Logfile of HijackThis v1.99.1
Scan saved at 13:38:05, on 29.11.2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINNT\system32\mscsrv.exe
C:\WINNT\system32\winIogon.exe
C:\Program Files\Eset\nod32.exe
C:\Program Files\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: XTTBPos00 Class - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1029,&Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Microsoft Synchronization Manager] mscsrv.exe
O4 - HKLM\..\Run: [Synchronization Manager Updater] winIogon.exe
O4 - HKLM\..\RunServices: [Microsoft Synchronization Manager] mscsrv.exe
O4 - HKLM\..\RunServices: [Synchronization Manager Updater] winIogon.exe
O4 - HKCU\..\Run: [Skype] "C:\Documents and Settings\Administrator\Plocha\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Microsoft Synchronization Manager] mscsrv.exe
O4 - HKCU\..\Run: [Synchronization Manager Updater] winIogon.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C5723A6-F54A-4BFF-92B4-27C5EE2D6808}: NameServer = 81.31.33.19,80.79.16.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF53DBC5-F5E9-44F1-B1D3-FEA59B6C0852}: NameServer = 81.31.33.19,80.79.16.3
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: 41458 - Unknown owner - \\80.79.22.94\Admin$\eraseme_72104.exe (file missing)
O23 - Service: 50534 - Unknown owner - \\80.79.22.94\Admin$\eraseme_88321.exe (file missing)
O23 - Service: 75023 - Unknown owner - \\80.79.22.94\Admin$\eraseme_00622.exe (file missing)
O23 - Service: Application Layer Gateway Services - Unknown owner - C:\WINNT\alg.exe (file missing)
O23 - Service: Disk Checker Service (Check Disk) - Unknown owner - C:\WINNT\chkdsk.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINNT\SYSTEM32\DNTUS26.EXE
O23 - Service: Events Log (Event) - Unknown owner - C:\WINNT\system32\drivers\csrss.exe (file missing)
O23 - Service: Scheduling Agent (Mstinit) - Unknown owner - C:\WINNT\mstinit.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Serv-U FTP Server (Serv-U) - Unknown owner - C:\WINNT\system32\MSupdate.exe (file missing)
O23 - Service: Windows Messenger - Unknown owner - C:\WINNT\msnmsgr.exe (file missing)
O23 - Service: Windows SP2 Service - Unknown owner - C:\WINNT\spsrv.exe (file missing)
Prosím o kontrolu logu
Prosím o kontrolu logu
CPU Core 2 Duo 1,86Ghz, RAM 2x2GB DDR3, HDD WD 250GB+1,5TB, VGA Intel GMA 4500
1. Použij SDFix:
Stáhni si SDFix a spusť ho, zeptá se tě kam se má vybalit tak nechej již tu přednastavenou volbu aby se vybalil na disk C: Na disku C: se objeví složka SDFix tam bude rozbalený.
Poté restartuj PC do nouzového režimu.Otevři složku kde je vybalený SDFix a spusť soubor RunThis.bat a stiskni Y pro zahájení čistícího procesu.
Pro dokončení bude třeba stisknout libovolnou klávesu a počítač se restartuje.
Při nabíhání operačního systému budeš muset po vyzvání stisknout libovolnou klávesu pro vstup do do Win.
Po naběhnutí OS by ti měl zobrazit výpis SDFixu tak ho sem zkopíruj pokud by ti nevyběhne tak je umístěný ve své vlastní složce jako Report.txt.
2. Použij ComboFix:
Stáhni si ComboFix, ulož ho na plochu zavři všechna spuštěná okna a spusť ho.
Postupuj dle pokynů během aplikování ComboFixu neklikej do zobrazujícího se okna může se stát totiž že to proces zastaví.
Je možné, že se počítač restartuje znamená to, že ComboFix našel škodlivé soubory, a aby je smazal tak je nutný restart.
Po skončení se vytvoří log tak sem zkopíruj jeho obsah.
Jinak je ComboFixův log umístěný na C:\ComboFix.txt
Stáhni si SDFix a spusť ho, zeptá se tě kam se má vybalit tak nechej již tu přednastavenou volbu aby se vybalil na disk C: Na disku C: se objeví složka SDFix tam bude rozbalený.
