I'm having a very annoying malware/virus of some sort. Avast keeps finding new malware about every 10 minutes. It's (almost or every time) a svchost.exe process that's infected, located in the windows\temp folder. Different file every time, moved to the Chest, and then I can delete them. I have done a boot scan and it didn't find anything.
Sometimes I also get redirected to different web pages, but Avast shuts down the connection.
Malwarebytes' Anti-Malware log and OTL logs are attached as files to the post.
Gmer log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-16 22:39:27
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\Fredrik\AppData\Local\Temp\kfroauob.sys
---- System - GMER 1.0.15 ----
INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C34AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C34104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C343F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C1CFB4
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C341DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C34958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C346F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C34F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C351A8
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x8FCD050A]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0x8FCD032E]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0x8FCD0468]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!ZwSaveKeyEx + 13B1 8284F8E9 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 5A2 8286F3D2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE ntoskrnl.exe!ZwLoadDriver 829BB124 7 Bytes JMP 8FCD046C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ObMakeTemporaryObject 829FBDF7 5 Bytes JMP 8FCCC4AA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!RtlCompareUnicodeStrings + 50C 82A231AA 5 Bytes JMP 8FCCD9E4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!NtCreateSection 82A6CED5 7 Bytes JMP 8FCD0332 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwCreateProcessEx 82AEB7C8 7 Bytes JMP 8FCD050E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9000B000, 0x267978, 0xE8000020]
.text peauth.sys 8FF54C9D 28 Bytes [D5, CA, ED, D3, E6, D9, 17, ...]
.text peauth.sys 8FF54CC1 28 Bytes [D5, CA, ED, D3, E6, D9, 17, ...]
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\system32\svchost.exe[1024] ntdll.dll!NtProtectVirtualMemory 76E65360 5 Bytes JMP 0021000A
.text C:\Windows\system32\svchost.exe[1024] ntdll.dll!NtWriteVirtualMemory 76E65EE0 5 Bytes JMP 0022000A
.text C:\Windows\system32\svchost.exe[1024] ntdll.dll!KiUserExceptionDispatcher 76E66448 5 Bytes JMP 001B000A
.text C:\Windows\Explorer.EXE[1588] ntdll.dll!NtProtectVirtualMemory 76E65360 5 Bytes JMP 002A000A
.text C:\Windows\Explorer.EXE[1588] ntdll.dll!NtWriteVirtualMemory 76E65EE0 5 Bytes JMP 002B000A
.text C:\Windows\Explorer.EXE[1588] ntdll.dll!KiUserExceptionDispatcher 76E66448 5 Bytes JMP 0029000A
.text C:\Program Files\Firefox\firefox.exe[3884] ntdll.dll!NtProtectVirtualMemory 76E65360 5 Bytes JMP 0039000A
.text C:\Program Files\Firefox\firefox.exe[3884] ntdll.dll!NtWriteVirtualMemory 76E65EE0 5 Bytes JMP 0048000A
.text C:\Program Files\Firefox\firefox.exe[3884] ntdll.dll!KiUserExceptionDispatcher 76E66448 5 Bytes JMP 0037000A
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\0000004a halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device -> \Driver\atapi \Device\Harddisk0\DR0 8567BAC8
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7B2F737E-77F0-4842-9816-C8D07ADF84B6}
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7B2F737E-77F0-4842-9816-C8D07ADF84B6}
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7B2F737E-77F0-4842-9816-C8D07ADF84B6}@Path \Microsoft\Windows Defender\MP Scheduled Scan
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7B2F737E-77F0-4842-9816-C8D07ADF84B6}@Triggers 0x15 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7B2F737E-77F0-4842-9816-C8D07ADF84B6}@DynamicInfo 0x03 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows Defender\MP Scheduled Scan@Id {7B2F737E-77F0-4842-9816-C8D07ADF84B6}
---- Files - GMER 1.0.15 ----
File C:\Windows\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
This is a log from Avast FileSystemShield:
* avast! Real-time Shield Scan Report
* This file was generated automatically
*
* Started: 12 April 2010 23:13:30
*
*
* avast! Real-time Shield Scan Report
* This file was generated automatically
*
* Started: 13 April 2010 01:47:42
*
*
* avast! Real-time Shield Scan Report
* This file was generated automatically
*
* Started: 13 April 2010 09:36:37
*
2010-04-13 09:41:23 C:\Windows\Temp\ovxe.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 09:46:30 C:\Windows\Temp\iiqo.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 09:47:10 C:\Windows\Temp\Igp.exe [L] Win32:Crypt-GDV [Trj] (0)
File moved to chest...
2010-04-13 09:47:21 C:\Windows\Temp\Igp.exe [L] Win32:Crypt-GDV [Trj] (0)
File moved to chest...
2010-04-13 09:47:24 C:\Windows\Temp\Igp.exe [L] Win32:Rootkit-gen [Rtk] (0)
File moved to chest...
2010-04-13 09:47:29 C:\Windows\Temp\Igp.exe [L] Win32:Rootkit-gen [Rtk] (0)
File moved to chest...
2010-04-13 09:47:32 C:\Windows\Temp\Igp.exe [L] Win32:Crypt-GDV [Trj] (0)
File moved to chest...
2010-04-13 09:47:36 C:\Windows\Temp\Igp.exe [L] Win32:Crypt-GDV [Trj] (0)
File moved to chest...
2010-04-13 09:52:01 C:\Windows\Temp\oyqg.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 09:57:08 C:\Windows\Temp\bgdn.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 10:02:18 C:\Windows\Temp\dwbi.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 10:07:25 C:\Windows\Temp\pfox.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 10:12:34 C:\Windows\Temp\rbri.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 10:17:43 C:\Windows\Temp\mwxj.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 10:22:50 C:\Windows\Temp\fhfd.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 10:28:10 C:\Windows\Temp\ounl.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 10:33:41 C:\Windows\Temp\nhxw.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 10:38:49 C:\Windows\Temp\gcpp.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 10:43:59 C:\Windows\Temp\qyxr.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 10:49:06 C:\Windows\Temp\lmjj.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 10:54:13 C:\Windows\Temp\lkny.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 10:59:19 C:\Windows\Temp\uiit.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 11:04:28 C:\Windows\Temp\ogds.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 11:09:38 C:\Windows\Temp\evra.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 11:14:47 C:\Windows\Temp\bxxt.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 11:19:53 C:\Windows\Temp\xuyh.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 11:24:59 C:\Windows\Temp\qakm.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 11:30:06 C:\Windows\Temp\mlpy.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 11:35:13 C:\Windows\Temp\fipu.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 11:40:27 C:\Windows\Temp\rara.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 11:45:35 C:\Windows\Temp\onhb.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 11:50:42 C:\Windows\Temp\nuuh.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 11:55:52 C:\Windows\Temp\rycs.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 12:01:05 C:\Windows\Temp\xijs.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 12:06:12 C:\Windows\Temp\kmhf.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 12:11:19 C:\Windows\Temp\vqdf.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 12:16:28 C:\Windows\Temp\dlck.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 12:21:34 C:\Windows\Temp\cqto.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
If anyone wonders, the original log is in Swedish.
Translation: "Filen flyttad till karantän" = File moved to chest.
Hope someone can help me out here.
Best regards
Fredrik Hultman
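The two logs in the post above carry the signals a responder would pull out first: inline user-mode hooks on ntdll.dll in svchost.exe, Explorer.EXE and firefox.exe whose JMP targets (0x0021000A, 0x002A000A, 0x0037000A and so on) sit far below the 0x76E6xxxx address of ntdll.dll itself, and an avast! detection log in which a fresh svchost.exe appears under a random four-letter .tmp directory in C:\Windows\Temp at a steady interval. The script below is an added example, not part of the original post and not a GMER or avast! feature: it parses lines copied from the two logs, flags hooks that jump to a low, non-module address (a heuristic threshold of 0x00400000, the conventional image base of the main executable, which is an assumption for this illustration), lists svchost.exe binaries that are not under System32/SysWOW64, and measures the cadence between those detections so a timer-driven dropper stands out from one-off user activity.

```python
"""Triage helpers for the GMER and avast! log lines quoted above.

Added example only: not the poster's code and not a vendor tool. The regexes,
the LOW_TARGET_LIMIT heuristic and the System32-only rule are assumptions made
for this illustration; the sample lines are copied from the logs in the post.
"""
import re
import statistics
from datetime import datetime

# Sample input, copied from the "User code sections" part of the GMER log.
GMER_USER_HOOKS = r"""
.text C:\Windows\system32\svchost.exe[1024] ntdll.dll!NtProtectVirtualMemory 76E65360 5 Bytes JMP 0021000A
.text C:\Windows\system32\svchost.exe[1024] ntdll.dll!NtWriteVirtualMemory 76E65EE0 5 Bytes JMP 0022000A
.text C:\Windows\system32\svchost.exe[1024] ntdll.dll!KiUserExceptionDispatcher 76E66448 5 Bytes JMP 001B000A
.text C:\Windows\Explorer.EXE[1588] ntdll.dll!NtProtectVirtualMemory 76E65360 5 Bytes JMP 002A000A
.text C:\Program Files\Firefox\firefox.exe[3884] ntdll.dll!KiUserExceptionDispatcher 76E66448 5 Bytes JMP 0037000A
"""

# Sample input, copied from the avast! File System Shield log (status lines translated).
AVAST_LOG = r"""
2010-04-13 09:41:23 C:\Windows\Temp\ovxe.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 09:46:30 C:\Windows\Temp\iiqo.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 09:47:10 C:\Windows\Temp\Igp.exe [L] Win32:Crypt-GDV [Trj] (0)
File moved to chest...
2010-04-13 09:47:24 C:\Windows\Temp\Igp.exe [L] Win32:Rootkit-gen [Rtk] (0)
File moved to chest...
2010-04-13 09:52:01 C:\Windows\Temp\oyqg.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 09:57:08 C:\Windows\Temp\bgdn.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 10:02:18 C:\Windows\Temp\dwbi.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
2010-04-13 10:07:25 C:\Windows\Temp\pfox.tmp\svchost.exe [L] Win32:Malware-gen (0)
File moved to chest...
"""

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<func>\w+)\s+(?P<addr>[0-9A-F]{8})\s+"
    r"(?P<size>\d+) Bytes JMP (?P<target>[0-9A-F]{8})$"
)
AVAST_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>\S+)\s+\[L\]\s+"
    r"(?P<verdict>.+?)\s+\(\d+\)$"
)

# Heuristic assumption: on this 32-bit Windows 7 box ntdll.dll lives at 0x76E6xxxx,
# so a JMP from it to anything below the usual 0x00400000 image base cannot land
# in a loaded system DLL; it points into a privately allocated trampoline.
LOW_TARGET_LIMIT = 0x00400000
# svchost.exe is only legitimate from these locations (SysWOW64 applies on x64).
LEGIT_SVCHOST = {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"}


def parse_gmer_user_hooks(text):
    """Return one dict per '.text ... JMP' line, with numeric fields converted."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue  # section headers, kernel entries, blank lines
        d = m.groupdict()
        d["pid"], d["size"] = int(d["pid"]), int(d["size"])
        d["addr"], d["target"] = int(d["addr"], 16), int(d["target"], 16)
        hooks.append(d)
    return hooks


def suspicious_hooks(hooks, limit=LOW_TARGET_LIMIT):
    """Hooks whose detour target lies below `limit` (see the heuristic above)."""
    return [h for h in hooks if h["target"] < limit]


def parse_avast_log(text):
    """Return one dict per detection line; 'File moved to chest...' lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = AVAST_RE.match(line.strip())
        if m:
            entries.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                            "path": m["path"], "verdict": m["verdict"]})
    return entries


def rogue_svchost(entries):
    """Detections of a file named svchost.exe outside the system directories."""
    return [e for e in entries
            if e["path"].lower().endswith("\\svchost.exe")
            and e["path"].lower() not in LEGIT_SVCHOST]


def detection_cadence(entries):
    """Median seconds between consecutive rogue svchost detections, or None.

    A near-constant period points at a scheduler (timer, task, or a driver
    re-dropping its payload) rather than at user activity.
    """
    times = [e["ts"] for e in rogue_svchost(entries)]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return statistics.median(gaps) if gaps else None


if __name__ == "__main__":
    for h in suspicious_hooks(parse_gmer_user_hooks(GMER_USER_HOOKS)):
        print(f"pid {h['pid']:>5} {h['proc']}: {h['module']}!{h['func']} -> {h['target']:#010x}")
    entries = parse_avast_log(AVAST_LOG)
    for e in rogue_svchost(entries):
        print(f"{e['ts']} rogue svchost: {e['path']} ({e['verdict']})")
    print(f"median gap between drops: {detection_cadence(entries)} s")
```

The point of the cadence check is that the avast! log alone shows a drop every five minutes or so, which means deleting the quarantined copies is treating the symptom: something still resident (the GMER log's "suspicious modification" of atapi.sys and the ntdll hooks are the candidates it names) keeps writing the next one.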