Problem z ntkrnlpa, Kernel Mode Rootkit, ZwCreateKey itp

Witam :slight_smile: Prawdopodobnie mam do czynienia z Kernel Mode Rootkit i co się za tym wiąże ze strAAAsznym obciążeniem procesora i zamułą dysku, ale nie mam pojęcia jak to usunąć, dlatego załączam log z HijackThis i proszę o jego sprawdzenie :smiley:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:42:42, on 2008-08-27

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Alwil Software\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\LVComsX.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Windows Live\Mail\wlmail.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O3 - Toolbar: &Tłumaczenie - {0D704FAD-66E9-4F0A-BFED-4F665770DDB3} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll

O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM…\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKCU…\Run: [New Application] C:\Program Files\Alwil Software\Avast4\ashDisp.exe

O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray

O4 - HKCU…\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra ‘Tools’ menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: (no name) - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll

O9 - Extra ‘Tools’ menuitem: @C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll,-103 - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINDOWS\system32\shdocvw.dll

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms … b56986.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-U … E_UNO1.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI … b56649.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me … b56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi … b56986.cab

O23 - Service: a-squared Free Service (a2free) - - (no file)

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

End of file - 5612 bytes

i log z ComboFix’a

ComboFix 08-08-26.03 - Ja 2008-08-27 19:48:58.1 - NTFSx86

Running from: C:\Documents and Settings\Ja\Pulpit\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\Ja\Dane aplikacji\macromedia\Flash Player#SharedObjects\7A8UPFMM\bin.clearspring.com

C:\Documents and Settings\Ja\Dane aplikacji\macromedia\Flash Player#SharedObjects\7A8UPFMM\bin.clearspring.com\clearspring.sol

C:\Documents and Settings\Ja\Dane aplikacji\macromedia\Flash Player\macromedia.com\support\flashplayer\sys#bin.clearspring.com

C:\Documents and Settings\Ja\Dane aplikacji\macromedia\Flash Player\macromedia.com\support\flashplayer\sys#bin.clearspring.com\settings.sol

C:\WINDOWS\system32\drivers\rkhdrv10.sys

.

((((((((((((((((((((((((( Files Created from 2008-07-27 to 2008-08-27 )))))))))))))))))))))))))))))))

.

2008-08-27 16:29 . 2008-08-27 16:29 67 --a------ C:\Ntf2.tmp

2008-08-27 16:29 . 2008-08-27 16:29 67 --a------ C:\Ntf1.tmp

2008-08-27 15:56 . 2008-08-27 15:56

2008-08-27 15:56 . 2004-05-04 12:53 1,645,320 --a------ C:\WINDOWS\system32\gdiplus.dll

2008-07-29 19:15 . 2008-07-29 19:18

2008-07-29 19:15 . 2008-07-30 21:51

2008-07-29 17:32 . 2008-07-29 17:36

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-23 12:27 --------- d-----w C:\Documents and Settings\Ja\Dane aplikacji\MyPhoneExplorer

2008-07-25 11:51 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\WLInstaller

2008-07-22 20:09 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\FLEXnet

2008-07-22 20:05 --------- d-----w C:\Program Files\Common Files\Adobe

2008-07-22 20:04 --------- d-----w C:\Program Files\Bonjour

2008-07-22 19:53 --------- d-----w C:\Program Files\Common Files\Macrovision Shared

2008-07-22 15:47 --------- d-----w C:\Program Files\Szotgan Software

2008-07-22 12:44 --------- d-----w C:\Program Files\Windows Live Safety Center

2008-07-20 16:04 --------- d-----w C:\Program Files\Yahoo!

2008-07-10 12:00 --------- d-----w C:\Documents and Settings\Ja\Dane aplikacji\Gadu-Gadu

2008-07-10 11:57 --------- d-----w C:\Program Files\Gadu-Gadu

2008-07-08 13:16 --------- d-----w C:\Documents and Settings\Ja\Dane aplikacji\GanymedeNet

2008-07-08 13:00 --------- d-----w C:\Program Files\Ganymede

2008-07-07 20:33 253,952 ----a-w C:\WINDOWS\system32\es.dll

2008-07-03 19:32 --------- d-----w C:\Program Files\QuickTime Alternative

2008-07-03 19:32 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Apple Computer