Poté restartuj PC do nouzového režimu.Otevři složku kde je vybalený SDFix a spusť soubor RunThis.bat a stiskni Y pro zahájení čistícího procesu.
Pro dokončení bude třeba stisknout libovolnou klávesu a počítač se restartuje.
Při nabíhání operačního systému budeš muset po vyzvání stisknout libovolnou klávesu pro vstup do do Win.
Po naběhnutí OS by ti měl zobrazit výpis SDFixu tak ho sem zkopíruj pokud by ti nevyběhne tak je umístěný ve své vlastní složce jako Report.txt.
2. Použij ComboFix:
Stáhni si ComboFix, ulož ho na plochu zavři všechna spuštěná okna a spusť ho.
Postupuj dle pokynů během aplikování ComboFixu neklikej do zobrazujícího se okna může se stát totiž že to proces zastaví.
Je možné, že se počítač restartuje znamená to, že ComboFix našel škodlivé soubory, a aby je smazal tak je nutný restart.
Po skončení se vytvoří log tak sem zkopíruj jeho obsah.
Jinak je ComboFixův log umístěný na C:\ComboFix.txt
SDFix: Version 1.116
Run by Administrator on źt 29.11.2007 at 14:38
Microsoft Windows 2000 [Verze 5.00.2195]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Name:
Application Layer Gateway Services
Check Disk
Mstinit
Windows Messenger
Path:
"C:\WINNT\alg.exe"
"C:\WINNT\chkdsk.exe"
"C:\WINNT\mstinit.exe"
"C:\WINNT\msnmsgr.exe"
Application Layer Gateway Services - Deleted
Check Disk - Deleted
Mstinit - Deleted
Windows Messenger - Deleted
C:\WINNT\system32\Microsoft\backup.ftp Found
C:\WINNT\system32\Microsoft\backup.tftp Found
Checking files:
Genuine:
C:\WINNT\system32\Microsoft\backup.ftp
C:\WINNT\system32\Microsoft\backup.tftp
Dummy:
C:\WINNT\system32\ftp.exe
C:\WINNT\system32\tftp.exe
Files copied to SDFix\Backups
Restoring files if backups are found
Final Check:
Genuine:
C:\WINNT\system32\Microsoft\backup.ftp
C:\WINNT\system32\Microsoft\backup.tftp
C:\WINNT\system32\ftp.exe
C:\WINNT\system32\tftp.exe
C:\WINNT\system32\dllcache\ftp.exe
C:\WINNT\system32\dllcache\tftp.exe
Dummy:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Trojan Files Found:
C:\WINNT\system32\eraseme_26437.exe - Deleted
C:\WINNT\system32\explorers.exe - Deleted
C:\WINNT\system32\Microsoft\backup.ftp - Deleted
C:\WINNT\system32\Microsoft\backup.tftp - Deleted
C:\WINNT\system32\mirc.ini - Deleted
C:\WINNT\system32\winIogon.exe - Deleted
Folder C:\Program Files\Common Files\delsim - Removed
Removing Temp Files...
ADS Check:
C:\WINNT
No streams found.
C:\WINNT\system32
No streams found.
C:\WINNT\system32\svchost.exe
No streams found.
C:\WINNT\system32\ntoskrnl.exe
No streams found.
Final Check:
catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 14:47:13
Windows 5.0.2195 Service Pack 4 FAT NTAPI
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services:
------------------
Remaining Files:
---------------
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes:
Mon 29 May 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Finished!
ComboFix 07-11-19.4C - Administrator 29.11.2007 14:57:24.1 - FAT32x86
Running from: C:\Documents and Settings\Administrator\Plocha\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 )))))))))))))))))))))))))))))))
.
