hacktool.rootkit problem+PROŹBA O SPRAWDZENIE LOGA

mam ogrąmną prośbe mógł by mi ktoś powiedzieć czy istnieje jakiś sposób zeby pozbyć się hacktool.rookita. już 2 razy formatowałem dyski a on jeszcze gdzieś tam musi siedzieć bo norton mi nadal wyświetla informacje o nim :cry:

PROSZE POMÓZCIE
dołańczam log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:15, on 2008-01-30
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\NEOSTR~1\NeostradaTP.exe
C:\PROGRA~1\NEOSTR~1\ComComp.exe
C:\PROGRA~1\NEOSTR~1\Watch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [C6501Sound] RunDll32 c6501.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6882574C-5D9F-4E35-8230-6FF61234CA36}: NameServer = 194.204.159.1 217.98.63.164
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Harmonogram automatycznej usługi LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 5703 bytes

Log z Gmera. http://www.gmer.net/index.php?lang=pl

skopiowałem to z zakladki rootki/malwere jest to skanowanie z tysku c bo chyba pozaostałej partycji nie musiałem skanować??

GMER 1.0.14.14116 - http://www.gmer.net
Rootkit scan 2008-01-30 17:38:43
Windows 5.1.2600 Dodatek Service Pack 2

---- System - GMER 1.0.14 ----

SSDT 898DDBB0 ZwAlertResumeThread
SSDT 898DF8B8 ZwAlertThread
SSDT 897BB140 ZwAllocateVirtualMemory
SSDT 8954D728 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xAEE1CEE0]
SSDT 897AD0E0 ZwCreateMutant
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcess [0xAEF21794]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcessEx [0xAEF21F1E]
SSDT 8953E728 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xAEE1D160]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xAEE1D6C0]
SSDT 897E70E0 ZwFreeVirtualMemory
SSDT 8999D2A8 ZwImpersonateAnonymousToken
SSDT 89A7DEF8 ZwImpersonateThread
SSDT 89541728 ZwMapViewOfSection
SSDT 89975AB8 ZwOpenEvent
SSDT 89913140 ZwOpenProcessToken
SSDT 8997E9B0 ZwOpenThreadToken
SSDT 8981D070 ZwResumeThread
SSDT 898E1490 ZwSetContextThread
SSDT 897B90E0 ZwSetInformationProcess
SSDT 897EC0E0 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xAEE1D910]
SSDT 899682F8 ZwSuspendProcess
SSDT 898E0400 ZwSuspendThread
SSDT 897811A8 ZwTerminateProcess
SSDT 898E0C30 ZwTerminateThread
SSDT 898E1F30 ZwUnmapViewOfSection
SSDT 897E40E0 ZwWriteVirtualMemory

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Registry - GMER 1.0.14 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Ac
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Ac@Order 0x08 0x00 0x00 0x00 ...

---- EOF - GMER 1.0.14 ----

Pełny scan? Jeżeli masz rootkita, powinen być komunikat.

wydaje mi się ze pełny skan zostal zrobiony. prwdopodomnie problem zniknoł bo norton nie wyświetla już informacj o rootkicie

. Dzięki za zainteresownai tematem. A mam jeszcze pytanie czy istnieje jakis program ktory by blokowal tego typu problemy jak rootkit??

DLA PENOŚCI ZROBIE JESZCZE RAZ FORMAT BO SŁYSZAŁEM ZE MA TENDENCJE DO UKRYWANIEA SIE I ZOBACZE CZY NAPRWADE ZNIKNOŁ.

http://www.searchengines.pl/index.php?showtopic=29842

zrobiłem jescze raz skanowanie gmerem i wyskoczyl mi komunikat ze znalazł plik który może byc rootkitem :sad:

. to jest log z tego skanowania

GMER 1.0.14.14116 - http://www.gmer.net
Rootkit scan 2008-02-01 00:36:48
Windows 5.1.2600 Dodatek Service Pack 2

