Trojan Win32:Patched-HO

[lukas89x]

Komputer zainfekowany podaje log z OTL

OTL.Txt

Extras.Txt

[picasso]

Obowiązkowym logiem jest też GMER. Wysil się z opisem. Podajesz nazwę zagrożenia, nie podajesz w jakim pliku. Po uzyskaniu tych danych ustosunkuję się do problemu i raportów.

[lukas89x]

Dadaje liste zarażonych plików:

 

 

Nie moge dodać logu z GMER wiec wkleje go tutaj:

 

GMER 1.0.15.15641 - http://www.gmer.net

Rootkit scan 2012-12-08 10:34:24

Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e FUJITSU_MHW2120BH rev.00930013

Running: 57fepinq.exe; Driver: C:\DOCUME~1\praca\USTAWI~1\Temp\ffxyipog.sys

 

 

---- System - GMER 1.0.15 ----

 

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xA68724BA]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xA6947C22]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0xA6872ED6]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xA68B4811]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xA687DFA8]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xA687DFF4]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xA687E176]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xA68B41C5]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xA687DF16]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xA687E038]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xA687DF5E]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0xA687311C]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xA687E130]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0xA687393E]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xA6872508]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xA68B4ED7]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xA68B518D]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xA68771C2]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xA68B4D42]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xA68B4BAD]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xA6947CEA]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xA6872170]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xA6872556]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xA6877534]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xA68743A6]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xA687DFD2]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xA687E016]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xA687E19A]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xA68B4521]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xA687DF3C]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xA6876C3E]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xA687E0BA]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xA687DF86]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xA6876F14]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xA687E154]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xA6947E4A]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xA68B4A28]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xA6874272]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xA68B487A]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueueApcThread [0xA6873DD4]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xA69547D2]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xA68B3838]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xA68725A4]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xA68725F2]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0xA68737BE]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xA68721FA]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xA68723AA]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xA68B4FDE]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xA6872350]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0xA6873AF8]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0xA6873C54]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xA687241A]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateProcess [0xA68734D4]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0xA6873636]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwUnloadDriver [0xA694641C]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xA6872640]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwWriteVirtualMemory [0xA6872F1A]

 

---- Kernel code sections - GMER 1.0.15 ----

 

.text ntkrnlpa.exe!ZwCallbackReturn + 2D10 8050459C 4 Bytes [EA, 7C, 94, A6]

.text ntkrnlpa.exe!ZwCallbackReturn + 2F10 8050479C 12 Bytes [A4, 25, 87, A6, F2, 25, 87, ...] {MOVSB ; AND EAX, 0x25f2a687; XCHG [ESI-0x5978c842], ESP}

.text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 80504844 12 Bytes [F8, 3A, 87, A6, 54, 3C, 87, ...] {CLC ; CMP AL, [EDI-0x78c3ab5a]; CMPSB ; SBB AH, [EDI+EAX*4]; CMPSB }

PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A648C 4 Bytes CALL A6874A77 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text C:\WINDOWS\system32\drivers\oreans32.sys section is writeable [0xBA2B8280, 0x7B1C, 0xE8000020]

.text win32k.sys!EngFreeUserMem + 674 BF809FDF 5 Bytes JMP A6878B4C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngFreeUserMem + 3625 BF80CF90 5 Bytes JMP A6878A3C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngDeleteSurface + 45 BF8138FE 5 Bytes JMP A68789F6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!BRUSHOBJ_pvAllocRbrush + 320C BF81E743 5 Bytes JMP A6877688 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngMulDiv + 199A BF820E6C 5 Bytes JMP A68780A8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngSetLastError + 7657 BF82868B 5 Bytes JMP A68777C4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngCreateBitmap + 698 BF838560 5 Bytes JMP A6878CB6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngCreateBitmap + BB6 BF838A7E 5 Bytes JMP A68788FC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngCreateBitmap + 3605 BF83B4CD 5 Bytes JMP A6878EBE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngCreateBitmap + D9AB BF845873 5 Bytes JMP A6877834 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngCreateBitmap + 113C6 BF84928E 5 Bytes JMP A6878090 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngMultiByteToWideChar + 2E60 BF852720 5 Bytes JMP A687816A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngMultiByteToWideChar + 2F20 BF8527E0 5 Bytes JMP A6877670 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngMultiByteToWideChar + 84B4 BF857D74 5 Bytes JMP A6878E1C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!XLATEOBJ_iXlate + 23AD BF873983 5 Bytes JMP A6878BFE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngStretchBlt + 37BB BF87882D 5 Bytes JMP A6878A86 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngGetCurrentCodePage + 3617 BF88FFB6 5 Bytes JMP A6877CDE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngGetCurrentCodePage + 413A BF890AD9 5 Bytes JMP A6877E9E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngGetLastError + 1606 BF8ADD61 5 Bytes JMP A6878182 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngGradientFill + 4B52 BF8B3770 5 Bytes JMP A6877C1E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngGradientFill + 4BDD BF8B37FB 5 Bytes JMP A6877EE4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngAlphaBlend + 9286 BF8C31E7 5 Bytes JMP A6877944 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!PATHOBJ_bCloseFigure + 19CE BF8ED991 5 Bytes JMP A687756A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!PATHOBJ_bCloseFigure + 9006 BF8F4FC9 5 Bytes JMP A68780C0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!PATHOBJ_bCloseFigure + D4C6 BF8F9489 5 Bytes JMP A6877A1C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!PATHOBJ_bCloseFigure + D746 BF8F9709 5 Bytes JMP A6877B48 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngCreateClip + 1994 BF912612 5 Bytes JMP A6877760 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngCreateClip + 2568 BF9131E6 5 Bytes JMP A68778F0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngCreateClip + 4F29 BF915BA7 5 Bytes JMP A6877FFE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngPlgBlt + 1931 BF9438F8 5 Bytes JMP A6878D74 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

