log.txt

Please check the log, problem with opening drives

Attached is the log from ComboFix. Running Combo alone has already helped, but please take a look. And what should I do to prevent getting infected again?


ComboFix 09-05-09.05 - TOMEK 11/05/2009 10:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.33.1045.18.3326.2667 [GMT 2:00]
Lancé depuis: G:\ComboFix.exe
* Un nouveau point de restauration a été créé

AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\0xuc.com
C:\autorun.inf
c:\docume~1\TOMEK\USTAWI~1\Temp\tmp1.tmp
c:\docume~1\TOMEK\USTAWI~1\Temp\tmp2.tmp
c:\windows\system32\explorer.exe
c:\windows\system32\nmdfgds0.dll
c:\windows\system32\olhrwef.exe
D:\0xuc.com
D:\Autorun.inf
E:\0xuc.com
E:\Autorun.inf

.
((((((((((((((((((((((((((((( Fichiers créés du 2009-04-11 au 2009-05-11 ))))))))))))))))))))))))))))))))))))
.

2009-05-04 07:21 . 2009-04-30 11:13 296448 ----a-w c:\windows\system32\midas.dll
2009-05-04 07:21 . 2009-04-30 11:13 100352 ----a-w c:\windows\system32\plce.dll
2009-05-04 07:21 . 2009-04-30 11:13 110592 ----a-w c:\windows\system32\rscagent.dll
2009-05-04 07:21 . 2009-04-30 11:13 335872 ----a-w c:\windows\system32\zkemkeeper.dll
2009-05-04 07:21 . 2009-04-30 11:13 57344 ----a-w c:\windows\system32\commpro.dll
2009-05-04 07:21 . 2009-04-30 11:13 159744 ----a-w c:\windows\system32\zkemsdk.dll
2009-05-04 07:21 . 2009-04-30 11:13 126976 ----a-w c:\windows\system32\rscomm.dll
2009-05-04 07:21 . 2009-04-30 11:13 45056 ----a-w c:\windows\system32\comms.dll
2009-04-20 13:52 . 2009-04-24 07:04 -------- d-----w c:\program files\EmNetMan
2009-04-15 08:10 . 2009-04-15 08:56 -------- d-----w c:\documents and settings\TOMEK\Dane aplikacji\Aretics
2009-04-15 08:08 . 2009-04-15 08:08 -------- d-----w c:\program files\Aretics

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-17 11:33 . 2008-07-25 17:06 40856 ----a-w c:\documents and settings\TOMEK\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-04-15 12:58 . 2008-07-28 18:00 952 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-04-15 08:08 . 2004-08-04 12:00 619700 ----a-w c:\windows\system32\perfh015.dat
2009-04-15 08:08 . 2004-08-04 12:00 141140 ----a-w c:\windows\system32\perfc015.dat
2009-04-15 08:07 . 2008-09-19 10:51 -------- d-----w c:\program files\Microsoft SQL Server
2009-04-07 13:08 . 2009-04-07 13:08 -------- d-----w c:\program files\Bosch Rexroth Electric Drives and Controls GmbH
2009-04-07 13:08 . 2008-07-25 16:45 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-02 08:42 . 2008-07-29 08:31 98 ----a-w c:\windows\system32\CnfUTW3.dat
2009-02-23 20:19 . 2008-07-25 17:20 27262976 ----a-w C:\VIRTPART.DAT
1998-04-27 17:15 . 2008-07-28 08:13 570128 ------w c:\program files\Common Files\dao350.dll
.