2007-11-29 14:57 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_304.dat
2007-11-29 14:38 41,232 --a------ C:\WINNT\system32\dllcache\ftp.exe
2007-11-29 14:38 17,680 --a------ C:\WINNT\system32\dllcache\tftp.exe
2007-11-29 14:06 <DIR> d-------- C:\Program Files\backups
2007-11-29 13:48 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_2c4.dat
2007-11-29 13:37 218,112 -ra------ C:\Program Files\hijackthis.exe
2007-11-29 13:33 <DIR> d-------- C:\Program Files\jv16 PowerTools 2006
2007-11-28 18:15 545 --a------ C:\WINNT\LHA.PIF
2007-11-28 18:15 545 --a------ C:\WINNT\ARJ.PIF
2007-11-28 17:29 18,704 --a------ C:\WINNT\system32\drivers\RTL8139.sys
2007-11-28 14:58 37,136 --a------ C:\WINNT\system32\drivers\elnk3.sys
2007-11-27 15:40 1,277,440 --a------ C:\WINNT\system32\mscsrv.exe
2007-11-24 13:27 1,268,736 --a------ C:\WINNT\system32\Isass..exe
2007-11-23 13:17 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_4b0.dat
2007-11-22 15:32 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_44c.dat
2007-11-22 14:29 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_4b8.dat
2007-11-10 17:33 1,227,264 --a------ C:\WINNT\system32\devcon.exe
2007-11-10 17:33 33,846 -rahs---- C:\WINNT\system32\invi.dbx
2007-11-10 17:32 3,184 --a------ C:\WINNT\system32\nero.inf
2007-11-10 17:32 125 --a------ C:\WINNT\system32\protect.bat
2007-11-10 15:03 73,728 --a------ C:\WINNT\system32\DNTUS26.EXE
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-29 13:17 3,900 ----a-w C:\Program Files\hijackthis.log
2006-05-17 16:21 271 ---h--w C:\Program Files\desktop.ini
2006-05-17 16:21 22,034 ---h--w C:\Program Files\folder.htt
2000-03-19 23:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Documents and Settings\Administrator\Plocha\Phone\Skype.exe" [25.08.07 21:54 ]
"Synchronization Manager Updater"="winIogon.exe" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [21.05.06 09:54 ]
"Synchronization Manager"="mobsync.exe" [19.06.03 12:05 C:\WINNT\system32\mobsync.exe]
"Synchronization Manager Updater"="winIogon.exe" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Synchronization Manager Updater"="winIogon.exe" []
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [20.03.00 00:00 C:\WINNT\system32\internat.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [19.06.03 12:05 ]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"internat.exe"=internat.exe
"FreeCall"="C:\program files\freecall.com\freecall\freecall.exe" -nosplash -minimized
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroCheck"=C:\WINNT\system32\NeroCheck.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
"Synchronization Manager"=mobsync.exe /logon
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" -minimize
"NeroFilterCheck"=C:\WINNT\system32\NeroCheck.exe
"Win2KService"=C:\WINNT\system32\nero.exe
R1 oreans32;oreans32;\??\C:\WINNT\system32\drivers\oreans32.sys
R3 laguna;laguna;C:\WINNT\system32\DRIVERS\cl546xm.sys
R3 solo;ESS Solo Audio Driver (WDM);C:\WINNT\system32\drivers\solo.sys
S2 Event;Events Log;C:\WINNT\system32\drivers\csrss.exe -k NetworkService
S2 Serv-U;Serv-U FTP Server;C:\WINNT\system32\MSupdate.exe
S2 Windows SP2 Service;Windows SP2 Service;"C:\WINNT\spsrv.exe"
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys
S3 ELNK3;3Com EtherLink III;C:\WINNT\system32\DRIVERS\elnk3.sys
S3 NtApm;Ovladač rozhraní služby NT Apm/Legacy;C:\WINNT\system32\DRIVERS\NtApm.sys
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-11-23 16:15:28 C:\WINNT\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 14:59:59
Windows 5.0.2195 Service Pack 4 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 29.11.2007 15:01:04
.
