Trojany i rootkit

**Posty:** 44 · przez **adamo88** 28 Kwi 2011, 00:52

Dziś niespodziewanie usunęły mi się stery od karty muzycznej - zainstalowałem na nowo. Jednak później odcięto mi internet - prowider napisał, że wirusy, trojany, rootkit. Coś mam napewno, proszę o pomoc w usunięciu. Działam na win7, a te wirusy zostały na winXP - choć raz się przydał drugi system :]
logi:

Kod: Zaznacz wszystko: GMER 1.0.15.15570 - http://www.gmer.net Rootkit scan 2011-04-28 00:35:09 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-10 ST3500320AS rev.SD15 Running: gmer.exe; Driver: C:\DOCUME~1\adamo88\USTAWI~1\Temp\kgtdypog.sys ---- System - GMER 1.0.15 ---- SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xB831AB30] SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0xB831A6F0] SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xB831A470] SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwProtectVirtualMemory [0xB831AC50] SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwShutdownSystem [0xB831A990] SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwTerminateProcess [0xB831A8D0] SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwWriteVirtualMemory [0xB831AD60] ---- Kernel code sections - GMER 1.0.15 ---- .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB75D1360, 0x3D46A5, 0xE8000020] .text tcpip.sys!IPTransmit + 10FC B4CD1D3A 6 Bytes CALL B7DF2E50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) .text tcpip.sys!IPTransmit + 2A52 B4CD3690 6 Bytes CALL B7DF2E50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) .text tcpip.sys!IPRegisterProtocol + 8A7 B4CE9480 6 Bytes CALL B7DF2E50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) .text wanarp.sys B827D3FD 4 Bytes CALL B7DF2FA0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) .text wanarp.sys B827D402 2 Bytes [90, 90] {NOP ; NOP } .text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xB4138400, 0x87EE2, 0xE8000020] .protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xB41DC620] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xB41DC620] .protect˙˙˙˙hardlockunknown last code section [0xB41DC400, 0x5126, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xB41DC400, 0x5126, 0xE0000020] ---- User code sections - GMER 1.0.15 ---- .text C:\WINDOWS\System32\svchost.exe[1160] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes JMP 02369DC2 .text C:\WINDOWS\System32\svchost.exe[1160] NETAPI32.dll!NetpwPathCanonicalize 6FF4A3A9 5 Bytes JMP 02369D62 .text C:\WINDOWS\system32\svchost.exe[1332] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes JMP 00859DC2 ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [B7DF3C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [B7DF3BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [B7DF3B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [B7DF38E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [B7DF38E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B7DF3BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [B7DF3C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [B7DF3B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [B7DF3B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [B7DF38E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [B7DF3BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [B7DF3C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [B7DF38E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [B7DF3B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [B7DF3C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B7DF3BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B7DF3C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B7DF3BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B7DF38E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[NDIS.SYS!NdisRegisterProtocol] [B7DF38E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[NDIS.SYS!NdisDeregisterProtocol] [B7DF3B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[NDIS.SYS!NdisCloseAdapter] [B7DF3C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[NDIS.SYS!NdisOpenAdapter] [B7DF3BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [B7DF3B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B7DF38E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B7DF3BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B7DF3C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [B7DF38E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [B7DF3B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [B7DF3C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B7DF3BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.) ---- Devices - GMER 1.0.15 ---- Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ---- Services - GMER 1.0.15 ---- Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] rugzxztq <-- ROOTKIT !!! ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\rugzxztq@DisplayName Support Network Reg HKLM\SYSTEM\CurrentControlSet\Services\rugzxztq@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\Services\rugzxztq@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\rugzxztq@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\rugzxztq@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs Reg HKLM\SYSTEM\CurrentControlSet\Services\rugzxztq@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\Services\rugzxztq@Description Zapewnia rejestracj? nazw DDNS i automatyczne po??czenia protoko?em IPv6 przez sie? IPv4. Je?li ta us?uga zostanie zatrzymana, dost?p do innych komputer?w wed?ug nazw mo?e nie by? mo?liwy i komputer b?dzie mia? tylko mo?liwo?? po??cze? protoko?em IPv6, je?li jest po??czony z sieci? macierzyst? IPv6. Je?li ta us?uga zostanie wy??czona, wszelkie us?ugi jawnie od niej zale?ne przestan? si? uruchamia?. Reg HKLM\SYSTEM\CurrentControlSet\Services\rugzxztq\Parameters Reg HKLM\SYSTEM\CurrentControlSet\Services\rugzxztq\Parameters@ServiceDll C:\WINDOWS\system32\adfnltft.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9E 0x33 0xAD 0x82 ... Reg HKLM\SYSTEM\ControlSet002\Services\rugzxztq@DisplayName Support Network Reg HKLM\SYSTEM\ControlSet002\Services\rugzxztq@Type 32 Reg HKLM\SYSTEM\ControlSet002\Services\rugzxztq@Start 2 Reg HKLM\SYSTEM\ControlSet002\Services\rugzxztq@ErrorControl 0 Reg HKLM\SYSTEM\ControlSet002\Services\rugzxztq@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs Reg HKLM\SYSTEM\ControlSet002\Services\rugzxztq@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\Services\rugzxztq@Description Zapewnia rejestracj? nazw DDNS i automatyczne po??czenia protoko?em IPv6 przez sie? IPv4. Je?li ta us?uga zostanie zatrzymana, dost?p do innych komputer?w wed?ug nazw mo?e nie by? mo?liwy i komputer b?dzie mia? tylko mo?liwo?? po??cze? protoko?em IPv6, je?li jest po??czony z sieci? macierzyst? IPv6. Je?li ta us?uga zostanie wy??czona, wszelkie us?ugi jawnie od niej zale?ne przestan? si? uruchamia?. Reg HKLM\SYSTEM\ControlSet002\Services\rugzxztq\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\rugzxztq\Parameters@ServiceDll C:\WINDOWS\system32\adfnltft.dll Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9E 0x33 0xAD 0x82 ... ---- EOF - GMER 1.0.15 ----