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0\bin\jusched.exe" [2008-07-25 36972]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-11 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-11 81920]
"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2006-04-20 90112]
"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2006-11-17 80688]
"LoadFujitsuQuickTouch"="c:\program files\Fujitsu\Application Panel\QuickTouch.exe" [2005-11-01 353792]
"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2005-11-01 61440]
"PSUtility"="c:\addon\Fujitsu\PSUtility\TrayManager.exe" [2006-07-05 118784]
"TvOutSwitch"="c:\addon\Fujitsu\DispSwitch\DispSwitchLauncher.exe" [2006-08-02 81920]
"SSUtility"="c:\program files\Fujitsu\SSUtility\FJSSDMN.exe" [2006-07-22 233472]
"GhostStartTrayApp"="c:\program files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2002-08-14 94208]
"QuickFinder Scheduler"="c:\program files\WordPerfect Office X3\Programs\QFSCHD130.EXE" [2007-01-02 83568]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"ScanSoft PDF Create! 4-reminder"="c:\program files\ScanSoft\PDF Create! 4\Ereg\Ereg.exe" [2006-11-16 35368]
"S7UB Start"="c:\program files\common files\Siemens\S7ubtoox\s7ubtstx.exe" [2008-07-14 102453]
"WinCC flexible Smart Start"="c:\program files\Siemens\SIMATIC WinCC flexible\WinCC flexible 2007\HmiSmartStart.exe" [2007-07-20 159744]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-05-11 1626112]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-03-12 16125440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-8-2 2760704]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\FJWSEL]
2006-06-29 13:45 32768 ------w c:\windows\system32\FJWSWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PSUTY]
2006-06-02 15:04 32768 ------w c:\windows\system32\PSUWNP.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\EventClientMultiplexer.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RsvcHost.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RnaDirServer.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\EventServer.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\DaClient.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RNADiagReceiver.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\RNADiagnosticsSrv.exe"=
"c:\\Program Files\\Common Files\\Rockwell\\VStudio.exe"=
"c:\\WINDOWS\\system32\\OpcEnum.exe"=
"c:\\Program Files\\Rockwell Software\\RSLINX\\RSLINX.EXE"=
"c:\\Program Files\\Rockwell Software\\OPCTools\\OPCTest\\opctest.exe"=
"c:\\Program Files\\Siemens\\Step7\\S7BIN\\S7tgtopx.exe"=
"c:\\Program Files\\Siemens\\Step7\\S7INF\\S7usiapx.exe"=
"c:\\WINDOWS\\system32\\s7otbxsx.exe"=
"c:\\Program Files\\Common Files\\Siemens\\SQLANY\\dbsrv9.exe"=
"c:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2007\\HmiES.exe"=
"c:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2007\\TraceServer.exe"=
"c:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2007\\Extern\\ExConServer.exe"=
"c:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2007 Runtime\\MiniWeb.exe"=
"c:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2007 Runtime\\SmartServer.exe"=
"c:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2007 Runtime\\HmiLoad.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:Port 135 TCP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 FJGSDisk;G-Sensor Application Filter Driver;c:\windows\system32\drivers\FJGSDisk.sys [25/07/2008 18:52 7168]
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [25/07/2008 18:47 36640]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [25/07/2008 18:47 35456]
R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [14/08/2002 15:11 5632]
R2 almservice;Automation License Manager Service;c:\program files\Common Files\Siemens\SWS\almsrv\almsrvx.exe [20/05/2008 15:10 1146880]
R2 dpmconv;dpmconv;c:\windows\system32\drivers\dpmconv.sys [25/06/2007 15:46 266240]
R2 Dpmtrcdd;Dpmtrcdd;c:\windows\system32\drivers\dpmtrcdd.sys [25/06/2007 15:47 28363]
R2 MSSQL$ARETICSTEKLA;MSSQL$ARETICSTEKLA;c:\program files\Microsoft SQL Server\MSSQL$ARETICSTEKLA\Binn\sqlservr.exe -sARETICSTEKLA --> c:\program files\Microsoft SQL Server\MSSQL$ARETICSTEKLA\Binn\sqlservr.exe -sARETICSTEKLA [?]
