Tak jsem vypnul skype, qip atd.
vypnul jsem obnovu systému
Fixnul jsem hijackthis dané body.
Spustil jsem Combofix pomocí cfscriptu s uvedeným textem.
posílám log .
WLCtrl32 změnil vzhled a koncovku. Vypadá nyní jako soubor, po jehož otevření, bych byl vyzván k výběru programu, s nímž ho chci otevřít. A dám li na něj pravím, pak ve vlastnostech vidím, že koncovka je DL_
Kerio hlásí stále pokus o průnik winlogon.
Jdu restartovat pc a pošlu Hijackthis
ComboFix 08-03-03.4 - User 2008-03-13 19:19:39.10 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1029.18.1554 [GMT 1:00]
Running from: C:\Documents and Settings\User\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Plocha\CFScript.txt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\inf\qwetab.inf
C:\WINDOWS\system32\spmsg2.dll
C:\WINDOWS\SYSTEM32\WLCtrl32.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\inf\qwetab.inf
C:\WINDOWS\system32\spmsg2.dll
C:\WINDOWS\SYSTEM32\WLCtrl32.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\qwetab
((((((((((((((((((((((((( Files Created from 2008-02-13 to 2008-03-13 )))))))))))))))))))))))))))))))
.
2008-03-13 19:25 . 2008-03-13 19:25 11,776 --a------ C:\WINDOWS\system32\WLCtrl32.dl_
2008-03-11 22:14 . 2008-03-11 22:20 <DIR> d-------- C:\Program Files\RegCleaner
2008-03-11 16:38 . 2008-03-11 16:38 <DIR> d-------- C:\Program Files\Alwil Software
2008-03-11 16:38 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-03-11 16:38 . 2004-01-09 10:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-03-11 16:38 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-03-11 16:38 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-11 16:38 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-03-11 16:38 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-11 16:38 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-11 16:38 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-10 17:47 . 2006-11-24 14:13 <DIR> d--h----- C:\Documents and Settings\Administrator\ćablony
2008-03-10 17:47 . 2008-03-13 15:19 <DIR> d-------- C:\Documents and Settings\Administrator\Plocha
2008-03-10 17:47 . 2006-11-24 15:03 <DIR> d--h----- C:\Documents and Settings\Administrator\Okolnˇ tisk rny
2008-03-10 17:47 . 2006-11-24 15:03 <DIR> d--h----- C:\Documents and Settings\Administrator\Okolnˇ sˇś
2008-03-10 17:47 . 2006-11-24 15:03 <DIR> d-------- C:\Documents and Settings\Administrator\Oblˇben‚ polo§ky
2008-03-10 17:47 . 2006-11-24 15:03 <DIR> dr------- C:\Documents and Settings\Administrator\Nabˇdka Start
2008-03-10 17:47 . 2006-11-24 15:03 <DIR> d-------- C:\Documents and Settings\Administrator\Dokumenty
2008-03-10 17:47 . 2006-11-24 15:03 <DIR> dr-h----- C:\Documents and Settings\Administrator\Data aplikacˇ
2008-03-09 12:38 . 2008-03-10 22:22 <DIR> d-------- C:\Program Files\WinClamAVShield
2008-03-09 12:20 . 2008-03-09 12:20 <DIR> d-------- C:\searchplugins
2008-03-09 12:20 . 2008-03-09 12:20 <DIR> d-------- C:\Program Files\Crawler
2008-03-09 12:19 . 2008-03-10 05:29 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-03-09 12:19 . 2008-03-10 04:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\Spyware Terminator
2008-03-09 12:19 . 2008-03-09 12:19 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-03-09 05:22 . 2008-03-09 05:22 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-09 05:22 . 2008-03-09 05:22 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-02 21:02 . 2008-03-02 21:02 <DIR> d-------- C:\Program Files\CCleaner
2008-03-02 19:21 . 2008-03-02 19:22 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-02 19:20 . 2008-03-13 18:59 116,962 --a------ C:\WINDOWS\system32\drivers\fwdrv.err
2008-03-02 18:59 . 2008-03-10 18:10 <DIR> d-------- C:\SDFix
2008-03-02 18:58 . 2008-03-02 18:58 1,312,273 --a------ C:\SDFix.exe
2008-03-02 18:48 . 2008-03-02 18:49 1,312,273 --a------ C:\default
2008-03-02 17:18 . 2008-03-02 17:18 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-03-02 16:36 . 2008-03-13 19:25 26,240 --a------ C:\WINDOWS\system32\drivers\Fms64.sys
2008-03-02 16:19 . 2008-03-02 16:19 <DIR> d-------- C:\Program Files\Ashampoo
2008-03-01 14:16 . 2008-03-02 14:38 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-03-01 13:47 . 2008-03-01 13:47 <DIR> d-------- C:\Program Files\MagicISO
2008-02-27 15:52 . 2008-02-27 15:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\DassaultSystemes
2008-02-27 15:45 . 2008-02-27 15:45 0 --a------ C:\WINDOWS\eDrawingOfficeAutomator.INI
2008-02-27 15:43 . 2008-02-27 15:58 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-27 15:39 . 2008-02-27 15:39 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2008-02-27 15:39 . 2008-02-27 16:02 <DIR> d-------- C:\Program Files\Common Files\SolidWorks Shared
2008-02-27 15:39 . 2008-02-27 15:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\SolidWorks
