Powolne działanie systemu, rootkit, inne

[heymen]

Witam!

Po pewnej nieobecności wróciłem do domu. Po włączeniu stacjonarnego komputera zauważyłem jego powolne działanie (bardzo powolne uruchamianie się różnych aplikacji). Nie dało się uruchomić antywirusów (skanerów online czy też normalnie przez exe). Chcąc sprawdzić gmerem w pierwszej części szukania (automatycznej) wykazuje komunikat:

Kod: Zaznacz wszystko

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit quick scan 2011-06-11 17:18:56
Windows 5.0.2195 Service Pack 4 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-2 WDC_WD400BB-00DGA0 rev.05.03E05
Running: w5869cm9.exe; Driver: C:\DOCUME~1\Grzesik\USTAWI~1\Temp\kxldqpow.sys


---- Services - GMER 1.0.15 ----

Service  C:\WINNT\system32\MSTask.exe? (*** hidden *** )  [AUTO] Schedule   <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

Chcąc włączyć drugie szukanie (dokładnie i długie) po niecałej minucie pojawia się niebieski ekran (mniej więcej coś o pamięci), a następnie komputer się restartuje. Więc skanowanie gmerem odpada póki co. Oczywiście deamon toolsów nie mam, a także plików sptd.

OTL:
- otl - http://www.wklej.org/id/544656/
- extras - http://www.wklej.org/id/544658/

[wojtas]

spróbuj skasować te pliki: do kosza ręcznie

[2009-02-10 22:50:02 | 000,000,000 | ---- | M] ()(C:\WINNT\?) -- C:\WINNT\὚
[2009-02-10 22:50:02 | 000,000,000 | ---- | C] ()(C:\WINNT\?) -- C:\WINNT\὚

ten plik/i :

C:\WINNT\System32\internat.exe

przeskanuj tu
http://virusscan.jotti.org/
i tu :
http://www.virustotal.com/

i daj raporty ze skanu w następnym poście

Uruchom OTL i w sekcji własne opcje skanowania / skrypt wklej:

:OTL
O3 - HKU\S-1-5-21-1715567821-1770027372-839522115-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-1715567821-1770027372-839522115-1000\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O16 - DPF: {31564D57-0000-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/wmvax.cab (Reg Error: Key error.)
O16 - DPF: {32564D57-0000-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/wmv8ax.cab (Reg Error: Key error.)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} http://www.eset.eu/buxus/docs/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38228.9570833333 (Reg Error: Key error.)
O20 - Winlogon\Notify\wzcnotif: DllName - wzcdlg.dll - C:\WINNT\System32\wzcdlg.dll (Microsoft Corporation)
@Alternate Data Stream - 6900 bytes -> C:\Documents and Settings\Grzesik\Pulpit\70be1d7dfc.jpeg:Q30lsldxJoudresxAaaqpcawXc
@Alternate Data Stream - 176 bytes -> C:\Documents and Settings\All Users\Dane aplikacji\TEMP:0CE7F3C9
@Alternate Data Stream - 13164 bytes -> C:\Documents and Settings\Grzesik\Pulpit\dowod.JPG:Q30lsldxJoudresxAaaqpcawXc
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Dane aplikacji\TEMP:BC359956

:Files
C:\WINNT\system32\MSTask.exe?

:Services
Schedule

:Commands
[emptytemp]
[emptyflash]

Kliknij wykonaj skrypt. I potwierdź reset komputera .

Następnie uruchamiasz OTL z opcją skanuj. Pokazujesz nowy log OTL.txt oraz raport z czyszczenia (zawartość notatnika, która otworzy się po restarcie). + Gmer ( spróbuj cały skan wykonać ) , może w awaryjnym się uda

[heymen]

