Ekrn.exe 100% RAM + Rootkit Win32 Rootkit-gen

Hello,

I have a problem with my computer freezing, which happens whenever I want to open any AVI, FLV, etc. file (the files themselves are fine), basically any video. It looks like this: after clicking Open (sometimes Open With; the selection window appears and when I want to choose a program it freezes completely) the whole system locks up. In Task Manager RAM usage is 100% of 512 MB and the ekrn.exe process shows 64000-86.0000; when I have the Firefox 3.6 browser open, another 114-136.000 from FF comes on top of that.

I can't do anything about it because the whole system is locked up immediately; quickly killing the process from Task Manager doesn't help, nor does cleaning the PC with CCleaner and ASC, because it's back to the same thing right away.

I scanned the PC with three AV programs and ASpy, but they found nothing; yesterday I also ran another scan, thinking it might be a rootkit:

Sophos, MBR, and HJT + CF and OTL, but it's clean.

Only one thing puzzles me: why do .bat files appear in temp and sometimes in the Windows system (files I neither created nor downloaded myself) containing... (the files in the temp folders have the commands: delete now, shutdown now abort; the file in C:\Windows, C:\Windows\system 32 was meant to execute something and disappear). This started from the one time I denied an outgoing connection in the AV firewall for the svchost.exe process (Microsoft Generic Host and Synchronization process).

Attaching the LOGS:

http://wklej.to/OTov/html

My problem is very similar to the one described here, but unfortunately those solutions don't work

http://www.elektroda.pl/rtvforum/topic916002.html

Windows XP Pro SP3, ESET NOD32 SS

The problems started on 10.02.2010, i.e. the day the latest Windows updates appeared, downloaded from here: http://update.microsoft.com/windowsupdate/v6/default.aspx?ln=pl .

No BSOD screen; not applicable.

VirusTotal scan LOG for C:\Windows 32\drivers\atapi

http://www.virustotal.com/pl/analisis/b … 1266085094

This article applies to me: http://www.hcsl.pl/2010/02/oto-szkodnik … blemy.html

Sophos AR scan

RootRepeal scan

Drivers:

ROOTREPEAL (c) AD, 2007-2009

==================================================

Scan Start Time: 2010/02/13 21:33

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================


Drivers

-------------------

Name: A3AB.sys

Image Path: C:\WINDOWS\system32\DRIVERS\A3AB.sys

Address: 0xF71B7000	Size: 547744	File Visible: -	Signed: -

Status: -


Name: ACPI.sys

Image Path: ACPI.sys

Address: 0xF844F000	Size: 188544	File Visible: -	Signed: -

Status: -


Name: ACPI_HAL

Image Path: \Driver\ACPI_HAL

Address: 0x804D7000	Size: 2190592	File Visible: -	Signed: -

Status: -


Name: afd.sys

Image Path: C:\WINDOWS\System32\drivers\afd.sys

Address: 0xB2EE6000	Size: 138496	File Visible: -	Signed: -

Status: -


Name: amdk7.sys

Image Path: C:\WINDOWS\system32\DRIVERS\amdk7.sys

Address: 0xF85CF000	Size: 41856	File Visible: -	Signed: -

Status: -


Name: ANIO.SYS

Image Path: C:\WINDOWS\system32\ANIO.SYS

Address: 0xF8857000	Size: 28128	File Visible: -	Signed: -

Status: -


Name: atapi.sys

Image Path: atapi.sys

Address: 0xF83E1000	Size: 96512	File Visible: -	Signed: -

Status: -


Name: ati2cqag.dll

Image Path: C:\WINDOWS\System32\ati2cqag.dll

Address: 0xBFA1C000	Size: 286720	File Visible: -	Signed: -

Status: -


Name: ati2dvag.dll

Image Path: C:\WINDOWS\System32\ati2dvag.dll

Address: 0xBF9D9000	Size: 274432	File Visible: -	Signed: -

Status: -


Name: ati2mtag.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

Address: 0xF700D000	Size: 1744896	File Visible: -	Signed: -

Status: -


Name: ati3duag.dll

Image Path: C:\WINDOWS\System32\ati3duag.dll

Address: 0xBFAA6000	Size: 2375680	File Visible: -	Signed: -

Status: -


Name: atikvmag.dll

Image Path: C:\WINDOWS\System32\atikvmag.dll

Address: 0xBFA62000	Size: 278528	File Visible: -	Signed: -

Status: -


Name: ativvaxx.dll

Image Path: C:\WINDOWS\System32\ativvaxx.dll

Address: 0xBFCEA000	Size: 2355200	File Visible: -	Signed: -

Status: -


Name: ATMFD.DLL

Image Path: C:\WINDOWS\System32\ATMFD.DLL

Address: 0xBFFA0000	Size: 286720	File Visible: -	Signed: -

Status: -


Name: audstub.sys

Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys

Address: 0xF8B23000	Size: 3072	File Visible: -	Signed: -

Status: -


Name: Beep.SYS

Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS

Address: 0xF89C3000	Size: 4224	File Visible: -	Signed: -

Status: -


Name: BOOTVID.dll

Image Path: C:\WINDOWS\system32\BOOTVID.dll

Address: 0xF88AF000	Size: 12288	File Visible: -	Signed: -

Status: -


Name: Cdfs.SYS

Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS

Address: 0xF86EF000	Size: 63744	File Visible: -	Signed: -

Status: -


Name: cdrom.sys

Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys

Address: 0xF860F000	Size: 62976	File Visible: -	Signed: -

Status: -


Name: CLASSPNP.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS

Address: 0xF84EF000	Size: 53248	File Visible: -	Signed: -

Status: -


Name: disk.sys

Image Path: disk.sys

Address: 0xF84DF000	Size: 36352	File Visible: -	Signed: -

Status: -


Name: dmio.sys

Image Path: dmio.sys

Address: 0xF83F9000	Size: 153856	File Visible: -	Signed: -

Status: -


Name: dmload.sys

Image Path: dmload.sys

Address: 0xF89A3000	Size: 5888	File Visible: -	Signed: -

Status: -


Name: drmk.sys

Image Path: C:\WINDOWS\system32\drivers\drmk.sys

Address: 0xF854F000	Size: 61440	File Visible: -	Signed: -

Status: -


Name: Dxapi.sys

Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys

Address: 0xF898F000	Size: 12288	File Visible: -	Signed: -

Status: -


Name: dxg.sys

Image Path: C:\WINDOWS\System32\drivers\dxg.sys

Address: 0xBF9C7000	Size: 73728	File Visible: -	Signed: -

Status: -


Name: dxgthk.sys

Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys

Address: 0xF8B86000	Size: 4096	File Visible: -	Signed: -

Status: -


Name: eamon.sys

Image Path: C:\WINDOWS\system32\DRIVERS\eamon.sys

Address: 0xB06E8000	Size: 835584	File Visible: -	Signed: -

Status: -


Name: ehdrv.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ehdrv.sys

Address: 0xB2FA7000	Size: 118784	File Visible: -	Signed: -

Status: -


Name: epfw.sys

Image Path: C:\WINDOWS\system32\DRIVERS\epfw.sys

Address: 0xB069D000	Size: 143360	File Visible: -	Signed: -

Status: -


Name: Epfwndis.sys

Image Path: C:\WINDOWS\system32\DRIVERS\Epfwndis.sys

Address: 0xF864F000	Size: 45056	File Visible: -	Signed: -

Status: -


Name: epfwtdi.sys

Image Path: C:\WINDOWS\system32\DRIVERS\epfwtdi.sys

Address: 0xB2F08000	Size: 77824	File Visible: -	Signed: -

Status: -


Name: Fastfat.SYS

Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS

Address: 0xB03F9000	Size: 143744	File Visible: -	Signed: -

Status: -


Name: fdc.sys

Image Path: C:\WINDOWS\system32\DRIVERS\fdc.sys

Address: 0xF878F000	Size: 27392	File Visible: -	Signed: -

Status: -


Name: Fips.SYS

Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS

Address: 0xF852F000	Size: 44672	File Visible: -	Signed: -

Status: -


Name: flpydisk.sys

Image Path: C:\WINDOWS\system32\DRIVERS\flpydisk.sys

Address: 0xF87F7000	Size: 20480	File Visible: -	Signed: -

Status: -


Name: fltMgr.sys

Image Path: fltMgr.sys

Address: 0xF829C000	Size: 129792	File Visible: -	Signed: -

Status: -


Name: Fs_Rec.SYS

Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS

Address: 0xF89C1000	Size: 7936	File Visible: -	Signed: -

Status: -


Name: ftdisk.sys

Image Path: ftdisk.sys

Address: 0xF841F000	Size: 125568	File Visible: -	Signed: -

Status: -


Name: hal.dll

Image Path: C:\WINDOWS\system32\hal.dll

Address: 0x806EE000	Size: 131840	File Visible: -	Signed: -

Status: -


Name: HIDCLASS.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS

Address: 0xF86AF000	Size: 36864	File Visible: -	Signed: -

Status: -


Name: HIDPARSE.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS

Address: 0xF51D3000	Size: 28672	File Visible: -	Signed: -

Status: -


Name: hidusb.sys

Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys

Address: 0xF3762000	Size: 10368	File Visible: -	Signed: -

Status: -


Name: HSFBS2S2.sys

Image Path: C:\WINDOWS\system32\DRIVERS\HSFBS2S2.sys

Address: 0xF807B000	Size: 220032	File Visible: -	Signed: -

Status: -


Name: HSFCXTS2.sys

Image Path: C:\WINDOWS\system32\DRIVERS\HSFCXTS2.sys

Address: 0xF7EB1000	Size: 685056	File Visible: -	Signed: -

Status: -


Name: HSFDPSP2.sys

Image Path: C:\WINDOWS\system32\DRIVERS\HSFDPSP2.sys

Address: 0xF7F59000	Size: 1041536	File Visible: -	Signed: -

Status: -


Name: HTTP.sys

Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys

Address: 0xAFE46000	Size: 265728	File Visible: -	Signed: -

Status: -


Name: i8042prt.sys

Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys

Address: 0xF863F000	Size: 53248	File Visible: -	Signed: -

Status: -


Name: imapi.sys

Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys

Address: 0xF85FF000	Size: 42112	File Visible: -	Signed: -

Status: -


Name: ipnat.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys

Address: 0xB2DFD000	Size: 152832	File Visible: -	Signed: -

Status: -


Name: ipsec.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys

Address: 0xB2F74000	Size: 75264	File Visible: -	Signed: -

Status: -


Name: isapnp.sys

Image Path: isapnp.sys

Address: 0xF849F000	Size: 37632	File Visible: -	Signed: -

Status: -


Name: kbdclass.sys

Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys

Address: 0xF8797000	Size: 24960	File Visible: -	Signed: -

Status: -


Name: KDCOM.DLL

Image Path: C:\WINDOWS\system32\KDCOM.DLL

Address: 0xF899F000	Size: 8192	File Visible: -	Signed: -

Status: -


Name: ks.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys

Address: 0xF8058000	Size: 143360	File Visible: -	Signed: -

Status: -


Name: KSecDD.sys

Image Path: KSecDD.sys

Address: 0xF8273000	Size: 92928	File Visible: -	Signed: -

Status: -


Name: mdmxsdk.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

Address: 0xB050D000	Size: 11840	File Visible: -	Signed: -

Status: -


Name: mnmdd.SYS

Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS

Address: 0xF89C5000	Size: 4224	File Visible: -	Signed: -

Status: -


Name: Modem.SYS

Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS

Address: 0xF8787000	Size: 30208	File Visible: -	Signed: -

Status: -


Name: mouclass.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys

Address: 0xF87BF000	Size: 23296	File Visible: -	Signed: -

Status: -


Name: mouhid.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys

Address: 0xF894F000	Size: 12160	File Visible: -	Signed: -

Status: -


Name: MountMgr.sys

Image Path: MountMgr.sys

Address: 0xF84AF000	Size: 42368	File Visible: -	Signed: -

Status: -


Name: mrxsmb.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

Address: 0xB2E23000	Size: 456832	File Visible: -	Signed: -

Status: -


Name: Msfs.SYS

Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS

Address: 0xF51BB000	Size: 19072	File Visible: -	Signed: -

Status: -


Name: msgpc.sys

Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys

Address: 0xF868F000	Size: 35072	File Visible: -	Signed: -

Status: -


Name: mssmbios.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys

Address: 0xF894B000	Size: 15488	File Visible: -	Signed: -

Status: -


Name: Mup.sys

Image Path: Mup.sys

Address: 0xF819F000	Size: 105344	File Visible: -	Signed: -

Status: -


Name: NDIS.sys

Image Path: NDIS.sys

Address: 0xF81B9000	Size: 182656	File Visible: -	Signed: -

Status: -


Name: ndistapi.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys

Address: 0xF8977000	Size: 10112	File Visible: -	Signed: -

Status: -


Name: ndisuio.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys

Address: 0xB07DC000	Size: 14592	File Visible: -	Signed: -

Status: -


Name: ndiswan.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys

Address: 0xF6F5A000	Size: 91520	File Visible: -	Signed: -

Status: -


Name: NDProxy.SYS

Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS

Address: 0xF6F39000	Size: 40576	File Visible: -	Signed: -

Status: -


Name: netbios.sys

Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys

Address: 0xF870F000	Size: 34688	File Visible: -	Signed: -

Status: -


Name: netbt.sys

Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys

Address: 0xB064D000	Size: 162816	File Visible: -	Signed: -

Status: -


Name: Npfs.SYS

Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS

Address: 0xF87EF000	Size: 30848	File Visible: -	Signed: -

Status: -


Name: Ntfs.sys

Image Path: Ntfs.sys

Address: 0xF81E6000	Size: 574976	File Visible: -	Signed: -

Status: -


Name: ntoskrnl.exe

Image Path: C:\WINDOWS\system32\ntoskrnl.exe

Address: 0x804D7000	Size: 2190592	File Visible: -	Signed: -

Status: -


Name: Null.SYS

Image Path: C:\WINDOWS\System32\Drivers\Null.SYS

Address: 0xF8B16000	Size: 2944	File Visible: -	Signed: -

Status: -


Name: nv_agp.sys

Image Path: nv_agp.sys

Address: 0xF872F000	Size: 18688	File Visible: -	Signed: -

Status: -


Name: nvapu.sys

Image Path: C:\WINDOWS\system32\drivers\nvapu.sys

Address: 0xF0791000	Size: 286976	File Visible: -	Signed: -

Status: -


Name: nvarm.sys

Image Path: C:\WINDOWS\system32\drivers\nvarm.sys

Address: 0xF067E000	Size: 69632	File Visible: -	Signed: -

Status: -


Name: nvax.sys

Image Path: C:\WINDOWS\system32\drivers\nvax.sys

Address: 0xF876F000	Size: 30336	File Visible: -	Signed: -

Status: -


Name: NVENET.sys

Image Path: C:\WINDOWS\system32\DRIVERS\NVENET.sys

Address: 0xF80B1000	Size: 80896	File Visible: -	Signed: -

Status: -


Name: nvmcp.sys

Image Path: C:\WINDOWS\system32\drivers\nvmcp.sys

Address: 0xF068F000	Size: 909312	File Visible: -	Signed: -

Status: -


Name: parport.sys

Image Path: C:\WINDOWS\system32\DRIVERS\parport.sys

Address: 0xF6F71000	Size: 80256	File Visible: -	Signed: -

Status: -


Name: PartMgr.sys

Image Path: PartMgr.sys

Address: 0xF8727000	Size: 19712	File Visible: -	Signed: -

Status: -


Name: ParVdm.SYS

Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS

Address: 0xF89E3000	Size: 6912	File Visible: -	Signed: -

Status: -


Name: pci.sys

Image Path: pci.sys

Address: 0xF843E000	Size: 68608	File Visible: -	Signed: -

Status: -


Name: pciide.sys

Image Path: pciide.sys

Address: 0xF8A67000	Size: 3456	File Visible: -	Signed: -

Status: -


Name: PCIIDEX.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS

Address: 0xF871F000	Size: 28672	File Visible: -	Signed: -

Status: -


Name: PnpManager

Image Path: \Driver\PnpManager

Address: 0x804D7000	Size: 2190592	File Visible: -	Signed: -

Status: -


Name: portcls.sys

Image Path: C:\WINDOWS\system32\drivers\portcls.sys

Address: 0xF076D000	Size: 147456	File Visible: -	Signed: -

Status: -


Name: psched.sys

Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys

Address: 0xF6F49000	Size: 69120	File Visible: -	Signed: -

Status: -


Name: ptilink.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys

Address: 0xF889F000	Size: 17792	File Visible: -	Signed: -

Status: -


Name: rasacd.sys

Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys

Address: 0xF376E000	Size: 8832	File Visible: -	Signed: -

Status: -


Name: rasl2tp.sys

Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

Address: 0xF865F000	Size: 51328	File Visible: -	Signed: -

Status: -


Name: raspppoe.sys

Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys

Address: 0xF866F000	Size: 41472	File Visible: -	Signed: -

Status: -


Name: raspptp.sys

Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys

Address: 0xF867F000	Size: 48384	File Visible: -	Signed: -

Status: -


Name: raspti.sys

Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys

Address: 0xF51FB000	Size: 16512	File Visible: -	Signed: -

Status: -


Name: RAW

Image Path: \FileSystem\RAW

Address: 0x804D7000	Size: 2190592	File Visible: -	Signed: -

Status: -


Name: rdbss.sys

Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys

Address: 0xB2E93000	Size: 175744	File Visible: -	Signed: -

Status: -


Name: RDPCDD.sys

Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys

Address: 0xF89D1000	Size: 4224	File Visible: -	Signed: -

Status: -


Name: rdpdr.sys

Image Path: C:\WINDOWS\system32\DRIVERS\rdpdr.sys

Address: 0xF087B000	Size: 196224	File Visible: -	Signed: -

Status: -


Name: redbook.sys

Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys

Address: 0xF861F000	Size: 58880	File Visible: -	Signed: -

Status: -


Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xB0485000	Size: 49152	File Visible: No	Signed: -

Status: -


Name: SCDEmu.SYS

Image Path: C:\WINDOWS\System32\Drivers\SCDEmu.SYS

Address: 0xF856F000	Size: 55904	File Visible: -	Signed: -

Status: -


Name: SCSIPORT.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS

Address: 0xF83B1000	Size: 98304	File Visible: -	Signed: -

Status: -


Name: serenum.sys

Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys

Address: 0xF8973000	Size: 15744	File Visible: -	Signed: -

Status: -


Name: serial.sys

Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys

Address: 0xF862F000	Size: 65280	File Visible: -	Signed: -

Status: -


Name: Si3112.sys

Image Path: Si3112.sys

Address: 0xF84CF000	Size: 62336	File Visible: -	Signed: -

Status: -


Name: SI3112r.sys

Image Path: SI3112r.sys

Address: 0xF83C9000	Size: 97408	File Visible: -	Signed: -

Status: -


Name: Si3114r5.sys

Image Path: Si3114r5.sys

Address: 0xF837D000	Size: 212992	File Visible: -	Signed: -

Status: -


Name: Si3124.sys

Image Path: Si3124.sys

Address: 0xF836C000	Size: 69248	File Visible: -	Signed: -

Status: -


Name: Si3132.sys

Image Path: Si3132.sys

Address: 0xF835B000	Size: 67712	File Visible: -	Signed: -

Status: -


Name: Si3132r5.sys

Image Path: Si3132r5.sys

Address: 0xF8324000	Size: 225280	File Visible: -	Signed: -

Status: -


Name: Si3531.sys

Image Path: Si3531.sys

Address: 0xF82EE000	Size: 221184	File Visible: -	Signed: -

Status: -


Name: SiWinAcc.sys

Image Path: SiWinAcc.sys

Address: 0xF88B3000	Size: 10240	File Visible: -	Signed: -

Status: -


Name: sr.sys

Image Path: sr.sys

Address: 0xF828A000	Size: 73472	File Visible: -	Signed: -

Status: -


Name: srv.sys

Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys

Address: 0xB00B7000	Size: 353792	File Visible: -	Signed: -

Status: -


Name: swenum.sys

Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys

Address: 0xF89B7000	Size: 4352	File Visible: -	Signed: -

Status: -


Name: sysaudio.sys

Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys

Address: 0xF5439000	Size: 60800	File Visible: -	Signed: -

Status: -


Name: tcpip.sys

Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys

Address: 0xB2F1B000	Size: 361600	File Visible: -	Signed: -

Status: -


Name: TDI.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS

Address: 0xF879F000	Size: 20480	File Visible: -	Signed: -

Status: -


Name: termdd.sys

Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys

Address: 0xF525B000	Size: 40704	File Visible: -	Signed: -

Status: -


Name: ulsata2.sys

Image Path: ulsata2.sys

Address: 0xF82BC000	Size: 204800	File Visible: -	Signed: -

Status: -


Name: update.sys

Image Path: C:\WINDOWS\system32\DRIVERS\update.sys

Address: 0xF081D000	Size: 384768	File Visible: -	Signed: -

Status: -


Name: USBD.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS

Address: 0xF89BD000	Size: 8192	File Visible: -	Signed: -

Status: -


Name: usbehci.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys

Address: 0xF8767000	Size: 30208	File Visible: -	Signed: -

Status: -


Name: usbhub.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys

Address: 0xF857F000	Size: 59520	File Visible: -	Signed: -

Status: -


Name: usbohci.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbohci.sys

Address: 0xF875F000	Size: 17152	File Visible: -	Signed: -

Status: -


Name: USBPORT.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS

Address: 0xF80C5000	Size: 147456	File Visible: -	Signed: -

Status: -


Name: vga.sys

Image Path: C:\WINDOWS\System32\drivers\vga.sys

Address: 0xF883F000	Size: 20992	File Visible: -	Signed: -

Status: -


Name: VIDEOPRT.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS

Address: 0xF6F85000	Size: 81920	File Visible: -	Signed: -

Status: -


Name: VolSnap.sys

Image Path: VolSnap.sys

Address: 0xF84BF000	Size: 52864	File Visible: -	Signed: -

Status: -


Name: wanarp.sys

Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys

Address: 0xF6EC9000	Size: 34560	File Visible: -	Signed: -

Status: -


Name: watchdog.sys

Image Path: C:\WINDOWS\System32\watchdog.sys

Address: 0xF87D7000	Size: 20480	File Visible: -	Signed: -

Status: -


Name: wdmaud.sys

Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys

Address: 0xB03E4000	Size: 83072	File Visible: -	Signed: -

Status: -


Name: Win32k

Image Path: \Driver\Win32k

Address: 0xBF800000	Size: 1863680	File Visible: -	Signed: -

Status: -


Name: win32k.sys

Image Path: C:\WINDOWS\System32\win32k.sys

Address: 0xBF800000	Size: 1863680	File Visible: -	Signed: -

Status: -


Name: WMILIB.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS

Address: 0xF89A1000	Size: 8192	File Visible: -	Signed: -

Status: -


Name: WMIxWDM

Image Path: \Driver\WMIxWDM

Address: 0x804D7000	Size: 2190592	File Visible: -	Signed: -

Status: -

Scanning in the Files and Hidden Services tabs caused three spontaneous restarts (2x in the first case and once in the second); besides that, after rescanning Drivers the files marked "No" changed to different ones.

ComboFix log: http://www.wklejto.pl/57613

Paste the contents of logs on wklej.org, wklej.to or nopaste.pl, and put the link in your post.

SystemLook is used only when you need to check whether some file exists on the system, its MD5 sum, size, etc.

I don't understand why you pasted something like this into it:

In no case do you take scripts from other people's cases.

As for the problem: there is no rootkit here, and the VirusTotal scan does not indicate that this file is infected.

The size of this file also points to that, since it is correct (96512 bytes).

Use OTC.
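As an added example (not part of this thread and not code from RootRepeal, ESET or any other tool named here), the script below parses a RootRepeal-style "Drivers" listing like the one pasted above and applies the two checks the reply relies on: which drivers the scanner reports as not visible on disk, and whether a driver's reported size matches a known-good value. The known-good table is an assumption: it contains only the 96512-byte atapi.sys size the reply calls correct for this XP SP3 system. The sample log text is constructed, and `constructed_hidden.sys` is a made-up entry.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in RootRepeal's "Drivers" layout. The first two entries
# mirror the log in this thread; constructed_hidden.sys is made up so the
# "File Visible: No" check fires on something other than the scanner's own driver.
SAMPLE_LOG = """\
Drivers
-------------------
Name: atapi.sys
Image Path: atapi.sys
Address: 0xF83E1000\tSize: 96512\tFile Visible: -\tSigned: -
Status: -

Name: rootrepeal.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\rootrepeal.sys
Address: 0xB0485000\tSize: 49152\tFile Visible: No\tSigned: -
Status: -

Name: constructed_hidden.sys
Image Path: C:\\WINDOWS\\system32\\DRIVERS\\constructed_hidden.sys
Address: 0xF0000000\tSize: 12345\tFile Visible: No\tSigned: -
Status: -
"""

# Assumption: expected on-disk sizes for this particular build. The only entry
# is the atapi.sys size the reply above calls correct (XP SP3); extend per system.
KNOWN_SIZES = {"atapi.sys": 96512}

# "Key: value" pairs on the Address line, whether tab or space separated.
FIELD_RE = re.compile(r"([A-Za-z ]+?):\s*(\S+)")


def parse_drivers(log: str) -> List[Dict[str, str]]:
    """Turn the Drivers section into a list of dicts, one per driver entry."""
    entries: List[Dict[str, str]] = []
    cur: Dict[str, str] = {}
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Drivers", "---", "===")):
            continue
        if line.startswith("Name:"):
            if cur:
                entries.append(cur)
            cur = {"name": line.split(":", 1)[1].strip()}
        elif line.startswith("Image Path:"):
            # split once so the drive-letter colon in C:\... survives
            cur["path"] = line.split(":", 1)[1].strip()
        elif line.startswith("Address:"):
            # yields address, size, file_visible, signed
            for key, val in FIELD_RE.findall(line):
                cur[key.strip().lower().replace(" ", "_")] = val
        elif line.startswith("Status:"):
            cur["status"] = line.split(":", 1)[1].strip()
    if cur:
        entries.append(cur)
    return entries


def hidden_drivers(entries: List[Dict[str, str]]) -> List[str]:
    """Names the scanner flagged as not visible through the normal file API."""
    return [e["name"] for e in entries if e.get("file_visible", "-").lower() == "no"]


def size_mismatches(entries: List[Dict[str, str]],
                    known: Dict[str, int] = KNOWN_SIZES) -> List[Tuple[str, int, int]]:
    """(name, reported, expected) for drivers whose size differs from the table."""
    out: List[Tuple[str, int, int]] = []
    for e in entries:
        expected = known.get(e["name"].lower())
        if expected is not None and int(e["size"]) != expected:
            out.append((e["name"], int(e["size"]), expected))
    return out


def report(log: str) -> str:
    """Human-readable summary of both checks for one Drivers listing."""
    entries = parse_drivers(log)
    lines = [f"{len(entries)} drivers parsed"]
    for name in hidden_drivers(entries):
        lines.append(f"hidden on disk: {name}")
    for name, got, exp in size_mismatches(entries):
        lines.append(f"size mismatch: {name} reported {got}, expected {exp}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
    # Tampered copy of the sample, to show the size check firing.
    print(report(SAMPLE_LOG.replace("Size: 96512", "Size: 95360")))
```

Run against the full listing above, the only "File Visible: No" hit is rootrepeal.sys, which is the scanner's own driver and the expected benign result; the size table is a weak heuristic for a single build, and a hash comparison (as the reply suggests with SystemLook's MD5 output) is the stronger check when a size does not match.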

What should I do with these files

_iu14D2N.tmp ~DF1C92.tmp

Object: Hidden Code [ETHREAD] Process: System Address: 0x814c0930 Size: 1000

OK, fine, but that result, surely you don't think it's a mistake or, worse, that it's correct

eSafe 7.0.17.0 2010.02.11 Win32.Rootkit

OTC - done.