Rootkit - C:\Windows\System32\drivers\rmesth.sys

[poharka]

dala som zo zvedavosti testov explorer.exe na virustotal a nic nenasiel, nijake viry.

[motji]

Zkuste ten combofix spustit znovu
Co Vám to píše k té mozille, když ji spouštíte?
Budu tu ted nakukovat

[poharka]

neviem presne co to pise, idem do normal rezimu a napisem vam. potom spustim combofix.

[poharka]

to je uplne divne, teraz som v normalnom rezime a spustilo mi to firefox normalne. uz nevypisuje nic...
idem zase do sage modu a spustim combofix.

[poharka]

alebo ho uz nemam spustat?

[motji]

Spustte ho ještě jednou, at máme jistotu, že soubory jsou opravdu čisté. už můžete v normálním režimu

[poharka]

ale co s tym a avastom? ked to spustim v normalnom rezime?

[motji]

Pustte ho tedy v nouzovém

[poharka]

ComboFix 11-01-04.01 - Saga . 01. 2011 13:50:15.3.2 - x86 NETWORK
Microsoft Windows 7 Professional 6.1.7600.0.1250.421.1051.18.2046.1677 [GMT 1:00]
Running from: c:\users\Saga\Desktop\motyka.com.exe
AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-12-06 to 2011-01-06 )))))))))))))))))))))))))))))))
.

2011-01-06 12:54 . 2011-01-06 12:54 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-05 21:28 . 2011-01-05 21:28 -------- d-----w- C:\_OTL
2010-12-22 19:30 . 2010-12-22 19:30 -------- d-----w- C:\rsit
2010-12-14 06:16 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1C0A2001-82AB-40AE-A99B-63432606EA37}\mpengine.dll
2010-12-13 20:08 . 2011-01-03 17:56 -------- d-----w- c:\programdata\Kaspersky Lab
2010-12-12 10:54 . 2010-12-12 10:54 -------- d-----w- c:\users\Saga\AppData\Roaming\Malwarebytes
2010-12-12 10:54 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-12 10:54 . 2010-12-12 10:54 -------- d-----w- c:\programdata\Malwarebytes
2010-12-12 10:54 . 2011-01-02 21:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-12 10:54 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-11 21:41 . 2010-12-22 19:30 -------- d-----w- c:\program files\trend micro
2010-12-11 21:31 . 2010-12-11 21:31 -------- d-----w- c:\users\Saga\Pavark
2010-12-11 20:13 . 2010-12-11 20:13 -------- d-----w- c:\program files\Sophos
2010-12-11 11:32 . 2010-12-11 11:32 -------- d-----w- c:\users\Saga\Bluetooth Software
2010-12-11 11:29 . 2010-12-11 11:29 -------- d-----w- c:\program files\WIDCOMM
2010-12-11 11:24 . 2010-12-11 11:24 -------- d-----w- c:\users\Saga\AppData\Roaming\Dell
2010-12-11 11:24 . 2010-12-11 11:24 -------- d-----w- c:\program files\Cisco
2010-12-11 11:21 . 2009-01-20 14:36 87328 ----a-w- c:\windows\system32\bcmwlcoi.dll
2010-12-11 11:21 . 2009-01-20 14:36 1207288 ----a-w- c:\windows\system32\drivers\BCMWL6.SYS
2010-12-11 11:21 . 2009-01-20 14:36 3489792 ----a-w- c:\windows\system32\bcmihvui.dll
2010-12-11 11:21 . 2009-01-20 14:36 3829760 ----a-w- c:\windows\system32\bcmihvsrv.dll
2010-12-11 11:21 . 2010-12-11 11:21 -------- d-----w- c:\program files\Dell
2010-12-11 11:21 . 2010-12-11 11:21 -------- d-----w- c:\users\Saga\AppData\Roaming\InstallShield
2010-12-11 07:58 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-12-11 07:58 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-12-11 07:58 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-12-11 07:58 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-12-11 07:58 . 2010-09-07 15:47 50768 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-12-11 07:58 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr
2010-12-11 07:58 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-20 3563520]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

R1 aswSP;aswSP; [x]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-09-20 73728]
R2 aswFsBlk;aswFsBlk; [x]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]

.
.
------- Supplementary Scan -------
.
uStart Page =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Saga\AppData\Roaming\Mozilla\Firefox\Profiles\egogpyjf.default\
FF - prefs.js: browser.search.selectedEngine -
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {B13721C7-F507-4982-B2E5-502A71474FED} - c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-01-06 13:56:30
ComboFix-quarantined-files.txt 2011-01-06 12:56
ComboFix2.txt 2011-01-06 11:02

Pre-Run: 8 587 767 808 bytes free
Post-Run: 8 514 273 280 bytes free

- - End Of File - - 765A3C0C9F82902FEC95952F93D2337A

[motji]

Fajn, vypadá to, že rootkita jsme ukopali motykou .
Jak se chová počítač?

[poharka]

zatial v pohode, lebo je v nudzovom rezime

cim ho mam tesotvat? alebo ako mam zistit ze je ok? staci mi na to hlbkove skenovanie cez avast? alebo nieco lepsie?

[motji]

Běžte do běžného režimu a trochu pc vyzkoušejte. Můžete ho zkontrolovat i Avastem

[poharka]

testuem avastom, ale uz pri 20% kotroly naslo 1 infikovany subor To sa toho nikdy uz nezbavim? keby som aspon vedela, z coho to mam

Mam nieco otesotvat este na virustotal?

[motji]

Jaký soubor?
Zatím ne

[poharka]

este to furt skenuje, ale ked dokonci tak dam vediet