2008-07-02 09:57 --------- d-----w C:\Program Files\WapSter

2008-07-02 09:43 --------- d-----w C:\Program Files\Windows Media Connect 2

2008-07-02 09:43 --------- d-----w C:\Program Files\Windows Live Toolbar

2008-07-02 09:43 --------- d-----w C:\Program Files\SubEdit-Player

2008-07-02 09:43 --------- d-----w C:\Program Files\Real Alternative

2008-07-02 09:37 --------- d–h--w C:\Program Files\InstallShield Installation Information

2008-07-02 09:37 --------- d-----w C:\Program Files\CyberLink

2008-07-02 09:36 --------- d-----w C:\Program Files\VS Revo Group

2008-06-24 16:24 74,240 ----a-w C:\WINDOWS\system32\mscms.dll

2008-06-23 16:42 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

2008-06-20 17:42 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll

2007-07-20 10:51 87,608 -c–a-w C:\Documents and Settings\Ja\Dane aplikacji\ezpinst.exe

2007-07-20 10:51 47,360 -c–a-w C:\Documents and Settings\Ja\Dane aplikacji\pcouffin.sys

.

------- Sigcheck -------

2004-08-04 00:44 14336 ba98327e90022dbd6ee76490e0622e2e C:\WINDOWS\system32\svchost.exe

2004-08-04 00:44 14336 ba98327e90022dbd6ee76490e0622e2e C:\WINDOWS\system32\dllcache\svchost.exe

2005-03-02 20:21 578560 6a93565be9b8422eb7538c66ac732d76 C:\WINDOWS$hf_mig$\KB890859\SP2QFE\user32.dll

2007-03-08 17:51 579584 11abdecc02efc1d2b6a6a0fa46c26594 C:\WINDOWS$hf_mig$\KB925902\SP2QFE\user32.dll

2004-08-04 00:44 578560 0c81764f50f32d376e6e4b9e9f4b01a0 C:\WINDOWS$NtUninstallKB890859$\user32.dll

2005-03-02 20:18 578560 b7eeb1a1af740306049241ddf61f21ff C:\WINDOWS$NtUninstallKB925902$\user32.dll

2007-03-08 17:38 579072 a37a4637f84f8dd771274eaf8d17fa65 C:\WINDOWS\system32\user32.dll

2007-03-08 17:38 579072 a37a4637f84f8dd771274eaf8d17fa65 C:\WINDOWS\system32\dllcache\user32.dll

2004-08-04 00:44 82944 ab82237486b727dd7dab36a76f38a3a2 C:\WINDOWS\system32\ws2_32.dll

2004-08-04 00:44 82944 ab82237486b727dd7dab36a76f38a3a2 C:\WINDOWS\system32\dllcache\ws2_32.dll

2004-08-04 00:44 504832 0344407089b08548d4feba62bb0f32d0 C:\WINDOWS\system32\winlogon.exe

2004-08-04 00:44 504832 0344407089b08548d4feba62bb0f32d0 C:\WINDOWS\system32\dllcache\winlogon.exe

2004-08-03 23:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\dllcache\ndis.sys

2004-08-03 23:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\dllcache\ip6fw.sys

2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys

2005-03-02 20:14 2058240 35d11fdc381536ab95e3005489131f44 C:\WINDOWS$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe

2006-12-19 20:47 2060672 4a447a38f3d164bb634d20d0a2c6833b C:\WINDOWS$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe

2007-02-28 18:09 2060672 2f4a36b1b03d64fb176cb0f3eb597118 C:\WINDOWS$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe

2004-08-04 00:54 2016768 33fdad88eec315ee4cfb147fb19fd2b6 C:\WINDOWS$NtUninstallKB890859$\ntkrnlpa.exe

2005-03-02 20:09 2016768 83736df906f9a381027eda339d782d4b C:\WINDOWS$NtUninstallKB929338$\ntkrnlpa.exe

2006-12-19 20:24 2017280 ceaef80478e5ebf6cc5c4f0e44aad9a4 C:\WINDOWS$NtUninstallKB931784$\ntkrnlpa.exe

2007-02-28 18:04 2058880 2bdc1a6cefe320e9c39fabf1961ebb9d C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe

2007-02-28 18:04 2017280 79a75fd889d9f1ee90582c9d6f70c912 C:\WINDOWS\system32\ntkrnlpa.exe

2007-02-28 18:04 2058880 2bdc1a6cefe320e9c39fabf1961ebb9d C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