2008-02-27 15:38 . 2008-02-27 15:38 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-02-27 15:13 . 2008-02-27 15:13 <DIR> d-------- C:\Program Files\MSBuild
2008-02-27 15:11 . 2008-02-27 15:11 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-02-27 15:10 . 2008-02-27 15:10 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-02-27 15:09 . 2008-02-27 15:09 <DIR> d-------- C:\Program Files\MSECache
2008-02-27 14:55 . 2008-02-27 14:55 <DIR> d-------- C:\Program Files\PowerISO
2008-02-21 21:40 . 2008-03-02 17:53 <DIR> d-------- C:\Program Files\Opera
2008-02-15 19:07 . 2008-02-15 19:12 2,359,350 --a------ C:\WINDOWS\ACD Wallpaper.bmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-13 18:24 11,776 ----a-w C:\WINDOWS\system32\WLCtrl32.dll
2008-03-13 14:20 --------- d-----w C:\DOCUME~1\ALLUSE~1\DATAAP~1\avg7
2008-03-09 16:24 --------- d-----w C:\Program Files\ElcomSoft
2008-03-09 04:22 --------- d-----w C:\Program Files\QuickTime
2008-03-01 16:07 669,184 ----a-w C:\WINDOWS\system32\pbsvc.exe
2008-03-01 16:07 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-03-01 16:07 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-03-01 16:07 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-02-27 15:03 --------- d-----w C:\Program Files\SpeedFan
2008-02-27 14:55 --------- d-----w C:\Program Files\Software2000
2008-02-17 22:53 --------- d-----w C:\Program Files\Cool CENZURA
2008-02-07 20:15 --------- d-----w C:\Program Files\EA SPORTS
2008-02-06 20:19 --------- d-----w C:\Program Files\Electronic Arts
2008-02-06 19:38 --------- d-----w C:\Program Files\totalcmd
2008-02-03 19:48 278,984 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2008-02-03 19:48 --------- d-----w C:\Program Files\Zaklínač
2008-02-03 19:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-31 16:54 --------- d-----w C:\Program Files\THQ
2008-01-27 21:56 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-01-26 23:31 --------- d-----w C:\Program Files\uTorrent
2008-01-20 07:07 33,292 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys
2008-01-16 16:20 52,736 ----a-w C:\WINDOWS\ipuninst.exe
2008-01-16 16:18 --------- d-----w C:\Program Files\BlackIsle
2008-01-02 10:13 197,120 ----a-w C:\WINDOWS\system32\FHMcom_OxleyStrip.scr
2007-09-23 21:32 4,687,304 ----a-w C:\Program Files\paradisepoker_com_cs.exe
2007-01-14 21:00 1 ----a-w C:\Documents and Settings\User\SI.bin
2005-08-08 00:41 35,328 ----a-w C:\Program Files\usb_format.exe
2002-05-27 08:25 295,424 ----a-w C:\Program Files\SubtitleToolCZ.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 13:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-12-18 17:32 25365032]
"pdfSaver3"="c:\Program Files\PDF\pdfSaver\pdfSaver3.exe" [2004-05-19 14:29 385024]
"uTorrent"="C:\Program Files\uTorrent\utorrent.exe" [2008-01-26 18:02 219952]
"QIP2005"="C:\Program Files\QIP\qip.exe" [2007-11-16 14:17 3264512]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 14:43 7630848]
"nwiz"="nwiz.exe" [2006-08-11 14:43 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 14:43 86016]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 07:54 16248320 C:\WINDOWS\RTHDCPL.exe]
"pdfSaver3"="" []
"602PC SUITE PDF Saver"="C:\Program Files\Common Files\602phs\pdfSaver.exe" [2005-08-31 16:00 49152]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 10:58 278528]
"tsnpstd3"="C:\WINDOWS\tsnpstd3.exe" [2006-07-07 15:04 262144]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-18 14:12 843776]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-01-20 08:05 217088]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-03-09 12:19 2957824]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 13:00 15360]
C:\DOCUME~1\ALLUSE~1\NABDKA~1\Programy\POSPUT~1\
Mˇstnˇ vyhled v nˇ.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\QIP\\qip.exe"=
"C:\\Program Files\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-02-20 13:34]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-02-20 13:34]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-03-09 12:19]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2006-03-02 13:00]
R3 usbccgp;Obecný nadřazený ovladač Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 23:08]
R3 usbohci;Ovladač Miniport otevřeného hostitelského řadiče Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbohci.sys [2006-03-02 13:00]
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-08-28 23:54]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23146296-69c9-11dc-a3cc-001617ba045b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-03-13 19:26:45
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\WLCtrl32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2008-03-13 19:30:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-13 18:30:27
ComboFix2.txt 2008-03-13 15:01:16
ComboFix3.txt 2008-03-12 16:01:47
ComboFix4.txt 2008-03-12 19:53:12
ComboFix5.txt 2008-03-11 21:32:55
.
2008-03-11 22:22:05 --- E O F ---
a podle mýho je tam nějakej růtkit mizernej.