Gmer raporu:
*************************************************************************************
Anyway, here is teh GMER log after initialization (maybe this is some help):
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-07-08 05:56:04
Windows 5.1.2600 Service Pack 3
Running: wmiis2sv.exe; Driver: C:\DOCUME~1\Cathy\LOCALS~1\Temp\pwtdapog.sys
---- Disk sectors - GMER 1.0.15 ----
Disk\Device\Harddisk0\DR0 sector 00: rootkit-like behavior;
Disk\Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk\Device\Harddisk0\DR0 sector 11: rootkit-like behavior;
Disk\Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
Disk\Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
*************************************************************************************
ComboFix log:
*************************************************************************************
ComboFix 10-07-19.01 - xxxxxx 07/19/2010 19:51:58.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.567 [GMT -7:00]
Running from: c:\documents and settings\xxxxxx\Desktop\cccccFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((( Files Created from 2010-06-20 to 2010-07-20 )))))))))))))))))))))))))))))))
.
2010-07-05 01:46 . 2010-07-05
01:46 -------- d-----w- c:\documents and settings\Cathy\Local
Settings\Application Data\Temp
2010-06-28
21:21 . 2010-06-28 21:21 503808 ----a-w- c:\documents and
settings\Cathy\Application
Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6abd2c46-n\msvcp71.dll
2010-06-28
21:21 . 2010-06-28 21:21 499712 ----a-w- c:\documents and
settings\Cathy\Application
Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6abd2c46-n\jmc.dll
2010-06-28
21:21 . 2010-06-28 21:21 348160 ----a-w- c:\documents and
settings\Cathy\Application
Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6abd2c46-n\msvcr71.dll
2010-06-28
21:21 . 2010-06-28 21:21 61440 ----a-w- c:\documents and
settings\Cathy\Application
Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1a86379d-n\decora-sse.dll
2010-06-28
21:21 . 2010-06-28 21:21 12800 ----a-w- c:\documents and
settings\Cathy\Application
Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1a86379d-n\decora-d3d.dll
2010-06-28 21:20 . 2010-04-13 00:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-28 21:02 . 2010-06-28 21:02 -------- d-----w- C:\Inetpub
2010-06-24 01:17 . 2010-06-24 01:17 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-06-24 01:17 . 2010-03-16 01:16 15 ----a-w- c:\documents and settings\HelpAssistant\settings.dat
2010-06-24 01:17 . 2010-06-24 01:17 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2010-06-24 01:14 . 2010-06-24 01:28 -------- d-----w- c:\documents and settings\HelpAssistant\IECompatCache
2010-06-24 01:14 . 2010-06-24 01:14 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-05
01:29 . 2007-05-05 19:46 -------- d-----w- c:\documents and
settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-05 01:27 . 2006-12-13 13:55 -------- d-----w- c:\program files\Google
2010-07-05 01:23 . 2006-12-13 13:50 -------- d-----w- c:\program files\Common Files\AOL
2010-07-05 01:23 . 2006-12-13 13:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-07-05 01:20 . 2005-08-17 02:54 -------- d-----w- c:\program files\GemMaster
2010-07-05 01:15 . 2008-12-25 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-07-05 01:15 . 2006-12-28 17:08 -------- d-----w- c:\program files\Yahoo!
2010-07-05 00:54 . 2006-12-13 14:05 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-04
16:46 . 2010-03-14 03:05 117760 ----a-w- c:\documents and
settings\Cathy\Application
Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-04 04:00 . 2009-11-22 01:51 -------- d-----w- c:\program files\CCleaner
2010-07-04 03:14 . 2007-05-05 19:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-28 21:22 . 2006-12-13 13:42 -------- d-----w- c:\program files\Common Files\Java
2010-06-28 21:20 . 2006-12-13 13:42 -------- d-----w- c:\program files\Java
2010-06-26 02:15 . 2010-03-13 20:37 -------- d-----w- c:\program files\McAfee
2010-06-24 01:10 . 2006-12-28 17:16 36830 ----a-w- c:\documents and settings\Cathy\Application Data\wklnhst.dat
2010-05-06 10:41 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 11:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 22:39 . 2009-11-22 19:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2009-11-22 19:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Google
Update"="c:\documents and settings\Cathy\Local Settings\Application
Data\Google\Update\GoogleUpdate.exe" [2010-07-05 136176]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-13 98304]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2006-01-14 172032]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-01-14 49152]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 221184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-10 44544]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-12-13 24576]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"5675:TCP"= 5675:TCP:Services
"9850:TCP"= 9850:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"8008:TCP"= 8008:TCP:Services
"8009:TCP"= 8009:TCP:Services
"6489:TCP"= 6489:TCP:Services
"6490:TCP"= 6490:TCP:Services
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
R2
McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program
files\McAfee\SiteAdvisor\McSACore.exe [3/13/2010 1:40 PM 93320]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
.