--- E O F ---
Logfile of HijackThis v1.99.1
Scan saved at 15:03:58, on 29.11.2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINNT\explorer.exe
C:\Program Files\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Synchronization Manager Updater] winIogon.exe
O4 - HKLM\..\RunServices: [Synchronization Manager Updater] winIogon.exe
O4 - HKCU\..\Run: [Skype] "C:\Documents and Settings\Administrator\Plocha\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Synchronization Manager Updater] winIogon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C5723A6-F54A-4BFF-92B4-27C5EE2D6808}: NameServer = 81.31.33.19,80.79.16.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF53DBC5-F5E9-44F1-B1D3-FEA59B6C0852}: NameServer = 81.31.33.19,80.79.16.3
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: 41458 - Unknown owner - \\80.79.22.94\Admin$\eraseme_72104.exe (file missing)
O23 - Service: 50534 - Unknown owner - \\80.79.22.94\Admin$\eraseme_88321.exe (file missing)
O23 - Service: 75023 - Unknown owner - \\80.79.22.94\Admin$\eraseme_00622.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINNT\SYSTEM32\DNTUS26.EXE
O23 - Service: Events Log (Event) - Unknown owner - C:\WINNT\system32\drivers\csrss.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Serv-U FTP Server (Serv-U) - Unknown owner - C:\WINNT\system32\MSupdate.exe (file missing)
O23 - Service: Windows SP2 Service - Unknown owner - C:\WINNT\spsrv.exe (file missing)
Run by Administrator on źt 29.11.2007 at 14:38
Microsoft Windows 2000 [Verze 5.00.2195]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Name:
Application Layer Gateway Services
Check Disk
Mstinit
Windows Messenger
Path:
"C:\WINNT\alg.exe"
"C:\WINNT\chkdsk.exe"
"C:\WINNT\mstinit.exe"
"C:\WINNT\msnmsgr.exe"
Application Layer Gateway Services - Deleted
Check Disk - Deleted
Mstinit - Deleted
Windows Messenger - Deleted
C:\WINNT\system32\Microsoft\backup.ftp Found
C:\WINNT\system32\Microsoft\backup.tftp Found
Checking files:
Genuine:
C:\WINNT\system32\Microsoft\backup.ftp
C:\WINNT\system32\Microsoft\backup.tftp
Dummy:
C:\WINNT\system32\ftp.exe
C:\WINNT\system32\tftp.exe
Files copied to SDFix\Backups
Restoring files if backups are found
Final Check:
Genuine:
C:\WINNT\system32\Microsoft\backup.ftp
C:\WINNT\system32\Microsoft\backup.tftp
C:\WINNT\system32\ftp.exe
C:\WINNT\system32\tftp.exe
C:\WINNT\system32\dllcache\ftp.exe
C:\WINNT\system32\dllcache\tftp.exe
Dummy:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Trojan Files Found:
C:\WINNT\system32\eraseme_26437.exe - Deleted
C:\WINNT\system32\explorers.exe - Deleted
C:\WINNT\system32\Microsoft\backup.ftp - Deleted
C:\WINNT\system32\Microsoft\backup.tftp - Deleted
C:\WINNT\system32\mirc.ini - Deleted
C:\WINNT\system32\winIogon.exe - Deleted
Folder C:\Program Files\Common Files\delsim - Removed
Removing Temp Files...
ADS Check:
C:\WINNT
No streams found.
C:\WINNT\system32
No streams found.
C:\WINNT\system32\svchost.exe
No streams found.
C:\WINNT\system32\ntoskrnl.exe
No streams found.
Final Check:
catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 14:47:13
Windows 5.0.2195 Service Pack 4 FAT NTAPI
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services:
------------------
Remaining Files:
---------------
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes:
Mon 29 May 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Finished!
ComboFix 07-11-19.4C - Administrator 29.11.2007 14:57:24.1 - FAT32x86
Running from: C:\Documents and Settings\Administrator\Plocha\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 )))))))))))))))))))))))))))))))
.
