
Since I'm not getting any error messages on the desktop, I'm assuming it works as it should.


Here is the problem I have on the laptop; it pops up now and then, and always when I try to log on to MSN.

 

HijackThis

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:06:15, on 11.01.2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\Intel\Wireless\Bin\EvtEng.exe

C:\Programfiler\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Acer\Empowering Technology\admServ.exe

C:\PROGRA~1\AVG\AVG8\avgam.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Programfiler\AVG\AVG8\avgcsrvx.exe

C:\Programfiler\Java\jre6\bin\jqs.exe

C:\Programfiler\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Acer\Empowering Technology\admtray.exe

C:\Acer\Empowering Technology\ePower\ePower_DMC.exe

C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Programfiler\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Programfiler\DAEMON Tools Lite\daemon.exe

C:\Programfiler\OpenOffice.org 3\program\soffice.exe

C:\Programfiler\OpenOffice.org 3\program\soffice.bin

C:\DOCUME~1\Rolfie\LOKALE~1\Temp\RtkBtMnt.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\Programfiler\MSN Messenger\msnmsgr.exe

C:\Programfiler\AVG\AVG8\avgdiagex.exe

C:\Programfiler\AVG\AVG8\avgdiagex.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Programfiler\Opera\Opera.exe

C:\Programfiler\AVG\AVG8\avgcsrvx.exe

C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.92.1:80

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 1.1.1.1;localhost;<local>

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programfiler\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programfiler\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [AzMixerSel] C:\Programfiler\Realtek\InstallShield\AzMixerSel.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"

O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe

O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot

O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programfiler\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: OpenOffice.org 3.0.lnk = C:\Programfiler\OpenOffice.org 3\program\quickstart.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1226510457640

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1226512246937

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programfiler\Java\jre6\bin\jqs.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programfiler\WinPcap\rpcapd.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

 

--

End of file - 6943 bytes

 

 

 

ComboFix

 

ComboFix 09-01-09.03 - Rolfie 2009-01-11 14:28:25.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1044.18.1014.498 [GMT 1:00]

Kjører fra: c:\documents and settings\Rolfie\Skrivebord\ComboFix.exe

* Opprettet nytt gjenopprettingspunkt

.

 

((((((((((((((((((((((((((((((((((((((( Andre slettinger )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\system32\Desktop_.ini

c:\windows\system32\drivers\npf.sys

c:\windows\system32\packet.dll

c:\windows\system32\pthreadVC.dll

c:\windows\system32\WanPacket.dll

c:\windows\system32\wpcap.dll

 

.

((((((((((((((((((((((((((((((((((((((( Drivere/Tjenester )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_NPF

-------\Service_AVG

-------\Service_NPF

 

 

((((((((((((((((((((((((((( Filer Opprettet Fra 2008-12-11 til 2009-01-11 )))))))))))))))))))))))))))))))))

.

 

2009-01-10 17:32 . 2009-01-10 17:32 <DIR> d-------- c:\programfiler\Malwarebytes' Anti-Malware

2009-01-10 17:32 . 2009-01-10 17:32 <DIR> d-------- c:\documents and settings\Rolfie\Programdata\Malwarebytes

2009-01-10 17:32 . 2009-01-10 17:32 <DIR> d-------- c:\documents and settings\All Users\Programdata\Malwarebytes

2009-01-10 17:32 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-10 17:32 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-10 12:59 . 2009-01-10 13:02 <DIR> d--h----- C:\$AVG8.VAULT$

2009-01-08 09:17 . 2009-01-08 09:17 <DIR> d-------- C:\UbiSoft

2009-01-08 09:16 . 2009-01-08 09:18 <DIR> d-------- c:\windows\UbiSoft

2009-01-01 22:56 . 2009-01-10 12:47 <DIR> dr-h----- c:\documents and settings\Rolfie\Siste

2008-12-16 12:12 . 2008-12-16 12:12 21,840 --a------ c:\windows\system32\SIntfNT.dll

2008-12-16 12:12 . 2008-12-16 12:12 17,212 --a------ c:\windows\system32\SIntf32.dll

2008-12-16 12:12 . 2008-12-16 12:12 12,067 --a------ c:\windows\system32\SIntf16.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-10 14:29 --------- d-----w c:\documents and settings\All Users\Programdata\avg8