---- System - GMER 1.0.14 ----

SSDT 893156C8 ZwAlertResumeThread
SSDT 893166C8 ZwAlertThread
SSDT 897A18A8 ZwAllocateVirtualMemory
SSDT 893686D8 ZwConnectPort
SSDT 8932A7F8 ZwCreateMutant
SSDT \??\C:\WINDOWS\system32\wincab.sys ZwEnumerateKey [0xB6775AB0]
SSDT \??\C:\WINDOWS\system32\wincab.sys ZwEnumerateValueKey [0xB67759A4]
SSDT 891F0928 ZwFreeVirtualMemory
SSDT 893136C8 ZwImpersonateAnonymousToken
SSDT 893146C8 ZwImpersonateThread
SSDT 89AE6370 ZwMapViewOfSection
SSDT 893126C8 ZwOpenEvent
SSDT \??\C:\WINDOWS\system32\wincab.sys ZwOpenProcess [0xB67757D2]
SSDT 8978E738 ZwOpenProcessToken
SSDT 89330880 ZwOpenThreadToken
SSDT 8978D820 ZwSetInformationThread
SSDT 893116C8 ZwSuspendProcess
SSDT 893186C8 ZwTerminateThread
SSDT 8931A6C8 ZwUnmapViewOfSection

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\wincab.sys Nie można odnaleźć określonego pliku. !

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\zxsderfb \Device\zxsderfb wincab.sys

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Modules - GMER 1.0.14 ----

Module (noname) (*** hidden *** ) 00400000-0071F000 (3272704 bytes)

---- Registry - GMER 1.0.14 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Ac
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Ac@Order 0x08 0x00 0x00 0x00 ...

---- EOF - GMER 1.0.14 ----

a gmer sam usówa te rootkity czy trzeba zrobić to ręcznie?? bo zrobilem odrazu drugi raz skanowanie i nic nie wykrył, zauawżylem jeszcze że nie moge odsłonić plików ukrytch w narzędziach/opcjach folderów samo się odrazu przestawia na nie pokazuj plikow ukrytch może to powodować ten rootki. jak by co to dołacze jeszcze log z tego drugiego skanowania

GMER 1.0.14.14116 - http://www.gmer.net
Rootkit scan 2008-02-01 00:46:13
Windows 5.1.2600 Dodatek Service Pack 2

---- System - GMER 1.0.14 ----

SSDT 893156C8 ZwAlertResumeThread
SSDT 893166C8 ZwAlertThread
SSDT 897A18A8 ZwAllocateVirtualMemory
SSDT 893686D8 ZwConnectPort
SSDT 8932A7F8 ZwCreateMutant
SSDT \??\C:\WINDOWS\system32\wincab.sys ZwEnumerateKey [0xB6775AB0]
SSDT \??\C:\WINDOWS\system32\wincab.sys ZwEnumerateValueKey [0xB67759A4]
SSDT 891F0928 ZwFreeVirtualMemory
SSDT 893136C8 ZwImpersonateAnonymousToken
SSDT 893146C8 ZwImpersonateThread
SSDT 89AE6370 ZwMapViewOfSection
SSDT 893126C8 ZwOpenEvent
SSDT \??\C:\WINDOWS\system32\wincab.sys ZwOpenProcess [0xB67757D2]
SSDT 8978E738 ZwOpenProcessToken
SSDT 89330880 ZwOpenThreadToken
SSDT 8978D820 ZwSetInformationThread
SSDT 893116C8 ZwSuspendProcess
SSDT 893186C8 ZwTerminateThread
SSDT 8931A6C8 ZwUnmapViewOfSection

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\wincab.sys Nie można odnaleźć określonego pliku. !

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\zxsderfb \Device\zxsderfb wincab.sys
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.14 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Ac
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Ac@Order 0x08 0x00 0x00 0x00 ...

