Koneella Win32:Rootkit-gen[Rtk] +HJT-logi

Yksityisviestit

Luo uusi yksityisviesti

Kaikki uudet viestit

Ilman vastauksia olevat viestiketjut

Hae viestejä

perjantai 31.1.2025 / 07:04

Hae keskustelualueilta:

afterdawn.com > keskustelu > yleistä keskustelua tietokoneista > virukset ja haittaohjelmat - hijackthis -logit > koneella win32:rootkit-gen[rtk] +hjt-logi

Aiheet

Keskustelualueet

Vastaa

Aloita uusi viestiketju

Koneella Win32:Rootkit-gen[Rtk] +HJT-logi

Siirry:

Kirjoittaja

Viesti

Dermian

Junior Member

20. joulukuuta 2009 @ 21:41

Linkki tähän viestiin

Tuollaisia viruksia Avast löysi tänään useampiakin (Mm. Photshopin, Javan, Mozillan, Adobe Readrin ja lukuisien muiden ohjelmien .exe:istä). Avast ehdotti tekemään boot skannauksen ja senhän minä tein, lukuisia Win32:Rootkit-gen[Rtk]viruksia pistin sitten karanteeniin. Joka tapauksessa, tämän skannauksen jälkeen pistin Malwarebytes Anti-Malwaren läpi ja tälläinen löytyi.

Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.2180

20.12.2009 21:36:05
mbam-log-2009-12-20 (21-36-01).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 209125
Time elapsed: 4 hour(s), 16 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Sitten vielä HJT-logi.
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 21:37:34, on 20.12.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
F:\Avast\aswUpdSv.exe
F:\Avast\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Option\GlobeTrotter Connect\GtDetectSc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
F:\Avast\ashMaiSv.exe
F:\Avast\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
F:\Avast\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
F:\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
G:\Steam\steam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\uTorrent\uTorrent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dnainternet.fi/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = dna Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://paivitys.dnainternet.fi/yhteys/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - F:\SnagIt 9\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - F:\SnagIt 9\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [avast!] F:\Avast\ashDisp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [EA Core] "F:\EADM\Core.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = F:\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: V&ie Microsoft Exceliin - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsof...b?1218711156946
O20 - AppInit_DLLs:
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Application Driver Auto Removal Service (01) (appdrvrem01) - Protection Technology - C:\WINDOWS\System32\appdrvrem01.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\Avast\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - F:\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - F:\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - F:\Avast\ashWebSv.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Loogisen levyn hallinnan valvontapalvelu (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Tapahtumaloki (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GtDetectSc - OptionNV - C:\Program Files\Option\GlobeTrotter Connect\GtDetectSc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: CD-levyjen kirjoittamisen IMAPI COM -palvelu (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NetMeeting etätyöpöydän jakaminen (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Etätyöpöydän ohjeen istunnonhallinta (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe (file missing)
O23 - Service: Älykortti (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Resurssilokit ja -hälytykset (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Aseman tilannevedos (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: WMI resurssisovitin (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Windows Media Playerin verkkojakamispalvelu (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe

--
End of file - 9523 bytes

[ + lainaa]

Viestiä on muokattu lähettämisen jälkeen. Viimeisin muokkaus 20. joulukuuta 2009 @ 21:45