2009-01-08 09:30 324,872 ----a-w c:\windows\system32\drivers\avgldx86.sys

2009-01-08 09:30 12,552 ----a-w c:\windows\system32\drivers\avgrkx86.sys

2009-01-08 09:30 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys

2009-01-08 08:12 --------- d--h--w c:\programfiler\InstallShield Installation Information

2009-01-08 08:11 --------- d-----w c:\programfiler\Final Fantasy VII

2008-12-09 12:02 --------- d-----w c:\documents and settings\Rolfie\Programdata\Autodesk

2008-12-09 11:59 --------- d-----w c:\programfiler\Fellesfiler\Autodesk Shared

2008-12-09 11:59 --------- d-----w c:\programfiler\Autodesk

2008-12-09 11:57 --------- d-----w c:\documents and settings\Rolfie\Programdata\U3

2008-12-08 11:29 --------- d-----w c:\programfiler\WorldOfGoo

2008-12-08 10:03 --------- d-----w c:\documents and settings\All Users\Programdata\2DBoy

2008-12-08 08:21 --------- d-----w c:\programfiler\Square Soft, Inc

2008-12-08 07:55 --------- d-----w c:\programfiler\Java

2008-11-21 09:56 --------- d-----w c:\programfiler\Google

2008-11-21 07:36 --------- d-----w c:\programfiler\DAEMON Tools Lite

2008-11-21 07:27 717,296 ----a-w c:\windows\system32\drivers\sptd.sys

2008-11-21 07:26 --------- d-----w c:\documents and settings\Rolfie\Programdata\DAEMON Tools

2008-11-20 07:16 --------- d-----w c:\programfiler\Synaptics

2008-11-15 16:07 --------- d-----w c:\programfiler\MSN Messenger

2008-11-15 15:44 --------- dcsh--w c:\programfiler\Fellesfiler\WindowsLiveInstaller

2008-11-15 15:43 --------- d-----w c:\documents and settings\All Users\Programdata\WLInstaller

2008-11-13 15:19 --------- d-----w c:\documents and settings\Rolfie\Programdata\Intel

2008-11-12 21:38 --------- d-----w c:\programfiler\CONEXANT

2008-11-12 20:25 --------- d-----w c:\programfiler\Windows Desktop Search

2008-11-12 19:38 --------- d-----w c:\programfiler\MSXML 4.0

2008-11-12 19:07 --------- d-----w c:\programfiler\Windows Media Connect 2

.

 

(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))

.

.

*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"SUPERAntiSpyware"="c:\programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-27 1576176]

"DAEMON Tools Lite"="c:\programfiler\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AzMixerSel"="c:\programfiler\Realtek\InstallShield\AzMixerSel.exe" [2006-08-16 53248]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-11-11 1236992]

"ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]

"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-04-14 344064]

"Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-01-20 3080192]

"SynTPEnh"="c:\programfiler\Synaptics\SynTP\SynTPEnh.exe" [2005-07-20 729177]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-08 1601304]

"SunJavaUpdateSched"="c:\programfiler\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

"RTHDCPL"="RTHDCPL.EXE" [2006-08-16 c:\windows\RTHDCPL.exe]

"SkyTel"="SkyTel.EXE" [2006-08-16 c:\windows\SkyTel.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

c:\documents and settings\Rolfie\Start-meny\Programmer\Oppstart\

OpenOffice.org 3.0.lnk - c:\programfiler\OpenOffice.org 3\program\quickstart.exe [2008-10-04 393216]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programfiler\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-07-23 15:28 352256 c:\programfiler\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-01-08 10:30 10520 c:\windows\system32\avgrsstx.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Programfiler\\Messenger\\msmsgs.exe"=

"c:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=

"c:\\Programfiler\\MSN Messenger\\livecall.exe"=

"c:\\Programfiler\\AVG\\AVG8\\avgupd.exe"=

"c:\\Programfiler\\AVG\\AVG8\\avgnsx.exe"=

 

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-11-23 12552]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-23 324872]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-23 107272]

R1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2008-10-20 12106]

R1 SASDIFSV;SASDIFSV;c:\programfiler\SUPERAntiSpyware\sasdifsv.sys [2008-08-19 8944]

R1 SASKUTIL;SASKUTIL;c:\programfiler\SUPERAntiSpyware\SASKUTIL.SYS [2008-08-19 55024]