---- EOF - GMER 1.0.14 ----

rano odpalilem kompa i do tego wczorajszego doszedł mi jeszcze komunikat przy włączaniu komputera o amvo.exe :cry:

log z combofix

ComboFix 08-01-30.6 - Czechu 2008-02-01 12:35:26.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.1643 [GMT 1:00]
Running from: C:\Documents and Settings\Czechu\Pulpit\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf . . . . failed to delete
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
D:\Autorun.inf . . . . failed to delete
E:\Autorun.inf . . . . failed to delete
F:\Autorun.inf . . . . failed to delete
G:\Autorun.inf . . . . failed to delete
H:\Autorun.inf . . . . failed to delete
C:\Autorun.inf . . . . failed to delete
D:\Autorun.inf . . . . failed to delete
E:\Autorun.inf . . . . failed to delete
F:\Autorun.inf . . . . failed to delete
G:\Autorun.inf . . . . failed to delete
H:\Autorun.inf . . . . failed to delete
.
---- Previous Run -------
.
C:\Autorun.inf
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
D:\Autorun.inf . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.

2008-01-31 16:47 . 2008-01-12 18:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-01-31 16:47 . 2008-01-15 09:54 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-01-31 16:47 . 2008-01-15 05:28 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-30 22:55 . 2008-01-30 23:02 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-01-30 22:12 . 2008-01-31 15:47 <DIR> d-------- C:\WINDOWS\system32\pl-pl
2008-01-30 20:38 . 2008-02-01 12:34 514 -rahs---- C:\autorun.inf
2008-01-30 17:35 . 2008-01-30 17:35 <DIR> d-------- C:\gmer
2008-01-30 17:12 . 2008-02-01 00:43 315 --a------ C:\WINDOWS\gmer.ini
2008-01-30 14:14 . 2008-01-30 14:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-30 13:45 . 2006-09-06 17:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-30 13:23 . 2006-05-05 10:41 453,120 -----c--- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2008-01-30 12:29 . 2008-01-31 11:07 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-30 00:01 . 2008-01-30 00:01 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-30 00:01 . 2008-01-30 00:01 <DIR> d-------- C:\Documents and Settings\Czechu\Dane aplikacji\PC Tools
2008-01-30 00:01 . 2008-01-30 00:05 <DIR> d-a------ C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-01-30 00:01 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-30 00:01 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-30 00:01 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-30 00:01 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-30 00:00 . 2008-01-30 00:01 <DIR> d-------- C:\Program Files\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 11:35 --------- d-----w C:\Program Files\Neostrada TP
2008-02-01 11:27 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Symantec
2008-01-31 15:49 --------- d-----w C:\Program Files\Norton AntiVirus
2008-01-30 21:51 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-30 16:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-29 21:33 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-01-29 21:33 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-01-29 21:33 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-01-29 21:33 --------- d-----w C:\Program Files\Symantec
2008-01-29 21:16 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-01-29 21:08 --------- d-----w C:\Program Files\Thomson
2008-01-29 21:07 --------- d-----w C:\Program Files\Java
2008-01-29 21:07 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-29 20:56 --------- d-----w C:\Program Files\C-Media 6501 Sound
2008-01-29 20:55 --------- d-----w C:\Program Files\DIFX
2008-01-29 20:53 --------- d--h--w C:\Program Files\Uninstall Information
2008-01-29 20:50 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-29 20:49 --------- d-----w C:\Program Files\Usługi online
2008-01-23 16:05 107,528 --sh--r C:\awda2.exe
2007-12-05 00:41 7,435,392 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-30 00:01 171448]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C6501Sound"="c6501.cpl" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 01:04 84640]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 19:22 26248]
"WooCnxMon"="C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [2003-10-16 18:07 24576]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38 866816]
"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2003-10-16 18:07 20480]
"WOOTASKBARICON"="C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" [2003-10-16 18:07 53248]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 11:22 517768]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe" [2006-09-13 14:54 100032]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

R2 Harmonogram automatycznej usługi LiveUpdate;Harmonogram automatycznej usługi LiveUpdate;"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2006-09-13 14:54]
R3 cm102u32;C-Media CM6501 Like Sound Interface;C:\WINDOWS\system32\drivers\c6501.sys [2006-09-05 10:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa507a9a-cf6a-11dc-b6a8-806d6172696f}]
\Shell\AutoRun\command - G:\awda2.exe
\Shell\explore\Command - G:\awda2.exe
\Shell\open\Command - G:\awda2.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e8c8e0b0-d00b-11dc-b6ae-000e50db3759}]
\Shell\AutoRun\command - I:\awda2.exe
\Shell\explore\Command - I:\awda2.exe
\Shell\open\Command - I:\awda2.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-29 21:04:39 C:\WINDOWS\Tasks\Norton AntiVirus - Uruchom pełne skanowanie systemu - Czechu.job"

