rootkit

Zpráva

novotna · #1 Příspěvek od **novotna** » 12 led 2010 16:34

prosim pomoc vyskakuje mi pořad okenko "byl nalezen rootkit!" uz jsem ho nekolikrat smazala ,ale je tu porad jak se ho zbavit ? jm. souboru mi pise:C:\WINDOWS\System32\Drivers\fvcblggg.sys
a cis. vzorku: Win32:Rootkit-gen [Rtk] dik za radu

pitimir · #2 Příspěvek od **pitimir** » 12 led 2010 18:58

Ahoj, vitaj na fore

1) Stiahni DDS. Uloz na plochu, ukonci vsetky spustene programy a spust ho. Po skonceni scanu sa otvoria vysledky v 2 oknach - DDS.txt a Attach.txt. Obsah oboch by som rad videl.

2) Stiahni Avenger. Spust ho a suhlas s podmienkami atd.
Do bieleho pola v strede programu vloz skript:

Kód: Vybrat vše

Files to delete:
C:\WINDOWS\System32\Drivers\fvcblggg.sys 

Drivers to delete:
fvcblggg

Stlac "Execute" -> "Yes". Restart a vloz log.

novotna · #3 Příspěvek od **novotna** » 15 led 2010 16:28

Ahoj radce ,dik za tvou radu pokusila jsem se udelat tak jak si napsal. Doufam ,že bude vše ok.
Nejsem moc zrucna na PC da se rict ze se porad ucim sama.Chtel si poslat poznamkovy blok z DDS ,to co mi to vypsalo ,zde je a jeste jednou dik

DDS (Ver_09-12-01.01) - NTFSx86
Run by User at 16:07:11,59 on p 15.01.2010
Internet Explorer: 7.0.5730.13
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.511.137 [GMT 1:00]

AV: avast! antivirus 4.8.1368 [VPS 100115-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\4E7H75HC\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.centrum.cz/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {7c5c0f58-e061-457d-9033-77307f5ed00c} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [sysgif32] c:\windows\temp\~TM10.tmp
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\nabdka~1\programy\posput~1\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\nabdka~1\programy\posput~1\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\nabdka~1\programy\posput~1\rychls~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236460550515
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236472865546
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
TCP: {79FEE982-BE44-44F5-B0CE-41191C241810} = 62.77.89.100,62.77.89.101
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-4-10 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-4-10 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-4-10 138680]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-4-10 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-4-10 352920]
R3 PSched;Plánovač paketů technologie QoS;c:\windows\system32\drivers\psched.sys [2006-3-2 69120]
S3 2c417;2c417;c:\windows\system32\2c417.sys [2010-1-7 54624]
S3 TVICHW32;TVICHW32;c:\windows\system32\drivers\TVICHW32.SYS [2009-3-8 23600]

=============== Created Last 30 ================

2010-01-07 16:50:56 128352 ----a-w- c:\windows\system32\2c417.dll
2010-01-07 16:50:52 709632 ----a-w- c:\windows\system32\a7618.tmp
2010-01-07 16:50:51 54624 ----a-w- c:\windows\system32\2c417.sys
2010-01-07 16:50:42 2335270 ----a-w- c:\windows\system32\9d716.mht
2010-01-03 10:36:04 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-19 16:08:03 763904 ----a-w- c:\windows\system32\drivers\fvcblggg.sys
2009-12-19 16:07:26 4 ----a-w- c:\docume~1\user\dataap~1\avdrn.dat

==================== Find3M ====================

2009-12-09 12:13:57 83742 ----a-w- c:\windows\system32\perfc005.dat
2009-12-09 12:13:57 441086 ----a-w- c:\windows\system32\perfh005.dat
2009-10-29 07:45:32 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:45:29 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:45:29 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:40:39 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:40:39 25088 ----a-w- c:\windows\system32\httpapi.dll

============= FINISH: 16:07:56,56 ===============

pitimir · #4 Příspěvek od **pitimir** » 15 led 2010 17:32

Krok s Avengerom nebol spraveny, nevadi. Zmazeme to inak:

Stiahni ComboFix, najlepsie na plochu. Vypni vsetky otvorene aplikacie, ako aj rezidenty antiviru, antispywaru a firewall. Spust program cez ucet s administratorskymi pravami a postupuj podla instrukcii. Cely sken bude trvat cca 10 minut. Pocas neho moze byt PC restartovane. Log, ktory ComboFix vytvori, najdes na adrese "C:\ComboFix.txt".
Ten vloz sem.

Pozor: Kym ComboFix nevytvori log, na nic neklikat, nic nestlacat !!

novotna · #5 Příspěvek od **novotna** » 16 led 2010 17:58

hm , ten krok s Avangerem jsem provedla tak jak si napsal ,pak se mi restartoval PC a po restartu tam bylo okenko a ja jej jaksi zavrela takze jsem ti ho neposlala. No a zatim to vypada OK- ROOTKIT se neukazal. mooc diky

pitimir · #6 Příspěvek od **pitimir** » 16 led 2010 18:01

Dobre teda, smejda tam ale stale vidim...sprav ComboFix, budeme mudrejsi

VIRY.CZ

rootkit

rootkit

Re: rootkit

Re: rootkit

Re: rootkit

Re: rootkit

Re: rootkit