Dermian

Junior Member

21. joulukuuta 2009 @ 17:01

Linkki tähän viestiin

Tässä uusi HJT logi viruksen saastuttamien ohjelmien poiston ja uuden boot skannauksen jälkeen Avastilla.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 16:59:39, on 21.12.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
F:\Avast\aswUpdSv.exe
F:\Avast\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
F:\Avast\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Option\GlobeTrotter Connect\GtDetectSc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
F:\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
F:\Avast\ashMaiSv.exe
F:\Avast\ashWebSv.exe
F:\WinRAR\WinRAR.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dnainternet.fi/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = dna Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://paivitys.dnainternet.fi/yhteys/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - F:\SnagIt 9\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - F:\SnagIt 9\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [avast!] F:\Avast\ashDisp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EA Core] "F:\EADM\Core.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = F:\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: V&ie Microsoft Exceliin - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsof...b?1218711156946
O20 - AppInit_DLLs:
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Application Driver Auto Removal Service (01) (appdrvrem01) - Protection Technology - C:\WINDOWS\System32\appdrvrem01.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\Avast\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - F:\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - F:\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - F:\Avast\ashWebSv.exe
O23 - Service: Loogisen levyn hallinnan valvontapalvelu (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Tapahtumaloki (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GtDetectSc - OptionNV - C:\Program Files\Option\GlobeTrotter Connect\GtDetectSc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: CD-levyjen kirjoittamisen IMAPI COM -palvelu (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NetMeeting etätyöpöydän jakaminen (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Etätyöpöydän ohjeen istunnonhallinta (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe (file missing)
O23 - Service: Älykortti (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Resurssilokit ja -hälytykset (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Aseman tilannevedos (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: WMI resurssisovitin (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Windows Media Playerin verkkojakamispalvelu (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe

--
End of file - 8216 bytes

[ + lainaa]

kalminen

AfterDawn Addict

21. joulukuuta 2009 @ 17:59

Linkki tähän viestiin

Tarkistetaan koneesi rootkittien varalta RootRepealilla

* Lataa RootRepeal yhdestä seuraavista linkeistä ja tallenna työpöydällesi.
* Suora lataus (Suositeltava)
* Ensisijainen linkki
* Toissijainen linkki

* Zip -pakattu (Suositeltavaa jos hidas internet yhteys tai jos suora lataus ei toimi)

* Ensisijainen linkki
* Toissijainen linkki

* Rar -pakattu (Suositeltavaa jos hidas internet yhteys / muut eivät toimi ja pystyt purkamaan Rar tiedostoja)

* Ensisijainen linkki
* Toissijainen linkki

* Pura RootRepeal.exe pakatusta tiedostosta, jos et käyttänyt suoraa latausta.
* Avaa

työpöydältäsi.
* Klikkaa

välilehteä.
* Klikkaa

nappia.
* Merkkaa kaikki seitsemän laatikkoa:

* Paina ok.
* Merkkaa asemasi kohdalla oleva laatikko (Yleensä C: ), ja paina Ok.
* Anna RootRepealin skannata koneesi. Skannus voi kestää.
* Skannauksen valmistuttua, paina

nappia. Tallenna raportti työpöydälle esim. RootRepeal.txt.

=> Postita tämä raportti seuraavassa viestissäsi.
.

[ + lainaa]

(:)

Dermian

Junior Member

21. joulukuuta 2009 @ 19:13

Linkki tähän viestiin

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/12/21 18:24
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAC228000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA618000 Size: 8192 File Visible: No Signed: -
Status: -

Name: giveio.sys
Image Path: giveio.sys
Address: 0xBA671000 Size: 1664 File Visible: No Signed: -
Status: -

Name: PCI_PNP5374
Image Path: \Driver\PCI_PNP5374
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA82FE000 Size: 49152 File Visible: No Signed: -
Status: -

Name: speedfan.sys
Image Path: speedfan.sys
Address: 0xBA5AE000 Size: 5248 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: spwu.sys
Image Path: spwu.sys
Address: 0xB9EA7000 Size: 1048576 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\jose\application data\mozilla\firefox\profiles\3fgbri2p.default\sessionstore.js
Status: Size mismatch (API: 55439, Raw: 55441)