O jezu, zagubił mi się ten post... :oops:

Wklej do Notatnika:

File::
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
C:\awda2.exe
I:\awda2.exe
G:\awda2.exe

Registry::

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e8c8e0b0-d00b-11dc-b6ae-000e50db3759}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa507a9a-cf6a-11dc-b6a8-806d6172696f}]

>>Plik>>Zapisz jako... >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe)
Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe)
– podobnie jak na tym obrazku -->

(jeśli pojawi się pytanie "1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)
Po restarcie usuń ręcznie folder C: \Qoobox.
Po tym nowy log z Combo

31 Mar 2008, 08:48

Witam. Jestem tu nowy. Złapałem HACKTOOL ROOTKIT. Prosze o porade jak się tego pozbyć. Proszę o wyjaśnienie wszystkiego krok po kroku. Proszę o odpowiedź i pozdrawiam.

31 Mar 2008, 11:19

Ściągnąłem GMER-a 1.0.1.4

teraz wklejam wszystkie logi, bo nie wiem co będzie potrzebne:

GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-03-31 11:19:50
Windows 5.1.2600 Dodatek Service Pack 2

---- System - GMER 1.0.14 ----

SSDT sptd.sys ZwCreateKey [0xF7740AC8]
SSDT sptd.sys ZwEnumerateKey [0xF7740C22]
SSDT sptd.sys ZwEnumerateValueKey [0xF7740F9A]
SSDT sptd.sys ZwOpenKey [0xF774098E]
SSDT sptd.sys ZwQueryKey [0xF7741064]
SSDT sptd.sys ZwQueryValueKey [0xF7740EFC]
SSDT sptd.sys ZwSetValueKey [0xF77410EC]

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces.
? C:\WINDOWS\System32\Drivers\SPTD2029.SYS Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces.
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 EF3BE4F0 16 Bytes [ 0D, 3F, 5C, 1A, 10, 4D, 26, ... ]
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 + 11 EF3BE501 31 Bytes [ D0, 3B, EF, 41, 12, D4, 1D, ... ]
? C:\WINDOWS\System32\Drivers\dtscsi.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces.

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F774989E] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F775FD86] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IoGetAttachedDeviceReference] [F7749E24] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IoGetDeviceObjectPointer] [F7749D28] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IofCallDriver] [F7749EF4] sptd.sys
IAT dmio.sys[ntoskrnl.exe!IofCallDriver] [F7749EF4] sptd.sys
IAT dmio.sys[ntoskrnl.exe!IoGetAttachedDeviceReference] [F7749E24] sptd.sys
IAT dmio.sys[ntoskrnl.exe!IoGetDeviceObjectPointer] [F7749D28] sptd.sys
IAT PartMgr.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F775F1AE] sptd.sys
IAT PartMgr.sys[ntoskrnl.exe!IoDetachDevice] [F7749A5A] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IofCompleteRequest] [F775F04A] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F77498F2] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F773CAD2] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F773CC0E] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F773CB96] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F773D76C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F773D642] sptd.sys
IAT disk.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F775FE4A] sptd.sys
IAT \WINDOWS\system32\DRIVERS\CLASSPNP.SYS[ntoskrnl.exe!IoDetachDevice] [F774E8C6] sptd.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!IofCompleteRequest] [F775F04A] sptd.sys
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F775FE4A] sptd.sys
IAT \SystemRoot\system32\DRIVERS\rdbss.sys[ntoskrnl.exe!IofCallDriver] [F7749CC6] sptd.sys
IAT \SystemRoot\system32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!IofCallDriver] [F7749CC6] sptd.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 867C90E8

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc)
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \FileSystem\Fastfat \FatCdrom 8622C0E8

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)

