kemsi, posted November 4, 2009

My computer is on its way out, and I decided to run HijackThis (in administrator mode) before it dies completely! Very grateful for any answers! Regards, Kemsi

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:33:34, on 2009-11-03
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Simon\My Documents\Hämtade filer\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AVGIDS] "C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Blogga detta - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blogga detta i Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: AVGIDSAgent - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
O23 - Service: AVGIDSWatcher - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8617 bytes
Cecilia, posted November 4, 2009

AVG version 8 has been replaced by AVG 9, so upgrade to the new version.

O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll

That is an advertising toolbar and not something you should have on the computer.

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

Counts as questionable.

Can you describe in more detail what problems you are having with the computer?
kemsi (thread author), posted November 4, 2009

> AVG version 8 has been replaced by AVG 9, so upgrade to the new version.
>
> O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
>
> That is an advertising toolbar and not something you should have on the computer.
>
> O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
>
> Counts as questionable.
>
> Can you describe in more detail what problems you are having with the computer?

It has generally become slower, even though it has the same amount of disk space. Opening a folder takes about 5 - 15 seconds instead of 1 second as before. I scanned with AVG a day or so ago, and it found a rootkit that could not be removed; I don't know how to remove it in that case? Thanks!
Cecilia, posted November 4, 2009 (edited)

> Cecilia, in light of the earlier discussion about IObit and MBAM, it would be a mistake if this thread came about as an attempt to make an example here, since this HijackThis thread appeared conveniently right after my latest post in the other thread. You don't do that kind of thing, do you?

No, I don't, because I don't have time for that. At 15:18 I was hurrying to the commuter train and had absolutely no possibility of writing any posts.

Edited November 4, 2009 by Cecilia
Cecilia, posted November 4, 2009

> It has generally become slower, even though it has the same amount of disk space. Opening a folder takes about 5 - 15 seconds instead of 1 second as before. I scanned with AVG a day or so ago, and it found a rootkit that could not be removed; I don't know how to remove it in that case? Thanks!

Oh dear, a rootkit is no fun. Can you paste a log from AVG that shows what was found (there is presumably a more exact name than just "rootkit") and in which file and folder it is/was?
si3rra, posted November 4, 2009

The log looks clean, but the question is where all these "[_nltide_2] regsvr32 /s /n /i:U shell32" entries come from?..
kemsi (thread author), posted November 5, 2009

> Oh dear, a rootkit is no fun. Can you paste a log from AVG that shows what was found (there is presumably a more exact name than just "rootkit") and in which file and folder it is/was?

I'm running the scanner through again, since I couldn't find any saved log from the previous scan, but what does a rootkit actually mean? Can it collect sensitive information and change settings on the computer? Now, when I was about to scan the computer again, something strange happened: the list of scan areas had changed. Everything was checked except "scanning for rootkit", which seems to have unchecked itself!
Cecilia, posted November 5, 2009

A rootkit is a type of malicious program that has the ability to hide itself from other programs, which makes it hard for antivirus programs and other similar programs to find and remove. What then happens on the computer, e.g. spying or sending spam, can vary greatly. Many malicious programs, even if they are not rootkits, change settings in Windows to make it harder to remove them; e.g. they can disable the Task Manager.

Were you able to check the rootkit scan again?
kemsi (thread author), posted November 5, 2009 (edited)

> A rootkit is a type of malicious program that has the ability to hide itself from other programs, which makes it hard for antivirus programs and other similar programs to find and remove. What then happens on the computer, e.g. spying or sending spam, can vary greatly. Many malicious programs, even if they are not rootkits, change settings in Windows to make it harder to remove them; e.g. they can disable the Task Manager.
>
> Were you able to check the rootkit scan again?

Aha, that doesn't sound fun; in other words, it has to go. Yes, I was able to check "scan for rootkits" again, so no problem there. Here is the whole log from the scan (quite long). AVG found a lot of "warnings" and one "rootkit", but as mentioned it did not manage to remove the rootkit, because (as you said) it hides in some system, a so-called "hidden driver". (Haven't updated AVG to ver. 9 yet, but it is a fully updated ver. 8.)

I have also found an earlier screenshot of my previous scan where you can see more detailed info about the rootkit. "C:\WINDOWS\SYSTEM32\Drivers\avw3tpy3.SYS" is its name now, but in the previous scan it was called "C:\WINDOWS\SYSTEM32\Drivers\amb2d7rq.SYS". Thanks!

"Scan ""Scan whole computer"" was finished."
"Rootkits";"1";"0";"1"
"Warnings";"31"
"Information";"94"
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"den 5 november 2009, 15:30:37"
"Scan finished:";"den 5 november 2009, 16:52:51 (1 hour(s) 22 minute(s) 14 second(s))"
"Total object scanned:";"405720"
"User who launched the scan:";"kemsi"

"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\Simon\Cookies\simon@atdmt[2].txt:\atdmt.com.9e6d7fd3";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\Simon\Cookies\simon@atdmt[2].txt:\atdmt.com.74c5668";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\Simon\Cookies\simon@atdmt[2].txt";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\yadro.ru.c77afad5";"Found Tracking cookie.Yadro";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\tribalfusion.com.dcc03271";"Found Tracking cookie.Tribalfusion";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\tacoda.net.c4fe2ebb";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\tacoda.net.5935e89";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\tacoda.net.4366831a";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\tacoda.net.27341d57";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\serving-sys.com.c9034af6";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\serving-sys.com.6a1cf9e8";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\serving-sys.com.606c3d3b";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\searchportal.information.com.3a8d7204";"Found Tracking cookie.Information";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\serving-sys.com.4b416ef8";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\serving-sys.com.400f83f";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\serving-sys.com.255d6f2f";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\overture.com.d727de6f";"Found Tracking cookie.Overture";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\overture.com.52ca467a";"Found Tracking cookie.Overture";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\ivwbox.de.41d82fe2";"Found Tracking cookie.Ivwbox";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\bs.serving-sys.com.5bf1f00f";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\revsci.net.e9dbeb91";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\revsci.net.44927ec";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\revsci.net.3c8e1d5b";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\revsci.net.2df99d79";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\msnportal.112.2o7.net.7225be6f";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\adtech.de.a9245469";"Found Tracking cookie.Adtech";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\adbrite.com.e1f04284";"Found Tracking cookie.Adbrite";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\adbrite.com.775ee79c";"Found Tracking cookie.Adbrite";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\adbrite.com.d5e309c2";"Found Tracking cookie.Adbrite";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\adbrite.com.71beeff9";"Found Tracking cookie.Adbrite";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\adbrite.com.557c9f74";"Found Tracking cookie.Adbrite";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\adbrite.com.44f92a69";"Found Tracking cookie.Adbrite";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\2o7.net.706680ba";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite";"Found Tracking cookie.2o7";"Potentially dangerous object"

"Rootkits"
"File";"Infection";"Result"
"C:\WINDOWS\System32\Drivers\avw3tpy3.SYS";"Hidden driver";"Object is hidden"

"Information"
"File";"Infection";"Result"
"C:\WINDOWS\system32\drivers\sptd.sys";"Locked file. Not tested.";"Locked file. Not tested."
"C:\WINDOWS\system32\config\system";"Locked file. Not tested.";"Locked file. Not tested."
"C:\WINDOWS\system32\config\software";"Locked file. Not tested.";"Locked file. Not tested."
"C:\WINDOWS\system32\config\SECURITY";"Locked file. Not tested.";"Locked file. Not tested."
"C:\WINDOWS\system32\config\SAM";"Locked file. Not tested.";"Locked file. Not tested."
"C:\WINDOWS\system32\config\default";"Locked file. Not tested.";"Locked file. Not tested."
"C:\WINDOWS\SoftwareDistribution\Download\99aa722de62f08eaf0a08e358055eff7\MAINSP3ff.cab:\MAINSP3ff.msp:\PCW_CAB_H6000_1:\EUROTOOL.XLA";"Contains macros";""
"C:\WINDOWS\SoftwareDistribution\Download\99aa722de62f08eaf0a08e358055eff7\MAINSP3ff.cab:\MAINSP3ff.msp:\PCW_CAB_H6000_1";"Contains macros";""
"C:\WINDOWS\SoftwareDistribution\Download\99aa722de62f08eaf0a08e358055eff7\MAINSP3ff.cab:\MAINSP3ff.msp";"Contains macros";""
"C:\WINDOWS\SoftwareDistribution\Download\99aa722de62f08eaf0a08e358055eff7\MAINSP3ff.cab";"Contains macros";""
"C:\System Volume Information\";"Locked file. Not tested.";"Locked file. Not tested."
"C:\Program Files\Microsoft Office\Templates\1053\Thesis.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\PROFMLTR.DOT";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\PROFMFAX.DOT";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\PROFMADR.DOT";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\Professional Resume.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\Professional Report.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\Professional Letter.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\Professional Fax.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\MERGELTR.DOT";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\Manual.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\ELEGMLTR.DOT";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\ELEGMFAX.DOT";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\ELEGMADR.DOT";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\Elegant Resume.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\Elegant Report.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\Elegant Memo.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\Elegant Letter.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\Elegant Fax.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\Directory.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\CONTMLTR.DOT";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\CONTMFAX.DOT";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\CONTMADR.DOT";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\Contemporary Resume.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\Contemporary Report.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\Contemporary Memo.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\Contemporary Letter.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\Contemporary Fax.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Templates\1053\Brochure.dot";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\Samples\SOLVSAMP.XLS";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\Samples\SAMPLES.XLS";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\Samples\Northwind.mdb:\embedded.doc";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\Samples\Northwind.mdb";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\Makrobib\SUMIF.XLA";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\Makrobib\Solver\SOLVER.XLA";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\Makrobib\LOOKUP.XLA";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\Makrobib\HTML.XLA";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\Makrobib\EUROTOOL.XLA";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\Makrobib\Analys\PROCDB.XLA";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\Makrobib\Analys\FUNCRES.XLA";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\Makrobib\Analys\ATPVBASV.XLA";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\Makrobib\Analys\ATPVBAEN.XLA";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\Macros\SUPPORT.DOT";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\1053\XL8GALRY.XLS";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\1053\FPNWIND.MDB:\embedded.doc";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\1053\FPNWIND.MDB";"Contains macros";""
"C:\Program Files\Microsoft Office\Office10\1053\EXPTOOWS.XLA";"Contains macros";""
"C:\Program Files\AVG\AVG8\IdentityProtection\agent\config\userList.zip";"Password-protected";""
"C:\Program Files\AVG\AVG8\IdentityProtection\agent\config\quarantinedList.zip";"Password-protected";""
"C:\Program Files\AVG\AVG8\IdentityProtection\agent\config\internalList.zip";"Password-protected";""
"C:\pagefile.sys";"Locked file. Not tested.";"Locked file. Not tested."
"C:\Documents and Settings\Simon\NTUSER.DAT";"Locked file. Not tested.";"Locked file. Not tested."
"C:\Documents and Settings\Simon\My Documents\Downloads\ORK\ORK.CAB:\WWSUPPT.XLS";"Contains macros";""
"C:\Documents and Settings\Simon\My Documents\Downloads\ORK\ORK.CAB:\REGKEY.XLS";"Contains macros";""
"C:\Documents and Settings\Simon\My Documents\Downloads\ORK\ORK.CAB:\PRESBROD.XLS";"Contains macros";""
"C:\Documents and Settings\Simon\My Documents\Downloads\ORK\ORK.CAB:\FILELIST.XLS";"Contains macros";""
"C:\Documents and Settings\Simon\My Documents\Downloads\ORK\ORK.CAB:\ERRORMSG.XLS";"Contains macros";""
"C:\Documents and Settings\Simon\My Documents\Downloads\ORK\ORK.CAB:\CLEANER.XLA";"Contains macros";""
"C:\Documents and Settings\Simon\My Documents\Downloads\ORK\ORK.CAB:\ASPSCRPT.XLS";"Contains macros";""
"C:\Documents and Settings\Simon\My Documents\Downloads\ORK\ORK.CAB";"Contains macros";""
"C:\Documents and Settings\Simon\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat";"Locked file. Not tested.";"Locked file. Not tested."
"C:\Documents and Settings\Simon\Desktop\DC++\ORK\ORK.CAB:\WWSUPPT.XLS";"Contains macros";""
"C:\Documents and Settings\Simon\Desktop\DC++\ORK\ORK.CAB:\REGKEY.XLS";"Contains macros";""
"C:\Documents and Settings\Simon\Desktop\DC++\ORK\ORK.CAB:\PRESBROD.XLS";"Contains macros";""
"C:\Documents and Settings\Simon\Desktop\DC++\ORK\ORK.CAB:\FILELIST.XLS";"Contains macros";""
"C:\Documents and Settings\Simon\Desktop\DC++\ORK\ORK.CAB:\ERRORMSG.XLS";"Contains macros";""
"C:\Documents and Settings\Simon\Desktop\DC++\ORK\ORK.CAB:\CLEANER.XLA";"Contains macros";""
"C:\Documents and Settings\Simon\Desktop\DC++\ORK\ORK.CAB:\ASPSCRPT.XLS";"Contains macros";""
"C:\Documents and Settings\Simon\Desktop\DC++\ORK\ORK.CAB";"Contains macros";""
"C:\Documents and Settings\Simon\Desktop\DC++\New Folder\Excel.en-us\ExcelLR.cab:\SUMIF.XLAM_1033";"Contains macros";""
"C:\Documents and Settings\Simon\Desktop\DC++\New Folder\Excel.en-us\ExcelLR.cab:\SOLVSAMP.XLS_1033";"Contains macros";""
"C:\Documents and Settings\Simon\Desktop\DC++\New Folder\Excel.en-us\ExcelLR.cab:\SOLVER.XLAM_1033";"Contains macros";""
"C:\Documents and Settings\Simon\Desktop\DC++\New Folder\Excel.en-us\ExcelLR.cab:\PROCDB.XLAM_1033";"Contains macros";""
"C:\Documents and Settings\Simon\Desktop\DC++\New Folder\Excel.en-us\ExcelLR.cab:\LOOKUP.XLAM_1033";"Contains macros";""
"C:\Documents and Settings\Simon\Desktop\DC++\New Folder\Excel.en-us\ExcelLR.cab:\FUNCRES.XLAM_1033";"Contains macros";""
"C:\Documents and Settings\Simon\Desktop\DC++\New Folder\Excel.en-us\ExcelLR.cab:\ATPVBAEN.XLAM_1033";"Contains macros";""
"C:\Documents and Settings\Simon\Desktop\DC++\New Folder\Excel.en-us\ExcelLR.cab";"Contains macros";""
"C:\Documents and Settings\NetworkService\NTUSER.DAT";"Locked file. Not tested.";"Locked file. Not tested."
"C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat";"Locked file. Not tested.";"Locked file. Not tested."
"C:\Documents and Settings\LocalService\NTUSER.DAT";"Locked file. Not tested.";"Locked file. Not tested."
"C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat";"Locked file. Not tested.";"Locked file. Not tested."
"C:\Documents and Settings\All Users\Application Data\Downloaded Installations\{70ADDA88-7F88-46A1-A9C4-5BD9EA9934A1}\AVGIDP_setup.msi:\Data1.cab:\internallist.zip";"Password-protected";""
"C:\Documents and Settings\All Users\Application Data\Downloaded Installations\{70ADDA88-7F88-46A1-A9C4-5BD9EA9934A1}\AVGIDP_setup.msi:\Data1.cab";"Password-protected";""
"C:\Documents and Settings\All Users\Application Data\Downloaded Installations\{70ADDA88-7F88-46A1-A9C4-5BD9EA9934A1}\AVGIDP_setup.msi";"Password-protected";""

Edited November 5, 2009 by kemsi
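A report this long is easier to read once it is reduced to what the scanner could not deal with on its own. The script below is an added example for that purpose; it is not part of the thread and not AVG's code. It parses the semicolon-separated, double-quoted export format kemsi pasted, counts the entries per section, and separates the findings that still need a human (the hidden driver in the Rootkits section, and warnings that were only flagged rather than moved to the Virus Vault) from the locked-file and macro notices, which are informational. `SAMPLE_REPORT` is a constructed abridgement of the posted log: the hidden-driver line is taken from it, the remaining rows follow the same format, and the result strings the code keys on ("Object is hidden", "Moved to Virus Vault") are the ones that appear in the log. All function names are mine.

```python
"""Triage helper for an AVG 8 scan report in its semicolon-separated,
double-quoted export format. Added example; not AVG's code."""
import csv
from collections import OrderedDict

SECTION_NAMES = ("Warnings", "Rootkits", "Information")
COLUMN_HEADER = ["File", "Infection", "Result"]

# Constructed, abridged sample in the format of the posted report. Raw string
# so the Windows backslashes survive; the hidden-driver row is the posted one.
SAMPLE_REPORT = r'''"Scan ""Scan whole computer"" was finished."
"Rootkits";"1";"0";"1"
"Warnings";"2"
"Information";"2"
"Folders selected for scanning:";"Scan whole computer"
"Total object scanned:";"405720"
"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\Simon\Cookies\simon@atdmt[2].txt";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\cookies.sqlite:\2o7.net.706680ba";"Found Tracking cookie.2o7";"Potentially dangerous object"
"Rootkits"
"File";"Infection";"Result"
"C:\WINDOWS\System32\Drivers\avw3tpy3.SYS";"Hidden driver";"Object is hidden"
"Information"
"File";"Infection";"Result"
"C:\WINDOWS\system32\config\SAM";"Locked file. Not tested.";"Locked file. Not tested."
"C:\Program Files\Microsoft Office\Templates\1053\Manual.dot";"Contains macros";""
'''


def parse_report(text):
    """Return an ordered {section: [(file, infection, result), ...]} map.

    Rows before the first bare section marker form the summary block and are
    skipped; a one-column row naming a section switches to it; the column
    header row is dropped; every other three-column row is a finding.
    """
    sections = OrderedDict()
    current = None
    for row in csv.reader(text.splitlines(), delimiter=";", quotechar='"'):
        if not row:
            continue
        if len(row) == 1 and row[0] in SECTION_NAMES:
            current = row[0]
            sections.setdefault(current, [])
            continue
        if current is None or row == COLUMN_HEADER or len(row) != 3:
            continue
        sections[current].append(tuple(row))
    return sections


def triage(sections):
    """Split findings into (needs_action, handled).

    needs_action holds ("HIDDEN", path, infection) for anything reported as
    hidden and ("UNRESOLVED", path, infection) for warnings the scanner
    flagged but did not quarantine; handled holds everything else.
    """
    needs_action, handled = [], []
    for section, rows in sections.items():
        for path, infection, result in rows:
            if section == "Rootkits" or result == "Object is hidden":
                needs_action.append(("HIDDEN", path, infection))
            elif section == "Warnings" and result != "Moved to Virus Vault":
                needs_action.append(("UNRESOLVED", path, infection))
            else:
                handled.append((section, path, infection))
    # Hidden objects first: those are the ones the scanner could not remove.
    needs_action.sort(key=lambda item: item[0] != "HIDDEN")
    return needs_action, handled


def summarize(text):
    """Parse and triage a report: (counts per section, needs_action, handled)."""
    sections = parse_report(text)
    counts = {name: len(rows) for name, rows in sections.items()}
    needs_action, handled = triage(sections)
    return counts, needs_action, handled


if __name__ == "__main__":
    counts, todo, done = summarize(SAMPLE_REPORT)
    print("Findings per section:", counts)
    for kind, path, infection in todo:
        print(f"[{kind}] {path} ({infection})")
    print(f"{len(done)} entries already handled or informational")
```

Run on the full posted report, the same code reduces the 130-odd rows to one "HIDDEN" line for avw3tpy3.SYS plus the cookie warnings AVG left as "Potentially dangerous object", which is exactly the list a helper would ask about next.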
Cecilia, posted November 5, 2009

Don't replace AVG for the time being, because there is always a risk that the installation goes wrong.

Save ComboFix to the Desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Turn off all programs you can see, including antivirus and antispyware programs, but leave the firewall on. How? See http://www.bleepingcomputer.com/forums/topic114351.html

Run ComboFix and follow the instructions shown. If a question comes up asking whether you want to install the Recovery Console, answer yes.

IMPORTANT! Don't click on the ComboFix window with the mouse while it is running, otherwise it may hang.

When it is finished, a log should appear; attach it to your reply.

Check that the antivirus program etc. are running before you connect to the internet. If you have trouble getting onto the internet: Control Panel - Network Connections, right-click your internet connection and choose Repair, and/or restart the computer.

Warning! ComboFix disables automatic running of CDs, floppy disks and USB devices to make it easier to clean the computer and to protect it against infections in the future. This can cause problems, e.g. if the computer connects to the internet via a USB modem or USB network card. In that case, say so instead of running ComboFix.
Manneman Posted November 6, 2009

Thread moved to the correct forum category... Magnus
kemsi Posted November 6, 2009 (Author)

[quotes Cecilia's ComboFix instructions above]

There, now I think I've managed to scan the computer with ComboFix the right way; I had some trouble with the program at first, as it hung 3 or 4 times. Here is the log, I hope it tells you something. Thanks

ComboFix 09-11-05.01 - Simon 2009-11-06 16:45.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.46.1033.18.2046.1481 [GMT 1:00]
Running from: c:\documents and settings\Simon\My Documents\Hämtade filer\ComboFix.exe
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\install.exe
.
(((((((((((((((((((((((( Files Created from 2009-10-06 to 2009-11-06 ))))))))))))))))))))))))))))))
.
2009-11-06 14:05 . 2009-11-06 14:05 -------- d-----w- c:\windows\system32\xircom
2009-11-06 14:05 . 2009-11-06 14:05 -------- d-----w- c:\windows\system32\wbem\snmp
2009-11-06 14:05 . 2009-11-06 14:05 -------- d-----w- c:\program files\microsoft frontpage
2009-11-05 21:18 . 2009-11-05 21:18 152576 ----a-w- c:\documents and settings\Simon\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-05 14:25 . 2009-10-21 09:41 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-11-03 14:49 . 2009-10-21 09:41 2025752 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-10-16 02:15 . 2009-07-17 16:22 1435648 ------w- c:\windows\system32\dllcache\query.dll
2009-10-16 02:15 . 2009-08-26 08:03 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2009-10-16 02:14 . 2009-09-04 21:03 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-10-13 19:42 . 2009-10-13 19:42 -------- d-----w- c:\windows\SxsCaPendDel
2009-10-13 19:15 . 2009-10-13 19:41 -------- d-----w- c:\program files\LearnWARE
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-05 21:19 . 2009-03-19 15:34 -------- d-----w- c:\program files\Java
2009-11-04 23:09 . 2009-03-12 00:12 -------- d-----w- c:\program files\Steam
2009-11-04 19:31 . 2009-01-26 20:33 38 ----a-w- c:\documents and settings\Simon\jagex_runescape_preferences.dat
2009-11-04 19:10 . 2009-09-02 13:08 63 ----a-w- c:\documents and settings\Simon\jagex_runescape_preferences2.dat
2009-10-27 21:09 . 2009-01-26 19:17 -------- d-----w- c:\documents and settings\Simon\Application Data\uTorrent
2009-10-23 15:50 . 2009-02-07 19:09 -------- d-----w- c:\documents and settings\Simon\Application Data\dvdcss
2009-10-11 03:17 . 2009-01-26 20:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-01 02:52 . 2009-03-01 14:50 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-29 14:30 . 2009-09-29 14:29 -------- d-----w- c:\program files\SwiftKit
2009-09-29 14:29 . 2009-09-29 14:29 -------- d-----w- c:\documents and settings\All Users\Application Data\SwiftKit
2009-09-28 11:58 . 2009-09-25 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-09-25 21:02 . 2009-09-25 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-09-25 21:02 . 2009-09-25 21:02 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-25 21:02 . 2009-09-25 21:02 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-09-25 21:02 . 2009-09-25 21:02 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-25 21:02 . 2009-09-25 21:02 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-25 21:02 . 2009-09-25 21:02 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-09-25 21:00 . 2009-09-25 21:00 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-09-25 21:00 . 2009-09-25 21:00 29208 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-09-25 21:00 . 2009-01-26 19:02 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-25 19:44 . 2009-03-01 14:50 -------- d-----w- c:\program files\NOS
2009-09-17 13:47 . 2009-09-17 13:46 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-14 18:55 . 2009-09-14 18:55 -------- d-----w- c:\documents and settings\Simon\Application Data\Uniblue
2009-09-14 10:58 . 2009-09-14 10:58 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-12 13:20 . 2009-04-10 23:56 -------- d-----w- c:\program files\Free Music Zilla
2009-09-11 14:13 . 2009-01-08 19:09 136704 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 10:59 . 2009-03-03 22:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-10 19:55 . 2009-09-10 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-09-04 21:03 . 2008-04-14 04:42 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 16:56 . 2009-09-03 16:56 152576 ----a-w- c:\documents and settings\Simon\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-09-02 09:58 . 2009-09-28 11:58 1107200 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-08-29 08:08 . 2008-10-16 19:38 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:03 . 2009-01-08 19:12 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-17 11:52 . 2009-01-26 19:18 68840 ----a-w- c:\documents and settings\Simon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-11 14:48 . 2009-08-11 14:48 152576 ----a-w- c:\documents and settings\Simon\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
------- Sigcheck -------
[-] 2009-01-08 . 5AE1C2695F6523AD98B948F2887D8C5E . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
[-] 2009-01-08 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-11-06_10.50.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-06 14:10 . 2009-11-06 14:10 16384 c:\windows\Temp\Perflib_Perfdata_2e4.dat
.
(((((((((((((((((((((((((((((((((( Registry Start Points )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* Empty entries & legitimate default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-02 09:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-03 2028312]
"AVGIDS"="c:\program files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe" [2009-07-22 1600008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2009-01-26 577536]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-01-15 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-25 21:02 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BankID Security Application.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^Simon^Start Menu^Programs^Startup^Free Music Zilla.lnk]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Simon\\Desktop\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Steam\\steamapps\\baileys_boy15@hotmail.com\\counter-strike\\hl.exe"=
"c:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2009-07-22 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-09-25 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-09-25 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-09-25 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-09-25 297752]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [2009-09-25 1370488]
R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe [2009-07-22 571912]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-07-19 55152]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-09-25 29208]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSDriver.sys [2009-07-22 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSFilter.sys [2009-07-22 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys [2009-07-22 27232]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe [2009-07-22 5641736]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-09-25 29208]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2009-02-06 533360]

--- Other services/drivers in memory ---
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder:
2009-10-29 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-11-06 c:\windows\Tasks\User_Feed_Synchronization-{5F672323-F82B-4270-B21F-20C416B04789}.job - c:\windows\system32\msfeedssync.exe [2009-01-08 02:31]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: E&xportera till Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - www.google.se
FF - prefs.js: keyword.URL - hxxp://se.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_se&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Personal\bin\np_prsnl.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICY ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 16:50
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spcv.sys >>UNKNOWN [0x89E09938]<<
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
atapi.sys @ 0x0 0x0 bytes
\Driver\atapi [ IRP_MJ_CREATE ] 0xA6F2 != 0xB9DFCB40 atapi.sys
\Driver\atapi [ IRP_MJ_CLOSE ] 0xA6F2 != 0xB9DFCB40 atapi.sys
\Driver\atapi [ IRP_MJ_DEVICE_CONTROL ] 0xA712 != 0xB9DFCB40 atapi.sys
\Driver\atapi [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x6852 != 0xB9DFCB40 atapi.sys
\Driver\atapi [ IRP_MJ_POWER ] 0xA73C != 0xB9DFCB40 atapi.sys
\Driver\atapi [ IRP_MJ_SYSTEM_CONTROL ] 0x11336 != 0xB9DFCB40 atapi.sys
\Driver\atapi IRP hooks detected !
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(220)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-06 16:53
ComboFix-quarantined-files.txt 2009-11-06 15:52
Pre-Run: 21 507 198 976 bytes free
Post-Run: 21 471 346 688 bytes free
- - End Of File - - 6CB80DD0A77FF6A9EDC971DAFDCA9C60
Cecilia Posted November 6, 2009

1. If you have Daemon Tools, Alcohol 120% or any similar program that creates virtual CD drives, uninstall that program for now and then restart the computer.

2. Save this file to the Desktop: http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe
Run the program. When it is done, a log file Win32kDiag.txt is created on the Desktop. Paste it into your reply.

3. Save this file to the Desktop: http://rootrepeal.googlepages.com/RootRepeal.zip
Unpack (extract) the zip file so that you get a program file. Start RootRepeal. Choose the Report tab and press Scan. Tick all seven options and then press Yes. Choose C: and press Ok. It takes a while for RootRepeal to scan C:. When the scan is finished, press Save Report and save it under the name rootrepeal.log. Paste the contents of rootrepeal.log.

4. Save Gmer to the Desktop from one of these pages:
http://www.gmer.net/files.php (choose Gmer application)
http://www.majorgeeks.com/GMER_d5198.html
Unpack the file to the Desktop. Unplug the internet connection. Close all programs, including antivirus and firewall. Start the program gmer.exe. If a question about "scan" comes up, choose No. Save the log and paste it into your reply. Do nothing more. If the question does not come up, choose the Rootkit/Malware tab and check that everything on the right is ticked except Show All. Press Scan. Leave the computer alone while Gmer is working. Press Save and save the result on the Desktop. Turn the antivirus program and firewall back on before you connect to the internet. Paste the result into your reply.
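A triage helper for the kind of output Cecilia asks for above (RootRepeal's Drivers and SSDT sections) and for the Gmer IRP-hook lines that already appear in the ComboFix log earlier in the thread. This is an added example written for this page; it is not code from the thread, from RootRepeal, Gmer or ComboFix. The allowlist of expected hook owners, the "sp??.sys is SPTD" rule and the "random-looking driver name" rule are this editor's assumptions, and the sample report is assembled from lines posted in this thread, trimmed to a few entries.

```python
"""Hook-report triage for RootRepeal (Drivers, SSDT) and Gmer IRP-hook lines.
Added example for this page; not code from the thread or from any scanner."""
import re
from collections import Counter
from typing import Dict, List

# RootRepeal "Drivers" entry: Name / Image Path / Address / Size / File Visible
DRIVER_RE = re.compile(
    r"Name:\s*(?P<name>\S+)\s+Image Path:\s*(?P<path>.+?)\s+Address:\s*"
    r"(?P<addr>0x[0-9A-Fa-f]+)\s+Size:\s*(?P<size>\d+)\s+File Visible:\s*(?P<visible>\w+)",
    re.S,
)
# RootRepeal "SSDT" entry: #: 041 Function Name: NtCreateKey Status: Hooked by "spcv.sys" at address 0x...
SSDT_RE = re.compile(
    r"#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<func>\w+)\s+Status:\s*Hooked by\s+"
    r'"(?P<hooker>[^"]+)"\s+at address\s+(?P<addr>0x[0-9A-Fa-f]+)'
)
# Gmer IRP-hook line: \Driver\atapi [ IRP_MJ_CREATE ] 0xA6F2 != 0xB9DFCB40 atapi.sys
IRP_RE = re.compile(
    r"\\Driver\\(?P<driver>\w+)\s+\[\s*(?P<irp>IRP_MJ_\w+)\s*\]\s+(?P<actual>0x[0-9A-Fa-f]+)"
    r"\s*!=\s*(?P<expected>0x[0-9A-Fa-f]+)\s+(?P<module>\S+)"
)

# Assumed allowlist (the editor's, not the thread's): hook owners that are
# installed on the machine in the thread or are the scanners themselves.
KNOWN_HOOKERS: Dict[str, str] = {
    "avgidsshim.sys": "AVG Identity Protection",
    "rootrepeal.sys": "RootRepeal (the scanner itself)",
    "catchme.sys": "ComboFix/catchme (the scanner itself)",
}
# Assumption: SPTD (Daemon Tools / Alcohol 120%) loads an sp??.sys driver that
# hooks the registry syscalls; the thread asks for that software to be removed first.
SPTD_RE = re.compile(r"^sp[a-z]{2}\.sys$", re.I)
# Heuristic: eight alphanumerics mixing letters and digits, e.g. a5bed12r.SYS
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{8}\.sys$", re.I)


def win_basename(path: str) -> str:
    """Lower-cased file name from a Windows path or a bare name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(report: str) -> List[dict]:
    """Classify every SSDT hook, IRP hook and hidden driver in a scanner report."""
    drivers = {m["name"].lower(): m.groupdict() for m in DRIVER_RE.finditer(report)}
    findings: List[dict] = []
    for m in SSDT_RE.finditer(report):
        hooker = win_basename(m["hooker"])
        hidden = drivers.get(hooker, {}).get("visible", "").lower() == "no"
        if hooker in KNOWN_HOOKERS:
            sev, why = "info", "expected hook by " + KNOWN_HOOKERS[hooker]
        elif SPTD_RE.match(hooker):
            sev, why = "low", "SPTD-style registry hook; remove virtual-CD software and rescan"
        elif hidden or RANDOM_NAME_RE.match(hooker):
            sev, why = "high", "hook owned by a file-hidden or random-named module"
        else:
            sev, why = "medium", "hook by unrecognised module; check vendor and signature"
        findings.append({"kind": "ssdt", "subject": m["func"], "module": hooker,
                         "severity": sev, "why": why})
    for m in IRP_RE.finditer(report):
        findings.append({"kind": "irp", "subject": m["driver"] + "/" + m["irp"],
                         "module": m["module"], "severity": "high",
                         "why": f"dispatch pointer {m['actual']} is outside {m['module']} "
                                f"(expected {m['expected']})"})
    for name, d in drivers.items():
        if d["visible"].lower() == "no" and RANDOM_NAME_RE.match(name):
            findings.append({"kind": "driver", "subject": name, "module": d["path"],
                             "severity": "high",
                             "why": "loaded driver with random-looking name and no visible file"})
    return findings


def severity_counts(findings: List[dict]) -> Counter:
    """How many findings per severity level."""
    return Counter(f["severity"] for f in findings)


# Sample input: lines taken from the RootRepeal and ComboFix output posted in
# this thread, trimmed to a handful of entries.
SAMPLE_REPORT = r"""
Drivers
-------------------
Name: a5bed12r.SYS
Image Path: C:\WINDOWS\System32\Drivers\a5bed12r.SYS
Address: 0xB8839000 Size: 221184 File Visible: No Signed: - Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB4FEF000 Size: 49152 File Visible: No Signed: - Status: -
Name: spcv.sys
Image Path: spcv.sys
Address: 0xB9EA7000 Size: 1048576 File Visible: No Signed: - Status: -
SSDT
-------------------
#: 025 Function Name: NtClose Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba3c98a0
#: 041 Function Name: NtCreateKey Status: Hooked by "spcv.sys" at address 0xb9ea80e0
#: 119 Function Name: NtOpenKey Status: Hooked by "spcv.sys" at address 0xb9ea80c0
\Driver\atapi [ IRP_MJ_CREATE ] 0xA6F2 != 0xB9DFCB40 atapi.sys
\Driver\atapi [ IRP_MJ_DEVICE_CONTROL ] 0xA712 != 0xB9DFCB40 atapi.sys
\Driver\atapi IRP hooks detected !
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f['severity']:<6}] {f['kind']:<6} {f['subject']:<26} {f['module']}: {f['why']}")
```

Run stand-alone it prints one line per finding. The point of the classification is that a hook by itself is not a verdict: antivirus products and SPTD hook the SSDT as part of normal operation, which is why the instructions above ask for virtual-CD software to be removed before rescanning, whereas a loaded driver with a random-looking name and no visible file, or atapi.sys dispatch pointers that no longer point into atapi.sys (the "IRP hooks detected" condition in the Gmer output), is what needs follow-up. Paste the full RootRepeal report into triage() rather than the sample; the regexes ignore the "Stealth Objects" section, so extend them if you want those entries counted too.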
kemsi Posted November 7, 2009 (Author)

[quotes Cecilia's instructions above]

Okay, now I've tried not to miss anything and have pasted in the scan logs from Win32kDiag, RootRepeal and Gmer. When I scanned with Win32kDiag, "WARNING: Could not get backup privileges!" came up; what does that mean? Thanks :)

Win32kDiag.txt:
Running from: C:\Documents and Settings\Simon\Desktop\Win32kDiag(2).exe
Log file at : C:\Documents and Settings\Simon\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

rootrepeal.log:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/11/07 02:29
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: a5bed12r.SYS
Image Path: C:\WINDOWS\System32\Drivers\a5bed12r.SYS
Address: 0xB8839000 Size: 221184 File Visible: No Signed: - Status: -

Name: catchme.sys
Image Path: C:\DOCUME~1\Simon\LOCALS~1\Temp\catchme.sys
Address: 0xB4DD2000 Size: 31744 File Visible: No Signed: - Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB56A8000 Size: 98304 File Visible: No Signed: - Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5D0000 Size: 8192 File Visible: No Signed: - Status: -

Name: PCI_PNP2594
Image Path: \Driver\PCI_PNP2594
Address: 0x00000000 Size: 0 File Visible: No Signed: - Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xBA5EE000 Size: 7872 File Visible: No Signed: - Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB4FEF000 Size: 49152 File Visible: No Signed: - Status: -

Name: spcv.sys
Image Path: spcv.sys
Address: 0xB9EA7000 Size: 1048576 File Visible: No Signed: - Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: - Status: -

SSDT
-------------------
#: 025 Function Name: NtClose Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba3c98a0
#: 041 Function Name: NtCreateKey Status: Hooked by "spcv.sys" at address 0xb9ea80e0
#: 071 Function Name: NtEnumerateKey Status: Hooked by "spcv.sys" at address 0xb9ec6ca2
#: 073 Function Name: NtEnumerateValueKey Status: Hooked by "spcv.sys" at address 0xb9ec7030
#: 119 Function Name: NtOpenKey Status: Hooked by "spcv.sys" at address 0xb9ea80c0
#: 122 Function Name: NtOpenProcess Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba3c98d0
#: 160 Function Name: NtQueryKey Status: Hooked by "spcv.sys" at address 0xb9ec7108
#: 177 Function Name: NtQueryValueKey Status: Hooked by "spcv.sys" at address 0xb9ec6f88
#: 247 Function Name: NtSetValueKey Status: Hooked by "spcv.sys" at address 0xb9ec719a
#: 257 Function Name: NtTerminateProcess Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba3c9980
#: 258 Function Name: NtTerminateThread Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba3c9a20
#: 277 Function Name: NtWriteVirtualMemory Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba3c9ac0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE] Process: System Address: 0x89de71f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ] Process: System Address: 0x89de71f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE] Process: System Address: 0x89de71f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x89de71f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION] Process: System Address: 0x89de71f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA] Process: System Address: 0x89de71f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA] Process: System Address: 0x89de71f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x89de71f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x89de71f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION] Process: System Address: 0x89de71f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x89de71f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x89de71f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x89de71f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN] Process: System Address: 0x89de71f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x89de71f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP] Process: System Address: 0x89de71f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY] Process: System Address: 0x89de71f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY] Process: System Address: 0x89de71f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA] Process: System Address: 0x89de71f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA] Process: System Address: 0x89de71f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP] Process: System Address: 0x89de71f8 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE] Process: System Address: 0x89967438 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE] Process: System Address: 0x89967438 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ] Process: System Address: 0x89967438 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE] Process: System Address: 0x89967438 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x89967438 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION] Process: System Address: 0x89967438 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA] Process: System Address: 0x89967438 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA] Process: System Address: 0x89967438 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x89967438 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x89967438 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION] Process: System Address: 0x89967438 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x89967438 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x89967438 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x89967438 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN] Process: System Address: 0x89967438 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x89967438 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP] Process: System Address: 0x89967438 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP] Process: System Address: 0x89967438 Size: 121
Object: Hidden Code [Driver: a5bed12rЅఅ瑎獆ର, IRP_MJ_CREATE] Process: System Address: 0x89b2a1f8 Size: 121
Object: Hidden Code [Driver: a5bed12rЅఅ瑎獆ର, IRP_MJ_CLOSE] Process: System Address: 0x89b2a1f8 Size: 121
Object: Hidden Code [Driver: a5bed12rЅఅ瑎獆ର, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x89b2a1f8 Size: 121
Object: Hidden Code [Driver: a5bed12rЅఅ瑎獆ର, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x89b2a1f8 Size: 121
Object: Hidden Code [Driver: a5bed12rЅఅ瑎獆ର, IRP_MJ_POWER] Process: System Address: 0x89b2a1f8 Size: 121
Object: Hidden Code [Driver: a5bed12rЅఅ瑎獆ର, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x89b2a1f8 Size: 121
Object: Hidden Code [Driver: a5bed12rЅఅ瑎獆ର, IRP_MJ_PNP] Process: System Address: 0x89b2a1f8 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE] Process: System Address: 0x89b381f8 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE] Process: System Address: 0x89b381f8 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ] Process: System Address: 0x89b381f8 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE] Process: System Address: 0x89b381f8 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x89b381f8 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x89b381f8 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x89b381f8 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN] Process: System Address: 0x89b381f8 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER] Process: System Address: 0x89b381f8 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x89b381f8 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP] Process: System Address: 0x89b381f8 Size: 121
Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE] Process: System Address: 0x89e551f8 Size: 121
Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE] Process: System Address: 0x89e551f8 Size: 121
Object: Hidden Code [Driver: dmio, IRP_MJ_READ] Process: System Address: 0x89e551f8 Size: 121
Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE] Process: System Address: 0x89e551f8 Size: 121
Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x89e551f8 Size: 121
Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x89e551f8 Size: 121
Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x89e551f8 Size: 121
Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN] Process: System Address: 0x89e551f8 Size: 121
Object: Hidden Code [Driver: dmio, IRP_MJ_POWER] Process: System Address: 0x89e551f8 Size: 121
Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x89e551f8 Size: 121
Object: Hidden Code [Driver: dmio, IRP_MJ_PNP] Process: System Address: 0x89e551f8 Size: 121
Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE] Process: System Address: 0x89ce81f8 Size: 121
Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE] Process: System Address: 0x89ce81f8 Size: 121
Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x89ce81f8 Size: 121
Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x89ce81f8 Size: 121
Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER] Process: System Address: 0x89ce81f8 Size: 121
Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x89ce81f8 Size: 121
Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP] Process: System Address: 0x89ce81f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE] Process: System Address: 0x89de91f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ] Process: System Address: 0x89de91f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE] Process: System Address: 0x89de91f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x89de91f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x89de91f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x89de91f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN] Process: System Address: 0x89de91f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP] Process: System Address: 0x89de91f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER] Process: System Address: 0x89de91f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x89de91f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP] Process: System Address: 0x89de91f8 Size: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE] Process: System Address: 0x895bd1f8 Size: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE] Process: System Address: 0x895bd1f8 Size: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x895bd1f8 Size: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x895bd1f8 Size: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP] Process: System Address: 0x895bd1f8 Size: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP] Process: System Address: 0x895bd1f8 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE] Process: System Address: 0x89cf0500 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE] Process: System Address: 0x89cf0500 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x89cf0500 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x89cf0500 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER] Process: System Address: 0x89cf0500 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x89cf0500 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP] Process: System Address: 0x89cf0500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE] Process: System Address: 0x89596500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE] Process: System Address: 0x89596500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE] Process: System Address: 0x89596500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ] Process: System Address: 0x89596500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE] Process: System Address: 0x89596500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x89596500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION] Process: System Address: 0x89596500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA] Process: System Address: 0x89596500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA] Process: System Address: 0x89596500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x89596500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x89596500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION] Process: System Address: 0x89596500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x89596500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x89596500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x89596500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x89596500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN] Process: System Address: 0x89596500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x89596500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP] Process: System Address: 0x89596500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT] Process: System Address: 0x89596500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY] Process: System Address: 0x89596500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY] Process: System Address: 0x89596500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER] Process: System Address: 0x89596500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x89596500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE] Process: System Address: 0x89596500 Size: 121
Object: Hidden Code [Driver: MRxSmb,
IRP_MJ_QUERY_QUOTA] Process: System Address: 0x89596500 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA] Process: System Address: 0x89596500 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP] Process: System Address: 0x89596500 Size: 121 Object: Hidden Code [Driver: Mup, IRP_MJ_CREATE] Process: System Address: 0x8991b500 Size: 121 Object: Hidden Code [Driver: Mup, IRP_MJ_CLOSE] Process: System Address: 0x8991b500 Size: 121 Object: Hidden Code [Driver: Mup, IRP_MJ_READ] Process: System Address: 0x8991b500 Size: 121 Object: Hidden Code [Driver: Mup, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x8991b500 Size: 121 Object: Hidden Code [Driver: Mup, IRP_MJ_SET_INFORMATION] Process: System Address: 0x8991b500 Size: 121 Object: Hidden Code [Driver: Mup, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x8991b500 Size: 121 Object: Hidden Code [Driver: Mup, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x8991b500 Size: 121 Object: Hidden Code [Driver: Mup, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x8991b500 Size: 121 Object: Hidden Code [Driver: Mup, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x8991b500 Size: 121 Object: Hidden Code [Driver: Mup, IRP_MJ_SHUTDOWN] Process: System Address: 0x8991b500 Size: 121 Object: Hidden Code [Driver: Mup, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x8991b500 Size: 121 Object: Hidden Code [Driver: Mup, IRP_MJ_CLEANUP] Process: System Address: 0x8991b500 Size: 121 Object: Hidden Code [Driver: Mup, IRP_MJ_PNP] Process: System Address: 0x8991b500 Size: 121 Shadow SSDT ------------------- #: 383 Function Name: NtUserGetAsyncKeyState Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba3c9440 #: 414 Function Name: NtUserGetKeyboardState Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba3c93b0 #: 416 Function Name: NtUserGetKeyState Status: 
Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba3c93f0 #: 549 Function Name: NtUserSetWindowsHookEx Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba3c9330 ==EOF== Gmer.log GMER 1.0.15.15163 - http://www.gmer.net Rootkit scan 2009-11-07 14:35:21 Windows 5.1.2600 Service Pack 3 Running: gmer.exe; Driver: C:\DOCUME~1\Simon\LOCALS~1\Temp\uxtdypow.sys ---- System - GMER 1.0.15 ---- SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwClose [0xBA3C98A0] SSDT spcv.sys ZwCreateKey [0xB9EA80E0] SSDT spcv.sys ZwEnumerateKey [0xB9EC6CA2] SSDT spcv.sys ZwEnumerateValueKey [0xB9EC7030] SSDT spcv.sys ZwOpenKey [0xB9EA80C0] SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwOpenProcess [0xBA3C98D0] SSDT spcv.sys ZwQueryKey [0xB9EC7108] SSDT spcv.sys ZwQueryValueKey [0xB9EC6F88] SSDT spcv.sys ZwSetValueKey [0xB9EC719A] SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateProcess [0xBA3C9980] SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateThread [0xBA3C9A20] SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwWriteVirtualMemory [0xBA3C9AC0] INT 0x62 ? 89DE8BF8 INT 0x63 ? 89DE8BF8 INT 0x73 ? 89DE8BF8 INT 0x73 ? 89DE8BF8 INT 0x73 ? 89DE8BF8 INT 0xA4 ? 89CE9BF8 INT 0xB4 ? 
89CE9BF8 Code \??\C:\DOCUME~1\Simon\LOCALS~1\Temp\catchme.sys pIofCallDriver ---- Kernel code sections - GMER 1.0.15 ---- ? spcv.sys The system cannot find the file specified. ! .text USBPORT.SYS!DllUnload B92BB934 5 Bytes JMP 89CE91D8 ? System32\Drivers\a5bed12r.SYS The system cannot find the path specified. ! ? C:\DOCUME~1\Simon\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. ! ? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. ! ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [b9EA9040] spcv.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [b9EA913C] spcv.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [b9EA90BE] spcv.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [b9EA97FC] spcv.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [b9EA96D2] spcv.sys IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [b9EB9048] spcv.sys ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 89DE71F8 AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies ) Device \FileSystem\Fastfat \FatCdrom 89967438 AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) Device \Driver\usbohci \Device\USBPDO-0 89CE81F8 Device \Driver\dmio \Device\DmControl\DmIoDaemon 89E551F8 Device \Driver\dmio \Device\DmControl\DmConfig 89E551F8 Device \Driver\dmio \Device\DmControl\DmPnP 89E551F8 Device \Driver\dmio \Device\DmControl\DmInfo 89E551F8 Device \Driver\usbehci \Device\USBPDO-1 89CF0500 AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) 
AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation) Device \Driver\Ftdisk \Device\HarddiskVolume1 89DE91F8 Device \Driver\Cdrom \Device\CdRom0 89B381F8 Device \Driver\Cdrom \Device\CdRom1 89B381F8 Device \Driver\atapi \Device\Ide\IdePort0 [b9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [b9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [b9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort2 [b9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [b9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort3 [b9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort4 [b9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort5 [b9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\NetBT \Device\NetBt_Wins_Export 895BD1F8 Device \Driver\NetBT \Device\NetbiosSmb 895BD1F8 Device \Driver\PCI_PNP2594 \Device\0000004d spcv.sys AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) 
AttachedDevice \Driver\Tcpip \Device\Udp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation) AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\RawIp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation) Device \Driver\NetBT \Device\NetBT_Tcpip_{77919B9D-AD1B-4EEF-8615-E359AA46085D} 895BD1F8 Device \Driver\usbohci \Device\USBFDO-0 89CE81F8 Device \Driver\usbehci \Device\USBFDO-1 89CF0500 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89596500 Device \FileSystem\MRxSmb \Device\LanmanRedirector 89596500 Device \Driver\sptd \Device\3276161344 spcv.sys Device \Driver\Ftdisk \Device\FtControl 89DE91F8 Device \Driver\a5bed12r \Device\Scsi\a5bed12r1 89B2A1F8 Device \Driver\a5bed12r \Device\Scsi\a5bed12r1Port6Path0Target0Lun0 89B2A1F8 Device \FileSystem\Fastfat \Fat 89967438 AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies ) Device \FileSystem\Cdfs \Cdfs 8991B500 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCC 0x9F 0xB3 0x36 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xCD 0xBE 0xD1 0x25 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xAD 0x92 0x98 0xFF ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCC 0x9F 0xB3 0x36 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xCD 0xBE 0xD1 0x25 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xAD 0x92 0x98 0xFF ... ---- EOF - GMER 1.0.15 ---- Quote Link to comment Share on other sites More sharing options...
Cecilia Posted November 7, 2009

There is a great deal in the logs that looks to be related to Daemon Tools. Are you sure the program has been uninstalled?

The files that AVG found, are they in AVG's quarantine?
Cynthia Posted November 7, 2009

> There is a great deal in the logs that looks to be related to Daemon Tools. Are you sure the program has been uninstalled?

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: - Status: -

If you only run Daemon Tools' own uninstaller, the SPTD.sys driver is not removed. To get rid of every trace of it you have to run the installer from Duplex Secure and choose the uninstall option in that program.

http://www.duplexsecure.com/downloads
Cecilia Posted November 7, 2009

Thanks, Cynthia! It is often the Daemon drivers that make it hard to find the malicious programs among all the Daemon lines in the logs.

Is it only SPTD.sys that gets removed, or is it also the other driver that Daemon Tools installs? In the log above it is called SPCV.sys, but the name varies between different computers.
Cynthia Posted November 7, 2009

Hi!

SPTD.sys is also used by some other programs from Daemon Tools, e.g. BlindWrite, and that is probably why Daemon Tools does not remove that driver. As far as I know, only SPTD.sys is uninstalled by the program from Duplex Secure.

I tried to find out who is behind SPCV.sys on the net, but the only thing I found was that it was listed in some logs from antivirus/rootkit programs. So the question is whether it is a "real" file. I may be completely off the mark, but I get the impression that it is a file created by viruses.
kemsi Posted November 8, 2009 Author

> There is a great deal in the logs that looks to be related to Daemon Tools. Are you sure the program has been uninstalled?
>
> The files that AVG found, are they in AVG's quarantine?

Yes, it looks like they are in quarantine. I have now removed Daemon Tools the proper way and rescanned everything as in your instructions. Maybe it looks better now! Thanks!

Win32Diag

Running from: C:\Documents and Settings\Simon\Desktop\Win32kDiag(2).exe
Log file at : C:\Documents and Settings\Simon\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Finished!

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/08 14:19
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB625A000 Size: 98304 File Visible: No Signed: - Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5CC000 Size: 8192 File Visible: No Signed: - Status: -

SSDT
-------------------
#: 025 Function Name: NtClose Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba4898a0
#: 122 Function Name: NtOpenProcess Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba4898d0
#: 257 Function Name: NtTerminateProcess Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba489980
#: 258 Function Name: NtTerminateThread Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba489a20
#: 277 Function Name: NtWriteVirtualMemory Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba489ac0

Shadow SSDT
-------------------
#: 383 Function Name: NtUserGetAsyncKeyState Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba489440
#: 414 Function Name: NtUserGetKeyboardState Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba4893b0
#: 416 Function Name: NtUserGetKeyState Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba4893f0
#: 549 Function Name: NtUserSetWindowsHookEx Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba489330

==EOF==

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-08 15:19:56
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Simon\LOCALS~1\Temp\uxtdypow.sys

---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwClose [0xBA4898A0]
SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwOpenProcess [0xBA4898D0]
SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateProcess [0xBA489980]
SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateThread [0xBA489A20]
SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwWriteVirtualMemory [0xBA489AC0]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCC 0x9F 0xB3 0x36 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xCD 0xBE 0xD1 0x25 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xAD 0x92 0x98 0xFF ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCC 0x9F 0xB3 0x36 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xCD 0xBE 0xD1 0x25 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xAD 0x92 0x98 0xFF ...

---- EOF - GMER 1.0.15 ----
Cecilia Posted November 8, 2009

Yes, now it is clear that there do not appear to be any rootkits.

I suspect that AVG gave a false alarm and that the driver it put in quarantine belongs to Daemon Tools. To find out, I would like you to restore one of the files from the quarantine and then browse to that file on the page http://www.virustotal.com . Then press Send File and wait until the result is ready (Current status changes to completed). Paste the result from the various antivirus programs (not Other information), or a link to the result, here.
kemsi Posted November 8, 2009 Author

> Yes, now it is clear that there do not appear to be any rootkits.
>
> I suspect that AVG gave a false alarm and that the driver it put in quarantine belongs to Daemon Tools. To find out, I would like you to restore one of the files from the quarantine and then browse to that file on the page http://www.virustotal.com . Then press Send File and wait until the result is ready (Current status changes to completed). Paste the result from the various antivirus programs (not Other information), or a link to the result, here.

Hmm, OK, so any file at all from the AVG quarantine, then? I took one (which I guess is one of the files you mean) and ran it through VirusTotal, and this was the result (in the link below). Note: I pressed "restore as" to the desktop so that I could find it more easily; was that OK to do? Thanks!

http://www.virustotal.com/sv/analisis/57fd36595250cde1ac56c28bfa370c3bf861b7d238aebb125a94ed73cbfb71f6-1257696087
Cecilia Posted November 8, 2009

Of course it is fine to restore it to the desktop.

However, I am a bit unsure which file you scanned. It should be one of the files that AVG said was a rootkit, i.e. avw3tpy3.SYS or amb2d7rq.SYS, but a completely different name is shown on the VirusTotal page. I am sorry I wrote so unclearly that it did not come across.
Cecilia Posted November 9, 2009

It looks as though AVG gave a false alarm and there was no rootkit on the computer.

To be on the safe side, scan the computer with AVG now that Daemon Tools is uninstalled.

Run ComboFix again and paste the new log.
kontakten Posted November 11, 2009

Hi Kemsi, maybe you have solved the problem. I had a similar problem a few weeks ago; it took a quarter of an hour before the computer opened programs. I have Advanced SystemCare installed (free) and pressed the button. It found lots of errors, which it fixed. It took just a few minutes, and then the computer was like new. Try it.