Path: C:\Documents and Settings\Jose\Application Data\Macromedia\Flash Player\#SharedObjects\F6XZCC9B\load.tubemogul.com\InPlayCounts.sol
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Jose\Local Settings\Application Data\Microsoft\Messenger\johea7@hotmail.com\SharingMetadata\ramonzzzzz@gmail.com\DFSR\Staging\CS{8D8EB745-9DC2-B2C7-59EC-E4A02759EAD4}\26\10025-{2FA9FB34-8A8D-45C0-9686-F3DC1524F729}-v26-{E8611619-8E83-4DBB-9F27-3CCBBC43447C}-v10025-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Jose\Local Settings\Application Data\Microsoft\Messenger\johea7@hotmail.com\SharingMetadata\ramonzzzzz@gmail.com\DFSR\Staging\CS{8D8EB745-9DC2-B2C7-59EC-E4A02759EAD4}\37\6686-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac767bcc

#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xac5906b8

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac7671aa

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac767832

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xac590574

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac76708c

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac76905c

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac7692f4

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac766c52

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac767fb6

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xac590a52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xac59014c

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spwu.sys" at address 0xb9ec6ca2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spwu.sys" at address 0xb9ec7030

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac768cde

#: 105 Function Name: NtMakeTemporaryObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac76742e

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac767a0e

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xac59064e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xac59008c

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac7676be

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xac5900f0

#: 160 Function Name: NtQueryKey
Status: Hooked by "spwu.sys" at address 0xb9ec7108

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xac59076e

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac768712

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac76963a

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xac59072e

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac768a7a

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac767db2

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac768e8c

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xac5908ae

#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac7673c8

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac7675b2

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac766f56

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac766e24

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8ae501f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8ae501f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8ae501f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8ae501f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8ae501f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8ae501f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8ae501f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8ae501f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8ae501f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8ae501f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8ae501f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8ae501f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8ae501f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ae501f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8ae501f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8ae501f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8ae501f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8ae501f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8ae501f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8ae501f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8ae501f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8ae501f8 Size: 121

Object: Hidden Code [Driver: Reg, IRP_MJ_CREATE]
Process: System Address: 0x89d98500 Size: 121

Object: Hidden Code [Driver: Reg, IRP_MJ_CLOSE]
Process: System Address: 0x89d98500 Size: 121

Object: Hidden Code [Driver: Reg, IRP_MJ_READ]
Process: System Address: 0x89d98500 Size: 121

Object: Hidden Code [Driver: Reg, IRP_MJ_WRITE]
Process: System Address: 0x89d98500 Size: 121

Object: Hidden Code [Driver: Reg, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89d98500 Size: 121

Object: Hidden Code [Driver: Reg, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89d98500 Size: 121

Object: Hidden Code [Driver: Reg, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89d98500 Size: 121

Object: Hidden Code [Driver: Reg, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89d98500 Size: 121

Object: Hidden Code [Driver: Reg, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89d98500 Size: 121

Object: Hidden Code [Driver: Reg, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89d98500 Size: 121

Object: Hidden Code [Driver: Reg, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89d98500 Size: 121

Object: Hidden Code [Driver: Reg, IRP_MJ_CLEANUP]
Process: System Address: 0x89d98500 Size: 121

Object: Hidden Code [Driver: Reg, IRP_MJ_PNP]
Process: System Address: 0x89d98500 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x8ade21f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x8ade21f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ade21f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x8ade21f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8ade21f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x8ade21f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x89dda500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x89dda500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x89dda500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x89dda500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89dda500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89dda500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89dda500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89dda500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x89dda500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89dda500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x89dda500 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8ae521f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8ae521f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8ae521f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8ae521f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8ae521f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ae521f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8ae521f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8ae521f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8ae521f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8ae521f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8ae521f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x89eab348 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x89eab348 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89eab348 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89eab348 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x89eab348 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89eab348 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x89eab348 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8ade31f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8ade31f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8ade31f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8ade31f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ade31f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8ade31f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8ade31f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8ade31f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8ade31f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8ade31f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8ade31f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x88f211f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x88f211f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x88f211f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x88f211f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x88f211f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x88f211f8 Size: 121