R3 NdisFilt;OSA NdisFilter Protocol;c:\windows\system32\drivers\NdisFilt.sys [2008-10-20 4392]

R3 SASENUM;SASENUM;c:\programfiler\SUPERAntiSpyware\SASENUM.SYS [2008-08-19 7408]

R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-08 298264]

R4 EpmPsd;Acer EPM Power Scheme Driver;c:\windows\system32\drivers\epm-psd.sys [2008-10-20 4096]

R4 EpmShd;Acer EPM System Hardware Driver;c:\windows\system32\drivers\epm-shd.sys [2008-10-20 78208]

R4 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2008-10-20 7296]

R4 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2008-10-20 4010]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]

\Shell\AutoRun\command - H:\LaunchU3.exe -a

.

.

------- Tilleggsskanning -------

.

uInternet Settings,ProxyServer = 192.168.92.1:80

uInternet Settings,ProxyOverride = 1.1.1.1;localhost;<local>

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-11 14:32:06

Windows 5.1.2600 Service Pack 3 NTFS

 

skanner skjulte prosesser ...

 

skanner skjulte autostart-oppføringer ...

 

skanner skjulte filer ...

 

skanning vellykket

skjulte filer: 0

 

**************************************************************************

.

--------------------- DLL'er Lastet Av Kjørende Prosesser ---------------------

 

- - - - - - - > 'winlogon.exe'(852)

c:\programfiler\SUPERAntiSpyware\SASWINLO.dll

c:\windows\System32\BCMLogon.dll

.

------------------------ Andre Kjørende Prosesser ------------------------

.

c:\programfiler\Intel\Wireless\Bin\EvtEng.exe

c:\programfiler\Intel\Wireless\Bin\S24EvMon.exe

c:\windows\system32\WLTRYSVC.EXE

c:\windows\system32\BCMWLTRY.EXE

c:\acer\Empowering Technology\admServ.exe

c:\programfiler\Java\jre6\bin\jqs.exe

c:\programfiler\Intel\Wireless\Bin\RegSrvc.exe

c:\progra~1\AVG\AVG8\avgam.exe

c:\programfiler\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\programfiler\AVG\AVG8\avgcsrvx.exe

c:\windows\system32\wbem\wmiapsrv.exe

c:\programfiler\OpenOffice.org 3\program\soffice.exe

c:\programfiler\OpenOffice.org 3\program\soffice.bin

c:\windows\system32\wbem\unsecapp.exe

c:\docume~1\Rolfie\LOKALE~1\temp\RtkBtMnt.exe

c:\programfiler\AVG\AVG8\avgcsrvx.exe

.

**************************************************************************

.

Tidspunkt ferdig: 2009-01-11 14:35:01 - maskinen ble startet på nytt

ComboFix-quarantined-files.txt 2009-01-11 13:34:57

 

Pre-Run: 44 395 130 880 byte ledig

Post-Run: 44,397,699,072 byte ledig

 

WindowsXP-KB310994-SP2-Pro-BootDisk-NOR.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS

[operating systems]

d:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

 

179 --- E O F --- 2008-11-12 22:57:15

 

 

 

The file AVG found:

"C:\WINDOWS\System32\Drivers\aj67fkwp.SYS";"Hidden driver";"Object is hidden"

 

But whether it's a virus at all, I'm not sure. Might as well take a look at the logs anyway.

Download the GMER rootkit scanner and extract the program to the desktop.

 

In the panel on the right-hand side, untick the following:

Sections

IAT/EAT

Partitions other than the system drive (C:\)

Show All

 

Click the Scan button.

When the scan is finished, click the Save button and, in the file name field, type logg.txt. Save it to the desktop so you can find it easily. Copy and post the log (or upload it as an attachment).

 

Whatever it finds, do not take any action on what it finds.

