I picked up something like this in C:\System Volume Information:
Win32: Rootkit-gen [Rtk]
name: Rootkit
Win32:Kavos [Trj] Trojan horse
VPS version: 090505-0, 2009-05-05
How do I get rid of it? I downloaded ComboFix; could someone look over what it generated after I scanned with it? I'm a woman trying to sort this out on my own, but I don't know if I can manage it. I'd be grateful for any advice.
ComboFix 09-05-05.04 - lhuulu 2009-05-06 13:03.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.48.1045.18.1023.620 [GMT 2:00]
Uruchomiony z: c:\documents and settings\lhuulu\Pulpit\ComboFix.exe
Użyto następujących komend :: c:\documents and settings\lhuulu\Pulpit\CFScript.txt.txt
AV: avast! antivirus 4.8.1335 [VPS 090505-0] *On-access scanning disabled* (Updated)
.
((((((((((((((((((((((((( Pliki utworzone od 2009-04-06 do 2009-05-06 )))))))))))))))))))))))))))))))
.
2009-04-17 04:16 . 2009-04-17 04:16 -------- d-----w c:\documents and settings\lhuulu\.gstreamer-0.10
2009-04-17 04:13 . 2009-04-17 04:13 -------- d-----w c:\program files\Nowe Gadu-Gadu
2009-04-16 03:50 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 03:50 . 2009-03-06 14:22 285696 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 03:50 . 2009-02-09 11:25 111104 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 03:50 . 2009-02-09 10:53 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 03:50 . 2009-02-09 10:53 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 03:50 . 2009-02-09 10:53 686592 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 03:50 . 2009-02-09 10:53 731136 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 03:50 . 2009-02-09 10:53 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 03:50 . 2009-02-09 10:53 722944 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 03:48 . 2008-04-21 21:16 218112 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 09:31 . 2009-04-28 05:26 -------- d-----w c:\documents and settings\lhuulu\Dane aplikacji\Nowe Gadu-Gadu
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-06 10:40 . 2006-11-14 16:20 -------- d-----w c:\program files\lg_fwupdate
2009-05-01 09:54 . 2009-03-19 20:23 -------- d-----w c:\program files\Odkurzacz
2009-04-16 12:05 . 2004-08-04 12:00 68334 ----a-w c:\windows\system32\perfc015.dat
2009-04-16 12:05 . 2004-08-04 12:00 439194 ----a-w c:\windows\system32\perfh015.dat
2009-03-19 20:40 . 2006-11-19 09:27 -------- d-----w c:\program files\QuickTime
2009-03-19 20:17 . 2006-11-19 09:27 -------- d-----w c:\program files\Common Files\Nikon
2009-03-19 19:51 . 2009-03-19 19:51 -------- d-----w c:\program files\ToniArts
2009-03-19 19:51 . 2006-11-14 15:15 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-16 21:15 . 2006-11-14 16:19 -------- d-----w c:\program files\Common Files\Adobe
2009-03-08 22:20 . 2007-03-25 17:54 -------- d-----w c:\program files\Google
2009-03-06 14:22 . 2004-08-04 12:00 285696 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:10 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 17:13 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 14:07 . 2004-08-04 12:00 1847040 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:26 . 2004-08-04 00:39 2025472 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-09 11:26 . 2004-08-04 12:00 2146816 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-09 11:25 . 2004-08-04 12:00 111104 ----a-w c:\windows\system32\services.exe
2009-02-09 10:53 . 2004-08-04 12:00 731136 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:53 . 2004-08-04 12:00 686592 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:53 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:53 . 2004-08-04 12:00 722944 ----a-w c:\windows\system32\ntdll.dll
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2004-10-01 14:00 . 2006-11-14 16:10 40960 ----a-w c:\program files\Uninstall_CDS.exe
2007-01-29 13:11 . 2007-01-29 13:08 848 --sha-w c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-05-06_04.58.13 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-05-06 10:40 . 2009-05-06 10:40 16384 c:\windows\Temp\Perflib_Perfdata_5e8.dat
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2006-10-13 19975208]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Odkurzacz-MCD"="c:\program files\Odkurzacz\odk_mcd.exe" [2008-08-16 264704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Nowe Gadu-Gadu"="c:\program files\Nowe Gadu-Gadu\gg.exe" [2009-02-27 9339496]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2007-04-06 249856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-04-04 16120832]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Action Manager 32.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Action Manager 32.lnk
backup=c:\windows\pss\Action Manager 32.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Image Zone - szybkie uruchamianie.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\HP Image Zone - szybkie uruchamianie.lnk
backup=c:\windows\pss\HP Image Zone - szybkie uruchamianie.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^NkbMonitor.exe.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\NkbMonitor.exe.lnk
backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^lhuulu^Menu Start^Programy^Autostart^Adobe Gamma.lnk]
path=c:\documents and settings\lhuulu\Menu Start\Programy\Autostart\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"c:\Program Files\BearShare Applications\BearShare\BearShare.exe"=
"c:\Program Files\EuroPlus+ Angielski z Cambridge\data\fscommand\flchk.exe"=
"c:\Program Files\Messenger\msmsgs.exe"=
"c:\Program Files\Nowe Gadu-Gadu\gg.exe"=
"c:\Program Files\Skype\Phone\Skype.exe"=
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-05 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-04-05 20560]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09bfdf74-f4f4-11dd-9419-00161777d0d6}]
\Shell\AutoRun\command - F:\m0vnonh.bat
\Shell\open\Command - F:\m0vnonh.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2cfb6ee3-c639-11dd-9330-00161777d0d6}]
\Shell\Auto\command - F:\Start.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e76ecc32-8aa7-11db-ae16-00161777d0d6}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Zawartość folderu 'Zaplanowane zadania'
2009-05-03 c:\windows\Tasks\HPpromotions journeysoftware.job
- c:\program files\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe [2005-04-22 16:36]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.interia.pl/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Locate Spot on Map by GPS - c:\program files\Opanda\IExif 2.3\IExifMap.htm
IE: View Exif/GPS/IPTC with IExif - c:\program files\Opanda\IExif 2.3\IExifCom.htm
FF - ProfilePath - c:\documents and settings\lhuulu\Dane aplikacji\Mozilla\Firefox\Profiles\osfrmocf.default\
FF - prefs.js: browser.startup.homepage - www.interia.pl
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-06 13:04
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
skanowanie ukrytych procesów …
skanowanie ukrytych wpisów autostartu …
skanowanie ukrytych plików …
**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
- - - - - - - > 'winlogon.exe'(696)
c:\windows\system32\Ati2evxx.dll
.
Czas ukończenia: 2009-05-06 13:07
ComboFix-quarantined-files.txt 2009-05-06 11:06
ComboFix2.txt 2009-05-06 05:00
ComboFix3.txt 2009-02-07 22:48
Przed: 12 808 355 840 bajtów wolnych
Po: 12 796 559 360 bajtów wolnych
149 — E O F — 2009-04-29 05:31