Object: Hidden Code [Driver: mv61xx, IRP_MJ_CREATE]
Process: System Address: 0x8ae511f8 Size: 121

Object: Hidden Code [Driver: mv61xx, IRP_MJ_CLOSE]
Process: System Address: 0x8ae511f8 Size: 121

Object: Hidden Code [Driver: mv61xx, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ae511f8 Size: 121

Object: Hidden Code [Driver: mv61xx, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8ae511f8 Size: 121

Object: Hidden Code [Driver: mv61xx, IRP_MJ_POWER]
Process: System Address: 0x8ae511f8 Size: 121

Object: Hidden Code [Driver: mv61xx, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8ae511f8 Size: 121

Object: Hidden Code [Driver: mv61xx, IRP_MJ_PNP]
Process: System Address: 0x8ae511f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x89e4f500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x89e4f500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89e4f500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89e4f500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x89e4f500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89e4f500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x89e4f500 Size: 121

Object: Hidden Code [Driver: au1lmekwЅఉ瑎捦܉@考, IRP_MJ_CREATE]
Process: System Address: 0x89ea71f8 Size: 121

Object: Hidden Code [Driver: au1lmekwЅఉ瑎捦܉@考, IRP_MJ_CLOSE]
Process: System Address: 0x89ea71f8 Size: 121

Object: Hidden Code [Driver: au1lmekwЅఉ瑎捦܉@考, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89ea71f8 Size: 121

Object: Hidden Code [Driver: au1lmekwЅఉ瑎捦܉@考, IRP_MJ_POWER]
Process: System Address: 0x89ea71f8 Size: 121

Object: Hidden Code [Driver: au1lmekwЅఉ瑎捦܉@考, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89ea71f8 Size: 121

Object: Hidden Code [Driver: au1lmekwЅఉ瑎捦܉@考, IRP_MJ_PNP]
Process: System Address: 0x89ea71f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x88f121f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x88f121f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x88f121f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x88f121f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x88f121f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x88f121f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x88f121f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x88f121f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x88f121f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x88f121f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x88f121f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x88f121f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x88f121f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x88f121f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x88f121f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x88f121f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x88f121f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x88f121f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x88f121f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x88f121f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x88f121f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x88f121f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x88f121f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x88f121f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x88f121f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x88f121f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x88f121f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x88f121f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅక浗灩, IRP_MJ_CREATE]
Process: System Address: 0x89d93500 Size: 121

Object: Hidden Code [Driver: Cdfsȅక浗灩, IRP_MJ_CLOSE]
Process: System Address: 0x89d93500 Size: 121

Object: Hidden Code [Driver: Cdfsȅక浗灩, IRP_MJ_READ]
Process: System Address: 0x89d93500 Size: 121

Object: Hidden Code [Driver: Cdfsȅక浗灩, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89d93500 Size: 121

Object: Hidden Code [Driver: Cdfsȅక浗灩, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89d93500 Size: 121

Object: Hidden Code [Driver: Cdfsȅక浗灩, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89d93500 Size: 121

Object: Hidden Code [Driver: Cdfsȅక浗灩, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89d93500 Size: 121

Object: Hidden Code [Driver: Cdfsȅక浗灩, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89d93500 Size: 121

Object: Hidden Code [Driver: Cdfsȅక浗灩, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89d93500 Size: 121

Object: Hidden Code [Driver: Cdfsȅక浗灩, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89d93500 Size: 121

Object: Hidden Code [Driver: Cdfsȅక浗灩, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89d93500 Size: 121

Object: Hidden Code [Driver: Cdfsȅక浗灩, IRP_MJ_CLEANUP]
Process: System Address: 0x89d93500 Size: 121

Object: Hidden Code [Driver: Cdfsȅక浗灩, IRP_MJ_PNP]
Process: System Address: 0x89d93500 Size: 121

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac76b352

#: 122 Function Name: NtGdiDeleteObjectApp
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac76ba76

