Page: 1 of 1
[ Posts: 7 ]

Registered: 26.05.08 Posts: 6 Topics: 1
Hi, I don't know how or by what means I caught what is probably a virus/malware that first shuts down the system process explorer.exe and then starts it again, repeating roughly every 10 seconds (usually right from booting into the GUI). I've googled through many forums but haven't found a clear answer. After running NOD, Ad-Aware 07 Free and Spybot S&D over it I found nothing, so I then tried various other utilities such as Vundofix, HijackThis and ComboFix. I came to the conclusion that in the %windir%/system32 folder three files with random names are being generated.. specifically, always one, say, XYZ.ini, another XYZ.ini2 and also ZYX.dll (yes, the *.dll file always has exactly the same name as the *.ini files, only backwards). ComboFix did remove them, but after a reboot new ones were generated under a different name. I also noticed that rundll32.exe tends to settle in among the running processes, which didn't normally happen to me (since this process can be closely linked to a PC being attacked by spyware; otherwise I think it is related to connected devices) - apart from that, winlogon.exe also looks suspicious to me, but I can't find out which dll files it calls on for help. So, as I said, even after renaming the two ini files and the one dll file in the Windows Recovery Console and then deleting them, new ones were generated. The last mysterious thing I noticed is a file, also in the system32 folder, namely tuvsRlLe.dll = I'm 60% sure it doesn't belong to the system (Google of course knows nothing about it, and the best part is that the character that looks like this I or | is some special one; this file can't be deleted even in safe mode). I'm attaching the logs from HijackThis and ComboFix - for the last few hours the system seems to be OK, but I need an expert who would check the logs for me and possibly advise something else - it's quite possible that yet another file/process is behind it. THX
Log from HijackThis
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:20:44, on 25.5.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trust\Trust R-series Mouse And Keyboard\KMWDSrv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\explorer.exe
D:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: WebTranslator - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - C:\PROGRA~1\PCTRAN~1\webie.dll
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CanonSolutionMenu] "C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" /logon
O4 - HKLM\..\Run: [CanonMyPrinter] "C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" /logon
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: WebTran - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - C:\PROGRA~1\PCTRAN~1\webie.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\PROGRA~1\PCTRAN~1\webie.dll
O9 - Extra 'Tools' menuitem: &Nastaviť prekladač - {CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\PROGRA~1\PCTRAN~1\webie.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\PROGRA~1\PCTRAN~1\webie.dll
O9 - Extra 'Tools' menuitem: Preložiť &označený text - {CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\PROGRA~1\PCTRAN~1\webie.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\PROGRA~1\PCTRAN~1\webie.dll
O9 - Extra 'Tools' menuitem: Preložiť &stránku - {CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\PROGRA~1\PCTRAN~1\webie.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Keyboard And Mouse Communication Service (KMWDSERVICE) - UASSOFT.COM - C:\Program Files\Trust\Trust R-series Mouse And Keyboard\KMWDSrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6372 bytes
Log from ComboFix
Code:
ComboFix 08-05-21.3 - IT'S NOT IMPORTANT FOR YOU WHO'S USER 2008-05-25 17:08:35.4 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.705 [GMT 2:00]
Running from: D:\ComboFix.exe
 * Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\SrYyyyxx.ini
C:\WINDOWS\system32\SrYyyyxx.ini2
C:\WINDOWS\system32\xxyyyYrS.dll
.
((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.
2008-05-25 10:12 . 2008-05-25 12:36 <DIR> d-------- C:\Program Files\Miranda IM
2008-05-24 19:54 . 2008-05-25 17:12 612,384 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-24 19:54 . 2008-05-25 17:12 10,268 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-24 19:51 . 2008-04-02 21:07 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-05-24 19:50 . 2008-05-24 19:50 <DIR> d-------- C:\Program Files\Zone Labs
2008-05-24 19:50 . 2008-04-02 21:07 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-05-24 19:50 . 2008-05-25 17:14 352,918 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-05-24 19:49 . 2008-05-25 17:00 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-05-24 18:08 . 2008-05-24 18:08 <DIR> d-------- C:\Program Files\CCleaner
2008-05-24 17:02 . 2008-05-24 17:06 82 --a------ C:\WINDOWS\winDecrypt.INI
2008-05-24 14:50 . 2008-05-24 14:50 <DIR> d-------- C:\WINDOWS\java
2008-05-24 14:45 . 2008-05-24 13:00 <DIR> d--h----- C:\Documents and Settings\Administrator\Šablóny
2008-05-24 14:45 . 2008-05-24 13:00 <DIR> d-------- C:\Documents and Settings\Administrator\Pracovná plocha
2008-05-24 14:45 . 2008-05-24 13:00 <DIR> d---s---- C:\Documents and Settings\Administrator\Ponuka Štart
2008-05-24 14:45 . 2008-05-24 13:00 <DIR> d-------- C:\Documents and Settings\Administrator\Obľúbené položky
2008-05-24 14:45 . 2008-05-24 13:00 <DIR> d-------- C:\Documents and Settings\Administrator\Moje dokumenty
2008-05-24 14:45 . 2008-05-24 14:45 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-24 14:30 . 2004-08-04 14:00 571,392 --a--c--- C:\WINDOWS\system32\dllcache\tintlgnt.ime
2008-05-24 14:29 . 2004-08-04 14:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-05-24 14:28 . 2004-08-04 14:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-05-24 14:27 . 2004-08-04 14:00 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-05-24 14:26 . 2004-08-04 14:00 290,816 --a--c--- C:\WINDOWS\system32\dllcache\adsiis51.dll
2008-05-24 14:20 . 2008-05-24 14:24 <DIR> d--hs---- C:\Documents and Settings\All Users\DRM
2008-05-24 14:18 . 2008-05-24 14:18 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-05-24 14:18 . 2008-05-24 14:18 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-05-24 14:18 . 2008-05-24 14:18 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-05-24 14:18 . 2008-05-24 14:18 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-05-24 14:18 . 2008-05-24 14:18 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-05-24 14:18 . 2008-05-24 14:18 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-05-24 14:17 . 2004-08-04 14:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-05-24 13:51 . 2004-08-04 14:00 1,086,058 -ra------ C:\WINDOWS\SETD4.tmp
2008-05-24 13:51 . 2004-08-04 14:00 1,042,903 -ra------ C:\WINDOWS\SETD1.tmp
2008-05-24 13:51 . 2004-08-04 14:00 13,753 -ra------ C:\WINDOWS\SETE0.tmp
2008-05-24 13:15 . 2008-05-24 13:15 <DIR> d-------- C:\WINDOWS\NV720268.TMP
2008-05-24 13:10 . 2008-05-24 13:10 <DIR> d-------- C:\WINDOWS\NV7202028.TMP
2008-05-24 13:00 . 2008-05-24 13:00 <DIR> d--h----- C:\Documents and Settings\Default User\Šablóny
2008-05-24 13:00 . 2008-05-24 13:00 <DIR> d-------- C:\Documents and Settings\Default User\Pracovná plocha
2008-05-24 13:00 . 2008-05-24 13:00 <DIR> d---s---- C:\Documents and Settings\Default User\Ponuka Štart
2008-05-24 13:00 . 2008-05-24 13:00 <DIR> d-------- C:\Documents and Settings\Default User\Obľúbené položky
2008-05-24 13:00 . 2008-05-24 13:00 <DIR> d-------- C:\Documents and Settings\Default User\Moje dokumenty
2008-05-24 13:00 . 2008-05-24 13:00 <DIR> d--h----- C:\Documents and Settings\All Users\Šablóny
2008-05-24 13:00 . 2008-05-25 13:45 <DIR> d-------- C:\Documents and Settings\All Users\Pracovná plocha
2008-05-24 13:00 . 2008-05-24 15:03 <DIR> d---s---- C:\Documents and Settings\All Users\Ponuka Štart
2008-05-24 13:00 . 2008-05-24 13:00 <DIR> d-------- C:\Documents and Settings\All Users\Obľúbené položky
2008-05-24 13:00 . 2008-05-24 13:00 <DIR> d---s---- C:\Documents and Settings\All Users\Dokumenty
2008-05-24 12:59 . 2004-08-04 14:00 1,086,058 -ra------ C:\WINDOWS\SETEE.tmp
2008-05-24 12:59 . 2004-08-04 14:00 1,042,903 -ra------ C:\WINDOWS\SETEB.tmp
2008-05-24 12:59 . 2004-08-04 14:00 13,753 -ra------ C:\WINDOWS\SETFA.tmp
2008-05-24 12:09 . 2008-05-24 12:23 <DIR> d-------- C:\i386
2008-05-23 18:37 . 2008-05-23 18:37 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-23 18:37 . 2008-05-23 19:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-23 15:34 . 2008-05-23 15:34 59,392 --------- C:\WINDOWS\system32\tuvsRlLe.dll
2008-05-22 21:20 . 2008-05-24 17:52 14,400 --a------ C:\WINDOWS\SLEX99.BMS
2008-05-22 21:20 . 2008-05-24 17:52 27 --a------ C:\WINDOWS\SLEX99.INI
2008-05-22 21:20 . 2008-05-22 21:20 4 --a------ C:\WINDOWS\SLEX99.ANS
2008-05-21 15:47 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-05-21 15:46 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-05-21 15:46 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-05-21 15:46 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-05-21 15:46 . 2007-07-20 00:57 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2008-05-19 17:22 . 2008-05-19 17:22 <DIR> d-------- C:\Program Files\Winamp
2008-05-19 17:22 . 2008-05-19 17:34 <DIR> d-------- C:\Documents and Settings\IT'S NOT IMPORTANT FOR YOU WHO'S USER\Application Data\Winamp
2008-05-15 22:34 . 2008-05-15 23:39 <DIR> d-------- C:\Temp\Graf-tab praca
2008-05-12 19:01 . 2008-05-12 19:01 <DIR> d-------- C:\Program Files\OpenSSL
2008-04-30 20:51 . 2008-05-01 18:04 <DIR> d-------- C:\Temp\_cd potlač
2008-04-25 21:49 . 2008-04-25 22:12 <DIR> d-------- C:\Temp\biosoz
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 17:36 --------- d-----w C:\Documents and Settings\IT'S NOT IMPORTANT FOR YOU WHO'S USER\Application Data\Comodo
2008-05-24 16:12 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-24 15:08 --------- d-----w C:\Documents and Settings\IT'S NOT IMPORTANT FOR YOU WHO'S USER\Application Data\Graphisoft
2008-05-21 11:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\TrackMania
2008-04-26 19:31 --------- d-----w C:\Program Files\Opera
2008-04-22 20:21 --------- d-----w C:\Program Files\ClipMate7
2008-04-22 15:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-22 15:41 --------- d-----w C:\Program Files\LG Soft India
2008-04-22 15:41 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-19 18:02 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-04-19 18:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-04-19 18:01 --------- d-----w C:\Program Files\Sony Ericsson
2008-04-19 17:57 94,064 ----a-w C:\WINDOWS\system32\drivers\k510mdm.sys
2008-04-19 17:57 85,408 ----a-w C:\WINDOWS\system32\drivers\k510mgmt.sys
2008-04-19 17:57 83,344 ----a-w C:\WINDOWS\system32\drivers\k510obex.sys
2008-04-19 17:57 8,336 ----a-w C:\WINDOWS\system32\drivers\k510mdfl.sys
2008-04-19 17:57 6,176 ----a-w C:\WINDOWS\system32\drivers\k510cmnt.sys
2008-04-19 17:57 6,176 ----a-w C:\WINDOWS\system32\drivers\k510cm.sys
2008-04-19 17:57 58,288 ----a-w C:\WINDOWS\system32\drivers\k510bus.sys
2008-04-19 17:57 5,808 ----a-w C:\WINDOWS\system32\drivers\k510whnt.sys
2008-04-19 17:57 5,808 ----a-w C:\WINDOWS\system32\drivers\k510wh.sys
2008-03-26 20:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-26 20:07 --------- d-----w C:\Program Files\Common Files\Merge Modules
2008-03-26 20:04 --------- d-----w C:\Program Files\Microsoft SDKs
2008-03-26 20:03 --------- d-----w C:\Program Files\Reference Assemblies
2008-03-26 20:03 --------- d-----w C:\Program Files\MSBuild
2008-03-26 19:58 --------- d-----w C:\Program Files\MSXML 6.0
2007-12-31 15:55 47,360 ----a-w C:\Documents and Settings\IT'S NOT IMPORTANT FOR YOU WHO'S USER\Application Data\pcouffin.sys
2008-01-26 14:12 8 --sha-r C:\WINDOWS\system32\6B09D056F6.sys
2007-04-13 20:26 88 -csha-r C:\WINDOWS\system32\7007FFB19F.sys
.
------- Sigcheck -------
2008-05-24 15:03 502272 6225f14b8ce08ccba8b25ad27843c674 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((( snapshot@2008-05-25_13.42.25.95 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-25 11:36:25 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-25 15:13:56 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CHotkey"="mHotkey.exe" [2002-07-05 17:37 491008 C:\WINDOWS\mHotkey.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-07-17 16:27 950664]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 14:00 33280 C:\WINDOWS\system32\rundll32.exe]
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 03:01 644696]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 03:50 1603152]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 11:51 57344]
"nwiz"="nwiz.exe" [2007-10-04 18:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 14:00 33280 C:\WINDOWS\system32\rundll32.exe]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-04-02 21:07 919016]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2005-01-17 14:43 84480]

C:\Documents and Settings\IT'S NOT IMPORTANT FOR YOU WHO'S USER\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)
"MemCheckBoxInRunDlg"= 0 (0x0)
"NoAutoTrayNotify"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoResolveSearch"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^forteManager.lnk]
backup=C:\WINDOWS\pss\forteManager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a--c--- 2004-12-14 03:12 483328 C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a--c--- 2005-12-16 13:57 94208 C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a--c--- 2006-11-12 12:48 157592 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FinePrint Dispatcher v5]
--a--c--- 2006-10-27 15:48 507904 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FmctrlTray]
--a--c--- 2001-08-20 22:47 270336 C:\WINDOWS\system32\fmctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a--c--- 2004-11-02 21:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SRFirstRun]
--a------ 2004-08-04 14:00 67584 C:\WINDOWS\system32\srclient.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"CiSvc"=3 (0x3)
"gusvc"=3 (0x3)
"ERSvc"=2 (0x2)
"AcrSch2Svc"=3 (0x3)
"aawservice"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"mnmsrvc"=3 (0x3)
"helpsvc"=2 (0x2)
"BITS"=3 (0x3)
"ose"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"nwiz"=nwiz.exe /install
"NVRaidService"=C:\WINDOWS\system32\nvraidservice.exe
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R2 DLPortIO;DriverLINX Port I/O Driver;C:\WINDOWS\system32\DRIVERS\DLPortIO.sys [1999-01-10 12:00]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;C:\Program Files\Trust\Trust R-series Mouse And Keyboard\KMWDSrv.exe [2007-02-28 19:12]
R2 RadPciNT;RadPciNT;C:\WINDOWS\system32\Drivers\RadPciNT.sys [2000-04-24 18:26]
R3 PSched;QoS Packet Scheduler;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-04 14:00]
S3 FlarionDTM;Flarion DTM Network Interface;C:\WINDOWS\system32\DRIVERS\FlrnDTM.sys [2005-05-26 16:06]
S3 gameport;FM801 PCI Joystick;C:\WINDOWS\system32\DRIVERS\fmjoy.sys []
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\k510bus.sys [2008-04-19 19:57]
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k510mdfl.sys [2008-04-19 19:57]
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\k510mdm.sys [2008-04-19 19:57]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\k510mgmt.sys [2008-04-19 19:57]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\k510obex.sys [2008-04-19 19:57]
S3 LGDDCDevice;LGDDCDevice;C:\Program Files\LG Soft India\forteManager\bin\I2CDriver.sys [2007-11-20 10:07]
S3 LGII2CDevice;LGII2CDevice;C:\Program Files\LG Soft India\forteManager\bin\PII2CDriver.sys [2007-11-20 10:07]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-02-08 22:26]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 00:01]
S3 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 14:00]
S3 wdm_fm801;FM801 PCI Audio (WDM);C:\WINDOWS\system32\drivers\fm801.sys []
S3 WPRO_40_755;WinPcap Packet Driver (WPRO_40_755);C:\WINDOWS\system32\drivers\WPRO_40_755.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0181eda8-5711-11dc-82aa-806d6172696f}]
\shell\PlayWithPowerDVD\Command - "C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe" "%l"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba9d42ce-f1d5-11dc-ad98-82bc5d5e55e4}]
\Shell\AutoRun\command - F:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5d506a8-4cce-11dc-a61f-bea6d7e5d8a2}]
\Shell\AutoRun\command - F:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-02 15:17:40 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 17:14:39
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2008-05-25 17:19:58 - machine was rebooted [IT'S NOT IMPORTANT FOR YOU WHO'S USER]
ComboFix-quarantined-files.txt 2008-05-25 15:19:50
ComboFix2.txt 2008-05-25 11:43:14

Pre-Run: 5,753,303,040 bytes free
Post-Run: 5,743,120,384 bytes free

268
I'll send further logs on request...
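The poster describes the file pattern in words: a random stem X appears in system32 as X.ini, X.ini2 and a DLL whose name is X spelled backwards, and ComboFix's "Other Deletions" section above lists exactly such a set. Below is an added Python checker for that pattern (not code from the thread or from any tool it mentions); the system32 listing and the ComboFix fragment it runs on are constructed, with only the file names quoted from this page being real.

```python
"""Detect the X.ini / X.ini2 / reverse(X).dll file triple described in the post.

Added example, not code from the thread or from any of the tools it mentions.
The SAMPLE_* inputs are constructed; the three file names SrYyyyxx.ini,
SrYyyyxx.ini2 and xxyyyYrS.dll are the ones ComboFix listed on this page.
"""
import re
from typing import Dict, Iterable, List, Tuple

# (stem, X.ini, X.ini2, reverse(X).dll) in the spelling found on disk
Triple = Tuple[str, str, str, str]

OTHER_DELETIONS = re.compile(r"\(+\s*Other Deletions\s*\)+")
WIN_PATH = re.compile(r"[A-Za-z]:\\[^\r\n]*")


def find_reversed_triples(names: Iterable[str]) -> List[Triple]:
    """Return every set {X.ini, X.ini2, reverse(X).dll} present in `names`.

    NTFS is case-insensitive, so matching is done on lower-cased names, but
    the original spelling is kept so a report can quote it verbatim.
    """
    by_lower: Dict[str, str] = {n.lower(): n for n in names}
    found: List[Triple] = []
    for lower, original in by_lower.items():
        if not lower.endswith(".ini"):
            continue
        stem = lower[:-len(".ini")]
        ini2 = stem + ".ini2"
        dll = stem[::-1] + ".dll"          # same stem, spelled backwards
        if ini2 in by_lower and dll in by_lower:
            found.append((original[:-len(".ini")], original,
                          by_lower[ini2], by_lower[dll]))
    return found


def deletions_from_combofix(log: str) -> List[str]:
    """Collect the paths under ComboFix's 'Other Deletions' banner.

    The section ends at the next '(((' banner; '.' separator lines carry no
    path and are skipped.
    """
    paths: List[str] = []
    in_section = False
    for line in log.splitlines():
        if OTHER_DELETIONS.search(line):
            in_section = True
            continue
        if in_section and line.startswith("((("):
            break
        if in_section:
            match = WIN_PATH.search(line)
            if match:
                paths.append(match.group(0).strip())
    return paths


def file_name(path: str) -> str:
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def triples_in_combofix_log(log: str) -> List[Triple]:
    """Apply the triple check to what ComboFix reported as deleted."""
    return find_reversed_triples(file_name(p) for p in deletions_from_combofix(log))


# Constructed directory listing: a few legitimate system32 files plus the triple.
SAMPLE_SYSTEM32 = [
    "ctfmon.exe", "rundll32.exe", "winlogon.exe", "desktop.ini", "NvCpl.dll",
    "SrYyyyxx.ini", "SrYyyyxx.ini2", "xxyyyYrS.dll", "tuvsRlLe.dll",
]

# Constructed fragment in the layout ComboFix used on this page.
SAMPLE_COMBOFIX = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\SrYyyyxx.ini
C:\WINDOWS\system32\SrYyyyxx.ini2
C:\WINDOWS\system32\xxyyyYrS.dll
.
((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.
2008-05-23 15:34 . 2008-05-23 15:34 59,392 --------- C:\WINDOWS\system32\tuvsRlLe.dll
"""

if __name__ == "__main__":
    for stem, ini, ini2, dll in find_reversed_triples(SAMPLE_SYSTEM32):
        print(f"stem {stem!r}: {ini}, {ini2} and reversed-name DLL {dll}")
    print(triples_in_combofix_log(SAMPLE_COMBOFIX))
```

Because the stem is random and changes on every reboot, a name-based check like this is only a way to spot the pattern in a listing or log; it says nothing about a DLL such as tuvsRlLe.dll that does not follow it.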
Registered: 21.02.07 Last login: 21.02.10 Posts: 3984 Topics: 96

I have exactly the same problem in the thread below this one (or rather above this one ...)
Registered: 22.03.07 Last login: 23.06.23 Posts: 2096 Topics: 15 Location: Bratislava V
Posted by br4n0: 27.05.2008 19:36
Paste this into Avenger and post the log from it:
Code:
files to delete:
C:\WINDOWS\SETD4.tmp
C:\WINDOWS\SETD1.tmp
C:\WINDOWS\SETE0.tmp
C:\WINDOWS\SETEE.tmp
C:\WINDOWS\SETEB.tmp
C:\WINDOWS\SETFA.tmp
C:\WINDOWS\system32\tuvsRlLe.dll
C:\WINDOWS\system32\6B09D056F6.sys
C:\WINDOWS\system32\7007FFB19F.sys

folders to delete:
C:\WINDOWS\NV720268.TMP
C:\WINDOWS\NV7202028.TMP
Registered: 26.05.08 Posts: 6 Topics: 1
Posted by thread author riff-raff: 29.05.2008 19:18
Many thanks br4n0 ... it looks like everything got wiped. So it should be clean now, I suppose? And before I forget, here is the log from Avenger. And if I may ask, what type of virus was it in your opinion?
Code:
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\SETD4.tmp" deleted successfully.
File "C:\WINDOWS\SETD1.tmp" deleted successfully.
File "C:\WINDOWS\SETE0.tmp" deleted successfully.
File "C:\WINDOWS\SETEE.tmp" deleted successfully.
File "C:\WINDOWS\SETEB.tmp" deleted successfully.
File "C:\WINDOWS\SETFA.tmp" deleted successfully.
File "C:\WINDOWS\system32\tuvsRlLe.dll" deleted successfully.
File "C:\WINDOWS\system32\6B09D056F6.sys" deleted successfully.
File "C:\WINDOWS\system32\7007FFB19F.sys" deleted successfully.
Folder "C:\WINDOWS\NV720268.TMP" deleted successfully.
Folder "C:\WINDOWS\NV7202028.TMP" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
Registered: 22.03.07 Last login: 23.06.23 Posts: 2096 Topics: 15 Location: Bratislava V
Posted by br4n0: 29.05.2008 21:51
It was a Trojan horse, which strictly speaking is not a virus, but today it is definitely the most widespread type of infection.
Registered: 02.09.07 Last login: 19.01.20 Posts: 6373 Topics: 298 Location: Žilina
HijackThis is as clean as a latex floor.
Registered: 26.05.08 Posts: 6 Topics: 1
Posted by thread author riff-raff: 30.05.2008 21:52
Hmm, a trojan; funny that NOD didn't detect it, but thanks anyway.