Kod: Zaznacz wszystko

[ArcaVir]    
2011-06-12 Nic nie znaleziono
   [F-Secure Anti-Virus]    
2011-06-12 Nic nie znaleziono
[Avast! antivirus]    
2011-06-12 Nic nie znaleziono
   [G DATA]    
2011-06-12 Nic nie znaleziono
[Grisoft AVG Anti-Virus]    
2011-06-12 Nic nie znaleziono
   [Ikarus]    
2011-06-12 Nic nie znaleziono
[Avira AntiVir]    
2011-06-11 Nic nie znaleziono
   [Kaspersky Anti-Virus]    
2011-06-12 Nic nie znaleziono
[Softwin BitDefender]    
2011-06-12 Nic nie znaleziono
   [ESET NOD32]    
2011-06-11 Nic nie znaleziono
[ClamAV]    
2011-06-12 Nic nie znaleziono
   [Panda Antivirus]    
2011-06-10 Nic nie znaleziono
[CPsecure]    
2011-06-12 Nic nie znaleziono
   [Quick Heal]    
2011-06-12 Nic nie znaleziono
[Dr.Web]    
2011-06-08 Nic nie znaleziono
   [Sophos]    
2011-06-12 Nic nie znaleziono
[Emsisoft Anti-Malware]    
2011-06-12 Nic nie znaleziono
   [VirusBlokAda VBA32]    
2011-06-09 Nic nie znaleziono
[Frisk F-Prot Antivirus]    
2011-06-11 Nic nie znaleziono
   [VirusBuster]    
2011-06-11 Nic nie znaleziono

Kod: Zaznacz wszystko

Antivirus    Version    Last Update    Result
AhnLab-V3    2011.01.16.00    2011.01.16    -
AntiVir    7.11.1.146    2011.01.16    -
Antiy-AVL    2.0.3.7    2011.01.17    -
Avast    4.8.1351.0    2011.01.16    -
Avast5    5.0.677.0    2011.01.16    -
AVG    10.0.0.1190    2011.01.17    -
BitDefender    7.2    2011.01.17    -
CAT-QuickHeal    11.00    2011.01.17    -
ClamAV    0.96.4.0    2011.01.17    -
Command    5.2.11.5    2011.01.16    -
Comodo    7415    2011.01.17    -
DrWeb    5.0.2.03300    2011.01.17    -
Emsisoft    5.1.0.1    2011.01.17    -
eSafe    7.0.17.0    2011.01.13    -
eTrust-Vet    36.1.8100    2011.01.14    -
F-Prot    4.6.2.117    2011.01.16    -
F-Secure    9.0.16160.0    2011.01.17    -
Fortinet    4.2.254.0    2011.01.16    -
GData    21    2011.01.17    -
Ikarus    T3.1.1.97.0    2011.01.17    -
Jiangmin    13.0.900    2011.01.17    -
K7AntiVirus    9.75.3548    2011.01.14    -
Kaspersky    7.0.0.125    2011.01.17    -
McAfee    5.400.0.1158    2011.01.17    -
McAfee-GW-Edition    2010.1C    2011.01.16    -
Microsoft    1.6402    2011.01.17    -
NOD32    5792    2011.01.16    -
Norman    6.06.12    2011.01.16    -
nProtect    2011-01-16.01    2011.01.16    -
Panda    10.0.2.7    2011.01.16    -
PCTools    7.0.3.5    2011.01.17    -
Prevx    3.0    2011.01.17    -
Rising    22.83.00.00    2011.01.17    -
Sophos    4.61.0    2011.01.17    -
SUPERAntiSpyware    4.40.0.1006    2011.01.17    -
Symantec    20101.3.0.103    2011.01.17    -
TheHacker    6.7.0.1.115    2011.01.14    -
TrendMicro    9.120.0.1004    2011.01.17    -
TrendMicro-HouseCall    9.120.0.1004    2011.01.17    -
VBA32    3.12.14.2    2011.01.14    -
VIPRE    8096    2011.01.17    -
ViRobot    2011.1.17.4257    2011.01.17    -
VirusBuster    13.6.149.0    2011.01.16    -
Additional information
MD5   : 1763d4c030f742a6b4e09f4adddb9d8f
SHA1  : 631253027786250ca5dbff8cc1b91ff21209647a
SHA256: 05514e926980fc9da8b3eaab3d23daeadbad9ceaa2ad98c4cac3f237908c13fc
ssdeep: 384:/oKb+sAV6Hh+N6lKoRws2FuwPrNkBgYqu2cFAfoG5/V2W3:/KsAC+m52FuArWaYqu2cFs/5
File size : 20752 bytes
First seen: 2009-04-09 12:25:46
Last seen : 2011-01-17 06:11:29
Magic: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID:
Win64 Executable Generic (80.9%)
Win32 Executable Generic (8.0%)
Win32 Dynamic Link Library (generic) (7.1%)
Generic Win/DOS Executable (1.8%)
DOS Executable Generic (1.8%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: Copyright (C) Microsoft Corp. 1994-1999
product......: System operacyjny Microsoft(R) Windows (R) 2000
description..: Aplikacja wska_nika j_zyka klawiatury
original name: INTERNAT.EXE
internal name: INTERNAT
file version.: 5.00.2920.0000
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEiD: -
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x409F
timedatestamp....: 0x37ECAF14 (Sat Sep 25 11:16:36 1999)
machinetype......: 0x14C (Intel I386)