#: 227 Function Name: NtGdiMaskBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac76b486

#: 233 Function Name: NtGdiOpenDCW
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac76b936

#: 237 Function Name: NtGdiPlgBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac76b5c6

#: 292 Function Name: NtGdiStretchBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac76b6fa

#: 310 Function Name: NtUserBlockInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac76b1d2

#: 319 Function Name: NtUserCallHwndParamLock
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac76a424

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac76aea2

#: 389 Function Name: NtUserGetClipboardData
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac76b834

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac76ac10

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac76ad52

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac76a8f4

#: 465 Function Name: NtUserMoveWindow
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac76a15c

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac76a5a6

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac76a752

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac76aff2

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac76aab6

#: 509 Function Name: NtUserSetClipboardViewer
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac76b0e8

#: 529 Function Name: NtUserSetParent
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac76a2cc

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac76badc

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac76bd10

==EOF==

Itseäni vielä mietityttää tämä Ad-Aware joka löysi rekisteristä tällaista:

Windows Object Recognized!
Type : RegData
Data : "regedit.exe" "%1"
TAC Rating : 3
Category : Vulnerability
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : regfile\shell\open\command
Value :
Data : "regedit.exe" "%1"

Samalla kysyisin että mitä teen näillä Avastin löytämillä viruksilla? Osa näyttäisi olevan tärkeitä Windowsin tiedostoja.

[ + lainaa]

kalminen

AfterDawn Addict

22. joulukuuta 2009 @ 15:35

Linkki tähän viestiin

Syytä tutkia sijainti sopimaton =>

Lataa SystemLook by. jpshortstuff TÄÄLTÄ. ja tallenna se työpöydälle.

Tupla-klikkaa SystemLook.exe ajaaksesi sen.

Kopioi(CTRL+C) alla olevasta laatikosta kaikki teksti, tekstialueeseen.

:regfind

spwu.sys

khalmnpr.exe

regedit.exe

alcmtr.exe

R2trainer.exe.exe



:filefind 

spwu.sys

khalmnpr.exe

regedit.exe

alcmtr.exe

R2trainer.exe.exe



:dir

C:\WINDOWS\system32\drivers\etc /s

Klikkaa nappulaa Look aloittaaksesi skannauksen.

Kun skannaus on valmis avautuu muistio joka sisältää lokitiedot
Klikkaa lokia hiiren oikealla painikkeella ja valitse "Valitse kaikki"
Kopio ja liitä se seuraavaan viestiisi.
(Loki löytyy myös työpöydältäsi nimellä SystemLook.txt)

*******************************************************************************

Ole hyvä ja lataa Combofix yhdestä alla olevista linkeistä:

Linkki 1
Linkki 2
Linkki 3

* TÄRKEÄÄ !!! Tallenna ComboFix.exe työpöydällesi

* Sulje/ota pois päältä kaikki virustorjunta- ja haittaohjelmien poisto-ohjelmat, jotta ne eivät häiritse ComboFixin ajoa.

* Tuplaklikkaa Combofix.exe ja noudata ohjeita.

* Osana skannausta Combofix tarkistaa onko palautuskonsoli asennettuna. Nykypäivän haittaohjelmien takia on erittäin suositeltua olla asennettuna palautuskonsoli ennen haittaohjelmien poistoa. Windowsin palautuskonsoli mahdollistaa käynnistyksen erityiseen palautustilaan. Palautuskonsolin kautta voimme auttaa sinua helpommin mikäli haittaohjelmien poiston yhteydessä ilmenee ongelmia.

* Seuraa ohjeita ja salli Combofixin ladata ja asentaa Microsoftin palautuskonsoli, ja kun pyydetään, hyväksy ohjelman takuuehdot asentaaksesi palautuskonsolin.