Contents of the 'Scheduled Tasks' folder
2010-07-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3574078424-1724843296-1314016094-1006Core.job
- c:\documents and settings\Cathy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-05 01:45]
2010-07-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3574078424-1724843296-1314016094-1006UA.job
- c:\documents and settings\Cathy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-05 01:45]
2010-06-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-03-13 19:22]
2010-05-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-03-13 19:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Cathy\Application Data\Mozilla\Firefox\Profiles\8cbox40l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-yff3&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-yff3&p=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Cathy\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF
- HiddenExtension: XULRunner: {B1126C16-CD90-4C6A-82FA-A310CE2636F5} -
c:\windows\system32\config\systemprofile\Local Settings\Application
Data\{B1126C16-CD90-4C6A-82FA-A310CE2636F5}\
---- FIREFOX POLICIES ----
FF
- user.js: yahoo.homepage.dontask - truec:\program files\Mozilla
Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program
files\Mozilla Firefox\greprefs\security-prefs.js -
pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref",
true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program
files\Mozilla Firefox\defaults\pref\firefox.js -
pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name",
"chrome://browser/locale/browser.properties");
c:\program
files\Mozilla Firefox\defaults\pref\firefox.js -
pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description",
"chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-19 20:02
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85A6E78A]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7634f28
\Driver\ACPI -> ACPI.sys @ 0xf74c7cb8
\Driver\atapi -> ntkrnlpa.exe @ 0x80586e11
\Driver\iaStor -> iaStor.sys @ 0xf73bcf78
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel® 82562V 10/100 Network Connection -> SendCompleteHandler -> 0x85ad4b60
PacketIndicateHandler -> NDIS.sys @ 0xf726fa0d
SendHandler -> NDIS.sys @ 0xf7283b40
copy of MBR has been found in sector 0x012A050FC
malicious code @ sector 0x012A050FF !
PE file found in sector at 0x012A05115 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(672)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(2580)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\ehome\mcrdsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\stsystra.exe
.
**************************************************************************
.
Completion time: 2010-07-19 20:08:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-20 03:08
ComboFix2.txt 2010-03-16 03:40
Pre-Run: 136,339,488,768 bytes free
Post-Run: 136,288,616,448 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
- - End Of File - - 17D2D8645715E88C49EBCCF7558811F1*************************************************************************************
Gördüğümüz gibi rootkit'in temizlenmesi için, kullanıcıya çözümü de, esasında gösteriyor yazılım: Use: "mbr.exe -f" to fix
ÇÖZÜM:
HelpAsst_mebroot_fix.exe dosyasını masaüstüne indirin.
- Tüm açık dosya ve klasörlerinizi kapatın.
- Aktif güvenlik yazılımlarının kapalı olduğundan emin olun.
- Yazılıma sağ tık > Yönetici olarak çalıştır deyin. (Vista,Win7/8 için)
- Eğer yazılım zararlıyı tesbit ederse MBR - f çalıştırarak sistemi yeniden başlatın.
- 5 dakika kadar bekledikten sonra aşağıdaki işlemi yapın.
- helpasst ve - mbrt arasında bir boşluk olmasına dikkat edin !
- İşlem tamamlandığında bir rapor verecektir. Bu raporu gönderin.
- Eğer yukarıdaki işlemde zararlı tesbit edilemez ve komut çalışmazsa aşağıdaki işlemi yapın.
- mbr -f
- Sistem yeniden başlamazsa, sistemi kapatın. Birkaç dakika bekledikten sonra yeniden başlatın.
- Sistem açıldığında 5 dakika bekleyin.
- Başlat> Çalıştır 'a tıklayın ve aşağıdaki kalın komutu yazın, sonra Enter tuşuna basın.
- helpasst ve - mbrt arasında bir boşluk olmasına dikkat edin !
- İşlem tamamlandığında bir rapor verecektir. Bu raporu gönderin.
İyi günler
Hiç yorum yok:
Yorum Gönder