2007-11-29 14:57 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_304.dat
2007-11-29 14:38 41,232 --a------ C:\WINNT\system32\dllcache\ftp.exe
2007-11-29 14:38 17,680 --a------ C:\WINNT\system32\dllcache\tftp.exe
2007-11-29 14:06 <DIR> d-------- C:\Program Files\backups
2007-11-29 13:48 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_2c4.dat
2007-11-29 13:37 218,112 -ra------ C:\Program Files\hijackthis.exe
2007-11-29 13:33 <DIR> d-------- C:\Program Files\jv16 PowerTools 2006
2007-11-28 18:15 545 --a------ C:\WINNT\LHA.PIF
2007-11-28 18:15 545 --a------ C:\WINNT\ARJ.PIF
2007-11-28 17:29 18,704 --a------ C:\WINNT\system32\drivers\RTL8139.sys
2007-11-28 14:58 37,136 --a------ C:\WINNT\system32\drivers\elnk3.sys
2007-11-27 15:40 1,277,440 --a------ C:\WINNT\system32\mscsrv.exe
2007-11-24 13:27 1,268,736 --a------ C:\WINNT\system32\Isass..exe
2007-11-23 13:17 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_4b0.dat
2007-11-22 15:32 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_44c.dat
2007-11-22 14:29 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_4b8.dat
2007-11-10 17:33 1,227,264 --a------ C:\WINNT\system32\devcon.exe
2007-11-10 17:33 33,846 -rahs---- C:\WINNT\system32\invi.dbx
2007-11-10 17:32 3,184 --a------ C:\WINNT\system32\nero.inf
2007-11-10 17:32 125 --a------ C:\WINNT\system32\protect.bat
2007-11-10 15:03 73,728 --a------ C:\WINNT\system32\DNTUS26.EXE
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-29 13:17 3,900 ----a-w C:\Program Files\hijackthis.log
2006-05-17 16:21 271 ---h--w C:\Program Files\desktop.ini
2006-05-17 16:21 22,034 ---h--w C:\Program Files\folder.htt
2000-03-19 23:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Documents and Settings\Administrator\Plocha\Phone\Skype.exe" [25.08.07 21:54 ]
"Synchronization Manager Updater"="winIogon.exe" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [21.05.06 09:54 ]
"Synchronization Manager"="mobsync.exe" [19.06.03 12:05 C:\WINNT\system32\mobsync.exe]
"Synchronization Manager Updater"="winIogon.exe" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Synchronization Manager Updater"="winIogon.exe" []
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [20.03.00 00:00 C:\WINNT\system32\internat.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [19.06.03 12:05 ]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"internat.exe"=internat.exe
"FreeCall"="C:\program files\freecall.com\freecall\freecall.exe" -nosplash -minimized
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroCheck"=C:\WINNT\system32\NeroCheck.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
"Synchronization Manager"=mobsync.exe /logon
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" -minimize
"NeroFilterCheck"=C:\WINNT\system32\NeroCheck.exe
"Win2KService"=C:\WINNT\system32\nero.exe
R1 oreans32;oreans32;\??\C:\WINNT\system32\drivers\oreans32.sys
R3 laguna;laguna;C:\WINNT\system32\DRIVERS\cl546xm.sys
R3 solo;ESS Solo Audio Driver (WDM);C:\WINNT\system32\drivers\solo.sys
S2 Event;Events Log;C:\WINNT\system32\drivers\csrss.exe -k NetworkService
S2 Serv-U;Serv-U FTP Server;C:\WINNT\system32\MSupdate.exe
S2 Windows SP2 Service;Windows SP2 Service;"C:\WINNT\spsrv.exe"
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys
S3 ELNK3;3Com EtherLink III;C:\WINNT\system32\DRIVERS\elnk3.sys
S3 NtApm;Ovladač rozhraní služby NT Apm/Legacy;C:\WINNT\system32\DRIVERS\NtApm.sys
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-11-23 16:15:28 C:\WINNT\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 14:59:59
Windows 5.0.2195 Service Pack 4 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 29.11.2007 15:01:04
.
--- E O F ---
Logfile of HijackThis v1.99.1
Scan saved at 15:03:58, on 29.11.2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINNT\explorer.exe
C:\Program Files\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Synchronization Manager Updater] winIogon.exe
O4 - HKLM\..\RunServices: [Synchronization Manager Updater] winIogon.exe
O4 - HKCU\..\Run: [Skype] "C:\Documents and Settings\Administrator\Plocha\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Synchronization Manager Updater] winIogon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C5723A6-F54A-4BFF-92B4-27C5EE2D6808}: NameServer = 81.31.33.19,80.79.16.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF53DBC5-F5E9-44F1-B1D3-FEA59B6C0852}: NameServer = 81.31.33.19,80.79.16.3
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: 41458 - Unknown owner - \\80.79.22.94\Admin$\eraseme_72104.exe (file missing)
O23 - Service: 50534 - Unknown owner - \\80.79.22.94\Admin$\eraseme_88321.exe (file missing)
O23 - Service: 75023 - Unknown owner - \\80.79.22.94\Admin$\eraseme_00622.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINNT\SYSTEM32\DNTUS26.EXE
O23 - Service: Events Log (Event) - Unknown owner - C:\WINNT\system32\drivers\csrss.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Serv-U FTP Server (Serv-U) - Unknown owner - C:\WINNT\system32\MSupdate.exe (file missing)
O23 - Service: Windows SP2 Service - Unknown owner - C:\WINNT\spsrv.exe (file missing)
CPU Core 2 Duo 1,86Ghz, RAM 2x2GB DDR3, HDD WD 250GB+1,5TB, VGA Intel GMA 4500
Spusť Notepad (Poznámkový blok) a vlož do něj text z bílého políčka:
Pak dej Soubor (File) -> Uložit jako (Save As) -> jak je Název souboru (File name) tak do toho řádku napiš: CFScript.txt
Typ souboru (Save as type) tak tam vyber *všechny soubory (*all files)
A ulož ho na plochu.
