Asus n50vn rootkit



Hello. I have a problem: my ASUS n50vn laptop has been rooted. For a good few months I have been trying to deal with it, but none of my attempts work. I decided to ask for help. I discovered it at the beginning of this year: Windows 7, CMOS reset, hard disk wiped and Linux Mint installed. The joy did not last long; it turned out to be the same as before. My idea that it is a rootkit comes from the fact that it has the highest privileges: it shuts down a program or, for example, causes a blue screen of death, it rolls back the system time and date if I surprise it with something, there are very many occupied ports (netstat), and the Malwarebytes antivirus showed a message after the scan that it is a rootkit and that I should seek help. Many hidden files, e.g. a file in 15 appdata folders. I have to paste the GMER log. Please review the ComboFix log.


ComboFix 14-12-07.01 - Mariusz 2014-12-07  11:47:42.2.2 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1250.48.1045.18.4095.2067 [GMT 1:00]
Uruchomiony z: c:\users\Mariusz\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Usunięto   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Recycler
.
.
(((((((((((((((((((((((((   Pliki utworzone od 2014-11-07 do 2014-12-07  )))))))))))))))))))))))))))))))
.
.
2014-12-07 10:53 . 2014-12-07 10:53    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-12-07 10:41 . 2014-10-01 10:20    93400    ----a-w-    c:\windows\system32\drivers\is-GJ4SP.tmp
2014-12-07 10:41 . 2014-12-07 10:41    --------    d-----w-    C:\Program Files )
2014-12-07 10:41 . 2014-10-01 10:20    25816    ----a-w-    c:\windows\system32\drivers\is-HRU1D.tmp
2014-12-07 08:01 . 2014-12-07 08:01    --------    d-----w-    c:\programdata\SUPERAntiSpyware.com
2014-12-07 07:48 . 2014-12-07 08:27    --------    d-----w-    c:\programdata\Spybot - Search & Destroy
2014-12-07 07:44 . 2014-12-07 07:44    --------    d-----w-    c:\programdata\HitmanPro
2014-12-07 03:23 . 2014-12-07 03:23    --------    d-----w-    c:\program files\WinRAR
2014-12-06 19:43 . 2014-12-06 19:43    --------    d-----w-    c:\program files (x86)\Mozilla Maintenance Service
2014-12-06 19:43 . 2014-12-06 19:43    --------    d-----w-    c:\program files\Nightly
2014-12-06 17:44 . 2014-12-06 17:44    --------    d-----w-    c:\programdata\GlassWire
2014-12-06 17:44 . 2014-11-05 05:41    33296    ----a-w-    c:\windows\system32\drivers\gwdrv.sys
2014-12-06 17:44 . 2014-12-06 17:44    --------    d-----w-    c:\program files (x86)\GlassWire
2014-12-06 17:33 . 2014-11-17 01:08    11632448    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{9840109A-ACB0-46A3-8ED1-C7A31D26BED5}\mpengine.dll
2014-12-06 17:15 . 2014-12-06 17:18    --------    d-----w-    c:\windows\system32\catroot2
2014-12-06 16:26 . 2014-12-06 17:05    --------    d-----w-    c:\windows\SysWow64\wbem\Performance
2014-12-06 16:18 . 2014-12-06 16:18    --------    d-----w-    C:\RegBackup
2014-12-06 15:58 . 2014-12-06 15:58    --------    d-----w-    c:\program files (x86)\WinDirStat
2014-12-06 15:49 . 2014-12-06 15:49    --------    d-----w-    c:\program files (x86)\Secunia
2014-12-06 15:48 . 2014-12-06 15:48    --------    d-----w-    c:\program files (x86)\Tweaking.com
2014-12-06 15:44 . 2014-12-07 10:40    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-12-06 15:36 . 2014-12-06 15:36    --------    d-----w-    c:\program files (x86)\Zemana AntiLogger Free
2014-12-06 15:36 . 2014-12-06 15:36    --------    d-----w-    c:\program files (x86)\KeyCryptSDK
2014-12-06 15:36 . 2014-11-28 11:15    71400    ----a-w-    c:\windows\system32\drivers\KeyCrypt64.sys
2014-12-06 15:32 . 2014-12-06 15:32    --------    d-----w-    c:\programdata\InstallMate
2014-12-06 15:32 . 2014-12-06 15:32    --------    d-----w-    c:\program files (x86)\Ruiware
2014-12-06 15:21 . 2014-12-07 10:29    --------    d-----w-    c:\programdata\Malwarebytes Anti-Exploit
2014-12-06 15:21 . 2014-12-06 15:21    --------    d-----w-    c:\program files (x86)\Malwarebytes Anti-Exploit
2014-12-06 12:50 . 2014-12-06 12:50    129752    ----a-w-    c:\windows\system32\drivers\06E03FF8.sys
2014-12-05 19:08 . 2014-12-06 17:21    --------    d-----w-    c:\programdata\Skype
2014-11-28 12:02 . 2014-11-28 12:02    18456    ----a-w-    c:\windows\system32\drivers\psi_mf_amd64.sys
2014-11-25 18:39 . 2014-05-14 16:23    44512    ----a-w-    c:\windows\system32\wups2.dll
2014-11-25 18:39 . 2014-05-14 16:23    58336    ----a-w-    c:\windows\system32\wuauclt.exe
2014-11-25 18:39 . 2014-05-14 16:23    2477536    ----a-w-    c:\windows\system32\wuaueng.dll
2014-11-25 18:39 . 2014-05-14 16:21    2620928    ----a-w-    c:\windows\system32\wucltux.dll
2014-11-25 18:39 . 2014-05-14 16:23    38880    ----a-w-    c:\windows\system32\wups.dll
2014-11-25 18:39 . 2014-05-14 16:23    36320    ----a-w-    c:\windows\SysWow64\wups.dll
2014-11-25 18:39 . 2014-05-14 16:23    700384    ----a-w-    c:\windows\system32\wuapi.dll
2014-11-25 18:39 . 2014-05-14 16:23    581600    ----a-w-    c:\windows\SysWow64\wuapi.dll
2014-11-25 18:39 . 2014-05-14 16:20    97792    ----a-w-    c:\windows\system32\wudriver.dll
2014-11-25 18:39 . 2014-05-14 16:17    92672    ----a-w-    c:\windows\SysWow64\wudriver.dll
2014-11-25 18:38 . 2014-05-14 08:23    198600    ----a-w-    c:\windows\system32\wuwebv.dll
2014-11-25 18:38 . 2014-05-14 08:23    179656    ----a-w-    c:\windows\SysWow64\wuwebv.dll
2014-11-25 18:38 . 2014-05-14 08:20    36864    ----a-w-    c:\windows\system32\wuapp.exe
2014-11-25 18:38 . 2014-05-14 08:17    33792    ----a-w-    c:\windows\SysWow64\wuapp.exe
2014-11-25 14:22 . 2014-11-25 14:22    --------    d-----w-    c:\programdata\Package Cache
2014-11-25 14:21 . 2014-11-25 14:21    --------    d-----w-    c:\program files (x86)\Seagate
2014-11-25 14:17 . 2014-11-25 14:17    --------    d-----w-    c:\program files (x86)\Microsoft.NET
2014-11-25 14:08 . 2014-10-31 22:26    103374192    ----a-w-    c:\windows\system32\MRT.exe
2014-11-25 13:51 . 2014-11-25 13:51    --------    d-----w-    C:\TDSSKiller_Quarantine
2014-11-25 13:45 . 2014-12-06 20:11    71344    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-11-25 13:45 . 2014-12-06 20:11    701104    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2014-11-25 13:45 . 2014-11-25 13:45    --------    d-----w-    c:\windows\SysWow64\Macromed
2014-11-25 13:45 . 2014-11-25 13:45    --------    d-----w-    c:\windows\system32\Macromed
2014-11-25 13:26 . 2014-12-07 10:39    135384    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-11-25 13:26 . 2014-12-07 07:27    --------    d-----w-    c:\programdata\Malwarebytes
2014-11-25 13:26 . 2014-12-06 17:29    96472    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-11-25 13:26 . 2014-12-06 15:28    --------    d-----w-    c:\program files (x86)\Malwarebytes Anti-Malware
2014-11-25 13:26 . 2014-11-21 05:14    25816    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-11-25 13:26 . 2014-10-01 10:20    63704    ----a-w-    c:\windows\system32\drivers\mwac.sys
2014-11-25 13:19 . 2014-12-06 13:21    --------    d-----w-    c:\program files (x86)\Opera
2014-11-25 13:16 . 2009-06-25 23:38    57856    ----a-w-    c:\windows\system32\drivers\rixdpx64.sys
2014-11-25 13:16 . 2007-07-25 19:48    172032    ----a-w-    c:\windows\system32\rixdicon.dll
2014-11-25 13:16 . 2009-06-26 00:04    67584    ----a-w-    c:\windows\system32\drivers\rimmpx64.sys
2014-11-25 13:16 . 2009-06-25 23:13    55296    ----a-w-    c:\windows\system32\drivers\rimspx64.sys
2014-11-25 13:16 . 2004-09-04 10:00    90112    ----a-w-    c:\windows\system32\snymsico.dll
2014-11-25 13:13 . 2014-11-25 13:14    --------    d-----w-    c:\programdata\NVIDIA
2014-11-25 13:12 . 2009-05-11 10:49    81952    ----a-w-    c:\windows\system32\drivers\nvhda64v.sys
2014-11-25 13:12 . 2009-05-11 10:49    62976    ----a-w-    c:\windows\system32\nvapo64v.dll
2014-11-25 13:12 . 2009-05-11 10:48    22528    ----a-w-    c:\windows\system32\nvhdap64.dll
2014-11-25 13:12 . 2009-05-08 14:50    159232    ----a-w-    c:\windows\system32\nvcohda6.dll
2014-11-25 13:12 . 2009-05-08 14:50    506400    ----a-w-    c:\windows\system32\nvuhda6.exe
2014-11-25 13:11 . 2009-06-11 09:09    508448    ----a-w-    c:\windows\system32\nvudisp.exe
2014-11-25 13:11 . 2009-06-22 11:28    539168    ----a-w-    c:\windows\system32\NVUNINST.EXE
2014-11-25 13:06 . 2009-07-20 16:29    15416    ----a-w-    c:\windows\system32\drivers\kbfiltr.sys
2014-11-25 13:05 . 2009-08-23 04:24    5435904    ----a-w-    c:\windows\system32\drivers\NETw5v64.sys
2014-11-25 13:04 . 2014-11-25 13:53    --------    d-----w-    c:\program files\ATKGFNEX
2014-11-25 13:04 . 2014-11-25 13:04    --------    d-----w-    c:\program files (x86)\InstallShield Installation Information
2014-11-25 13:03 . 2014-11-25 13:04    --------    d-----w-    c:\program files (x86)\ASUS
2014-11-25 13:02 . 2014-12-05 19:08    --------    d-sh--w-    c:\windows\Installer
2014-11-25 12:56 . 2014-11-25 12:57    --------    d-----w-    c:\users\Mariusz
2014-11-25 12:49 . 2014-11-25 12:56    --------    d-----w-    c:\windows\Panther
.
.
.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-11-24 13:04 . 2010-11-21 03:27    275080    ------w-    c:\windows\system32\MpSigStub.exe
.
.
(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane  
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HijackThis startup scan"="c:\users\Mariusz\Desktop\HijackThis\HijackThis.exe" [2011-04-11 1306624]
"SUPERAntiSpyware"="c:\users\Mariusz\Desktop\SuperAntiSpyware\PROGRAM64.COM" [2011-10-17 5500800]
"HW_OPENEYE_OUC_blueconnect"="c:\program files (x86)\blueconnect\UpdateDog\ouc.exe" [2011-03-26 116064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Exploit"="c:\program files (x86)\Malwarebytes Anti-Exploit\mbae.exe" [2014-12-04 2558776]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BFE]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MpsSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiserver]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SharedAccess]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vss]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys;c:\windows\SYSNATIVE\DRIVERS\ew_hwusbdev.sys [x]
R3 nmwcdnsux64;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsux64.sys;c:\windows\SYSNATIVE\drivers\nmwcdnsux64.sys [x]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf_amd64.sys;c:\windows\SYSNATIVE\DRIVERS\psi_mf_amd64.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R4 GlassWire;GlassWire Control Service;c:\program files (x86)\GlassWire\GWCtlSrv.exe;c:\program files (x86)\GlassWire\GWCtlSrv.exe [x]
R4 HWDeviceService64.exe;HWDeviceService64.exe;c:\programdata\DatacardService\HWDeviceService64.exe;c:\programdata\DatacardService\HWDeviceService64.exe [x]
R4 Secunia PSI Agent;Secunia PSI Agent;c:\program files (x86)\Secunia\PSI\PSIA.exe;c:\program files (x86)\Secunia\PSI\PSIA.exe [x]
R4 Secunia Update Agent;Secunia Update Agent;c:\program files (x86)\Secunia\PSI\sua.exe;c:\program files (x86)\Secunia\PSI\sua.exe [x]
S1 ESProtectionDriver;Malwarebytes Anti-Exploit;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae64.sys;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [x]
S1 gwdrv;GlassWire Driver;c:\windows\system32\DRIVERS\gwdrv.sys;c:\windows\SYSNATIVE\DRIVERS\gwdrv.sys [x]
S1 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys;c:\windows\SYSNATIVE\drivers\mbamchameleon.sys [x]
S1 SASDIFSV;SASDIFSV;c:\users\Mariusz\Desktop\SuperAntiSpyware\SASDIFSV64.SYS;c:\users\Mariusz\Desktop\SuperAntiSpyware\SASDIFSV64.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\users\Mariusz\Desktop\SuperAntiSpyware\SASKUTIL64.SYS;c:\users\Mariusz\Desktop\SuperAntiSpyware\SASKUTIL64.SYS [x]
S2 ASMMAP64;ASMMAP64;c:\program files\ATKGFNEX\ASMMAP64.sys;c:\program files\ATKGFNEX\ASMMAP64.sys [x]
S2 MbaeSvc;Malwarebytes Anti-Exploit Service;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe [x]
S3 huawei_cdcacm;huawei_cdcacm;c:\windows\system32\DRIVERS\ew_jucdcacm.sys;c:\windows\SYSNATIVE\DRIVERS\ew_jucdcacm.sys [x]
S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys;c:\windows\SYSNATIVE\DRIVERS\ew_jubusenum.sys [x]
S3 keycrypt;keycrypt;c:\windows\system32\DRIVERS\KeyCrypt64.sys;c:\windows\SYSNATIVE\DRIVERS\KeyCrypt64.sys [x]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys;c:\windows\SYSNATIVE\DRIVERS\netw5v64.sys [x]
S3 RTL8167;Sterownik Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
--- Inne Usługi/Sterowniki w Pamięci ---
.
*NewlyCreated* - MBAMSWISSARMY
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="c:\program files (x86)\Ruiware\WinPatrol\winpatrol.exe" [2014-07-21 1154112]
.
------- Skan uzupełniający -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.msn.com
mLocal Page = c:\windows\SYSTEM32\blank.htm
FF - ProfilePath - c:\users\Mariusz\AppData\Roaming\Mozilla\Firefox\Profiles\qq6gtik4.default\
.
- - - - USUNIĘTO PUSTE WPISY - - - -
.
SafeBoot-41186125.sys
.
.
.
Czas ukończenia: 2014-12-07  11:55:17
ComboFix-quarantined-files.txt  2014-12-07 10:55
.
Przed: 476 243 406 848 bajtów wolnych
Po: 476 322 066 432 bajtów wolnych
.
- - End Of File - - 5D4B5A8100FE671EBB2AA40024FF2FCE
A36C5E4F47E84449FF07ED3517B43A31
GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2014-12-07 17:19:04
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS545050KTA300 rev.BKFOC60G 465,76GB
Running: m57g1hli.exe; Driver: C:\Users\Mariusz\AppData\Local\Temp\pwriafoc.sys


---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\blueconnect\blueconnect.exe[1728] C:\Windows\syswow64\USER32.dll!GetSysColor                                          0000000076526c3c 5 bytes JMP 000000010045b9d0
.text  C:\Program Files (x86)\blueconnect\blueconnect.exe[1728] C:\Windows\syswow64\USER32.dll!GetSysColorBrush                                     00000000765335a4 5 bytes JMP 000000010045ba30
.text  C:\Program Files (x86)\blueconnect\blueconnect.exe[1728] C:\Windows\syswow64\USER32.dll!GetScrollInfo                                        0000000076534018 7 bytes JMP 000000010045b810
.text  C:\Program Files (x86)\blueconnect\blueconnect.exe[1728] C:\Windows\syswow64\USER32.dll!SetScrollInfo                                        00000000765340cf 7 bytes JMP 000000010045b8c0
.text  C:\Program Files (x86)\blueconnect\blueconnect.exe[1728] C:\Windows\syswow64\USER32.dll!ShowScrollBar                                        0000000076534162 5 bytes JMP 000000010045b990
.text  C:\Program Files (x86)\blueconnect\blueconnect.exe[1728] C:\Windows\syswow64\USER32.dll!GetScrollPos                                         0000000076534234 5 bytes JMP 000000010045b850
.text  C:\Program Files (x86)\blueconnect\blueconnect.exe[1728] C:\Windows\syswow64\USER32.dll!SetScrollPos                                         00000000765387a5 5 bytes JMP 000000010045b900
.text  C:\Program Files (x86)\blueconnect\blueconnect.exe[1728] C:\Windows\syswow64\USER32.dll!EnableScrollBar                                      0000000076538d3a 7 bytes JMP 000000010045b7d0
.text  C:\Program Files (x86)\blueconnect\blueconnect.exe[1728] C:\Windows\syswow64\USER32.dll!GetScrollRange                                       00000000765390c4 5 bytes JMP 000000010045b880
.text  C:\Program Files (x86)\blueconnect\blueconnect.exe[1728] C:\Windows\syswow64\USER32.dll!SetScrollRange                                       000000007654d50b 5 bytes JMP 000000010045b940
.text  C:\Program Files (x86)\blueconnect\blueconnect.exe[1728] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                             0000000076851465 2 bytes [85, 76]
.text  C:\Program Files (x86)\blueconnect\blueconnect.exe[1728] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                            00000000768514bb 2 bytes [85, 76]
.text  ...                                                                                                                                          * 2
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                          00000000772b7a90 13 bytes {MOV R11, 0x7fef8a8b0c0; JMP R11}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile                                                          00000000772e1370 13 bytes {MOV R11, 0x7feea7f6a68; JMP R11}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile                                                         00000000772e1390 13 bytes {MOV R11, 0x7feea7f7c70; JMP R11}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                             00000000772e1490 6 bytes {JMP QWORD [RIP+0x8e7eba0]}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFileGather                                                   00000000772e14c0 13 bytes {MOV R11, 0x7feeadfadf8; JMP R11}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtReadFileScatter                                                   00000000772e15f0 13 bytes {MOV R11, 0x7feeadfad3c; JMP R11}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtFlushBuffersFile                                                  00000000772e17c0 13 bytes {MOV R11, 0x7feea99338c; JMP R11}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                              00000000772e1810 6 bytes {JMP QWORD [RIP+0x8e9e820]}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                        00000000772e1860 13 bytes {MOV R11, 0x7feea7f785c; JMP R11}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile                                           00000000772e2470 13 bytes {MOV R11, 0x7feea7f67e0; JMP R11}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\kernel32.dll!CopyFileW                                                        00000000770792d0 6 bytes JMP 8d4d2024
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter                                      0000000077089b70 13 bytes {MOV R11, 0x7feeab1ee50; JMP R11}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                           000000007708e7b0 6 bytes JMP 0
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\kernel32.dll!CreateProcessW                                                   0000000077091bb0 6 bytes JMP 60d0000
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\kernel32.dll!GetThreadSelectorEntry                                           00000000770c0d10 6 bytes {JMP QWORD [RIP+0x907f320]}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\kernel32.dll!MoveFileW                                                        00000000770ff7f0 6 bytes JMP 0
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\kernel32.dll!MoveFileA                                                        00000000770ff950 6 bytes JMP 938
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\kernel32.dll!CopyFileA                                                        0000000077105620 6 bytes JMP 6
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\kernel32.dll!CreateProcessInternalA                                           0000000077107b70 6 bytes JMP 8d0060
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\kernel32.dll!CreateProcessA                                                   0000000077108840 6 bytes JMP 120
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\kernel32.dll!WinExec                                                          0000000077108d80 6 bytes JMP 0
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\KERNELBASE.dll!VirtualAlloc                                                   000007fefd501950 6 bytes {JMP QWORD [RIP+0x189e6e0]}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408                                           000007fefd50a058 3 bytes CALL 32f50000
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\KERNELBASE.dll!HeapCreate + 1                                                 000007fefd50b9a1 5 bytes {JMP QWORD [RIP+0x1934690]}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\KERNELBASE.dll!VirtualProtect                                                 000007fefd5131e0 6 bytes {JMP QWORD [RIP+0x18ace50]}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\KERNELBASE.dll!VirtualProtectEx                                               000007fefd513210 6 bytes {JMP QWORD [RIP+0x18ece20]}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\KERNELBASE.dll!VirtualAllocEx                                                 000007fefd5330c0 6 bytes {JMP QWORD [RIP+0x18acf70]}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                             000007fefd5330f0 6 bytes {JMP QWORD [RIP+0x18ecf40]}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\WS2_32.dll!WSAStartup                                                         000007fefe824980 6 bytes {JMP QWORD [RIP+0x42b6b0]}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\SHELL32.dll!ShellExecuteW                                                     000007fefd99983c 6 bytes {JMP QWORD [RIP+0xf667f4]}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\WININET.dll!InternetReadFile                                                  000007fefd863914 6 bytes {JMP QWORD [RIP+0x148c71c]}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\WININET.dll!InternetOpenUrlA                                                  000007fefd86ba68 6 bytes {JMP QWORD [RIP+0x14645c8]}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\WININET.dll!HttpSendRequestW                                                  000007fefd873b6c 2 bytes [FF, 25]
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\WININET.dll!HttpSendRequestW + 3                                              000007fefd873b6f 3 bytes [C4, 4B, 01]
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\WININET.dll!HttpOpenRequestW                                                  000007fefd88355c 6 bytes {JMP QWORD [RIP+0x13ecad4]}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\WININET.dll!HttpOpenRequestA                                                  000007fefd883910 6 bytes {JMP QWORD [RIP+0x140c720]}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\WININET.dll!HttpSendRequestExW                                                000007fefd8868d8 6 bytes {JMP QWORD [RIP+0x14e9758]}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\WININET.dll!InternetOpenUrlW                                                  000007fefd8b2c74 6 bytes {JMP QWORD [RIP+0x13fd3bc]}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\WININET.dll!InternetReadFileExW + 1                                           000007fefd8b2dc1 5 bytes {JMP QWORD [RIP+0x145d270]}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\WININET.dll!HttpSendRequestA                                                  000007fefd8cf600 6 bytes {JMP QWORD [RIP+0x1480a30]}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\WININET.dll!HttpSendRequestExA                                                000007fefd8cf694 6 bytes {JMP QWORD [RIP+0x14c099c]}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\urlmon.dll!URLDownloadToFileW                                                 000007fefd7695e4 6 bytes {JMP QWORD [RIP+0x11b6a4c]}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW + 1                                        000007fefd7696c5 5 bytes {JMP QWORD [RIP+0x11f696c]}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\urlmon.dll!URLOpenBlockingStreamW                                             000007fefd7698b0 6 bytes {JMP QWORD [RIP+0x14a6780]}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\urlmon.dll!URLOpenStreamW                                                     000007fefd76999c 6 bytes {JMP QWORD [RIP+0x1466694]}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\urlmon.dll!URLDownloadToFileA                                                 000007fefd769b10 6 bytes {JMP QWORD [RIP+0x11d6520]}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileA + 1                                        000007fefd769ca1 5 bytes {JMP QWORD [RIP+0x1216390]}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\urlmon.dll!URLOpenBlockingStreamA                                             000007fefd769e10 6 bytes {JMP QWORD [RIP+0x14c6220]}
.text  C:\Program Files\Nightly\firefox.exe[2676] C:\Windows\system32\urlmon.dll!URLOpenStreamA + 1                                                 000007fefd769f01 5 bytes {JMP QWORD [RIP+0x1486130]}
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread                                     00000000772e13e0 16 bytes [50, 48, B8, 54, BF, 03, 3F, ...]
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                    00000000772e1490 6 bytes JMP ec2b40b8
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken                                          00000000772e1550 16 bytes [50, 48, B8, 78, BF, 03, 3F, ...]
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                              00000000772e1570 32 bytes [50, 48, B8, 40, C1, 03, 3F, ...]
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx                                        00000000772e1600 32 bytes [50, 48, B8, 9C, BF, 03, 3F, ...]
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                 00000000772e1640 16 bytes [50, 48, B8, 40, C0, 03, 3F, ...]
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile                                      00000000772e16e0 16 bytes [50, 48, B8, 74, C0, 03, 3F, ...]
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                     00000000772e1810 6 bytes JMP 73e16e0
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                               00000000772e1860 16 bytes [50, 48, B8, CC, BF, 03, 3F, ...]
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken                                         00000000772e22d0 16 bytes [50, 48, B8, 64, C1, 03, 3F, ...]
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                               00000000772e2320 16 bytes [50, 48, B8, 1C, C1, 03, 3F, ...]
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile                                  00000000772e2470 16 bytes [50, 48, B8, 88, C0, 03, 3F, ...]
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\kernel32.dll!CopyFileW                                               00000000770792d0 6 bytes JMP 0
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                  000000007708e7b0 6 bytes JMP ec2b0b70
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\kernel32.dll!CreateProcessW                                          0000000077091bb0 6 bytes JMP 0
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\kernel32.dll!GetThreadSelectorEntry                                  00000000770c0d10 6 bytes JMP 907e6f0
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\kernel32.dll!MoveFileW                                               00000000770ff7f0 6 bytes JMP 8f9ec80
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\kernel32.dll!MoveFileA                                               00000000770ff950 6 bytes JMP ec2b40b8
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\kernel32.dll!CopyFileA                                               0000000077105620 6 bytes JMP 8ffaa28
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\kernel32.dll!CreateProcessInternalA                                  0000000077107b70 6 bytes JMP 6d0065
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\kernel32.dll!CreateProcessA                                          0000000077108840 6 bytes JMP 6d0075
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\kernel32.dll!WinExec                                                 0000000077108d80 6 bytes JMP eccdfff8
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\KERNELBASE.dll!VirtualAlloc                                          000007fefd501950 6 bytes {JMP QWORD [RIP+0x189e6e0]}
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408                                  000007fefd50a058 3 bytes [b2, 5F, 06]
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\KERNELBASE.dll!HeapCreate + 1                                        000007fefd50b9a1 5 bytes {JMP QWORD [RIP+0x1934690]}
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\KERNELBASE.dll!VirtualProtect                                        000007fefd5131e0 6 bytes {JMP QWORD [RIP+0x18ace50]}
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\KERNELBASE.dll!VirtualProtectEx                                      000007fefd513210 6 bytes {JMP QWORD [RIP+0x18ece20]}
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\KERNELBASE.dll!VirtualAllocEx                                        000007fefd5330c0 6 bytes {JMP QWORD [RIP+0x18acf70]}
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                    000007fefd5330f0 6 bytes {JMP QWORD [RIP+0x18ecf40]}
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\WS2_32.dll!WSAStartup                                                000007fefe824980 6 bytes {JMP QWORD [RIP+0x42b6b0]}
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\WININET.dll!InternetReadFile                                         000007fefd863914 6 bytes {JMP QWORD [RIP+0x148c71c]}
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\WININET.dll!InternetOpenUrlA                                         000007fefd86ba68 6 bytes {JMP QWORD [RIP+0x14645c8]}
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\WININET.dll!HttpSendRequestW                                         000007fefd873b6c 2 bytes [FF, 25]
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\WININET.dll!HttpSendRequestW + 3                                     000007fefd873b6f 3 bytes [C4, 4B, 01]
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\WININET.dll!HttpOpenRequestW                                         000007fefd88355c 6 bytes {JMP QWORD [RIP+0x13ecad4]}
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\WININET.dll!HttpOpenRequestA                                         000007fefd883910 6 bytes {JMP QWORD [RIP+0x140c720]}
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\WININET.dll!HttpSendRequestExW                                       000007fefd8868d8 6 bytes {JMP QWORD [RIP+0x14e9758]}
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\WININET.dll!InternetOpenUrlW                                         000007fefd8b2c74 6 bytes {JMP QWORD [RIP+0x13fd3bc]}
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\WININET.dll!InternetReadFileExW + 1                                  000007fefd8b2dc1 5 bytes {JMP QWORD [RIP+0x145d270]}
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\WININET.dll!HttpSendRequestA                                         000007fefd8cf600 6 bytes {JMP QWORD [RIP+0x1480a30]}
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\WININET.dll!HttpSendRequestExA                                       000007fefd8cf694 6 bytes {JMP QWORD [RIP+0x14c099c]}
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\urlmon.dll!URLDownloadToFileW                                        000007fefd7695e4 6 bytes {JMP QWORD [RIP+0x11b6a4c]}
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW + 1                               000007fefd7696c5 5 bytes {JMP QWORD [RIP+0x11f696c]}
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\urlmon.dll!URLOpenBlockingStreamW                                    000007fefd7698b0 6 bytes {JMP QWORD [RIP+0x14a6780]}
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\urlmon.dll!URLOpenStreamW                                            000007fefd76999c 6 bytes {JMP QWORD [RIP+0x1466694]}
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\urlmon.dll!URLDownloadToFileA                                        000007fefd769b10 6 bytes {JMP QWORD [RIP+0x11d6520]}
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileA + 1                               000007fefd769ca1 5 bytes {JMP QWORD [RIP+0x1216390]}
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\urlmon.dll!URLOpenBlockingStreamA                                    000007fefd769e10 6 bytes {JMP QWORD [RIP+0x14c6220]}
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\urlmon.dll!URLOpenStreamA + 1                                        000007fefd769f01 5 bytes {JMP QWORD [RIP+0x1486130]}

---- Registry - GMER 2.1 ----

Reg    HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{30290E5E-2966-4B51-A598-09BC403E4AE1}\Connection@Name  isatap.{8B89C5E6-5A1C-4B5B-AF23-768569CBDACB}
Reg    HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind     \Device\{438839EC-1992-453E-9190-63067853E229}?\Device\{30290E5E-2966-4B51-A598-09BC403E4AE1}?\Device\{8D5A3030-F062-46DD-BF61-3603F2F15F7F}?\Device\{B794C836-2181-4DD2-8B9B-B1357A4EF5F2}?\Device\{B3C15D4D-1BE4-47BF-884B-96463BFFC39F}?
Reg    HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route    "{438839EC-1992-453E-9190-63067853E229}"?"{30290E5E-2966-4B51-A598-09BC403E4AE1}"?"{8D5A3030-F062-46DD-BF61-3603F2F15F7F}"?"{B794C836-2181-4DD2-8B9B-B1357A4EF5F2}"?"{B3C15D4D-1BE4-47BF-884B-96463BFFC39F}"?
Reg    HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export   \Device\TCPIP6TUNNEL_{438839EC-1992-453E-9190-63067853E229}?\Device\TCPIP6TUNNEL_{30290E5E-2966-4B51-A598-09BC403E4AE1}?\Device\TCPIP6TUNNEL_{8D5A3030-F062-46DD-BF61-3603F2F15F7F}?\Device\TCPIP6TUNNEL_{B794C836-2181-4DD2-8B9B-B1357A4EF5F2}?\Device\TCPIP6TUNNEL_{B3C15D4D-1BE4-47BF-884B-96463BFFC39F}?
Reg    HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{30290E5E-2966-4B51-A598-09BC403E4AE1}@InterfaceName                       isatap.{8B89C5E6-5A1C-4B5B-AF23-768569CBDACB}
Reg    HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{30290E5E-2966-4B51-A598-09BC403E4AE1}@ReusableType                        0
Reg    HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch                                                                              391
Reg    HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch                                                                             104

---- EOF - GMER 2.1 ----
 

FRST.txt

Addition.txt

Shortcut.txt

OTL.Txt

Extras.Txt
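The GMER ".text" section above prints one user-mode inline hook per line: process[pid], hooked module!export, an optional byte offset into the export, the address, the patch length, and what now sits in the prologue (a 32-bit "JMP target", an x64 "JMP QWORD [RIP+...]", or the raw differing bytes). As an added example that is not part of this thread or of GMER, the parser below turns such lines into records and groups the hooked exports per process and module, so the list can be compared against whatever software legitimately hooks that process before anything is concluded; the sample lines are copied from the log above, with the column padding trimmed.

```python
import re
from collections import defaultdict

# One GMER ".text" user-mode hook entry:
#   .text  <process>[<pid>] <module>!<export>[ + <offset>] <address> <n> bytes <patch>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>.+?)!(?P<export>\w+)(?:\s*\+\s*(?P<offset>\d+))?\s+"
    r"(?P<address>[0-9A-Fa-f]{8,16})\s+(?P<size>\d+)\s+bytes\s+(?P<patch>.+?)\s*$"
)

def classify(patch):
    """Label what GMER says replaced the prologue: a 32-bit absolute 'JMP', an x64
    RIP-relative 'JMP QWORD [RIP+...]', or just the raw differing bytes."""
    if patch.startswith("{JMP QWORD [RIP"):
        return "jmp_rip"
    if patch.startswith("JMP "):
        return "jmp_abs"
    return "bytes" if patch.startswith("[") else "other"

def parse_hooks(text):
    """Parse every '.text' line of a GMER report into a dict; headers and Reg lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append({
                "process": m["process"].rsplit("\\", 1)[-1], "pid": int(m["pid"]),
                "module": m["module"].rsplit("\\", 1)[-1].lower(), "export": m["export"],
                "offset": int(m["offset"] or 0),            # bytes past the export's entry
                "address": int(m["address"], 16), "size": int(m["size"]),
                "kind": classify(m["patch"]), "patch": m["patch"]})
    return hooks

def summarize(hooks):
    """Group hooked exports by (process, pid) and module, keeping log order, so the list
    can be matched against whatever legitimately hooks this process (security software, sandboxing)."""
    out = defaultdict(lambda: defaultdict(list))
    for h in hooks:
        out[(h["process"], h["pid"])][h["module"]].append(h["export"])
    return {proc: dict(mods) for proc, mods in out.items()}

# Sample lines copied from the GMER log in this thread (padding between columns trimmed).
SAMPLE = r"""
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\kernel32.dll!CopyFileW  00000000770792d0 6 bytes JMP 0
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408  000007fefd50a058 3 bytes [b2, 5F, 06]
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\KERNELBASE.dll!HeapCreate + 1  000007fefd50b9a1 5 bytes {JMP QWORD [RIP+0x1934690]}
.text  C:\Program Files\Nightly\plugin-container.exe[3852] C:\Windows\system32\urlmon.dll!URLDownloadToFileW  000007fefd7695e4 6 bytes {JMP QWORD [RIP+0x11b6a4c]}
"""
```

Running summarize(parse_hooks(SAMPLE)) yields one entry for plugin-container.exe[3852] with kernel32.dll, kernelbase.dll and urlmon.dll as the hooked modules; whether a hook is benign depends on which loaded module owns the jump target, which the log lines alone do not tell you.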

Help is free, but please consider a donation towards keeping the site running: click.

You have supplied the data, so I can move on to the analysis:

the Malwarebytes antivirus displayed a message after the scan that there is a rootkit and that I should seek help

Post the report from that tool: where (the file path) the rootkit is seen and what name the tool gives it.

Lots of hidden files, e.g. a file in 15 AppData folders

Which hidden file are you talking about? Explain what you mean. Additionally, explain "15 AppData folders": is it by any chance this: CLICK?

As for the logs provided:

- I can see you have been running all sorts of scanning and reset software like crazy. HijackThis: forget that tool. You have a 64-bit system; HijackThis is a 32-bit program, has no compatibility with 64-bit systems at all (no access to the native 64-bit part of the system) and shows nonsense (false "file missing" entries). Trying to "fix" anything with it can damage the system.

- There are no signs of an active infection. The only things to correct are the artificial objects created by ComboFix, leftovers of certain scanners, and removal of the C:\Recycled folder (such a Recycle Bin folder should not exist on Windows 7). Open Notepad and paste into it:

 

CloseProcesses:
U3 catchme; \??\C:\ComboFix\catchme.sys [X]
HKU\S-1-5-21-2376877967-2081922626-2068000606-1000\...\Run: [HijackThis startup scan] => C:\Users\Mariusz\Desktop\HijackThis\HijackThis.exe [1306624 2011-04-11] (Trend Micro Inc.)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction 
HKU\S-1-5-21-2376877967-2081922626-2068000606-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction 
HKU\S-1-5-21-2376877967-2081922626-2068000606-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
Handler: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\system32\urlmon.dll (Microsoft Corporation)
C:\Recycled
C:\ProgramData\Spybot - Search & Destroy
C:\Windows\system32\Drivers\etc\hosts.*.backup
C:\Windows\system32\Drivers\is-GJ4SP.tmp
C:\Windows\system32\Drivers\is-HRU1D.tmp
Reg: reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main" /f
EmptyTemp:

 

Note for other readers: this script is unique, tailored solely to this system; please do not use it on your own systems.

 

Save the file under the name fixlist.txt and place it next to the FRST tool. Run FRST and click Fix. Wait patiently and do not interrupt it. When Fix finishes, a restart will follow. A fixlog.txt file will be created in the same directory FRST was run from. Post it.
