
Rootkit found on the machine: a0k6v39g.SYS


Posted

I discovered this file when I scanned with AVG Anti-Rootkit Free: a0k6v39g.SYS in Windows/System32/Drivers.

I have Windows XP Pro SP2. Has anyone else had this, and does anyone know whether it is safe or necessary to remove it?

I was going to try, but when I click "Remove Selected Items" it gives me a warning that removing such files can have destructive consequences for the system. I don't really know what to do. I tried searching Google for the file name but got nothing.

Dilemma: afraid of breaking the system, and afraid that this file can wreak havoc on my machine.

Posted (edited)

It's not unthinkable that the file belongs to your firewall, but you could have checked the file at http://virusscan.jotti.org/

You could also have posted a ComboFix log:

Download ComboFix and save it to the desktop.

Run combofix.exe and follow the instructions.

Post the log file from ComboFix (c:\combofix.txt)

Edited by norbat
Posted (edited)

Excuse me, but I don't know what this is. Can you explain a bit?

EDIT: I can't upload the file to the virusscan.jotti.org site, because I can't find the file manually without the rootkit scanner, and the scanner doesn't give me very many options. So no copy & paste, in other words.

Edited by RougeAlien
Posted

My Computer

Tools -> Folder Options -> View -> Show hidden files and folders

Go to Jotti, find the file, scan.

I already had that checked. Such rootkits are probably hidden well enough that they aren't easy to remove without a tool. I can't find it manually, at any rate, only with AVG Anti-Rootkit.

Posted (edited)

I think this seems suspicious. I get this message when I run ComboFix: "Roughly 1/100 machines failed to make it through the disinfection process!" "Are you sure you want to do this?"

I initially chose to click "No", and then the whole file I had downloaded disappeared. What kind of program is this?

EDIT: I used HijackThis then, and here is the log file:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 03:11:02, on 04.02.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\M-AudioTaskBarIcon.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Comodo\Firewall\cfp.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE

C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe

C:\Program Files\ASUS\AASP\1.00.32\aaCenter.exe

C:\WINDOWS\ATKKBService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Comodo\Firewall\cmdagent.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\M-Audio\Fast Track Pro\MAUSBInst.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [Launch PC Probe II] "C:\Program Files\ASUS\PC Probe II\Probe2.exe" 1

O4 - HKLM\..\Run: [EPSON Stylus D68 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE /P23 "EPSON Stylus D68 Series" /O6 "USB001" /M "Stylus D68"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -s

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [EPSON Stylus D68 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE /P23 "EPSON Stylus D68 Series" /M "Stylus D68" /EF "HKCU"

O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"

O4 - HKCU\..\Run: [RivaTunerStatisticsServer] "C:\Program Files\RivaTuner v2.06\Tools\RivaTunerStatisticsServer\RivaTunerStatisticsServer.exe" /s

O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe /start

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe

O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: M-Audio USB Installer (MAudioUSBService) - M-Audio - C:\Program Files\M-Audio\Fast Track Pro\MAUSBInst.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

 

--

End of file - 8439 bytes

Edited by RougeAlien
Posted (edited)

Just click yes.

ComboFix is a program that gives a detailed log and removes junk that you shouldn't have.

Have a look at norbat's posts and you'll see that you get help.

Edited by SNIPPSAT
Posted

I ran the ComboFix program and it made a log. But it found no rootkits. By the way, I ran AVG Anti-Rootkit again just now, and a rootkit came up, but it had changed name. So maybe it is my firewall.

Posted

Right, here is the ComboFix log:

 

ComboFix 08-02.03.1 - Lars 2008-02-04 3:20:23.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1594 [GMT 1:00]

Running from: E:\Programs\ComboFix.exe

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))

.

 

2008-02-04 03:09 . 2008-02-04 03:09 <DIR> d-------- C:\Program Files\Trend Micro

2008-01-30 11:06 . 2006-06-14 13:44 12,288 -ra------ C:\WINDOWS\system32\drivers\EIO_XP.sys

2008-01-30 11:04 . 2008-01-30 11:04 12,288 --a------ C:\WINDOWS\system32\drivers\EIO64_xp.sys

2008-01-29 22:49 . 2008-01-29 22:49 <DIR> d--hs---- C:\WINDOWS\ftpcache

2008-01-29 14:54 . 2008-01-29 22:42 165,628 --a------ C:\WINDOWS\system32\nvapps.xml

2008-01-29 14:53 . 2008-01-29 22:41 <DIR> d-------- C:\WINDOWS\nview

2008-01-29 14:53 . 2007-12-05 02:53 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE

2008-01-29 14:53 . 2007-12-05 01:41 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe

2008-01-29 14:53 . 2007-12-05 01:41 17,737 --a------ C:\WINDOWS\system32\nvdisp.nvu

2008-01-29 05:04 . 2008-02-03 04:13 <DIR> d-------- C:\Program Files\JkDefrag

2008-01-13 03:05 . 2008-01-13 03:05 <DIR> d-------- C:\Program Files\Western Digital Technologies

2008-01-08 02:16 . 2008-01-08 02:16 630,784 --a------ C:\WINDOWS\system32\divxdec.ax

2008-01-04 22:59 . 2008-01-04 22:59 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe

2008-01-04 22:59 . 2008-01-04 22:59 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb

2008-01-04 22:58 . 2008-01-04 22:58 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll

2008-01-04 22:58 . 2008-01-04 22:58 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll

2008-01-04 22:58 . 2008-01-04 22:58 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll

2008-01-04 22:56 . 2008-01-04 22:56 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe

2008-01-04 22:56 . 2008-01-04 22:56 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-02-03 19:36 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-02-03 19:35 --------- d-----w C:\Program Files\GameFlood

2008-02-01 19:56 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys

2008-02-01 19:54 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe

2008-01-31 01:58 --------- d-----w C:\Program Files\RivaTuner v2.06

2008-01-31 00:30 --------- d-----w C:\Documents and Settings\Lars\Application Data\Vidalia

2008-01-31 00:28 --------- d-----w C:\Documents and Settings\Lars\Application Data\tor

2008-01-30 10:04 --------- d-----w C:\Program Files\ASUS

2008-01-29 21:55 --------- d-----w C:\Documents and Settings\Lars\Application Data\My Games

2008-01-28 17:05 --------- d-----w C:\Program Files\PeerGuardian2

2008-01-28 04:15 --------- d-----w C:\Program Files\BitComet

2008-01-23 13:34 --------- d-----w C:\Program Files\X Plugin Manager

2008-01-10 18:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-01-10 18:00 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe

2008-01-10 14:20 --------- d-----w C:\Program Files\DivX

2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll

2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll

2008-01-04 21:57 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll

2008-01-04 21:57 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll

2008-01-04 21:57 682,496 ----a-w C:\WINDOWS\system32\DivX.dll

2008-01-04 21:57 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll

2008-01-04 21:57 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll

2008-01-04 21:57 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll

2008-01-04 21:57 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll

2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll

2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll

2008-01-04 21:57 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll

2007-12-27 21:01 --------- d-----w C:\Documents and Settings\Lars\Application Data\DAEMON Tools

2007-12-27 12:05 --------- d-----w C:\Program Files\DAEMON Tools Lite

2007-12-27 12:02 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys

2007-12-27 11:50 --------- d-----w C:\Program Files\MagicDisc

2007-12-27 11:16 278,984 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys

2007-12-18 18:55 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe

2007-12-18 18:55 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll

2007-12-18 18:55 1,073,152 ----a-w C:\WINDOWS\system32\nvcpluir.dll

2007-12-05 00:41 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll

2007-12-05 00:41 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll

2007-12-05 00:41 8,523,776 ----a-w C:\WINDOWS\system32\nvcpl.dll

2007-12-05 00:41 7,435,392 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys

2007-12-05 00:41 6,901,760 ----a-w C:\WINDOWS\system32\nvoglnt.dll

2007-12-05 00:41 6,549,504 ----a-w C:\WINDOWS\system32\nvdisps.dll

2007-12-05 00:41 5,773,568 ----a-w C:\WINDOWS\system32\nv4_disp.dll

2007-12-05 00:41 5,611,520 ----a-w C:\WINDOWS\system32\nvdispsr.dll

2007-12-05 00:41 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll

2007-12-05 00:41 458,752 ----a-w C:\WINDOWS\system32\nvmccssr.dll

2007-12-05 00:41 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll

2007-12-05 00:41 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe

2007-12-05 00:41 425,984 ----a-w C:\WINDOWS\system32\keystone.exe

2007-12-05 00:41 385,024 ----a-w C:\WINDOWS\system32\nvapi.dll

2007-12-05 00:41 35,328 ----a-w C:\WINDOWS\system32\nvcodins.dll

2007-12-05 00:41 35,328 ----a-w C:\WINDOWS\system32\nvcod.dll

2007-12-05 00:41 335,872 ----a-w C:\WINDOWS\system32\nvwrses.dll

2007-12-05 00:41 335,872 ----a-w C:\WINDOWS\system32\nvwrsel.dll

2007-12-05 00:41 327,680 ----a-w C:\WINDOWS\system32\nvwrsfr.dll

2007-12-05 00:41 327,680 ----a-w C:\WINDOWS\system32\nvwrsesm.dll

2007-12-05 00:41 327,680 ----a-w C:\WINDOWS\system32\nvrshe.dll

2007-12-05 00:41 327,680 ----a-w C:\WINDOWS\system32\nvrsar.dll

2007-12-05 00:41 323,584 ----a-w C:\WINDOWS\system32\nvwrspt.dll

2007-12-05 00:41 323,584 ----a-w C:\WINDOWS\system32\nvwrsit.dll

2007-12-05 00:41 319,488 ----a-w C:\WINDOWS\system32\nvwrsptb.dll

2007-12-05 00:41 319,488 ----a-w C:\WINDOWS\system32\nvwrsnl.dll

2007-12-05 00:41 315,392 ----a-w C:\WINDOWS\system32\nvwrsru.dll

2007-12-05 00:41 315,392 ----a-w C:\WINDOWS\system32\nvwrshu.dll

2007-12-05 00:41 311,296 ----a-w C:\WINDOWS\system32\nvwrsde.dll

2007-12-05 00:41 303,104 ----a-w C:\WINDOWS\system32\nvwrstr.dll

2007-12-05 00:41 303,104 ----a-w C:\WINDOWS\system32\nvwrssl.dll

2007-12-05 00:41 303,104 ----a-w C:\WINDOWS\system32\nvwrsfi.dll

2007-12-05 00:41 3,715,072 ----a-w C:\WINDOWS\system32\nvvitvsr.dll

2007-12-05 00:41 3,710,976 ----a-w C:\WINDOWS\system32\nvvitvs.dll

2007-12-05 00:41 3,420,160 ----a-w C:\WINDOWS\system32\nvgames.dll

2007-12-05 00:41 3,334,144 ----a-w C:\WINDOWS\system32\nvgamesr.dll

2007-12-05 00:41 299,008 ----a-w C:\WINDOWS\system32\nvwrssk.dll

2007-12-05 00:41 299,008 ----a-w C:\WINDOWS\system32\nvwrsno.dll

2007-12-05 00:41 294,912 ----a-w C:\WINDOWS\system32\nvwrssv.dll

2007-12-05 00:41 294,912 ----a-w C:\WINDOWS\system32\nvwrspl.dll

2007-12-05 00:41 294,912 ----a-w C:\WINDOWS\system32\nvwrsda.dll

2007-12-05 00:41 290,816 ----a-w C:\WINDOWS\system32\nvwrsth.dll

2007-12-05 00:41 286,720 ----a-w C:\WINDOWS\system32\nvwrseng.dll

2007-12-05 00:41 286,720 ----a-w C:\WINDOWS\system32\nvwrscs.dll

2007-12-05 00:41 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll

2007-12-05 00:41 282,624 ----a-w C:\WINDOWS\system32\nvwrsar.dll

2007-12-05 00:41 282,624 ----a-w C:\WINDOWS\system32\nvrsfr.dll

2007-12-05 00:41 282,624 ----a-w C:\WINDOWS\system32\nvrses.dll

2007-12-05 00:41 282,624 ----a-w C:\WINDOWS\system32\nvrsel.dll

2007-12-05 00:41 278,528 ----a-w C:\WINDOWS\system32\nvwrshe.dll

2007-12-05 00:41 278,528 ----a-w C:\WINDOWS\system32\nvrsit.dll

2007-12-05 00:41 278,528 ----a-w C:\WINDOWS\system32\nvrsde.dll

2007-12-05 00:41 274,432 ----a-w C:\WINDOWS\system32\nvrspt.dll

2007-12-05 00:41 274,432 ----a-w C:\WINDOWS\system32\nvrsnl.dll

2007-12-05 00:41 274,432 ----a-w C:\WINDOWS\system32\nvrsesm.dll

2007-12-05 00:41 270,336 ----a-w C:\WINDOWS\system32\nvrsru.dll

2007-12-05 00:41 266,240 ----a-w C:\WINDOWS\system32\nvrsptb.dll

2007-12-05 00:41 266,240 ----a-w C:\WINDOWS\system32\nvrsja.dll

2007-12-05 00:41 258,048 ----a-w C:\WINDOWS\system32\nvrstr.dll

2007-12-05 00:41 258,048 ----a-w C:\WINDOWS\system32\nvrssl.dll

2007-12-05 00:41 258,048 ----a-w C:\WINDOWS\system32\nvrssk.dll

2007-12-05 00:41 258,048 ----a-w C:\WINDOWS\system32\nvrsko.dll

2007-12-05 00:41 258,048 ----a-w C:\WINDOWS\system32\nvrshu.dll

2007-12-05 00:41 253,952 ----a-w C:\WINDOWS\system32\nvrsth.dll

2007-12-05 00:41 253,952 ----a-w C:\WINDOWS\system32\nvrssv.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]

"EPSON Stylus D68 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.exe" [2005-01-25 06:00 98304]

"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [ ]

"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-19 21:13 486856]

"RivaTunerStartupDaemon"="" []

"RivaTunerStatisticsServer"="C:\Program Files\RivaTuner v2.06\Tools\RivaTunerStatisticsServer\RivaTunerStatisticsServer.exe" [2007-10-30 19:05 57344]

"ASUS SmartDoctor"="C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe" [2007-12-14 10:40 1122304]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 14:21 61952 C:\WINDOWS\system32\HdAShCut.exe]

"M-Audio Taskbar Icon"="C:\WINDOWS\System32\M-AudioTaskBarIcon.exe" [2005-12-13 09:39 91136]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

"Launch PC Probe II"="C:\Program Files\ASUS\PC Probe II\Probe2.exe" [2007-05-09 09:38 2130432]

"EPSON Stylus D68 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.exe" [2005-01-25 06:00 98304]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]

"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\cfp.exe" [2007-11-24 16:40 1481984]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]

"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:56 15360]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Privoxy.lnk - C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe [2006-11-20 15:30:54 250368]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveSearch"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

 

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2007-11-24 16:40]

R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2007-11-24 16:40]

R1 EIO_XP;EIO_XP;C:\WINDOWS\system32\drivers\EIO_XP.sys [2006-06-14 13:44]

R2 MAudioUSBService;M-Audio USB Installer;C:\Program Files\M-Audio\Fast Track Pro\MAUSBInst.exe [2005-12-02 08:20]

R3 MAUSB;Service for M-Audio Fast Track Pro Driver (WDM);C:\WINDOWS\system32\DRIVERS\mausb.sys [2005-12-13 09:39]

 

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-02-04 03:32:26

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

PROCESS: C:\WINDOWS\system32\winlogon.exe

-> C:\WINDOWS\system32\guard32.dll

 

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]

-> C:\WINDOWS\system32\guard32.dll

.

Completion time: 2008-02-04 3:32:49

.

2008-01-09 13:52:06 --- E O F ---

Posted

If you create a restore point (Accessories -> System Tools -> System Restore), then choose to remove the file with AVG Anti-Rootkit, restart the PC and run a new scan to check whether anything more shows up, we'll see what happens. If it makes a mess, you just run System Restore back to before the deletion. The reason for this is that I can't guarantee that this ISN'T junk. Worth checking.

Posted

Every time I run AVG Anti-Rootkit Free, a rootkit of the "Hidden Driver File" type shows up in the same place, but with a new name each time, except that it always ends in .SYS and starts with "a".
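The name-changing "Hidden Driver File" report above is really a triage question: is it one persistent hidden file, or a driver that regenerates a helper file under a fresh name (the firewall, as the earlier reply suggests)? The Python below is an added example, not code from AVG, ComboFix or anyone in this thread: it parses ComboFix driver lines in the layout quoted above, scores driver names for the machine-generated pattern the poster describes, and compares two scan reports. The report format and the sample names ap3x7q1d and xyzdrv are constructed for the example.

```python
import re

# ComboFix driver line, laid out like the R1/R2/R3 lines quoted in the thread
DRIVER_LINE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<service>[^;]+);(?P<desc>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<stamp>[^\]]+)\]$"
)
# Hidden-driver line of a scan report: a constructed format, not AVG's own
HIDDEN_LINE = re.compile(r"^Hidden Driver File:\s*(?P<path>\S.*\.sys)\s*$", re.I)

def parse_combofix_drivers(text):
    """One dict (start, service, desc, path, stamp) per driver line."""
    hits = (DRIVER_LINE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in hits if m]

def base_name(path):
    # r"C:\WINDOWS\System32\Drivers\a0k6v39g.SYS" -> "a0k6v39g"
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()

def looks_generated(path):
    """Heuristic for names like a0k6v39g: 6-12 alphanumerics, two or more
    digits interleaved with letters, few vowels. Vendor names in the logs
    above (cmdguard, nv4_mini, sptd, PnkBstrK) fail at least one test."""
    base = base_name(path)
    if not re.fullmatch(r"[a-z0-9]{6,12}", base):
        return False
    digits = sum(c.isdigit() for c in base)
    vowels = sum(c in "aeiouy" for c in base)
    flips = sum(a.isdigit() != b.isdigit() for a, b in zip(base, base[1:]))
    return digits >= 2 and flips >= 3 and vowels <= 2

def hidden_drivers(report):
    """Paths reported as hidden drivers in one scan report."""
    hits = (HIDDEN_LINE.match(line.strip()) for line in report.splitlines())
    return [m.group("path") for m in hits if m]

def compare_scans(report_a, report_b):
    """Classify hidden drivers across two scans of the same machine:
    persistent = same path both times (hash it, submit to a multi-engine
    scanner before deleting); renamed = generated-looking name in the same
    directory that changed between scans (a driver regenerating a helper
    file); new = only in the second scan and not explained as a rename."""
    a = {p.lower(): p for p in hidden_drivers(report_a)}
    b = {p.lower(): p for p in hidden_drivers(report_b)}
    persistent = [b[k] for k in b if k in a]
    gone = [a[k] for k in a if k not in b]
    renamed, new = [], []
    for k, path in b.items():
        if k in a:
            continue
        same_dir = [g for g in gone if g.lower().rsplit("\\", 1)[0] == k.rsplit("\\", 1)[0]]
        old = next((g for g in same_dir if looks_generated(g) and looks_generated(path)), None)
        if old is None:
            new.append(path)
        else:
            renamed.append((old, path))
            gone.remove(old)
    return {"persistent": persistent, "renamed": renamed, "new": new}

# Constructed samples: the ComboFix lines copy the layout quoted above; the
# scan reports invent a second name (ap3x7q1d) and a control driver (xyzdrv).
COMBOFIX_SAMPLE = r"""
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2007-11-24 16:40]
R1 EIO_XP;EIO_XP;C:\WINDOWS\system32\drivers\EIO_XP.sys [2006-06-14 13:44]
"""
SCAN_1 = r"""
Hidden Driver File: C:\WINDOWS\System32\Drivers\a0k6v39g.SYS
Hidden Driver File: C:\WINDOWS\System32\Drivers\xyzdrv.sys
"""
SCAN_2 = r"""
Hidden Driver File: C:\WINDOWS\System32\Drivers\ap3x7q1d.SYS
Hidden Driver File: C:\WINDOWS\System32\Drivers\xyzdrv.sys
"""
```

A persistent hidden path is what to hash and submit to a multi-engine scanner such as the Jotti service mentioned above; a name that changes on every scan inside the same directory is more consistent with a driver regenerating its helper file, and the restore-point-first approach in the reply above is the safe way to test removal.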