Uchop myší vytvořený skript CFScript.txt, přemísti ho nad stažený program ComboFix a když se oba soubory překryjí, skript upusť.
ComboFix se automaticky spustí.
A vlož sem log který se ti objeví po skončení operace.
Tyto soubory nechej otestovat na Virustotalu (trošku se však změnil design stránky):
C:\WINNT\system32\devcon.exe
C:\WINNT\system32\invi.dbx
C:\WINNT\system32\nero.inf
C:\WINNT\system32\mscsrv.exe
C:\WINNT\system32\Isass..exe
Zapni si - Zobrazovat skryté a systémové soubory.
A zkopíruj sem výsledky.
Jinak tyto služby se mě nezdají znáš je?:
O23 - Service: 41458 - Unknown owner - \\80.79.22.94\Admin$\eraseme_72104.exe (file missing)
O23 - Service: 50534 - Unknown owner - \\80.79.22.94\Admin$\eraseme_88321.exe (file missing)
O23 - Service: 75023 - Unknown owner - \\80.79.22.94\Admin$\eraseme_00622.exe (file missing)
+ sem vlož nový log z HJT, ale z nové verze. Před stažením však smaž tu starou verzi HijackThisu.
A poté si stáhni novou verzi HijackThisu odsud.
Kód: Vybrat vše
File::
C:\WINNT\system32\drivers\oreans32.sys
C:\WINNT\system32\drivers\csrss.exe
C:\WINNT\system32\MSupdate.exe
C:\WINNT\spsrv.exe
C:\WINNT\system32\nero.exe
C:\WINNT\system32\protect.bat
Driver::
oreans32
Event
Serv-U
Windows SP2 Service
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager Updater"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager Updater"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Synchronization Manager Updater"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Win2KService"=-Pak dej Soubor (File) -> Uložit jako (Save As) -> jak je Název souboru (File name) tak do toho řádku napiš: CFScript.txt
Typ souboru (Save as type) tak tam vyber *všechny soubory (*all files)
A ulož ho na plochu.
Uchop myší vytvořený skript CFScript.txt, přemísti ho nad stažený program ComboFix a když se oba soubory překryjí, skript upusť.
ComboFix se automaticky spustí.
A vlož sem log který se ti objeví po skončení operace.
Tyto soubory nechej otestovat na Virustotalu (trošku se však změnil design stránky):
C:\WINNT\system32\devcon.exe
C:\WINNT\system32\invi.dbx
C:\WINNT\system32\nero.inf
C:\WINNT\system32\mscsrv.exe
C:\WINNT\system32\Isass..exe
Zapni si - Zobrazovat skryté a systémové soubory.
A zkopíruj sem výsledky.
Jinak tyto služby se mě nezdají znáš je?:
O23 - Service: 41458 - Unknown owner - \\80.79.22.94\Admin$\eraseme_72104.exe (file missing)
O23 - Service: 50534 - Unknown owner - \\80.79.22.94\Admin$\eraseme_88321.exe (file missing)
O23 - Service: 75023 - Unknown owner - \\80.79.22.94\Admin$\eraseme_00622.exe (file missing)
+ sem vlož nový log z HJT, ale z nové verze. Před stažením však smaž tu starou verzi HijackThisu.
A poté si stáhni novou verzi HijackThisu odsud.
Kdo je online
Uživatelé prohlížející si toto fórum: Žádní registrovaní uživatelé a 94 hostů