 

---- User code sections - GMER 1.0.15 ----

 

.text C:\WINDOWS\system32\spoolsv.exe[172] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\WINDOWS\system32\spoolsv.exe[172] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

.text F:\57fepinq.exe[412] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text F:\57fepinq.exe[412] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

.text C:\Program Files\DellTPad\Apoint.exe[476] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\Program Files\DellTPad\Apoint.exe[476] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

.text C:\WINDOWS\OEM13Mon.exe[500] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\WINDOWS\OEM13Mon.exe[500] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

.text C:\WINDOWS\system32\igfxtray.exe[516] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\WINDOWS\system32\igfxtray.exe[516] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

.text C:\WINDOWS\system32\hkcmd.exe[548] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\WINDOWS\system32\hkcmd.exe[548] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

.text C:\WINDOWS\system32\igfxpers.exe[564] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\WINDOWS\system32\igfxpers.exe[564] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

.text C:\WINDOWS\system32\WLTRAY.exe[616] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\WINDOWS\system32\WLTRAY.exe[616] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

.text C:\WINDOWS\system32\igfxsrvc.exe[672] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\WINDOWS\system32\igfxsrvc.exe[672] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

.text C:\WINDOWS\RTHDCPL.EXE[692] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\WINDOWS\RTHDCPL.EXE[692] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

.text C:\Program Files\AVAST Software\Avast\avastUI.exe[724] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\Program Files\AVAST Software\Avast\avastUI.exe[724] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

.text C:\Program Files\DellTPad\ApMsgFwd.exe[840] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\Program Files\DellTPad\ApMsgFwd.exe[840] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

.text C:\WINDOWS\System32\smss.exe[848] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\WINDOWS\system32\csrss.exe[912] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\WINDOWS\system32\csrss.exe[912] KERNEL32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

.text C:\WINDOWS\system32\winlogon.exe[936] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\WINDOWS\system32\winlogon.exe[936] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

.text C:\WINDOWS\system32\services.exe[980] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\WINDOWS\system32\services.exe[980] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

.text C:\WINDOWS\system32\lsass.exe[992] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\WINDOWS\system32\lsass.exe[992] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

.text C:\WINDOWS\system32\svchost.exe[1164] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\WINDOWS\system32\svchost.exe[1164] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

.text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

.text C:\WINDOWS\System32\svchost.exe[1268] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

.text C:\Program Files\DellTPad\HidFind.exe[1348] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\Program Files\DellTPad\HidFind.exe[1348] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

.text C:\Program Files\DellTPad\Apntex.exe[1368] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\Program Files\DellTPad\Apntex.exe[1368] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

.text C:\WINDOWS\system32\svchost.exe[1388] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

.text C:\WINDOWS\system32\ctfmon.exe[1396] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\WINDOWS\system32\ctfmon.exe[1396] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

.text C:\WINDOWS\system32\svchost.exe[1416] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

.text C:\WINDOWS\system32\crypserv.exe[1476] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\WINDOWS\system32\crypserv.exe[1476] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

.text C:\WINDOWS\system32\DRIVERS\o2flash.exe[1584] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\WINDOWS\system32\DRIVERS\o2flash.exe[1584] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

.text C:\WINDOWS\System32\WLTRYSVC.EXE[1696] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\WINDOWS\System32\WLTRYSVC.EXE[1696] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

.text C:\WINDOWS\System32\bcmwltry.exe[1708] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\WINDOWS\System32\bcmwltry.exe[1708] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1756] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1756] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }

.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1756] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

.text C:\WINDOWS\srntservice.exe[1784] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\WINDOWS\srntservice.exe[1784] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

.text C:\WINDOWS\system32\svchost.exe[1864] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

.text C:\WINDOWS\Explorer.EXE[1980] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\WINDOWS\Explorer.EXE[1980] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

.text C:\WINDOWS\System32\alg.exe[2152] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\WINDOWS\System32\alg.exe[2152] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

.text C:\WINDOWS\system32\wscntfy.exe[2168] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\WINDOWS\system32\wscntfy.exe[2168] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

.text C:\Documents and Settings\praca\Moje dokumenty\Pobieranie\OTL.exe[3536] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]

.text C:\Documents and Settings\praca\Moje dokumenty\Pobieranie\OTL.exe[3536] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]

