EXPTOOWS.XLA";"Contains macros";""
"C:\Program Files\AVG\AVG8\IdentityProtection\agent\config\userList.zip";"Password-protected";""
"C:\Program Files\AVG\AVG8\IdentityProtection\agent\config\quarantinedList.zip";"Password-protected";""
"C:\Program Files\AVG\AVG8\IdentityProtection\agent\config\internalList.zip";"Password-protected";""
"C:\pagefile.sys";"Locked file. Not tested.";"Locked file. Not tested."
"C:\Documents and Settings\Simon\NTUSER.DAT";"Locked file. Not tested.";"Locked file. Not tested."
"C:\Documents and Settings\Simon\My Documents\Downloads\ORK\ORK.CAB:\WWSUPPT.XLS";"Contains macros";""
"C:\Documents and Settings\Simon\My Documents\Downloads\ORK\ORK.CAB:\REGKEY.XLS";"Contains macros";""
"C:\Documents and Settings\Simon\My Documents\Downloads\ORK\ORK.CAB:\PRESBROD.XLS";"Contains macros";""
"C:\Documents and Settings\Simon\My Documents\Downloads\ORK\ORK.CAB:\FILELIST.XLS";"Contains macros";""
"C:\Documents and Settings\Simon\My Documents\Downloads\ORK\ORK.CAB:\ERRORMSG.XLS";"Contains macros";""
"C:\Documents and Settings\Simon\My Documents\Downloads\ORK\ORK.CAB:\CLEANER.XLA";"Contains macros";""
"C:\Documents and Settings\Simon\My Documents\Downloads\ORK\ORK.CAB:\ASPSCRPT.XLS";"Contains macros";""
"C:\Documents and Settings\Simon\My Documents\Downloads\ORK\ORK.CAB";"Contains macros";""
"C:\Documents and Settings\Simon\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat";"Locked file. Not tested.";"Locked file. Not tested."
"C:\Documents and Settings\Simon\Desktop\DC++\ORK\ORK.CAB:\WWSUPPT.XLS";"Contains macros";""
"C:\Documents and Settings\Simon\Desktop\DC++\ORK\ORK.CAB:\REGKEY.XLS";"Contains macros";""
"C:\Documents and Settings\Simon\Desktop\DC++\ORK\ORK.CAB:\PRESBROD.XLS";"Contains macros";""
"C:\Documents and Settings\Simon\Desktop\DC++\ORK\ORK.CAB:\FILELIST.XLS";"Contains macros";""
"C:\Documents and Settings\Simon\Desktop\DC++\ORK\ORK.CAB:\ERRORMSG.XLS";"Contains macros";""
"C:\Documents and Settings\Simon\Desktop\DC++\ORK\ORK.CAB:\CLEANER.XLA";"Contains macros";""
"C:\Documents and Settings\Simon\Desktop\DC++\ORK\ORK.CAB:\ASPSCRPT.XLS";"Contains macros";""
"C:\Documents and Settings\Simon\Desktop\DC++\ORK\ORK.CAB";"Contains macros";""
"C:\Documents and Settings\Simon\Desktop\DC++\New Folder\Excel.en-us\ExcelLR.cab:\SUMIF.XLAM_1033";"Contains macros";""
"C:\Documents and Settings\Simon\Desktop\DC++\New Folder\Excel.en-us\ExcelLR.cab:\SOLVSAMP.XLS_1033";"Contains macros";""
"C:\Documents and Settings\Simon\Desktop\DC++\New Folder\Excel.en-us\ExcelLR.cab:\SOLVER.XLAM_1033";"Contains macros";""
"C:\Documents and Settings\Simon\Desktop\DC++\New Folder\Excel.en-us\ExcelLR.cab:\PROCDB.XLAM_1033";"Contains macros";""
"C:\Documents and Settings\Simon\Desktop\DC++\New Folder\Excel.en-us\ExcelLR.cab:\LOOKUP.XLAM_1033";"Contains macros";""
"C:\Documents and Settings\Simon\Desktop\DC++\New Folder\Excel.en-us\ExcelLR.cab:\FUNCRES.XLAM_1033";"Contains macros";""
"C:\Documents and Settings\Simon\Desktop\DC++\New Folder\Excel.en-us\ExcelLR.cab:\ATPVBAEN.XLAM_1033";"Contains macros";""
"C:\Documents and Settings\Simon\Desktop\DC++\New Folder\Excel.en-us\ExcelLR.cab";"Contains macros";""
"C:\Documents and Settings\NetworkService\NTUSER.DAT";"Locked file. Not tested.";"Locked file. Not tested."
"C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat";"Locked file. Not tested.";"Locked file. Not tested."
"C:\Documents and Settings\LocalService\NTUSER.DAT";"Locked file. Not tested.";"Locked file. Not tested."
"C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat";"Locked file. Not tested.";"Locked file. Not tested."
"C:\Documents and Settings\All Users\Application Data\Downloaded Installations\{70ADDA88-7F88-46A1-A9C4-5BD9EA9934A1}\AVGIDP_setup.msi:\Data1.cab:\internallist.zip";"Password-protected";""
"C:\Documents and Settings\All Users\Application Data\Downloaded Installations\{70ADDA88-7F88-46A1-A9C4-5BD9EA9934A1}\AVGIDP_setup.msi:\Data1.cab";"Password-protected";""
"C:\Documents and Settings\All Users\Application Data\Downloaded Installations\{70ADDA88-7F88-46A1-A9C4-5BD9EA9934A1}\AVGIDP_setup.msi";"Password-protected";""

This post has been edited by kemsi: 05 November 2009 - 21:25
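As an added illustration (not code from the thread, from AVG or from the forum), a small Python triage helper for the report format kemsi pasted above: it reads the semicolon-separated, double-quoted rows, checks the declared counts against the rows actually present (a truncated paste shows up as a mismatch), and pulls out the rootkit rows the scanner only reported, flagging random eight-character driver names like the two that changed between scans. SAMPLE_REPORT is a constructed, shortened version of the pasted log, and the function names are our own.

```python
"""Triage helper for AVG 8 scan reports (added example; constructed sample data)."""
import csv
import re
from collections import defaultdict

SECTIONS = ("Warnings", "Rootkits", "Information")
HEADER_ROW = ["File", "Infection", "Result"]
# Eight alphanumerics plus .sys: the shape of both names kemsi reported
# (avw3tpy3.SYS in this scan, amb2d7rq.SYS in the earlier one).
RANDOM_DRIVER = re.compile(r"^[a-z0-9]{8}\.sys$", re.IGNORECASE)

# Constructed sample in the pasted report's format ("" escapes a literal quote).
SAMPLE_REPORT = r'''"Scan ""Scan whole computer"" was finished."
"Rootkits";"1";"0";"1"
"Warnings";"2"
"Information";"1"

"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\Simon\Cookies\simon@atdmt[2].txt";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\2o7.net.706680ba";"Found Tracking cookie.2o7";"Potentially dangerous object"

"Rootkits"
"File";"Infection";"Result"
"C:\WINDOWS\System32\Drivers\avw3tpy3.SYS";"Hidden driver";"Object is hidden"

"Information"

"File";"Infection";"Result"
"C:\WINDOWS\system32\drivers\sptd.sys";"Locked file. Not tested.";"Locked file. Not tested."
'''


def parse_report(text):
    """Return (declared_counts, findings): the summary block's per-section
    counts, and one dict per finding row with section/file/infection/result."""
    counts, findings, section = {}, [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        # The csv module resolves the "" escape in the banner line for us.
        row = next(csv.reader([raw], delimiter=";", quotechar='"'))
        if len(row) == 1:
            if row[0] in SECTIONS:      # section header such as "Rootkits"
                section = row[0]
            continue                    # otherwise free text (the banner)
        if section is None:             # still inside the summary block
            if row[1].isdigit():
                counts[row[0]] = int(row[1])
            continue
        if row[:3] == HEADER_ROW or len(row) < 3:
            continue
        findings.append({"section": section, "file": row[0],
                         "infection": row[1], "result": row[2]})
    return counts, findings


def count_mismatches(counts, findings):
    """Sections whose declared count disagrees with the rows present.
    Non-empty means a truncated or edited paste: ask for the log again."""
    seen = defaultdict(int)
    for f in findings:
        seen[f["section"]] += 1
    return {s: (counts.get(s), seen[s]) for s in SECTIONS if counts.get(s) != seen[s]}


def unresolved_rootkits(findings):
    """Rootkit rows the scanner only reported (no move/remove in Result),
    each tagged with whether the driver file name looks randomly generated."""
    out = []
    for f in findings:
        if f["section"] != "Rootkits":
            continue
        if f["result"].lower().startswith(("moved", "removed", "deleted")):
            continue
        name = f["file"].rsplit("\\", 1)[-1]
        out.append({**f, "random_name": RANDOM_DRIVER.match(name) is not None})
    return out


def same_slot_renamed(old_path, new_path):
    """True when two scans report a hidden driver in the same directory under
    different random 8-character names, as happened between kemsi's scans."""
    old_dir, old_name = old_path.lower().rsplit("\\", 1)
    new_dir, new_name = new_path.lower().rsplit("\\", 1)
    return (old_dir == new_dir and old_name != new_name
            and RANDOM_DRIVER.match(old_name) is not None
            and RANDOM_DRIVER.match(new_name) is not None)


if __name__ == "__main__":
    counts, findings = parse_report(SAMPLE_REPORT)
    print("declared counts:", counts)
    print("count mismatches:", count_mismatches(counts, findings) or "none")
    for rk in unresolved_rootkits(findings):
        print(f"unresolved: {rk['file']} ({rk['infection']}; random-looking name: {rk['random_name']})")
    print("renamed between scans:", same_slot_renamed(
        r"C:\WINDOWS\SYSTEM32\Drivers\amb2d7rq.SYS", r"C:\WINDOWS\System32\Drivers\avw3tpy3.SYS"))
```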


#10 Cecilia

Cecilia
  • Honorary member
  • 3,431 posts

Posted 05 November 2009 - 23:04

Don't replace AVG for the time being, since there is always a risk that the installation goes wrong.

Save ComboFix to the Desktop:
http://download.blee...Bs/ComboFix.exe

Close all programs you can see, including antivirus and antispyware programs, but leave the firewall on.
How? See http://www.bleepingc...opic114351.html
Run ComboFix and follow the instructions shown.
If you are asked whether you want to install the Recovery Console, answer yes.

IMPORTANT! Do not click on the ComboFix window with the mouse while it is running, otherwise it may hang.

When it is finished a log should appear; attach it to your reply. Check that the antivirus program etc. are running before you connect to the internet.

If you have problems getting onto the internet:
Control Panel - Network Connections
right-click your internet connection and choose Repair, and/or restart the computer.

Warning! ComboFix disables autorun of CDs, floppies and USB devices, to make it easier to clean the computer and to protect it against infections in future. This can cause problems, e.g. if the computer gets its internet via a USB modem or USB network adapter. In that case, say so instead of running ComboFix.

#11 Manneman

Manneman

    Moderator

  • Moderator
  • PipPipPipPipPipPipPipPip
  • 4 526 posts

Posted 06 November 2009 - 06:33

Thread moved to the correct forum category...

Magnus

*  HP Envy 17-2092eo + Windows 7 x64 SP1  *  
*  HP Pavilion DV6 1100 + Windows 8 Consumer Preview + Windows 7 x64 SP1 Dual Boot  *
*  HP 6530b (2st) + Windows 7 x86 SP1  *

#12 kemsi

kemsi
  • Member
  • Pip
  • 18 posts

Posted 06 November 2009 - 22:01

Cecilia, on 05 November 2009 - 23:04, wrote:

Don't replace AVG for the time being, as there is always a risk that the installation goes wrong.

Save ComboFix to the Desktop:
http://download.blee...Bs/ComboFix.exe

Close all programs you see, including antivirus and antispyware programs, but leave the firewall on.
How? See http://www.bleepingc...opic114351.html
Run ComboFix and follow the instructions shown.
If you are asked whether you want to install the Recovery Console, answer yes.

IMPORTANT! Do not click in the ComboFix window with the mouse while it is running, otherwise it may hang.

When it has finished, a log should appear; attach it to your reply. Check that the antivirus program etc. is running before you connect to the internet.

If you have trouble getting onto the internet:
Control Panel - Network Connections
right-click your internet connection and choose Repair, and/or restart the computer.

Warning! ComboFix disables autorun for CDs, floppy disks and USB devices to make it easier to clean the computer and to protect it against infections in the future. This can cause problems, for example if the computer connects to the internet through a USB modem or a USB network adapter. If so, say so instead of running ComboFix.

There, now I think I've managed to scan the computer with ComboFix the right way; I had some trouble with the program at first, as it hung 3 to 4 times.
Here comes the log, I hope it tells you something. Thanks :)

ComboFix 09-11-05.01 - Simon 2009-11-06 16:45.2.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.46.1033.18.2046.1481 [GMT 1:00]
Körs från: c:\documents and settings\Simon\My Documents\Hämtade filer\ComboFix.exe
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

(((((((((((((((((((((((((((((((((((((((   Andra raderingar   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Föregående körning -------
.
C:\install.exe

.
((((((((((((((((((((((((   Filer Skapade från 2009-10-06 till 2009-11-06  ))))))))))))))))))))))))))))))
.

2009-11-06 14:05 . 2009-11-06 14:05 -------- d-----w- c:\windows\system32\xircom
2009-11-06 14:05 . 2009-11-06 14:05 -------- d-----w- c:\windows\system32\wbem\snmp
2009-11-06 14:05 . 2009-11-06 14:05 -------- d-----w- c:\program files\microsoft frontpage
2009-11-05 21:18 . 2009-11-05 21:18 152576 ----a-w- c:\documents and settings\Simon\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-05 14:25 . 2009-10-21 09:41 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-11-03 14:49 . 2009-10-21 09:41 2025752 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-10-16 02:15 . 2009-07-17 16:22 1435648 ------w- c:\windows\system32\dllcache\query.dll
2009-10-16 02:15 . 2009-08-26 08:03 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2009-10-16 02:14 . 2009-09-04 21:03 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-10-13 19:42 . 2009-10-13 19:42 -------- d-----w- c:\windows\SxsCaPendDel
2009-10-13 19:15 . 2009-10-13 19:41 -------- d-----w- c:\program files\LearnWARE

.
((((((((((((((((((((((((((((((((((((((((   Find3M Rapport   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-05 21:19 . 2009-03-19 15:34 -------- d-----w- c:\program files\Java
2009-11-04 23:09 . 2009-03-12 00:12 -------- d-----w- c:\program files\Steam
2009-11-04 19:31 . 2009-01-26 20:33 38 ----a-w- c:\documents and settings\Simon\jagex_runescape_preferences.dat
2009-11-04 19:10 . 2009-09-02 13:08 63 ----a-w- c:\documents and settings\Simon\jagex_runescape_preferences2.dat
2009-10-27 21:09 . 2009-01-26 19:17 -------- d-----w- c:\documents and settings\Simon\Application Data\uTorrent
2009-10-23 15:50 . 2009-02-07 19:09 -------- d-----w- c:\documents and settings\Simon\Application Data\dvdcss
2009-10-11 03:17 . 2009-01-26 20:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-01 02:52 . 2009-03-01 14:50 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-29 14:30 . 2009-09-29 14:29 -------- d-----w- c:\program files\SwiftKit
2009-09-29 14:29 . 2009-09-29 14:29 -------- d-----w- c:\documents and settings\All Users\Application Data\SwiftKit
2009-09-28 11:58 . 2009-09-25 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-09-25 21:02 . 2009-09-25 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-09-25 21:02 . 2009-09-25 21:02 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-25 21:02 . 2009-09-25 21:02 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-09-25 21:02 . 2009-09-25 21:02 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-25 21:02 . 2009-09-25 21:02 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-25 21:02 . 2009-09-25 21:02 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-09-25 21:00 . 2009-09-25 21:00 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-09-25 21:00 . 2009-09-25 21:00 29208 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-09-25 21:00 . 2009-01-26 19:02 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-25 19:44 . 2009-03-01 14:50 -------- d-----w- c:\program files\NOS
2009-09-17 13:47 . 2009-09-17 13:46 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-14 18:55 . 2009-09-14 18:55 -------- d-----w- c:\documents and settings\Simon\Application Data\Uniblue
2009-09-14 10:58 . 2009-09-14 10:58 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-12 13:20 . 2009-04-10 23:56 -------- d-----w- c:\program files\Free Music Zilla
2009-09-11 14:13 . 2009-01-08 19:09 136704 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 10:59 . 2009-03-03 22:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-10 19:55 . 2009-09-10 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-09-04 21:03 . 2008-04-14 04:42 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 16:56 . 2009-09-03 16:56 152576 ----a-w- c:\documents and settings\Simon\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-09-02 09:58 . 2009-09-28 11:58 1107200 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-08-29 08:08 . 2008-10-16 19:38 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:03 . 2009-01-08 19:12 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-17 11:52 . 2009-01-26 19:18 68840 ----a-w- c:\documents and settings\Simon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-11 14:48 . 2009-08-11 14:48 152576 ----a-w- c:\documents and settings\Simon\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[-] 2009-01-08 . 5AE1C2695F6523AD98B948F2887D8C5E . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys

[-] 2009-01-08 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((   SnapShot@2009-11-06_10.50.41   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-06 14:10 . 2009-11-06 14:10 16384              c:\windows\Temp\Perflib_Perfdata_2e4.dat
.
((((((((((((((((((((((((((((((((((   Startpunkter i registret   )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Not*  Tomma poster & legitima standardposter visas inte.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-02 09:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-03 2028312]
"AVGIDS"="c:\program files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe" [2009-07-22 1600008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2009-01-26 577536]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-01-15 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-25 21:02 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BankID Security Application.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^Simon^Start Menu^Programs^Startup^Free Music Zilla.lnk]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Simon\\Desktop\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Steam\\steamapps\\baileys_boy15@hotmail.com\\counter-strike\\hl.exe"=
"c:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2009-07-22 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-09-25 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-09-25 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-09-25 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-09-25 297752]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [2009-09-25 1370488]
R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe [2009-07-22 571912]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-07-19 55152]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-09-25 29208]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSDriver.sys [2009-07-22 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSFilter.sys [2009-07-22 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys [2009-07-22 27232]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe [2009-07-22 5641736]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-09-25 29208]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2009-02-06 533360]

--- Övriga tjänster/drivrutiner i minnet ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Innehållet i mappen 'Schemalagda aktiviteter':

2009-10-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-11-06 c:\windows\Tasks\User_Feed_Synchronization-{5F672323-F82B-4270-B21F-20C416B04789}.job
- c:\windows\system32\msfeedssync.exe [2009-01-08 02:31]
.
.
------- Extra genomsökning -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: E&xportera till Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - www.google.se
FF - prefs.js: keyword.URL - hxxp://se.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_se&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Personal\bin\np_prsnl.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICY ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 16:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spcv.sys >>UNKNOWN [0x89E09938]<<
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

atapi.sys @ 0x0 0x0 bytes

\Driver\atapi [ IRP_MJ_CREATE ] 0xA6F2 != 0xB9DFCB40 atapi.sys
\Driver\atapi [ IRP_MJ_CLOSE ] 0xA6F2 != 0xB9DFCB40 atapi.sys
\Driver\atapi [ IRP_MJ_DEVICE_CONTROL ] 0xA712 != 0xB9DFCB40 atapi.sys
\Driver\atapi [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x6852 != 0xB9DFCB40 atapi.sys
\Driver\atapi [ IRP_MJ_POWER ] 0xA73C != 0xB9DFCB40 atapi.sys
\Driver\atapi [ IRP_MJ_SYSTEM_CONTROL ] 0x11336 != 0xB9DFCB40 atapi.sys
\Driver\atapi IRP hooks detected !

**************************************************************************
.
--------------------- DLLer som "laddats" under processer som körs ---------------------

- - - - - - - > 'explorer.exe'(220)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Sluttid: 2009-11-06 16:53
ComboFix-quarantined-files.txt  2009-11-06 15:52

Före genomsökningen: 21 507 198 976 bytes free
Efter genomsökningen: 21 471 346 688 bytes free

- - End Of File - - 6CB80DD0A77FF6A9EDC971DAFDCA9C60

#13 Cecilia

Cecilia
  • Honorary member
  • 3 431 posts

Posted 06 November 2009 - 22:39

1. If you have Daemon Tools, Alcohol 120% or a similar program that creates virtual CD drives, uninstall that program for the time being and then restart the computer.

2. Save this file to the Desktop:
http://download.blee.../Win32kDiag.exe
Run the program.
When it has finished, a log file Win32kDiag.txt is created on the Desktop. Paste it into your reply.

3. Save this file to the Desktop:
http://rootrepeal.go.../RootRepeal.zip
Unpack (extract) the zip file so that you get a program file.
Start RootRepeal.
Choose the Report tab and press Scan.
Tick all seven options and then press Yes.
Select C: and press Ok.
It takes a while for RootRepeal to scan C:.
When the scan is finished, press Save Report and save it under the name rootrepeal.log. Paste in the contents of rootrepeal.log.

4. Save Gmer to the Desktop from one of these pages:
http://www.gmer.net/files.php choose Gmer application
http://www.majorgeek...GMER_d5198.html
Unpack the file to the Desktop.
Unplug the internet connection.
Close all programs, including the antivirus program and firewall.
Start the program gmer.exe.
If a question about "scan" comes up, choose No. Save the log and paste it into your reply. Do nothing more.

If the question does not appear, choose the Rootkit/Malware tab and check that everything on the right is ticked except Show All. Press Scan. Leave the computer alone while Gmer is running.
Press Save and save the result on the Desktop.
Turn on the antivirus program and firewall before you connect to the internet.
Paste the result into your reply.
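Step 3 produces a rootrepeal.log whose SSDT section lists which kernel module hooks each system call. As an added example (not code from RootRepeal or from anyone in this thread), the Python script below groups those entries by hooking module and sets aside the ones from an expected security product so that a helper can review the remaining hooks first; the allowlist and the embedded sample report are constructed assumptions, laid out the way RootRepeal prints its reports.

```python
"""Triage the SSDT section of a RootRepeal report.

Added example for this thread, not code from RootRepeal or from any post:
it groups "Hooked by" entries by the module that installed the hook so that
hooks from an expected security product can be set aside and the remaining
ones reviewed first. The allowlist and the embedded sample report are
constructed assumptions; the sample follows the layout RootRepeal prints.
"""
import re
from collections import defaultdict

# Modules expected to hook the SSDT on a machine running AVG 8 with Identity
# Protection (assumption for this example; extend per machine under review).
KNOWN_HOOKERS = {"avgidsshim.sys"}

# Constructed sample in RootRepeal's report layout (not a real scan result).
SAMPLE_REPORT = r"""
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/11/07 02:29
Program Version: Version 1.3.5.0
==================================================

Drivers
-------------------
Name: spcv.sys
Image Path: spcv.sys
Address: 0xB9EA7000 Size: 1048576 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba3c98a0

#: 041 Function Name: NtCreateKey
Status: Hooked by "spcv.sys" at address 0xb9ea80e0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spcv.sys" at address 0xb9ec6ca2

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba3c98d0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x89de71f8 Size: 121
"""

ENTRY_RE = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\S+)")
HOOK_RE = re.compile(r'^Status:\s*Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')


def parse_ssdt_hooks(report):
    """Return (index, function, module_path, address) tuples from the SSDT section.

    RootRepeal prints each section as its name, a dashed rule, then entries;
    the SSDT section ends where the next section name appears.
    """
    hooks = []
    in_ssdt = False
    pending = None
    for line in report.splitlines():
        stripped = line.strip()
        if stripped == "SSDT":
            in_ssdt = True
            continue
        if not in_ssdt:
            continue
        if stripped and not stripped.startswith(("#:", "Status:", "---")):
            break  # first line of the next section
        m = ENTRY_RE.match(stripped)
        if m:
            pending = (int(m.group(1)), m.group(2))
            continue
        m = HOOK_RE.match(stripped)
        if m and pending is not None:
            hooks.append((pending[0], pending[1], m.group(1), m.group(2)))
            pending = None
    return hooks


def module_name(path):
    """Lower-case file name of a module path, so full paths and bare names compare equal."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(report, known=KNOWN_HOOKERS):
    """Split hooked functions into {module: [functions]} for known and unknown modules."""
    known_hooks, unknown_hooks = defaultdict(list), defaultdict(list)
    for _index, func, path, _addr in parse_ssdt_hooks(report):
        name = module_name(path)
        bucket = known_hooks if name in known else unknown_hooks
        bucket[name].append(func)
    return dict(known_hooks), dict(unknown_hooks)


if __name__ == "__main__":
    known, unknown = triage(SAMPLE_REPORT)
    for module, funcs in known.items():
        print(f"expected  {module}: {', '.join(funcs)}")
    for module, funcs in unknown.items():
        print(f"REVIEW    {module}: {', '.join(funcs)}")
```

Run it against a saved rootrepeal.log by reading the file into `triage()` instead of the sample; a module in the REVIEW list is not proof of infection, only the place to look first.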

#14 kemsi

kemsi
  • Member
  • Pip
  • 18 posts

Posted 07 November 2009 - 14:53

Cecilia, on 06 November 2009 - 22:39, wrote:

1. If you have Daemon Tools, Alcohol 120% or a similar program that creates virtual CD drives, uninstall that program for the time being and then restart the computer.

2. Save this file to the Desktop:
http://download.blee.../Win32kDiag.exe
Run the program.
When it has finished, a log file Win32kDiag.txt is created on the Desktop. Paste it into your reply.

3. Save this file to the Desktop:
http://rootrepeal.go.../RootRepeal.zip
Unpack (extract) the zip file so that you get a program file.
Start RootRepeal.
Choose the Report tab and press Scan.
Tick all seven options and then press Yes.
Select C: and press Ok.
It takes a while for RootRepeal to scan C:.
When the scan is finished, press Save Report and save it under the name rootrepeal.log. Paste in the contents of rootrepeal.log.

4. Save Gmer to the Desktop from one of these pages:
http://www.gmer.net/files.php choose Gmer application
http://www.majorgeek...GMER_d5198.html
Unpack the file to the Desktop.
Unplug the internet connection.
Close all programs, including the antivirus program and firewall.
Start the program gmer.exe.
If a question about "scan" comes up, choose No. Save the log and paste it into your reply. Do nothing more.

If the question does not appear, choose the Rootkit/Malware tab and check that everything on the right is ticked except Show All. Press Scan. Leave the computer alone while Gmer is running.
Press Save and save the result on the Desktop.
Turn on the antivirus program and firewall before you connect to the internet.
Paste the result into your reply.

Okay, now I've tried not to miss anything and pasted in the scan logs from Win32kDiag, RootRepeal and Gmer. :)
When I scanned with Win32kDiag, "WARNING: Could not get backup privileges!" came up; what does this mean? Thanks :)


Win32kDiag.txt.

Running from: C:\Documents and Settings\Simon\Desktop\Win32kDiag(2).exe

Log file at : C:\Documents and Settings\Simon\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...


Finished!




rootrepeal.log.


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/07 02:29
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: a5bed12r.SYS
Image Path: C:\WINDOWS\System32\Drivers\a5bed12r.SYS
Address: 0xB8839000 Size: 221184 File Visible: No Signed: -
Status: -

Name: catchme.sys
Image Path: C:\DOCUME~1\Simon\LOCALS~1\Temp\catchme.sys
Address: 0xB4DD2000 Size: 31744 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB56A8000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5D0000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP2594
Image Path: \Driver\PCI_PNP2594
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xBA5EE000 Size: 7872 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB4FEF000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spcv.sys
Image Path: spcv.sys
Address: 0xB9EA7000 Size: 1048576 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba3c98a0

#: 041 Function Name: NtCreateKey
Status: Hooked by "spcv.sys" at address 0xb9ea80e0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spcv.sys" at address 0xb9ec6ca2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spcv.sys" at address 0xb9ec7030

#: 119 Function Name: NtOpenKey
Status: Hooked by "spcv.sys" at address 0xb9ea80c0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba3c98d0

#: 160 Function Name: NtQueryKey
Status: Hooked by "spcv.sys" at address 0xb9ec7108

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spcv.sys" at address 0xb9ec6f88

#: 247 Function Name: NtSetValueKey
Status: Hooked by "spcv.sys" at address 0xb9ec719a

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba3c9980

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba3c9a20

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba3c9ac0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: a5bed12rЅఅ瑎獆ର, IRP_MJ_CREATE]
Process: System Address: 0x89b2a1f8 Size: 121

Object: Hidden Code [Driver: a5bed12rЅఅ瑎獆ର, IRP_MJ_CLOSE]
Process: System Address: 0x89b2a1f8 Size: 121

Object: Hidden Code [Driver: a5bed12rЅఅ瑎獆ର, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89b2a1f8 Size: 121

Object: Hidden Code [Driver: a5bed12rЅఅ瑎獆ର, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89b2a1f8 Size: 121

Object: Hidden Code [Driver: a5bed12rЅఅ瑎獆ର, IRP_MJ_POWER]
Process: System Address: 0x89b2a1f8 Size: 121

Object: Hidden Code [Driver: a5bed12rЅఅ瑎獆ର, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89b2a1f8 Size: 121

Object: Hidden Code [Driver: a5bed12rЅఅ瑎獆ର, IRP_MJ_PNP]
Process: System Address: 0x89b2a1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x89b381f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x89b381f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x89b381f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x89b381f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89b381f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89b381f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89b381f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89b381f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x89b381f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89b381f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x89b381f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x89e551f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x89e551f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x89e551f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x89e551f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89e551f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89e551f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89e551f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89e551f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x89e551f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89e551f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x89e551f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
Process: System Address: 0x89ce81f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
Process: System Address: 0x89ce81f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89ce81f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89ce81f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
Process: System Address: 0x89ce81f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89ce81f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
Process: System Address: 0x89ce81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x89de91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x89de91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x89de91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89de91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89de91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89de91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89de91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x89de91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x89de91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89de91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x89de91f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x895bd1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x895bd1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x895bd1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x895bd1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x895bd1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x895bd1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x89cf0500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x89cf0500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89cf0500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89cf0500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x89cf0500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89cf0500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x89cf0500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: Mup, IRP_MJ_CREATE]
Process: System Address: 0x8991b500 Size: 121

Object: Hidden Code [Driver: Mup, IRP_MJ_CLOSE]
Process: System Address: 0x8991b500 Size: 121

Object: Hidden Code [Driver: Mup, IRP_MJ_READ]
Process: System Address: 0x8991b500 Size: 121

Object: Hidden Code [Driver: Mup, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8991b500 Size: 121

Object: Hidden Code [Driver: Mup, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8991b500 Size: 121

Object: Hidden Code [Driver: Mup, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8991b500 Size: 121

Object: Hidden Code [Driver: Mup, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8991b500 Size: 121

Object: Hidden Code [Driver: Mup, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8991b500 Size: 121

Object: Hidden Code [Driver: Mup, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8991b500 Size: 121

Object: Hidden Code [Driver: Mup, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8991b500 Size: 121

Object: Hidden Code [Driver: Mup, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8991b500 Size: 121

Object: Hidden Code [Driver: Mup, IRP_MJ_CLEANUP]
Process: System Address: 0x8991b500 Size: 121

Object: Hidden Code [Driver: Mup, IRP_MJ_PNP]
Process: System Address: 0x8991b500 Size: 121

Shadow SSDT
-------------------
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba3c9440

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba3c93b0

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba3c93f0

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba3c9330

==EOF==
Gmer.log

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-07 14:35:21
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Simon\LOCALS~1\Temp\uxtdypow.sys


---- System - GMER 1.0.15 ----

SSDT            \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies )  ZwClose [0xBA3C98A0]
SSDT            spcv.sys                                                                                                                                                      ZwCreateKey [0xB9EA80E0]
SSDT            spcv.sys                                                                                                                                                      ZwEnumerateKey [0xB9EC6CA2]
SSDT            spcv.sys                                                                                                                                                      ZwEnumerateValueKey [0xB9EC7030]
SSDT            spcv.sys                                                                                                                                                      ZwOpenKey [0xB9EA80C0]
SSDT            \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies )  ZwOpenProcess [0xBA3C98D0]
SSDT            spcv.sys                                                                                                                                                      ZwQueryKey [0xB9EC7108]
SSDT            spcv.sys                                                                                                                                                      ZwQueryValueKey [0xB9EC6F88]
SSDT            spcv.sys                                                                                                                                                      ZwSetValueKey [0xB9EC719A]
SSDT            \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies )  ZwTerminateProcess [0xBA3C9980]
SSDT            \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies )  ZwTerminateThread [0xBA3C9A20]
SSDT            \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies )  ZwWriteVirtualMemory [0xBA3C9AC0]

INT 0x62        ?                                                                                                                                                             89DE8BF8
INT 0x63        ?                                                                                                                                                             89DE8BF8
INT 0x73        ?                                                                                                                                                             89DE8BF8
INT 0x73        ?                                                                                                                                                             89DE8BF8
INT 0x73        ?                                                                                                                                                             89DE8BF8
INT 0xA4        ?                                                                                                                                                             89CE9BF8
INT 0xB4        ?                                                                                                                                                             89CE9BF8

Code            \??\C:\DOCUME~1\Simon\LOCALS~1\Temp\catchme.sys                                                                                                               pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

?               spcv.sys                                                                                                                                                      The system cannot find the file specified. !
.text           USBPORT.SYS!DllUnload                                                                                                                                         B92BB934 5 Bytes  JMP 89CE91D8
?               System32\Drivers\a5bed12r.SYS                                                                                                                                 The system cannot find the path specified. !
?               C:\DOCUME~1\Simon\LOCALS~1\Temp\catchme.sys                                                                                                                   The system cannot find the file specified. !
?               C:\WINDOWS\system32\Drivers\PROCEXP113.SYS                                                                                                                    The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT             atapi.sys[HAL.dll!READ_PORT_UCHAR]                                                                                                                            [B9EA9040] spcv.sys
IAT             atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT]                                                                                                                    [B9EA913C] spcv.sys
IAT             atapi.sys[HAL.dll!READ_PORT_USHORT]                                                                                                                           [B9EA90BE] spcv.sys
IAT             atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT]                                                                                                                   [B9EA97FC] spcv.sys
IAT             atapi.sys[HAL.dll!WRITE_PORT_UCHAR]                                                                                                                           [B9EA96D2] spcv.sys
IAT             \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]                                                                                            [B9EB9048] spcv.sys

---- Devices - GMER 1.0.15 ----

Device          \FileSystem\Ntfs \Ntfs                                                                                                                                        89DE71F8

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                                                                        AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )

Device          \FileSystem\Fastfat \FatCdrom                                                                                                                                 89967438

AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                                                                      avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device          \Driver\usbohci \Device\USBPDO-0                                                                                                                              89CE81F8
Device          \Driver\dmio \Device\DmControl\DmIoDaemon                                                                                                                     89E551F8
Device          \Driver\dmio \Device\DmControl\DmConfig                                                                                                                       89E551F8
Device          \Driver\dmio \Device\DmControl\DmPnP                                                                                                                          89E551F8
Device          \Driver\dmio \Device\DmControl\DmInfo                                                                                                                         89E551F8
Device          \Driver\usbehci \Device\USBPDO-1                                                                                                                              89CF0500

AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                                                     avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                                                     fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

Device          \Driver\Ftdisk \Device\HarddiskVolume1                                                                                                                        89DE91F8
Device          \Driver\Cdrom \Device\CdRom0                                                                                                                                  89B381F8
Device          \Driver\Cdrom \Device\CdRom1                                                                                                                                  89B381F8
Device          \Driver\atapi \Device\Ide\IdePort0                                                                                                                            [B9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4                                                                                                                   [B9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdePort1                                                                                                                            [B9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdePort2                                                                                                                            [B9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c                                                                                                                   [B9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdePort3                                                                                                                            [B9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdePort4                                                                                                                            [B9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdePort5                                                                                                                            [B9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\NetBT \Device\NetBt_Wins_Export                                                                                                                       895BD1F8
Device          \Driver\NetBT \Device\NetbiosSmb                                                                                                                              895BD1F8
Device          \Driver\PCI_PNP2594 \Device\0000004d                                                                                                                          spcv.sys

AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                                                                     avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                                                                     fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                                                                   avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                                                                   fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

Device          \Driver\NetBT \Device\NetBT_Tcpip_{77919B9D-AD1B-4EEF-8615-E359AA46085D}                                                                                      895BD1F8
Device          \Driver\usbohci \Device\USBFDO-0                                                                                                                              89CE81F8
Device          \Driver\usbehci \Device\USBFDO-1                                                                                                                              89CF0500
Device          \FileSystem\MRxSmb \Device\LanmanDatagramReceiver                                                                                                             89596500
Device          \FileSystem\MRxSmb \Device\LanmanRedirector                                                                                                                   89596500
Device          \Driver\sptd \Device\3276161344                                                                                                                               spcv.sys
Device          \Driver\Ftdisk \Device\FtControl                                                                                                                              89DE91F8
Device          \Driver\a5bed12r \Device\Scsi\a5bed12r1                                                                                                                       89B2A1F8
Device          \Driver\a5bed12r \Device\Scsi\a5bed12r1Port6Path0Target0Lun0                                                                                                  89B2A1F8
Device          \FileSystem\Fastfat \Fat                                                                                                                                      89967438

AttachedDevice  \FileSystem\Fastfat \Fat                                                                                                                                      fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice  \FileSystem\Fastfat \Fat                                                                                                                                      AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )

Device          \FileSystem\Cdfs \Cdfs                                                                                                                                        8991B500

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1                                                                                                            771343423
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2                                                                                                            285507792
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0                                                                                                            1
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4                                                                              
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0                                                                           C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                                                           0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                                                        0xCC 0x9F 0xB3 0x36 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001                                                                    
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0                                                                  0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                                                               0xCD 0xBE 0xD1 0x25 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40                                                              
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh                                                         0xAD 0x92 0x98 0xFF ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)                                                          
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0                                                                               C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                                                               0
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                                                            0xCC 0x9F 0xB3 0x36 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)                                                
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0                                                                      0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                                                                   0xCD 0xBE 0xD1 0x25 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)                                          
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh                                                             0xAD 0x92 0x98 0xFF ...

---- EOF - GMER 1.0.15 ----

#15 Cecilia

Cecilia
  • Honorary member
  • 3,431 posts

Posted 07 November 2009 - 15:46

There is a great deal in the logs that looks like it has to do with Daemon Tools. Are you sure the program is uninstalled?

The files that AVG has found, are they in AVG's quarantine?

#16 Cynthia

Cynthia
  • Member
  • 636 posts

Posted 07 November 2009 - 16:29

Cecilia, on 07 November 2009 - 15:46, wrote:

There is a great deal in the logs that looks like it has to do with Daemon Tools. Are you sure the program is uninstalled?

Quote

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

If you only run Daemon Tools' own uninstaller, the SPTD.sys driver does not go away. To remove all traces of it you have to run the installer from Duplex Secure and choose the uninstall option in that program.

http://www.duplexsecure.com/downloads

:)

#17 Cecilia

Cecilia
  • Honorary member
  • 3,431 posts

Posted 07 November 2009 - 16:40

Thanks, Cynthia! :)
It is often the Daemon drivers that make it hard to find the malicious programs among all the Daemon rows in the logs.
Is it only SPTD.sys that gets removed, or also the other driver that Daemon Tools installs? In the log above it is called SPCV.sys, but the name varies between computers.

#18 Cynthia

Cynthia
  • Member
  • 636 posts

Posted 07 November 2009 - 16:54

Hi! :)

SPTD.sys is also used by some other programs from Daemon Tools, e.g. BlindWrite, and that is presumably why Daemon Tools does not remove that driver. As far as I know, only SPTD.sys is uninstalled by the program from Duplex Secure.

I tried to find out who is behind SPCV.sys online, but the only thing I found was that it was listed in a few logs from antivirus/rootkit programs. So the question is whether it is a "real" file. I may be off track, but I get the impression that it is a file created by a virus.

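Added example (not part of the thread, and not a GMER or RootRepeal tool): a small Python triage script for GMER logs of the kind posted above. It parses the SSDT and IAT hook lines and the "cannot find the file" lines, groups hooks by hooking module, flags modules that GMER could not attribute to a vendor or could not open on disk, and diffs two logs so you can see which hooks disappeared after a change such as the Daemon Tools removal. The sample logs embedded in it are constructed for the example and modelled on the lines in the thread; the function names are my own.

```python
"""Triage helper for GMER rootkit-scan logs (added example, not a GMER tool).

Line shapes understood (columns are whitespace-separated):
    SSDT   <hooking module> (<description>/<vendor>)   <ZwFunction> [<address>]
    IAT    <image>[<dll>!<import>]                     [<address>] <hooking module>
    ?      <module path>   The system cannot find the file specified. !
The "(description/vendor)" part is only printed when GMER could read a
version resource from the file on disk.
"""
import re
from collections import defaultdict

_SSDT = re.compile(r"^SSDT\s+(?P<module>.+?)\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]\s*$")
_IAT = re.compile(r"^IAT\s+(?P<image>[^\[\s]+)\[(?P<imp>[^\]]+)\]\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>.+?)\s*$")
_MISSING = re.compile(r"^\?\s+(?P<module>.+?)\s+The system cannot find the (?:file|path) specified\. !\s*$")
_MODULE = re.compile(r"^(?P<path>.+?)(?:\s+\((?P<desc>[^/()]*)/(?P<vendor>[^()]*)\))?\s*$")

# Constructed sample logs modelled on the two GMER logs in the thread
# (before and after Daemon Tools was uninstalled).  Not real scan output.
SAMPLE_BEFORE = r"""
---- System - GMER 1.0.15 ----
SSDT   \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies )  ZwClose [0xBA3C98A0]
SSDT   spcv.sys   ZwCreateKey [0xB9EA80E0]
SSDT   spcv.sys   ZwOpenKey [0xB9EA80C0]
SSDT   \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies )  ZwOpenProcess [0xBA3C98D0]
---- Kernel code sections - GMER 1.0.15 ----
?      spcv.sys   The system cannot find the file specified. !
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT    atapi.sys[HAL.dll!READ_PORT_UCHAR]    [B9EA9040] spcv.sys
IAT    atapi.sys[HAL.dll!WRITE_PORT_UCHAR]   [B9EA96D2] spcv.sys
"""

SAMPLE_AFTER = r"""
---- System - GMER 1.0.15 ----
SSDT   \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies )  ZwClose [0xBA4898A0]
SSDT   \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies )  ZwOpenProcess [0xBA4898D0]
"""


def split_module(field):
    """Return (basename_lowercase, vendor_or_None) for a GMER module column."""
    m = _MODULE.match(field.strip())
    base = m.group("path").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    vendor = m.group("vendor")
    return base, (vendor.strip() if vendor else None)


def parse_hooks(text):
    """Yield (kind, target, module_field) for every SSDT / IAT hook line."""
    for line in text.splitlines():
        m = _SSDT.match(line)
        if m:
            yield "SSDT", m.group("func"), m.group("module")
            continue
        m = _IAT.match(line)
        if m:
            yield "IAT", f"{m.group('image')}[{m.group('imp')}]", m.group("module")


def missing_files(text):
    """Lowercase basenames of modules GMER saw loaded but could not open on disk."""
    return {split_module(m.group("module"))[0]
            for m in map(_MISSING.match, text.splitlines()) if m}


def triage(text):
    """Summarise hooks per module and flag the ones that deserve a closer look.

    A module is flagged when GMER printed no vendor for it or reported its
    file as missing on disk.  Both are what a driver hiding its own image
    looks like, but both are also what the SPTD layer from Daemon Tools
    looks like, so a flag is a lead, not a verdict.
    """
    summary = defaultdict(lambda: {"hooks": 0, "vendor": None, "file_missing": False})
    for _kind, _target, field in parse_hooks(text):
        base, vendor = split_module(field)
        summary[base]["hooks"] += 1
        if vendor:
            summary[base]["vendor"] = vendor
    for base in missing_files(text):          # may add modules with zero hooks
        summary[base]["file_missing"] = True
    for entry in summary.values():
        entry["suspicious"] = entry["vendor"] is None or entry["file_missing"]
    return dict(summary)


def hooks_removed(before, after):
    """Hooks (kind, target) present in an earlier log and gone in a later one."""
    seen_after = {(k, t) for k, t, _ in parse_hooks(after)}
    return {(k, t) for k, t, _ in parse_hooks(before)} - seen_after


if __name__ == "__main__":
    for name, info in sorted(triage(SAMPLE_BEFORE).items()):
        flag = "CHECK" if info["suspicious"] else "ok"
        print(f"{flag:5} {name:18} hooks={info['hooks']} vendor={info['vendor']} "
              f"missing={info['file_missing']}")
    print("gone after cleanup:", sorted(hooks_removed(SAMPLE_BEFORE, SAMPLE_AFTER)))
```

A flag is a lead, not a verdict. In this thread the unattributed module spcv.sys sits behind the `\Driver\sptd` device in the first GMER log and is absent from the second one after Daemon Tools was removed, which fits Cecilia's reading that it was the randomly named companion of SPTD rather than malware. Correlate flagged modules with the software known to be installed, and compare the two logs, before treating an unattributed hook as a rootkit.
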
#19 kemsi

kemsi
  • Member
  • 18 posts

Posted 08 November 2009 - 15:23

Cecilia, on 07 November 2009 - 15:46, wrote:

There is a great deal in the logs that looks like it has to do with Daemon Tools. Are you sure the program is uninstalled?

The files that AVG has found, are they in AVG's quarantine?

Yes, they appear to be in quarantine.
I have now removed Daemon Tools the right way and rescanned everything as in your instructions. Maybe it looks better now!
Thanks! :)


Win32Diag

Running from: C:\Documents and Settings\Simon\Desktop\Win32kDiag(2).exe

Log file at : C:\Documents and Settings\Simon\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/08 14:19
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB625A000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5CC000 Size: 8192 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba4898a0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba4898d0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba489980

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba489a20

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba489ac0

Shadow SSDT
-------------------
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba489440

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba4893b0

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba4893f0

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba489330

==EOF==




GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-08 15:19:56
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Simon\LOCALS~1\Temp\uxtdypow.sys






---- System - GMER 1.0.15 ----

SSDT            \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies )  ZwClose [0xBA4898A0]
SSDT            \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies )  ZwOpenProcess [0xBA4898D0]
SSDT            \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies )  ZwTerminateProcess [0xBA489980]
SSDT            \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies )  ZwTerminateThread [0xBA489A20]
SSDT            \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies )  ZwWriteVirtualMemory [0xBA489AC0]

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                                                                        AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )
AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                                                                      avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                                                     avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                                                     fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                                                                     avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                                                                     fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                                                                   avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                                                                   fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4                                                                              
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0                                                                           C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                                                           0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                                                        0xCC 0x9F 0xB3 0x36 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001                                                                    
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0                                                                  0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                                                               0xCD 0xBE 0xD1 0x25 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40                                                              
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh                                                         0xAD 0x92 0x98 0xFF ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)                                                          
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0                                                                               C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                                                               0
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                                                            0xCC 0x9F 0xB3 0x36 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)                                                
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0                                                                      0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                                                                   0xCD 0xBE 0xD1 0x25 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)                                          
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh                                                             0xAD 0x92 0x98 0xFF ...

---- EOF - GMER 1.0.15 ----

#20 Cecilia

Cecilia
  • Honorary member
  • 3 431 posts

Posted 08 November 2009 - 15:51

Yes, now it is possible to see that there do not appear to be any rootkits.

I suspect that AVG gave a false alarm and that the driver it put in quarantine belongs to Daemon Tools. To find out, I would like you to restore one of the files from the quarantine and then browse to that file on the page http://www.virustotal.com . Then press Send File and wait until the result is ready (Current status becomes Finished). Paste the result from the different antivirus programs (not Other information), or a link to the result, here.
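An added illustration of how the RootRepeal and GMER output above is read (this is not code from either tool and not part of kemsi's or Cecilia's posts): every SSDT and Shadow SSDT hook in the logs points at the same module, AVG's AVGIDSShim.sys under C:\Program Files\AVG, and both scanners report the same hook addresses, which is why the conclusion is "no rootkits". The script below parses both log formats, groups the hooked syscalls by the module that owns the hook, flags any hooking module outside a path a security product is expected to use, and checks that the two tools agree on the addresses. The trusted-path list is an assumption for this machine; the sample lines are copied from the logs above except the UNKNOWN_EXAMPLE.sys entry, which is constructed to show what a flagged hook looks like.

```python
"""Triage SSDT / Shadow SSDT hook lines printed by RootRepeal and GMER.

Added example for this thread, not output of either tool. Sample lines are
copied from the logs in the thread; the UNKNOWN_EXAMPLE.sys entry is
constructed to show a flagged result.
"""
import re
from collections import defaultdict

# Assumption for this example: the only product expected to hook the SSDT on
# this machine is AVG, installed under C:\Program Files\AVG.
TRUSTED_PREFIXES = (r"c:\program files\avg",)

# RootRepeal prints a "#: <index> Function Name: <Nt...>" line followed by a
# "Status: Hooked by "<module>" at address 0x..." line.
RR_FUNC = re.compile(r"^#:\s*\d+\s+Function Name:\s*(\S+)")
RR_HOOK = re.compile(r'^Status:\s*Hooked by\s+"([^"]+)"\s+at address\s+(0x[0-9a-fA-F]+)')
# GMER prints one line: SSDT  \??\<module> (<description>)  Zw... [0x...]
GMER_SSDT = re.compile(
    r"^SSDT\s+(?:\\\?\?\\)?(.+?\.sys)\s+\((.*?)\)\s+(\w+)\s+\[(0x[0-9A-Fa-f]+)\]"
)

SAMPLE_LOG = r"""
#: 025 Function Name: NtClose
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba4898a0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba4898d0

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba489440

SSDT            \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies )  ZwClose [0xBA4898A0]
SSDT            \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies )  ZwWriteVirtualMemory [0xBA489AC0]

#: 145 Function Name: NtQueryDirectoryFile
Status: Hooked by "C:\WINDOWS\system32\drivers\UNKNOWN_EXAMPLE.sys" at address 0xb9f00000
"""
# The last entry above is constructed: an unknown driver hooking directory
# enumeration is the classic shape of a file-hiding rootkit.


def normalize(func):
    """NtClose and ZwClose name the same SSDT slot; compare them by one name."""
    for prefix in ("Nt", "Zw"):
        if func.startswith(prefix):
            return func[len(prefix):]
    return func


def parse_hooks(text):
    """Return (function, module_path, address) for every hook line found."""
    hooks = []
    pending = None  # function name from the preceding RootRepeal "#:" line
    for raw in text.splitlines():
        line = raw.strip()
        m = RR_FUNC.match(line)
        if m:
            pending = m.group(1)
            continue
        m = RR_HOOK.match(line)
        if m and pending:
            hooks.append((normalize(pending), m.group(1), int(m.group(2), 16)))
            pending = None
            continue
        m = GMER_SSDT.match(line)
        if m:
            hooks.append((normalize(m.group(3)), m.group(1), int(m.group(4), 16)))
    return hooks


def triage(hooks):
    """Group hooks by owning module and mark modules outside TRUSTED_PREFIXES."""
    by_module = defaultdict(dict)
    for func, path, addr in hooks:
        by_module[path][func] = addr
    return {
        path: {
            "functions": sorted(funcs),
            "trusted": path.lower().startswith(TRUSTED_PREFIXES),
        }
        for path, funcs in by_module.items()
    }


def flagged_modules(report):
    """Hooking modules that no known security product on the box accounts for."""
    return sorted(path for path, info in report.items() if not info["trusted"])


def consistent_addresses(hooks):
    """True when every (slot, module) pair has one hook address across tools.

    RootRepeal and GMER ran an hour apart; a slot whose address changed
    between the two scans would mean something re-hooked it in between.
    """
    seen = {}
    for func, path, addr in hooks:
        if seen.setdefault((func, path), addr) != addr:
            return False
    return True


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    report = triage(hooks)
    for path, info in report.items():
        tag = "ok  " if info["trusted"] else "FLAG"
        print(f"[{tag}] {path}: {', '.join(info['functions'])}")
    print("hook addresses consistent across tools:", consistent_addresses(hooks))
```

Run against the real logs, the AVG module is the only hooking module and the flagged list is empty; the constructed UNKNOWN_EXAMPLE.sys line is what a hit would look like. Note that "File Visible: No" on dump_atapi.sys and dump_WMILIB.SYS in the RootRepeal driver list is not a hiding indicator: those are the crash-dump copies of the disk stack that Windows loads without a matching file on disk.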