2005-03-02 20:14 2180864 dba3e4215279c8012b37d2135b531258 C:\WINDOWS$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe

2006-12-19 20:47 2183296 745c1a081aa663ea324e87432c244f70 C:\WINDOWS$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe

2007-02-28 18:09 2183424 c450518ef9acc02a2d799698021e31a8 C:\WINDOWS$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe

2004-08-04 00:38 2149888 a1b8225d45ef88fa294fe1e371bb594a C:\WINDOWS$NtUninstallKB890859$\ntoskrnl.exe

2005-03-02 20:08 2137088 85e7eea3a7934823769a4307d8867084 C:\WINDOWS$NtUninstallKB929338$\ntoskrnl.exe

2006-12-19 20:24 2137600 70a3e8b0661cf028776544c471f9c900 C:\WINDOWS$NtUninstallKB931784$\ntoskrnl.exe

2007-02-28 18:04 2181632 c378be3a1edc5e4421d428655ac4a48c C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe

2007-02-28 18:04 2137600 56eb75a8fc9adfe0455c3f44e7b6dc3c C:\WINDOWS\system32\ntoskrnl.exe

2007-02-28 18:04 2181632 c378be3a1edc5e4421d428655ac4a48c C:\WINDOWS\system32\dllcache\ntoskrnl.exe

2007-06-13 15:23 1034752 029a562e81bbee088c61d418bf408f44 C:\WINDOWS\explorer.exe

2007-06-13 15:12 1034752 8db0650b211425b9cdb7d1c4a8f6b482 C:\WINDOWS$hf_mig$\KB938828\SP2QFE\explorer.exe

2004-08-04 00:44 1033728 379098a96e6c165b659de7e4328010ea C:\WINDOWS$NtUninstallKB938828$\explorer.exe

2007-06-13 15:23 1034752 029a562e81bbee088c61d418bf408f44 C:\WINDOWS\system32\dllcache\explorer.exe

2004-08-04 00:44 108544 3da8d964d2cc12ef8e8c342471a37917 C:\WINDOWS\system32\services.exe

2004-08-04 00:44 108544 3da8d964d2cc12ef8e8c342471a37917 C:\WINDOWS\system32\dllcache\services.exe

2004-08-04 00:44 13312 f485fefc8cc4fd29243d800be5d275d1 C:\WINDOWS\system32\lsass.exe

2004-08-04 00:44 13312 f485fefc8cc4fd29243d800be5d275d1 C:\WINDOWS\system32\dllcache\lsass.exe

2004-08-04 00:44 15360 cbfa30492d70ce3938d8a7783d0c0436 C:\WINDOWS\system32\ctfmon.exe

2004-08-04 00:44 15360 cbfa30492d70ce3938d8a7783d0c0436 C:\WINDOWS\system32\dllcache\ctfmon.exe

2005-06-11 02:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS$hf_mig$\KB896423\SP2QFE\spoolsv.exe

2004-08-04 00:44 57856 bebe8a85954ff460374fd5a0cd21e19b C:\WINDOWS$NtUninstallKB896423$\spoolsv.exe

2005-06-11 01:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f C:\WINDOWS\system32\spoolsv.exe

2005-06-11 01:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f C:\WINDOWS\system32\dllcache\spoolsv.exe

2004-08-04 00:44 25088 bd768099b4c44aa631728cb74eb54396 C:\WINDOWS\system32\userinit.exe

2004-08-04 00:44 25088 bd768099b4c44aa631728cb74eb54396 C:\WINDOWS\system32\dllcache\userinit.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“New Application”=“C:\Program Files\Alwil Software\Avast4\ashDisp.exe” [2008-07-19 16:38 78008]

“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 00:44 15360]

“Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-07-09 09:39 2119104]

“AdobeUpdater”=“C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe” [2007-02-28 23:06 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2006-06-01 11:22 7618560]

“SmcService”=“C:\PROGRA~1\Sygate\SPF\smc.exe” [2004-10-15 19:40 2577632]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

“{56F9679E-7826-4C84-81F3-532071A8BCC5}”= “C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll” [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

“VIDC.AP41”= APmpg4v1.dll

“vidc.yv12”= yv12vfw.dll

“msacm.divxa32”= divxa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

“LogitechVideoTray”=C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

“LogitechVideoRepair”=C:\Program Files\Logitech\Video\ISStart.exe

“Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”