Edited by norbat

GMER

 

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2009-01-11 23:15:03

Windows 5.1.2600 Service Pack 3

 

 

---- System - GMER 1.0.14 ----

 

SSDT spqx.sys ZwCreateKey [0xF73BE0E0]

SSDT spqx.sys ZwEnumerateKey [0xF73DCCA2]

SSDT spqx.sys ZwEnumerateValueKey [0xF73DD030]

SSDT spqx.sys ZwOpenKey [0xF73BE0C0]

SSDT spqx.sys ZwQueryKey [0xF73DD108]

SSDT spqx.sys ZwQueryValueKey [0xF73DCF88]

SSDT spqx.sys ZwSetValueKey [0xF73DD19A]

SSDT \??\C:\Programfiler\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAA763F20]

 

INT 0x62 ? 865D7BF8

INT 0x63 ? 86375BF8

INT 0x82 ? 865D7BF8

INT 0x94 ? 86375BF8

INT 0xB4 ? 86375BF8

 

---- Devices - GMER 1.0.14 ----

 

Device \FileSystem\Ntfs \Ntfs 865D61F8

 

AttachedDevice \FileSystem\Ntfs \Ntfs OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Ip ntkrnlpa.exe (NT kjerne og system/Microsoft Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

 

Device \Driver\NetBT \Device\NetBT_Tcpip_{529A547E-70C8-472A-A530-D3D94523BF18} 860ED500

Device \Driver\usbuhci \Device\USBPDO-0 863661F8

Device \Driver\dmio \Device\DmControl\DmIoDaemon 865671F8

Device \Driver\dmio \Device\DmControl\DmConfig 865671F8

Device \Driver\dmio \Device\DmControl\DmPnP 865671F8

Device \Driver\dmio \Device\DmControl\DmInfo 865671F8

Device \Driver\usbuhci \Device\USBPDO-1 863661F8

Device \Driver\usbehci \Device\USBPDO-2 863F91F8

Device \Driver\usbuhci \Device\USBPDO-3 863661F8

Device \Driver\usbuhci \Device\USBPDO-4 863661F8

 

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp ntkrnlpa.exe (NT kjerne og system/Microsoft Corporation)

 

Device \Driver\Ftdisk \Device\HarddiskVolume1 865D81F8

Device \Driver\Ftdisk \Device\HarddiskVolume2 865D81F8

Device \Driver\Cdrom \Device\CdRom0 OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)

Device \Driver\Cdrom \Device\CdRom0 862F41F8

Device \Driver\Ftdisk \Device\HarddiskVolume3 865D81F8

Device \Driver\Cdrom \Device\CdRom1 OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)

Device \Driver\Cdrom \Device\CdRom1 862F41F8

Device \Driver\NetBT \Device\NetBt_Wins_Export 860ED500

Device \Driver\NetBT \Device\NetbiosSmb 860ED500

Device \Driver\PCI_PNP2988 \Device00004e spqx.sys

Device \Driver\PCI_PNP2988 \Device00004e spqx.sys

 

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp ntkrnlpa.exe (NT kjerne og system/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp ntkrnlpa.exe (NT kjerne og system/Microsoft Corporation)

 

Device \Driver\usbuhci \Device\USBFDO-0 863661F8

Device \Driver\usbuhci \Device\USBFDO-1 863661F8

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 860D9500

Device \Driver\usbuhci \Device\USBFDO-2 863661F8

Device \FileSystem\MRxSmb \Device\LanmanRedirector 860D9500

Device \Driver\usbuhci \Device\USBFDO-3 863661F8

Device \Driver\NetBT \Device\NetBT_Tcpip_{8DE40C30-FF9B-4332-958B-99A903CD680A} 860ED500

Device \Driver\Ftdisk \Device\FtControl 865D81F8

Device \Driver\usbehci \Device\USBFDO-4 863F91F8

Device \Driver\sptd \Device\4288906738 spqx.sys

Device \Driver\aj67fkwp \Device\Scsi\aj67fkwp1 862A91F8

Device \Driver\aj67fkwp \Device\Scsi\aj67fkwp1Port2Path0Target0Lun0 862A91F8

Device \FileSystem\Cdfs \Cdfs 8616E3C8

 

---- Registry - GMER 1.0.14 ----

 

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programfiler\DAEMON Tools Lite\

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xD7 0xB7 0x43 0x8F ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4000001

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4000001@khjeh 0x3B 0x9B 0x39 0xD7 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4000001Jf40

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4000001Jf40@khjeh 0x48 0x68 0xE6 0x56 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programfiler\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xD7 0xB7 0x43 0x8F ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4000001

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4000001@khjeh 0x3B 0x9B 0x39 0xD7 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4000001Jf40

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4000001Jf40@khjeh 0x48 0x68 0xE6 0x56 ...

 

---- EOF - GMER 1.0.14 ----

 

 
