Re: PC - client refuses encryption functions, overwrites %systemr
Posted: 16 Aug 2010 15:03
Log file 2:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-16 15:59:56
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fwdoipog.sys
---- System - GMER 1.0.15 ----
SSDT oaRegMgr.sys (OptimAccess® Driver/SODATSW) ZwClose [0xF765B3D8]
SSDT oaRegMgr.sys (OptimAccess® Driver/SODATSW) ZwCreateKey [0xF765AFFC]
SSDT oaFile.sys (OptimAccess® Driver/SODATSW) ZwCreateSection [0xF75093FE]
SSDT oaRegMgr.sys (OptimAccess® Driver/SODATSW) ZwDeleteKey [0xF765B18E]
SSDT oaRegMgr.sys (OptimAccess® Driver/SODATSW) ZwDeleteValueKey [0xF765B212]
SSDT oaRegMgr.sys (OptimAccess® Driver/SODATSW) ZwOpenKey [0xF765AEB2]
SSDT oaRegMgr.sys (OptimAccess® Driver/SODATSW) ZwSetValueKey [0xF765B2E2]
---- Kernel code sections - GMER 1.0.15 ----
init C:\WINDOWS\System32\Drivers\GTwinUSB.sys entry point in "init" section [0xF76F3CB0]
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs oaFile.sys (OptimAccess® Driver/SODATSW)
AttachedDevice \FileSystem\Ntfs \Ntfs amon.sys (Amon monitor/Eset )
AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
Device \FileSystem\Fastfat \Fat EDE1ED20
AttachedDevice \FileSystem\Fastfat \Fat oaFile.sys (OptimAccess® Driver/SODATSW)
AttachedDevice \FileSystem\Fastfat \Fat amon.sys (Amon monitor/Eset )
---- EOF - GMER 1.0.15 ----
I would like to know what the file f00e16d7.sys in system32 is responsible for.
The antivirus flagged it as infected with the WIN32/Rustock.NJX Trojan horse,
so I threw it out.