**Huomaa: Jos palautuskonsoli on jo asennettuna, Combofix jatkaa eteenpäin.

Kun Microsoftin palautuskonsoli on asennettu, sinun pitäisi nähdä seuraava viesti:

Klikkaa Kyllä jatkaaksesi skannausta.

Kun ComboFix on valmis, se luo raportin. Ole hyvä ja kopioi/liitä seuraavat raportit vastaukseesi:
C:\ComboFix.txt
Uusi HijackThis-loki

Varoitus: ÄLÄ aja ComboFixia ilman valvontaa. Se ei ole lelu ja sitä ei tule käyttää rutiininomaisesti päivittäin.

Jos tarvitset apua, katso yksityiskohtaisempi ohje:
http://www.bleepingcomputer.com/combofix/fi/combofixin-kayttoohje

Lähetä =>
C:\ComboFix.txt
SystemLook.txt
Uusi HijackThis-loki
.

[ + lainaa]

(:)

Dermian

Junior Member

28. joulukuuta 2009 @ 10:37

Linkki tähän viestiin

Tässä tämä SystemLook logi näin alkupaloiksi, koska ComboFixin ja Hijackin juoksuttelu on aikaavievää ja juuri nyt minulla on tekemistä.

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 09:52 on 28/12/2009 by Jose (Administrator - Elevation successful)

========== regfind ==========

Searching for "spwu.sys"
No data found.

Searching for "khalmnpr.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro\Configurations\0\HIPS\Policy\53\Rules\0\Allowed\0]
"Filename"="C:\WINDOWS\KHALMNPR.Exe"
[HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro\Configurations\0\HIPS\Policy\53\Rules\0\Allowed\0]
"Filename"="C:\WINDOWS\KHALMNPR.Exe"
[HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro\Configurations\0\HIPS\Policy\54\Rules\0\Allowed\0]
"Filename"="C:\WINDOWS\KHALMNPR.Exe"
[HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro\Configurations\0\HIPS\Policy\54\Rules\0\Allowed\0]
"Filename"="C:\WINDOWS\KHALMNPR.Exe"
[HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro\Configurations\0\HIPS\Policy\55\Rules\0\Allowed\0]
"Filename"="C:\WINDOWS\KHALMNPR.Exe"
[HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro\Configurations\0\HIPS\Policy\55\Rules\0\Allowed\0]
"Filename"="C:\WINDOWS\KHALMNPR.Exe"
[HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro\Configurations\0\HIPS\Policy\65\Rules\1\Allowed\0]
"Filename"="C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro\Configurations\0\HIPS\Policy\65\Rules\1\Allowed\0]
"Filename"="C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro\Configurations\0\HIPS\Policy\66\Rules\1\Allowed\0]
"Filename"="C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro\Configurations\0\HIPS\Policy\66\Rules\1\Allowed\0]
"Filename"="C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro\Configurations\0\HIPS\Policy\67\Rules\1\Allowed\0]
"Filename"="C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro\Configurations\0\HIPS\Policy\67\Rules\1\Allowed\0]
"Filename"="C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro\Configurations\0\HIPS\Policy\68\Rules\1\Allowed\0]
"Filename"="C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro\Configurations\0\HIPS\Policy\68\Rules\1\Allowed\0]
"Filename"="C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe"

Searching for "regedit.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\regedit.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regedit\shell\open\command]
@="regedit.exe %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Regedit.Document\shell\open\command]
@="regedit.exe "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\DefaultIcon]
@="%SystemRoot%\regedit.exe,1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command]
@=""regedit.exe" "%1""

Searching for "alcmtr.exe"
No data found.

Searching for "R2trainer.exe.exe"
No data found.

========== filefind ==========

Searching for "spwu.sys"
No files found.