[[ 3 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x3D60, 0x3E00, 6.25, f1a1efe90dedae5260a7d668160e66e7
.data, 0x5000, 0x26C, 0x200, 2.67, d16560892bdeb628785dff762f0ff5e4
.rsrc, 0x6000, 0x1000, 0xA00, 3.88, fa09844f22649dc63e46ccfc6c5c07a8

[[ 8 import(s) ]]
advapi32.dll: RegFlushKey, RegQueryValueW, RegOpenKeyW, RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegDeleteValueW
comctl32.dll: -, ImageList_Create, ImageList_Destroy, -, ImageList_ReplaceIcon, -, ImageList_GetIconSize, ImageList_GetIcon, -, ImageList_Draw, ImageList_Remove
gdi32.dll: TranslateCharsetInfo, DeleteDC, DeleteObject, GetTextCharsetInfo, GetStockObject, ExtTextOutW, PatBlt, SetBkColor, SelectObject, SetTextColor, CreateCompatibleBitmap, CreateCompatibleDC, CreateBitmap, GetTextExtentPointW, BitBlt, CreateFontIndirectW, GetObjectW
imm32.dll: ImmAssociateContext, ImmGetDefaultIMEWnd, ImmGetIMEFileNameW, ImmGetDescriptionW, ImmGetProperty
kernel32.dll: lstrlenW, GlobalReAlloc, GlobalLock, lstrcatW, GlobalUnlock, FreeLibrary, lstrcpyW, AddAtomW, IsValidLocale, GlobalFree, DeleteAtom, LoadLibraryW, lstrcmpW, GetProcAddress, LocalAlloc, lstrcpynW, GetLocaleInfoW, GlobalGetAtomNameW, LocalFree, WinExec, GetModuleHandleW, GetStartupInfoW, GetAtomNameW, ExitProcess, GlobalAlloc, lstrcmpiW
setupapi.dll: SetupOpenInfFileW, SetupOpenAppendInfFileW, SetupCloseInfFile, SetupFindFirstLineW, SetupGetStringFieldW
shell32.dll: SHAppBarMessage, ExtractIconExW, Shell_NotifyIconW
user32.dll: RemovePropW, SetPropW, AllowSetForegroundWindow, GetWindow, DestroyMenu, GetPropW, GetDesktopWindow, MapWindowPoints, TrackPopupMenuEx, GetLastActivePopup, GetParent, GetWindowLongW, LoadBitmapW, GetSysColor, DrawTextW, CreateIconIndirect, GetKeyboardLayout, GetKeyboardLayoutList, DestroyIcon, GetWindowThreadProcessId, AttachThreadInput, MessageBeep, GetDC, ReleaseDC, EnumChildWindows, DrawFocusRect, GetSystemMetrics, GetWindowDC, SystemParametersInfoW, wsprintfW, UnloadKeyboardLayout, GetMessageW, TranslateMessage, DispatchMessageW, CreateWindowExW, ShowWindow, LoadStringW, FindWindowW, MessageBoxW, LoadIconW, LoadCursorW, RegisterClassExW, PostMessageW, LoadStringA, WinHelpW, GetProcessDefaultLayout, CreatePopupMenu, InsertMenuW, CheckMenuItem, DestroyWindow, KillTimer, SetTimer, GetMessagePos, InSendMessageEx, GetClassNameW, DefWindowProcW, SetForegroundWindow, IsWindow, SendMessageW, SetActiveWindow, PostQuitMessage, RegisterWindowMessageW, GetClientRect
ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 15872
CompanyName: Microsoft Corporation
EntryPoint: 0x409f
FileDescription: Aplikacja wska nika j zyka klawiatury
FileFlagsMask: 0x003f
FileOS: Windows NT 32-bit
FileSize: 20 kB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: 5.00.2920.0000
FileVersionNumber: 5.0.2920.0
ImageVersion: 5.0
InitializedDataSize: 3072
InternalName: INTERNAT
LanguageCode: Polish
LegalCopyright: Copyright (C) Microsoft Corp. 1994-1999
LinkerVersion: 5.12
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 5.0
ObjectFileType: Executable application
OriginalFilename: INTERNAT.EXE
PEType: PE32
ProductName: System operacyjny Microsoft(R) Windows (R) 2000
ProductVersion: 5.00.2920.0000
ProductVersionNumber: 5.0.2920.0
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 1999:09:25 13:16:36+02:00
UninitializedDataSize: 0

