[Inactive] Malware on XP and Win 7 machine, infecting FTP

  1. #1
    Join Date
    Jun 2012
    Posts
    2

    [Inactive] Malware on XP and Win 7 machine, infecting FTP

    Hi, I got suspicious when AntiVir on my XP machine started to block a lot of processes last week. Then one of my clients (I'm a web developer) informed me that his FTP server got infected (.htaccess manipulation to a site called "www.couchtarts[DOT]com" - you'd better not open it). I then checked my other FTP servers and they all seem to be affected. I changed the passwords from another machine and it seems to be fine as of now. I have never experienced something like that before. Needless to say, I want to prevent more attacks, so I greatly appreciate your help.

    As for my computers:

    My XP usually runs under a normal user (not administrator) and I try to keep up with XP and virus definition updates as well as possible. In order to emulate the Windows UAC ("run as administrator" mode) I installed the tool called "surun", which worked fine but - thinking about it now - might have played an important role in letting the malware in.

    The other machine is on Win 7 Pro, "restricted" user too.

    I started researching after the "attack" and followed your instructions in the "Read Me" thread. I'm going to post both the XP and Win 7 logfiles. Generally, I set up the Win 7 system in December '11 and the XP home has been running since 2008. As I'm planning on putting an SSD into the XP laptop, I will get rid of XP soon anyway, so I'm a little more concerned about the Win 7 installation and that I might include infected files in a backup of the XP PC.

    Another thing: I installed a new router last week to improve the performance of my home network (I have a pretty good line to the internet, 1 Gbit/s, reaching max speeds of ca. 300 Mbit/s for both down- and upload). Don't know if there could be a connection, though.

    As for the software -
    I'm running Avira Free and the standard Windows Firewall, Defender disabled on both systems (XP/Win7)

    Ok, let's do this..
    Thanks in advance for taking your time. Help is greatly appreciated.

    STEP 1 - MALWAREBYTES

    XP: 5 found in quick mode, removed all
    W7: 17 found, removed all of them

    STEP 2 - GMER

    XP: not quite finished, but a very long list already - will post a comment soon
    W7:
    Code:
    Reg   HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00158315a310
    Reg   HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00158315a310@8400d269e582   0x6B 0xCE 0xCA 0x86 ...
    Reg   HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001f81000830
    Reg   HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00158315a310 (not active ControlSet)
    Reg   HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00158315a310@8400d269e582   0x6B 0xCE 0xCA 0x86 ...
    Reg   HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001f81000830 (not active ControlSet)
    Will keep you updated on the XP.

    STEP 3:

    Win 7:
    Code:
    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-06-27 03:02:39
    -----------------------------
    03:02:39.555    OS Version: Windows x64 6.1.7601 Service Pack 1
    03:02:39.555    Number of processors: 2 586 0x170A
    03:02:39.555    ComputerName: DS-PC  UserName: 
    03:02:40.227    Initialize success
    03:03:54.654    AVAST engine defs: 12062601
    03:04:06.427    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T1L0-4
    03:04:06.427    Disk 0 Vendor: MAXTOR_STM3160215AS 4.AAB Size: 152627MB BusType: 3
    03:04:06.427    Disk 1  \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-5
    03:04:06.427    Disk 1 Vendor: WDC_WD10EADS-00L5B1 01.01A01 Size: 953869MB BusType: 3
    03:04:06.443    Disk 0 MBR read successfully
    03:04:06.443    Disk 0 MBR scan
    03:04:06.474    Disk 0 Windows 7 default MBR code
    03:04:06.474    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       100962 MB offset 63
    03:04:06.521    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS        51663 MB offset 206772224
    03:04:06.568    Disk 0 scanning C:\Windows\system32\drivers
    03:04:21.005    Service scanning
    03:05:00.601    Modules scanning
    03:05:00.601    Disk 0 trace - called modules:
    03:05:01.044    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys 
    03:05:01.060    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80033e26d0]
    03:05:01.060    3 CLASSPNP.SYS[fffff8800199f43f] -> nt!IofCallDriver -> [0xfffffa800316b520]
    03:05:01.060    5 ACPI.sys[fffff88000f537a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T1L0-4[0xfffffa8003290060]
    03:05:01.638    AVAST engine scan C:\Windows
    03:05:03.728    AVAST engine scan C:\Windows\system32
    03:08:53.789    AVAST engine scan C:\Windows\system32\drivers
    03:09:10.216    AVAST engine scan C:\Users\Daniel
    03:15:12.420    AVAST engine scan C:\ProgramData
    03:15:57.090    Scan finished successfully
    03:29:30.578    Disk 0 MBR has been saved successfully to "C:\Users\Daniel\Desktop\MBR.dat"
    03:29:30.578    The log file has been saved successfully to "C:\Users\Daniel\Desktop\aswMBR.txt"
    03:41:19.955    Disk 0 MBR has been saved successfully to "C:\Users\Daniel\Desktop\MBR.dat"
    03:41:19.958    The log file has been saved successfully to "C:\Users\Daniel\Desktop\aswMBR.txt"
    XP: not there yet, will post a comment once it's ready - I'm curious about that one

    Step 4- DDS

    Code:
    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64 
    Internet Explorer: 9.0.8112.16421  BrowserJavaVersion: 1.6.0_30
    Run by Daniel at 3:09:35 on 2012-06-27
    Microsoft Windows 7 Professional   6.1.7601.1.1252.49.1031.18.3071.1539 [GMT 2:00]
    .
    AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
    SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files (x86)\Icecast2 Win32\icecastService.exe
    C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files (x86)\REALTEK\RTL8187 Wireless LAN Utility\RtlService.exe
    C:\Program Files (x86)\REALTEK\RTL8187 Wireless LAN Utility\RtWlan.exe
    C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVH.EXE
    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\Common Files\Ulead Systems\AutoDetector\Monitor.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Opera x64\opera.exe
    Q:\140061.deu\Office14\MSOSYNC.EXE
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe
    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Users\Daniel\Desktop\bu8xtwog.exe
    C:\Users\Daniel\Desktop\aswMBR.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Program Files\Opera x64\pluginwrapper\opera_plugin_wrapper.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
    BHO: Windows Live ID-Anmelde-Hilfsprogramm: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    uRun: [AdobeBridge] 
    uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
    uRun: [loxyc] rundll32.exe "C:\Users\Daniel\AppData\Roaming\loxyc.dll",UlStripWhitespace
    uRun: [OfficeSyncProcess] "C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE" /quietlaunch "MSOSYNC 9014006104070000"
    mRun: [DelReg] C:\Program Files (x86)\MSI\DualCoreCenter\DelReg.exe
    mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [Ulead AutoDetector v2] C:\Program Files (x86)\Common Files\Ulead Systems\AutoDetector\monitor.exe
    mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun: [BrStsWnd] C:\Program Files (x86)\Brownie\BrstsW64.exe Autorun
    mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    StartupFolder: C:\Users\Daniel\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{0206216C-B5D5-414F-9191-77F73EF40EA7}\E4544574541425 : DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{3DF6BCD6-1255-41C3-9034-29FEC4B9E0B4} : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{949D905B-7AD2-4CFC-A3FE-FF004324CBC5} : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{FEA498BE-989B-4ABC-B2BF-D2F33639EC35} : DhcpNameServer = 192.168.42.129
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
    {18DF081C-E8AD-4283-A596-FA578C2EBDC3}
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
    {9030D464-4C02-4ABF-8ECC-5164760863C6}
    {DBC80044-A445-435b-BC74-9C25C1C588A9}
    TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    mRun-x64: [DelReg] C:\Program Files (x86)\MSI\DualCoreCenter\DelReg.exe
    mRun-x64: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
    mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun-x64: [Ulead AutoDetector v2] C:\Program Files (x86)\Common Files\Ulead Systems\AutoDetector\monitor.exe
    mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun-x64: [BrStsWnd] C:\Program Files (x86)\Brownie\BrstsW64.exe Autorun
    mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Daniel\AppData\Roaming\Mozilla\Firefox\Profiles\d4sfb0kh.default\
    FF - plugin: C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_262.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 avkmgr;avkmgr;C:\Windows\system32\DRIVERS\avkmgr.sys --> C:\Windows\system32\DRIVERS\avkmgr.sys [?]
    R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\system32\DRIVERS\dtsoftbus01.sys --> C:\Windows\system32\DRIVERS\dtsoftbus01.sys [?]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
    R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
    R2 AntiVirSchedulerService;Avira Planer;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2011-12-25 86224]
    R2 AntiVirService;Avira Echtzeit Scanner;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2011-12-25 110032]
    R2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]
    R2 cpuz135;cpuz135;\??\C:\Windows\system32\drivers\cpuz135_x64.sys --> C:\Windows\system32\drivers\cpuz135_x64.sys [?]
    R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
    R2 Icecast-trunk;Icecast-trunk Streaming Media Server;C:\Program Files (x86)\Icecast2 Win32\icecastService.exe [2012-6-9 417792]
    R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-6-27 654408]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-12-25 2253120]
    R2 Realtek87B;Realtek87B;C:\Program Files (x86)\REALTEK\RTL8187 Wireless LAN Utility\RtlService.exe [2011-12-25 40960]
    R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]
    R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
    R3 RDPDISPM;RDPDISPM;C:\Windows\system32\DRIVERS\rdpdispm.sys --> C:\Windows\system32\DRIVERS\rdpdispm.sys [?]
    R3 RTL8167;Realtek 8167 NT-Treiber;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
    R3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
    R3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
    R3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]
    R3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]
    R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-3-30 250056]
    S3 dmvsc;dmvsc;C:\Windows\system32\drivers\dmvsc.sys --> C:\Windows\system32\drivers\dmvsc.sys [?]
    S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
    S3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;C:\Windows\system32\DRIVERS\rtl8187.sys --> C:\Windows\system32\DRIVERS\rtl8187.sys [?]
    S3 StorSvc;Speicherdienst;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
    S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
    S3 WSDPrintDevice;WSD-Druckunterstützung durch UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys --> C:\Windows\system32\DRIVERS\WSDPrint.sys [?]
    S3 WSDScan;WSD-Scanunterstützung durch UMB;C:\Windows\system32\DRIVERS\WSDScan.sys --> C:\Windows\system32\DRIVERS\WSDScan.sys [?]
    S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
    .
    =============== Created Last 30 ================
    .
    2012-06-26 22:24:26	--------	d-----w-	C:\Users\Daniel\AppData\Roaming\Malwarebytes
    2012-06-26 22:24:04	24904	----a-w-	C:\Windows\System32\drivers\mbam.sys
    2012-06-26 22:24:04	--------	d-----w-	C:\ProgramData\Malwarebytes
    2012-06-26 22:24:04	--------	d-----w-	C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-06-24 23:13:11	--------	d-----r-	C:\Users\Daniel\AppData\Roaming\Brother
    2012-06-24 23:12:47	77824	------w-	C:\Windows\SysWow64\brlmw03a.dll
    2012-06-24 23:12:47	--------	d-----w-	C:\Program Files (x86)\Brownie
    2012-06-24 23:12:11	24223	----a-w-	C:\Windows\SysWow64\BRLM03A.DLL
    2012-06-24 23:12:11	176128	----a-w-	C:\Windows\SysWow64\BROSNMP.DLL
    2012-06-24 23:12:11	111928	----a-w-	C:\Windows\SysWow64\BRRBTOOL.EXE
    2012-06-24 23:12:10	200704	------w-	C:\Windows\SysWow64\Pdrvinst.dll
    2012-06-24 23:11:40	69715	----a-w-	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\ctor.dll
    2012-06-24 23:11:40	266240	----a-w-	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iscript.dll
    2012-06-24 23:11:40	172032	----a-w-	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iuser.dll
    2012-06-24 23:11:39	733184	----a-w-	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iKernel.dll
    2012-06-24 23:11:39	5632	----a-w-	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\DotNetInstaller.exe
    2012-06-24 23:11:38	303236	----a-w-	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\setup.dll
    2012-06-24 23:11:38	180356	----a-w-	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iGdi.dll
    2012-06-22 23:33:24	2622464	----a-w-	C:\Windows\System32\wucltux.dll
    2012-06-22 23:32:59	99840	----a-w-	C:\Windows\System32\wudriver.dll
    2012-06-22 23:32:41	36864	----a-w-	C:\Windows\System32\wuapp.exe
    2012-06-22 23:32:41	186752	----a-w-	C:\Windows\System32\wuwebv.dll
    2012-06-17 20:11:02	--------	d-----w-	C:\Users\Daniel\AppData\Local\Macromedia
    2012-06-15 22:30:23	--------	d-----w-	C:\Users\Daniel\AppData\Local\ZaraRadio
    2012-06-15 22:30:04	--------	d-----w-	C:\Program Files (x86)\ZaraSoft
    2012-06-14 23:54:52	--------	d-----w-	C:\Users\Daniel\AppData\Local\Microsoft Help
    2012-06-14 23:00:37	--------	d-----w-	C:\Program Files (x86)\Opera x64
    2012-06-14 23:00:36	--------	d-----w-	C:\Program Files\Opera x64
    2012-06-13 21:03:51	--------	d-----w-	C:\Windows\SysWow64\QuickTime
    2012-06-13 21:03:14	--------	d-----w-	C:\Program Files (x86)\Common Files\TechSmith Shared
    2012-06-13 11:35:40	9216	----a-w-	C:\Windows\System32\rdrmemptylst.exe
    2012-06-09 23:23:50	--------	d-----w-	C:\Users\Daniel\AppData\Local\{A7B25938-7411-4F4E-BAC8-63269A331221}
    2012-06-09 23:23:49	--------	d-----w-	C:\Users\Daniel\AppData\Local\{896A2587-5B7F-4757-93D7-E249AA4952A5}
    2012-06-08 22:07:54	--------	d-----w-	C:\Program Files (x86)\Icecast2 Win32
    2012-06-08 22:04:55	--------	d-----w-	C:\Program Files (x86)\edcast
    2012-05-29 22:16:46	15128	----a-w-	C:\Users\Daniel\AppData\Roaming\Microsoft\IdentityCRL\production\ppcrlconfig.dll
    .
    ==================== Find3M  ====================
    .
    2012-06-23 00:13:09	70344	----a-w-	C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-06-23 00:13:09	426184	----a-w-	C:\Windows\SysWow64\FlashPlayerApp.exe
    2012-05-23 23:19:50	466456	----a-w-	C:\Windows\System32\wrap_oal.dll
    2012-05-23 23:19:50	444952	----a-w-	C:\Windows\SysWow64\wrap_oal.dll
    2012-05-23 23:19:50	122904	----a-w-	C:\Windows\System32\OpenAL32.dll
    2012-05-23 23:19:50	109080	----a-w-	C:\Windows\SysWow64\OpenAL32.dll
    2012-05-18 02:06:48	2311680	----a-w-	C:\Windows\System32\jscript9.dll
    2012-05-18 01:59:14	1392128	----a-w-	C:\Windows\System32\wininet.dll
    2012-05-18 01:58:39	1494528	----a-w-	C:\Windows\System32\inetcpl.cpl
    2012-05-18 01:55:22	173056	----a-w-	C:\Windows\System32\ieUnatt.exe
    2012-05-18 01:51:30	2382848	----a-w-	C:\Windows\System32\mshtml.tlb
    2012-05-17 22:45:37	1800192	----a-w-	C:\Windows\SysWow64\jscript9.dll
    2012-05-17 22:35:47	1129472	----a-w-	C:\Windows\SysWow64\wininet.dll
    2012-05-17 22:35:39	1427968	----a-w-	C:\Windows\SysWow64\inetcpl.cpl
    2012-05-17 22:29:45	142848	----a-w-	C:\Windows\SysWow64\ieUnatt.exe
    2012-05-17 22:24:45	2382848	----a-w-	C:\Windows\SysWow64\mshtml.tlb
    2012-05-15 01:32:33	3146752	----a-w-	C:\Windows\System32\win32k.sys
    2012-05-10 17:04:55	98848	----a-w-	C:\Windows\System32\drivers\avgntflt.sys
    2012-05-04 11:06:22	5559664	----a-w-	C:\Windows\System32\ntoskrnl.exe
    2012-05-04 10:03:53	3968368	----a-w-	C:\Windows\SysWow64\ntkrnlpa.exe
    2012-05-04 10:03:50	3913072	----a-w-	C:\Windows\SysWow64\ntoskrnl.exe
    2012-05-01 05:40:20	209920	----a-w-	C:\Windows\System32\profsvc.dll
    2012-04-28 03:55:21	210944	----a-w-	C:\Windows\System32\drivers\rdpwd.sys
    2012-04-26 05:41:56	77312	----a-w-	C:\Windows\System32\rdpwsx.dll
    2012-04-26 05:41:55	149504	----a-w-	C:\Windows\System32\rdpcorekmts.dll
    2012-04-24 05:37:37	184320	----a-w-	C:\Windows\System32\cryptsvc.dll
    2012-04-24 05:37:37	140288	----a-w-	C:\Windows\System32\cryptnet.dll
    2012-04-24 05:37:36	1462272	----a-w-	C:\Windows\System32\crypt32.dll
    2012-04-24 04:36:42	140288	----a-w-	C:\Windows\SysWow64\cryptsvc.dll
    2012-04-24 04:36:42	1158656	----a-w-	C:\Windows\SysWow64\crypt32.dll
    2012-04-24 04:36:42	103936	----a-w-	C:\Windows\SysWow64\cryptnet.dll
    2012-04-10 20:59:22	525544	----a-w-	C:\Windows\System32\deployJava1.dll
    2012-04-07 12:31:40	3216384	----a-w-	C:\Windows\System32\msi.dll
    2012-04-07 11:26:29	2342400	----a-w-	C:\Windows\SysWow64\msi.dll
    2012-03-30 11:35:47	1918320	----a-w-	C:\Windows\System32\drivers\tcpip.sys
    .
    ============= FINISH:  3:10:29,60 ===============
    I ran the anti-malware tool from Step 1 in complete mode on my Win 7 system, but on the netbook it will probably take days.. do you think that is necessary?
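The Win 7 DDS log above contains one autorun entry that stands out from the rest: `uRun: [loxyc] rundll32.exe "C:\Users\Daniel\AppData\Roaming\loxyc.dll",UlStripWhitespace`, a DLL loaded from a directory the restricted user can write to, by a signed Windows host binary, rather than an installed program under Program Files. The following Python script is an added example written for this page; it is not part of the thread and not a tool the forum uses. It parses the `uRun`/`mRun` lines in the DDS "Pseudo HJT Report" format (the format is assumed from the lines shown here), resolves which file each entry actually loads (following `rundll32.exe` to its DLL argument), and flags entries whose image lives in a user-writable directory or whose command line is empty. The list of user-writable directory fragments is a heuristic assumption, and the sample report is copied from the log in this thread.

```python
import re

# Sample input, copied from the DDS report posted above (constructed for this example).
SAMPLE_REPORT = r"""
uRun: [AdobeBridge]
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
uRun: [loxyc] rundll32.exe "C:\Users\Daniel\AppData\Roaming\loxyc.dll",UlStripWhitespace
uRun: [OfficeSyncProcess] "C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE" /quietlaunch "MSOSYNC 9014006104070000"
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [BrStsWnd] C:\Program Files (x86)\Brownie\BrstsW64.exe Autorun
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
"""

# Heuristic (assumption): path fragments a standard, non-admin user can write to.
# Paths are normalised to lower case with forward slashes before matching.
USER_WRITABLE_FRAGMENTS = (
    "/appdata/roaming/",
    "/appdata/local/",
    "/temp/",
    "/users/public/",
)

# "uRun: [Name] command" / "mRun-x64: [Name] command" as printed by DDS.
RUN_LINE = re.compile(r"^(?P<key>[um]Run(?:-x64)?):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# First token of a command line: either a quoted string or a run of non-spaces.
FIRST_TOKEN = re.compile(r'"([^"]+)"|(\S+)')
# rundll32 argument: quoted path, or an unquoted path up to the ",EntryPoint" separator.
DLL_TOKEN = re.compile(r'"([^"]+)"|([^,\s]+)')


def parse_run_entries(report):
    """Yield {key, name, cmd} for every uRun/mRun line in a DDS-style report."""
    for line in report.splitlines():
        match = RUN_LINE.match(line.strip())
        if match:
            yield match.groupdict()


def resolve_image(cmd):
    """Return (path, via_rundll32) for the file a Run-key command really loads.

    For a plain command this is the first token; for rundll32.exe it is the DLL
    argument that follows it. Returns (None, False) for an empty command line.
    Unquoted paths containing spaces are truncated at the first space, which is
    the same ambiguity Windows itself has to resolve at launch time.
    """
    cmd = cmd.strip()
    match = FIRST_TOKEN.match(cmd)
    if not match:
        return None, False
    first = match.group(1) or match.group(2)
    if first.lower().endswith("rundll32.exe"):
        dll = DLL_TOKEN.match(cmd[match.end():].lstrip())
        return ((dll.group(1) or dll.group(2)) if dll else None), True
    return first, False


def is_user_writable(path):
    """True if the path lies under one of the heuristic user-writable directories."""
    normalised = path.lower().replace("\\", "/")
    return any(fragment in normalised for fragment in USER_WRITABLE_FRAGMENTS)


def triage(report):
    """Return the Run-key entries a helper should look at first, each with reasons."""
    findings = []
    for entry in parse_run_entries(report):
        path, via_rundll32 = resolve_image(entry["cmd"])
        reasons = []
        if path is None:
            reasons.append("empty command line (stale or already-cleaned entry)")
        elif is_user_writable(path):
            if via_rundll32:
                reasons.append("rundll32.exe loads a DLL from a user-writable directory")
            else:
                reasons.append("autostart image lives in a user-writable directory")
        if reasons:
            findings.append({"key": entry["key"], "name": entry["name"],
                             "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(f'{finding["key"]} [{finding["name"]}] -> {finding["path"]}')
        for reason in finding["reasons"]:
            print(f"    {reason}")
```

Run against the sample, the script reports two entries: `[AdobeBridge]`, whose command line is empty (a leftover key with nothing behind it), and `[loxyc]`, the rundll32-loaded DLL under `AppData\Roaming`. Everything under Program Files passes. A hit is a lead to examine, not a verdict: a legitimate per-user installer can also place its autostart under AppData, so the next step for a helper is to look at the file itself (publisher, timestamps, whether the export name makes sense for the DLL) before deciding what to remove.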

  2. #2
    Join Date
    Jun 2012
    Posts
    2
    Here is the GMER log file from the XP system:

    Code:
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-06-27 03:45:25
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD80 rev.04.0
    Running: tz4dxvp7.exe; Driver: C:\DOKUME~1\Admin\LOKALE~1\Temp\fgtdapog.sys
    
    
    ---- System - GMER 1.0.15 ----
    
    SSDT    BA7FEE24    ZwClose
    SSDT    BA7FEDDE    ZwCreateKey
    SSDT    BA7FEE2E    ZwCreateSection
    SSDT    BA7FEDD4    ZwCreateThread
    SSDT    BA7FEDE3    ZwDeleteKey
    SSDT    BA7FEDED    ZwDeleteValueKey
    SSDT    BA7FEE1F    ZwDuplicateObject
    SSDT    speq.sys    ZwEnumerateKey [0xB9EC6CA2]
    SSDT    speq.sys    ZwEnumerateValueKey [0xB9EC7030]
    SSDT    BA7FEDF2    ZwLoadKey
    SSDT    speq.sys    ZwOpenKey [0xB9EA80C0]
    SSDT    BA7FEDC0    ZwOpenProcess
    SSDT    BA7FEDC5    ZwOpenThread
    SSDT    speq.sys    ZwQueryKey [0xB9EC7108]
    SSDT    BA7FEE47    ZwQueryValueKey
    SSDT    BA7FEDFC    ZwReplaceKey
    SSDT    BA7FEE38    ZwRequestWaitReplyPort
    SSDT    BA7FEDF7    ZwRestoreKey
    SSDT    BA7FEE33    ZwSetContextThread
    SSDT    BA7FEE3D    ZwSetSecurityObject
    SSDT    BA7FEDE8    ZwSetValueKey
    SSDT    BA7FEE42    ZwSystemDebugControl
    SSDT    BA7FEDCF    ZwTerminateProcess
    
    INT 0x63        ?                                                                                                                                                           8AF93BF8
    INT 0x83        ?                                                                                                                                                           8A493BF8
    INT 0xA4        ?                                                                                                                                                           8A493BF8
    INT 0xB4        ?                                                                                                                                                           8A493BF8
    
    ---- Kernel code sections - GMER 1.0.15 ----
    
    .text           ntkrnlpa.exe!ZwCallbackReturn + 2FB8                                                                                                                        80504870 4 Bytes  CALL 930AC862 \SystemRoot\system32\drivers\RtkHDAud.sys (Realtek(r) High Definition Audio Function Driver/Realtek Semiconductor Corp.)
    ?               rkdwphc.sys                                                                                                                                                 The system cannot find the file specified. !
    ?               speq.sys                                                                                                                                                    The system cannot find the file specified. !
    .text           USBPORT.SYS!DllUnload                                                                                                                                       B82BF8AC 5 Bytes  JMP 8A4931D8 
    .text           aiywevw7.SYS                                                                                                                                                B823A386 35 Bytes  [00, 00, 00, 00, 00, 00, 20, ...]
    .text           aiywevw7.SYS                                                                                                                                                B823A3AA 24 Bytes  [00, 00, 00, 00, 00, 00, 00, ...]
    .text           aiywevw7.SYS                                                                                                                                                B823A3C4 3 Bytes  [00, 70, 02] {ADD [EAX+0x2], DH}
    .text           aiywevw7.SYS                                                                                                                                                B823A3C9 1 Byte  [2E]
    .text           aiywevw7.SYS                                                                                                                                                B823A3C9 11 Bytes  [2E, 00, 00, 00, 5A, 02, 00, ...]
    .text           ...                                                                                                                                                         
    .text           C:\WINDOWS\system32\drivers\ACEDRV07.sys                                                                                                                    section is writeable [0x8DF8E000, 0x328BA, 0xE8000020]
    .pklstb         C:\WINDOWS\system32\drivers\ACEDRV07.sys                                                                                                                    entry point in ".pklstb" section [0x8DFD2000]
    .relo2          C:\WINDOWS\system32\drivers\ACEDRV07.sys                                                                                                                    unknown last section [0x8DFEE000, 0x8E, 0x42000040]
    
    ---- Kernel IAT/EAT - GMER 1.0.15 ----
    
    IAT             \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]                                                                                          [B9EB9048] speq.sys
    IAT             \SystemRoot\System32\Drivers\aiywevw7.SYS[HAL.dll!KfAcquireSpinLock]                                                                                        C0840CEC
    IAT             \SystemRoot\System32\Drivers\aiywevw7.SYS[HAL.dll!READ_PORT_UCHAR]                                                                                          053C0D74
    IAT             \SystemRoot\System32\Drivers\aiywevw7.SYS[HAL.dll!KeGetCurrentIrql]                                                                                         57B80974
    IAT             \SystemRoot\System32\Drivers\aiywevw7.SYS[HAL.dll!KfRaiseIrql]                                                                                              8B000000
    IAT             \SystemRoot\System32\Drivers\aiywevw7.SYS[HAL.dll!KfLowerIrql]                                                                                              56C35DE5
    IAT             \SystemRoot\System32\Drivers\aiywevw7.SYS[HAL.dll!HalGetInterruptVector]                                                                                    8D08758B
    IAT             \SystemRoot\System32\Drivers\aiywevw7.SYS[HAL.dll!HalTranslateBusAddress]                                                                                   8D51FC4D
    IAT             \SystemRoot\System32\Drivers\aiywevw7.SYS[HAL.dll!KeStallExecutionProcessor]                                                                                8D52FD55
    IAT             \SystemRoot\System32\Drivers\aiywevw7.SYS[HAL.dll!KfReleaseSpinLock]                                                                                        8D51FE4D
    IAT             \SystemRoot\System32\Drivers\aiywevw7.SYS[HAL.dll!READ_PORT_BUFFER_USHORT]                                                                                  8D52FF55
    IAT             \SystemRoot\System32\Drivers\aiywevw7.SYS[HAL.dll!READ_PORT_USHORT]                                                                                         8D51F84D
    IAT             \SystemRoot\System32\Drivers\aiywevw7.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT]                                                                                 5052F455
    IAT             \SystemRoot\System32\Drivers\aiywevw7.SYS[HAL.dll!WRITE_PORT_UCHAR]                                                                                         EACAE856
    IAT             \SystemRoot\System32\Drivers\aiywevw7.SYS[WMILIB.SYS!WmiSystemControl]                                                                                      0FC08520
    IAT             \SystemRoot\System32\Drivers\aiywevw7.SYS[WMILIB.SYS!WmiCompleteRequest]                                                                                    0001B185
    
    ---- User IAT/EAT - GMER 1.0.15 ----
    
    IAT             C:\Programme\Cisco Systems\VPN Client\cvpnd.exe[260] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress]                                         [00F52BC8] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Zone Labs, LLC)
    IAT             C:\Programme\Cisco Systems\VPN Client\cvpnd.exe[260] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!UnhandledExceptionFilter]                               [00F52CE9] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Zone Labs, LLC)
    IAT             C:\Programme\Cisco Systems\VPN Client\cvpnd.exe[260] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!TerminateProcess]                                       [00F52CB8] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Zone Labs, LLC)
    IAT             C:\WINDOWS\system32\services.exe[944] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW]                                                [10004780] C:\WINDOWS\SuRunExt.dll (Shell extension for SuRun/http://kay-bruns.de)
    IAT             C:\WINDOWS\system32\services.exe[944] @ C:\WINDOWS\system32\USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW]                                                 [10004780] C:\WINDOWS\SuRunExt.dll (Shell extension for SuRun/http://kay-bruns.de)
    IAT             C:\WINDOWS\system32\services.exe[944] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW]                                                 [10004780] C:\WINDOWS\SuRunExt.dll (Shell extension for SuRun/http://kay-bruns.de)
    
    ---- Devices - GMER 1.0.15 ----
    
    Device          \FileSystem\Ntfs \Ntfs                                                                                                                                      8AF921F8
    Device          \FileSystem\Fastfat \FatCdrom                                                                                                                               89C2B500
    
    AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0                                                                                                                     SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass1                                                                                                                     SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    
    Device          \Driver\usbehci \Device\USBPDO-0                                                                                                                            8A4661F8
    Device          \Driver\usbuhci \Device\USBPDO-1                                                                                                                            8A494500
    Device          \Driver\usbuhci \Device\USBPDO-2                                                                                                                            8A494500
    Device          \Driver\usbuhci \Device\USBPDO-3                                                                                                                            8A494500
    Device          \Driver\usbuhci \Device\USBPDO-4                                                                                                                            8A494500
    Device          \Driver\NetBT \Device\NetBT_Tcpip_{DB3E04D1-8DE6-4C50-BB55-69359C5007EC}                                                                                    8947E1F8
    Device          \Driver\sptd \Device\2299846978                                                                                                                             speq.sys
    Device          \Driver\Ftdisk \Device\HarddiskVolume1                                                                                                                      8B0041F8
    
    AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume1                                                                                                                      hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
    
    Device          \Driver\PCI_PNP1978 \Device\00000064                                                                                                                        speq.sys
    Device          \Driver\Ftdisk \Device\HarddiskVolume2                                                                                                                      8B0041F8
    
    AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume2                                                                                                                      hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
    
    Device          \Driver\Cdrom \Device\CdRom0                                                                                                                                89FE11F8
    Device          \Driver\iaStor \Device\Ide\iaStor0                                                                                                                          [B9DAD580] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device          \Driver\iaStor \Device\Ide\IAAStorageDevice-0                                                                                                               [B9DAD580] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device          \Driver\NetBT \Device\NetBt_Wins_Export                                                                                                                     8947E1F8
    Device          \Driver\NetBT \Device\NetbiosSmb                                                                                                                            8947E1F8
    Device          \Driver\usbuhci \Device\USBFDO-0                                                                                                                            8A494500
    Device          \Driver\usbuhci \Device\USBFDO-1                                                                                                                            8A494500
    Device          \FileSystem\MRxSmb \Device\LanmanDatagramReceiver                                                                                                           894631F8
    Device          \Driver\usbuhci \Device\USBFDO-2                                                                                                                            8A494500
    Device          \FileSystem\MRxSmb \Device\LanmanRedirector                                                                                                                 894631F8
    Device          \Driver\usbuhci \Device\USBFDO-3                                                                                                                            8A494500
    Device          \Driver\usbehci \Device\USBFDO-4                                                                                                                            8A4661F8
    Device          \Driver\Ftdisk \Device\FtControl                                                                                                                            8B0041F8
    Device          \Driver\aiywevw7 \Device\Scsi\aiywevw71                                                                                                                     8A4011F8
    Device          \Driver\aiywevw7 \Device\Scsi\aiywevw71Port1Path0Target0Lun0                                                                                                8A4011F8
    Device          \FileSystem\Fastfat \Fat                                                                                                                                    89C2B500
    
    AttachedDevice  \FileSystem\Fastfat \Fat                                                                                                                                    fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    
    Device          \FileSystem\Cdfs \Cdfs                                                                                                                                      89E37500
    
    ---- Registry - GMER 1.0.15 ----
    
    Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0009dd508fcb                                                                                 
    Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158315a2b7                                                                                 
    Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158315a2b7@00234507d7b2                                                                    0x62 0x9E 0x6E 0x90 ...
    Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158315a2b7@6c0e0dc8b9f2                                                                    0xCC 0x3F 0x33 0x6D ...
    Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158315a310                                                                                 
    Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158315a310@6c0e0dc8b9f2                                                                    0x08 0xC3 0x82 0x05 ...
    Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001f81000830                                                                                 
    Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001f81000830@6c0e0dc8b9f2                                                                    0xD5 0xD3 0x93 0x61 ...
    Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1                                                                                                          771343423
    Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2                                                                                                          285507792
    Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0                                                                                                          1
    Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4                                                                            
    Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0                                                                         C:\Programme\DAEMON Tools Lite\
    Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                                                         0
    Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                                                      0x8D 0xDC 0xAD 0x25 ...
    Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001                                                                   
    Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0                                                                0x20 0x01 0x00 0x00 ...
    Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                                                             0x73 0x83 0x43 0x0A ...
    Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40                                                             
    Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh                                                       0x5D 0xF0 0xBE 0x2E ...
    Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41                                                             
    Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh                                                       0x12 0xFD 0x00 0xCC ...
    Reg             HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0009dd508fcb (not active ControlSet)                                                             
    Reg             HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00158315a2b7 (not active ControlSet)                                                             
    Reg             HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00158315a2b7@00234507d7b2                                                                        0x62 0x9E 0x6E 0x90 ...
    Reg             HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00158315a2b7@6c0e0dc8b9f2                                                                        0xCC 0x3F 0x33 0x6D ...
    Reg             HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00158315a310 (not active ControlSet)                                                             
    Reg             HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00158315a310@6c0e0dc8b9f2                                                                        0x08 0xC3 0x82 0x05 ...
    Reg             HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001f81000830 (not active ControlSet)                                                             
    Reg             HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001f81000830@6c0e0dc8b9f2                                                                        0xD5 0xD3 0x93 0x61 ...
    Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)                                                        
    Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0                                                                             C:\Programme\DAEMON Tools Lite\
    Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                                                             0
    Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                                                          0x8D 0xDC 0xAD 0x25 ...
    Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)                                               
    Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0                                                                    0x20 0x01 0x00 0x00 ...
    Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                                                                 0x73 0x83 0x43 0x0A ...
    Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)                                         
    Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh                                                           0x5D 0xF0 0xBE 0x2E ...
    Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)                                         
    Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh                                                           0x12 0xFD 0x00 0xCC ...
    Reg             HKLM\SOFTWARE\Classes\CLSID\{B6A930A0-A4F5-43A5-9B4E-6189A6C2B9E8}@y!s!\24!r!s!`!\30!y!\24!\24!t!\30!c!y!s!d!                                               19583823
    
    ---- Files - GMER 1.0.15 ----
    
    File            C:\Dokumente und Einstellungen\Konto\Anwendungsdaten\Macromedia\Flash Player\#SharedObjects\HFXJENE8\www.iheartradio.com.\CCBRadioStationFavorites_008.sol  1285 bytes
    File            C:\Dokumente und Einstellungen\Konto\Anwendungsdaten\Macromedia\Flash Player\#SharedObjects\HFXJENE8\www.iheartradio.com.\s_br.sol                          35 bytes
    File            C:\Dokumente und Einstellungen\Konto\Anwendungsdaten\Macromedia\Flash Player\#SharedObjects\HFXJENE8\www.island985.com.\s_br.sol                            35 bytes
    File            C:\Dokumente und Einstellungen\Konto\Anwendungsdaten\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.iheartradio.com.\settings.sol      90 bytes
    File            C:\Dokumente und Einstellungen\Konto\Anwendungsdaten\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.island985.com.\settings.sol        88 bytes
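
A GMER log this long is easier to triage once the hooks are grouped by the module GMER attributes them to. The script below is an added example, not part of the original post and not a GMER component: it parses the SSDT, "Kernel code sections" and "Kernel IAT/EAT" lines of a GMER 1.0.15 text log, groups every hooked entry under the module (or bare address) it points to, and flags two things worth looking at first: hooks attributed to a module GMER could not read from disk (the `?` lines ending in "cannot find the file specified"), and hooks that resolve only to an address with no module name. The sample input is constructed from lines of the log pasted above, with the column padding shortened; the risk labels are the script's own wording, and user-mode IAT lines (the `cvpnd.exe[260] @ ...` form) are deliberately not parsed here.

```python
"""Group the hooks in a GMER 1.0.15 text log by hooking module.

Added example for triaging a pasted GMER scan; it is not GMER's own code.
Handles the SSDT, "Kernel code sections" and "Kernel IAT/EAT" line shapes
seen in the log above. Labels are this script's, not GMER's verdicts.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the lines from the posted log, whitespace shortened.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT            BA7FEDDE    ZwCreateKey
SSDT            speq.sys    ZwEnumerateKey [0xB9EC6CA2]
SSDT            speq.sys    ZwOpenKey [0xB9EA80C0]
SSDT            BA7FEDC0    ZwOpenProcess

---- Kernel code sections - GMER 1.0.15 ----

?               rkdwphc.sys    The system cannot find the file specified. !
?               speq.sys       The system cannot find the file specified. !
.text           USBPORT.SYS!DllUnload    B82BF8AC 5 Bytes  JMP 8A4931D8

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT             \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]    [B9EB9048] speq.sys
IAT             \SystemRoot\System32\Drivers\aiywevw7.SYS[HAL.dll!KfAcquireSpinLock]  C0840CEC
"""

HEX_ADDR = re.compile(r"^[0-9A-Fa-f]{8}$")
SECTION = re.compile(r"^---- (.+?) - GMER")
# "SSDT  <module-or-address>  <ZwXxx> [optional 0x... target]"
SSDT = re.compile(r"^SSDT\s+(\S+)\s+(\w+)")
# "IAT  <driver path>[<import>]  [<addr>] <module>"  or  "IAT  <driver path>[<import>]  <addr>"
IAT = re.compile(r"^IAT\s+(\S+)\[([^\]]+)\]\s+(?:\[[0-9A-Fa-f]+\]\s+(\S+)|([0-9A-Fa-f]{8}))")
# "?  <module>  <OS error text> !"  (English or the German text in the original log)
UNRESOLVED = re.compile(r"^\?\s+(\S+)\s+.*(cannot find the file|kann die angegebene Datei nicht finden)")

LABEL_BARE = "address GMER did not map to a module"
LABEL_MISSING = "hooking module not readable on disk"
LABEL_NAMED = "named module"


def parse_gmer(text):
    """Return (hooks, missing).

    hooks:   module name or bare address -> list of hooked entries
    missing: modules GMER reported as not found on disk
    """
    hooks = defaultdict(list)
    missing = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SECTION.match(line):
            continue
        m = SSDT.match(line)
        if m:
            hooks[m.group(1)].append("SSDT:" + m.group(2))
            continue
        m = IAT.match(line)
        if m:
            target = m.group(3) or m.group(4)
            importer = m.group(1).rsplit("\\", 1)[-1]  # basename of the patched driver
            hooks[target].append("IAT:%s->%s" % (importer, m.group(2)))
            continue
        m = UNRESOLVED.match(line)
        if m:
            missing.add(m.group(1))
    return dict(hooks), missing


def triage(text):
    """Classify each hooking module; the caller decides what is benign."""
    hooks, missing = parse_gmer(text)
    report = {}
    for module, entries in hooks.items():
        if HEX_ADDR.match(module):
            label = LABEL_BARE
        elif module in missing:
            label = LABEL_MISSING
        else:
            label = LABEL_NAMED
        report[module] = {"label": label, "hooks": sorted(entries)}
    return report


if __name__ == "__main__":
    for module, info in sorted(triage(SAMPLE_LOG).items()):
        print("%-12s %-40s %d hook(s)" % (module, info["label"], len(info["hooks"])))
        for h in info["hooks"]:
            print("    " + h)
```

Run against the sample, `speq.sys` comes out with three hooks and the "not readable on disk" label, and the `BA7FED..`/`C0840CEC` entries come out unattributed. Neither label is a verdict: the Devices and Registry sections of the same log tie `speq.sys` to `\Driver\sptd` and the `sptd\Cfg` key to `C:\Programme\DAEMON Tools Lite\`, which is exactly the kind of cross-check the grouping is meant to prompt before anything is declared malicious.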

  3. #3
    photolady is offline Lifetime Friend of Site Staff
    Join Date
    Mar 2002
    Location
    At my computer, cruising VDR and watching your back
    Posts
    23,412
    Read the instructions. It says copy and paste into the thread. Try again.

  4. #4
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    On top of it... one computer per topic.
