Rootkit on my PC
Posts: 18

Hi
Yesterday I made the big mistake of double-clicking an unknown file. After that my PC went to a "blue screen", and when it restarted the antivirus (McAfee) did not start up as usual.
In the McAfee log I could see a change concerning the file Wintems.exe, which I have since found out is apparently a rootkit.
I have tried scanning with McAfee, which does find the virus, but it does not get removed. I cannot end wintems.exe as a process, as I get the message "access denied".
I have tried various tools from this site, but without luck.
Can you help?
Best regards
Jesper

Posts: 18

Oops - I just saw that ordinary users are not allowed to create threads here..
Can you move it to another forum? Sorry

Administrator
Posts: 29613

Hi and welcome :)

That's done, and no need to apologise ;)


Please follow this whole guide:

http://www.spywarefri.dk/forum/links/hjtanv.htm


We would like to see logs from AVG Antispyware, rootchk, ComboFix, and then a log from HijackThis.

Posts: 18

Hi
Here is what I am experiencing:
1. I cannot install CCleaner. I also cannot start the version that was already installed.
2. I cannot start AVG Antispyware.
3. When I restart in Safe Mode I get a blue screen.

I am trying ComboFix now and will get back to you.

Regards
Jesper

Administrator
Posts: 29613

We're waiting eagerly :)

Posts: 18

When I double-click combofix nothing happens ??? Window from spywarefri "not responding"

Posts: 18

same story with hijackthis

Posts: 18

I can, for example, move the swf_vejl… document, but if I touch hijackthis the window freezes and the action is not completed

Posts: 18

I have disabled the network; should it be enabled?

Administrator
Posts: 29613

Try a System Restore to a point before the problem arose

Posts: 18

same result :-(

Administrator
Posts: 29613

OK. Then click here:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You then choose - Run - each time. When the scan is finished, it should produce a log called C:\ComboFix.txt.

Copy it in here.


You can do the same procedure with hijackthis

Posts: 18

yes, combofix.exe is running. Do you have a link to hijackthis too?

Posts: 18

combofix says I must not start any programs before it is finished, but various things do start up in the system tray… is that a problem?
Do you have a direct link to hijackthis?

Posts: 18

Log from combofix

ComboFix 08-01-30.6 - Jesper 2008-01-30 9:42:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1463 [GMT 1:00]
Running from: C:\Documents and Settings\Jesper\Local Settings\Temporary Internet Files\Content.IE5\C1QFGTU7\ComboFix[1].exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((  Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\drivers\down
C:\WINDOWS\system32\drivers\down\1117593.exe.ren
C:\WINDOWS\system32\drivers\down\1131437.exe.ren
C:\WINDOWS\system32\drivers\down\1138046.exe.ren
C:\WINDOWS\system32\drivers\down\1138656.exe.ren
C:\WINDOWS\system32\drivers\down\1175015.exe.ren
C:\WINDOWS\system32\drivers\down\1178625.exe.ren
C:\WINDOWS\system32\drivers\down\1201859.exe.ren
C:\WINDOWS\system32\drivers\down\1225968.exe.ren
C:\WINDOWS\system32\drivers\down\1227109.exe.ren
C:\WINDOWS\system32\drivers\down\1232093.exe.ren
C:\WINDOWS\system32\drivers\down\1236281.exe.ren
C:\WINDOWS\system32\drivers\down\1237640.exe.ren
C:\WINDOWS\system32\drivers\down\1260609.exe.ren
C:\WINDOWS\system32\drivers\down\1262140.exe.ren
C:\WINDOWS\system32\drivers\down\1272578.exe.ren
C:\WINDOWS\system32\drivers\down\1278296.exe.ren
C:\WINDOWS\system32\drivers\down\1278625.exe.ren
C:\WINDOWS\system32\drivers\down\1281875.exe.ren
C:\WINDOWS\system32\drivers\down\1285453.exe.ren
C:\WINDOWS\system32\drivers\down\1289265.exe.ren
C:\WINDOWS\system32\drivers\down\1293171.exe.ren
C:\WINDOWS\system32\drivers\down\1323734.exe.ren
C:\WINDOWS\system32\drivers\down\1343796.exe.ren
C:\WINDOWS\system32\drivers\down\1349375.exe.ren
C:\WINDOWS\system32\drivers\down\14750984.exe.ren
C:\WINDOWS\system32\drivers\down\14768828.exe.ren
C:\WINDOWS\system32\drivers\down\14771812.exe.ren
C:\WINDOWS\system32\drivers\down\14779125.exe.ren
C:\WINDOWS\system32\drivers\down\14788312.exe.ren
C:\WINDOWS\system32\drivers\down\14798468.exe.ren
C:\WINDOWS\system32\drivers\down\14852046.exe.ren
C:\WINDOWS\system32\drivers\down\14852078.exe.ren
C:\WINDOWS\system32\drivers\down\14868437.exe.ren
C:\WINDOWS\system32\drivers\down\14873718.exe.ren
C:\WINDOWS\system32\drivers\down\14878984.exe.ren
C:\WINDOWS\system32\drivers\down\14882531.exe.ren
C:\WINDOWS\system32\drivers\down\14886484.exe.ren
C:\WINDOWS\system32\drivers\down\14901265.exe.ren
C:\WINDOWS\system32\drivers\down\14912390.exe.ren
C:\WINDOWS\system32\drivers\down\14913375.exe.ren
C:\WINDOWS\system32\drivers\down\14914656.exe.ren
C:\WINDOWS\system32\drivers\down\14916093.exe.ren
C:\WINDOWS\system32\drivers\down\14920390.exe.ren
C:\WINDOWS\system32\drivers\down\14924687.exe.ren
C:\WINDOWS\system32\drivers\down\14953171.exe.ren
C:\WINDOWS\system32\drivers\down\14961250.exe.ren
C:\WINDOWS\system32\drivers\down\14972125.exe.ren
C:\WINDOWS\system32\drivers\down\162875.exe.ren
C:\WINDOWS\system32\drivers\down\172500.exe
C:\WINDOWS\system32\drivers\down\186812.exe
C:\WINDOWS\system32\drivers\down\197390.exe.ren
C:\WINDOWS\system32\drivers\down\199593.exe.ren
C:\WINDOWS\system32\drivers\down\207781.exe.ren
C:\WINDOWS\system32\drivers\down\217125.exe.ren
C:\WINDOWS\system32\drivers\down\218156.exe
C:\WINDOWS\system32\drivers\down\230843.exe
C:\WINDOWS\system32\drivers\down\245375.exe.ren
C:\WINDOWS\system32\drivers\down\246312.exe.ren
C:\WINDOWS\system32\drivers\down\247796.exe
C:\WINDOWS\system32\drivers\down\252812.exe.ren
C:\WINDOWS\system32\drivers\down\265546.exe.ren
C:\WINDOWS\system32\drivers\down\265843.exe.ren
C:\WINDOWS\system32\drivers\down\270828.exe.ren
C:\WINDOWS\system32\drivers\down\273359.exe.ren
C:\WINDOWS\system32\drivers\down\276421.exe.ren
C:\WINDOWS\system32\drivers\down\280265.exe.ren
C:\WINDOWS\system32\drivers\down\288625.exe.ren
C:\WINDOWS\system32\drivers\down\290265.exe
C:\WINDOWS\system32\drivers\down\291109.exe
C:\WINDOWS\system32\drivers\down\29396609.exe.ren
C:\WINDOWS\system32\drivers\down\29410828.exe.ren
C:\WINDOWS\system32\drivers\down\29413593.exe.ren
C:\WINDOWS\system32\drivers\down\29424078.exe.ren
C:\WINDOWS\system32\drivers\down\29436687.exe.ren
C:\WINDOWS\system32\drivers\down\29503531.exe.ren
C:\WINDOWS\system32\drivers\down\29503796.exe.ren
C:\WINDOWS\system32\drivers\down\29522031.exe.ren
C:\WINDOWS\system32\drivers\down\29529359.exe.ren
C:\WINDOWS\system32\drivers\down\29535078.exe.ren
C:\WINDOWS\system32\drivers\down\29539500.exe.ren
C:\WINDOWS\system32\drivers\down\29545593.exe.ren
C:\WINDOWS\system32\drivers\down\295468.exe.ren
C:\WINDOWS\system32\drivers\down\29561062.exe.ren
C:\WINDOWS\system32\drivers\down\29571093.exe.ren
C:\WINDOWS\system32\drivers\down\29572515.exe.ren
C:\WINDOWS\system32\drivers\down\29574765.exe.ren
C:\WINDOWS\system32\drivers\down\29576953.exe.ren
C:\WINDOWS\system32\drivers\down\29583484.exe.ren
C:\WINDOWS\system32\drivers\down\29588703.exe.ren
C:\WINDOWS\system32\drivers\down\29611312.exe.ren
C:\WINDOWS\system32\drivers\down\29616562.exe.ren
C:\WINDOWS\system32\drivers\down\29625875.exe.ren
C:\WINDOWS\system32\drivers\down\296703.exe.ren
C:\WINDOWS\system32\drivers\down\300281.exe.ren
C:\WINDOWS\system32\drivers\down\300875.exe.ren
C:\WINDOWS\system32\drivers\down\302312.exe.ren
C:\WINDOWS\system32\drivers\down\306078.exe.ren
C:\WINDOWS\system32\drivers\down\307156.exe.ren
C:\WINDOWS\system32\drivers\down\310812.exe.ren
C:\WINDOWS\system32\drivers\down\311031.exe
C:\WINDOWS\system32\drivers\down\315281.exe
C:\WINDOWS\system32\drivers\down\323062.exe
C:\WINDOWS\system32\drivers\down\325781.exe
C:\WINDOWS\system32\drivers\down\333500.exe
C:\WINDOWS\system32\drivers\down\345015.exe
C:\WINDOWS\system32\drivers\down\350625.exe
C:\WINDOWS\system32\drivers\down\354625.exe
C:\WINDOWS\system32\drivers\down\355625.exe
C:\WINDOWS\system32\drivers\down\357015.exe
C:\WINDOWS\system32\drivers\down\361953.exe.ren
C:\WINDOWS\system32\drivers\down\365734.exe
C:\WINDOWS\system32\drivers\down\369687.exe
C:\WINDOWS\system32\drivers\down\370578.exe.ren
C:\WINDOWS\system32\drivers\down\386093.exe
C:\WINDOWS\system32\drivers\down\391500.exe.ren
C:\WINDOWS\system32\drivers\down\392718.exe
C:\WINDOWS\system32\drivers\down\402578.exe
C:\WINDOWS\system32\drivers\down\404187.exe.ren
C:\WINDOWS\system32\drivers\down\409218.exe.ren
C:\WINDOWS\system32\drivers\down\419578.exe.ren
C:\WINDOWS\system32\drivers\down\426953.exe.ren
C:\WINDOWS\system32\drivers\down\458328.exe.ren
C:\WINDOWS\system32\drivers\down\459250.exe.ren
C:\WINDOWS\system32\drivers\down\464296.exe.ren
C:\WINDOWS\system32\drivers\down\467359.exe.ren
C:\WINDOWS\system32\drivers\down\469375.exe.ren
C:\WINDOWS\system32\drivers\down\471531.exe.ren
C:\WINDOWS\system32\drivers\down\476500.exe.ren
C:\WINDOWS\system32\drivers\down\485203.exe.ren
C:\WINDOWS\system32\drivers\down\489062.exe.ren
C:\WINDOWS\system32\drivers\down\489718.exe.ren
C:\WINDOWS\system32\drivers\down\490484.exe.ren
C:\WINDOWS\system32\drivers\down\491031.exe.ren
C:\WINDOWS\system32\drivers\down\493500.exe.ren
C:\WINDOWS\system32\drivers\down\497687.exe.ren
C:\WINDOWS\system32\drivers\down\525984.exe.ren
C:\WINDOWS\system32\drivers\down\561796.exe.ren
C:\WINDOWS\system32\drivers\down\567328.exe.ren
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\wintems.exe

.
(((((((((((((((((((((((((((((((((((((((  Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SROSA
-------\srosa


(((((((((((((((((((((((((  Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-30 09:56 . 2008-01-30 09:56  <DIR>  d--------  C:\WINDOWS\system32\drivers\down
2008-01-30 08:14 . 2007-05-30 13:10  10,872  --a------  C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-29 22:32 . 2008-01-30 09:49  3,968  --a------  C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-29 22:29 . 2008-01-30 02:09  102,800  --a------  C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-28 22:38 . 2008-01-28 22:47  <DIR>  d--------  C:\Program Files\Panda Security
2008-01-28 22:12 . 2008-01-28 22:12  <DIR>  d--------  C:\Documents and Settings\Administrator\Application Data\VMware
2008-01-28 22:12 . 2008-01-28 22:12  <DIR>  d--------  C:\Documents and Settings\Administrator\Application Data\SiteAdvisor
2008-01-26 06:41 . 2008-01-26 06:41  <DIR>  d--------  C:\Program Files\DVD Shrink
2008-01-26 06:41 . 2008-01-26 06:41  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-18 16:32 . 2008-01-27 16:10  <DIR>  d--------  C:\Documents and Settings\Maibritt\Application Data\VMware
2008-01-18 16:32 . 2008-01-22 20:12  <DIR>  d--------  C:\Documents and Settings\Maibritt\Application Data\SiteAdvisor
2008-01-17 00:06 . 2008-01-17 00:06  <DIR>  d--------  C:\Program Files\FolderSize
2008-01-14 22:29 . 2008-01-14 22:29  <DIR>  d--------  C:\Program Files\ErgoTools
2008-01-14 15:42 . 2008-01-14 15:42  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\ZoneFiveSoftware
2008-01-14 15:41 . 2008-01-14 15:41  <DIR>  d--------  C:\Program Files\Zone Five Software
2008-01-14 15:28 . 2008-01-14 15:28  <DIR>  d--------  C:\Documents and Settings\Jesper\Application Data\GARMIN
2008-01-14 15:08 . 2008-01-14 15:08  <DIR>  d--------  C:\Program Files\Polar
2008-01-14 14:41 . 2008-01-14 14:44  <DIR>  d--------  C:\Program Files\CyclingPeaks22WKO+
2008-01-14 11:15 . 2008-01-23 18:30  <DIR>  d--------  C:\Documents and Settings\Kirstine\Application Data\VMware
2008-01-14 11:15 . 2008-01-14 11:15  <DIR>  d--------  C:\Documents and Settings\Kirstine\Application Data\SiteAdvisor
2008-01-14 11:14 . 2006-12-04 18:17  <DIR>  d--------  C:\Documents and Settings\Kirstine\Bluetooth Software
2008-01-14 11:14 . 2006-12-04 18:16  <DIR>  d--------  C:\Documents and Settings\Kirstine\Application Data\Intel
2008-01-14 11:14 . 2006-12-04 18:19  <DIR>  d--------  C:\Documents and Settings\Kirstine\Application Data\ATI
2008-01-14 09:42 . 2008-01-14 14:36  <DIR>  d--------  C:\Program Files\CyclingPeaks WKO+
2008-01-14 09:28 . 2008-01-14 09:28  <DIR>  d--------  C:\Program Files\TrainingPeaks, LLC
2008-01-14 09:28 . 2008-01-14 09:28  <DIR>  d--------  C:\Documents and Settings\Jesper\Application Data\TrainingPeaks
2008-01-13 22:22 . 2008-01-13 22:22  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\IntelliCoach.ca
2008-01-13 20:07 . 2008-01-14 09:37  <DIR>  d--------  C:\Program Files\Intellicoach
2008-01-09 19:37 . 2008-01-09 19:37  <DIR>  d--------  C:\Documents and Settings\Jesper\Application Data\TACX
2008-01-09 18:12 . 2004-10-11 12:25  316,192  -ra------  C:\WINDOWS\system32\drivers\windrvr6.sys
2008-01-09 18:09 . 1999-05-05 21:22  10,134  --a------  C:\WINDOWS\FortiusRemove.ico
2008-01-09 18:08 . 2008-01-09 18:08  <DIR>  d--------  C:\WINDOWS\system32\cvirte
2008-01-09 18:08 . 2008-01-23 08:29  <DIR>  d--------  C:\Program Files\TacxFortius
2008-01-09 18:08 . 2003-07-29 09:00  2,056,192  --a------  C:\WINDOWS\system32\cvirte.dll
2008-01-09 18:08 . 2003-07-29 09:00  413,770  --a------  C:\WINDOWS\system32\cviauto.dll
2008-01-09 18:08 . 2005-11-17 14:23  133,120  --a------  C:\WINDOWS\system32\TacxUSB.dll
2008-01-09 18:08 . 2003-07-29 09:00  131,072  --a------  C:\WINDOWS\system32\dataskt.dll
2008-01-09 18:08 . 2003-07-29 09:00  45,056  --a------  C:\WINDOWS\system32\cvirt.dll
2008-01-09 18:08 . 2005-09-14 09:55  19,892  --a------  C:\WINDOWS\system32\FortiusSWPID1942Renum.hex
2007-12-27 23:25 . 2007-12-27 23:25  <DIR>  d--------  C:\Program Files\OpenAL
2007-12-27 23:25 . 2006-12-14 19:47  782,336  -ra------  C:\WINDOWS\system32\tmp3C8.tmp
2007-12-18 08:40 . 2007-12-18 08:40  <DIR>  d--------  C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-12-17 17:52 . 2007-07-30 19:19  271,224  --a------  C:\WINDOWS\system32\mucltui.dll
2007-12-17 17:52 . 2007-07-30 19:19  207,736  --a------  C:\WINDOWS\system32\muweb.dll
2007-12-17 17:52 . 2007-07-30 19:19  30,072  --a------  C:\WINDOWS\system32\mucltui.dll.mui
2007-12-16 22:06 . 2007-12-18 22:56  <DIR>  d--------  C:\Documents and Settings\Jesper\Contacts
2007-12-16 22:05 . 2007-12-16 22:05  <DIR>  d--------  C:\Program Files\Microsoft SQL Server Compact Edition
2007-12-16 21:56 . 2007-12-16 22:05  <DIR>  d--------  C:\Program Files\Windows Live
2007-12-16 21:56 . 2007-12-16 22:02  <DIR>  d--hsc---  C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-16 21:56 . 2007-12-16 21:56  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-13 23:18 . 2007-05-16 16:45  3,497,832  --a------  C:\WINDOWS\system32\d3dx9_34.dll
2007-12-13 23:18 . 2007-05-16 16:45  1,124,720  --a------  C:\WINDOWS\system32\D3DCompiler_34.dll
2007-12-13 23:18 . 2007-05-16 16:45  443,752  --a------  C:\WINDOWS\system32\d3dx10_34.dll
2007-12-13 23:18 . 2007-05-31 19:30  266,088  --a------  C:\WINDOWS\system32\xactengine2_8.dll
2007-12-13 23:18 . 2007-05-31 19:29  18,280  --a------  C:\WINDOWS\system32\x3daudio1_2.dll
2007-12-13 23:17 . 2007-12-13 23:17  319  --a------  C:\WINDOWS\game.ini
2007-12-13 22:58 . 2007-12-13 22:58  <DIR>  d--------  C:\Program Files\Activision
2007-12-07 21:18 . 2007-12-07 21:25  2,240  --a------  C:\WINDOWS\system32\esnecil.nlp
2007-12-07 21:18 . 2007-12-12 20:35  2,240  --a------  C:\WINDOWS\system32\esnecil.ind
2007-12-07 21:16 . 2007-12-07 21:16  <DIR>  d--------  C:\Program Files\FitCentric Products
2007-12-07 21:16 . 1999-06-18 21:49  165,888  --a------  C:\WINDOWS\Ckconfig.exe
2007-12-07 21:16 . 2000-06-29 09:45  52,224  --a------  C:\WINDOWS\system32\Crypserv.exe
2007-12-07 21:16 . 1996-05-03 17:21  27,648  -ra------  C:\WINDOWS\Setup_ck.exe
2007-12-07 21:16 . 2000-02-03 20:53  24,608  --a------  C:\WINDOWS\system32\Ckldrv.sys
2007-12-07 21:16 . 1996-05-03 15:36  18,432  --a------  C:\WINDOWS\Setup_ck.dll
2007-12-07 21:16 . 1995-07-04 18:33  11,776  --a------  C:\WINDOWS\Ckrfresh.exe
2007-12-07 21:16 . 2007-12-07 21:16  86  --a------  C:\WINDOWS\Crypkey.ini

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 08:57  ---------  d-----w  C:\Documents and Settings\LocalService\Application Data\VMware
2008-01-30 08:57  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\VMware
2008-01-30 08:56  ---------  d-----w  C:\Documents and Settings\Jesper\Application Data\VMware
2008-01-30 08:48  5,632  ----a-w  C:\WINDOWS\system32\drivers\avgarkt.sys
2008-01-30 07:21  ---------  d-----w  C:\Program Files\McAfee
2008-01-29 07:56  ---------  d-----w  C:\Documents and Settings\Jesper\Application Data\SiteAdvisor
2008-01-28 21:37  ---------  d-----w  C:\Program Files\DIGStream
2008-01-28 21:31  ---------  d-----w  C:\Program Files\eMule
2008-01-19 12:49  ---------  d-----w  C:\Program Files\Google
2008-01-15 21:23  ---------  d-----w  C:\Program Files\PCMEdit
2008-01-15 21:16  ---------  d--h--w  C:\Program Files\InstallShield Installation Information
2008-01-15 21:16  ---------  d-----w  C:\Program Files\CyberLink
2007-12-21 13:55  ---------  d-----w  C:\Program Files\SiteAdvisor
2007-12-02 07:40  ---------  d-----w  C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-10-23 16:49  586,240  ----a-w  C:\WINDOWS\WLXPGSS.SCR
2007-01-09 09:22  20  ---h--w  C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2005-09-09 18:55  7,155,864  ----a-w  C:\Program Files\NGhost10.msi
2005-09-09 18:55  4,588,454  ----a-w  C:\Program Files\setup.exe
2005-09-09 18:55  37,766,164  ----a-w  C:\Program Files\Data1.cab
2005-09-09 18:55  35  ----a-w  C:\Program Files\SCSSDist.ini
2006-12-21 20:42  88  --sh--r  C:\WINDOWS\system32\70CF886882.sys
2006-12-21 20:43  3,140  --sha-w  C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((  Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2005-09-05 02:06 711678]
"HuaWeiEVDO.exe"="C:\Program Files\Huawei technologies\Mobile Connect\Mobile Connect.exe" [ ]
"gStart"="C:\Garmin\gStart.exe" [2007-08-23 05:58 1891416]
"AGEIA PhysX SysTray"="C:\Program Files\AGEIA Technologies\bin\TrayIcon.exe" [2007-04-20 06:57 345640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 18:41 45056]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 19:48 761947]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-08-03 19:51 1032192]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 22:48 479232]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-30 09:49 58984]
"Norton Ghost 10.0"="C:\Program Files\Norton Ghost\Agent\GhostTray.exe" [2005-09-09 19:09 1537648]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 11:48 157592]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 17:30 152144]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-03-05 20:10 36904]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 20:21 57344]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [ ]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-05-01 21:52 68400]
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-05-01 21:52 56112]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 16:30 282624 C:\WINDOWS\stsystra.exe]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 06:00 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 02:17 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 23:07:32 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
"EnableLUA"= 0 (0x0)

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);C:\WINDOWS\system32\drivers\sfdrv01a.sys [2006-07-05 13:46]
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\cinemsup.sys [2002-07-19 08:10]
R2 vstor2-ws60;Vstor2 WS60 Virtual Storage Driver;C:\Program Files\VMware\VMware Workstation\vstor2-ws60.sys [2007-04-09 12:55]
R3 vmkbd;VMware kbd;C:\WINDOWS\system32\drivers\VMkbd.sys [2007-05-01 21:52]
S2 gupdate1c8515c9647505a;Google Update Service (gupdate1c8515c9647505a);"C:\Program Files\Google\Update\1.0.103.0\GoogleUpdate.exe" [2008-01-12 17:38]
S3 iBurst;iBurst Modem;C:\WINDOWS\system32\DRIVERS\iBurst.sys []
S3 TridDev;Freecom USB Hybrid TV Device;C:\WINDOWS\system32\DRIVERS\Triddev.sys [2005-04-26 22:01]
S3 TridVid;Freecom USB Hybrid TV Receiver;C:\WINDOWS\system32\DRIVERS\TridVid.sys [2006-07-14 10:39]
S3 ufad-ws60;VMware Agent Service;"C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe" -d "C:\Program Files\VMware\VMware Workstation\\" []
S3 ZFTHO;ZFTHO;C:\DOCUME~1\Jesper\LOCALS~1\Temp\ZFTHO.exe []
S4 viaagp;VIA AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\viaagp.sys [2004-08-04 00:07]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1bb11b68-b6ee-11db-a32a-0016cfd93e96}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32989800-b5b9-11db-a325-0016cfd93e96}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32989801-b5b9-11db-a325-0016cfd93e96}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32989803-b5b9-11db-a325-0016cfd93e96}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32989804-b5b9-11db-a325-0016cfd93e96}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32989806-b5b9-11db-a325-0016cfd93e96}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5cf6a45a-b534-11db-a31c-0016cfd93e96}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7508353e-d00c-11db-a349-00188ba87fb9}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{75083540-d00c-11db-a349-00188ba87fb9}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ac4ec8a-b55c-11db-a322-00188ba87fb9}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ac4ec8b-b55c-11db-a322-00188ba87fb9}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5b83c8e-b670-11db-a327-0016cfd93e96}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5b83c8f-b670-11db-a327-0016cfd93e96}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5b83c90-b670-11db-a327-0016cfd93e96}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5b83c92-b670-11db-a327-0016cfd93e96}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a63b5e26-b6f1-11db-a32c-0016cfd93e96}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6d239c8-bd84-11db-a336-00188ba87fb9}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6dc5b0c-b524-11db-a31b-0016cfd93e96}]
\Shell\AutoRun\command - F:\AutoRun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-28 17:00:08 C:\WINDOWS\Tasks\Billeder incremental.job"
- C:\WINDOWS\system32\ntbackup.exeLbackup
"2008-01-28 17:00:10 C:\WINDOWS\Tasks\Dokumenter baerbar.job"
- C:\WINDOWS\system32\ntbackup.exe?backup
"2008-01-30 08:56:30 C:\WINDOWS\Tasks\GoogleUpdateTask.job"
- C:\Program Files\Google\Update\1.0.103.0\GoogleUpdate.exe
"2008-01-20 18:26:01 C:\WINDOWS\Tasks\Incremental baerbar.job"
- C:\WINDOWS\system32\ntbackup.exeIbackup
"2007-03-17 14:52:51 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2007-03-17 14:52:50 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 09:57:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Google\Update\1.0.103.0\GoogleUpdate.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\WINDOWS\stsystra.exe
C:\Garmin\gStart.exe
C:\Program Files\AGEIA Technologies\bin\TrayIcon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\eHome\ehmsas.exe
c:\program files\mcafee\msc\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-01-30 10:03:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-30 09:03:38
.
2008-01-24 08:40:47 --- E O F ---
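A log like the one above is normally read by hand, but its layout is regular enough that the first pass can be scripted. The Python script below is an added example for this thread (it is not ComboFix's own code and nothing the helpers posted): it splits a ComboFix log on its "((( name )))" section banners and pulls out the items a helper looks at first. Those are the deletions that sit in the driver directory but are executables, Run entries ComboFix printed with an empty "[ ]" (no file information captured), services whose binary lives in a Temp folder, drive-letter AutoRun commands under mountpoints2, and the two warnings about the Recovery Console and Safe Mode. The embedded log is a constructed, shortened copy of the log above; the heuristics are the example's own and do not replace reading the full log.

```python
"""Triage a ComboFix log: split it into sections and flag common indicators.

Added example for this thread; not ComboFix's code. SAMPLE_LOG is a
constructed, shortened excerpt modelled on the log posted above.
"""
import re

SAMPLE_LOG = r"""
ComboFix 08-01-30.6 - Jesper 2008-01-30 9:42:44.1 - NTFSx86
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

(((((((((((((((((((((((((((((((((((((((  Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\drivers\down\1117593.exe.ren

(((((((((((((((((((((((((((((((((((((((  Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_SROSA
-------\srosa

(((((((((((((((((((((((((((((((((((((  Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"HuaWeiEVDO.exe"="C:\Program Files\Huawei technologies\Mobile Connect\Mobile Connect.exe" [ ]

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);C:\WINDOWS\system32\drivers\sfdrv01a.sys [2006-07-05 13:46]
S3 ZFTHO;ZFTHO;C:\DOCUME~1\Jesper\LOCALS~1\Temp\ZFTHO.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1bb11b68-b6ee-11db-a32a-0016cfd93e96}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32989800-b5b9-11db-a325-0016cfd93e96}]
\Shell\AutoRun\command - F:\AutoRun.exe
"""

SECTION_RE = re.compile(r"^\(+\s*([^()]+?)\s*\)+\s*$")       # ((( name )))
PATH_RE = re.compile(r"^[A-Za-z]:\\")                        # a deleted file path
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]')  # "name"="path" [meta]
SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*;(?P<path>.*?)\s*\[[^\]]*\]\s*$")
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$")


def split_sections(text):
    """Return {section name: [lines]}; text before the first banner is 'preamble'."""
    sections, current = {"preamble": []}, "preamble"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        else:
            sections[current].append(line.rstrip())
    return sections


def triage(text):
    """Collect the indicators a helper checks first; returns a plain dict."""
    sec = split_sections(text)
    lines = text.splitlines()
    deleted = [l for l in sec.get("Other Deletions", []) if PATH_RE.match(l)]
    reg = sec.get("Reg Loading Points", [])
    run_entries = [RUN_RE.match(l) for l in reg]
    services = [SERVICE_RE.match(l) for l in reg]
    return {
        "deleted": len(deleted),
        # executables (.exe, also .exe.ren) under the drivers directory
        "exe_in_driver_dir": [p for p in deleted
                              if re.search(r"\\drivers\\.*\.exe", p, re.I)],
        # services/drivers ComboFix removed, listed as -------\name
        "removed_services": [l.split("\\", 1)[1] for l in sec.get("Drivers/Services", [])
                             if l.startswith("-------\\")],
        # Run entries printed with an empty [ ]: no file info was captured
        "run_without_file_info": [m.group(1) for m in run_entries
                                  if m and not m.group(3).strip()],
        # services whose binary sits in a Temp folder
        "services_in_temp": [m.group("name") for m in services
                             if m and re.search(r"\\temp\\", m.group("path"), re.I)],
        # per-drive AutoRun commands under mountpoints2
        "autorun_commands": [m.group(1) for m in map(AUTORUN_RE.match, lines) if m],
        "recovery_console_missing": any("RECOVERY CONSOLE" in l for l in sec["preamble"]),
        "safe_mode_broken": any("cannot enter Safe Mode" in l for l in lines),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it on a real log with `triage(open("C:/ComboFix.txt", encoding="cp1252").read())`. The section split is the reusable part; the checks are starting points, and a clean result from them says nothing about entries that only a person comparing paths against known-good software can judge.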

Administrator
Posts: 29613

Just let combofix run to completion; don't worry about the ones that start in the system tray

Here -> http://danborg.org/spy/hjt/alternativ.exe