LockBreaker, posted 17 August 2009 (edited)

Hi. I have recently picked up some stubborn beasts on my PC that refuse to let go of my hard drive. The unwanted program in question is a rootkit, more precisely Rootkit.Agent/Gen-Rx. The operating system I use is Vista Ultimate 64-bit, so I could not use Combofix. It was SAS that found the rootkits in question. SAS is still running, so when it finishes I will post its log too. Here is the log from Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:22:17, on 17.08.2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\CyberLink\Power2Go\Power2GoExpress.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files (x86)\LG Soft India\forteManager\bin\Monitor.exe
C:\Program Files (x86)\CyberLink\Shared Files\brs.exe
C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files (x86)\CyberLink\InstantBurn\Win2K\IBurn.exe
C:\Program Files (x86)\lg_fwupdate\fwupdate.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files (x86)\ROCCAT\Kone Mouse\KoneHID.EXE
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\ROCCAT\Kone Mouse\osd.exe
C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
C:\Program Files (x86)\Opera\opera.exe
C:\Users\John Ola Haugom\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~2\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [bDRegion] "C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [instantBurn] C:\PROGRA~2\CYBERL~1\INSTAN~1\Win2K\IBurn.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files (x86)\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files (x86)\Norton 360 Online\osCheck.exe"
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [Kone] "C:\Program Files (x86)\ROCCAT\Kone Mouse\KoneHID.EXE"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files (x86)\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKCU\..\Run: [iSUSPM Startup] C:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETTVERKSTJENESTE')
O4 - Global Startup: forteManager.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: McAfee Application Installer Cleanup (0325361245324293) (0325361245324293mcinstcleanup) - Unknown owner - C:\Users\JOHNOL~1\AppData\Local\Temp32536~1.EXE (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Statustjeneste for ASP.NET (aspnet_state) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Automatisk LiveUpdate-planlegging (Automatic LiveUpdate Scheduler) - Symantec Corporation - C:\Program Files (x86)\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~2\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 10944 bytes

I am fairly desperate right now, because they do not seem to go away. I have now scanned through 4-5 times and tried to remove the virus, but unfortunately it does not work. I appreciate all the help I can get. Here is the log from SAS:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/17/2009 at 09:33 PM

Application Version : 4.27.1000

Core Rules Database Version : 4059
Trace Rules Database Version: 1999

Scan type : Complete Scan
Total Scan Time : 00:46:32

Memory items scanned : 433
Memory threats detected : 0
Registry items scanned : 5386
Registry threats detected : 6
File items scanned : 41661
File threats detected : 1

Rootkit.Agent/Gen-Rx
	HKLM\System\ControlSet001\Services\LGDDCDevice
	C:\PROGRAM FILES (X86)\LG SOFT INDIA\FORTEMANAGER\BIN\I2CDRIVER.SYS
	HKLM\System\ControlSet001\Enum\Root\LEGACY_LGDDCDevice
	HKLM\System\ControlSet002\Services\LGDDCDevice
	HKLM\System\ControlSet002\Enum\Root\LEGACY_LGDDCDevice
	HKLM\System\CurrentControlSet\Services\LGDDCDevice
	HKLM\System\CurrentControlSet\Enum\Root\LEGACY_LGDDCDevice

Here is the log from MBAM:

Malwarebytes' Anti-Malware 1.40
Databaseversjon: 2643
Windows 6.0.6002 Service Pack 2

18.08.2009 00:06:52
mbam-log-2009-08-18 (00-06-52).txt

Skanntype: Full Skann (C:\|)
Objekter skannet: 263023
Tid tilbakelagt: 55 minute(s), 9 second(s)

Minneprosesser infisert: 0
Minnemoduler infisert: 0
Registernøkler infisert: 0
Registerverdier infisert: 0
Registerfiler infisert: 1
Mapper infisert: 0
Filer infisert: 0

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
(Ingen mistenkelige filer funnet)

Registernøkler infisert:
(Ingen mistenkelige filer funnet)

Registerverdier infisert:
(Ingen mistenkelige filer funnet)

Registerfiler infisert:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Mapper infisert:
(Ingen mistenkelige filer funnet)

Filer infisert:
(Ingen mistenkelige filer funnet)

Edited 18 August 2009 by LockBreaker
snippsat, posted 17 August 2009

C:\PROGRAM FILES (X86)\LG SOFT INDIA\FORTEMANAGER\BIN\I2CDRIVER.SYS

Scan this file here: virustotal
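As an added example (not code from this thread, from SUPERAntiSpyware or from VirusTotal): a small Python triage script that pulls the flagged registry keys and file paths out of a SAS scan log like the one posted above, hashes any flagged file that is present on disk, and builds a VirusTotal hash-lookup URL so the file can be checked against many engines without uploading it. The log text inside the script is a constructed sample modelled on the posted log; the VirusTotal v3 endpoint and its x-apikey header are assumptions about the current API, which did not exist when this thread was written.

```python
"""Triage helper for SUPERAntiSpyware-style scan logs (added example).

Parses the threat blocks, splits registry keys from file paths, hashes
flagged files that exist locally and builds a VirusTotal hash-lookup URL.
"""
import hashlib
import os
import re

# Constructed sample modelled on the log posted in the thread: SAS writes a
# threat name on its own line followed by tab-indented registry/file items.
SAMPLE_SAS_LOG = """SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 08/17/2009 at 09:33 PM
Registry threats detected : 6
File threats detected : 1

Rootkit.Agent/Gen-Rx
\tHKLM\\System\\ControlSet001\\Services\\LGDDCDevice
\tC:\\PROGRAM FILES (X86)\\LG SOFT INDIA\\FORTEMANAGER\\BIN\\I2CDRIVER.SYS
\tHKLM\\System\\CurrentControlSet\\Enum\\Root\\LEGACY_LGDDCDevice

Adware.Tracking Cookie
\tC:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@example[1].txt
"""

REGISTRY_RE = re.compile(r"^(HKLM|HKCU|HKU|HKCR|HKEY_[A-Z_]+)\\", re.IGNORECASE)
FILE_RE = re.compile(r"^[A-Za-z]:\\")


def parse_sas_log(text):
    """Return [{"threat": name, "registry": [...], "files": [...]}, ...].

    A threat block is a non-indented line followed by indented items; header
    lines such as "Scan type : ..." have no indented items and produce nothing.
    """
    entries = []
    heading = None
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            current = None          # blank line closes the current block
            continue
        if raw[0] in " \t":
            item = raw.strip()
            if heading is None:
                continue
            if current is None:     # first item under this heading
                current = {"threat": heading, "registry": [], "files": []}
                entries.append(current)
            if REGISTRY_RE.match(item):
                current["registry"].append(item)
            elif FILE_RE.match(item):
                current["files"].append(item)
        else:
            heading = raw.strip()
            current = None
    return entries


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large drivers do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def vt_lookup_url(sha256_hex):
    # Assumption: VirusTotal API v3 hash lookup, a GET with an "x-apikey"
    # header.  Only the hash leaves the machine, never the file itself.
    return f"https://www.virustotal.com/api/v3/files/{sha256_hex}"


def triage(log_text):
    """Attach a SHA-256 and lookup URL to each flagged file that exists locally;
    files that are absent (already quarantined, or a different machine) get None."""
    report = []
    for entry in parse_sas_log(log_text):
        for path in entry["files"]:
            digest = sha256_file(path) if os.path.isfile(path) else None
            report.append({
                "threat": entry["threat"],
                "path": path,
                "sha256": digest,
                "lookup": vt_lookup_url(digest) if digest else None,
            })
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_SAS_LOG):
        print(row["threat"], row["path"],
              row["sha256"] or "(file not present)", row["lookup"] or "")
```

Run against a real SAS log on the affected machine, the script gives a hash per flagged file to paste into VirusTotal; a vendor driver sitting in the vendor's own program directory that only one scanner flags and that every other engine rates clean is the false-positive pattern this thread ends with, and the safer response is to wait for a definition update rather than delete a hardware driver.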
LockBreaker (author), posted 18 August 2009 (edited)

Will do that when I get home. I am at school right now. Many thanks for the tip.

Edited 18 August 2009 by LockBreaker
LockBreaker (author), posted 18 August 2009 (edited)

A bit odd here right now. After I updated SAS it no longer finds these viruses. I am currently scanning the file you asked me to check on Virus Total. Could it be that MBAM solved the problem? SAS only found a Tracking Cookie. By the way, how long does Virus Total take to scan a file? It has been running for quite a while now.

Here are the results from Virus Total. The file does not appear to be dangerous:

a-squared 4.5.0.24 2009.08.18 -
AhnLab-V3 5.0.0.2 2009.08.18 -
AntiVir 7.9.1.1 2009.08.18 -
Antiy-AVL 2.0.3.7 2009.08.18 -
Authentium 5.1.2.4 2009.08.18 -
Avast 4.8.1335.0 2009.08.17 -
AVG 8.5.0.406 2009.08.18 -
BitDefender 7.2 2009.08.18 -
CAT-QuickHeal 10.00 2009.08.18 -
ClamAV 0.94.1 2009.08.18 -
Comodo 2010 2009.08.18 -
DrWeb 5.0.0.12182 2009.08.18 -
eSafe 7.0.17.0 2009.08.17 -
eTrust-Vet 31.6.6683 2009.08.18 -
F-Prot 4.4.4.56 2009.08.18 -
F-Secure 8.0.14470.0 2009.08.18 -
Fortinet 3.120.0.0 2009.08.18 -
GData 19 2009.08.18 -
Ikarus T3.1.1.68.0 2009.08.18 -
Jiangmin 11.0.800 2009.08.18 -
K7AntiVirus 7.10.820 2009.08.17 -
Kaspersky 7.0.0.125 2009.08.18 -
McAfee 5712 2009.08.17 -
McAfee+Artemis 5712 2009.08.17 -
McAfee-GW-Edition 6.8.5 2009.08.18 -
Microsoft 1.4903 2009.08.18 -
NOD32 4344 2009.08.18 -
Norman 6.01.09 2009.08.17 -
nProtect 2009.1.8.0 2009.08.18 -
Panda 10.0.0.14 2009.08.17 -
PCTools 4.4.2.0 2009.08.17 -
Prevx 3.0 2009.08.18 -
Rising 21.43.13.00 2009.08.18 -
Sophos 4.44.0 2009.08.18 -
Sunbelt 3.2.1858.2 2009.08.18 -
Symantec 1.4.4.12 2009.08.18 -
TheHacker 6.3.4.3.383 2009.08.13 -
TrendMicro 8.950.0.1094 2009.08.18 -
VBA32 3.12.10.9 2009.08.18 -
ViRobot 2009.8.18.1889 2009.08.18 -
VirusBuster 4.6.5.0 2009.08.17 -

Edited 18 August 2009 by LockBreaker
norbat, posted 18 August 2009

The "rootkit" SAS found was a false positive (an incorrect malware report) and was fixed in the latest update. The 'rootkit' should therefore be nothing to worry about.
LockBreaker (author), posted 18 August 2009

Anyway, many thanks for all the help!