2008-01-21, 01:17
  #13
Member
Folkskygg's avatar
Quote:
Originally posted by 927
So it wasn't a trial you scanned with, then?

I suspected it could be a rootkit, but Blacklight found nothing?

It was a trial, but I got hold of keys() so I could remove it.

No, Blacklight found nothing. :/
2008-01-21, 02:44
  #14
Member
Folkskygg's avatar
Found a program, McAfee Rootkit Detective, and scanned with it:

Here is the log. Do you think there's anything else suspicious?

Quote:
McAfee(R) Rootkit Detective 1.1 scan report
On 21-01-2008 at 02:36:26
OS-Version 5.2.3790
Service Pack 2.0
====================================

Object-Type: SSDT-hook
Object-Name: ZwClose
Object-Path: (NULL)

Object-Type: SSDT-hook
Object-Name: ZwCreateKey
Object-Path: (NULL)

Object-Type: SSDT-hook
Object-Name: ZwCreateProcess
Object-Path: C:\WINDOWS\system32\drivers\iksysflt.sys

Object-Type: SSDT-hook
Object-Name: ZwCreateProcessEx
Object-Path: C:\WINDOWS\system32\drivers\iksysflt.sys

Object-Type: SSDT-hook
Object-Name: ZwDeleteKey
Object-Path: (NULL)

Object-Type: SSDT-hook
Object-Name: ZwDeleteValueKey
Object-Path: (NULL)

Object-Type: SSDT-hook
Object-Name: ZwLoadKey2
Object-Path: (NULL)

Object-Type: SSDT-hook
Object-Name: ZwOpenKey
Object-Path: (NULL)

Object-Type: SSDT-hook
Object-Name: ZwOpenProcess
Object-Path: C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.sys

Object-Type: SSDT-hook
Object-Name: ZwQueryValueKey
Object-Path: (NULL)

Object-Type: SSDT-hook
Object-Name: ZwRenameKey
Object-Path: C:\WINDOWS\system32\drivers\iksysflt.sys

Object-Type: SSDT-hook
Object-Name: ZwReplaceKey
Object-Path: (NULL)

Object-Type: SSDT-hook
Object-Name: ZwRestoreKey
Object-Path: (NULL)

Object-Type: SSDT-hook
Object-Name: ZwSetValueKey
Object-Path: (NULL)

Object-Type: SSDT-hook
Object-Name: ZwTerminateProcess
Object-Path: C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.sys

Object-Type: SSDT-hook
Object-Name: ZwWriteVirtualMemory
Object-Path: C:\WINDOWS\system32\drivers\iksysflt.sys

Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_SYSTEM_CONTROL
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_POWER
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_CLEANUP
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_SHUTDOWN
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_INTERNAL_DEVICE_CONTROL
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_DEVICE_CONTROL
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_FLUSH_BUFFERS
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_WRITE
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_READ
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_CREATE
Object-Path:

Object-Type: Registry-key
Object-Name: 19659239224E364682FA4BAF72C53EA4sflt.sys
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Status: Hidden

Object-Type: Registry-key
Object-Name: 00000001ontrolSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Status: Hidden

Object-Type: Registry-key
Object-Name: 0Jf40M\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Status: Hidden

Object-Type: Registry-key
Object-Name: 0Jf41M\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Status: Hidden

Object-Type: Registry-key
Object-Name: 0Jf42M\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Status: Hidden

Object-Type: Registry-key
Object-Name: 0Jf43M\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Status: Hidden

Object-Type: Registry-value
Object-Name: ThreadingModel
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5645C8C2-E277-11CF-8FDA-00AA00A14F93}\InprocServer32
Status: Registy value-data mismatch

Object-Type: IAT/EAT-hook
PID: 2168
Details: Export : Function : USER32.dll!SetWindowsHookExW =>
Object-Path:
Status: Hooked

Object-Type: IAT/EAT-hook
PID: 2168
Details: Export : Function : USER32.dll!SetWindowsHookExA =>
Object-Path:
Status: Hooked

Object-Type: Process
Object-Name: nSvcLog.exe
Pid: 1332
Object-Path: C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
Status: Visible

Object-Type: Process
Object-Name: System Idle Process
Pid: 0
Object-Path:
Status: Visible

Object-Type: Process
Object-Name: nTuneService.ex
Pid: 1396
Object-Path: C:\Program\NVIDIA Corporation\nTune\nTuneService.exe
Status: Visible

Object-Type: Process
Object-Name: firefox.exe
Pid: 404
Object-Path: C:\Program\Mozilla Firefox\firefox.exe
Status: Visible

Object-Type: Process
Object-Name: msnmsgr.exe
Pid: 3568
Object-Path: C:\Program\Windows Live\Messenger\msnmsgr.exe
Status: Visible

Object-Type: Process
Object-Name: System
Pid: 4
Object-Path:
Status: Visible

Object-Type: Process
Object-Name: Apache.exe
Pid: 1616
Object-Path: C:\Program\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
Status: Visible

Object-Type: Process
Object-Name: daemon.exe
Pid: 2360
Object-Path: C:\Program\DAEMON Tools\daemon.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 904
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 688
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 812
Object-Path: C:\WINDOWS\System32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: nvsvc32.exe
Pid: 1464
Object-Path: C:\WINDOWS\system32\nvsvc32.exe
Status: Visible

Object-Type: Process
Object-Name: egui.exe
Pid: 2332
Object-Path: C:\Program\ESET\ESET Smart Security\egui.exe
Status: Visible

Object-Type: Process
Object-Name: SimpPro.exe
Pid: 2704
Object-Path: C:\Program\Secway\SimpPro 2.2\SimpPro.exe
Status: Visible

Object-Type: Process
Object-Name: wmiprvse.exe
Pid: 3200
Object-Path: C:\WINDOWS\system32\wbem\wmiprvse.exe
Status: Visible

Object-Type: Process
Object-Name: lsass.exe
Pid: 504
Object-Path: C:\WINDOWS\system32\lsass.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 2984
Object-Path: C:\WINDOWS\System32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: Rootkit_Detecti
Pid: 2736
Object-Path: H:\#Appz\Säkerhet\McafeeRootkitDetective\Rootkit_Detective.exe
Status: Visible

Object-Type: Process
Object-Name: csrss.exe
Pid: 412
Object-Path: C:\WINDOWS\system32\csrss.exe
Status: Visible

Object-Type: Process
Object-Name: winlogon.exe
Pid: 444
Object-Path: C:\WINDOWS\system32\winlogon.exe
Status: Visible

Object-Type: Process
Object-Name: pctsAuxs.exe
Pid: 1560
Object-Path: C:\Program\Spyware Doctor\pctsAuxs.exe
Status: Visible

Object-Type: Process
Object-Name: usnsvc.exe
Pid: 2304
Object-Path: C:\Program\Windows Live\Messenger\usnsvc.exe
Status: Visible

Object-Type: Process
Object-Name: Apache.exe
Pid: 1252
Object-Path: C:\Program\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 1224
Object-Path: C:\WINDOWS\System32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: pctsTray.exe
Pid: 2340
Object-Path: C:\Program\Spyware Doctor\pctsTray.exe
Status: Visible

Object-Type: Process
Object-Name: ctfmon.exe
Pid: 2372
Object-Path: C:\WINDOWS\system32\ctfmon.exe
Status: Visible

Object-Type: Process
Object-Name: alg.exe
Pid: 3116
Object-Path: C:\WINDOWS\System32\alg.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 3024
Object-Path: C:\WINDOWS\System32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: Ventrilo.exe
Pid: 4080
Object-Path: C:\Program\Ventrilo\Ventrilo.exe
Status: Visible

Object-Type: Process
Object-Name: msdtc.exe
Pid: 1044
Object-Path: C:\WINDOWS\system32\msdtc.exe
Status: Visible

Object-Type: Process
Object-Name: uTorrent.exe
Pid: 424
Object-Path: C:\Program\uTorrent\uTorrent.exe
Status: Visible

Object-Type: Process
Object-Name: ekrn.exe
Pid: 1200
Object-Path: C:\Program\ESET\ESET Smart Security\ekrn.exe
Status: Visible

Object-Type: Process
Object-Name: hamachi.exe
Pid: 4052
Object-Path: C:\Program\Hamachi\hamachi.exe
Status: Visible

Object-Type: Process
Object-Name: smss.exe
Pid: 364
Object-Path: C:\WINDOWS\System32\smss.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 860
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: pctsSvc.exe
Pid: 1604
Object-Path: C:\Program\Spyware Doctor\pctsSvc.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 768
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: nSvcIp.exe
Pid: 1884
Object-Path: C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 1544
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: rundll32.exe
Pid: 2320
Object-Path: C:\WINDOWS\system32\RUNDLL32.EXE
Status: Visible

Object-Type: Process
Object-Name: services.exe
Pid: 492
Object-Path: C:\WINDOWS\system32\services.exe
Status: Visible

Object-Type: Process
Object-Name: spoolsv.exe
Pid: 1020
Object-Path: C:\WINDOWS\system32\spoolsv.exe
Status: Visible

Object-Type: Process
Object-Name: guard.exe
Pid: 1176
Object-Path: C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
Status: Visible

Object-Type: Process
Object-Name: explorer.exe
Pid: 2168
Object-Path: C:\WINDOWS\Explorer.EXE
Status: Visible

Scan complete. Hidden registry keys/values: 7
2008-01-21, 07:17
  #15
Member
927's avatar
There are many rootkit scanners; Panda and Avira, for example, have simple programs if I remember correctly.
I think the log is OK. There is a .sys file in the drivers folder that recurs in the log, but it seems to belong to Spyware Doctor.
Check whether there are any recently created files in
C:\WINDOWS\system32\drivers
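The two things the thread does by eye with the Rootkit Detective log above (who owns the SSDT hooks, and which registry keys are hidden) and the follow-up check 927 suggests (recently created files in the drivers folder) can be done mechanically. The following is an added example, not code from the thread or from McAfee: it parses the "Object-Type / Object-Name / Object-Path / Status" record format visible in the posted log, groups SSDT hooks by the driver that owns them, lists hidden registry objects, and cross-references a directory listing of C:\WINDOWS\system32\drivers against the hooking drivers. The report excerpt and the directory listing embedded below are constructed for the example (paths and timestamps chosen to resemble the thread), and all function names are my own.

```python
"""Triage helper for a McAfee Rootkit Detective 1.1 text report (added example).

Assumptions: records are blank-line separated blocks of "Key: value" lines that
start with Object-Type, as in the posted log; "(NULL)" as an Object-Path means the
tool could not attribute an SSDT hook to a module.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed excerpt in the report's own format; not the thread's full log.
SAMPLE_REPORT = """\
McAfee(R) Rootkit Detective 1.1 scan report
On 21-01-2008 at 02:36:26
====================================

Object-Type: SSDT-hook
Object-Name: ZwClose
Object-Path: (NULL)

Object-Type: SSDT-hook
Object-Name: ZwCreateProcess
Object-Path: C:\\WINDOWS\\system32\\drivers\\iksysflt.sys

Object-Type: SSDT-hook
Object-Name: ZwOpenProcess
Object-Path: C:\\Program\\Grisoft\\AVG Anti-Spyware 7.5\\guard.sys

Object-Type: Registry-key
Object-Name: 00000001
Object-Path: HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\sptd\\Cfg\\00000001
Status: Hidden

Object-Type: Process
Object-Name: explorer.exe
Pid: 2168
Object-Path: C:\\WINDOWS\\Explorer.EXE
Status: Visible

Scan complete. Hidden registry keys/values: 1
"""

# Constructed directory listing: (path, creation time). A real run would build
# this from os.scandir() and st_ctime on the drivers directory.
SAMPLE_LISTING = [
    ("C:\\WINDOWS\\system32\\drivers\\ntfs.sys", datetime(2007, 3, 1)),
    ("C:\\WINDOWS\\system32\\drivers\\iksysflt.sys", datetime(2008, 1, 18)),
    ("C:\\WINDOWS\\system32\\drivers\\core.cache.dsk", datetime(2008, 1, 20)),
]
SCAN_TIME = datetime(2008, 1, 21, 2, 36, 26)
DRIVERS_DIR = "c:\\windows\\system32\\drivers\\"

FIELD_RE = re.compile(r"^([A-Za-z/-]+):\s*(.*)$")


def parse_report(text):
    """One dict per record block; header/footer lines never match FIELD_RE."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current.get("Object-Type"):
                records.append(current)
            current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
    if current.get("Object-Type"):
        records.append(current)
    return records


def ssdt_hooks_by_driver(records):
    """Map each hooking module path to the sorted Zw* names it hooks.
    Unattributed hooks are kept under "(NULL)" rather than dropped."""
    by_driver = defaultdict(list)
    for r in records:
        if r.get("Object-Type") == "SSDT-hook":
            by_driver[r.get("Object-Path") or "(NULL)"].append(r["Object-Name"])
    return {k: sorted(v) for k, v in by_driver.items()}


def hidden_registry_objects(records):
    """Registry keys/values marked Hidden: hiding them requires a kernel hook
    that filters enumeration results, so these deserve a close look."""
    return [r["Object-Path"] for r in records
            if r.get("Object-Type", "").startswith("Registry")
            and r.get("Status") == "Hidden"]


def hidden_processes(records):
    return [r for r in records
            if r.get("Object-Type") == "Process" and r.get("Status") != "Visible"]


def recent_driver_files(listing, now, max_age_days=7):
    """Paths under the drivers directory created within max_age_days, oldest first."""
    cutoff = now - timedelta(days=max_age_days)
    recent = [(p, t) for p, t in listing
              if p.lower().startswith(DRIVERS_DIR) and t >= cutoff]
    return [p for p, _ in sorted(recent, key=lambda x: x[1])]


def triage(report_text, listing, now):
    records = parse_report(report_text)
    hooks = ssdt_hooks_by_driver(records)
    recent = recent_driver_files(listing, now)
    hook_drivers = {p.lower() for p in hooks if p != "(NULL)"}
    return {
        "ssdt_hooks": hooks,
        "hidden_registry": hidden_registry_objects(records),
        "hidden_processes": hidden_processes(records),
        "recent_drivers": recent,
        # Recently created and hooking the SSDT: inspect these first.
        "recent_hooking_drivers": [p for p in recent if p.lower() in hook_drivers],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT, SAMPLE_LISTING, SCAN_TIME).items():
        print(key, value)
```

The cross-reference is the useful part: a vendor driver such as iksysflt.sys or guard.sys hooking ZwCreateProcess or ZwOpenProcess is normal for security products, so the hook list alone is noisy; a driver that both hooks the SSDT and was created in the last few days is what to verify first (publisher, signature, which installed product it belongs to). Hidden registry keys are reported separately because a hidden key is a finding regardless of which module owns the hooks.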
2008-01-21, 13:04
  #16
Member
I seem to recall it's Daemon Tools that installs your little ad plugin. The free version installs that kind of thing, at least if you say yes...
2008-01-21, 15:44
  #17
Member
Folkskygg's avatar
The file doesn't seem to want to go away anyway; it keeps coming back all the time.
core.cache.dsk
I've followed various guides to remove it, but it doesn't help.
2008-01-21, 16:38
  #18
Member
927's avatar
Which programs have you used?
2008-01-21, 16:53
  #19
Member
Folkskygg's avatar
Quote:
Originally posted by 927
Which programs have you used?

Ran FileASSASSIN, but it didn't help.
The file isn't there in safe mode, but it's always there in normal mode. It comes back immediately and can't be removed normally because it's in use.
2008-01-21, 17:15
  #20
Member
Folkskygg's avatar
Ran ComboFix, which had fixed the problem for someone else:
"C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete"

Maybe I should try it in safe mode?

EDIT: Since I rebooted after ComboFix, no popup has appeared; we'll see what happens if it starts again.
Last edited by Folkskygg 2008-01-21 at 17:25.
2008-01-21, 19:29
  #21
Member
927's avatar
I think the ComboFix log is here:
C:\ComboFix.txt
2008-01-21, 20:17
  #22
Member
Folkskygg's avatar
Quote:
Originally posted by 927
I think the ComboFix log is here:
C:\ComboFix.txt

Yes, according to the log it couldn't be removed, but it seems to be gone anyway.
2008-01-21, 20:50
  #23
Member
927's avatar
Post that log here.
2008-01-21, 23:13
  #24
Member
Folkskygg's avatar
Quote:
Originally posted by 927
Post that log here.

Now, after several hours, a popup came up again, twice in a row. I thought I had gotten rid of the problem.

The log was too long to post here, so I'm putting it up on Pastebin instead:
http://pastebin.com/m231a983a