
Help - Clicked on an image in MSN = Virus?



IngelaPingela

My daughter clicked on an image she had received via MSN. Since then the computer keeps rebooting. It does work to log in in safe mode (with networking), and there I found a lot of strange things with Ewido; a number of files had also appeared on the desktop, including a JPG file. Unfortunately I deleted them without writing down what they were called.

 

I have seen in other threads here that people attach a HijackThis log. I would be eternally grateful if someone took the time to look at it.

 

Thanks in advance!

 

[log]Logfile of HijackThis v1.99.1

Scan saved at 19:34:15, on 2006-10-09

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\Windows\System32\smss.exe

C:\Windows\system32\winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Program\Webroot\Spy Sweeper\SpySweeper.exe

C:\Windows\Explorer.EXE

C:\Program\Webroot\Spy Sweeper\SafeSweeper.exe

C:\PROGRAM\MOZILL~1\FIREFOX.EXE

C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://playahead.se

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/041D/bl8.asp

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://playahead.se

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

R3 - URLSearchHook: i-Nav IDN SearchHook - {CE000994-A58C-4441-8938-744CD72AB27F} - C:\Program\VeriSign\i-Nav\i-nav_4_2_1.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar2.dll

O2 - BHO: i-Nav IDN Resolver - {CE000992-A58C-4441-8938-744CD72AB27F} - C:\Program\VeriSign\i-Nav\i-nav_4_2_1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar2.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Windows\System32\msdxm.ocx

O4 - HKLM\..\Run: [Smapp] C:\Program\Analog Devices\SoundMAX\Smtray.exe

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program\COMPAQ\Easy Access Button Support\StartEAK.exe

O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe

O4 - HKLM\..\Run: [ChkAdmin] C:\Program\Compaq\COMPAQ~1\CHKADMIN.EXE

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [SpySweeper] "C:\Program\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\Windows\System32\ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: NetBackup Professional Client.lnk = ?

O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?

O9 - Extra button: i-Nav – hjälp - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)

O9 - Extra 'Tools' menuitem: i-Nav – hjälp - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)

O9 - Extra button: (no name) - {CE000996-A58C-4441-8938-744CD72AB27F} - C:\Program\VeriSign\i-Nav\i-nav_4_2_1.dll

O9 - Extra 'Tools' menuitem: i-Nav - alternativ - {CE000996-A58C-4441-8938-744CD72AB27F} - C:\Program\VeriSign\i-Nav\i-nav_4_2_1.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE

O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://webmail.pulsen.se/iNotes6W.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by2fd.bay2.hotmail.msn.com/resources/MsnPUpld.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ftpdom.intra

O17 - HKLM\Software\..\Telephony: DomainName = ftpdom.intra

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ftpdom.intra

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WRNotifier - C:\Windows\SYSTEM32\WRLogonNTF.dll

O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\COMPAQ\ACLIENT\ACLIENT.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program\Network Associates\VirusScan\Avsynmgr.exe

O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program\Compaq\Compaq Management Agents\cpqalert.exe

O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe

O23 - Service: cpqdmi - Compaq Computer Corporation - C:\Program\Compaq\COMPAQ~1\cpqdmi.exe

O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\Program\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe

O23 - Service: VeriSign Updater (navi) - VeriSign, Inc. - C:\Program\VeriSign\NAVI\naviagent.exe

O23 - Service: VERITAS NetBackup Professional Client Service (NBPClientSvc) - VERITAS Software Corporation - C:\Program\VERITAS NetBackup Professional\System\NBPClientSvcush.exe

O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe

O23 - Service: VERITAS NetBackup Professional Persistent Change Journal Service (VChangeLogSvc) - VERITAS Software Corporation - C:\Program\Delade filer\VERITAS Shared\ChangeLog\VChangeLogSvcu.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program\Webroot\Spy Sweeper\SpySweeper.exe

O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

[/log]

 

 


IngelaPingela

Here is the log from ComboFix :)

 

[log]Administratör - 06-10-09 23:00:55,09 Service Pack 1

ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Administratör\Skrivbord"

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\dfndrff_e24.exe

C:\nwnmff_e24.exe

C:\Program\Delade filer\{38C46BB3-0702-1053-0528-02032620002e}

C:\Program\Delade filer\{F8C46BB3-0702-1053-0528-02032620002e}

 

 

((((((((((((((((((((((((((((((( Files Created from 2006-09-09 to 2006-10-09 ))))))))))))))))))))))))))))))))))

 

 

2006-10-09 18:56 15,360 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys

2006-10-09 18:56 14,848 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys

2006-10-09 18:56 13,824 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys

2006-10-09 18:56 117,248 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys

2006-10-06 19:52 87,424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys

2006-10-06 19:52 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys

2006-10-06 19:52 36,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys

2006-10-06 19:52 24,560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys

2006-10-06 19:52 16,352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys

2006-10-06 19:51 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr

2006-10-06 19:51 666,240 --a------ C:\WINDOWS\system32\aswBoot.exe

2006-10-06 19:51 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll

2006-10-06 19:51 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll

2006-10-06 19:51 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll

2006-10-06 18:47 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2006-10-06 17:44 76,288 --a------ C:\ccreenfd.exe

2006-10-06 17:44 1,233 --a------ C:\WINDOWS\system32\kng6a06f.sys

2006-10-02 18:45 21,760 --a------ C:\WINDOWS\system32\drivers\USBSTOR.SYS

2006-10-01 15:56 66,048 --a------ C:\WINDOWS\system32\drivers\EAPPkt.sys

2006-10-01 15:56 196,608 --a------ C:\WINDOWS\system32\WG1v2Lib.dll

2006-10-01 15:56 167,808 --a------ C:\WINDOWS\system32\drivers\wg111v2.sys

2006-10-01 15:56 155,648 --a------ C:\WINDOWS\system32\IpLib.dll

2006-10-01 15:56 13,532 --a------ C:\WINDOWS\system32\drivers\SjyPkt.sys

2006-10-01 15:56 114,688 -ra------ C:\WINDOWS\system32\EnumDev111.dll

2006-09-30 22:40 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe

2006-09-29 15:19 7,680 --------- C:\WINDOWS\system32\bitsprx2.dll

2006-09-29 15:19 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll

2006-09-29 15:19 331,776 --a------ C:\WINDOWS\system32\winhttp.dll

2006-09-29 15:19 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll

2006-09-29 15:15 465,176 --a------ C:\WINDOWS\system32\wuapi.dll

2006-09-29 15:15 41,240 --a------ C:\WINDOWS\system32\wups.dll

2006-09-29 15:15 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll

2006-09-29 15:15 173,536 --a------ C:\WINDOWS\system32\wuweb.dll

2006-09-29 15:15 173,336 --a------ C:\WINDOWS\system32\wuauclt1.exe

2006-09-29 15:15 127,768 --a------ C:\WINDOWS\system32\wucltui.dll

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

Rootkit driver pe386 is present. A rootkit scan is required

 

2006-10-09 23:01 -------- d-------- C:\Program\Delade filer

2006-10-09 22:56 -------- d-------- C:\Program\Mozilla Firefox

2006-10-09 19:50 -------- d-------- C:\Program\Hijackthis

2006-10-09 18:56 -------- d-------- C:\Program\Webroot

2006-10-06 19:51 -------- d-------- C:\Program\Alwil Software

2006-10-06 19:39 -------- d-------- C:\Documents and Settings\Administratör\Application Data\Mozilla

2006-10-06 19:29 -------- d-------- C:\Program\MSN Messenger

2006-10-06 18:47 -------- d-------- C:\Program\Grisoft

2006-10-06 18:33 -------- d-------- C:\Documents and Settings\Administratör\Application Data\U3

2006-10-06 18:19 -------- d-------- C:\Documents and Settings\Administratör\Application Data\Webroot

2006-10-06 09:23 -------- d---s---- C:\Documents and Settings\Administratör\Application Data\Microsoft

2006-10-05 14:34 -------- d-------- C:\Program\Windows Media Player

2006-10-04 15:41 -------- d-------- C:\Documents and Settings\Administratör\Application Data\Adobe

2006-10-01 15:56 -------- d--h----- C:\Program\InstallShield Installation Information

2006-10-01 15:56 -------- d-------- C:\Program\NETGEAR

2006-10-01 15:55 -------- d-------- C:\Program\Delade filer\InstallShield

2006-09-29 15:15 -------- d--h----- C:\Program\WindowsUpdate

2006-09-28 19:29 -------- d-------- C:\Program\Delade filer\Microsoft Shared

2006-09-28 19:22 -------- d--h----- C:\Program\Uninstall Information

2006-09-28 19:22 -------- d-------- C:\Program\Outlook Express

2006-09-28 19:22 -------- d-------- C:\Program\Internet Explorer

2006-09-12 09:12 -------- d-------- C:\Documents and Settings\Administratör\Application Data\Macromedia

2006-07-29 19:32 48936 --a------ C:\WINDOWS\system32\sirenacm.dll

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries are not shown

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\\Windows\\System32\\ctfmon.exe"

"msnmsgr"="\"C:\\Program\\MSN Messenger\\msgr.exe\" /background"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Smapp"="C:\\Program\\Analog Devices\\SoundMAX\\Smtray.exe"

"CPQEASYACC"="C:\\Program\\COMPAQ\\Easy Access Button Support\\StartEAK.exe"

"PROMon.exe"="PROMon.exe"

"ChkAdmin"="C:\\Program\\Compaq\\COMPAQ~1\\CHKADMIN.EXE"

"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74, 65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

"!AVG Anti-Spyware"="\"C:\\Program\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

"avast!"="C:\\Program\\ALWILS~1\\Avast4\\ashDisp.exe"

"SpySweeper"="\"C:\\Program\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

"NoChange"="1"

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]

"CPQDFWAG"="C:\\Windows\\Cpqdiag\\CpqDfwAg.exe"

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]

"DeskHtmlVersion"=dword:00000110

"DeskHtmlMinorVersion"=dword:00000005

"Settings"=dword:00000001

"GeneralFlags"=dword:00000001

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="Min aktuella startsida"

"Flags"=dword:00000002

"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00, 00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00

"CurrentState"=hex:04,00,00,40

"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff, ff,ff,04,00,00,00

"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00, 00,00,01,00,00,00

 

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\\Windows\\System32\\CTFMON.EXE"

 

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\\Windows\\System32\\CTFMON.EXE"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]

"dontdisplaylastusername"=dword:00000000

"legalnoticecaption"=""

"legalnoticetext"=""

"shutdownwithoutlogon"=dword:00000001

"undockwithoutlogon"=dword:00000001

 

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

 

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders

securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

 

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

 

Completion time: 2006-10-09 23:01:25.84

ComboFix.txt

[/log]

 

 

[post edited 2006-10-10 20:55:05 by Anders N]


 

Download gmer to the desktop and unzip it there

http://www.gmer.net/

then copy the line below, paste it into the Run field and click OK

gmer -del service pe386

delete this file = C:\ccreenfd.exe

scan these files one at a time here, copy the result and post it here

C:\WINDOWS\system32\kng6a06f.sys

C:\WINDOWS\system32\EnumDev111.dll

http://www.virustotal.com/en/indexf.html

 


IngelaPingela

I have deleted "ccreenfd.exe". Then I scanned the whole computer with GMER!?

Did you mean that I should scan only

C:\WINDOWS\system32\kng6a06f.sys

C:\WINDOWS\system32\EnumDev111.dll

separately with GMER? Not sure how to scan specific files.

Or should I scan them at

http://www.virustotal.com/en/indexf.html

Phew... Here is the log from GMER

Thanks, and thanks again!

-------------------------------------------------------------------

 

[log]GMER 1.0.11.11390 - http://www.gmer.net

Rootkit 2006-10-10 18:37:10

Windows 5.1.2600 Service Pack 1

 

 

---- System - GMER 1.0.11 ----

 

SYSENTER ? F910D099

 

---- Services - GMER 1.0.11 ----

 

Service C:\Windows\System32:lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!

 

---- Registry - GMER 1.0.11 ----

 

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Type 1

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Start 1

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ErrorControl 0

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ImagePath \??\C:\Windows\System32:lzx32.sys

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@DisplayName Win23 lzx files loader

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Group Base

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ExtParam 0x70 0xFF 0x12 0x86 ...

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Checked 1

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Type 1

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Start 1

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ErrorControl 0

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ImagePath \??\C:\Windows\System32:lzx32.sys

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@DisplayName Win23 lzx files loader

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Group Base

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ExtParam 0x70 0xFF 0x12 0x86 ...

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Checked 1

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386\Security

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Type 1

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Start 1

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ErrorControl 0

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ImagePath \??\C:\Windows\System32:lzx32.sys

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@DisplayName Win23 lzx files loader

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Group Base

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ExtParam 0x70 0xFF 0x12 0x86 ...

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Checked 1

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386\Enum

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Type 1

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Start 1

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ErrorControl 0

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ImagePath \??\C:\Windows\System32:lzx32.sys

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@DisplayName Win23 lzx files loader

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Group Base

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ExtParam 0x70 0xFF 0x12 0x86 ...

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Checked 1

Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386

Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Type 1

Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Start 1

Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ErrorControl 0

Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ImagePath \??\C:\Windows\System32:lzx32.sys

Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@DisplayName Win23 lzx files loader

Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Group Base

Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ExtParam 0x70 0xFF 0x12 0x86 ...

Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Type 1

Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Start 1

Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ErrorControl 0

Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ImagePath \??\C:\Windows\System32:lzx32.sys

Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@DisplayName Win23 lzx files loader

Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Group Base

Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ExtParam 0x70 0xFF 0x12 0x86 ...

Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386\Security

Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Type 1

Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Start 1

Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ErrorControl 0

Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ImagePath \??\C:\Windows\System32:lzx32.sys

Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@DisplayName Win23 lzx files loader

Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Group Base

Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ExtParam 0x70 0xFF 0x12 0x86 ...

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \??\C:\Windows\System32:lzx32.sys

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 lzx files loader

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0x70 0xFF 0x12 0x86 ...

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Checked 1

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \??\C:\Windows\System32:lzx32.sys

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 lzx files loader

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0x70 0xFF 0x12 0x86 ...

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Checked 1

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386\Security

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \??\C:\Windows\System32:lzx32.sys

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 lzx files loader

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0x70 0xFF 0x12 0x86 ...

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Checked 1

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386\Enum

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \??\C:\Windows\System32:lzx32.sys

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 lzx files loader

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0x70 0xFF 0x12 0x86 ...

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Checked 1

 

---- Files - GMER 1.0.11 ----

 

ADS C:\Documents and Settings\Administratör\Lokala inställningar\Application Data\Microsoft\Messenger\millan_cutie@hotmail.com\SharingMetadata\zandra920313@hotmail.com\DFSR\Staging\CS{ACD4B6BA-FDF9-7E57-8C4D-85950702B8B2}\01\10-{ACD4B6BA-FDF9-7E57-8C4D-85950702B8B2}-v1-{75D7E5EC-51BE-4603-BD0A-C881843D0C89}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

ADS C:\Documents and Settings\Administratör\Lokala inställningar\Application Data\Microsoft\Messenger\millan_cutie@hotmail.com\SharingMetadata\zandra920313@hotmail.com\DFSR\Staging\CS{ACD4B6BA-FDF9-7E57-8C4D-85950702B8B2}\63\63-{2F32ED92-8E5B-4981-838A-136CAEAA2EF1}-v63-{2F32ED92-8E5B-4981-838A-136CAEAA2EF1}-v63-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

ADS C:\Documents and Settings\Administratör\Lokala inställningar\Application Data\Microsoft\Messenger\millan_cutie@hotmail.com\SharingMetadata\zandra920313@hotmail.com\DFSR\Staging\CS{ACD4B6BA-FDF9-7E57-8C4D-85950702B8B2}\63\63-{2F32ED92-8E5B-4981-838A-136CAEAA2EF1}-v63-{2F32ED92-8E5B-4981-838A-136CAEAA2EF1}-v63-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

ADS C:\Documents and Settings\Administratör\Lokala inställningar\Application Data\Microsoft\Messenger\millan_cutie@hotmail.com\SharingMetadata\zandra920313@hotmail.com\DFSR\Staging\CS{ACD4B6BA-FDF9-7E57-8C4D-85950702B8B2}\64\64-{2F32ED92-8E5B-4981-838A-136CAEAA2EF1}-v64-{2F32ED92-8E5B-4981-838A-136CAEAA2EF1}-v64-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

ADS C:\Documents and Settings\Administratör\Lokala inställningar\Application Data\Microsoft\Messenger\millan_cutie@hotmail.com\SharingMetadata\zandra920313@hotmail.com\DFSR\Staging\CS{ACD4B6BA-FDF9-7E57-8C4D-85950702B8B2}\65\65-{2F32ED92-8E5B-4981-838A-136CAEAA2EF1}-v65-{2F32ED92-8E5B-4981-838A-136CAEAA2EF1}-v65-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

ADS C:\Documents and Settings\Administratör\Lokala inställningar\Application Data\Microsoft\Messenger\millan_cutie@hotmail.com\SharingMetadata\zandra920313@hotmail.com\DFSR\Staging\CS{ACD4B6BA-FDF9-7E57-8C4D-85950702B8B2}\66\66-{2F32ED92-8E5B-4981-838A-136CAEAA2EF1}-v66-{2F32ED92-8E5B-4981-838A-136CAEAA2EF1}-v66-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

ADS C:\Documents and Settings\Administratör\Lokala inställningar\Application Data\Microsoft\Messenger\millan_cutie@hotmail.com\SharingMetadata\zandra920313@hotmail.com\DFSR\Staging\CS{ACD4B6BA-FDF9-7E57-8C4D-85950702B8B2}\67\67-{2F32ED92-8E5B-4981-838A-136CAEAA2EF1}-v67-{2F32ED92-8E5B-4981-838A-136CAEAA2EF1}-v67-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

ADS C:\Documents and Settings\Administratör\Lokala inställningar\Application Data\Microsoft\Messenger\millan_cutie@hotmail.com\SharingMetadata\zandra920313@hotmail.com\DFSR\Staging\CS{ACD4B6BA-FDF9-7E57-8C4D-85950702B8B2}\68\68-{2F32ED92-8E5B-4981-838A-136CAEAA2EF1}-v68-{2F32ED92-8E5B-4981-838A-136CAEAA2EF1}-v68-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

ADS C:\Documents and Settings\Administratör\Lokala inställningar\Application Data\Microsoft\Messenger\millan_cutie@hotmail.com\SharingMetadata\zandra920313@hotmail.com\DFSR\Staging\CS{ACD4B6BA-FDF9-7E57-8C4D-85950702B8B2}\69\69-{2F32ED92-8E5B-4981-838A-136CAEAA2EF1}-v69-{2F32ED92-8E5B-4981-838A-136CAEAA2EF1}-v69-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

ADS C:\Documents and Settings\Administratör\Lokala inställningar\Application Data\Microsoft\Messenger\millan_cutie@hotmail.com\SharingMetadata\zandra920313@hotmail.com\DFSR\Staging\CS{ACD4B6BA-FDF9-7E57-8C4D-85950702B8B2}\70\70-{2F32ED92-8E5B-4981-838A-136CAEAA2EF1}-v70-{2F32ED92-8E5B-4981-838A-136CAEAA2EF1}-v70-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

ADS ...

ADS C:\WINDOWS\system32:lzx32.sys <-- ROOTKIT !!!

 

---- EOF - GMER 1.0.11 ----

 

[/log]

 

Added LOG tags

Cecilia - Moderator for Virus - Antivirus

 

[post edited 2007-05-28 15:27:05 by Cecilia]


 

> Or should I scan them at
> http://www.virustotal.com/en/indexf.html

Yes, you should scan those 2 files at the link.

 

[log]Download Avenger to the desktop and unzip it there

http://swandog46.geekstogo.com/avenger.zip

Then copy all the text below


Drivers to unload:

pe386


Files to delete:

C:\WINDOWS\system32\lzx32.sys



Then open Avenger

Tick "Input Script Manually".

Click the magnifying glass and, in the "View/edit script" window, paste the text you copied.

Click Done.

Then click the green light and answer Yes to the questions.

The computer restarts, you see a DOS window, and then the log should open.

Post that log here.

Open HijackThis

Open the Misc Tools section

Open ADS Spy..

then scan, save the log and post it here.[/log]

 


IngelaPingela

Now the computer starts as it should in normal Windows mode; it seems Avenger did the trick. Here is the log:

Logfile of The Avenger version 1, by Swandog46

Running from registry key:

\Registry\Machine\System\CurrentControlSet\Services\bwrgxeek

 

*******************

 

Script file located at: \??\C:\dmborrsk.txt

Script file opened successfully.

 

Script file read successfully

 

Backups directory opened successfully at C:\Avenger

 

*******************

 

Beginning to process script file:

 

Driver pe386 unloaded successfully.

 

 

File C:\WINDOWS\system32\lzx32.sys not found!

Deletion of file C:\WINDOWS\system32\lzx32.sys failed!

 

Could not process line:

C:\WINDOWS\system32\lzx32.sys

Status: 0xc0000034

 

 

Completed script processing.

 

*******************

 

Finished! Terminate.
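The Avenger result above (driver unloaded, file not found, Status: 0xc0000034) follows from the two path forms in play: GMER listed the driver as `C:\WINDOWS\system32:lzx32.sys`, an NTFS alternate data stream hosted on the System32 directory itself, while the script asked Avenger to delete the plain file `C:\WINDOWS\system32\lzx32.sys`. The Python below is an added example, not code from the thread or from the GMER/Avenger tools; it parses both posted artifacts (embedded here as constructed samples) and flags exactly that mismatch.

```python
"""Cross-check an Avenger script against GMER findings (added example, not code
from the thread or from the GMER/Avenger authors): GMER reported the driver as
an NTFS alternate data stream on the System32 directory, not as a file in it."""
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample: the decisive lines of the GMER log posted in the thread.
GMER_LOG = r"""
---- Services - GMER 1.0.11 ----
Service C:\Windows\System32:lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!
---- Registry - GMER 1.0.11 ----
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \??\C:\Windows\System32:lzx32.sys
---- Files - GMER 1.0.11 ----
ADS C:\WINDOWS\system32:lzx32.sys <-- ROOTKIT !!!
"""
# Constructed sample: the Avenger script posted in the thread.
AVENGER_SCRIPT = r"""
Drivers to unload:
pe386

Files to delete:
C:\WINDOWS\system32\lzx32.sys
"""

ADS_RE = re.compile(r"^(?P<host>[A-Za-z]:\\[^:]*):(?P<stream>[^:\\]+)$")
SERVICE_RE = re.compile(r"^Service (.+?) \(\*\*\* hidden \*\*\* \) \[\w+\] (\S+)")
IMAGEPATH_RE = re.compile(r"^Reg \\Registry\\MACHINE\\SYSTEM\\\w+\\Services\\(\w+)@ImagePath (.+)$")

def split_ads(path: str) -> Optional[Tuple[str, str]]:
    """(host, stream) if path uses NTFS ADS syntax host:stream, else None."""
    m = ADS_RE.match(path)
    return (m.group("host"), m.group("stream")) if m else None

def parse_gmer(log: str) -> Dict[str, Any]:
    """Collect hidden services, service ImagePaths and ADS findings from a GMER log."""
    hidden: List[Tuple[str, str]] = []   # (service name, image path)
    image_paths: Dict[str, str] = {}     # service name -> ImagePath
    ads: List[str] = []
    for line in log.splitlines():
        if line.startswith("Service "):
            m = SERVICE_RE.match(line)
            if m:
                hidden.append((m.group(2), m.group(1)))
        elif line.startswith("Reg "):
            m = IMAGEPATH_RE.match(line)
            if m:
                path = m.group(2)
                if path.startswith("\\??\\"):   # strip the NT object-manager prefix
                    path = path[4:]
                image_paths[m.group(1)] = path
        elif line.startswith("ADS "):
            path = line[4:].split(" <--")[0].strip()
            if path != "...":                   # GMER elides long runs as "ADS ..."
                ads.append(path)
    return {"hidden_services": hidden, "image_paths": image_paths, "ads": ads}

def parse_avenger_script(script: str) -> Dict[str, List[str]]:
    """Split an Avenger script into its 'Section name:' blocks (lower-cased keys)."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in script.splitlines():
        line = raw.strip()
        if line.endswith(":"):
            current = line[:-1].lower()
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections

def check_script(gmer_log: str, script: str) -> List[str]:
    """Return a warning for every script entry that cannot hit what GMER reported."""
    f = parse_gmer(gmer_log)
    s = parse_avenger_script(script)
    hidden_names = {name.lower() for name, _ in f["hidden_services"]}
    reported = {p.lower() for p in f["ads"] + [p for _, p in f["hidden_services"]]
                + list(f["image_paths"].values())}
    warnings: List[str] = []
    for drv in s.get("drivers to unload", []):
        if drv.lower() not in hidden_names:
            warnings.append(f"driver {drv}: not reported as a hidden service by GMER")
    for target in s.get("files to delete", []):
        if target.lower() in reported:
            continue                            # spelled exactly as GMER saw it
        host, _, name = target.rpartition("\\")
        ads_form = f"{host}:{name}"             # same name, but as a stream on host
        if ads_form.lower() in reported:
            warnings.append(
                f"{target}: GMER reports '{name}' as a stream on directory '{host}', not "
                f"a file in it; a plain path fails with STATUS_OBJECT_NAME_NOT_FOUND "
                f"(0xC0000034, the status Avenger printed); the ADS form is {ads_form}")
        else:
            warnings.append(f"{target}: not among GMER's findings")
    return warnings
```

Running `check_script(GMER_LOG, AVENGER_SCRIPT)` yields one warning for the lzx32.sys line; with the target written in ADS form it yields none.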

 


IngelaPingela

I have now run HijackThis according to your instructions. The log shows nothing, though. It scans C:\Windows and then says it is done. Is that as it should be?

 