R2 MSSQL$WINCC;MSSQL$WINCC;c:\progra~1\MICROS~2\MSSQL$~2\binn\sqlservr.exe -sWINCC --> c:\progra~1\MICROS~2\MSSQL$~2\binn\sqlservr.exe -sWINCC [?]
R2 MSSQL$WINCCFLEXIBLE;MSSQL$WINCCFLEXIBLE;c:\program files\Microsoft SQL Server\MSSQL$WINCCFLEXIBLE\Binn\sqlservr.exe [04/05/2005 00:04 9150464]
R2 NA_Service;NetAccess Service;c:\windows\system32\NA_Service.exe [29/07/2008 10:30 49152]
R2 s7asysvx;S7 Global Services;c:\program files\Siemens\Step7\S7BIN\s7asysvx.exe [14/07/2008 19:02 69685]
R2 S7ODPX2X;SIMATIC MPI/PROFIBUS DPX2 Driver;c:\windows\system32\drivers\s7odpx2x.sys [03/07/2008 13:03 77312]
R2 s7oiehsx;SIMATIC IEPG Help Service;c:\program files\Common Files\Siemens\S7IEPG\s7oiehsx.exe [03/07/2008 13:30 1571912]
R2 s7opcmcx;s7opcmcx;c:\windows\system32\drivers\s7opcmcx.sys [03/07/2008 13:04 209920]
R2 S7opcsrtx;PROFINET IO RT-Protocol (LLDP);c:\windows\system32\drivers\s7opcsrtx.sys [03/07/2008 13:04 31232]
R2 s7osmcax;s7osmcax;c:\windows\system32\drivers\s7osmcax.sys [03/07/2008 13:07 173568]
R2 s7snsrtx;PROFINET IO RT-Protocol;c:\windows\system32\drivers\s7snsrtx.sys [30/07/2007 12:06 71168]
R2 S7TraceServiceX;S7TraceServiceX;c:\program files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe [03/07/2008 13:30 240712]
R2 SQLAgent$WINCCFLEXIBLE;SQLAgent$WINCCFLEXIBLE;c:\program files\Microsoft SQL Server\MSSQL$WINCCFLEXIBLE\Binn\sqlagent.EXE [03/05/2005 21:42 323584]
R2 vsnl2ada;SIMATIC MPI/PROFIBUS FDL Transport Driver;c:\windows\system32\drivers\vsnl2ada.sys [05/11/2007 11:31 115654]
R3 DUNTLW;UNTLW device;c:\windows\system32\drivers\DuntlwNT.sys [29/07/2008 10:30 53568]
R3 EventServer;Rockwell Event Server;c:\program files\Common Files\Rockwell\EventServer.exe [23/06/2005 17:29 172032]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [25/07/2008 18:43 4864]
R3 fwkbd;fwkbd;c:\windows\system32\drivers\FwKbd.sys [28/07/2008 10:31 2976]
R3 fwkbdrtm;fwkbdrtm;c:\windows\system32\drivers\fwkbdrtm.sys [19/07/2007 20:56 5632]
S1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\Drivers\VirtualBackplane.sys --> c:\windows\system32\Drivers\VirtualBackplane.sys [?]
S2 S7osobux;SIMATIC SoftBus;c:\windows\system32\drivers\S7osobux.sys [03/08/2006 10:45 133176]
S3 ABKTCX;Rockwell Software 1784-KTC(X) Driver;c:\windows\system32\drivers\abktcx.sys [03/06/2004 04:08 71448]
S3 c5511w2k;c5511w2k;c:\windows\system32\drivers\c5511w2k.sys [05/04/2000 14:22 8192]
S3 dpmcslv;dpmcslv;c:\windows\system32\drivers\dpmcslv.sys [04/07/2005 16:04 68280]
S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [03/03/2009 20:17 29292]
S3 RS_SS_NT;RSLinx Classic S-S SD/SD2 Device Driver;c:\windows\system32\RS_SS_NT.SYS [03/06/2004 04:08 142592]
S3 RsiKtControl;RsiKtControl;c:\windows\system32\RSIKT.SYS [03/06/2004 04:08 30166]
S3 RSSERIAL;RSLinx Classic Serial Driver;c:\windows\system32\rsserial.sys [03/06/2004 04:08 155440]
S3 S7o5512x;SIMATIC CP 5512;c:\windows\system32\drivers\S7o5512x.sys [20/06/2007 12:51 216064]
S3 s7oefs_x;SIMATIC MPI/EFS Driver;c:\windows\system32\drivers\s7oefs_x.sys [18/10/2002 02:34 30512]
S3 s7oppinx;s7oppinx;c:\windows\system32\drivers\s7oppinx.sys [03/07/2008 13:05 124928]
S3 SQLAgent$ARETICSTEKLA;SQLAgent$ARETICSTEKLA;c:\program files\Microsoft SQL Server\MSSQL$ARETICSTEKLA\Binn\sqlagent.EXE -i ARETICSTEKLA --> c:\program files\Microsoft SQL Server\MSSQL$ARETICSTEKLA\Binn\sqlagent.EXE -i ARETICSTEKLA [?]
S3 SQLAgent$WINCC;SQLAgent$WINCC;c:\program files\Microsoft SQL Server\MSSQL$WINCC\binn\sqlagent.exe -i WINCC --> c:\program files\Microsoft SQL Server\MSSQL$WINCC\binn\sqlagent.exe -i WINCC [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9251df06-9058-11dd-be82-001f3b7e8bc7}]
\Shell\Auto\command - Long.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Long.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f14963b2-6876-11dd-adb6-001f3b79c82d}]
\Shell\AutoRun\command - G:\0xuc.com
\Shell\open\Command - G:\0xuc.com
.
- - - - ORPHELINS SUPPRIMES - - - -

HKCU-Run-wsctf.exe - wsctf.exe


.
------- Examen supplémentaire -------
.
IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-11 10:22
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'winlogon.exe'(816)
c:\windows\system32\FJWSWNP.dll
c:\windows\system32\PSUWNP.dll
.
Heure de fin: 2009-05-11 10:23
ComboFix-quarantined-files.txt 2009-05-11 08:23

Avant-CF: 30 171 955 200 bajtów wolnych
Après-CF: 31 100 309 504 bajtów wolnych


