win32:rootkit-gen [rtk]

[kojot-77]

Witam kilka dni temu avast wykrył na moiom kompie Win32:Rootkit-gen [Rtk]
Mimo przeniecienia plików do kwarantanny już dwukrotnie sie odrodził

Oto log z combofix

ComboFix 08-06-03.4 - a 2008-06-04 21:14:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.502 [GMT 2:00]
Running from: C:\Documents and Settings\a\Moje dokumenty\mariusz.reszka@neostrada.pl\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\cmds.txt
C:\WINDOWS\system32\cs.dat
C:\WINDOWS\system32\ds.dat
C:\WINDOWS\system32\ps1.dat
C:\WINDOWS\system32\rc.dat
C:\WINDOWS\system32\swin32.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.

2008-05-27 16:54 . 2008-05-27 16:54 <DIR> d-------- C:\Program Files\Thomson
2008-05-27 16:39 . 2008-06-04 21:11 <DIR> d-------- C:\Program Files\Neostrada TP
2008-05-27 15:51 . 2008-05-27 15:51 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-05-27 15:43 . 2008-05-27 15:43 1,117 --a------ C:\WINDOWS\Active Setup Log.BAK
2008-05-27 15:39 . 2008-05-27 16:51 <DIR> d-------- C:\WINDOWS\kswiat
2008-05-27 15:39 . 2008-05-27 15:39 <DIR> d-------- C:\Program Files\Niezbędnik
2008-05-27 14:57 . 2008-05-27 15:50 <DIR> d-------- C:\WINDOWS\system32\pl-pl
2008-05-27 14:56 . 2001-10-26 17:27 68,608 --a------ C:\WINDOWS\system32\plugin.ocx
2008-05-27 14:56 . 2001-10-26 17:27 68,608 --a------ C:\WINDOWS\system32\dllcache\plugin.ocx
2008-05-27 14:55 . 2006-09-06 17:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-05-27 14:54 . 2008-05-27 14:54 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-05-27 12:06 . 2008-06-03 11:33 10,118 --a------ C:\Documents and Settings\a\mpr2.dat
2008-05-27 12:06 . 2008-06-03 11:33 10,118 --a------ C:\Documents and Settings\a\mpr.dat
2008-05-27 12:06 . 2008-05-27 12:06 108 --a------ C:\Documents and Settings\a\cs.dat
2008-05-24 16:29 . 2008-05-24 16:29 <DIR> d-------- C:\Documents and Settings\a\Dane aplikacji\JLC's Software
2008-05-24 16:28 . 2008-05-24 16:28 <DIR> d-------- C:\Program Files\JLC's Software
2008-05-23 19:16 . 2008-05-23 19:16 1 --a------ C:\WINDOWS\system32\cookie1.dat
2008-05-20 19:46 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-05-19 12:51 . 2008-05-19 12:51 <DIR> d-------- C:\Documents and Settings\a\Dane aplikacji\CyberLink

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-27 14:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-03 11:23 --------- d-----w C:\Program Files\Borland
2008-04-04 18:42 --------- d-----w C:\Program Files\Java
2008-04-04 18:38 --------- d-----w C:\Program Files\Common Files\Java
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]
"NvMediaCenter"="C:\WINDOWS\system32\NVMCTRAY.DLL" [2003-10-06 15:16 49152]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-04 13:32 68856]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39 2119104]
"WITaj!"="rem -- Anulowane uruchamianie programu WITaj! 2000" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 14:48 1388544]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42 32768]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 15:16 5058560]
"nwiz"="nwiz.exe" [2003-10-06 15:16 741376 C:\WINDOWS\system32\nwiz.exe]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38 866816]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-19 11:39 35328]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 22:34 49152]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17 159744]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-03 21:30 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"WooCnxMon"="C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [2003-10-16 18:07 24576]
"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2003-10-16 18:07 20480]
"WOOTASKBARICON"="C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" [2003-10-16 18:07 53248]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 22:26:24 210520]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65bf343a-e52b-11dc-82f4-e4c4a7a3c3a9}]
\Shell\AutoRun\command - setupSNK.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 21:19:31
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-04 21:20:58
ComboFix-quarantined-files.txt 2008-06-04 19:20:54

Pre-Run: 7,121,530,880 bajtów wolnych
Post-Run: 7,880,552,448 bajtów wolnych

105

Może mi ktoś pomóc ?

[Okocza]

otwórz notatnik i wklej:

Kod: Zaznacz wszystko

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65bf343a-e52b-11dc-82f4-e4c4a7a3c3a9}]

w notatniku u góry>>>plik zapisz jako>>>Zmien rozszerzenie z TXT na Wszystkie pliki *.* >>> Zapisz pod nazwą FIX.REG

Klikasz dwa razy na powstały plik fix i dodajesz go do rejestru....


potem nowyu log z CF

[kojot-77]

Gdy uruchamiam combofix po wyświetleniu logu resetuje mi sie komputer

[ Dodano: Dzisiaj o 22:32 ]
Udało mi się szybko zapisać /choć nie wiem czemu te restarty/

Kod: Zaznacz wszystko

ComboFix 08-06-03.4 - a 2008-06-04 22:10:33.4 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1045.18.509 [GMT 2:00]
Running from: C:\Documents and Settings\a\Moje dokumenty\mariusz.reszka@neostrada.pl\ComboFix.exe

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((   Files Created from 2008-05-04 to 2008-06-04  )))))))))))))))))))))))))))))))
.

