- I certainly have a rootkit on another laptop, and I had shared USB drives between them.
- The laptop feels pretty slow at startup and in general use.
So I did the following things:
- Removed any unused programs to make more space on C:\.
- Ran a full scan with AVG, which did not report anything.
- Ran a scan with GMER, which did report rootkit activity.
Two items were marked red in the GMER report. They were related to OpenOffice.org. I uninstalled OOO shortly before. Could this be some leftover? Or do I need to worry? Thanks a lot, Ralph.
Here is the DDS log:
CODE
DDS (Ver_09-12-01.01) - NTFSx86
Run by hab at 19:38:10,48 on 28.02.2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.1271.558 [GMT 8:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\Programme\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\basfipm.exe
C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
c:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Programme\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Programme\Dell\QuickSet\quickset.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\D-Tools\daemon.exe
C:\WINDOWS\PixArt\PAC7302\Monitor.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Skype\Phone\Skype.exe
C:\Programme\Digital Line Detect\DLG.exe
C:\Programme\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Programme\AVG\AVG9\avgwdsvc.exe
C:\Programme\AVG\AVG9\avgnsx.exe
C:\Programme\AVG\AVG9\avgemc.exe
C:\Programme\AVG\AVG9\avgcsrvx.exe
C:\Programme\AVG\AVG9\avgchsvx.exe
C:\Programme\AVG\AVG9\avgrsx.exe
C:\Programme\AVG\AVG9\avgcsrvx.exe
C:\Programme\AVG\AVG9\avgtray.exe
C:\Programme\Mozilla Firefox\firefox.exe
d:\emacs-21.3\bin\emacs.exe
D:\Downloads\ngjxq1gr.exe
C:\PROGRA~1\MOZILL~2\THUNDE~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Dokumente und Einstellungen\hab\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = about:blank
uDefault_Page_URL = hxxp://www.euro.dell.com/countries/at/dea/gen/default.htm
uInternet Connection Wizard,ShellNext = hxxp://www.euro.dell.com/countries/at/dea/gen/default.htm
uInternet Settings,ProxyOverride = fritz.box
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\programme\avg\avg9\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\programme\messenger\msmsgs.exe" /background
uRun: [updateMgr] "c:\programme\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
uRun: [Skype] "c:\programme\skype\phone\Skype.exe" /nosplash /minimized
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Dell QuickSet] c:\programme\dell\quickset\quickset.exe
mRun: [<NO NAME>]
mRun: [IntelWireless] c:\programme\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [SynTPLpr] c:\programme\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\programme\synaptics\syntp\SynTPEnh.exe
mRun: [DAEMON Tools-1033] "c:\programme\d-tools\daemon.exe" -lang 1033
mRun: [DXM6Patch_981116] c:\windows\p_981116.exe /Q:A
mRun: [ElbyCheckElbyCDFL] "c:\programme\elaborate bytes\clonecd\ElbyCheck.exe" /L ElbyCDFL
mRun: [NeroFilterCheck] c:\programme\gemeinsame dateien\ahead\lib\NeroCheck.exe
mRun: [PAC7302_Monitor] c:\windows\pixart\pac7302\Monitor.exe
mRun: [MSKDetectorExe] c:\programme\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [QuickTime Task] "c:\programme\quicktime\QTTask.exe" -atboottime
mRun: [CarboniteSetupLite] "c:\programme\carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=900
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Picasa Media Detector] c:\programme\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\adobeg~1.lnk - c:\programme\gemeinsame dateien\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\digita~1.lnk - c:\programme\digital line detect\DLG.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Nach Microsoft &Excel exportieren - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\programme\gemeinsame dateien\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\programme\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\gemein~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: IntelWireless - c:\programme\intel\wireless\bin\LgNotify.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\programme\gemeinsame dateien\lightscribe\LSRunOnce.exe"
================= FIREFOX ===================
FF - ProfilePath - c:\dokume~1\hab\anwend~1\mozilla\firefox\profiles\029gokbv.default\
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:de-DE:official
FF - component: c:\programme\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpjplug.dll
FF - plugin: c:\programme\google\picasa3\npPicasa3.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
============= SERVICES / DRIVERS ===============
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2005-7-3 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2005-7-3 5248]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-28 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-2-28 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-28 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\programme\avg\avg9\avgemc.exe [2010-2-28 906520]
R2 avg9wd;AVG Free WatchDog;c:\programme\avg\avg9\avgwdsvc.exe [2010-2-28 285392]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe --> c:\progra~1\mcafee\viruss~1\mcshield.exe [?]