Kod: Zaznacz wszystko

All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-1715567821-1770027372-839522115-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\S-1-5-21-1715567821-1770027372-839522115-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.
Starting removal of ActiveX control {31564D57-0000-0010-8000-00AA00389B71}
C:\WINNT\Downloaded Program Files\wmvax.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{31564D57-0000-0010-8000-00AA00389B71}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31564D57-0000-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{31564D57-0000-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31564D57-0000-0010-8000-00AA00389B71}\ not found.
Starting removal of ActiveX control {32564D57-0000-0010-8000-00AA00389B71}
C:\WINNT\Downloaded Program Files\wmv8ax.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{32564D57-0000-0010-8000-00AA00389B71}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32564D57-0000-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{32564D57-0000-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32564D57-0000-0010-8000-00AA00389B71}\ not found.
Starting removal of ActiveX control {56762DEC-6B0D-4AB4-A8AD-989993B5D08B}
C:\WINNT\Downloaded Program Files\OnlineScanner.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{56762DEC-6B0D-4AB4-A8AD-989993B5D08B}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56762DEC-6B0D-4AB4-A8AD-989993B5D08B}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{56762DEC-6B0D-4AB4-A8AD-989993B5D08B}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56762DEC-6B0D-4AB4-A8AD-989993B5D08B}\ not found.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINNT\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Starting removal of ActiveX control {9F1C11AA-197B-4942-BA54-47A8489BB47F}
C:\WINNT\Downloaded Program Files\iuctl.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9F1C11AA-197B-4942-BA54-47A8489BB47F}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F1C11AA-197B-4942-BA54-47A8489BB47F}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9F1C11AA-197B-4942-BA54-47A8489BB47F}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F1C11AA-197B-4942-BA54-47A8489BB47F}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif\ deleted successfully.
File move failed. C:\WINNT\system32\wzcdlg.dll scheduled to be moved on reboot.
ADS C:\Documents and Settings\Grzesik\Pulpit\70be1d7dfc.jpeg:Q30lsldxJoudresxAaaqpcawXc deleted successfully.
ADS C:\Documents and Settings\All Users\Dane aplikacji\TEMP:0CE7F3C9 deleted successfully.
ADS C:\Documents and Settings\Grzesik\Pulpit\dowod.JPG:Q30lsldxJoudresxAaaqpcawXc deleted successfully.
ADS C:\Documents and Settings\All Users\Dane aplikacji\TEMP:BC359956 deleted successfully.
========== FILES ==========
C:\WINNT\system32\mstask.exe moved successfully.
========== SERVICES/DRIVERS ==========
Service Schedule stopped successfully!
Service Schedule deleted successfully!
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Grzesik
->Temp folder emptied: 8538503 bytes
->Temporary Internet Files folder emptied: 30877260 bytes
->Java cache emptied: 112373922 bytes
->FireFox cache emptied: 139561020 bytes
->Opera cache emptied: 2130354 bytes
->Flash cache emptied: 3297856 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1087952 bytes
%systemroot%\System32 .tmp files removed: 2596 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: shell32.dll unable to determine bytes removed.

Total Files Cleaned = 284,00 mb


[EMPTYFLASH]

User: All Users

User: Default User

User: Grzesik
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0,00 mb


OTL by OldTimer - Version 3.2.23.0 log created on 06122011_150448

Files\Folders moved on Reboot...
C:\WINNT\system32\wzcdlg.dll moved successfully.

Registry entries deleted on Reboot...


http://www.wklej.org/id/545101/

http://www.wklej.org/id/545102/

GMER w awaryjnym
http://oi52.tinypic.com/b5h4e8.jpg
http://i51.tinypic.com/a2yxlc.jpg
http://i52.tinypic.com/2pto0ad.jpg
http://i54.tinypic.com/eai3v5.jpg
http://i51.tinypic.com/hs87rs.jpg

[wojtas]

*Uruchom OTL z opcji sprzątanie.
* wykonaj optymalizację Windowsa ( instrukcja dla Windowsa XP, lecz w innych systemach jest podobnie )
* zrób pełny skan Malwarebytes Anti-Malware (zaktualizuj, usuń co znajdzie )
* Skasuj stan przywracania systemu


Zaktualizuj zabezpieczenia:
>>> Adobe Reader (bez Free McAfee® Security Scan Plus)
>>> Internet Explorer 8
>>> Java™ 6

zainstaluj jakiegoś antywirusa i napisz jak sytuacja z kompem