Searching for "khalmnpr.exe"
C:\Program Files\Common Files\Logishrd\CDDRV2\KHALMNPR.EXE --a--- 76304 bytes [00:12 29/02/2008] [00:12 29/02/2008] E6A9F68D26A094FB78B98180A40A29FC
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe --a--- 76304 bytes [23:40 01/05/2008] [23:40 01/05/2008] 19E0D28FE38F55CA4C63F77D3657959A
C:\WINDOWS\KHALMNPR.Exe --a--- 76304 bytes [00:12 29/02/2008] [00:12 29/02/2008] E6A9F68D26A094FB78B98180A40A29FC

Searching for "regedit.exe"
C:\WINDOWS\regedit.exe --a--- 146944 bytes [13:12 14/09/2004] [13:12 14/09/2004] 3664EF59268F2879FE34A3DD5692ECDE
C:\WINDOWS\SoftwareDistribution\Download\91671d33fbb0a8b5168be907aaf53cb2\backup\regedit.exe ------ 146944 bytes [11:05 14/08/2008] [13:12 14/09/2004] 3664EF59268F2879FE34A3DD5692ECDE
C:\WINDOWS\system32\dllcache\regedit.exe --a--- 146944 bytes [11:12 14/08/2008] [13:12 14/09/2004] 3664EF59268F2879FE34A3DD5692ECDE

Searching for "alcmtr.exe"
C:\Program Files\Realtek\Audio\Drivers\WDM\Alcmtr.exe ------ 64032 bytes [22:42 19/12/2009] [16:00 10/12/2009] 78665C05A4B3553D5CFA4E95DD5CA7DF
C:\Program Files\Realtek\Audio\InstallShield\Alcmtr.exe ------ 69632 bytes [09:39 14/08/2008] [18:43 03/05/2005] 8B4CBBA1EA526830C7F97E7822E2493A
C:\RECYCLER\S-1-5-21-842925246-1580818891-839522115-1003\Dc36\WDM_R239\WDM\Alcmtr.exe --a--- 64032 bytes [21:18 19/12/2009] [16:00 10/12/2009] 78665C05A4B3553D5CFA4E95DD5CA7DF
C:\WINDOWS\ALCMTR.EXE --a--- 64032 bytes [09:39 14/08/2008] [16:00 10/12/2009] 78665C05A4B3553D5CFA4E95DD5CA7DF
C:\WINDOWS\system32\ReinstallBackups\0026\DriverFiles\ALCMTR.EXE -ra--- 69632 bytes [22:43 19/12/2009] [18:43 03/05/2005] 8B4CBBA1EA526830C7F97E7822E2493A

Searching for "R2trainer.exe.exe"
No files found.

========== dir ==========

C:\WINDOWS\system32\drivers\etc - Parameters: "/s"

---Files---
hosts --a--- 1147 bytes [12:00 09/10/2001] [13:33 20/09/2009]
lmhosts.sam --a--- 3705 bytes [12:00 09/10/2001] [12:00 09/10/2001]
networks --a--- 416 bytes [12:00 09/10/2001] [12:00 09/10/2001]
protocol --a--- 829 bytes [12:00 09/10/2001] [12:00 09/10/2001]
services --a--- 7151 bytes [12:00 09/10/2001] [12:00 09/10/2001]

No folders found.

-=End Of File=-

[ + lainaa]

Mainos

kalminen

AfterDawn Addict

28. joulukuuta 2009 @ 13:46

Linkki tähän viestiin

Nuo mitkä on Dokuments and settings kansiossa
Avastin Qaranteenissa voit poistaa.

Ajele se Combo vielä.
.

[ + lainaa]

(:)

Vastaa

Aloita uusi viestiketju

afterdawn.com > keskustelu > yleistä keskustelua tietokoneista > virukset ja haittaohjelmat - hijackthis -logit > koneella win32:rootkit-gen[rtk] +hjt-logi


		Käyttäjä	Salasana

		Puuttuuko tunnus? Liity jäseneksi nyt!. Salasana hukassa? Klikkaa tästä.