piekarz, posted 19 February 2009 (edited)

Avast detected a rootkit on my machine; removing it doesn't help. What should I do?? Here is the log from ComboFix:

ComboFix 09-02-17.02 - Krzysiek 2009-02-18 20:32:34.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.511.235 [GMT 1:00]
Running from: C:\Documents and Settings\Krzysiek\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Krzysiek\Pulpit\WinXP_PL_PRO_BF.EXE
AV: avast! antivirus 4.8.1229 [VPS 090207-0] *On-access scanning enabled* (Outdated)
 * Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\1utbfd.bat
C:\autorun.inf
C:\WINDOWS\system32\nmdfgds0.dll
C:\WINDOWS\system32\olhrwef.exe
D:\1utbfd.bat
D:\Autorun.inf
E:\1utbfd.bat
E:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2009-01-18 to 2009-02-18 )))))))))))))))))))))))))))))))
.
2009-02-18 20:30 . 2009-02-18 20:31 <DIR> d-------- C:\32788R22FWJFW
2009-02-14 19:46 . 2009-02-14 19:46 7,680 --a------ C:\WINDOWS\system32\drivers\RKL15.tmp.sys
2009-02-14 16:28 . 2009-02-14 16:28 <DIR> d-------- C:\Documents and Settings\Krzysiek\Dane aplikacji\Nowe Gadu-Gadu
2009-02-14 08:19 . 2009-02-14 08:19 <DIR> d-------- C:\Documents and Settings\LocalService\Pulpit
2009-02-14 08:08 . 2009-02-14 14:41 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft
2009-02-03 18:13 . 2009-02-03 18:13 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2009-02-03 15:41 . 2005-03-03 20:32 86,094 --a------ C:\WINDOWS\system32\ImageDrive.cpl
2009-01-20 12:48 . 2009-01-20 12:48 <DIR> d--h----- C:\Documents and Settings\All Users\Dane aplikacji\{A25FEDC1-F6D7-440C-BCE2-B71F595F6646}
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-18 19:38 --------- d-----w C:\Documents and Settings\Krzysiek\Dane aplikacji\Skype
2009-02-18 19:37 --------- d-----w C:\Program Files\neostrada tp
2009-02-18 17:14 --------- d-----w C:\Documents and Settings\Krzysiek\Dane aplikacji\skypePM
2009-02-08 08:12 --------- d-----w C:\Documents and Settings\Krzysiek\Dane aplikacji\Azureus
2009-02-05 19:21 --------- d-----w C:\Documents and Settings\Krzysiek\Dane aplikacji\Hamachi
2009-02-03 17:13 --------- d-----w C:\Program Files\DAEMON Tools Toolbar
2008-12-23 07:10 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-12-23 07:09 --------- d-----w C:\Documents and Settings\Krzysiek\Dane aplikacji\DAEMON Tools
2008-12-22 11:56 --------- d-----w C:\Program Files\Skype
2008-12-22 11:55 --------- d-----w C:\Program Files\Common Files\Skype
2008-12-22 11:55 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Skype
2008-12-21 18:13 --------- d-----w C:\Program Files\ivo
2008-12-09 18:46 1,700,352 ----a-w C:\WINDOWS\system32\gdiplus.dll
2008-04-02 18:14 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
2008-10-10 06:31 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\MSHist012008101020081011\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 18:21 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-18 14:14 68856]
"Skype"="E:\Program Files\Skype\Phone\Skype.exe" [2008-11-07 14:31 21633320]
"Eraser"="E:\Program Files\Eraser\eraser.exe" [2007-12-23 00:03 916240]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-07-24 16:02 490952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 08:57 143360]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 15:38 78008]
"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2004-08-23 14:49 20480]
"WOOTASKBARICON"="C:\PROGRA~1\NEOSTR~1\GestMaj.exe" [2004-10-14 16:55 32768]
"AdslTaskBar"="stmctrl.dll" [2006-06-02 10:01 151552 C:\WINDOWS\system32\stmctrl.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 18:21 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-08-26 15:27:32 113664]
Adobe Reader Speed Launch.lnk - E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 07:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv31"= C:\WINDOWS\system32\ir32_32.dll
"vidc.iv32"= C:\WINDOWS\system32\ir32_32.dll
"VIDC.FFDS"= ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"E:\\Program Files\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"D:\\Program Files\\Counter Strike 1.6 - www.lagownia.pl\\hl.exe"=
"E:\\Program Files\\TVAnts\\Tvants.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\Gadu-Gadu\\ggphone\\ggphone.exe"=
"C:\\Program Files\\VALVe\\Counter-Strike Source\\hl2.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Documents and Settings\\Krzysiek\\Pulpit\\nhl2004.exe"=
"E:\\Program Files\\Hamachi\\hamachi.exe"=
"E:\\fifa\\FIFA 09\\FIFA 09\\FIFA09.exe"=
"E:\\Program Files\\Aspyr\\Tony Hawks Pro Skater 4\\Game\\Skate4.exe"=
"D:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"E:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8461:TCP"= 8461:TCP:GoD High Port
"8462:TCP"= 8462:TCP:GoD Low Port

R0 viasraid;viasraid;C:\WINDOWS\system32\drivers\viasraid.sys [2008-01-04 19:56:35 77312]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-08-08 16:56:43 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\drivers\aswFsBlk.sys [2008-08-08 16:56:43 20560]
R3 Stmatm;ATM/ADSL miniport;C:\WINDOWS\system32\drivers\stmatm.sys [2008-01-05 12:55:10 60255]
R3 TaurusUsb;ADSL Modem USB Service;C:\WINDOWS\system32\drivers\torususb.sys [2008-01-05 12:55:10 684265]
S3 MEMSWEEP2;MEMSWEEP2;\??\C:\WINDOWS\system32\2.tmp --> C:\WINDOWS\system32\2.tmp [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{056de808-c6bf-11dd-a52b-0011d8ddc139}]
\Shell\AutoRun\command - H:\1utbfd.bat
\Shell\open\Command - H:\1utbfd.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c85a451a-7dad-11dd-a40d-0011d8ddc139}]
\Shell\AutoRun\command - G:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-14 C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
- C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2008-06-25 C:\WINDOWS\Tasks\Norton Security Scan.job
- C:\Program Files\Norton Security Scan\Nss.exe [2008-01-09 04:08]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-cdoosoft - C:\WINDOWS\system32\olhrwef.exe
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.pl/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to AMV Convert Tool... - E:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
IE: E&ksport do programu Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: MediaManager tool grab multimedia file - E:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
IE: { - C:\Program Files\Messenger\msmsgs.exe
FF - ProfilePath - C:\Documents and Settings\Krzysiek\Dane aplikacji\Mozilla\Firefox\Profiles\ppp0yjuu.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.pl/
FF - component: C:\Program Files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: C:\Program Files\Java\j2re1.4.0_03\bin\NPJava11.dll
FF - plugin: C:\Program Files\Java\j2re1.4.0_03\bin\NPJava12.dll
FF - plugin: C:\Program Files\Java\j2re1.4.0_03\bin\NPJava13.dll
FF - plugin: C:\Program Files\Java\j2re1.4.0_03\bin\NPJava32.dll
FF - plugin: C:\Program Files\Java\j2re1.4.0_03\bin\NPJPI140_03.dll
FF - plugin: C:\Program Files\Java\j2re1.4.0_03\bin\NPOJI610.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll
.

Edited 20 February 2009 by piekarz
Kolobos, posted 19 February 2009

Use EDIT and put the WHOLE ComboFix log in a SPOILER.