http://wklej.org/id/520201/
http://wklej.org/id/520203/

**Posty:** 18165 · przez **wojtas** 28 Kwi 2011, 17:14

Uruchom OTL i w sekcji własne opcje skanowania / skrypt wklej:

:OTL
O20 - HKU\S-1-5-21-1214440339-1614895754-1935655697-1003 Winlogon: Shell - (C:\Documents and Settings\adamo88\Dane aplikacji\nlwyet.exe) - C:\Documents and Settings\adamo88\Dane aplikacji\nlwyet.exe ()
O20 - HKU\S-1-5-21-1214440339-1614895754-1935655697-1003 Winlogon: Shell - (C:\Documents and Settings\adamo88\utre.exe) - File not found
O33 - MountPoints2\{954c554c-e80e-11de-ac28-000e2e3ab0f1}\Shell\AutoRun\command - "" = I:\DOTAKNEM\kvrcaj.exe
O33 - MountPoints2\{954c554c-e80e-11de-ac28-000e2e3ab0f1}\Shell\explore\command - "" = I:\DOTAKNEM\\kvrcaj.exe
O33 - MountPoints2\{954c554c-e80e-11de-ac28-000e2e3ab0f1}\Shell\Install\command - "" = I:\DOTAKNEM\\kvrcaj.exe
O33 - MountPoints2\{954c554c-e80e-11de-ac28-000e2e3ab0f1}\Shell\open\command - "" = I:\DOTAKNEM\\kvrcaj.exe
O20 - HKLM Winlogon: TaskMan - (C:\Documents and Settings\adamo88\Dane aplikacji\nlwyet.exe) - C:\Documents and Settings\adamo88\Dane aplikacji\nlwyet.exe ()

:Files
C:\WINDOWS\system32\adfnltft.dll
C:\Documents and Settings\adamo88\Dane aplikacji\nlwyet.exe

:Reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"SuperHidden"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden]
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"TaskMan"=-

:Services
rugzxztq

:Commands
[emptytemp]
[emptyflash]

Kliknij wykonaj skrypt. I potwierdź reset komputera .

Następnie uruchamiasz OTL z opcją skanuj. Pokazujesz nowy log OTL.txt oraz raport z czyszczenia (zawartość notatnika, która otworzy się po restarcie). + Gmer + Przy podpiętym urządzeniu przenośnym (pendrive, telefon - to co jest podłączane do komputera) , uruchom USBFIX z opcji Listing i pokaż raport na forum.