
HijackThis help



My computer is on its way out, so I decided to run HijackThis (in administrator mode) before it dies completely!

Very grateful for any answers! :)

Best regards, Kemsi

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:33:34, on 2009-11-03

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe

C:\WINDOWS\system32\WgaTray.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\PROGRA~1\AVG\AVG8\avgfws8.exe

C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSMonitor.exe

C:\PROGRA~1\AVG\AVG8\avgam.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Simon\My Documents\Hämtade filer\HijackThis.exe

C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [AVGIDS] "C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Blogga detta - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blogga detta i Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe

O23 - Service: AVGIDSAgent - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe

O23 - Service: AVGIDSWatcher - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe

O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 8617 bytes
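Added example, not part of the thread and not code from HijackThis: a small Python triage script for logs in the layout above. It flags entries whose registry data points at a file that no longer exists, lists toolbars (O3) and BHOs (O2) for review, and flags Run entries (O4) whose command is a bare file name that Windows resolves through the search path. The input is a constructed excerpt of the posted log.

```python
import re

# Constructed excerpt of the HijackThis v2.0.2 log above: a few of its lines, same layout.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Every HijackThis entry starts with a section code: "R1 - ...", "O4 - ...".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# O4 bodies look like: HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def executable_of(cmd):
    """First token of an O4 command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_bare_filename(exe):
    """True when the command names a file with no directory, so Windows resolves it via the search path."""
    return "\\" not in exe and ":" not in exe


def parse_entries(text):
    """Turn log lines into dicts with code, name, path and (where present) CLSID."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        code, body = m.group("code"), m.group("body")
        entry = {"code": code, "raw": line.strip(), "name": None, "path": None, "clsid": None}
        if code == "O4":
            r = RUN_RE.match(body)
            if r:
                entry["name"] = r.group("name")
                entry["path"] = executable_of(r.group("cmd"))
        else:
            # "Type: name - {CLSID} - path": the last " - " field is the file, the first holds the name.
            # A name that itself contains " - " gets truncated, but the path field is unaffected.
            parts = body.split(" - ")
            if len(parts) >= 2:
                entry["path"] = parts[-1].strip()
                head = parts[0]
                entry["name"] = head.split(": ", 1)[1] if ": " in head else head
                c = CLSID_RE.search(body)
                entry["clsid"] = c.group(0) if c else None
        entries.append(entry)
    return entries


def triage(text):
    """Apply three cheap review heuristics to a HijackThis log."""
    findings = {"missing_file": [], "toolbars": [], "bhos": [], "bare_run_commands": []}
    for e in parse_entries(text):
        if e["path"] == "(no file)":
            # The registry still references a file that is gone: leftover of an uninstall or a removal.
            findings["missing_file"].append(e["raw"])
        if e["code"] == "O3":
            # Browser toolbars are the usual carriers of adware; list every one for review.
            findings["toolbars"].append((e["name"], e["path"]))
        if e["code"] == "O2":
            findings["bhos"].append((e["name"], e["path"]))
        if e["code"] == "O4" and e["path"] and is_bare_filename(e["path"]):
            # No directory given: which binary actually runs depends on the search path.
            # For a rundll32.exe host the thing to look up is the DLL on the rest of the line.
            findings["bare_run_commands"].append((e["name"], e["path"]))
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_HJT_LOG).items():
        print(category)
        for item in items:
            print("   ", item)
```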


AVG version 8 has been replaced by AVG 9, so upgrade to the new version.

O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll

That is an ad toolbar and not something you should have on the computer.

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

Counts as questionable.

Can you describe in more detail what problems you are having with the computer?


It has generally become slower even though it has the same amount of disk space. Opening a folder takes about 5 - 15 seconds instead of 1 second as before. I scanned with AVG a day or so ago and it found a rootkit that could not be removed; I don't know how to remove it in that case? Thanks! :)

Cecilia, in light of the earlier discussion about IObit and MBAM, it would be a mistake if this thread had been created as an attempt to make an example here, since this HijackThis thread turned up conveniently right after my latest post in the other thread. You don't do that kind of thing, do you?
No, I don't, because I don't have time for that. At 15:18 I was hurrying to the commuter train and had absolutely no chance to write any posts.

Oh dear, a rootkit is no fun. Can you paste a log from AVG that shows what was found (there is surely a more exact name than just rootkit) and which file and folder it is/was in?


I'm running the scanner again since I couldn't find any saved log from the previous scan, but what does a rootkit actually mean? Can it collect sensitive information and change settings on the computer? When I was about to scan the computer again something odd happened: the list of scan areas had changed, everything was checked except "scanning for rootkit", which seems to have unchecked itself!


A rootkit is a type of malicious program that has the ability to hide itself from other programs, which makes it hard for antivirus programs and other similar programs to find and remove. What then happens on the computer, e.g. spying or sending spam, can vary a great deal. Many malicious programs, even if they are not rootkits, change settings in Windows to make them harder to remove; for example they can disable the Task Manager.

Were you able to check the rootkit scan again?


Aha, doesn't sound fun; in other words it has to go. Yes, I was able to check "scan for rootkits" again, so no problems there. Here is the whole log from the scan (quite long). AVG found a lot of "warnings" and one "rootkit", but as mentioned it failed to remove the rootkit since it (as you said) hides in some system so-called "hidden driver". (Haven't updated AVG to ver. 9 yet, but ver. 8 is fully updated.) I have also found an earlier screenshot of my previous scan that shows more detailed info about the rootkit. "C:\WINDOWS\SYSTEM32\Drivers\avw3tpy3.SYS" is its name now, but in the previous scan it was called "C:\WINDOWS\SYSTEM32\Drivers\amb2d7rq.SYS" Thanks! :)

"Scan ""Scan whole computer"" was finished."

"Rootkits";"1";"0";"1"

"Warnings";"31"

"Information";"94"

"Folders selected for scanning:";"Scan whole computer"

"Scan started:";"den 5 november 2009, 15:30:37"

"Scan finished:";"den 5 november 2009, 16:52:51 (1 hour(s) 22 minute(s) 14 second(s))"

"Total object scanned:";"405720"

"User who launched the scan:";"kemsi"


"Rootkits"

"File";"Infection";"Result"

"C:\WINDOWS\System32\Drivers\avw3tpy3.SYS";"Hidden driver";"Object is hidden"

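Added example, not part of the thread and not AVG's code: a Python parser for the semicolon-separated log layout above. It splits the log into its summary rows and its Warnings/Rootkits/Information sections, tags a hidden driver whose file name is eight random-looking characters (as avw3tpy3.SYS and amb2d7rq.SYS are), and diffs the rootkit paths between two scans, which is how the renaming the poster noticed shows up. The input is a constructed excerpt of the posted log; the earlier path is the one quoted from the poster's screenshot.

```python
import csv
import io
import re

# Constructed excerpt of the AVG 8 scan log above: summary rows first, then sections that each
# begin with a one-field title line and a "File";"Infection";"Result" header row.
SAMPLE_AVG_LOG = '''\
"Scan ""Scan whole computer"" was finished."
"Rootkits";"1";"0";"1"
"Warnings";"31"
"Information";"94"
"Total object scanned:";"405720"
"Warnings"
"File";"Infection";"Result"
"C:\\Documents and Settings\\Simon\\Cookies\\simon@atdmt[2].txt";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"Rootkits"
"File";"Infection";"Result"
"C:\\WINDOWS\\System32\\Drivers\\avw3tpy3.SYS";"Hidden driver";"Object is hidden"
"Information"
"File";"Infection";"Result"
"C:\\WINDOWS\\system32\\drivers\\sptd.sys";"Locked file. Not tested.";"Locked file. Not tested."
'''

# Path the poster quoted from the earlier scan's screenshot (same finding, different file name).
PREVIOUS_SCAN_ROOTKITS = [r"C:\WINDOWS\SYSTEM32\Drivers\amb2d7rq.SYS"]

SECTION_NAMES = {"Warnings", "Rootkits", "Information"}
# Eight letters/digits plus .sys, directly under a drivers folder. A heuristic only: some
# legitimate drivers have names of that shape too, so it marks entries for a closer look.
RANDOM_DRIVER_RE = re.compile(r"\\drivers\\[a-z0-9]{8}\.sys$", re.IGNORECASE)


def parse_avg_log(text):
    """Return (summary, sections): summary maps the label column to the remaining columns,
    sections maps a section title to its (file, infection, result) rows."""
    summary, sections, current = {}, {}, None
    # AVG doubles embedded quotes ("" inside a field), which csv's default dialect understands.
    for row in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if not row:
            continue
        if len(row) == 1 and row[0] in SECTION_NAMES:
            current = row[0]          # a bare title line opens a section
            sections[current] = []
        elif current is None:
            summary[row[0]] = row[1:]  # still in the summary block
        elif row[:3] == ["File", "Infection", "Result"]:
            continue                   # per-section header row
        elif len(row) >= 3:
            sections[current].append(tuple(row[:3]))
    return summary, sections


def hidden_driver_findings(text):
    """Rows of the Rootkits section, each tagged with whether the driver name looks generated."""
    _, sections = parse_avg_log(text)
    return [
        {"path": path, "infection": infection, "result": result,
         "random_name": bool(RANDOM_DRIVER_RE.search(path))}
        for path, infection, result in sections.get("Rootkits", [])
    ]


def compare_rootkit_paths(previous, current):
    """Diff rootkit paths of two scans, case-insensitively (AVG's own casing varies between rows)."""
    prev = {p.lower() for p in previous}
    curr = {p.lower() for p in current}
    return {"gone": sorted(prev - curr), "new": sorted(curr - prev), "stable": sorted(prev & curr)}


if __name__ == "__main__":
    summary, sections = parse_avg_log(SAMPLE_AVG_LOG)
    print("objects scanned:", summary["Total object scanned:"][0])
    for title, rows in sections.items():
        print(title, len(rows), "row(s)")
    findings = hidden_driver_findings(SAMPLE_AVG_LOG)
    for f in findings:
        print(f)
    # A driver that is reported under a fresh name on every scan is a sign the finding is
    # being regenerated, not a stale leftover: the diff makes that visible.
    print(compare_rootkit_paths(PREVIOUS_SCAN_ROOTKITS, [f["path"] for f in findings]))
```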


Don't replace AVG for now, because there is always a risk that the installation goes wrong.

Save ComboFix to the Desktop:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Close all programs you can see, including antivirus and antispyware programs, but leave the firewall on.

How? See http://www.bleepingcomputer.com/forums/topic114351.html

Run ComboFix and follow the instructions shown.

If a question comes up asking whether you want to install the Recovery Console, answer yes.

IMPORTANT! Don't click on the ComboFix window with the mouse while it is running, otherwise it may hang.

When it has finished a log should come up; attach it to your reply. Check that the antivirus program etc. is running before you connect to the internet.

If you have problems getting onto the internet:

Control Panel - Network Connections

right-click your internet connection and choose Repair, and/or restart the computer.

Warning! ComboFix disables autorun for CDs, floppy disks and USB devices to make it easier to clean the computer and to protect the computer against infections in the future. That can cause problems, e.g. if the computer gets its internet via a USB modem or USB network card. In that case say so instead of running ComboFix.


There, now I think I have managed to scan the computer with ComboFix the right way; I had some trouble with the program at first, as it hung 3 or 4 times.

Here is the log, I hope it tells you something. Thanks :)

ComboFix 09-11-05.01 - Simon 2009-11-06 16:45.2.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.46.1033.18.2046.1481 [GMT 1:00]

Körs från: c:\documents and settings\Simon\My Documents\Hämtade filer\ComboFix.exe

AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

.

((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Föregående körning -------

.

C:\install.exe

.

(((((((((((((((((((((((( Filer Skapade från 2009-10-06 till 2009-11-06 ))))))))))))))))))))))))))))))

.

2009-11-06 14:05 . 2009-11-06 14:05 -------- d-----w- c:\windows\system32\xircom

2009-11-06 14:05 . 2009-11-06 14:05 -------- d-----w- c:\windows\system32\wbem\snmp

2009-11-06 14:05 . 2009-11-06 14:05 -------- d-----w- c:\program files\microsoft frontpage

2009-11-05 21:18 . 2009-11-05 21:18 152576 ----a-w- c:\documents and settings\Simon\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2009-11-05 14:25 . 2009-10-21 09:41 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll

2009-11-03 14:49 . 2009-10-21 09:41 2025752 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe

2009-10-16 02:15 . 2009-07-17 16:22 1435648 ------w- c:\windows\system32\dllcache\query.dll

2009-10-16 02:15 . 2009-08-26 08:03 247326 ------w- c:\windows\system32\dllcache\strmdll.dll

2009-10-16 02:14 . 2009-09-04 21:03 58880 ------w- c:\windows\system32\dllcache\msasn1.dll

2009-10-13 19:42 . 2009-10-13 19:42 -------- d-----w- c:\windows\SxsCaPendDel

2009-10-13 19:15 . 2009-10-13 19:41 -------- d-----w- c:\program files\LearnWARE

.

(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-05 21:19 . 2009-03-19 15:34 -------- d-----w- c:\program files\Java

2009-11-04 23:09 . 2009-03-12 00:12 -------- d-----w- c:\program files\Steam

2009-11-04 19:31 . 2009-01-26 20:33 38 ----a-w- c:\documents and settings\Simon\jagex_runescape_preferences.dat

2009-11-04 19:10 . 2009-09-02 13:08 63 ----a-w- c:\documents and settings\Simon\jagex_runescape_preferences2.dat

2009-10-27 21:09 . 2009-01-26 19:17 -------- d-----w- c:\documents and settings\Simon\Application Data\uTorrent

2009-10-23 15:50 . 2009-02-07 19:09 -------- d-----w- c:\documents and settings\Simon\Application Data\dvdcss

2009-10-11 03:17 . 2009-01-26 20:27 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-10-01 02:52 . 2009-03-01 14:50 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-09-29 14:30 . 2009-09-29 14:29 -------- d-----w- c:\program files\SwiftKit

2009-09-29 14:29 . 2009-09-29 14:29 -------- d-----w- c:\documents and settings\All Users\Application Data\SwiftKit

2009-09-28 11:58 . 2009-09-25 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2009-09-25 21:02 . 2009-09-25 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations

2009-09-25 21:02 . 2009-09-25 21:02 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-09-25 21:02 . 2009-09-25 21:02 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys

2009-09-25 21:02 . 2009-09-25 21:02 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-09-25 21:02 . 2009-09-25 21:02 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-09-25 21:02 . 2009-09-25 21:02 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-09-25 21:00 . 2009-09-25 21:00 50968 ----a-w- c:\windows\system32\avgfwdx.dll

2009-09-25 21:00 . 2009-09-25 21:00 29208 ----a-w- c:\windows\system32\drivers\avgfwdx.sys

2009-09-25 21:00 . 2009-01-26 19:02 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-09-25 19:44 . 2009-03-01 14:50 -------- d-----w- c:\program files\NOS

2009-09-17 13:47 . 2009-09-17 13:46 -------- d-----w- c:\program files\Common Files\Adobe

2009-09-14 18:55 . 2009-09-14 18:55 -------- d-----w- c:\documents and settings\Simon\Application Data\Uniblue

2009-09-14 10:58 . 2009-09-14 10:58 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-09-12 13:20 . 2009-04-10 23:56 -------- d-----w- c:\program files\Free Music Zilla

2009-09-11 14:13 . 2009-01-08 19:09 136704 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-11 10:59 . 2009-03-03 22:14 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-09-10 19:55 . 2009-09-10 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan

2009-09-04 21:03 . 2008-04-14 04:42 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-09-03 16:56 . 2009-09-03 16:56 152576 ----a-w- c:\documents and settings\Simon\Application Data\Sun\Java\jre1.6.0_16\lzma.dll

2009-09-02 09:58 . 2009-09-28 11:58 1107200 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll

2009-08-29 08:08 . 2008-10-16 19:38 916480 ------w- c:\windows\system32\wininet.dll

2009-08-26 08:03 . 2009-01-08 19:12 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-08-17 11:52 . 2009-01-26 19:18 68840 ----a-w- c:\documents and settings\Simon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-11 14:48 . 2009-08-11 14:48 152576 ----a-w- c:\documents and settings\Simon\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

------- Sigcheck -------

[-] 2009-01-08 . 5AE1C2695F6523AD98B948F2887D8C5E . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys

[-] 2009-01-08 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-11-06_10.50.41 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-11-06 14:10 . 2009-11-06 14:10 16384 c:\windows\Temp\Perflib_Perfdata_2e4.dat

.

(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Not* Tomma poster & legitima standardposter visas inte.

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-09-02 09:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-03 2028312]

"AVGIDS"="c:\program files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe" [2009-07-22 1600008]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2009-01-26 577536]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-01-15 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"_nltide_2"="shell32" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-09-25 21:02 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BankID Security Application.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^Simon^Start Menu^Programs^Startup^Free Music Zilla.lnk]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Documents and Settings\\Simon\\Desktop\\DC++\\DCPlusPlus.exe"=

"c:\\Program Files\\Steam\\steamapps\\baileys_boy15@hotmail.com\\counter-strike\\hl.exe"=

"c:\\Program Files\\Free Music Zilla\\FMZilla.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2009-07-22 25608]

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-09-25 12552]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-09-25 335240]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-09-25 108552]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-09-25 297752]

R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [2009-09-25 1370488]

R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe [2009-07-22 571912]

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-07-19 55152]

R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-09-25 29208]

R3 AVGIDSDriver;AVGIDSDriver;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSDriver.sys [2009-07-22 121352]

R3 AVGIDSFilter;AVGIDSFilter;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSFilter.sys [2009-07-22 30216]

R3 AVGIDSShim;AVGIDSShim;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys [2009-07-22 27232]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe [2009-07-22 5641736]

S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-09-25 29208]

S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2009-02-06 533360]

--- Övriga tjänster/drivrutiner i minnet ---

*Deregistered* - mbr

*Deregistered* - PROCEXP113

.

Innehållet i mappen 'Schemalagda aktiviteter':

2009-10-29 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-11-06 c:\windows\Tasks\User_Feed_Synchronization-{5F672323-F82B-4270-B21F-20C416B04789}.job

- c:\windows\system32\msfeedssync.exe [2009-01-08 02:31]

.

.

------- Extra genomsökning -------

.

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: E&xportera till Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Simon\Application Data\Mozilla\Firefox\Profiles\07lsd12p.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=

FF - prefs.js: browser.search.selectedEngine - Live Search

FF - prefs.js: browser.startup.homepage - www.google.se

FF - prefs.js: keyword.URL - hxxp://se.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_se&p=

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

FF - plugin: c:\program files\Personal\bin\np_prsnl.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICY ----

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-06 16:50

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spcv.sys >>UNKNOWN [0x89E09938]<<

kernel: MBR read successfully

user & kernel MBR OK

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

atapi.sys @ 0x0 0x0 bytes

\Driver\atapi [ IRP_MJ_CREATE ] 0xA6F2 != 0xB9DFCB40 atapi.sys

\Driver\atapi [ IRP_MJ_CLOSE ] 0xA6F2 != 0xB9DFCB40 atapi.sys

\Driver\atapi [ IRP_MJ_DEVICE_CONTROL ] 0xA712 != 0xB9DFCB40 atapi.sys

\Driver\atapi [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x6852 != 0xB9DFCB40 atapi.sys

\Driver\atapi [ IRP_MJ_POWER ] 0xA73C != 0xB9DFCB40 atapi.sys

\Driver\atapi [ IRP_MJ_SYSTEM_CONTROL ] 0x11336 != 0xB9DFCB40 atapi.sys

\Driver\atapi IRP hooks detected !

**************************************************************************

.

--------------------- DLLer som "laddats" under processer som körs ---------------------

- - - - - - - > 'explorer.exe'(220)

c:\windows\system32\WININET.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Sluttid: 2009-11-06 16:53

ComboFix-quarantined-files.txt 2009-11-06 15:52

Före genomsökningen: 21 507 198 976 bytes free

Efter genomsökningen: 21 471 346 688 bytes free

- - End Of File - - 6CB80DD0A77FF6A9EDC971DAFDCA9C60


1. If you have Daemon Tools, Alcohol 120% or any similar program that creates virtual CD drives, uninstall that program for the time being and then restart the computer.

2. Save this file to the Desktop:

http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe

Run the program.

When it is done, a log file Win32kDiag.txt is created on the Desktop. Paste it into your reply.

3. Save this file to the Desktop:

http://rootrepeal.googlepages.com/RootRepeal.zip

Unpack (extract) the zip file so that you get a program file.

Start RootRepeal.

Select the Report tab and click Scan.

Tick all seven options and then click Yes.

Select C: and click Ok.

It takes a while for RootRepeal to scan C:.

When the scan is finished, click Save Report and save it under the name rootrepeal.log. Paste in the contents of rootrepeal.log.

4. Save Gmer to the Desktop from one of these pages:

http://www.gmer.net/files.php choose Gmer application

http://www.majorgeeks.com/GMER_d5198.html

Unpack the file to the Desktop.

Unplug the internet connection.

Close all programs, including antivirus program and firewall.

Start the program gmer.exe.

If a question about "scan" comes up, choose No. Save the log and paste it into your reply. Do nothing more.

If the question does not come up, select the Rootkit/Malware tab and check that everything on the right is ticked except Show All. Click Scan. Leave the computer alone while Gmer is working.

Click Save and save the result to the Desktop.

Turn the antivirus program and firewall back on before you connect to the internet.

Paste the result into your reply.
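Once logs like the ones requested above have been pasted, grouping what the scanners reported makes the follow-up questions (which module hooks what, which driver's dispatch table looks patched) easier to answer. The following Python helper is an added example, not code from this thread or from RootRepeal, Gmer or ComboFix; it assumes the line formats visible in the logs posted in this thread, runs over a constructed sample copied from them, and the split between modules named with a full path and modules named without one is this example's own heuristic.

```python
"""Triage helper for RootRepeal and Gmer/ComboFix rootkit-scan output of the kind
pasted in this thread. Added example: not code from the thread or from any of the
tools. It only groups what the scanners already report; deciding whether a hooking
module belongs to a security suite, a virtual-CD driver or malware remains manual."""
import re
from collections import defaultdict

# RootRepeal "SSDT" section: a "#: NNN Function Name: NtXxx" line followed by
# a 'Status: Hooked by "<module>" at address 0x...' line.
SSDT_FUNC_RE = re.compile(r'^#:\s*(\d+)\s+Function Name:\s*(\S+)')
SSDT_HOOK_RE = re.compile(r'^Status:\s*Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
# RootRepeal "Stealth Objects" section (the "Process: System Address: ..." line that
# follows each object is not needed for grouping and is skipped).
STEALTH_RE = re.compile(r'^Object: Hidden Code \[Driver: ([^,]+), (IRP_MJ_\w+)\]')
# Gmer's IRP check as it appears inside a ComboFix log, e.g.
# \Driver\atapi [ IRP_MJ_CREATE ] 0xA6F2 != 0xB9DFCB40 atapi.sys
GMER_IRP_RE = re.compile(
    r'^\\Driver\\(\S+) \[ (IRP_MJ_\w+) \] (0x[0-9A-Fa-f]+) != (0x[0-9A-Fa-f]+) (\S+)')


def parse_ssdt_hooks(text):
    """Return {hooking module: [hooked Nt function, ...]} in log order."""
    hooks = defaultdict(list)
    pending = None  # function named on the previous "#:" line
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_FUNC_RE.match(line)
        if m:
            pending = m.group(2)
            continue
        m = SSDT_HOOK_RE.match(line)
        if m and pending:
            hooks[m.group(1)].append(pending)
            pending = None
    return dict(hooks)


def parse_stealth_objects(text):
    """Return {driver: [IRP_MJ_* entries RootRepeal reports as hidden code]}."""
    objs = defaultdict(list)
    for raw in text.splitlines():
        m = STEALTH_RE.match(raw.strip())
        if m:
            objs[m.group(1)].append(m.group(2))
    return dict(objs)


def parse_gmer_irp_hooks(text):
    """Return {driver: [(IRP_MJ_*, address seen, address expected), ...]}."""
    hooks = defaultdict(list)
    for raw in text.splitlines():
        m = GMER_IRP_RE.match(raw.strip())
        if m:
            hooks[m.group(1)].append((m.group(2), m.group(3), m.group(4)))
    return dict(hooks)


def triage(text):
    """Summarise one pasted log. Heuristic specific to this example: a hooking
    module that RootRepeal names without any path (like "spcv.sys" in this thread)
    cannot be matched to an installed program from the log alone, so it is listed
    under needs_identification; modules with a full path are listed separately."""
    ssdt = parse_ssdt_hooks(text)
    return {
        "ssdt_hooks": ssdt,
        "needs_identification": sorted(m for m in ssdt if "\\" not in m),
        "path_known": sorted(m for m in ssdt if "\\" in m),
        "hidden_dispatch": parse_stealth_objects(text),
        "gmer_irp_hooks": parse_gmer_irp_hooks(text),
    }


# Constructed sample: a handful of lines copied from the logs pasted in this thread.
SAMPLE = r"""
#: 025 Function Name: NtClose
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba3c98a0
#: 041 Function Name: NtCreateKey
Status: Hooked by "spcv.sys" at address 0xb9ea80e0
#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spcv.sys" at address 0xb9ec6ca2
#: 119 Function Name: NtOpenKey
Status: Hooked by "spcv.sys" at address 0xb9ea80c0
#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba3c98d0
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x89de71f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x89de71f8 Size: 121
\Driver\atapi [ IRP_MJ_CREATE ] 0xA6F2 != 0xB9DFCB40 atapi.sys
\Driver\atapi [ IRP_MJ_CLOSE ] 0xA6F2 != 0xB9DFCB40 atapi.sys
"""

if __name__ == "__main__":
    summary = triage(SAMPLE)
    for module in summary["needs_identification"]:
        print("identify:", module, "hooks", summary["ssdt_hooks"][module])
    for module in summary["path_known"]:
        print("path known:", module, "hooks", summary["ssdt_hooks"][module])
    for driver, irps in summary["gmer_irp_hooks"].items():
        print("Gmer IRP mismatch:", driver, [i[0] for i in irps])
```

Feed it the full rootrepeal.log or ComboFix log text instead of SAMPLE to get the same grouping for a real paste.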



Okay, now I have tried not to miss anything and pasted in the scan logs from Win32kDiag, RootRepeal and Gmer. :)

When I scanned with Win32kDiag, "WARNING: Could not get backup privileges!" came up; what does this mean? Thanks :)

Win32kDiag.txt.

Running from: C:\Documents and Settings\Simon\Desktop\Win32kDiag(2).exe

Log file at : C:\Documents and Settings\Simon\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

rootrepeal.log.

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/11/07 02:29

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: a5bed12r.SYS

Image Path: C:\WINDOWS\System32\Drivers\a5bed12r.SYS

Address: 0xB8839000 Size: 221184 File Visible: No Signed: -

Status: -

Name: catchme.sys

Image Path: C:\DOCUME~1\Simon\LOCALS~1\Temp\catchme.sys

Address: 0xB4DD2000 Size: 31744 File Visible: No Signed: -

Status: -

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xB56A8000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xBA5D0000 Size: 8192 File Visible: No Signed: -

Status: -

Name: PCI_PNP2594

Image Path: \Driver\PCI_PNP2594

Address: 0x00000000 Size: 0 File Visible: No Signed: -

Status: -

Name: PROCEXP113.SYS

Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS

Address: 0xBA5EE000 Size: 7872 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xB4FEF000 Size: 49152 File Visible: No Signed: -

Status: -

Name: spcv.sys

Image Path: spcv.sys

Address: 0xB9EA7000 Size: 1048576 File Visible: No Signed: -

Status: -

Name: sptd

Image Path: \Driver\sptd

Address: 0x00000000 Size: 0 File Visible: No Signed: -

Status: -

SSDT

-------------------

#: 025 Function Name: NtClose

Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba3c98a0

#: 041 Function Name: NtCreateKey

Status: Hooked by "spcv.sys" at address 0xb9ea80e0

#: 071 Function Name: NtEnumerateKey

Status: Hooked by "spcv.sys" at address 0xb9ec6ca2

#: 073 Function Name: NtEnumerateValueKey

Status: Hooked by "spcv.sys" at address 0xb9ec7030

#: 119 Function Name: NtOpenKey

Status: Hooked by "spcv.sys" at address 0xb9ea80c0

#: 122 Function Name: NtOpenProcess

Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba3c98d0

#: 160 Function Name: NtQueryKey

Status: Hooked by "spcv.sys" at address 0xb9ec7108

#: 177 Function Name: NtQueryValueKey

Status: Hooked by "spcv.sys" at address 0xb9ec6f88

#: 247 Function Name: NtSetValueKey

Status: Hooked by "spcv.sys" at address 0xb9ec719a

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba3c9980

#: 258 Function Name: NtTerminateThread

Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba3c9a20

#: 277 Function Name: NtWriteVirtualMemory

Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba3c9ac0

Stealth Objects

-------------------

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]

Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]

Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]

Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]

Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]

Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]

Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]

Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]

Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]

Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]

Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]

Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]

Process: System Address: 0x89de71f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]

Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]

Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]

Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]

Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]

Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]

Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]

Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]

Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]

Process: System Address: 0x89967438 Size: 121

Object: Hidden Code [Driver: a5bed12rЅఅ瑎獆ର, IRP_MJ_CREATE]

Process: System Address: 0x89b2a1f8 Size: 121

Object: Hidden Code [Driver: a5bed12rЅఅ瑎獆ର, IRP_MJ_CLOSE]

Process: System Address: 0x89b2a1f8 Size: 121

Object: Hidden Code [Driver: a5bed12rЅఅ瑎獆ର, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x89b2a1f8 Size: 121

Object: Hidden Code [Driver: a5bed12rЅఅ瑎獆ର, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x89b2a1f8 Size: 121

Object: Hidden Code [Driver: a5bed12rЅఅ瑎獆ର, IRP_MJ_POWER]

Process: System Address: 0x89b2a1f8 Size: 121

Object: Hidden Code [Driver: a5bed12rЅఅ瑎獆ର, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x89b2a1f8 Size: 121

Object: Hidden Code [Driver: a5bed12rЅఅ瑎獆ର, IRP_MJ_PNP]

Process: System Address: 0x89b2a1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]

Process: System Address: 0x89b381f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]

Process: System Address: 0x89b381f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]

Process: System Address: 0x89b381f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]

Process: System Address: 0x89b381f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x89b381f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x89b381f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x89b381f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]

Process: System Address: 0x89b381f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]

Process: System Address: 0x89b381f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x89b381f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]

Process: System Address: 0x89b381f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]

Process: System Address: 0x89e551f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]

Process: System Address: 0x89e551f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]

Process: System Address: 0x89e551f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]

Process: System Address: 0x89e551f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x89e551f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x89e551f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x89e551f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]

Process: System Address: 0x89e551f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]

Process: System Address: 0x89e551f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x89e551f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]

Process: System Address: 0x89e551f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]

Process: System Address: 0x89ce81f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]

Process: System Address: 0x89ce81f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x89ce81f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x89ce81f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]

Process: System Address: 0x89ce81f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x89ce81f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]

Process: System Address: 0x89ce81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]

Process: System Address: 0x89de91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]

Process: System Address: 0x89de91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]

Process: System Address: 0x89de91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x89de91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x89de91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x89de91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]

Process: System Address: 0x89de91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]

Process: System Address: 0x89de91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]

Process: System Address: 0x89de91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x89de91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]

Process: System Address: 0x89de91f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]

Process: System Address: 0x895bd1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]

Process: System Address: 0x895bd1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x895bd1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x895bd1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]

Process: System Address: 0x895bd1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]

Process: System Address: 0x895bd1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]

Process: System Address: 0x89cf0500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]

Process: System Address: 0x89cf0500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x89cf0500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x89cf0500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]

Process: System Address: 0x89cf0500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x89cf0500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]

Process: System Address: 0x89cf0500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]

Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]

Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]

Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]

Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]

Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]

Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]

Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]

Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]

Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]

Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]

Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]

Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]

Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]

Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]

Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]

Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]

Process: System Address: 0x89596500 Size: 121

Object: Hidden Code [Driver: Mup, IRP_MJ_CREATE]

Process: System Address: 0x8991b500 Size: 121

Object: Hidden Code [Driver: Mup, IRP_MJ_CLOSE]

Process: System Address: 0x8991b500 Size: 121

Object: Hidden Code [Driver: Mup, IRP_MJ_READ]

Process: System Address: 0x8991b500 Size: 121

Object: Hidden Code [Driver: Mup, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x8991b500 Size: 121

Object: Hidden Code [Driver: Mup, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x8991b500 Size: 121

Object: Hidden Code [Driver: Mup, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x8991b500 Size: 121

Object: Hidden Code [Driver: Mup, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x8991b500 Size: 121

Object: Hidden Code [Driver: Mup, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x8991b500 Size: 121

Object: Hidden Code [Driver: Mup, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x8991b500 Size: 121

Object: Hidden Code [Driver: Mup, IRP_MJ_SHUTDOWN]

Process: System Address: 0x8991b500 Size: 121

Object: Hidden Code [Driver: Mup, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x8991b500 Size: 121

Object: Hidden Code [Driver: Mup, IRP_MJ_CLEANUP]

Process: System Address: 0x8991b500 Size: 121

Object: Hidden Code [Driver: Mup, IRP_MJ_PNP]

Process: System Address: 0x8991b500 Size: 121

Shadow SSDT

-------------------

#: 383 Function Name: NtUserGetAsyncKeyState

Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba3c9440

#: 414 Function Name: NtUserGetKeyboardState

Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba3c93b0

#: 416 Function Name: NtUserGetKeyState

Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba3c93f0

#: 549 Function Name: NtUserSetWindowsHookEx

Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba3c9330

==EOF==

Gmer.log

GMER 1.0.15.15163 - http://www.gmer.net

Rootkit scan 2009-11-07 14:35:21

Windows 5.1.2600 Service Pack 3

Running: gmer.exe; Driver: C:\DOCUME~1\Simon\LOCALS~1\Temp\uxtdypow.sys

---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwClose [0xBA3C98A0]

SSDT spcv.sys ZwCreateKey [0xB9EA80E0]

SSDT spcv.sys ZwEnumerateKey [0xB9EC6CA2]

SSDT spcv.sys ZwEnumerateValueKey [0xB9EC7030]

SSDT spcv.sys ZwOpenKey [0xB9EA80C0]

SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwOpenProcess [0xBA3C98D0]

SSDT spcv.sys ZwQueryKey [0xB9EC7108]

SSDT spcv.sys ZwQueryValueKey [0xB9EC6F88]

SSDT spcv.sys ZwSetValueKey [0xB9EC719A]

SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateProcess [0xBA3C9980]

SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateThread [0xBA3C9A20]

SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwWriteVirtualMemory [0xBA3C9AC0]

INT 0x62 ? 89DE8BF8

INT 0x63 ? 89DE8BF8

INT 0x73 ? 89DE8BF8

INT 0x73 ? 89DE8BF8

INT 0x73 ? 89DE8BF8

INT 0xA4 ? 89CE9BF8

INT 0xB4 ? 89CE9BF8

Code \??\C:\DOCUME~1\Simon\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? spcv.sys The system cannot find the file specified. !

.text USBPORT.SYS!DllUnload B92BB934 5 Bytes JMP 89CE91D8

? System32\Drivers\a5bed12r.SYS The system cannot find the path specified. !

? C:\DOCUME~1\Simon\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !

? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [b9EA9040] spcv.sys

IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [b9EA913C] spcv.sys

IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [b9EA90BE] spcv.sys

IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [b9EA97FC] spcv.sys

IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [b9EA96D2] spcv.sys

IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [b9EB9048] spcv.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89DE71F8

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )

Device \FileSystem\Fastfat \FatCdrom 89967438

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbohci \Device\USBPDO-0 89CE81F8

Device \Driver\dmio \Device\DmControl\DmIoDaemon 89E551F8

Device \Driver\dmio \Device\DmControl\DmConfig 89E551F8

Device \Driver\dmio \Device\DmControl\DmPnP 89E551F8

Device \Driver\dmio \Device\DmControl\DmInfo 89E551F8

Device \Driver\usbehci \Device\USBPDO-1 89CF0500

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

Device \Driver\Ftdisk \Device\HarddiskVolume1 89DE91F8

Device \Driver\Cdrom \Device\CdRom0 89B381F8

Device \Driver\Cdrom \Device\CdRom1 89B381F8

Device \Driver\atapi \Device\Ide\IdePort0 [b9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [b9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi \Device\Ide\IdePort1 [b9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi \Device\Ide\IdePort2 [b9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [b9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi \Device\Ide\IdePort3 [b9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi \Device\Ide\IdePort4 [b9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi \Device\Ide\IdePort5 [b9DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\NetBT \Device\NetBt_Wins_Export 895BD1F8

Device \Driver\NetBT \Device\NetbiosSmb 895BD1F8

Device \Driver\PCI_PNP2594 \Device\0000004d spcv.sys

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

Device \Driver\NetBT \Device\NetBT_Tcpip_{77919B9D-AD1B-4EEF-8615-E359AA46085D} 895BD1F8

Device \Driver\usbohci \Device\USBFDO-0 89CE81F8

Device \Driver\usbehci \Device\USBFDO-1 89CF0500

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89596500

Device \FileSystem\MRxSmb \Device\LanmanRedirector 89596500

Device \Driver\sptd \Device\3276161344 spcv.sys

Device \Driver\Ftdisk \Device\FtControl 89DE91F8

Device \Driver\a5bed12r \Device\Scsi\a5bed12r1 89B2A1F8

Device \Driver\a5bed12r \Device\Scsi\a5bed12r1Port6Path0Target0Lun0 89B2A1F8

Device \FileSystem\Fastfat \Fat 89967438

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )

Device \FileSystem\Cdfs \Cdfs 8991B500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCC 0x9F 0xB3 0x36 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xCD 0xBE 0xD1 0x25 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xAD 0x92 0x98 0xFF ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCC 0x9F 0xB3 0x36 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xCD 0xBE 0xD1 0x25 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xAD 0x92 0x98 0xFF ...

---- EOF - GMER 1.0.15 ----


There is a great deal in the logs that looks like it has to do with Daemon Tools. Are you sure the program is uninstalled?

Name: sptd

Image Path: \Driver\sptd

Address: 0x00000000 Size: 0 File Visible: No Signed: -

Status: -

If only Daemon Tools' own uninstaller is run, the SPTD.sys driver does not go away. To remove all traces of it you have to run the installer from Duplex Secure and choose the uninstall option in that program.

http://www.duplexsecure.com/downloads

:)


Thanks, Cynthia! :)

It is often the Daemon drivers that make it hard to find the malicious programs among all the Daemon lines in the logs.

Is it only SPTD.sys that gets removed, or also the other driver that Daemon Tools installs? In the log above it is called SPCV.sys, but the name varies between computers.


Hi! :)

SPTD.sys is also used by some other programs from Daemon Tools, e.g. BlindWrite, and that is presumably why Daemon Tools does not remove that driver. As far as I know, only SPTD.sys is uninstalled by the program from Duplex Secure.

I tried to find out who is behind SPCV.sys online, but all I found was that it was listed in some logs from antivirus/rootkit programs. So the question is whether it is a "real" file. I may be completely off track, but I get the impression that it is a file created by a virus.


There is a great deal in the logs that looks like it has to do with Daemon Tools. Are you sure the program is uninstalled?

These files that AVG has found, are they in AVG's quarantine?

Yes, they seem to be in the quarantine.

Now I have removed Daemon Tools the right way and rescanned everything as in your instructions. Maybe it looks better now!

Thanks! :)

Win32Diag

Running from: C:\Documents and Settings\Simon\Desktop\Win32kDiag(2).exe

Log file at : C:\Documents and Settings\Simon\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/11/08 14:19

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xB625A000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xBA5CC000 Size: 8192 File Visible: No Signed: -

Status: -

SSDT

-------------------

#: 025 Function Name: NtClose

Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba4898a0

#: 122 Function Name: NtOpenProcess

Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba4898d0

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba489980

#: 258 Function Name: NtTerminateThread

Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba489a20

#: 277 Function Name: NtWriteVirtualMemory

Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba489ac0

Shadow SSDT

-------------------

#: 383 Function Name: NtUserGetAsyncKeyState

Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba489440

#: 414 Function Name: NtUserGetKeyboardState

Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba4893b0

#: 416 Function Name: NtUserGetKeyState

Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba4893f0

#: 549 Function Name: NtUserSetWindowsHookEx

Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba489330

==EOF==

GMER 1.0.15.15163 - http://www.gmer.net

Rootkit scan 2009-11-08 15:19:56

Windows 5.1.2600 Service Pack 3

Running: gmer.exe; Driver: C:\DOCUME~1\Simon\LOCALS~1\Temp\uxtdypow.sys

---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwClose [0xBA4898A0]

SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwOpenProcess [0xBA4898D0]

SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateProcess [0xBA489980]

SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateThread [0xBA489A20]

SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwWriteVirtualMemory [0xBA489AC0]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCC 0x9F 0xB3 0x36 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xCD 0xBE 0xD1 0x25 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xAD 0x92 0x98 0xFF ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCC 0x9F 0xB3 0x36 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xCD 0xBE 0xD1 0x25 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xAD 0x92 0x98 0xFF ...

---- EOF - GMER 1.0.15 ----


Yes, now it is possible to see that there do not appear to be any rootkits.

I suspect that AVG gave a false alarm and that the driver it put in quarantine belongs to Daemon Tools. To find out, I would like you to restore one of the files from the quarantine and then browse to the file on the page http://www.virustotal.com . Then press Send File and wait until the result is ready (Current status becomes finished). Paste the results from the various antivirus programs (not Other information) or a link to the result here.
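As an added example, not code from this thread or from the GMER/RootRepeal authors, the Python below groups the hook entries in GMER and RootRepeal logs of the shape pasted above by the module that owns them, so a helper can see at a glance that every remaining hook belongs to AVG, and reports which modules (here Daemon Tools' spcv.sys) disappeared between two scans. The sample log lines are constructed, abbreviated subsets of the logs in this thread.

```python
"""Group the hooks GMER and RootRepeal report by the module that installed them and
list which modules vanished between two scans. Added example, not code from this
thread or from the GMER/RootRepeal authors; the sample logs are constructed,
abbreviated subsets in the same line shapes as the logs pasted above."""
import re
from collections import defaultdict

# GMER: "SSDT <module> (optional description) Zw<func> [0x<addr>]"
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>.+?\.sys)\s*(?:\(.*?\)\s*)?(?P<func>Zw\w+)\s+\[0x[0-9A-Fa-f]+\]",
    re.IGNORECASE)
# GMER: "IAT <victim>[<import>] [<addr>] <module>"
IAT_RE = re.compile(
    r"^IAT\s+(?P<victim>\S+?)\[(?P<imp>[^\]]+)\]\s+\[[0-9A-Fa-f]+\]\s+(?P<module>\S+)$")
# GMER: "AttachedDevice <driver> <device> <module> (optional description)"
ATTACHED_RE = re.compile(r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<module>\S+)")
# GMER: "Device <driver> <device> <module>.sys" (lines that end in an address are skipped)
DEVICE_RE = re.compile(r"^Device\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<module>\S+\.sys)$",
                       re.IGNORECASE)
# RootRepeal: "#: <n> Function Name: <func>" then 'Status: Hooked by "<path>" at address 0x..'
RR_FUNC_RE = re.compile(r"^#:\s*\d+\s+Function Name:\s*(?P<func>\w+)")
RR_HOOK_RE = re.compile(r'^Status:\s*Hooked by\s+"(?P<module>[^"]+)"\s+at address\s+0x[0-9A-Fa-f]+')

GMER_BEFORE = r"""
---- System - GMER 1.0.15 ----
SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwClose [0xBA3C98A0]
SSDT spcv.sys ZwCreateKey [0xB9EA80E0]
SSDT spcv.sys ZwOpenKey [0xB9EA80C0]
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [b9EA9040] spcv.sys
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 89DE71F8
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )
Device \Driver\sptd \Device\3276161344 spcv.sys
---- EOF - GMER 1.0.15 ----
"""
GMER_AFTER = r"""
---- System - GMER 1.0.15 ----
SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwClose [0xBA4898A0]
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )
---- EOF - GMER 1.0.15 ----
"""
ROOTREPEAL = r"""
#: 025 Function Name: NtClose
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba4898a0
#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xba4898d0
"""

def basename(path):
    """Reduce a full driver path (or a bare name) to its file name, e.g. AVGIDSShim.sys."""
    return path.rstrip("\\").rsplit("\\", 1)[-1]

def summarize(log_text):
    """Return {module file name: [what it hooks or attaches to, in log order]}."""
    hooks = defaultdict(list)
    pending = None  # RootRepeal prints the function on one line and the hook on the next
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            hooks[basename(m["module"])].append("SSDT:" + m["func"])
        elif m := IAT_RE.match(line):
            hooks[basename(m["module"])].append("IAT:%s!%s" % (basename(m["victim"]), m["imp"]))
        elif m := ATTACHED_RE.match(line):
            hooks[basename(m["module"])].append("AttachedDevice:" + m["device"])
        elif m := DEVICE_RE.match(line):
            hooks[basename(m["module"])].append("Device:" + m["device"])
        elif m := RR_FUNC_RE.match(line):
            pending = m["func"]
        elif m := RR_HOOK_RE.match(line):
            hooks[basename(m["module"])].append("SSDT:" + (pending or "?"))
            pending = None
    return dict(hooks)

def modules_gone(before_text, after_text):
    """Modules that owned hooks in the first scan but appear nowhere in the second."""
    return sorted(set(summarize(before_text)) - set(summarize(after_text)))

if __name__ == "__main__":
    for module, targets in summarize(GMER_BEFORE + ROOTREPEAL).items():
        print("%-18s %s" % (module, ", ".join(targets)))
    print("gone after the Daemon Tools cleanup:", modules_gone(GMER_BEFORE, GMER_AFTER))
```

Feed it the full pasted logs instead of the samples and every hook in the first GMER log resolves to either AVG's AVGIDSShim.sys/AVGIDSFilter.sys/avgtdix.sys or spcv.sys, which is exactly the Daemon Tools driver the helper asked about.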


Yes, now it is possible to see that there do not appear to be any rootkits.

I suspect that AVG gave a false alarm and that the driver it put in quarantine belongs to Daemon Tools. To find out, I would like you to restore one of the files from the quarantine and then browse to the file on the page http://www.virustotal.com . Then press Send File and wait until the result is ready (Current status becomes finished). Paste the results from the various antivirus programs (not Other information) or a link to the result here.

Hmm, okay, so any file from the AVG quarantine then? I took one (which I guess is one of the files you mean) and ran it through VirusTotal, and this was the result (in the link below). Note: I pressed "restore as" to the desktop so I could find it more easily; was it okay to do that? Thanks! :)

http://www.virustotal.com/sv/analisis/57fd36595250cde1ac56c28bfa370c3bf861b7d238aebb125a94ed73cbfb71f6-1257696087


Of course, it is fine to restore it to the desktop.

However, I am a bit unsure which file you scanned. It should be one of the files that AVG said was a rootkit, i.e. avw3tpy3.SYS or amb2d7rq.SYS, but a completely different name is shown on the VirusTotal page. I am sorry I wrote so unclearly that this did not come across.


Hi Kemsi, maybe you have solved the problem. I had a similar problem a few weeks ago; it took a quarter of an hour before the computer opened programs. I have Advanced System Care installed (free) and pressed the button. It found loads of errors, which it fixed. It took a few minutes, and then the computer was like new. Try it.