Device \Driver\dmio \Device\DmControl\DmIoDaemon 867CAEB0
Device \Driver\dmio \Device\DmControl\DmConfig 867CAEB0
Device \Driver\dmio \Device\DmControl\DmPnP 867CAEB0
Device \Driver\dmio \Device\DmControl\DmInfo 867CAEB0

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)

Device \Driver\Ftdisk \Device\HarddiskVolume1 867CA0E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 867CA0E8
Device \FileSystem\Rdbss \Device\FsWrap 861A40E8
Device \Driver\Ftdisk \Device\HarddiskVolume3 867CA0E8
Device \Driver\Ftdisk \Device\HarddiskVolume4 867CA0E8
Device \Driver\Ftdisk \Device\HarddiskVolume5 867CA0E8
Device \Driver\Ftdisk \Device\HarddiskVolume6 867CA0E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 862250E8
Device \Driver\00000049 \Device\0000004b sptd.sys
Device \Driver\NetBT \Device\NetbiosSmb 862250E8

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)

Device \Driver\Disk \Device\Harddisk0\DR0 867CA550

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)

Device \Driver\Disk \Device\Harddisk1\DR1 867CA550
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 861991F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector 861991F0
Device \FileSystem\Npfs \Device\NamedPipe 860EC0E8
Device \Driver\Ftdisk \Device\FtControl 867CA0E8
Device \FileSystem\Msfs \Device\Mailslot 8623E4A8
Device \Driver\NetBT \Device\NetBT_Tcpip_{644A76CD-8340-4A6F-9AA2-CF8E6D5D5A0F} 862250E8
Device \Driver\nvidesm \Device\Scsi\nvidesm1Port1Path1Target1Lun0 867CA808
Device \Driver\si3112r \Device\Scsi\si3112r1Port0Path0Target0Lun0 867CAA40
Device \Driver\nvidesm \Device\Scsi\nvidesm1 867CA808
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 8619E0E8
Device \Driver\nvidesm \Device\Scsi\nvidesm1Port1Path1Target0Lun0 867CA808
Device \Driver\si3112r \Device\Scsi\si3112r1 867CAA40
Device \Driver\dtscsi \Device\Scsi\dtscsi1 8619E0E8
Device \FileSystem\Fastfat \Fat 8622C0E8

AttachedDevice \FileSystem\Fastfat \Fat SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \FileSystem\Cdfs \Cdfs 861542E0

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s0 -1274768246
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 108390011
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -150616131
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x70 0x5F 0xB4 0x42 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x02 0x37 0x96 0x6F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x69 0xD4 0x25 0x8F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x70 0x5F 0xB4 0x42 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x02 0x37 0x96 0x6F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x69 0xD4 0x25 0x8F ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Ac
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Ac@Order 0x08 0x00 0x00 0x00 ...

---- Files - GMER 1.0.14 ----

File C:\RECYCLER\NPROTECT 0 bytes
File C:\RECYCLER\NPROTECT\00000000.MOZ 3093 bytes
File C:\RECYCLER\NPROTECT\00000001.MOZ 166165 bytes
File C:\RECYCLER\NPROTECT\00000002.MOZ 166163 bytes
File C:\RECYCLER\NPROTECT\NPROTECT.LOG 646528 bytes
File D:\RECYCLER\NPROTECT 0 bytes
File D:\RECYCLER\NPROTECT\NPROTECT.LOG 646528 bytes
File E:\RECYCLER\NPROTECT 0 bytes
File E:\RECYCLER\NPROTECT\NPROTECT.LOG 646528 bytes
File F:\RECYCLER\NPROTECT 0 bytes
File F:\RECYCLER\NPROTECT\NPROTECT.LOG 646528 bytes
File H:\RECYCLER\NPROTECT 0 bytes
File H:\RECYCLER\NPROTECT\NPROTECT.LOG 646528 bytes
File I:\RECYCLER\NPROTECT 0 bytes
File I:\RECYCLER\NPROTECT\NPROTECT.LOG 646528 bytes

---- EOF - GMER 1.0.14 ----

hacktool.rootkit problem+PROŹBA O SPRAWDZENIE LOGA

Regulamin forum

hacktool.rootkit problem+PROŹBA O SPRAWDZENIE LOGA