Adware tracking cookie
Posts: 17

So I need a bit of help again. The above has destroyed or blocked AVG Anti-Virus, and in AVG Anti-Spyware I can't get real-time protection (it hasn't expired). When I scan with SUPERAntiSpyware, it restarts when it is almost done with the registry; it just manages to find Adware tracking cookie.

Here is the log from HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 18:57:03, on 18-02-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
D:\Installeret\Power Cinema\Kernel\TV\CLCapSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
D:\Installeret\Power Cinema\Kernel\TV\CLSched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Programmer\Creative\Surround Mixer\CTSysVol.exe
C:\Programmer\Creative\DVDAudio\CTDVDDET.EXE
C:\Programmer\Lexmark X1100 Series\lxbkbmgr.exe
C:\Programmer\Java\jre1.5.0_10\bin\jusched.exe
C:\Programmer\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Installeret\HP\HP Software Update\HPWuSchd2.exe
C:\Programmer\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\CaptureWiz\Pro\CaptureWiz.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Documents and Settings\Keld Sørensen\Skrivebord\System værktøjer\alternativ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/webhp?sourceid=navclient&ie=UTF-8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: Multi Media Toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - C:\Programmer\Multi_Media\tbMult.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Multi Media Toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - C:\Programmer\Multi_Media\tbMult.dll
O3 - Toolbar: Multi Media Toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - C:\Programmer\Multi_Media\tbMult.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Programmer\Creative\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDET] C:\Programmer\Creative\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmer\Fælles filer\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Programmer\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] D:\Installeret\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Programmer\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - Startup: CaptureWiz.lnk = C:\Programmer\CaptureWiz\Pro\CaptureWiz.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://D:\INSTAL~1\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\INSTAL~1\OFFICE~1\OFFICE12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Xstream Radio - {7A0815F1-6B65-4e3a-B198-709807B4042A} - C:\Programmer\XstreamRadio 3.02\RadioHelper.dll
O9 - Extra 'Tools' menuitem: Xstream Radio - {7A0815F1-6B65-4e3a-B198-709807B4042A} - C:\Programmer\XstreamRadio 3.02\RadioHelper.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\INSTAL~1\OFFICE~1\OFFICE12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168195788671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168195777937
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586-jc.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programmer\Fælles filer\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programmer\Fælles filer\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - D:\Installeret\Power Cinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - D:\Installeret\Power Cinema\Kernel\TV\CLSched.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - D:\Installeret\Nero.v7.0.Ultra.Edition\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Programmer\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Programmer\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe

Kind regards, Keld Gartner

Editor
Posts: 11785

Hi

Fix these with HijackThis (tick the lines below in HijackThis, close all other programs except HijackThis, then click "Fix checked" in HijackThis):

R3 - URLSearchHook: Multi Media Toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - C:\Programmer\Multi_Media\tbMult.dll

O2 - BHO: Multi Media Toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - C:\Programmer\Multi_Media\tbMult.dll

O3 - Toolbar: Multi Media Toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - C:\Programmer\Multi_Media\tbMult.dll

I can see that you have SUPERAntiSpyware installed. Update the program.

——
Open a folder, click Tools => Folder Options => View.
Untick "Hide protected operating system files".
Untick "Hide extensions for known file types".
Select "Show hidden files and folders".
——

Restart in Safe Mode (F8 during startup). Find and delete:

C:\Programmer\Multi_Media\ >>>> the folder

Run a scan with SAS and let the program remove the infected files. Save a log from the program.

Restart normally and post a SAS log and a fresh HijackThis log here in the thread for checking. Thanks.

Signature

Kind regards
Resist TeamSpywarefri

Member of: Alliance of Security Analysis Professionals
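The three lines Resist asks to fix all carry the same CLSID, {b5146c40-189a-4311-bda9-fbae3e023187}: the toolbar has registered itself as a URLSearchHook (R3), a Browser Helper Object (O2) and an IE toolbar (O3), so it has to be removed from all three places, and then from the folder it loads from. Spotting such clusters by hand is what the helper did. As an added example (not code from this thread, from HijackThis or from spywarefri.dk), the Python script below parses a HijackThis 1.99 log, groups entries by CLSID, flags O23 services whose binary HijackThis could not find (its own "(file missing)" marker, which in the log above is the AVG Anti-Spyware Guard service and matches the missing real-time protection the poster describes), and diffs two logs so the effect of a "Fix checked" round can be verified. The excerpt it runs on is constructed from the first log above; the function and constant names are the example's own.

```python
"""Triage helper for HijackThis 1.99 logs (added example, not part of the thread).

Parses the Rn/On entries, groups them by COM CLSID so a browser add-on that
registers itself several times (here: URLSearchHook + BHO + Toolbar) shows up
as one cluster, flags services whose binary is gone, and diffs two logs so the
effect of a "Fix checked" round is visible.
"""
import re
from collections import defaultdict

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")

# Entry kinds that load code into Internet Explorer; two or more hits on one
# CLSID means an add-on hooked in at several points and must be fixed at all of them.
IE_HOOK_KINDS = {"R3", "O2", "O3"}


def parse_entries(log_text):
    """Return a list of (kind, body) tuples for every Rn/On line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def clsid_clusters(entries):
    """Map each CLSID (lower-cased) to the set of entry kinds that reference it."""
    clusters = defaultdict(set)
    for kind, body in entries:
        for guid in CLSID_RE.findall(body):
            clusters[guid.lower()].add(kind)
    return clusters


def ie_addon_clusters(entries):
    """CLSIDs registered under two or more IE hook kinds (R3/O2/O3)."""
    return {guid: kinds for guid, kinds in clsid_clusters(entries).items()
            if len(kinds & IE_HOOK_KINDS) >= 2}


def missing_service_binaries(entries):
    """O23 service entries whose executable HijackThis could not find on disk."""
    return [body for kind, body in entries
            if kind == "O23" and body.endswith("(file missing)")]


def diff_logs(before_text, after_text):
    """Entries present in the first log but gone from the second, and vice versa."""
    before = set(parse_entries(before_text))
    after = set(parse_entries(after_text))
    return sorted(before - after), sorted(after - before)


# Constructed excerpt modelled on the first log in the thread (not the full log).
SAMPLE_BEFORE = """\
R3 - URLSearchHook: Multi Media Toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - C:\\Programmer\\Multi_Media\\tbMult.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Programmer\\Java\\jre1.5.0_10\\bin\\ssv.dll
O2 - BHO: Multi Media Toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - C:\\Programmer\\Multi_Media\\tbMult.dll
O3 - Toolbar: Multi Media Toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - C:\\Programmer\\Multi_Media\\tbMult.dll
O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /install
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\\Programmer\\Grisoft\\AVG Anti-Spyware 7.5\\guard.exe (file missing)
"""
# The same excerpt after the three toolbar entries were fixed (constructed).
SAMPLE_AFTER = "\n".join(line for line in SAMPLE_BEFORE.splitlines()
                         if "Multi Media" not in line) + "\n"


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_BEFORE)
    for guid, kinds in ie_addon_clusters(entries).items():
        print("IE add-on hooked %d times: %s -> %s" % (len(kinds), guid, sorted(kinds)))
    for svc in missing_service_binaries(entries):
        print("service binary missing:", svc)
    removed, added = diff_logs(SAMPLE_BEFORE, SAMPLE_AFTER)
    print("entries removed by the fix:", len(removed), "| new entries:", len(added))
```

Run it on the first and second logs in this thread and the only difference is the three Multi Media Toolbar lines; anything that reappears after a fix is a sign that something re-creates the entries at boot, which is the question the helpers keep coming back to.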

Posts: 17

I fixed what I was supposed to and removed Multi_Media in C:\Programmer, but it won't restart in Safe Mode, and it also restarts when I scan with SAS.
I have run CC and cleantemp. SAS is updated.


New log

Logfile of HijackThis v1.99.1
Scan saved at 23:15:26, on 18-02-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
D:\Installeret\Power Cinema\Kernel\TV\CLCapSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
D:\Installeret\Power Cinema\Kernel\TV\CLSched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Programmer\Creative\Surround Mixer\CTSysVol.exe
C:\Programmer\Creative\DVDAudio\CTDVDDET.EXE
C:\Programmer\Lexmark X1100 Series\lxbkbmgr.exe
C:\Programmer\Java\jre1.5.0_10\bin\jusched.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Installeret\HP\HP Software Update\HPWuSchd2.exe
C:\Programmer\Lexmark X1100 Series\lxbkbmon.exe
C:\Programmer\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\CaptureWiz\Pro\CaptureWiz.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Keld Sørensen\Skrivebord\System værktøjer\alternativ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/webhp?sourceid=navclient&ie=UTF-8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Programmer\Creative\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDET] C:\Programmer\Creative\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmer\Fælles filer\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Programmer\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] D:\Installeret\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Programmer\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - Startup: CaptureWiz.lnk = C:\Programmer\CaptureWiz\Pro\CaptureWiz.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://D:\INSTAL~1\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\INSTAL~1\OFFICE~1\OFFICE12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Xstream Radio - {7A0815F1-6B65-4e3a-B198-709807B4042A} - C:\Programmer\XstreamRadio 3.02\RadioHelper.dll
O9 - Extra 'Tools' menuitem: Xstream Radio - {7A0815F1-6B65-4e3a-B198-709807B4042A} - C:\Programmer\XstreamRadio 3.02\RadioHelper.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\INSTAL~1\OFFICE~1\OFFICE12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168195788671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168195777937
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586-jc.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programmer\Fælles filer\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programmer\Fælles filer\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - D:\Installeret\Power Cinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - D:\Installeret\Power Cinema\Kernel\TV\CLSched.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - D:\Installeret\Nero.v7.0.Ultra.Edition\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Programmer\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Programmer\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe

Administrator
Posts: 29613

Then there is nothing more to find. How do things look now?

Posts: 17

Things don't look so good. I still can't start in Safe Mode and can't install AVG Anti-Virus. AVG Anti-Spyware: zero real-time protection + updates; SAS still can't scan further than the registry.

Logfile of HijackThis v1.99.1
Scan saved at 20:11:02, on 19-02-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Programmer\Creative\Surround Mixer\CTSysVol.exe
C:\Programmer\Creative\DVDAudio\CTDVDDET.EXE
C:\Programmer\Lexmark X1100 Series\lxbkbmgr.exe
C:\Programmer\Java\jre1.5.0_10\bin\jusched.exe
C:\Programmer\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Installeret\HP\HP Software Update\HPWuSchd2.exe
C:\Programmer\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\WINDOWS\system32\cisvc.exe
D:\Installeret\Power Cinema\Kernel\TV\CLCapSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
D:\Installeret\Power Cinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Keld Sørensen\Skrivebord\System værktøjer\alternativ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/webhp?sourceid=navclient&ie=UTF-8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Programmer\Creative\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDET] C:\Programmer\Creative\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmer\Fælles filer\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Programmer\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] D:\Installeret\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Programmer\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - Startup: CaptureWiz.lnk = C:\Programmer\CaptureWiz\Pro\CaptureWiz.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://D:\INSTAL~1\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\INSTAL~1\OFFICE~1\OFFICE12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Xstream Radio - {7A0815F1-6B65-4e3a-B198-709807B4042A} - C:\Programmer\XstreamRadio 3.02\RadioHelper.dll
O9 - Extra 'Tools' menuitem: Xstream Radio - {7A0815F1-6B65-4e3a-B198-709807B4042A} - C:\Programmer\XstreamRadio 3.02\RadioHelper.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\INSTAL~1\OFFICE~1\OFFICE12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168195788671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168195777937
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586-jc.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programmer\Fælles filer\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programmer\Fælles filer\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - D:\Installeret\Power Cinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - D:\Installeret\Power Cinema\Kernel\TV\CLSched.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - D:\Installeret\Nero.v7.0.Ultra.Edition\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Programmer\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Programmer\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe

********************************* ROOTCHK-LOG, by ejvindh
19-02-2007 20:11:46,68

Rootkit driver m_hook is present. A rootkit scan is required.

********************************* ROOTCHK-LOG-end
Is something missing from the log?

Kind regards, Keld Gartner

Ejvindh
Editor
Posts: 6048

It was good that you ran the rootchk tool, because it showed that you have a rootkit on your computer. I am therefore moving the thread to the Rootkit category. Some special conditions apply to support in this category, which you can read about here:

http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=29320

—Download this tool and save it on the desktop:
http://download.bleepingcomputer.com/sUBs/SafeBootKeyRepair.exe

—Download Avenger here:
http://swandog46.geekstogo.com/avenger.zip

—Unpack the Avenger program and double-click avenger.exe

—Select "Input Script Manually" and click the magnifying glass. A small window pops up; copy the contents between the dashed lines into it:

——————————————-
Folders to Delete:
%userprofile%\Application Data\hidn

registry values to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | drv_st_key

drivers to unload:
m_hook
——————————————-

—Click the traffic light in Avenger. The program will prompt you to restart the computer immediately, which you should do. The program will shut down your computer, delete the files and start the computer again.

—After the restart a Notepad window will appear with a log of Avenger's actions. Please post it in your next reply.

—Double-click SafeBootKeyRepair and follow the instructions. When the program has done its work, a log file opens, which you may post here for checking. Then try whether you can now restart into Safe Mode, and report back what you find.

—Then restart into normal mode and make a new log with HijackThis, so I can see whether your rootkit has hidden anything that needs to be removed.
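The SafeBootKeyRepair step exists because Safe Mode is driven by HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot: the loader only starts the driver groups, drivers and services listed under SafeBoot\Minimal (and \Network), so if that key is damaged the machine cannot reach Safe Mode at all, which is the poster's symptom. The tool restores the key and opens a .reg export for checking. As an added example (not a tool from the thread and not part of SafeBootKeyRepair), the Python script below parses such an export and reports which entries of a baseline are absent or carry a wrong default value. The baseline is the editor's assumption, a subset of what a stock Windows XP SP2 install has under SafeBoot\Minimal (device-class GUID entries left out); the sample export is constructed in the format the tool prints, with RpcSs deliberately missing so the report shows something.

```python
"""Check a SafeBoot key export for missing entries (added example, not from the thread).

SafeBootKeyRepair opens a .reg export of
HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot once it has restored the key.
Safe Mode only works when SafeBoot\\Minimal lists the driver groups, drivers and
services the loader needs, so this script parses the export and reports baseline
entries that are absent or carry a wrong default value.
"""
import re

KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>@|"[^"]*")=(?P<data>.*)$')

# Assumed baseline: a subset of the SafeBoot\Minimal entries of a stock
# Windows XP SP2 install (editor's assumption; device-class GUID entries omitted).
XP_SP2_MINIMAL_BASELINE = {
    "Base": "Driver Group", "Boot Bus Extender": "Driver Group",
    "Boot file system": "Driver Group", "File system": "Driver Group",
    "Filter": "Driver Group", "PCI Configuration": "Driver Group",
    "PNP Filter": "Driver Group", "Primary disk": "Driver Group",
    "SCSI Class": "Driver Group", "System Bus Extender": "Driver Group",
    "AppMgmt": "Service", "CryptSvc": "Service", "DcomLaunch": "Service",
    "EventLog": "Service", "PlugPlay": "Service", "RpcSs": "Service",
    "WinMgmt": "Service",
    "vga.sys": "Driver", "vgasave.sys": "Driver", "sermouse.sys": "Driver",
}
SAFEBOOT_ROOT = "hkey_local_machine\\system\\currentcontrolset\\control\\safeboot"


def parse_reg_export(text):
    """Return {key_path_lower: {value_name: data}} for a 'Windows Registry Editor 5.00' export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group("path").lower()
            keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name = vm.group("name")
            data = vm.group("data").strip()
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1]          # unquote REG_SZ data
            keys[current][name if name == "@" else name.strip('"')] = data
    return keys


def safeboot_root_present(keys):
    """True when the export contains the SafeBoot key itself."""
    return SAFEBOOT_ROOT in keys


def safeboot_subkeys(keys, profile="minimal"):
    """Map subkey name (lower-cased) -> default value under SafeBoot\\<profile>."""
    prefix = SAFEBOOT_ROOT + "\\" + profile + "\\"
    found = {}
    for path, values in keys.items():
        if path.startswith(prefix) and "\\" not in path[len(prefix):]:
            found[path[len(prefix):]] = values.get("@")
    return found


def missing_from_baseline(keys, baseline=XP_SP2_MINIMAL_BASELINE, profile="minimal"):
    """(name, expected, actual) for baseline entries absent or with a different default value."""
    present = safeboot_subkeys(keys, profile)
    problems = []
    for name, expected in baseline.items():
        actual = present.get(name.lower())
        if actual != expected:
            problems.append((name, expected, actual))
    return sorted(problems)


# Constructed excerpt in the format SafeBootKeyRepair prints; RpcSs is left out on purpose.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"
"""


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    print("SafeBoot key present:", safeboot_root_present(parsed))
    for name, expected, actual in missing_from_baseline(parsed):
        print("missing or wrong: %s (expected %r, got %r)" % (name, expected, actual))
```

An empty report against the export posted later in this thread means every baseline entry came back from the restore point; anything listed is what to check before trying Safe Mode again.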

Posts: 17

I can start in Safe Mode now. Here are 3 logs

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\iendaowv

*******************

Script file located at: \??\C:\Documents and Settings\fplicugw.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Folder C:\Documents and Settings\Keld Sørensen\Application Data\hidn not found!
Deletion of folder C:\Documents and Settings\Keld Sørensen\Application Data\hidn failed!

Could not process line:
C:\Documents and Settings\Keld Sørensen\Application Data\hidn
Status: 0xc0000034

Driver m_hook unloaded successfully.


Could not delete registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|drv_st_key
Deletion of registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|drv_st_key failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished!  Terminate.


Backups found:
2007-02-19 21:45:52   4894720 "C:\System Volume Information\_restore{D103D39C-116F-414D-8D1D-A1BED2258811}\RP119\snapshot\_REGISTRY_MACHINE_SYSTEM"
2007-02-19 20:06:14   4894720 "C:\System Volume Information\_restore{D103D39C-116F-414D-8D1D-A1BED2258811}\RP118\snapshot\_REGISTRY_MACHINE_SYSTEM"
2007-02-19 19:31:48   4894720 "C:\System Volume Information\_restore{D103D39C-116F-414D-8D1D-A1BED2258811}\RP117\snapshot\_REGISTRY_MACHINE_SYSTEM"
2007-02-18 18:18:26   4894720 "C:\System Volume Information\_restore{D103D39C-116F-414D-8D1D-A1BED2258811}\RP116\snapshot\_REGISTRY_MACHINE_SYSTEM"
2007-02-18 16:58:00   4894720 "C:\System Volume Information\_restore{D103D39C-116F-414D-8D1D-A1BED2258811}\RP115\snapshot\_REGISTRY_MACHINE_SYSTEM"
2007-02-18 13:01:46   4894720 "C:\System Volume Information\_restore{D103D39C-116F-414D-8D1D-A1BED2258811}\RP114\snapshot\_REGISTRY_MACHINE_SYSTEM"
2007-02-17 22:06:38   4894720 "C:\System Volume Information\_restore{D103D39C-116F-414D-8D1D-A1BED2258811}\RP113\snapshot\_REGISTRY_MACHINE_SYSTEM"
2007-02-16 19:06:12   4878336 "C:\System Volume Information\_restore{D103D39C-116F-414D-8D1D-A1BED2258811}\RP112\snapshot\_REGISTRY_MACHINE_SYSTEM"
2007-02-15 19:35:56   4878336 "C:\System Volume Information\_restore{D103D39C-116F-414D-8D1D-A1BED2258811}\RP111\snapshot\_REGISTRY_MACHINE_SYSTEM"
2007-02-15 18:38:56   4878336 "C:\System Volume Information\_restore{D103D39C-116F-414D-8D1D-A1BED2258811}\RP110\snapshot\_REGISTRY_MACHINE_SYSTEM"
2007-02-15 18:38:46   4878336 "C:\System Volume Information\_restore{D103D39C-116F-414D-8D1D-A1BED2258811}\RP109\snapshot\_REGISTRY_MACHINE_SYSTEM"
2007-02-15 18:03:38   4878336 "C:\System Volume Information\_restore{D103D39C-116F-414D-8D1D-A1BED2258811}\RP108\snapshot\_REGISTRY_MACHINE_SYSTEM"
2007-02-15 18:02:34   4878336 "C:\System Volume Information\_restore{D103D39C-116F-414D-8D1D-A1BED2258811}\RP107\snapshot\_REGISTRY_MACHINE_SYSTEM"
2007-02-15 18:02:10   4878336 "C:\System Volume Information\_restore{D103D39C-116F-414D-8D1D-A1BED2258811}\RP106\snapshot\_REGISTRY_MACHINE_SYSTEM"
2007-02-15 18:01:48   4878336 "C:\System Volume Information\_restore{D103D39C-116F-414D-8D1D-A1BED2258811}\RP105\snapshot\_REGISTRY_MACHINE_SYSTEM"
2007-02-15 18:01:38   4878336 "C:\System Volume Information\_restore{D103D39C-116F-414D-8D1D-A1BED2258811}\RP104\snapshot\_REGISTRY_MACHINE_SYSTEM"
2007-02-15 18:01:16   4878336 "C:\System Volume Information\_restore{D103D39C-116F-414D-8D1D-A1BED2258811}\RP103\snapshot\_REGISTRY_MACHINE_SYSTEM"
2007-02-15 17:59:16   4878336 "C:\System Volume Information\_restore{D103D39C-116F-414D-8D1D-A1BED2258811}\RP102\snapshot\_REGISTRY_MACHINE_SYSTEM"
2007-02-15 17:50:58   4878336 "C:\System Volume Information\_restore{D103D39C-116F-414D-8D1D-A1BED2258811}\RP101\snapshot\_REGISTRY_MACHINE_SYSTEM"
2007-02-15 17:50:52   4878336 "C:\System Volume Information\_restore{D103D39C-116F-414D-8D1D-A1BED2258811}\RP100\snapshot\_REGISTRY_MACHINE_SYSTEM"
2007-02-14 20:01:18   4878336 "C:\System Volume Information\_restore{D103D39C-116F-414D-8D1D-A1BED2258811}\RP99\snapshot\_REGISTRY_MACHINE_SYSTEM"
2007-01-07 14:19:38   1101824 "C:\WINDOWS\repair\system"

Backup used: -
C:\System Volume Information\_restore{D103D39C-116F-414D-8D1D-A1BED2258811}\RP114\snapshot\_REGISTRY_MACHINE_SYSTEM

Reg export of SafeBoot key after repair:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DnsCache]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SharedAccess]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WZCSVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"


Logfile of HijackThis v1.99.1
Scan saved at 01:28:06, on 20-02-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
D:\Installeret\Power Cinema\Kernel\TV\CLCapSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\Installeret\Power Cinema\Kernel\TV\CLSched.exe
C:\WINDOWS\CTHELPER.EXE
C:\Programmer\Creative\Surround Mixer\CTSysVol.exe
C:\Programmer\Creative\DVDAudio\CTDVDDET.EXE
C:\Programmer\Lexmark X1100 Series\lxbkbmgr.exe
C:\Programmer\Java\jre1.5.0_11\bin\jusched.exe
C:\Programmer\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Installeret\HP\HP Software Update\HPWuSchd2.exe
C:\Programmer\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\CaptureWiz\Pro\CaptureWiz.exe
C:\Documents and Settings\Keld Sørensen\Skrivebord\System værktøjer\alternativ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/webhp?sourceid=navclient&ie=UTF-8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Programmer\Creative\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDET] C:\Programmer\Creative\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmer\Fælles filer\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Programmer\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] D:\Installeret\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Programmer\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - Startup: CaptureWiz.lnk = C:\Programmer\CaptureWiz\Pro\CaptureWiz.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://D:\INSTAL~1\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\INSTAL~1\OFFICE~1\OFFICE12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Xstream Radio - {7A0815F1-6B65-4e3a-B198-709807B4042A} - C:\Programmer\XstreamRadio 3.02\RadioHelper.dll
O9 - Extra 'Tools' menuitem: Xstream Radio - {7A0815F1-6B65-4e3a-B198-709807B4042A} - C:\Programmer\XstreamRadio 3.02\RadioHelper.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\INSTAL~1\OFFICE~1\OFFICE12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168195788671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168195777937
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programmer\Fælles filer\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programmer\Fælles filer\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - D:\Installeret\Power Cinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - D:\Installeret\Power Cinema\Kernel\TV\CLSched.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - D:\Installeret\Nero.v7.0.Ultra.Edition\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Programmer\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Programmer\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe

Best regards, Keld Gartner

 

Ejvindh
Editor
Posts: 6048

That looks good. I think we got it on the first try. But just a little more cleanup:

—Download Bobbi Flekman's RegSearch from here:
http://www.bleepingcomputer.com/files/regsearch.php
Unpack the program into a folder on the desktop.

—Run Avenger again, and this time paste in the following text:

——————————————-
Files to delete:
%systemroot%\system32\re_file.exe
C:\temp.zip
C:\error.gif

registry keys to delete:
HKCU\Software\FirstRuxzx
——————————————-

—Click the traffic light in Avenger. The program will prompt you to restart the computer immediately, which you should do. The program will shut down your computer, delete the files and start the computer again.

—After the restart a Notepad window will appear with a log of Avenger's actions. Please paste it into your next reply.

—Then copy the contents between the dashed lines into a Notepad window, and save the contents on the desktop as regfix.reg. When saving, make sure that "file type" is set to "all files".
———————————————
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ndisuio]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002
———————————————
Then double-click the file you just created, and confirm that you want to add the information to the registry.

—Next, run RegSearch, which you downloaded earlier. In the top box, type the following:
FirstRu

Click OK. When the program has finished searching, a Notepad window appears. Copy the contents of that window into this thread.

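As an added example (not part of the thread, and not one of Ejvindh's tools): a small Python audit that parses a .reg export of the Services keys, reports which of the four services differ from the start types the regfix.reg above sets, and emits a REGEDIT4 fragment restoring only those. The export text is constructed here to imitate a tampered machine; the start-type values are the ones from the fix.

```python
"""Audit service start types in a .reg export against the baseline regfix.reg applies.

Added example for this thread; the export below is constructed, not the poster's machine.
"""
import re
from typing import Dict, Optional, Tuple

# Windows service Start values (SERVICE_BOOT_START .. SERVICE_DISABLED).
START_NAMES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

# Baseline taken from the regfix.reg in the thread: service name -> expected Start.
BASELINE = {
    "SharedAccess": 2,  # Windows Firewall / ICS back to Automatic
    "Alerter": 4,       # Alerter stays Disabled
    "Ndisuio": 3,       # NDIS user-mode I/O on Manual
    "wuauserv": 2,      # Automatic Updates back to Automatic
}

SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def parse_reg(text: str) -> Dict[str, Dict[str, int]]:
    """Parse the dword values of a REGEDIT4 / 'Windows Registry Editor 5.00' export.

    Returns {key path: {value name: int}}. String values and ';' comments are
    skipped because only the Start dwords matter for this audit.
    """
    keys: Dict[str, Dict[str, int]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("REGEDIT4") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def service_start(reg: Dict[str, Dict[str, int]], service: str) -> Optional[int]:
    """Start value of a service, or None if the key or value is absent from the export."""
    return reg.get(SERVICES_PREFIX + service, {}).get("Start")


def audit(reg: Dict[str, Dict[str, int]],
          baseline: Dict[str, int] = BASELINE) -> Dict[str, Tuple[Optional[int], int]]:
    """Services whose Start differs from the baseline: {service: (actual, expected)}."""
    drift: Dict[str, Tuple[Optional[int], int]] = {}
    for service, expected in baseline.items():
        actual = service_start(reg, service)
        if actual != expected:
            drift[service] = (actual, expected)
    return drift


def build_regfix(drift: Dict[str, Tuple[Optional[int], int]]) -> str:
    """REGEDIT4 text, same shape as the thread's regfix.reg, restoring only drifted services."""
    lines = ["REGEDIT4", ""]
    for service, (_actual, expected) in drift.items():
        lines.append(f"[{SERVICES_PREFIX}{service}]")
        lines.append(f'"Start"=dword:{expected:08x}')
        lines.append("")
    return "\n".join(lines)


# Constructed export imitating a tampered machine: firewall and Automatic Updates
# disabled, Alerter switched on; Ndisuio is left at the expected value.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess]
"Start"=dword:00000004
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Alerter]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Ndisuio]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\wuauserv]
"Start"=dword:00000004
"""

if __name__ == "__main__":
    found = audit(parse_reg(SAMPLE_EXPORT))
    for service, (actual, expected) in found.items():
        print(f"{service}: Start={START_NAMES.get(actual, actual)}, expected {START_NAMES[expected]}")
    print(build_regfix(found))
```
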
Posts: 17

Here are the logs from Avenger and RegSearch


//////////////////////////////////////////
  Avenger Pre-Processor log
//////////////////////////////////////////

Syntax error in line -- does not appear to be a valid registry path.  Line will be ignored.
Error code: 0
Line: HKCU\Software\FirstRuxzx


Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.2.0

; Results at 20-02-2007 16:47:09 for strings:
;  'firstru'
; Strings excluded from search:
;  (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Hewlett-Packard\Image Zone Express]
"FirstRun"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\12.0\Publisher\FirstRun]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\12.0\Publisher\FirstRun]
"FirstRun"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"CreateFirstRunRp"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr\Parameters]
"FirstRun"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sr\Parameters]
"FirstRun"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Parameters]
"FirstRun"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences]
"FirstRun"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\General]
"FirstRun"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook]
"FirstRunDialog"="False"

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Options]
"FirstRun"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\General]
"FirstRun"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Options]
"FirstRun"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Security Center]
"FirstRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4]
"FirstRun"=dword:00000001

; End Of The Log…

Is it possible that my exe file for AVG Anti-Virus has been damaged, or does it have to do with what we have fixed?

Thanks for now, Keld Gartner

Posts: 17

I still have the same problems with AVG Anti-Virus and Anti-Spyware; during installation of the antivirus I get the following message

Local machine: installation failed
  Installation:
      Error: Action failed for file avgamsvr.exe: creating file….
        No such file or directory
I may soon have to do the ugly thing (format C:)

Regards, Keld Gartner

Ejvindh
Editor
Posts: 6048

That could well suggest that we need to run a couple of extra checks before we call your computer clean. But first try downloading a fresh installation file, and see whether that solves your problem. If it doesn't, then try the following:

(1) First, make a new log with rootchk and post it here.

(2) Download the GMER rootkit scanner, and unpack it to the desktop:
http://www.young-andersen.dk/gamer/gamer.zip
Start by renaming the program gmer.exe (e.g. to abc.exe). Run the program, click the "Rootkit" tab, and click "Scan". While it is scanning, it is important that you do not use the computer for other things. When the scan is finished, click "Copy". A window then appears telling you that the result of the rootkit scan has been placed on the clipboard. You can then go into this thread and paste the contents here by placing the cursor in the input field and pressing Ctrl-V.

(3) Download Rootkit Unhooker from here:
http://rku.xell.ru/?l=e&a=dl
Install the program. Then run RKU. Click Setup - "Extended mode". You will then be asked to restart, which you should do. Then run Rootkit Unhooker again, click the "Report" tab, and click the "Scan" button. Let the program finish scanning, click "File - Save Report", and save the report somewhere you can find it again. Post the contents of this report here.

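As an added example (not from the thread, and not part of GMER): a Python triage of the SSDT section in the text GMER copies to the clipboard, grouping hooks by the module that installed them and flagging modules loaded from a user profile or hooking the full set of file, registry and process enumeration calls at once. The report lines are constructed to mimic GMER's format with <user> as a placeholder, and the two flagging criteria are heuristics chosen here.

```python
"""Triage the SSDT section of a GMER rootkit-scan report (what "Copy" puts on the clipboard).

Added example for this thread; the report below is constructed, not the poster's scan.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Native calls a hiding rootkit hooks together: file listings, registry key and
# value listings, and process/module listings. Hooking all four at once is the
# classic hiding signature.
HIDING_APIS = {
    "ZwQueryDirectoryFile",
    "ZwEnumerateKey",
    "ZwEnumerateValueKey",
    "ZwQuerySystemInformation",
}

# Heuristic chosen here: a kernel module loaded from a user profile or a temp
# directory is not a normal driver location.
USER_PROFILE_RE = re.compile(r"\\Documents and Settings\\|\\Users\\|\\Temp\\", re.IGNORECASE)

# One SSDT line: "SSDT   <module>   <ZwFunction>" with arbitrary padding between columns.
SSDT_RE = re.compile(r"^SSDT\s+(.+?)\s+(Zw\w+)$")


def parse_ssdt(report: str) -> Dict[str, Set[str]]:
    """Map each hooking module to the set of SSDT entries it has hooked."""
    hooks: Dict[str, Set[str]] = defaultdict(set)
    for line in report.splitlines():
        m = SSDT_RE.match(line.strip())
        if m:
            module, func = m.groups()
            hooks[module].add(func)
    return dict(hooks)


def suspicious_modules(hooks: Dict[str, Set[str]]) -> List[str]:
    """Modules to investigate: user-profile paths, or the whole hiding set hooked."""
    flagged = [
        module for module, funcs in hooks.items()
        if USER_PROFILE_RE.search(module) or HIDING_APIS <= funcs
    ]
    return sorted(flagged)


def summarize(hooks: Dict[str, Set[str]]) -> List[Tuple[str, int, bool]]:
    """(module, hook count, flagged) rows, busiest modules first."""
    flagged = set(suspicious_modules(hooks))
    rows = [(module, len(funcs), module in flagged) for module, funcs in hooks.items()]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


# Constructed report in GMER's layout; <user> stands in for a profile name.
SAMPLE_REPORT = r"""GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-02-22 18:10:44
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.12 ----

SSDT   \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys                              ZwAllocateVirtualMemory
SSDT   Vax347b.sys                                                               ZwClose
SSDT   \??\C:\Documents and Settings\<user>\Application Data\hidires\m_hook.sys   ZwCreateFile
SSDT   \??\C:\Documents and Settings\<user>\Application Data\hidires\m_hook.sys   ZwEnumerateKey
SSDT   \??\C:\Documents and Settings\<user>\Application Data\hidires\m_hook.sys   ZwEnumerateValueKey
SSDT   \??\C:\Documents and Settings\<user>\Application Data\hidires\m_hook.sys   ZwQueryDirectoryFile
SSDT   \??\C:\Documents and Settings\<user>\Application Data\hidires\m_hook.sys   ZwQuerySystemInformation
SSDT   \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys                              ZwCreateThread
SSDT   \??\C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.sys                  ZwOpenProcess

---- Kernel code sections - GMER 1.0.12 ----

.text   tcpip.sys!IPTransmit + 10BC   B6DC2CFA 6 Bytes CALL BAF1AE50 Teefer.sys
"""

if __name__ == "__main__":
    found = parse_ssdt(SAMPLE_REPORT)
    for module, count, flagged in summarize(found):
        mark = "  <-- investigate" if flagged else ""
        print(f"{count:2d} hook(s)  {module}{mark}")
```

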
Posts: 17

I have now carried out the 3 steps; here are the 3 logs


********************************* ROOTCHK-LOG, by ejvindh
22-02-2007 20:08:01,46

Rootkit driver m_hook is present. A rootkit scan is required.

********************************* ROOTCHK-LOG-end

GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-02-22 18:10:44
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT   \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys                                        ZwAllocateVirtualMemory
SSDT   Vax347b.sys                                                                         ZwClose
SSDT   \??\C:\Documents and Settings\Keld Sørensen\Application Data\hidires\m_hook.sys   ZwCreateFile
SSDT   Vax347b.sys                                                                         ZwCreateKey
SSDT   Vax347b.sys                                                                         ZwCreatePagingFile
SSDT   \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys                                        ZwCreateThread
SSDT   \??\C:\Documents and Settings\Keld Sørensen\Application Data\hidires\m_hook.sys   ZwEnumerateKey
SSDT   \??\C:\Documents and Settings\Keld Sørensen\Application Data\hidires\m_hook.sys   ZwEnumerateValueKey
SSDT   \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys                                        ZwMapViewOfSection
SSDT   Vax347b.sys                                                                         ZwOpenKey
SSDT   \??\C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.sys                            ZwOpenProcess
SSDT   \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys                                        ZwProtectVirtualMemory
SSDT   \??\C:\Documents and Settings\Keld Sørensen\Application Data\hidires\m_hook.sys   ZwQueryDirectoryFile
SSDT   \??\C:\Documents and Settings\Keld Sørensen\Application Data\hidires\m_hook.sys   ZwQueryKey
SSDT   \??\C:\Documents and Settings\Keld Sørensen\Application Data\hidires\m_hook.sys   ZwQuerySystemInformation
SSDT   Vax347b.sys                                                                         ZwQueryValueKey
SSDT   Vax347b.sys                                                                         ZwSetSystemPowerState
SSDT   sptd.sys                                                                            ZwSetValueKey
SSDT   \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys                                        ZwShutdownSystem
SSDT   \??\C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.sys                            ZwTerminateProcess
SSDT   \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys                                        ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.12 ----

.text   USBPORT.SYS!DllUnload           B99E462C 5 Bytes JMP 8980A720
.text   tcpip.sys!IPTransmit + 10BC     B6DC2CFA 6 Bytes CALL BAF1AE50 Teefer.sys
.text   tcpip.sys!IPTransmit + 2810     B6DC444E 6 Bytes CALL BAF1AE50 Teefer.sys
.text   tcpip.sys!ARPRcv + 506D         B6DC94E0 6 Bytes CALL BAF1AE50 Teefer.sys
.text   wanarp.sys                      F74873FD 7 Bytes CALL BAF1AFA0 Teefer.sys

---- User code sections - GMER 1.0.12 ----

.text   C:\Programmer\Internet Explorer\iexplore.exe[648] USER32.dll!DialogBoxParamW           77D4662C 5 Bytes JMP 7E1FF205 C:\WINDOWS\system32\IEFRAME.dll
.text   C:\Programmer\Internet Explorer\iexplore.exe[648] USER32.dll!DialogBoxIndirectParamW   77D52043 5 Bytes JMP 7E38FEBF C:\WINDOWS\system32\IEFRAME.dll
.text   C:\Programmer\Internet Explorer\iexplore.exe[648] USER32.dll!MessageBoxIndirectA       77D5A05A 5 Bytes JMP 7E38FE40 C:\WINDOWS\system32\IEFRAME.dll
.text   C:\Programmer\Internet Explorer\iexplore.exe[648] USER32.dll!DialogBoxParamA           77D5B11C 5 Bytes JMP 7E38FE84 C:\WINDOWS\system32\IEFRAME.dll
.text   C:\Programmer\Internet Explorer\iexplore.exe[648] USER32.dll!MessageBoxExW             77D70538 5 Bytes JMP 7E38FDCC C:\WINDOWS\system32\IEFRAME.dll
.text   C:\Programmer\Internet Explorer\iexplore.exe[648] USER32.dll!MessageBoxExA             77D7055C 5 Bytes JMP 7E38FE06 C:\WINDOWS\system32\IEFRAME.dll
.text   C:\Programmer\Internet Explorer\iexplore.exe[648] USER32.dll!DialogBoxIndirectParamA   77D76CAD 5 Bytes JMP 7E38FEFA C:\WINDOWS\system32\IEFRAME.dll
.text   C:\Programmer\Internet Explorer\iexplore.exe[648] USER32.dll!MessageBoxIndirectW       77D86093 5 Bytes JMP 7E2215DA C:\WINDOWS\system32\IEFRAME.dll

---- Devices - GMER 1.0.12 ----

Device   \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE   89B981D8
Device   \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE    89B981D8
Device   \FileSystem\Ntfs \Ntfs IRP_MJ_READ     89B981D8
Device   \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE    89B981D8
Device   \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION                                                                                                                                                                                   89B981D8
Device   \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION                                                                                                                                                                                     89B981D8
Device   \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA                                                                                                                                                                                         89B981D8
Device   \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA                                                                                                                                                                                           89B981D8
Device   \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS                                                                                                                                                                                     89B981D8
Device   \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION                                                                                                                                                                               89B981D8
Device   \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION                                                                                                                                                                               89B981D8
Device   \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL                                                                                                                                                                                   89B981D8
Device   \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL                                                                                                                                                                                 89B981D8
Device   \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL                                                                                                                                                                                     89B981D8
Device   \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN                                                                                                                                                                                         89B981D8
Device   \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL                                                                                                                                                                                       89B981D8
Device   \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP                                                                                                                                                                                         89B981D8
Device   \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY                                                                                                                                                                                     89B981D8
Device   \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY                                                                                                                                                                                       89B981D8
Device   \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA                                                                                                                                                                                       89B981D8
Device   \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA                                                                                                                                                                                         89B981D8
Device   \FileSystem\Ntfs \Ntfs IRP_MJ_PNP                                                                                                                                                                                             89B981D8
Device   \Driver\usbstor \Device\0000008f IRP_MJ_CREATE                                                                                                                                                                                   880BA980
Device   \Driver\usbstor \Device\0000008f IRP_MJ_CLOSE                                                                                                                                                                                     880BA980
Device   \Driver\usbstor \Device\0000008f IRP_MJ_READ                                                                                                                                                                                     880BA980
Device   \Driver\usbstor \Device\0000008f IRP_MJ_WRITE                                                                                                                                                                                     880BA980
Device   \Driver\usbstor \Device\0000008f IRP_MJ_DEVICE_CONTROL                                                                                                                                                                               880BA980
Device   \Driver\usbstor \Device\0000008f IRP_MJ_INTERNAL_DEVICE_CONTROL                                                                                                                                                                         880BA980
Device   \Driver\usbstor \Device\0000008f IRP_MJ_POWER                                                                                                                                                                                     880BA980
Device   \Driver\usbstor \Device\0000008f IRP_MJ_SYSTEM_CONTROL                                                                                                                                                                               880BA980
Device   \Driver\usbstor \Device\0000008f IRP_MJ_PNP                                                                                                                                                                                     880BA980
Device   \Driver\Tcpip \Device\Ip IRP_MJ_CREATE                                                                                                                                                                                         [F7473220] wpsdrvnt.sys
Device   \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE                                                                                                                                                                                         [F7473480] wpsdrvnt.sys
Device   \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL                                                                                                                                                                                   [F74735A0] wpsdrvnt.sys
Device   \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL                                                                                                                                                                             [F74735D0] wpsdrvnt.sys
Device   \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CREATE                                                                                                                                                                                   898091D8
Device   \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CLOSE                                                                                                                                                                                     898091D8
Device   \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_DEVICE_CONTROL                                                                                                                                                                               898091D8
Device   \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL                                                                                                                                                                         898091D8
Device   \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_POWER                                                                                                                                                                                     898091D8
Device   \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_SYSTEM_CONTROL                                                                                                                                                                               898091D8
Device   \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_PNP                                                                                                                                                                                     898091D8
Device   \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CREATE                                                                                                                                                                             89B9A1D8
Device   \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CLOSE                                                                                                                                                                               89B9A1D8
Device   \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_READ                                                                                                                                                                               89B9A1D8
Device   \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_WRITE                                                                                                                                                                               89B9A1D8
Device   \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_FLUSH_BUFFERS                                                                                                                                                                         89B9A1D8
Device   \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_DEVICE_CONTROL                                                                                                                                                                         89B9A1D8
Device   \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_INTERNAL_DEVICE_CONTROL                                                                                                                                                                   89B9A1D8
Device   \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SHUTDOWN                                                                                                                                                                             89B9A1D8
Device   \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_POWER                                                                                                                                                                               89B9A1D8
Device   \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SYSTEM_CONTROL                                                                                                                                                                         89B9A1D8
Device   \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_PNP                                                                            

RkUnhooker report generator v0.5c
==============================================
Rootkit Unhooker kernel version: 3.20.130.388
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================
>SSDT State

NtAllocateVirtualMemory Actual Address 0xF7444B30 Hooked by: C:\WINDOWS\system32\drivers\wpsdrvnt.sys

NtClose Actual Address 0xF74CDC58 Hooked by: Vax347b.sys

NtCreateFile Actual Address 0xB49EE986 Hooked by: C:\Documents and Settings\Keld Sørensen\Application Data\hidires\m_hook.sys

NtCreateKey Actual Address 0xF74CDC10 Hooked by: Vax347b.sys

NtCreatePagingFile Actual Address 0xF74C1C70 Hooked by: Vax347b.sys

NtCreateThread Actual Address 0xF74446F0 Hooked by: C:\WINDOWS\system32\drivers\wpsdrvnt.sys

NtEnumerateKey Actual Address 0xB49EECCA Hooked by: C:\Documents and Settings\Keld Sørensen\Application Data\hidires\m_hook.sys

NtEnumerateValueKey Actual Address 0xB49EEA16 Hooked by: C:\Documents and Settings\Keld Sørensen\Application Data\hidires\m_hook.sys

NtMapViewOfSection Actual Address 0xF7444470 Hooked by: C:\WINDOWS\system32\drivers\wpsdrvnt.sys

NtOpenKey Actual Address 0xF74CDBD4 Hooked by: Vax347b.sys

NtOpenProcess Actual Address 0xBADB88AC Hooked by: C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.sys

NtProtectVirtualMemory Actual Address 0xF7444C50 Hooked by: C:\WINDOWS\system32\drivers\wpsdrvnt.sys

NtQueryDirectoryFile Actual Address 0xB49EEF6A Hooked by: C:\Documents and Settings\Keld Sørensen\Application Data\hidires\m_hook.sys

NtQueryKey Actual Address 0xB49EF338 Hooked by: C:\Documents and Settings\Keld Sørensen\Application Data\hidires\m_hook.sys

NtQuerySystemInformation Actual Address 0xB49EF110 Hooked by: C:\Documents and Settings\Keld Sørensen\Application Data\hidires\m_hook.sys

NtQueryValueKey Actual Address 0xF74CDCA6 Hooked by: Vax347b.sys

NtSetSystemPowerState Actual Address 0xF74CD4F0 Hooked by: Vax347b.sys

NtSetValueKey Actual Address 0xF7505D56 Hooked by: sptd.sys

NtShutdownSystem Actual Address 0xF7444990 Hooked by: C:\WINDOWS\system32\drivers\wpsdrvnt.sys

NtTerminateProcess Actual Address 0xBADB8812 Hooked by: C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.sys

NtWriteVirtualMemory Actual Address 0xF7444D60 Hooked by: C:\WINDOWS\system32\drivers\wpsdrvnt.sys
==============================================
>Processes
Process: System Process Id: 4 EPROCESS Address: 0x89BFD660
Process: C:\WINDOWS\explorer.exe Process Id: 200 EPROCESS Address: 0x87F5B3D8
Process: C:\Programmer\Creative\MediaSource\Detector\CTDetect.exe Process Id: 320 EPROCESS Address: 0x87F03DA0
Process: C:\WINDOWS\system32\ctfmon.exe Process Id: 404 EPROCESS Address: 0x87EA9B88
Process: C:\Programmer\Messenger\msmsgs.exe Process Id: 504 EPROCESS Address: 0x87ED39E0
Process: D:\Installeret\Power Cinema\Kernel\TV\CLSched.exe Process Id: 528 EPROCESS Address: 0x88029D70
Process: C:\WINDOWS\system32\smss.exe Process Id: 712 EPROCESS Address: 0x8965BA78
Process: C:\Programmer\CaptureWiz\Pro\CaptureWiz.exe Process Id: 720 EPROCESS Address: 0x87E96790
Process: C:\WINDOWS\system32\csrss.exe Process Id: 776 EPROCESS Address: 0x89878C28
Process: C:\WINDOWS\system32\winlogon.exe Process Id: 808 EPROCESS Address: 0x89651228
Process: C:\WINDOWS\system32\services.exe Process Id: 852 EPROCESS Address: 0x89848980
Process: C:\WINDOWS\system32\lsass.exe Process Id: 864 EPROCESS Address: 0x8956CC10
Process: C:\WINDOWS\system32\hldrrr.exe Process Id: 908 EPROCESS Address: 0x87E9E790
Process: C:\WINDOWS\system32\svchost.exe Process Id: 1032 EPROCESS Address: 0x896956A8
Process: C:\WINDOWS\system32\svchost.exe Process Id: 1100 EPROCESS Address: 0x89872030
Process: C:\WINDOWS\system32\svchost.exe Process Id: 1196 EPROCESS Address: 0x88035DA0
Process: C:\WINDOWS\CTHELPER.EXE Process Id: 1220 EPROCESS Address: 0x87F1A790
Process: C:\Programmer\Creative\Surround Mixer\CTSysVol.exe Process Id: 1236 EPROCESS Address: 0x87F13790
Process: C:\WINDOWS\system32\svchost.exe Process Id: 1256 EPROCESS Address: 0x8800B458
Process: C:\Programmer\Creative\DVDAudio\CTDVDDET.exe Process Id: 1268 EPROCESS Address: 0x87F0F790
Process: C:\Programmer\Lexmark X1100 Series\lxbkbmgr.exe Process Id: 1292 EPROCESS Address: 0x87F06790
Process: C:\Programmer\Java\jre1.5.0_11\bin\jusched.exe Process Id: 1308 EPROCESS Address: 0x87EFE790
Process: C:\Programmer\Lexmark X1100 Series\lxbkbmon.exe Process Id: 1336 EPROCESS Address: 0x87F17B88
Process: C:\WINDOWS\system32\rundll32.exe Process Id: 1348 EPROCESS Address: 0x87EF2790
Process: C:\WINDOWS\system32\svchost.exe Process Id: 1352 EPROCESS Address: 0x87FFA6E8
Process: C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe Process Id: 1408 EPROCESS Address: 0x87EF4A58
Process: C:\WINDOWS\system32\LEXBCES.EXE Process Id: 1500 EPROCESS Address: 0x8997AD18
Process: C:\WINDOWS\system32\spoolsv.exe Process Id: 1532 EPROCESS Address: 0x89585B08
Process: C:\WINDOWS\system32\LEXPPS.EXE Process Id: 1540 EPROCESS Address: 0x8969EDA0
Process: D:\Installeret\HP\HP Software Update\hpwuSchd2.exe Process Id: 1652 EPROCESS Address: 0x87F05DA0
Process: C:\WINDOWS\system32\cisvc.exe Process Id: 1712 EPROCESS Address: 0x890AA030
Process: D:\Installeret\Power Cinema\Kernel\TV\CLCapSvc.exe Process Id: 1724 EPROCESS Address: 0x89568808
Process: C:\WINDOWS\system32\CTSVCCDA.EXE Process Id: 1736 EPROCESS Address: 0x896B5DA0
Process: C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe Process Id: 1756 EPROCESS Address: 0x89648DA0
Process: C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLService.exe Process Id: 1776 EPROCESS Address: 0x89649528
Process: C:\WINDOWS\system32\nvsvc32.exe Process Id: 1812 EPROCESS Address: 0x896A52D0
Process: C:\WINDOWS\system32\HPZipm12.exe Process Id: 1824 EPROCESS Address: 0x88026790
Process: C:\WINDOWS\system32\svchost.exe Process Id: 1916 EPROCESS Address: 0x89066B18
Process: C:\WINDOWS\system32\notepad.exe Process Id: 3472 EPROCESS Address: 0x87F0CB18

!!!!!!!!!!!Hidden process: C:\WINDOWS\system32\wintems.exe Process Id: 564 EPROCESS Address: 0x87EA79C0


!!!!!!!!!!!Hidden process: C:\WINDOWS\system32\hldrrr.exe Process Id: 1840 EPROCESS Address: 0x87F063E0

Process: C:\RkUnhooker\2b55t1j6Y4Boy7t.exe Process Id: 3448 EPROCESS Address: 0x87E4B030
==============================================
>Drivers
Driver: nv4_disp.dll Address: 0xBF9D4000 Size: 4530176 bytes
Driver: nv4_mini.sys Address: 0xB9C65000 Size: 3997696 bytes
Driver: ntoskrnl.exe Address: 0x804D7000 Size: 2256896 bytes
Driver: PnpManager Address: 0x804D7000 Size: 2256896 bytes
Driver: RAW Address: 0x804D7000 Size: 2256896 bytes
Driver: WMIxWDM Address: 0x804D7000 Size: 2256896 bytes
Driver: Win32k Address: 0xBF800000 Size: 1843200 bytes
Driver: win32k.sys Address: 0xBF800000 Size: 1843200 bytes
Driver: ha10kx2k.sys Address: 0xB71CE000 Size: 1052672 bytes
Driver: 00000124 Address: 0xF74FF000 Size: 880640 bytes
Driver: sptd.sys Address: 0xF74FF000 Size: 880640 bytes
Driver: ctac32k.sys Address: 0xB70DE000 Size: 638976 bytes
Driver: Ntfs.sys Address: 0xBAF5C000 Size: 577536 bytes
Driver: mrxsmb.sys Address: 0xB6AAF000 Size: 454656 bytes
Driver: ctaud2k.sys Address: 0xB9BC2000 Size: 442368 bytes
Driver: tcpip.sys Address: 0xB6BBB000 Size: 360448 bytes
Driver: srv.sys Address: 0xB508B000 Size: 335872 bytes
Driver: HTTP.sys Address: 0xB4C9F000 Size: 266240 bytes
Driver: update.sys Address: 0xB9A58000 Size: 212992 bytes
Driver: ctoss2k.sys Address: 0xB9B49000 Size: 204800 bytes
Driver: rdpdr.sys Address: 0xB9A8C000 Size: 200704 bytes
Driver: ACPI.sys Address: 0xF7492000 Size: 188416 bytes
Driver: emupia2k.sys Address: 0xB71A1000 Size: 184320 bytes
Driver: mrxdav.sys Address: 0xB5231000 Size: 184320 bytes
Driver: NDIS.sys Address: 0xBAF2F000 Size: 184320 bytes
Driver: rdbss.sys Address: 0xB6B1E000 Size: 176128 bytes
Driver: hap16v2k.sys Address: 0xB72CF000 Size: 172032 bytes
Driver: netbt.sys Address: 0xB6B6B000 Size: 163840 bytes
Driver: ctsfm2k.sys Address: 0xB717A000 Size: 159744 bytes
Driver: Vax347b.sys Address: 0xF74C0000 Size: 159744 bytes
Driver: dmio.sys Address: 0xF7831000 Size: 155648 bytes
Driver: portcls.sys Address: 0xB9B9E000 Size: 147456 bytes
Driver: ks.sys Address: 0xB9B7B000 Size: 143360 bytes
Driver: USBPORT.SYS Address: 0xB9C2E000 Size: 143360 bytes
Driver: afd.sys Address: 0xB6B49000 Size: 139264 bytes
Driver: ACPI_HAL Address: 0x806FE000 Size: 134400 bytes
Driver: hal.dll Address: 0x806FE000 Size: 134400 bytes
Driver: fltMgr.sys Address: 0xF794F000 Size: 131072 bytes
Driver: ftdisk.sys Address: 0xF7857000 Size: 126976 bytes
Driver: Teefer.sys Address: 0xBAF12000 Size: 118784 bytes
Driver: Mup.sys Address: 0xBAEF7000 Size: 110592 bytes
Driver:        Address: 0xF796F000 Size: 98304 bytes
Driver: dump_atapi.sys Address: 0xB6A1F000 Size: 98304 bytes
Driver: SCSIPORT.SYS Address: 0xF74E7000 Size: 98304 bytes
Driver: KSecDD.sys Address: 0xBAFE9000 Size: 94208 bytes
Driver: ndiswan.sys Address: 0xB9B1E000 Size: 94208 bytes
Driver: wdmaud.sys Address: 0xB4FAE000 Size: 86016 bytes
Driver: parport.sys Address: 0xB9B35000 Size: 81920 bytes
Driver: VIDEOPRT.SYS Address: 0xB9C51000 Size: 81920 bytes
Driver: ipsec.sys Address: 0xB6C13000 Size: 77824 bytes
Driver: dxg.sys Address: 0xBF9C2000 Size: 73728 bytes
Driver: sr.sys Address: 0xF7A3D000 Size: 73728 bytes
Driver: m_hook.sys Address: 0xB49E6000 Size: 69632 bytes
Driver: pci.sys Address: 0xF7876000 Size: 69632 bytes
Driver: psched.sys Address: 0xB9B0D000 Size: 69632 bytes
Driver: Cdfs.SYS Address: 0xBA075000 Size: 65536 bytes
Driver: nic1394.sys Address: 0xBAE67000 Size: 65536 bytes
Driver: serial.sys Address: 0xF76A7000 Size: 65536 bytes
Driver: arp1394.sys Address: 0xF7432000 Size: 61440 bytes
Driver: drmk.sys Address: 0xBAE57000 Size: 61440 bytes
Driver: ohci1394.sys Address: 0xF7607000 Size: 61440 bytes
Driver: redbook.sys Address: 0xF76E7000 Size: 61440 bytes
Driver: sysaudio.sys Address: 0xB51AD000 Size: 61440 bytes
Driver: usbhub.sys Address: 0xBA045000 Size: 61440 bytes
Driver: VolSnap.sys Address: 0xF7637000 Size: 57344 bytes
Driver: 1394BUS.SYS Address: 0xF7617000 Size: 53248 bytes
Driver: cdrom.sys Address: 0xF76D7000 Size: 53248 bytes
Driver: CLASSPNP.SYS Address: 0xF7657000 Size: 53248 bytes
Driver: HPZid412.sys Address: 0xBAEB7000 Size: 53248 bytes
Driver: i8042prt.sys Address: 0xF76B7000 Size: 53248 bytes
Driver: rasl2tp.sys Address: 0xF76F7000 Size: 53248 bytes
Driver: pcouffin.sys Address: 0xBA095000 Size: 49152 bytes
Driver: raspptp.sys Address: 0xBA0B5000 Size: 49152 bytes
Driver: agp440.sys Address: 0xF7677000 Size: 45056 bytes
Driver: getnd5b.sys Address: 0xBAE77000 Size: 45056 bytes
Driver: imapi.sys Address: 0xF76C7000 Size: 45056 bytes
Driver: MountMgr.sys Address: 0xF7627000 Size: 45056 bytes
Driver: raspppoe.sys Address: 0xBA0C5000 Size: 45056 bytes
Driver: intelppm.sys Address: 0xBAE87000 Size: 40960 bytes
Driver: NDProxy.SYS Address: 0xBA065000 Size: 40960 bytes
Driver: termdd.sys Address: 0xBA085000 Size: 40960 bytes
Driver: disk.sys Address: 0xF7647000 Size: 36864 bytes
Driver: Fips.SYS Address: 0xF7412000 Size: 36864 bytes
Driver: HIDCLASS.SYS Address: 0xF7887000 Size: 36864 bytes
Driver: isapnp.sys Address: 0xF75F7000 Size: 36864 bytes
Driver: msgpc.sys Address: 0xBA0A5000 Size: 36864 bytes
Driver: netbios.sys Address: 0xF7422000 Size: 36864 bytes
Driver: PxHelp20.sys Address: 0xF7667000 Size: 36864 bytes
Driver: wanarp.sys Address: 0xF7452000 Size: 36864 bytes
Driver: wpsdrvnt.sys Address: 0xF7442000 Size: 36864 bytes
Driver: ctprxy2k.sys Address: 0xF77D7000 Size: 32768 bytes
Driver: Npfs.SYS Address: 0xF7767000 Size: 32768 bytes
Driver: usbccgp.sys Address: 0xF776F000 Size: 32768 bytes
Driver: fdc.sys Address: 0xF77DF000 Size: 28672 bytes
Driver: HIDPARSE.SYS Address: 0xF7727000 Size: 28672 bytes
Driver: kbdclass.sys Address: 0xF77E7000 Size: 28672 bytes
Driver: PCIIDEX.SYS Address: 0xF770F000 Size: 28672 bytes
Driver: usbehci.sys Address: 0xF77CF000 Size: 28672 bytes
Driver: usbprint.sys Address: 0xF777F000 Size: 28672 bytes
Driver: USBSTOR.SYS Address: 0xF778F000 Size: 28672 bytes
Driver: HPZius12.sys Address: 0xF7787000 Size: 24576 bytes
Driver: mouclass.sys Address: 0xF7807000 Size: 24576 bytes
Driver: rkhdrv31.sys Address: 0xF7707000 Size: 24576 bytes
Driver: vga.sys Address: 0xF7757000 Size: 24576 bytes
Driver: flpydisk.sys Address: 0xF7817000 Size: 20480 bytes
Driver: Msfs.SYS Address: 0xF775F000 Size: 20480 bytes
Driver: PartMgr.sys Address: 0xF7717000 Size: 20480 bytes
Driver: ptilink.sys Address: 0xF77F7000 Size: 20480 bytes
Driver: raspti.sys Address: 0xF77FF000 Size: 20480 bytes
Driver: TDI.SYS Address: 0xF77EF000 Size: 20480 bytes
Driver: usbuhci.sys Address: 0xF77C7000 Size: 20480 bytes
Driver: watchdog.sys Address: 0xF7797000 Size: 20480 bytes
Driver: ASPI32.SYS Address: 0xBADEF000 Size: 16384 bytes
Driver: HPZipr12.sys Address: 0xB9A48000 Size: 16384 bytes
Driver: kbdhid.sys Address: 0xBADEB000 Size: 16384 bytes
Driver: mssmbios.sys Address: 0xBADA9000 Size: 16384 bytes
Driver: serenum.sys Address: 0xBADD7000 Size: 16384 bytes
Driver: BOOTVID.dll Address: 0xF7897000 Size: 12288 bytes
Driver: ctgame.sys Address: 0xBADDB000 Size: 12288 bytes
Driver: Dxapi.sys Address: 0xB9A3C000 Size: 12288 bytes
Driver: hidusb.sys Address: 0xBADF3000 Size: 12288 bytes
Driver: mouhid.sys Address: 0xBADE7000 Size: 12288 bytes
Driver: ndistapi.sys Address: 0xBADCB000 Size: 12288 bytes
Driver: rasacd.sys Address: 0xBACD3000 Size: 12288 bytes
Driver: wg3n.sys Address: 0xB5536000 Size: 12288 bytes
Driver: wg4n.sys Address: 0xB552E000 Size: 12288 bytes
Driver: wg5n.sys Address: 0xB5526000 Size: 12288 bytes
Driver: wg6n.sys Address: 0xB551A000 Size: 12288 bytes
Driver: Beep.SYS Address: 0xF79A5000 Size: 8192 bytes
Driver: dmload.sys Address: 0xF798D000 Size: 8192 bytes
Driver: dump_WMILIB.SYS Address: 0xF79B3000 Size: 8192 bytes
Driver: EGATHDRV.SYS Address: 0xF79E7000 Size: 8192 bytes
Driver: Fs_Rec.SYS Address: 0xF79A3000 Size: 8192 bytes
Driver: intelide.sys Address: 0xF798B000 Size: 8192 bytes
Driver: KDCOM.DLL Address: 0xF7987000 Size: 8192 bytes
Driver: mnmdd.SYS Address: 0xF79A9000 Size: 8192 bytes
Driver: ParVdm.SYS Address: 0xF79E1000 Size: 8192 bytes
Driver: RDPCDD.sys Address: 0xF79AB000 Size: 8192 bytes
Driver: swenum.sys Address: 0xF799F000 Size: 8192 bytes
Driver: USBD.SYS Address: 0xF79A1000 Size: 8192 bytes
Driver: Vax347s.sys Address: 0xF798F000 Size: 8192 bytes
Driver: WMILIB.SYS Address: 0xF7989000 Size: 8192 bytes
Driver: audstub.sys Address: 0xBA6FF000 Size: 4096 bytes
Driver: AvgAsCln.sys Address: 0xB6C91000 Size: 4096 bytes
Driver: dxgthk.sys Address: 0xB6C60000 Size: 4096 bytes
Driver: guard.sys Address: 0xBADB8000 Size: 4096 bytes
Driver: Null.SYS Address: 0xB6C94000 Size: 4096 bytes
Driver: pciide.sys Address: 0xF7A4F000 Size: 4096 bytes
Driver: ?_unknown_code_page_?  Address: 0x8957E030 Size: 4048 bytes
Driver: ?_unknown_code_page_?  Address: 0x89B981D8 Size: 3624 bytes
Driver: ?_unknown_code_page_?  Address: 0x89C091D8 Size: 3624 bytes
Driver: ?_unknown_code_page_?  Address: 0x89C071D8 Size: 3624 bytes
Driver: ?_unknown_code_page_?  Address: 0x897E51D8 Size: 3624 bytes
Driver: ?_unknown_code_page_?  Address: 0x88D21270 Size: 3472 bytes
Driver: ?_unknown_code_page_?  Address: 0x896D62B0 Size: 3408 bytes
Driver: ?_unknown_code_page_?  Address: 0x896932B8 Size: 3400 bytes
Driver: ?_unknown_code_page_?  Address: 0x896683D8 Size: 3112 bytes
Driver: ?_unknown_code_page_?  Address: 0x880B3470 Size: 2960 bytes
Driver: ?_unknown_code_page_?  Address: 0x89680640 Size: 2496 bytes
Driver: ?_unknown_code_page_?  Address: 0x89821820 Size: 2016 bytes
Driver: ?_unknown_code_page_?  Address: 0x885F1980 Size: 1664 bytes
Driver: ?_unknown_code_page_?  Address: 0x87FD1980 Size: 1664 bytes
Driver: ?_unknown_code_page_?  Address: 0x89866AD8 Size: 1320 bytes
Driver: ?_unknown_code_page_?  Address: 0x8984EC48 Size: 952 bytes
Driver: ?_unknown_code_page_?  Address: 0x88D20DD0 Size: 560 bytes
Driver: ?_unknown_code_page_?  Address: 0x896C2E70 Size: 400 bytes
==============================================
>Files

Suspect File: C:\$Extend\$UsnJrnl:$J:$DATA Status: Opened for exclusive access by other app or by System


Suspect File: C:\$Extend\$UsnJrnl:$Max:$DATA Status: Opened for exclusive access by other app or by System


Suspect File: C:\Documents and Settings\Keld Sørensen\Application Data\hidires\hidr.exe Status: Hidden


Suspect File: C:\Documents and Settings\Keld Sørensen\Application Data\hidires\m_hook.sys Status: Hidden


Suspect File: C:\Programmer\Fælles filer\Microsoft Shared\DevHelp\Shared\v8.0\1033\_SharedStub.hxq Status: Hidden


Suspect File: C:\Programmer\Movie Maker\Shared\Empty.txt Status: Hidden


Suspect File: C:\Programmer\Movie Maker\Shared\Filters.xml Status: Hidden


Suspect File: C:\Programmer\Movie Maker\Shared\news.png Status: Hidden


Suspect File: C:\Programmer\Movie Maker\Shared\paint.png Status: Hidden


Suspect File: C:\Programmer\Movie Maker\Shared\Profiles\Blank.txt Status: Hidden


Suspect File: C:\Programmer\Movie Maker\Shared\Sample1.jpg Status: Hidden


Suspect File: C:\Programmer\Movie Maker\Shared\Sample2.jpg Status: Hidden


Suspect File: C:\WINDOWS\system32\hldrrr.exe Status: Hidden


Suspect File: C:\WINDOWS\system32\wintems.exe Status: Hidden


Suspect File: D:\$Extend\$UsnJrnl:$J:$DATA Status: Opened for exclusive access by other app or by System


Suspect File: D:\$Extend\$UsnJrnl:$Max:$DATA Status: Opened for exclusive access by other app or by System


Suspect File: D:\EXE\Nero\Nero Premium Full Retail 7.5.0.2\Installation\Redist\Nero SIPPS\Common Files\Shared\SharedPhone1.txt Status: Hidden


Suspect File: D:\System Volume Information\catalog.wci\00010005.ci Status: Hidden


Suspect File: D:\System Volume Information\catalog.wci\00010005.dir Status: Hidden


Suspect File: D:\System Volume Information\catalog.wci\CiFLfffd.000 Status: Hidden


Suspect File: D:\System Volume Information\catalog.wci\CiFLfffd.001 Status: Hidden


Suspect File: D:\System Volume Information\catalog.wci\CiFLfffd.002 Status: Hidden


Suspect File: E:\$Extend\$UsnJrnl:$J:$DATA Status: Opened for exclusive access by other app or by System


Suspect File: E:\$Extend\$UsnJrnl:$Max:$DATA Status: Opened for exclusive access by other app or by System

==============================================
>Hooks

IDT—>Int 0x00000093, Type: IDT modification hook handler located in [?_unknown_code_page_?]
tcpip.sys+0x00003CFA, Type: Inline - RelativeCall at address 0xB6BBECFA hook handler located in [Teefer.sys]
tcpip.sys+0x0000544E, Type: Inline - RelativeCall at address 0xB6BC044E hook handler located in [Teefer.sys]
tcpip.sys+0x0000A4E0, Type: Inline - RelativeCall at address 0xB6BC54E0 hook handler located in [Teefer.sys]
tcpip.sys—>ndis.sys—>NdisCloseAdapter, Type: IAT modification at address 0xB6BF9F28 hook handler located in [Teefer.sys]
tcpip.sys—>ndis.sys—>NdisOpenAdapter, Type: IAT modification at address 0xB6BF9F54 hook handler located in [Teefer.sys]
tcpip.sys—>ndis.sys—>NdisRegisterProtocol, Type: IAT modification at address 0xB6BF9F60 hook handler located in [Teefer.sys]
wanarp.sys+0x000053FD, Type: Inline - RelativeCall at address 0xF74573FD hook handler located in [Teefer.sys]
wanarp.sys—>ndis.sys—>NdisCloseAdapter, Type: IAT modification at address 0xF7457B4C hook handler located in [Teefer.sys]
wanarp.sys—>ndis.sys—>NdisDeregisterProtocol, Type: IAT modification at address 0xF7457B1C hook handler located in [Teefer.sys]
wanarp.sys—>ndis.sys—>NdisOpenAdapter, Type: IAT modification at address 0xF7457B3C hook handler located in [Teefer.sys]
wanarp.sys—>ndis.sys—>NdisRegisterProtocol, Type: IAT modification at address 0xF7457B28 hook handler located in [Teefer.sys]

Regards, Keld Gartner

  Ejvindh
Editor
Number of posts: 6048

No, unfortunately it is still alive. On the other hand, I got some extra information about the infection. So Avenger gets one last chance (note that when you run Avenger several times, it can sometimes cause problems where it refuses to run. In that case you can try deleting the folder c:\avenger, then restart, and then try again):

Run Avenger again. Put a dot in "Input Script Manually" and click the magnifying glass. A small window will now pop up, into which you should copy the contents between the dashed lines:

——————————————-
Files to delete:
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\hldrrr.exe

Folders to Delete:
C:\Documents and Settings\Keld Sørensen\Application Data\hidires

drivers to unload:
m_hook
——————————————-

—Click the traffic light in Avenger. The program will prompt you to restart the computer immediately, which you should do. The program will shut down your computer, delete the files and start the computer again.

—After the restart a Notepad window will pop up with a log of Avenger's actions. Please paste that into your next reply.

—Ideally I would then like a new log from both Gmer and Rootkitunhooker again, but it may be that Rootkitunhooker will not run because you have Gmer on the machine. In that case I will have to make do with a log from Gmer.

Number of posts: 17

Hi again, here are a couple of fresh logs. Regarding rku, you just need to restart and then it runs fine.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\aanqckkn

*******************

Script file located at: \??\C:\pqrympls.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\wintems.exe deleted successfully.
File C:\WINDOWS\system32\hldrrr.exe deleted successfully.
Folder C:\Documents and Settings\Keld Sørensen\Application Data\hidires deleted successfully.
Driver m_hook unloaded successfully.

Completed script processing.

*******************

Finished!  Terminate.

RkUnhooker report generator v0.5c
==============================================
Rootkit Unhooker kernel version: 3.20.130.388
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================
>SSDT State

NtAllocateVirtualMemory Actual Address 0xF7474B30 Hooked by: C:\WINDOWS\system32\drivers\wpsdrvnt.sys

NtClose Actual Address 0xF74CDC58 Hooked by: Vax347b.sys

NtCreateKey Actual Address 0xF74CDC10 Hooked by: Vax347b.sys

NtCreatePagingFile Actual Address 0xF74C1C70 Hooked by: Vax347b.sys

NtCreateThread Actual Address 0xF74746F0 Hooked by: C:\WINDOWS\system32\drivers\wpsdrvnt.sys

NtEnumerateKey Actual Address 0xF74C24FE Hooked by: Vax347b.sys

NtEnumerateValueKey Actual Address 0xF74CDD50 Hooked by: Vax347b.sys

NtMapViewOfSection Actual Address 0xF7474470 Hooked by: C:\WINDOWS\system32\drivers\wpsdrvnt.sys

NtOpenKey Actual Address 0xF74CDBD4 Hooked by: Vax347b.sys

NtOpenProcess Actual Address 0xB6FDC8AC Hooked by: C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.sys

NtProtectVirtualMemory Actual Address 0xF7474C50 Hooked by: C:\WINDOWS\system32\drivers\wpsdrvnt.sys

NtQueryKey Actual Address 0xF74C251E Hooked by: Vax347b.sys

NtQueryValueKey Actual Address 0xF74CDCA6 Hooked by: Vax347b.sys

NtSetSystemPowerState Actual Address 0xF74CD4F0 Hooked by: Vax347b.sys

NtSetValueKey Actual Address 0xF7505D56 Hooked by: sptd.sys

NtShutdownSystem Actual Address 0xF7474990 Hooked by: C:\WINDOWS\system32\drivers\wpsdrvnt.sys

NtTerminateProcess Actual Address 0xB6FDC812 Hooked by: C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.sys

NtWriteVirtualMemory Actual Address 0xF7474D60 Hooked by: C:\WINDOWS\system32\drivers\wpsdrvnt.sys
==============================================
>Processes
Process: System Process Id: 4 EPROCESS Address: 0x89BFD660
Process: C:\WINDOWS\system32\ctfmon.exe Process Id: 272 EPROCESS Address: 0x88ADDDA0
Process: C:\Programmer\Messenger\msmsgs.exe Process Id: 276 EPROCESS Address: 0x89524988
Process: C:\Programmer\CaptureWiz\Pro\CaptureWiz.exe Process Id: 332 EPROCESS Address: 0x88AD7658
Process: C:\WINDOWS\system32\cisvc.exe Process Id: 584 EPROCESS Address: 0x8955D3C8
Process: D:\Installeret\Power Cinema\Kernel\TV\CLCapSvc.exe Process Id: 620 EPROCESS Address: 0x87F623F0
Process: C:\WINDOWS\system32\CTSVCCDA.EXE Process Id: 632 EPROCESS Address: 0x87F50448
Process: C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe Process Id: 652 EPROCESS Address: 0x87E9E668
Process: C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLService.exe Process Id: 676 EPROCESS Address: 0x87F57778
Process: C:\WINDOWS\system32\nvsvc32.exe Process Id: 716 EPROCESS Address: 0x87F42790
Process: C:\WINDOWS\system32\smss.exe Process Id: 728 EPROCESS Address: 0x894A5558
Process: C:\WINDOWS\system32\HPZipm12.exe Process Id: 744 EPROCESS Address: 0x87F4FDA0
Process: C:\WINDOWS\system32\csrss.exe Process Id: 784 EPROCESS Address: 0x8951C650
Process: C:\WINDOWS\system32\svchost.exe Process Id: 788 EPROCESS Address: 0x87E96790
Process: C:\WINDOWS\system32\winlogon.exe Process Id: 808 EPROCESS Address: 0x8951CA78
Process: C:\WINDOWS\system32\services.exe Process Id: 860 EPROCESS Address: 0x8951A228
Process: C:\WINDOWS\system32\lsass.exe Process Id: 872 EPROCESS Address: 0x8951A650
Process: C:\WINDOWS\system32\svchost.exe Process Id: 1040 EPROCESS Address: 0x8951B3C0
Process: C:\WINDOWS\system32\svchost.exe Process Id: 1108 EPROCESS Address: 0x8951C228
Process: C:\WINDOWS\system32\svchost.exe Process Id: 1204 EPROCESS Address: 0x89519980
Process: C:\WINDOWS\system32\svchost.exe Process Id: 1252 EPROCESS Address: 0x89557558
Process: C:\WINDOWS\system32\svchost.exe Process Id: 1360 EPROCESS Address: 0x895367E8
Process: C:\WINDOWS\system32\LEXBCES.EXE Process Id: 1492 EPROCESS Address: 0x89869980
Process: C:\WINDOWS\system32\spoolsv.exe Process Id: 1540 EPROCESS Address: 0x8955E988
Process: C:\WINDOWS\system32\LEXPPS.EXE Process Id: 1548 EPROCESS Address: 0x894BE558
Process: D:\Installeret\Power Cinema\Kernel\TV\CLSched.exe Process Id: 1668 EPROCESS Address: 0x87F24DA0
Process: C:\WINDOWS\explorer.exe Process Id: 1824 EPROCESS Address: 0x896E05E8
Process: C:\WINDOWS\CTHELPER.EXE Process Id: 1936 EPROCESS Address: 0x894AC650
Process: C:\Programmer\Creative\Surround Mixer\CTSysVol.exe Process Id: 1944 EPROCESS Address: 0x894A9650
Process: C:\Programmer\Creative\DVDAudio\CTDVDDET.exe Process Id: 1952 EPROCESS Address: 0x896F5030
Process: C:\Programmer\Lexmark X1100 Series\lxbkbmgr.exe Process Id: 1968 EPROCESS Address: 0x896A2790
Process: C:\Programmer\Java\jre1.5.0_11\bin\jusched.exe Process Id: 1976 EPROCESS Address: 0x894CB2C0
Process: C:\Programmer\Lexmark X1100 Series\lxbkbmon.exe Process Id: 1988 EPROCESS Address: 0x8986CB18
Process: C:\WINDOWS\system32\rundll32.exe Process Id: 2016 EPROCESS Address: 0x896E16E8
Process: D:\Installeret\HP\HP Software Update\hpwuSchd2.exe Process Id: 2024 EPROCESS Address: 0x88AF0538
Process: C:\Programmer\Creative\MediaSource\Detector\CTDetect.exe Process Id: 2032 EPROCESS Address: 0x894CE408
Process: C:\RkUnhooker\2b55t1j6Y4Boy7t.exe Process Id: 2660 EPROCESS Address: 0x87E55180
==============================================
>Drivers
Driver: nv4_disp.dll Address: 0xBF9D4000 Size: 4530176 bytes
Driver: nv4_mini.sys Address: 0xB98A6000 Size: 3997696 bytes
Driver: ntoskrnl.exe Address: 0x804D7000 Size: 2256896 bytes
Driver: PnpManager Address: 0x804D7000 Size: 2256896 bytes
Driver: RAW Address: 0x804D7000 Size: 2256896 bytes
Driver: WMIxWDM Address: 0x804D7000 Size: 2256896 bytes
Driver: Win32k Address: 0xBF800000 Size: 1843200 bytes
Driver: win32k.sys Address: 0xBF800000 Size: 1843200 bytes
Driver: ha10kx2k.sys Address: 0xB6DA1000 Size: 1052672 bytes
Driver: 00000068 Address: 0xF74FF000 Size: 880640 bytes
Driver: sptd.sys Address: 0xF74FF000 Size: 880640 bytes
Driver: ctac32k.sys Address: 0xB6CB1000 Size: 638976 bytes
Driver: Ntfs.sys Address: 0xBAF5C000 Size: 577536 bytes
Driver: mrxsmb.sys Address: 0xB6B1A000 Size: 454656 bytes
Driver: ctaud2k.sys Address: 0xB9803000 Size: 442368 bytes
Driver: tcpip.sys Address: 0xB6C26000 Size: 360448 bytes
Driver: srv.sys Address: 0xB4E3B000 Size: 335872 bytes
Driver: HTTP.sys Address: 0xB4B52000 Size: 266240 bytes
Driver: update.sys Address: 0xB9656000 Size: 212992 bytes
Driver: ctoss2k.sys Address: 0xB978A000 Size: 204800 bytes
Driver: rdpdr.sys Address: 0xB96CD000 Size: 200704 bytes
Driver: ACPI.sys Address: 0xF7492000 Size: 188416 bytes
Driver: emupia2k.sys Address: 0xB6D74000 Size: 184320 bytes
Driver: mrxdav.sys Address: 0xB501D000 Size: 184320 bytes
Driver: NDIS.sys Address: 0xBAF2F000 Size: 184320 bytes
Driver: rdbss.sys Address: 0xB6B89000 Size: 176128 bytes
Driver: hap16v2k.sys Address: 0xB6EA2000 Size: 172032 bytes
Driver: netbt.sys Address: 0xB6BD6000 Size: 163840 bytes
Driver: ctsfm2k.sys Address: 0xB6D4D000 Size: 159744 bytes
Driver: Vax347b.sys Address: 0xF74C0000 Size: 159744 bytes
Driver: dmio.sys Address: 0xF7831000 Size: 155648 bytes
Driver: portcls.sys Address: 0xB97DF000 Size: 147456 bytes
Driver: ks.sys Address: 0xB97BC000 Size: 143360 bytes
Driver: USBPORT.SYS Address: 0xB986F000 Size: 143360 bytes
Driver: afd.sys Address: 0xB6BB4000 Size: 139264 bytes
Driver: ACPI_HAL Address: 0x806FE000 Size: 134400 bytes
Driver: hal.dll Address: 0x806FE000 Size: 134400 bytes
Driver: fltMgr.sys Address: 0xF794F000 Size: 131072 bytes
Driver: ftdisk.sys Address: 0xF7857000 Size: 126976 bytes
Driver: Teefer.sys Address: 0xBAF12000 Size: 118784 bytes
Driver: Mup.sys Address: 0xBAEF7000 Size: 110592 bytes
Driver:        Address: 0xF796F000 Size: 98304 bytes
Driver: dump_atapi.sys Address: 0xB6A8A000 Size: 98304 bytes
Driver: SCSIPORT.SYS Address: 0xF74E7000 Size: 98304 bytes
Driver: KSecDD.sys Address: 0xBAFE9000 Size: 94208 bytes
Driver: ndiswan.sys Address: 0xB975F000 Size: 94208 bytes
Driver: wdmaud.sys Address: 0xB528C000 Size: 86016 bytes
Driver: parport.sys Address: 0xB9776000 Size: 81920 bytes
Driver: VIDEOPRT.SYS Address: 0xB9892000 Size: 81920 bytes
Driver: ipsec.sys Address: 0xB6C7E000 Size: 77824 bytes
Driver: dxg.sys Address: 0xBF9C2000 Size: 73728 bytes
Driver: sr.sys Address: 0xF7A3D000 Size: 73728 bytes
Driver: pci.sys Address: 0xF7876000 Size: 69632 bytes
Driver: psched.sys Address: 0xB974E000 Size: 69632 bytes
Driver: Cdfs.SYS Address: 0xBAED7000 Size: 65536 bytes
Driver: nic1394.sys Address: 0xBAE87000 Size: 65536 bytes
Driver: serial.sys Address: 0xBAE67000 Size: 65536 bytes
Driver: arp1394.sys Address: 0xF7452000 Size: 61440 bytes
Driver: drmk.sys Address: 0xBAE77000 Size: 61440 bytes
Driver: ohci1394.sys Address: 0xF7607000 Size: 61440 bytes
Driver: redbook.sys Address: 0xF76C7000 Size: 61440 bytes
Driver: sysaudio.sys Address: 0xB5411000 Size: 61440 bytes
Driver: usbhub.sys Address: 0xBA0BE000 Size: 61440 bytes
Driver: VolSnap.sys Address: 0xF7637000 Size: 57344 bytes
Driver: 1394BUS.SYS Address: 0xF7617000 Size: 53248 bytes
Driver: cdrom.sys Address: 0xF76B7000 Size: 53248 bytes
Driver: CLASSPNP.SYS Address: 0xF7657000 Size: 53248 bytes
Driver: HPZid412.sys Address: 0xBAEE7000 Size: 53248 bytes
Driver: i8042prt.sys Address: 0xBAE57000 Size: 53248 bytes
Driver: rasl2tp.sys Address: 0xF76D7000 Size: 53248 bytes
Driver: pcouffin.sys Address: 0xBA10E000 Size: 49152 bytes
Driver: raspptp.sys Address: 0xF76F7000 Size: 49152 bytes
Driver: agp440.sys Address: 0xF7677000 Size: 45056 bytes
Driver: getnd5b.sys Address: 0xBAE97000 Size: 45056 bytes
Driver: imapi.sys Address: 0xF76A7000 Size: 45056 bytes
Driver: MountMgr.sys Address: 0xF7627000 Size: 45056 bytes
Driver: raspppoe.sys Address: 0xF76E7000 Size: 45056 bytes
Driver: intelppm.sys Address: 0xBAEA7000 Size: 40960 bytes
Driver: NDProxy.SYS Address: 0xBA0DE000 Size: 40960 bytes
Driver: termdd.sys Address: 0xBA0FE000 Size: 40960 bytes
Driver: disk.sys Address: 0xF7647000 Size: 36864 bytes
Driver: Fips.SYS Address: 0xF7432000 Size: 36864 bytes
Driver: HIDCLASS.SYS Address: 0xF7402000 Size: 36864 bytes
Driver: isapnp.sys Address: 0xF75F7000 Size: 36864 bytes
Driver: msgpc.sys Address: 0xF7462000 Size: 36864 bytes
Driver: netbios.sys Address: 0xF7442000 Size: 36864 bytes
Driver: PxHelp20.sys Address: 0xF7667000 Size: 36864 bytes
Driver: wanarp.sys Address: 0xF7482000 Size: 36864 bytes
Driver: wpsdrvnt.sys Address: 0xF7472000 Size: 36864 bytes
Driver: ctprxy2k.sys Address: 0xF77D7000 Size: 32768 bytes
Driver: Npfs.SYS Address: 0xF7767000 Size: 32768 bytes
Driver: usbccgp.sys Address: 0xF776F000 Size: 32768 bytes
Driver: fdc.sys Address: 0xF77DF000 Size: 28672 bytes
Driver: HIDPARSE.SYS Address: 0xF7727000 Size: 28672 bytes
Driver: kbdclass.sys Address: 0xF77E7000 Size: 28672 bytes
Driver: PCIIDEX.SYS Address: 0xF770F000 Size: 28672 bytes
Driver: usbehci.sys Address: 0xF77CF000 Size: 28672 bytes
Driver: usbprint.sys Address: 0xF777F000 Size: 28672 bytes
Driver: USBSTOR.SYS Address: 0xF778F000 Size: 28672 bytes
Driver: HPZius12.sys Address: 0xF7787000 Size: 24576 bytes
Driver: mouclass.sys Address: 0xF7807000 Size: 24576 bytes
Driver: rkhdrv31.sys Address: 0xF7707000 Size: 24576 bytes
Driver: vga.sys Address: 0xF7757000 Size: 24576 bytes
Driver: flpydisk.sys Address: 0xF7817000 Size: 20480 bytes
Driver: Msfs.SYS Address: 0xF775F000 Size: 20480 bytes
Driver: PartMgr.sys Address: 0xF7717000 Size: 20480 bytes
Driver: ptilink.sys Address: 0xF77F7000 Size: 20480 bytes
Driver: raspti.sys Address: 0xF77FF000 Size: 20480 bytes
Driver: TDI.SYS Address: 0xF77EF000 Size: 20480 bytes
Driver: usbuhci.sys Address: 0xF77C7000 Size: 20480 bytes
Driver: watchdog.sys Address: 0xF7797000 Size: 20480 bytes
Driver: ASPI32.SYS Address: 0xBADE3000 Size: 16384 bytes
Driver: HPZipr12.sys Address: 0xB963E000 Size: 16384 bytes
Driver: kbdhid.sys Address: 0xB9646000 Size: 16384 bytes
Driver: mssmbios.sys Address: 0xBADA5000 Size: 16384 bytes
Driver: serenum.sys Address: 0xBADD3000 Size: 16384 bytes
Driver: BOOTVID.dll Address: 0xF7897000 Size: 12288 bytes
Driver: ctgame.sys Address: 0xBADD7000 Size: 12288 bytes
Driver: Dxapi.sys Address: 0xB6EFA000 Size: 12288 bytes
Driver: hidusb.sys Address: 0xB9652000 Size: 12288 bytes
Driver: mouhid.sys Address: 0xB9642000 Size: 12288 bytes
Driver: ndistapi.sys Address: 0xBADC7000 Size: 12288 bytes
Driver: rasacd.sys Address: 0xBAE0F000 Size: 12288 bytes
Driver: wg3n.sys Address: 0xB5599000 Size: 12288 bytes
Driver: wg4n.sys Address: 0xB5595000 Size: 12288 bytes
Driver: wg5n.sys Address: 0xB5585000 Size: 12288 bytes
Driver: wg6n.sys Address: 0xB5581000 Size: 12288 bytes
Driver: Beep.SYS Address: 0xF79A5000 Size: 8192 bytes
Driver: dmload.sys Address: 0xF798D000 Size: 8192 bytes
Driver: dump_WMILIB.SYS Address: 0xF79B1000 Size: 8192 bytes
Driver: EGATHDRV.SYS Address: 0xF79D3000 Size: 8192 bytes
Driver: Fs_Rec.SYS Address: 0xF79A3000 Size: 8192 bytes
Driver: intelide.sys Address: 0xF798B000 Size: 8192 bytes
Driver: KDCOM.DLL Address: 0xF7987000 Size: 8192 bytes
Driver: mnmdd.SYS Address: 0xF79A9000 Size: 8192 bytes
Driver: ParVdm.SYS Address: 0xF79C7000 Size: 8192 bytes
Driver: RDPCDD.sys Address: 0xF79AB000 Size: 8192 bytes
Driver: swenum.sys Address: 0xF799F000 Size: 8192 bytes
Driver: USBD.SYS Address: 0xF79A1000 Size: 8192 bytes
Driver: Vax347s.sys Address: 0xF798F000 Size: 8192 bytes
Driver: WMILIB.SYS Address: 0xF7989000 Size: 8192 bytes
Driver: audstub.sys Address: 0xF7AA8000 Size: 4096 bytes
Driver: AvgAsCln.sys Address: 0xB6FF8000 Size: 4096 bytes
Driver: dxgthk.sys Address: 0xF7AB0000 Size: 4096 bytes
Driver: guard.sys Address: 0xB6FDC000 Size: 4096 bytes
Driver: Null.SYS Address: 0xB6FF9000 Size: 4096 bytes
Driver: pciide.sys Address: 0xF7A4F000 Size: 4096 bytes
Driver: ?_unknown_code_page_?  Address: 0x89B971D8 Size: 3624 bytes
Driver: ?_unknown_code_page_?  Address: 0x89C0A1D8 Size: 3624 bytes
Driver: ?_unknown_code_page_?  Address: 0x89C081D8 Size: 3624 bytes
Driver: ?_unknown_code_page_?  Address: 0x8980B1D8 Size: 3624 bytes
Driver: ?_unknown_code_page_?  Address: 0x897A81D8 Size: 3624 bytes
Driver: ?_unknown_code_page_?  Address: 0x88AED240 Size: 3520 bytes
Driver: ?_unknown_code_page_?  Address: 0x88AC0248 Size: 3512 bytes
Driver: ?_unknown_code_page_?  Address: 0x8955B3C8 Size: 3128 bytes
Driver: ?_unknown_code_page_?  Address: 0x8858C3F0 Size: 3088 bytes
Driver: ?_unknown_code_page_?  Address: 0x897D4738 Size: 2248 bytes
Driver: ?_unknown_code_page_?  Address: 0x89706738 Size: 2248 bytes
Driver: ?_unknown_code_page_?  Address: 0x88AFF7A8 Size: 2136 bytes
Driver: ?_unknown_code_page_?  Address: 0x89633800 Size: 2048 bytes
Driver: ?_unknown_code_page_?  Address: 0x89647878 Size: 1928 bytes
Driver: ?_unknown_code_page_?  Address: 0x89463980 Size: 1664 bytes
Driver: ?_unknown_code_page_?  Address: 0x89779B20 Size: 1248 bytes
Driver: ?_unknown_code_page_?  Address: 0x89735BC8 Size: 1080 bytes
Driver: ?_unknown_code_page_?  Address: 0x89722C90 Size: 880 bytes
Driver: ?_unknown_code_page_?  Address: 0x89621F00 Size: 256 bytes
==============================================
>Files

Suspect File: C:\$Extend\$UsnJrnl:$J:$DATA Status: Opened for exclusive access by other app or by System


Suspect File: C:\$Extend\$UsnJrnl:$Max:$DATA Status: Opened for exclusive access by other app or by System


Suspect File: D:\$Extend\$UsnJrnl:$J:$DATA Status: Opened for exclusive access by other app or by System


Suspect File: D:\$Extend\$UsnJrnl:$Max:$DATA Status: Opened for exclusive access by other app or by System


Suspect File: D:\System Volume Information\catalog.wci\00010001.ci Status: Hidden


Suspect File: D:\System Volume Information\catalog.wci\00010001.dir Status: Hidden


Suspect File: D:\System Volume Information\catalog.wci\CiFLfffd.000 Status: Hidden


Suspect File: D:\System Volume Information\catalog.wci\CiFLfffd.001 Status: Hidden


Suspect File: D:\System Volume Information\catalog.wci\CiFLfffd.002 Status: Hidden


Suspect File: E:\$Extend\$UsnJrnl:$J:$DATA Status: Opened for exclusive access by other app or by System


Suspect File: E:\$Extend\$UsnJrnl:$Max:$DATA Status: Opened for exclusive access by other app or by System

==============================================
>Hooks

tcpip.sys+0x00003CFA, Type: Inline - RelativeCall at address 0xB6C29CFA hook handler located in [Teefer.sys]
tcpip.sys+0x0000544E, Type: Inline - RelativeCall at address 0xB6C2B44E hook handler located in [Teefer.sys]
tcpip.sys+0x0000A4E0, Type: Inline - RelativeCall at address 0xB6C304E0 hook handler located in [Teefer.sys]
tcpip.sys—>ndis.sys—>NdisCloseAdapter, Type: IAT modification at address 0xB6C64F28 hook handler located in [Teefer.sys]
tcpip.sys—>ndis.sys—>NdisOpenAdapter, Type: IAT modification at address 0xB6C64F54 hook handler located in [Teefer.sys]
tcpip.sys—>ndis.sys—>NdisRegisterProtocol, Type: IAT modification at address 0xB6C64F60 hook handler located in [Teefer.sys]
wanarp.sys+0x000053FD, Type: Inline - RelativeCall at address 0xF74873FD hook handler located in [Teefer.sys]
wanarp.sys—>ndis.sys—>NdisCloseAdapter, Type: IAT modification at address 0xF7487B4C hook handler located in [Teefer.sys]
wanarp.sys—>ndis.sys—>NdisDeregisterProtocol, Type: IAT modification at address 0xF7487B1C hook handler located in [Teefer.sys]
wanarp.sys—>ndis.sys—>NdisOpenAdapter, Type: IAT modification at address 0xF7487B3C hook handler located in [Teefer.sys]
wanarp.sys—>ndis.sys—>NdisRegisterProtocol, Type: IAT modification at address 0xF7487B28 hook handler located in [Teefer.sys]
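The two Rootkit Unhooker reports in this thread are compared by eye: the helper looks for "Status: Hidden" files that belong to no known product and for SSDT entries hooked by drivers that should not be there, then checks the second report to confirm the Avenger script removed them. The following Python script is an added example (not part of the thread, not a tool of Rootkit Unhooker or Avenger) that does that triage mechanically: it parses the "Suspect File" and SSDT lines, ignores entries that are normal on Windows XP (the NTFS change journal held open by the system, and the Indexing Service catalog under System Volume Information), groups the remaining SSDT hooks by the driver owning the handler, and diffs a before/after pair of reports. The sample reports are short constructed excerpts built from lines posted above, and the benign-path allowlist is an assumed, analyst-maintained list, not something the tools define.

```python
"""
Triage helper for Rootkit Unhooker (RkUnhooker) text reports (added example).

Extracts "Suspect File ... Status: Hidden" entries and the SSDT hook table,
drops entries that are expected on Windows XP, and compares a before/after
pair of reports to confirm what a cleanup actually removed.
"""
import re
from collections import defaultdict

# "Suspect File: <path> Status: <status>"; the path may contain spaces,
# so the non-greedy group is anchored on the literal " Status: " separator.
FILE_RE = re.compile(r"^Suspect File: (?P<path>.+?) Status: (?P<status>.+)$")
# "NtXxx Actual Address 0x... Hooked by: <driver>"
SSDT_RE = re.compile(
    r"^(?P<func>Nt\w+) Actual Address (?P<addr>0x[0-9A-Fa-f]+) Hooked by: (?P<driver>.+)$"
)

# Assumed allowlist (hypothetical, maintained by the analyst): path fragments
# whose "Hidden" status is expected on this platform and is not flagged.
BENIGN_HIDDEN_FRAGMENTS = (
    "\\System Volume Information\\catalog.wci\\",  # Indexing Service catalog (cisvc.exe)
)


def parse_report(text):
    """Return (hidden_files, ssdt_hooks) for one RkUnhooker report.

    hidden_files: paths reported with Status 'Hidden', minus the allowlist.
    ssdt_hooks:   (function, address, hooking driver) tuples from >SSDT State.
    """
    hidden, hooks = [], []
    for line in text.splitlines():
        line = line.strip()
        m = FILE_RE.match(line)
        if m:
            path, status = m.group("path"), m.group("status")
            # "$UsnJrnl ... Opened for exclusive access" is the NTFS change
            # journal held open by the system; only 'Hidden' is of interest.
            if status == "Hidden" and not any(
                frag.lower() in path.lower() for frag in BENIGN_HIDDEN_FRAGMENTS
            ):
                hidden.append(path)
            continue
        m = SSDT_RE.match(line)
        if m:
            hooks.append((m.group("func"), m.group("addr"), m.group("driver")))
    return hidden, hooks


def hooks_by_driver(hooks):
    """Group SSDT hook entries by the driver that owns the hook handler."""
    grouped = defaultdict(list)
    for func, _addr, driver in hooks:
        grouped[driver].append(func)
    return dict(grouped)


def diff_hidden(before_text, after_text):
    """Which flagged hidden files disappeared between two reports, and which remain."""
    before, _ = parse_report(before_text)
    after, _ = parse_report(after_text)
    return sorted(set(before) - set(after)), sorted(set(after))


# Constructed excerpts, assembled from lines posted in the thread.
BEFORE_REPORT = r"""
>SSDT State
NtAllocateVirtualMemory Actual Address 0xF7474B30 Hooked by: C:\WINDOWS\system32\drivers\wpsdrvnt.sys
NtClose Actual Address 0xF74CDC58 Hooked by: Vax347b.sys
NtCreateKey Actual Address 0xF74CDC10 Hooked by: Vax347b.sys
==============================================
>Files
Suspect File: C:\$Extend\$UsnJrnl:$J:$DATA Status: Opened for exclusive access by other app or by System
Suspect File: C:\Documents and Settings\Keld Sørensen\Application Data\hidires\hidr.exe Status: Hidden
Suspect File: C:\Documents and Settings\Keld Sørensen\Application Data\hidires\m_hook.sys Status: Hidden
Suspect File: C:\WINDOWS\system32\hldrrr.exe Status: Hidden
Suspect File: C:\WINDOWS\system32\wintems.exe Status: Hidden
Suspect File: D:\System Volume Information\catalog.wci\00010005.ci Status: Hidden
"""

AFTER_REPORT = r"""
>Files
Suspect File: C:\$Extend\$UsnJrnl:$J:$DATA Status: Opened for exclusive access by other app or by System
Suspect File: D:\System Volume Information\catalog.wci\00010001.ci Status: Hidden
"""


def main():
    hidden, hooks = parse_report(BEFORE_REPORT)
    print("Flagged hidden files before cleanup:", *hidden, sep="\n  ")
    for driver, funcs in hooks_by_driver(hooks).items():
        print(f"{driver}: {len(funcs)} SSDT hook(s): {', '.join(funcs)}")
    removed, remaining = diff_hidden(BEFORE_REPORT, AFTER_REPORT)
    print("Removed by cleanup:", *removed, sep="\n  ")
    print("Still hidden after cleanup:", remaining or "none")


if __name__ == "__main__":
    main()
```

The diff is what answers the helper's question in the next post: with the allowlist applied, the four hidires/system32 files flagged in the first report are gone from the second and nothing new is flagged. The driver grouping gives the same view the helper uses for the SSDT table, a handful of hooks owned by a few named drivers that can then be checked against the software installed on the machine.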

  Ejvindh
Editor
Number of posts: 6048

That looks very sensible. The rootkit appears to have been taken down. How is AVG doing now?

Number of posts: 17

AVG is installed and working, and SAS also scans fine. The antivirus scan found a lot of worm\bagel.

Where do I go if I want to know more about rootkits?

Many thanks for the help.