Rookit w kompie

[kerli]

Witam posiadam rookita.
Gmer.

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-02-04 19:57:06
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\00000060 WDC_WD1600JS-55MHB1 rev.10.02E01
Running: mqgotij9.exe; Driver: C:\DOCUME~1\MONIA&~1\USTAWI~1\Temp\afayifog.sys


---- System - GMER 1.0.15 ----

SSDT spxc.sys ZwEnumerateKey [0xF73FDE4C]
SSDT spxc.sys ZwEnumerateValueKey [0xF73FE1DA]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 867D91F8

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] hikhixw <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

OLT: http://wklej.org/id/470160/
extras: http://wklej.org/id/470162/

[wojtas]

log z Gmera robiony w Pre Scanie popraw w nastepnym poście :
Uruchom OTL i w sekcji własne opcje skanowania / skrypt wklej:

:OTL
IE - HKU\S-1-5-21-57989841-515967899-682003330-1004\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-57989841-515967899-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/home?AF=15627
FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)"
FF - prefs.js..browser.search.defaulturl: "http://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=15627"
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
FF - prefs.js..keyword.URL: "http://search.avg.com/route/?d=4c80a141&v=6.011.025.001&i=26&tp=ab&iy=&ychte=us&lng=pl&q="
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-57989841-515967899-682003330-1004\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O33 - MountPoints2\{23a33aa7-c32c-11df-92b8-001731380b46}\Shell - "" = AutoRun
O33 - MountPoints2\{23a33aa7-c32c-11df-92b8-001731380b46}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL lDvOh.ExE
O33 - MountPoints2\{3fbb01a2-046d-11e0-bb26-001731380b46}\Shell - "" = AutoRun
O33 - MountPoints2\{3fbb01a2-046d-11e0-bb26-001731380b46}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
O33 - MountPoints2\{76c09f28-b729-11df-97d9-001731380b46}\Shell - "" = AutoRun
O33 - MountPoints2\{76c09f28-b729-11df-97d9-001731380b46}\Shell\AutoRun\command - "" = H:\SETUP.EXE
O33 - MountPoints2\{76c09f28-b729-11df-97d9-001731380b46}\Shell\configure\command - "" = H:\SETUP.EXE
O33 - MountPoints2\{76c09f28-b729-11df-97d9-001731380b46}\Shell\install\command - "" = H:\SETUP.EXE

:Files
C:\Documents and Settings\Monia&Kinga\Dane aplikacji\AVG10
C:\Documents and Settings\Monia&Kinga\Dane aplikacji\BabylonToolbar
C:\Documents and Settings\All Users\Dane aplikacji\AVG10
C:\Documents and Settings\All Users\Dane aplikacji\avg9
C:\WINDOWS\System32\cjozaf.dll
C:\WINDOWS\System32\drivers\sals.sys
C:\Documents and Settings\Monia&Kinga\Dane aplikacji\Mozilla\Firefox\Profiles\uqzyj740.default\searchplugins\gfxtbsearch.xml

:Reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]

:Services
hikhixw

:Commands
[emptytemp]
[emptyflash]

Kliknij wykonaj skrypt. I potwierdź reset komputera .

Następnie uruchamiasz OTL z opcją skanuj. Pokazujesz nowy log OTL.txt oraz raport z czyszczenia (zawartość notatnika, która otworzy się po restarcie). + Gmer