2008-05-27 16:54 . 2008-05-27 16:54   <DIR>   d--------   C:\Program Files\Thomson
2008-05-27 16:39 . 2008-06-04 22:10   <DIR>   d--------   C:\Program Files\Neostrada TP
2008-05-27 15:51 . 2008-05-27 15:51   230   --a------   C:\WINDOWS\system32\spupdsvc.inf
2008-05-27 15:43 . 2008-05-27 15:43   1,117   --a------   C:\WINDOWS\Active Setup Log.BAK
2008-05-27 15:39 . 2008-05-27 16:51   <DIR>   d--------   C:\WINDOWS\kswiat
2008-05-27 15:39 . 2008-05-27 15:39   <DIR>   d--------   C:\Program Files\Niezbędnik
2008-05-27 14:57 . 2008-05-27 15:50   <DIR>   d--------   C:\WINDOWS\system32\pl-pl
2008-05-27 14:56 . 2001-10-26 17:27   68,608   --a------   C:\WINDOWS\system32\plugin.ocx
2008-05-27 14:56 . 2001-10-26 17:27   68,608   --a------   C:\WINDOWS\system32\dllcache\plugin.ocx
2008-05-27 14:55 . 2006-09-06 17:43   22,752   --a------   C:\WINDOWS\system32\spupdsvc.exe
2008-05-27 14:54 . 2008-05-27 14:54   <DIR>   d--h-----   C:\WINDOWS\$hf_mig$
2008-05-27 12:06 . 2008-06-03 11:33   10,118   --a------   C:\Documents and Settings\a\mpr2.dat
2008-05-27 12:06 . 2008-06-03 11:33   10,118   --a------   C:\Documents and Settings\a\mpr.dat
2008-05-27 12:06 . 2008-05-27 12:06   108   --a------   C:\Documents and Settings\a\cs.dat
2008-05-24 16:29 . 2008-05-24 16:29   <DIR>   d--------   C:\Documents and Settings\a\Dane aplikacji\JLC's Software
2008-05-24 16:28 . 2008-05-24 16:28   <DIR>   d--------   C:\Program Files\JLC's Software
2008-05-23 19:16 . 2008-05-23 19:16   1   --a------   C:\WINDOWS\system32\cookie1.dat
2008-05-20 19:46 . 2005-05-26 15:34   2,297,552   --a------   C:\WINDOWS\system32\d3dx9_26.dll
2008-05-19 12:51 . 2008-05-19 12:51   <DIR>   d--------   C:\Documents and Settings\a\Dane aplikacji\CyberLink

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-27 14:54   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-05-03 11:23   ---------   d-----w   C:\Program Files\Borland
2008-04-04 18:42   ---------   d-----w   C:\Program Files\Java
2008-04-04 18:38   ---------   d-----w   C:\Program Files\Common Files\Java
.

(((((((((((((((((((((((((((((   snapshot@2008-06-04_21.20.40,39   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-04 19:12:32   2,048   --s-a-w   C:\WINDOWS\bootstat.dat
+ 2008-06-04 20:07:54   2,048   --s-a-w   C:\WINDOWS\bootstat.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]
"NvMediaCenter"="C:\WINDOWS\system32\NVMCTRAY.DLL" [2003-10-06 15:16 49152]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-04 13:32 68856]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39 2119104]
"WITaj!"="rem -- Anulowane uruchamianie programu WITaj! 2000" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 14:48 1388544]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42 32768]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 15:16 5058560]
"nwiz"="nwiz.exe" [2003-10-06 15:16 741376 C:\WINDOWS\system32\nwiz.exe]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38 866816]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-19 11:39 35328]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 22:34 49152]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17 159744]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-03 21:30 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"WooCnxMon"="C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [2003-10-16 18:07 24576]
"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2003-10-16 18:07 20480]
"WOOTASKBARICON"="C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" [2003-10-16 18:07 53248]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 22:26:24 210520]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 22:12:22
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-04 22:13:56
ComboFix-quarantined-files.txt  2008-06-04 20:13:50
ComboFix2.txt  2008-06-04 20:06:58
ComboFix3.txt  2008-06-04 20:00:29
ComboFix4.txt  2008-06-04 19:20:59

Pre-Run: 7,886,372,864 bajtów wolnych
Post-Run: 7,879,360,512 bajtów wolnych

99

[Magik]

siemka

log jest czysty

mozesz przeleciec system i rejestr jaikms "odkurzaczem" Tuneup np

i wszystko

Pozdrawiam