“LVCOMSX”=C:\WINDOWS\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

“DisableMonitoring”=dword:00000001

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

“%windir%\system32\sessmgr.exe”=

“C:\Program Files\Gadu-Gadu\gg.exe”=

“C:\Program Files\SopCast\SopCast.exe”=

“C:\Documents and Settings\Ja\Dane aplikacji\SopCast\adv\SopAdver.exe”=

“C:\Program Files\Messenger\msmsgs.exe”=

“%windir%\Network Diagnostic\xpnetdiag.exe”=

“C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe”=

“C:\Program Files\Windows Live\Messenger\msnmsgr.exe”=

“C:\Program Files\Windows Live\Messenger\livecall.exe”=

“C:\Program Files\BearShare Applications\BearShare\BearShare.exe”=

“C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe”=

“C:\Program Files\Yahoo!\Messenger\YServer.exe”=

“C:\Program Files\Bonjour\mDNSResponder.exe”=

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

“3154:UDP”= 3154:UDP:Windows Media Format SDK (firefox.exe)

“3155:UDP”= 3155:UDP:Windows Media Format SDK (firefox.exe)

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 16:35]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 16:37]

S3 axsaki;axsaki;C:\WINDOWS\system32\DRIVERS\axsaki.sys [2003-03-30 21:38]

S3 axskbus;axskbus;C:\WINDOWS\system32\DRIVERS\axskbus.sys [2003-03-28 11:58]

S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\2F.tmp []

S3 PID_0920;Logitech QuickCam Express(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS [2005-01-31 12:13]

*Newly Created Service* - CATCHME

*Newly Created Service* - PROCEXP90

*Newly Created Service* - RKHDRV10

*Newly Created Service* - RKREVEAL150

.

Contents of the ‘Scheduled Tasks’ folder

2008-08-27 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job

  • C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]

.

.

------- Supplementary Scan -------

.

FireFox -: Profile - C:\Documents and Settings\Ja\Dane aplikacji\Mozilla\Firefox\Profiles\ka956kf0.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - http:/onet.pl

FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPBILLARD14.dll

FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPBILLARD8.dll

FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPBILLARD8UK.dll

FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPBILLARDT.dll

FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPBOARDS.dll

FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPCARDS.dll

FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npcnmozillainterface.dll

FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPFxViewer.dll

FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npganymedenet.dll

FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPMAHJONG.dll

FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPMARBLES.dll

FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPNAVY.dll

FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPPOKER.dll

FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPROULETTE.dll

FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPSLOTS70.dll

FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPSNOOKER.dll

FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPWORDS.dll

FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-27 19:51:44

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]

“ImagePath”="??\C:\WINDOWS\system32\2F.tmp"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsdatant]

“ImagePath”=""

.

Completion time: 2008-08-27 19:54:16

ComboFix-quarantined-files.txt 2008-08-27 17:54:05

Pre-Run: 34,103,300,096 bajtów wolnych

Post-Run: 34,139,119,616 bajtów wolnych

209 — E O F — 2008-08-26 15:50:37

fix w hiajckthis

Pobierz ComboFix, ale nie uruchamiaj

Otwórz notatnik i wklej do niego:

File::

C:\Ntf2.tmp

C:\Ntf1.tmp


Driver::

a2free

MEMSWEEP2

Plik -> zapisz jako -> CFScript.txt.

Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu->

cfscript10uc2.gif

Rozpocznie się usuwanie i powstanie log, który dasz na forum.

Zastosuj MBR.EXE i daj log wygenerowany przez narzędzie.

Logi dajesz na http://wklej.eu lub na http://wklej.org a w poście dajesz tylko link

Wszystko powyżej wykonane :smiley:

A teraz załączam logi z:

A tak na marginesie to co to jest: ZwClose, ZwCreateKey itp…? Bo gdzieś na forum czytałam, że to jest najgrożniejszy :roll: rootkit i trochę mnie strach obleciał, że mi kompa rozwali :smiley:

Pobierz program SDFix

W awaryjnym wszystko już załatwiłam :slight_smile:

Teraz daje logi z :

Proszę o sprawdzenie, czy już wszystko w porządku :slight_smile:

Usuń teraz tylko C:\Sdfix

Prawoklik na Mój Komputer>>>>Właściwości>>Przywracanie systemu>> wyłącz przywracanie systemu na wszystkich dyskach.

Będzie Ok

OK, :slight_smile: Dzięki wielkie za pomoc :slight_smile: