 | | |
 | Stránka: 1 z 1
| [ Príspevkov: 7 ] | |
| Autor | Správa |
|---|
Registrovaný: 26.05.08
Príspevky: 6
Témy: 1 |
Zdravím, neviem ako a akým spôsobom som schytal pravdepodobne vír/malware ktorý proces systému explorer.exe najprv vypne a potom zapne pričom sa to približne v 10sek. intervaloch opakuje (zvyčajne už od nabootovania do GUI). Pregooglil som mnoho fór ale jednoznačnú odpoveď som nenašiel. Po čase keď som to prebehol NOD-om, Ad-Aware 07 Free a SpyBot-om S&D na nič som nedošiel ale za tým som skúsil rôzne iné utility ako Vundofix, Hijackthis a Combofix. Dospel som k záveru, že v zložke %windir%/system32 sa generujú 3x súbory náhodného názvu.. konkrétne vždy jeden povedzme XYZ.ini ďalší XYZ.ini2 a ešte ZYX.dll (áno presne vždy má *.dll súbor rovnaký názov ako *.ini súbory ale odzadu). Combofix ich aj odstránil lenže po reboote sa vygenerovali nové a s iným názvom. Všimol som si tiež že v bežiacich procesoch sa zvykne usadiť rundll32.exe, čo sa mi bežne nestávalo (nakoľko tento proces môže mať veľkú súvislosť s napadnutím PC pomocou spywaru, inak súvisí myslým z pripojenými zariadeniami) - okrem neho sa mi zdá podozrivý aj winlogon.exe lenže neviem zistiť aké dll súbory si volá na pomoc. Teda ako som vravel aj po premenovaní 2x ini a 1x dll súboru vo win recovery konzole a následnom zmazaní sa vygenerovali nové, poslednou záhadnou vecou čo som si všimol je súbor taktiež v system32 zložke a to tuvsRlLe.dll = na 60% som si istý že nepatrí k systému (google o ňom samozrejme nič nevie, a najlepšie na tom je že znak ktorý vyzerá ako toto I prípadne | je nejaký špeciálny, tento súbor nejde zmazať ani v safe móde). Prikladám logy z hijackthis a combofix - posledných pár hodín sa systém zdá byť OKay ale potrebujem nejakého experta ktorý by mi logy preveril a prípadne ešte niečo poradil - je veľmi možné že za tým je ešte aj iný súbor/proces. THX
Log z Hijackthis
Kód: Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:20:44, on 25.5.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trust\Trust R-series Mouse And Keyboard\KMWDSrv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\explorer.exe
D:\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: WebTranslator - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - C:\PROGRA~1\PCTRAN~1\webie.dll
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CanonSolutionMenu] "C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" /logon
O4 - HKLM\..\Run: [CanonMyPrinter] "C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" /logon
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: WebTran - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - C:\PROGRA~1\PCTRAN~1\webie.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\PROGRA~1\PCTRAN~1\webie.dll
O9 - Extra 'Tools' menuitem: &Nastaviť prekladač - {CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\PROGRA~1\PCTRAN~1\webie.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\PROGRA~1\PCTRAN~1\webie.dll
O9 - Extra 'Tools' menuitem: Preložiť &označený text - {CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\PROGRA~1\PCTRAN~1\webie.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\PROGRA~1\PCTRAN~1\webie.dll
O9 - Extra 'Tools' menuitem: Preložiť &stránku - {CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\PROGRA~1\PCTRAN~1\webie.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Keyboard And Mouse Communication Service (KMWDSERVICE) - UASSOFT.COM - C:\Program Files\Trust\Trust R-series Mouse And Keyboard\KMWDSrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6372 bytes
Log z ComboFix Kód: ComboFix 08-05-21.3 - IT'S NOT IMPORTANT FOR YOU WHO'S USER 2008-05-25 17:08:35.4 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.705 [GMT 2:00]
Running from: D:\ComboFix.exe
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\SrYyyyxx.ini
C:\WINDOWS\system32\SrYyyyxx.ini2
C:\WINDOWS\system32\xxyyyYrS.dll
.
((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.
2008-05-25 10:12 . 2008-05-25 12:36 <DIR> d-------- C:\Program Files\Miranda IM
2008-05-24 19:54 . 2008-05-25 17:12 612,384 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-24 19:54 . 2008-05-25 17:12 10,268 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-24 19:51 . 2008-04-02 21:07 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-05-24 19:50 . 2008-05-24 19:50 <DIR> d-------- C:\Program Files\Zone Labs
2008-05-24 19:50 . 2008-04-02 21:07 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-05-24 19:50 . 2008-05-25 17:14 352,918 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-05-24 19:49 . 2008-05-25 17:00 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-05-24 18:08 . 2008-05-24 18:08 <DIR> d-------- C:\Program Files\CCleaner
2008-05-24 17:02 . 2008-05-24 17:06 82 --a------ C:\WINDOWS\winDecrypt.INI
2008-05-24 14:50 . 2008-05-24 14:50 <DIR> d-------- C:\WINDOWS\java
2008-05-24 14:45 . 2008-05-24 13:00 <DIR> d--h----- C:\Documents and Settings\Administrator\ćabl˘ny
2008-05-24 14:45 . 2008-05-24 13:00 <DIR> d-------- C:\Documents and Settings\Administrator\Pracovn plocha
2008-05-24 14:45 . 2008-05-24 13:00 <DIR> d---s---- C:\Documents and Settings\Administrator\Ponuka ćtart
2008-05-24 14:45 . 2008-05-24 13:00 <DIR> d-------- C:\Documents and Settings\Administrator\Ob–Łben‚ polo§ky
2008-05-24 14:45 . 2008-05-24 13:00 <DIR> d-------- C:\Documents and Settings\Administrator\Moje dokumenty
2008-05-24 14:45 . 2008-05-24 14:45 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-24 14:30 . 2004-08-04 14:00 571,392 --a--c--- C:\WINDOWS\system32\dllcache\tintlgnt.ime
2008-05-24 14:29 . 2004-08-04 14:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-05-24 14:28 . 2004-08-04 14:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-05-24 14:27 . 2004-08-04 14:00 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-05-24 14:26 . 2004-08-04 14:00 290,816 --a--c--- C:\WINDOWS\system32\dllcache\adsiis51.dll
2008-05-24 14:20 . 2008-05-24 14:24 <DIR> d--hs---- C:\Documents and Settings\All Users\DRM
2008-05-24 14:18 . 2008-05-24 14:18 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-05-24 14:18 . 2008-05-24 14:18 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-05-24 14:18 . 2008-05-24 14:18 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-05-24 14:18 . 2008-05-24 14:18 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-05-24 14:18 . 2008-05-24 14:18 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-05-24 14:18 . 2008-05-24 14:18 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-05-24 14:17 . 2004-08-04 14:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-05-24 13:51 . 2004-08-04 14:00 1,086,058 -ra------ C:\WINDOWS\SETD4.tmp
2008-05-24 13:51 . 2004-08-04 14:00 1,042,903 -ra------ C:\WINDOWS\SETD1.tmp
2008-05-24 13:51 . 2004-08-04 14:00 13,753 -ra------ C:\WINDOWS\SETE0.tmp
2008-05-24 13:15 . 2008-05-24 13:15 <DIR> d-------- C:\WINDOWS\NV720268.TMP
2008-05-24 13:10 . 2008-05-24 13:10 <DIR> d-------- C:\WINDOWS\NV7202028.TMP
2008-05-24 13:00 . 2008-05-24 13:00 <DIR> d--h----- C:\Documents and Settings\Default User\ćabl˘ny
2008-05-24 13:00 . 2008-05-24 13:00 <DIR> d-------- C:\Documents and Settings\Default User\Pracovn plocha
2008-05-24 13:00 . 2008-05-24 13:00 <DIR> d---s---- C:\Documents and Settings\Default User\Ponuka ćtart
2008-05-24 13:00 . 2008-05-24 13:00 <DIR> d-------- C:\Documents and Settings\Default User\Ob–Łben‚ polo§ky
2008-05-24 13:00 . 2008-05-24 13:00 <DIR> d-------- C:\Documents and Settings\Default User\Moje dokumenty
2008-05-24 13:00 . 2008-05-24 13:00 <DIR> d--h----- C:\Documents and Settings\All Users\ćabl˘ny
2008-05-24 13:00 . 2008-05-25 13:45 <DIR> d-------- C:\Documents and Settings\All Users\Pracovn plocha
2008-05-24 13:00 . 2008-05-24 15:03 <DIR> d---s---- C:\Documents and Settings\All Users\Ponuka ćtart
2008-05-24 13:00 . 2008-05-24 13:00 <DIR> d-------- C:\Documents and Settings\All Users\Ob–Łben‚ polo§ky
2008-05-24 13:00 . 2008-05-24 13:00 <DIR> d---s---- C:\Documents and Settings\All Users\Dokumenty
2008-05-24 12:59 . 2004-08-04 14:00 1,086,058 -ra------ C:\WINDOWS\SETEE.tmp
2008-05-24 12:59 . 2004-08-04 14:00 1,042,903 -ra------ C:\WINDOWS\SETEB.tmp
2008-05-24 12:59 . 2004-08-04 14:00 13,753 -ra------ C:\WINDOWS\SETFA.tmp
2008-05-24 12:09 . 2008-05-24 12:23 <DIR> d-------- C:\i386
2008-05-23 18:37 . 2008-05-23 18:37 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-23 18:37 . 2008-05-23 19:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-23 15:34 . 2008-05-23 15:34 59,392 --------- C:\WINDOWS\system32\tuvsRlLe.dll
2008-05-22 21:20 . 2008-05-24 17:52 14,400 --a------ C:\WINDOWS\SLEX99.BMS
2008-05-22 21:20 . 2008-05-24 17:52 27 --a------ C:\WINDOWS\SLEX99.INI
2008-05-22 21:20 . 2008-05-22 21:20 4 --a------ C:\WINDOWS\SLEX99.ANS
2008-05-21 15:47 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-05-21 15:46 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-05-21 15:46 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-05-21 15:46 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-05-21 15:46 . 2007-07-20 00:57 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2008-05-19 17:22 . 2008-05-19 17:22 <DIR> d-------- C:\Program Files\Winamp
2008-05-19 17:22 . 2008-05-19 17:34 <DIR> d-------- C:\Documents and Settings\IT'S NOT IMPORTANT FOR YOU WHO'S USER\Application Data\Winamp
2008-05-15 22:34 . 2008-05-15 23:39 <DIR> d-------- C:\Temp\Graf-tab praca
2008-05-12 19:01 . 2008-05-12 19:01 <DIR> d-------- C:\Program Files\OpenSSL
2008-04-30 20:51 . 2008-05-01 18:04 <DIR> d-------- C:\Temp\_cd potlaź
2008-04-25 21:49 . 2008-04-25 22:12 <DIR> d-------- C:\Temp\biosoz
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 17:36 --------- d-----w C:\Documents and Settings\IT'S NOT IMPORTANT FOR YOU WHO'S USER\Application Data\Comodo
2008-05-24 16:12 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-24 15:08 --------- d-----w C:\Documents and Settings\IT'S NOT IMPORTANT FOR YOU WHO'S USER\Application Data\Graphisoft
2008-05-21 11:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\TrackMania
2008-04-26 19:31 --------- d-----w C:\Program Files\Opera
2008-04-22 20:21 --------- d-----w C:\Program Files\ClipMate7
2008-04-22 15:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-22 15:41 --------- d-----w C:\Program Files\LG Soft India
2008-04-22 15:41 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-19 18:02 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-04-19 18:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-04-19 18:01 --------- d-----w C:\Program Files\Sony Ericsson
2008-04-19 17:57 94,064 ----a-w C:\WINDOWS\system32\drivers\k510mdm.sys
2008-04-19 17:57 85,408 ----a-w C:\WINDOWS\system32\drivers\k510mgmt.sys
2008-04-19 17:57 83,344 ----a-w C:\WINDOWS\system32\drivers\k510obex.sys
2008-04-19 17:57 8,336 ----a-w C:\WINDOWS\system32\drivers\k510mdfl.sys
2008-04-19 17:57 6,176 ----a-w C:\WINDOWS\system32\drivers\k510cmnt.sys
2008-04-19 17:57 6,176 ----a-w C:\WINDOWS\system32\drivers\k510cm.sys
2008-04-19 17:57 58,288 ----a-w C:\WINDOWS\system32\drivers\k510bus.sys
2008-04-19 17:57 5,808 ----a-w C:\WINDOWS\system32\drivers\k510whnt.sys
2008-04-19 17:57 5,808 ----a-w C:\WINDOWS\system32\drivers\k510wh.sys
2008-03-26 20:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-26 20:07 --------- d-----w C:\Program Files\Common Files\Merge Modules
2008-03-26 20:04 --------- d-----w C:\Program Files\Microsoft SDKs
2008-03-26 20:03 --------- d-----w C:\Program Files\Reference Assemblies
2008-03-26 20:03 --------- d-----w C:\Program Files\MSBuild
2008-03-26 19:58 --------- d-----w C:\Program Files\MSXML 6.0
2007-12-31 15:55 47,360 ----a-w C:\Documents and Settings\IT'S NOT IMPORTANT FOR YOU WHO'S USER\Application Data\pcouffin.sys
2008-01-26 14:12 8 --sha-r C:\WINDOWS\system32\6B09D056F6.sys
2007-04-13 20:26 88 -csha-r C:\WINDOWS\system32\7007FFB19F.sys
.
------- Sigcheck -------
2008-05-24 15:03 502272 6225f14b8ce08ccba8b25ad27843c674 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((( snapshot@2008-05-25_13.42.25.95 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-25 11:36:25 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-25 15:13:56 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CHotkey"="mHotkey.exe" [2002-07-05 17:37 491008 C:\WINDOWS\mHotkey.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-07-17 16:27 950664]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 14:00 33280 C:\WINDOWS\system32\rundll32.exe]
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 03:01 644696]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 03:50 1603152]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 11:51 57344]
"nwiz"="nwiz.exe" [2007-10-04 18:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 14:00 33280 C:\WINDOWS\system32\rundll32.exe]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-04-02 21:07 919016]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2005-01-17 14:43 84480]
C:\Documents and Settings\IT'S NOT IMPORTANT FOR YOU WHO'S USER\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
"DisableCAD"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)
"MemCheckBoxInRunDlg"= 0 (0x0)
"NoAutoTrayNotify"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoResolveSearch"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"VIDC.ACDV"= ACDV.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^forteManager.lnk]
backup=C:\WINDOWS\pss\forteManager.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a--c--- 2004-12-14 03:12 483328 C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a--c--- 2005-12-16 13:57 94208 C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a--c--- 2006-11-12 12:48 157592 C:\Program Files\DAEMON Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FinePrint Dispatcher v5]
--a--c--- 2006-10-27 15:48 507904 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FmctrlTray]
--a--c--- 2001-08-20 22:47 270336 C:\WINDOWS\system32\fmctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a--c--- 2004-11-02 21:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SRFirstRun]
--a------ 2004-08-04 14:00 67584 C:\WINDOWS\system32\srclient.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"CiSvc"=3 (0x3)
"gusvc"=3 (0x3)
"ERSvc"=2 (0x2)
"AcrSch2Svc"=3 (0x3)
"aawservice"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"mnmsrvc"=3 (0x3)
"helpsvc"=2 (0x2)
"BITS"=3 (0x3)
"ose"=3 (0x3)
"Adobe LM Service"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"nwiz"=nwiz.exe /install
"NVRaidService"=C:\WINDOWS\system32\nvraidservice.exe
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R2 DLPortIO;DriverLINX Port I/O Driver;C:\WINDOWS\system32\DRIVERS\DLPortIO.sys [1999-01-10 12:00]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;C:\Program Files\Trust\Trust R-series Mouse And Keyboard\KMWDSrv.exe [2007-02-28 19:12]
R2 RadPciNT;RadPciNT;C:\WINDOWS\system32\Drivers\RadPciNT.sys [2000-04-24 18:26]
R3 PSched;QoS Packet Scheduler;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-04 14:00]
S3 FlarionDTM;Flarion DTM Network Interface;C:\WINDOWS\system32\DRIVERS\FlrnDTM.sys [2005-05-26 16:06]
S3 gameport;FM801 PCI Joystick;C:\WINDOWS\system32\DRIVERS\fmjoy.sys []
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\k510bus.sys [2008-04-19 19:57]
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k510mdfl.sys [2008-04-19 19:57]
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\k510mdm.sys [2008-04-19 19:57]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\k510mgmt.sys [2008-04-19 19:57]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\k510obex.sys [2008-04-19 19:57]
S3 LGDDCDevice;LGDDCDevice;C:\Program Files\LG Soft India\forteManager\bin\I2CDriver.sys [2007-11-20 10:07]
S3 LGII2CDevice;LGII2CDevice;C:\Program Files\LG Soft India\forteManager\bin\PII2CDriver.sys [2007-11-20 10:07]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-02-08 22:26]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 00:01]
S3 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 14:00]
S3 wdm_fm801;FM801 PCI Audio (WDM);C:\WINDOWS\system32\drivers\fm801.sys []
S3 WPRO_40_755;WinPcap Packet Driver (WPRO_40_755);C:\WINDOWS\system32\drivers\WPRO_40_755.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0181eda8-5711-11dc-82aa-806d6172696f}]
\shell\PlayWithPowerDVD\Command - "C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe" "%l"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba9d42ce-f1d5-11dc-ad98-82bc5d5e55e4}]
\Shell\AutoRun\command - F:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5d506a8-4cce-11dc-a61f-bea6d7e5d8a2}]
\Shell\AutoRun\command - F:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-05-02 15:17:40 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 17:14:39
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2008-05-25 17:19:58 - machine was rebooted [IT'S NOT IMPORTANT FOR YOU WHO'S USER]
ComboFix-quarantined-files.txt 2008-05-25 15:19:50
ComboFix2.txt 2008-05-25 11:43:14
Pre-Run: 5,753,303,040 bytes free
Post-Run: 5,743,120,384 bytes free
268
Na požiadanie zašlem ďalšie logy...
|
|
Registrovaný: 21.02.07
Prihlásený: 21.02.10
Príspevky: 3984
Témy: 96 |
presne rovnaký problém mám téme pod touto (resp. nad touto ...)
|
|
Registrovaný: 22.03.07
Prihlásený: 23.06.23
Príspevky: 2096
Témy: 15
Bydlisko: Bratislava V |  Napísal br4n0: 27.05.2008 19:36 | |
|
Toto vlož do avengeru a pošli z neho log:
Kód: files to delete:
C:\WINDOWS\SETD4.tmp
C:\WINDOWS\SETD1.tmp
C:\WINDOWS\SETE0.tmp
C:\WINDOWS\SETEE.tmp
C:\WINDOWS\SETEB.tmp
C:\WINDOWS\SETFA.tmp
C:\WINDOWS\system32\tuvsRlLe.dll
C:\WINDOWS\system32\6B09D056F6.sys
C:\WINDOWS\system32\7007FFB19F.sys
folders to delete:
C:\WINDOWS\NV720268.TMP
C:\WINDOWS\NV7202028.TMP
_________________
DESKTOP: Intel Pentium Dual Core E2180, Gigabyte GA-P31-DS3L, 3GB DDR2 800Mhz, ASUS Radeon HD3650 256MB, ASUS DRW-1608P3S, Hitachi Deskstar T7K250 160GB, Fortron FSP350-60GLN
NTB: HP 510: Intel Celeron M360, 512MB DDR2 533MHz, Intel GMA 900, Hitachi Travelstar 4K120 40GB, Sony CRX880A |
|
Registrovaný: 26.05.08
Príspevky: 6
Témy: 1 | Napísal autor témy riff-raff: 29.05.2008 19:18 | |
|
Mockrát THX br4no ... vypadá, že všetko pomazalo. Teda resp. malo by to byť asi čisté? A aby som nezabudol tu je log z avenger-u. A ak sa môžem spýtať aký typ víru to bol podľa teba?
Kód: Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File "C:\WINDOWS\SETD4.tmp" deleted successfully.
File "C:\WINDOWS\SETD1.tmp" deleted successfully.
File "C:\WINDOWS\SETE0.tmp" deleted successfully.
File "C:\WINDOWS\SETEE.tmp" deleted successfully.
File "C:\WINDOWS\SETEB.tmp" deleted successfully.
File "C:\WINDOWS\SETFA.tmp" deleted successfully.
File "C:\WINDOWS\system32\tuvsRlLe.dll" deleted successfully.
File "C:\WINDOWS\system32\6B09D056F6.sys" deleted successfully.
File "C:\WINDOWS\system32\7007FFB19F.sys" deleted successfully.
Folder "C:\WINDOWS\NV720268.TMP" deleted successfully.
Folder "C:\WINDOWS\NV7202028.TMP" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
|
|
Registrovaný: 22.03.07
Prihlásený: 23.06.23
Príspevky: 2096
Témy: 15
Bydlisko: Bratislava V | Napísal br4n0: 29.05.2008 21:51 | |
|
Bol to trójsky kôň, čo v podstate nie je vírus, ale dnes rozhodne najrozšírenejší typ infekcie.
_________________
DESKTOP: Intel Pentium Dual Core E2180, Gigabyte GA-P31-DS3L, 3GB DDR2 800Mhz, ASUS Radeon HD3650 256MB, ASUS DRW-1608P3S, Hitachi Deskstar T7K250 160GB, Fortron FSP350-60GLN
NTB: HP 510: Intel Celeron M360, 512MB DDR2 533MHz, Intel GMA 900, Hitachi Travelstar 4K120 40GB, Sony CRX880A |
|
Registrovaný: 02.09.07
Prihlásený: 19.01.20
Príspevky: 6373
Témy: 298
Bydlisko: Žilina |
HiJackThis je cisty ako latexova podlaha.
_________________
NTB: Dell Vostro 5470 - Core i5-4200U, GT 740M, 8GB DDR3-1600, Crucial MX100 256GB, 14" 1366x768
Audio: KRK RoKit 5 G2 White, Lexicon Alpha, M-Audio Axiom 25 MKII, AKG Y55
Phone: Samsung Galaxy S8
Vozenie: Alfa Romeo 159 SW 1.9JTDm 110kW - DPF/EGR/SWIRL OFF, BOSE SOUND |
|
Registrovaný: 26.05.08
Príspevky: 6
Témy: 1 | Napísal autor témy riff-raff: 30.05.2008 21:52 | |
|
Hmm no trojan sranda, že ho nedetekoval NOD ale aj tak THX.
|
|
| Stránka: 1 z 1
| [ Príspevkov: 7 ] | |
| Nemôžete zakladať nové témy v tomto fóre
Nemôžete odpovedať na témy v tomto fóre
Nemôžete upravovať svoje príspevky v tomto fóre
Nemôžete mazať svoje príspevky v tomto fóre
|
|