S3 AVMUNET;AVM FRITZ!Box;c:\windows\system32\drivers\avmunet.sys [2005-11-21 15104]
S3 maxidemo;Maxi_Vista_Demo_Driver;c:\windows\system32\drivers\maxidemo.sys --> c:\windows\system32\drivers\maxidemo.sys [?]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe --> c:\progra~1\mcafee\viruss~1\mcsysmon.exe [?]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
=============== Created Last 30 ================
==================== Find3M ====================
2010-02-27 10:50:47 99344 ----a-w- c:\windows\system32\perfc007.dat
2010-02-27 10:50:47 498532 ----a-w- c:\windows\system32\perfh007.dat
2010-01-19 16:52:45 63111 -c--a-w- c:\windows\fonts\AdobeFnt.lst
2010-01-19 13:04:44 33512 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-08 22:42:58 3366912 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-21 19:05:02 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-21 19:05:02 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2009-12-21 19:05:02 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-12-21 19:05:01 1208832 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-12-21 19:05:00 5942784 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-12-21 19:05:00 206848 ------w- c:\windows\system32\dllcache\occache.dll
2009-12-21 19:04:56 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-12-21 19:04:56 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-12-21 19:04:55 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2009-12-21 19:04:54 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-12-21 19:04:53 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-21 19:04:53 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
2009-12-21 19:04:52 11070464 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-12-21 19:04:49 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2009-12-21 13:18:55 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-17 07:40:01 346624 ----a-w- c:\windows\system32\mspaint.exe
2009-12-17 07:40:01 346624 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:20 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:20 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-09 10:06:03 2191488 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-09 10:06:03 2191488 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-09 10:06:03 2068352 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-09 10:06:03 2068352 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-09 10:05:52 2147840 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-09 10:05:51 2026496 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-09 05:53:44 726528 ----a-w- c:\windows\system32\dllcache\jscript.dll
2009-12-08 09:23:28 474624 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-04 18:22:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2005-07-25 19:45:30 421888 ----a-w- c:\programme\putty.exe
============= FINISH: 19:39:23,60 ===============
And here is the GMER log:
CODE
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-28 19:24:31
Windows 5.1.2600 Service Pack 3
Running: ngjxq1gr.exe; Driver: C:\DOKUME~1\hab\LOKALE~1\Temp\pxtdipow.sys
---- System - GMER 1.0.15 ----
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwClose [0xF75BD818]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreateKey [0xF75BD7D0]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateKey [0xF75B22A8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateValueKey [0xF75BD910]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwOpenKey [0xF75BD794]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryKey [0xF75B22C8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryValueKey [0xF75BD866]
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 8A4BE3B8
Device \FileSystem\Fastfat \FatCdrom 8A1B01C8
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \FileSystem\Rdbss \Device\FsWrap 89837290
Device \FileSystem\Srv \Device\LanmanServer 8A19B7A8
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89834D38
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89834D38
Device \FileSystem\Npfs \Device\NamedPipe 89836A58
Device \FileSystem\Msfs \Device\Mailslot 898A3850
Device \FileSystem\Fastfat \Fat 8A1B01C8
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 8A394380
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 8A394380
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 8A394380
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 8A394380
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 8A394380
---- Processes - GMER 1.0.15 ----
Library C:\Programme\OpenOffice.org (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [2356] 0x61310000
Library C:\Programme\OpenOffice.org (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [2356] 0x60E20000
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@khjeh 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41@khjeh 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41@hj34z0 0xBC 0x6B 0xA0 0xA5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42@khjeh 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42@hj34z0 0x8A 0xE3 0x1E 0xED ...
---- EOF - GMER 1.0.15 ----