 

---- User IAT/EAT - GMER 1.0.15 ----

 

IAT C:\Program Files\AVAST Software\Avast\avastUI.exe[724] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [64C8F6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)

IAT C:\WINDOWS\system32\services.exe[980] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002

IAT C:\WINDOWS\system32\services.exe[980] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000

IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1756] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [64C8F6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)

 

---- Devices - GMER 1.0.15 ----

 

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

 

---- Registry - GMER 1.0.15 ----

 

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{71306B4D-C743-1FA9-17DC-A55E4F9052BC}

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{993A7AF1-8CBB-4D75-25B0-4DA1ECDC27F0}

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{993A7AF1-8CBB-4D75-25B0-4DA1ECDC27F0}@iamkmacfbglpaajkol 0x63 0x61 0x62 0x6A ...

 

---- EOF - GMER 1.0.15 ----

 

Dotychczas trojan nie wyrządził jakichkolwiek szkód. Jedynie została wykryta infekcja w wielu plikach.

[picasso]

Dotychczas trojan nie wyrządził jakichkolwiek szkód. Jedynie została wykryta infekcja w wielu plikach.

 

Jeśli to żaden fałszywy alarm, Avast wykrył infekcję w plikach wykonywalnych i nie wiadomo czy to infekcja w toku (zarażanie sukcesywnie kolejnych programów + plików Windows). Ależ wyrządził, zainfekował pliki (= zepsuł je). Określone pliki należało poddać leczeniu a nie usuwać (chodzi mi konkretnie o katalogi C:\Dell ze sterownikami + C:\MSOCache z lokalnym źródłem instalacyjnym Office). Instalki aplikacji to bez żalu do wyrzucenia, wszystko z System Volume Information (katalog Przywracania systemu) nieważne, bo to izolowany magazyn i będzie czyszczony zbiorowo na końcu. Określone ścieżki w skanerze są zaś nieczytelne, nie widzę dokąd kierują.

 

Wg OTL działa tu infekcja uruchamiana z Kosza (to co Avast wykrył pod nazwą Win32:Rootkit-gen [Rtk]) oraz jest adware v9. Przeprowadź następujące działania:

 

1. Przez Dodaj/Usuń programy odinstaluj V9 Homepage Uninstaller.

 

2. Wyczyść Firefox z adware v9: menu Pomoc > Informacje dla pomocy technicznej > Zresetuj program Firefox.

 

3. Uruchom OTL i w sekcji Własne opcje skanowania / skrypt wklej:

 

:OTL
O20 - HKLM Winlogon: TaskMan - (C:\RECYCLER\S-1-5-21-4857677061-9984085168-053549017-4787\sysinfo.exe) - C:\RECYCLER\S-1-5-21-4857677061-9984085168-053549017-4787\sysinfo.exe ()
 
:Files
RECYCLER /alldrives
C:\Program Files\mozilla firefox\searchplugins\v9.xml
 
:Reg
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
 
:Commands
[emptytemp]

 

Adnotacja dla innych czytających: skrypt unikatowy - dopasowany tylko i wyłącznie pod ten system, proszę nie stosować na swoich systemach.

 

Klik w Wykonaj skrypt. Zatwierdź restart systemu.

 

4. Zrób nowy log OTL z opcji Skanuj (już bez Extras) + USBFix z opcji Listing.

 

 

 

.

[lukas89x]

1. Zrobione

2. Zrobione

3. Zrobione

4.OTL.Txt i UsbFix.txt

[picasso]

Zadania wykonane. Kolejna porcja czynności:

 

1. Przez SHIFT+DEL skasuj plik C:\WINDOWS\explorer.exe.local. Ominęłam go przypadkiem.

 

2. Porządki po narzędziach: odinstaluj USBFix, w OTL uruchom Sprzątanie, przez SHIFT+DEL skasuj z Pulpitu folder Stare dane programu Firefox.

 

3. Wyczyść foldery Przywracania systemu: KLIK.

 

4. Zrób nowy pełny skan Avastem i przedstaw wyniki czy nadal coś wykrywa.

 

 

 

.

[lukas89x]

1. Zrobione

2. Zrobione

3. Zrobione

4. Avast nadal wykrywa infekcje

[picasso]

Nie prosiłam Cię o nowy log OTL (usuwam). Ta część ukończona.

 

 

4. Avast nadal wykrywa infekcje

 

Czy te pliki na pewno zostały poddane kwarantannie? Jakie akcje dla nich oferuje Avast poza kwarantanną, czy tam jest może operacja typu "leczenie"? Czy Avast ma na pewno zaktualizowane definicje? I sprawdź co widzi alternatywny program, tzn. zrób też pełny skan w Kaspersky Virus Removal Tool. W konfiguracji skanera zaznacz wszystkie obszary do skanu. Jeśli będą tu jakieś wyniki typu "Detected" (inne typy mnie nie interesują), to je przeklej.

 

 

.

Edytowane 1 Lutego 2013 przez picasso
1.02.2013 - Temat zostaje zamknięty z powodu braku odpowiedzi. //picasso