Trojan horse - GENERIC.ZWE and I-WORM/STRATION.FMI

Section devoted to viruses and other malicious code, as well as to the tools that can be used to defend against them…

Post by ewash » 22 Jan 2008 18:29

paul27 wrote: So..

Move ComboFix to the desktop (if you don't have it there yet), open Notepad, and copy into it the text from the following box:


File::
C:\WINDOWS\system32\4nc6nE1bD.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ppc.exe"="-
"mhl.exe"="-
"rmm.exe"="-
"xdr"="-
"msk.exe"="-
"teg.exe"="-
"bass.exe"="-
"vpgr.exe"="-






ComboFix 08-01-21.7 - ewash 2008-01-22 18:18:59.2 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.238 [GMT 1:00]
Running from: C:\Documents and Settings\ewash\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\ewash\Plocha\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\4nc6nE1bD.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\4nc6nE1bD.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-22 to 2008-01-22 )))))))))))))))))))))))))))))))
.

2008-01-22 17:00 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-14 16:51 . 2008-01-14 16:51 <DIR> d-a------ C:\WINDOWS\zts2.exe
2008-01-14 16:51 . 2008-01-14 16:51 <DIR> d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2008-01-14 16:51 . 2008-01-14 16:51 <DIR> d-a------ C:\WINDOWS\system32\iifgfgf.dll
2008-01-14 16:51 . 2008-01-14 16:51 <DIR> d-a------ C:\WINDOWS\rundll16.exe
2008-01-14 16:51 . 2008-01-14 16:51 <DIR> d-a------ C:\WINDOWS\rundl132.dll
2008-01-14 16:51 . 2008-01-14 16:51 <DIR> d-a------ C:\WINDOWS\logo1_.exe
2008-01-14 16:40 . 2004-08-17 15:49 147,968 --a------ C:\WINDOWS\R.COM
2008-01-14 16:40 . 2004-08-17 15:49 137,216 --a------ C:\WINDOWS\system32\T.COM
2008-01-14 16:40 . 2008-01-14 16:47 50 --a------ C:\WINDOWS\Lic.xxx
2008-01-08 16:48 . 2008-01-08 16:48 <DIR> d-------- C:\WINDOWS\Sun
2008-01-08 16:46 . 2008-01-08 16:46 <DIR> d-------- C:\Program Files\Java
2008-01-08 16:46 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-08 16:45 . 2008-01-08 16:45 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-08 16:45 . 2008-01-08 16:49 671 --a------ C:\WINDOWS\mozver.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-22 15:10 --------- d-----w C:\Program Files\mIRC
2008-01-21 15:26 --------- d-----w C:\Program Files\ICQ6
2008-01-15 16:09 --------- d-----w C:\Program Files\sdc203
2008-01-14 15:41 --------- d-----w C:\Program Files\Mozilla Thunderbird
2007-02-13 09:24 76 ---ha-w C:\Program Files\Desktop.ini
2003-11-03 19:56 30,208 ----a-w C:\Program Files\GameMinimizer.exe
.

((((((((((((((((((((((((((((( snapshot@2008-01-22_17.03.32,12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-22 16:01:13 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-22 17:18:44 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-22 16:01:13 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-22 17:18:44 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-22 16:01:13 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-22 17:18:44 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-22 16:01:13 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-22 17:18:44 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-22 16:01:13 5,042,176 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-22 17:18:44 5,046,272 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-22 16:01:14 159,744 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-22 17:18:45 159,744 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-11 13:47 7311360]
"nwiz"="nwiz.exe" [2005-11-11 13:47 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-11-11 13:47 86016]
"CTHelper"="CTHELPER.EXE" [2003-08-28 09:45 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 01:00 28672]
"razer"="C:\Program Files\Razer\razerhid.exe" [2005-05-17 18:21 147456]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-12-12 18:55 53248]
"Home Theater SchSvr"="C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2004-09-29 03:01 106496]
"WINCINEMAMGR"="C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe" [2004-09-29 03:26 192512]
"ppc.exe"="C:\WINDOWS\system32\ppc.exe" [ ]
"mhl.exe"="C:\WINDOWS\system32\skp32.exe" [ ]
"rmm.exe"="C:\WINDOWS\system32\rmm.exe" [ ]
"xdr"="C:\WINDOWS\xdr.exe" [ ]
"msk.exe"="C:\WINDOWS\system32\msk.exe" [ ]
"teg.exe"="C:\WINDOWS\system32\teg.exe" [ ]
"bass.exe"="C:\WINDOWS\system32\bass.exe" [ ]
"vpgr.exe"="C:\WINDOWS\system32\vpgr.exe" [ ]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 22:29 579072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-17 15:49 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-21 22:16 219136]

R3 axsaki;axsaki;C:\WINDOWS\system32\DRIVERS\axsaki.sys [2003-03-30 21:38]
R3 axskbus;axskbus;C:\WINDOWS\system32\DRIVERS\axskbus.sys [2003-03-28 11:58]
R3 Cap713x;Cap713x Video Capture;C:\WINDOWS\system32\DRIVERS\Cap713x.sys [2004-10-14 08:19]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]
R3 usbccgp;Obecný nadřazený ovladač Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 23:08]
R3 usbohci;Ovladač Miniport otevřeného hostitelského řadiče Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-03 23:08]
R3 usbstor;Ovladač velkokapacitního paměťového zařízení USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]
S3 Razerlow;Razerlow USB Filter Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys [2005-04-24 22:43]
S3 w550bus;Sony Ericsson W550 driver (WDM);C:\WINDOWS\system32\DRIVERS\w550bus.sys [2005-07-15 14:47]
S3 w550mdfl;Sony Ericsson W550 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w550mdfl.sys [2005-07-15 14:48]
S3 w550mdm;Sony Ericsson W550 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\w550mdm.sys [2005-07-15 14:48]
S3 w550mgmt;Sony Ericsson W550 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\w550mgmt.sys [2005-07-15 14:49]
S3 w550obex;Sony Ericsson W550 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\w550obex.sys [2005-07-15 14:50]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-22 18:20:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-22 18:21:28
ComboFix-quarantined-files.txt 2008-01-22 17:21:14
ComboFix2.txt 2008-01-22 16:04:04

Post by paul27 » 22 Jan 2008 18:50

Hmm. Try this script:

File::
C:\WINDOWS\system32\4nc6nE1bD.dll
C:\WINDOWS\system32\ppc.exe
C:\WINDOWS\system32\skp32.exe
C:\WINDOWS\system32\rmm.exe
C:\WINDOWS\xdr.exe
C:\WINDOWS\system32\msk.exe
C:\WINDOWS\system32\teg.exe
C:\WINDOWS\system32\bass.exe
C:\WINDOWS\system32\vpgr.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ppc.exe"="-
"mhl.exe"="-
"rmm.exe"="-
"xdr"="-
"msk.exe"="-
"teg.exe"="-
"bass.exe"="-
"vpgr.exe"="-


\\EDIT: Script corrected per fredik, thanks.
Last edited by paul27 on 22 Jan 2008 19:22, edited 1 time in total.

Post by fredik » 22 Jan 2008 19:18

The script under the Registry:: item is wrong, put this in instead:

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ppc.exe"=-
"mhl.exe"=-
"rmm.exe"=-
"xdr"=-
"msk.exe"=-
"teg.exe"=-
"bass.exe"=-
"vpgr.exe"=-
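
The difference between the two Registry:: blocks posted in this thread, as an added example that is not part of the original posts: a small linter that accepts only the .reg-style value deletion `"name"=-`, flags the quoted-dash form, and then checks a follow-up "Reg Loading Points" listing for values that are still present. The function names are hypothetical, section headers are assumed to end in `::`, only value-deletion lines are checked, and the sample strings are shortened excerpts of the scripts and logs in this thread.

```python
import re

SECTION_RE = re.compile(r'^(\w+)::$')             # assumed: headers like File:: / Registry::
KEY_RE = re.compile(r'^\[(.+)\]$')                # [HKEY_...\Run]
DELETE_RE = re.compile(r'^"([^"]+)"=-$')          # .reg syntax for "delete this value"
QUOTED_DASH_RE = re.compile(r'^"([^"]+)"="-"?$')  # the mistake: dash placed inside quotes
LOG_VALUE_RE = re.compile(r'^"([^"]+)"=')         # value line in a Reg Loading Points listing


def lint_registry_section(script):
    """Check the Registry:: part of a CFScript (hypothetical helper).

    Returns (deletions, problems):
      deletions - list of (key, value_name) for well-formed delete lines
      problems  - list of (line_number, text, reason) for everything else
    """
    deletions, problems = [], []
    section, key = None, None
    for number, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section, key = header.group(1).lower(), None
            continue
        if section != "registry":
            continue                      # File:: paths etc. are not checked here
        key_line = KEY_RE.match(line)
        if key_line:
            key = key_line.group(1)
            continue
        delete = DELETE_RE.match(line)
        if delete and key:
            deletions.append((key, delete.group(1)))
        elif delete:
            problems.append((number, line, "delete line before any [key] header"))
        elif QUOTED_DASH_RE.match(line):
            problems.append((number, line, 'dash is quoted; use "name"=- to delete'))
        else:
            problems.append((number, line, "not a value deletion, review by hand"))
    return deletions, problems


def run_values(log, key):
    """Value names that a log excerpt lists under the given registry key."""
    names, current = set(), None
    for raw in log.splitlines():
        line = raw.strip()
        key_line = KEY_RE.match(line)
        if key_line:
            current = key_line.group(1)
            continue
        value = LOG_VALUE_RE.match(line)
        if value and current and current.lower() == key.lower():
            names.add(value.group(1))
    return names


def still_present(deletions, log):
    """Deletion targets that the follow-up log still shows."""
    return sorted(name for key, name in deletions if name in run_values(log, key))


RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Shortened excerpts of the scripts and logs posted in this thread.
BROKEN_SCRIPT = r"""File::
C:\WINDOWS\system32\4nc6nE1bD.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ppc.exe"="-
"xdr"="-
"""
FIXED_SCRIPT = BROKEN_SCRIPT.replace('="-', '=-')

LOG_BEFORE = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"ppc.exe"="C:\WINDOWS\system32\ppc.exe" [ ]
"xdr"="C:\WINDOWS\xdr.exe" [ ]
"""
LOG_AFTER = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-17 15:49 15360]
"""

if __name__ == "__main__":
    for label, script in (("broken", BROKEN_SCRIPT), ("fixed", FIXED_SCRIPT)):
        deletions, problems = lint_registry_section(script)
        print(label, "-", len(deletions), "valid deletions")
        for number, text, reason in problems:
            print("  line %d: %s  <- %s" % (number, text, reason))
    targets, _ = lint_registry_section(FIXED_SCRIPT)
    print("still present before fix:", still_present(targets, LOG_BEFORE))
    print("still present after fix: ", still_present(targets, LOG_AFTER))
```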

Post by ewash » 22 Jan 2008 22:41

Well, I don't know, it still looks the same to me.

ComboFix 08-01-21.7 - ewash 2008-01-22 22:23:58.4 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.259 [GMT 1:00]
Running from: C:\Documents and Settings\ewash\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\ewash\Plocha\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\4nc6nE1bD.dll
C:\WINDOWS\system32\bass.exe
C:\WINDOWS\system32\msk.exe
C:\WINDOWS\system32\ppc.exe
C:\WINDOWS\system32\rmm.exe
C:\WINDOWS\system32\skp32.exe
C:\WINDOWS\system32\teg.exe
C:\WINDOWS\system32\vpgr.exe
C:\WINDOWS\xdr.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-22 to 2008-01-22 )))))))))))))))))))))))))))))))
.

2008-01-22 17:00 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-14 16:51 . 2008-01-14 16:51 <DIR> d-a------ C:\WINDOWS\zts2.exe
2008-01-14 16:51 . 2008-01-14 16:51 <DIR> d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2008-01-14 16:51 . 2008-01-14 16:51 <DIR> d-a------ C:\WINDOWS\system32\iifgfgf.dll
2008-01-14 16:51 . 2008-01-14 16:51 <DIR> d-a------ C:\WINDOWS\rundll16.exe
2008-01-14 16:51 . 2008-01-14 16:51 <DIR> d-a------ C:\WINDOWS\rundl132.dll
2008-01-14 16:51 . 2008-01-14 16:51 <DIR> d-a------ C:\WINDOWS\logo1_.exe
2008-01-14 16:40 . 2004-08-17 15:49 147,968 --a------ C:\WINDOWS\R.COM
2008-01-14 16:40 . 2004-08-17 15:49 137,216 --a------ C:\WINDOWS\system32\T.COM
2008-01-14 16:40 . 2008-01-14 16:47 50 --a------ C:\WINDOWS\Lic.xxx
2008-01-08 16:48 . 2008-01-08 16:48 <DIR> d-------- C:\WINDOWS\Sun
2008-01-08 16:46 . 2008-01-08 16:46 <DIR> d-------- C:\Program Files\Java
2008-01-08 16:46 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-08 16:45 . 2008-01-08 16:45 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-08 16:45 . 2008-01-08 16:49 671 --a------ C:\WINDOWS\mozver.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-22 15:10 --------- d-----w C:\Program Files\mIRC
2008-01-21 15:26 --------- d-----w C:\Program Files\ICQ6
2008-01-15 16:09 --------- d-----w C:\Program Files\sdc203
2008-01-14 15:41 --------- d-----w C:\Program Files\Mozilla Thunderbird
2007-02-13 09:24 76 ---ha-w C:\Program Files\Desktop.ini
2003-11-03 19:56 30,208 ----a-w C:\Program Files\GameMinimizer.exe
.

((((((((((((((((((((((((((((( snapshot@2008-01-22_17.03.32,12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-22 16:01:13 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-22 21:23:45 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-22 16:01:13 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-22 21:23:45 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-22 16:01:13 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-22 21:23:45 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-22 16:01:13 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-22 21:23:45 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-22 16:01:13 5,042,176 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-22 21:23:45 5,046,272 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-22 16:01:14 159,744 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-22 21:23:45 159,744 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-11 13:47 7311360]
"nwiz"="nwiz.exe" [2005-11-11 13:47 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-11-11 13:47 86016]
"CTHelper"="CTHELPER.EXE" [2003-08-28 09:45 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 01:00 28672]
"razer"="C:\Program Files\Razer\razerhid.exe" [2005-05-17 18:21 147456]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-12-12 18:55 53248]
"Home Theater SchSvr"="C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2004-09-29 03:01 106496]
"WINCINEMAMGR"="C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe" [2004-09-29 03:26 192512]
"ppc.exe"="C:\WINDOWS\system32\ppc.exe" [ ]
"mhl.exe"="C:\WINDOWS\system32\skp32.exe" [ ]
"rmm.exe"="C:\WINDOWS\system32\rmm.exe" [ ]
"xdr"="C:\WINDOWS\xdr.exe" [ ]
"msk.exe"="C:\WINDOWS\system32\msk.exe" [ ]
"teg.exe"="C:\WINDOWS\system32\teg.exe" [ ]
"bass.exe"="C:\WINDOWS\system32\bass.exe" [ ]
"vpgr.exe"="C:\WINDOWS\system32\vpgr.exe" [ ]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 22:29 579072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-17 15:49 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-21 22:16 219136]

R3 axsaki;axsaki;C:\WINDOWS\system32\DRIVERS\axsaki.sys [2003-03-30 21:38]
R3 axskbus;axskbus;C:\WINDOWS\system32\DRIVERS\axskbus.sys [2003-03-28 11:58]
R3 Cap713x;Cap713x Video Capture;C:\WINDOWS\system32\DRIVERS\Cap713x.sys [2004-10-14 08:19]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]
R3 usbccgp;Obecný nadřazený ovladač Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 23:08]
R3 usbohci;Ovladač Miniport otevřeného hostitelského řadiče Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-03 23:08]
R3 usbstor;Ovladač velkokapacitního paměťového zařízení USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]
S3 Razerlow;Razerlow USB Filter Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys [2005-04-24 22:43]
S3 w550bus;Sony Ericsson W550 driver (WDM);C:\WINDOWS\system32\DRIVERS\w550bus.sys [2005-07-15 14:47]
S3 w550mdfl;Sony Ericsson W550 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w550mdfl.sys [2005-07-15 14:48]
S3 w550mdm;Sony Ericsson W550 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\w550mdm.sys [2005-07-15 14:48]
S3 w550mgmt;Sony Ericsson W550 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\w550mgmt.sys [2005-07-15 14:49]
S3 w550obex;Sony Ericsson W550 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\w550obex.sys [2005-07-15 14:50]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-22 22:25:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-22 22:26:24
ComboFix-quarantined-files.txt 2008-01-22 21:26:10
ComboFix2.txt 2008-01-22 17:58:38
ComboFix3.txt 2008-01-22 17:21:29
ComboFix4.txt 2008-01-22 16:04:04

Post by fredik » 23 Jan 2008 17:13

Create a new CFScript and paste into it exactly what I wrote on the previous page (marked in green). Then post the new ComboFix log here after using the script.

Post by ewash » 24 Jan 2008 11:44

Well, hopefully I did it right. I had already tried it with your fix too, but then I realized I was only supposed to replace the part about the registry, so here it is with the green part :)

ComboFix 08-01-21.7 - ewash 2008-01-24 11:17:58.6 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.235 [GMT 1:00]
Running from: C:\Documents and Settings\ewash\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\ewash\Plocha\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\4nc6nE1bD.dll
C:\WINDOWS\system32\bass.exe
C:\WINDOWS\system32\msk.exe
C:\WINDOWS\system32\ppc.exe
C:\WINDOWS\system32\rmm.exe
C:\WINDOWS\system32\skp32.exe
C:\WINDOWS\system32\teg.exe
C:\WINDOWS\system32\vpgr.exe
C:\WINDOWS\xdr.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-24 to 2008-01-24 )))))))))))))))))))))))))))))))
.

2008-01-24 10:40 . 2008-01-24 10:40 <DIR> d-------- C:\Program Files\GameHouse
2008-01-22 22:27 . 2008-01-22 22:27 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-22 17:00 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-14 16:51 . 2008-01-14 16:51 <DIR> d-a------ C:\WINDOWS\zts2.exe
2008-01-14 16:51 . 2008-01-14 16:51 <DIR> d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2008-01-14 16:51 . 2008-01-14 16:51 <DIR> d-a------ C:\WINDOWS\system32\iifgfgf.dll
2008-01-14 16:51 . 2008-01-14 16:51 <DIR> d-a------ C:\WINDOWS\rundll16.exe
2008-01-14 16:51 . 2008-01-14 16:51 <DIR> d-a------ C:\WINDOWS\rundl132.dll
2008-01-14 16:51 . 2008-01-14 16:51 <DIR> d-a------ C:\WINDOWS\logo1_.exe
2008-01-14 16:40 . 2004-08-17 15:49 147,968 --a------ C:\WINDOWS\R.COM
2008-01-14 16:40 . 2004-08-17 15:49 137,216 --a------ C:\WINDOWS\system32\T.COM
2008-01-14 16:40 . 2008-01-14 16:47 50 --a------ C:\WINDOWS\Lic.xxx
2008-01-08 16:48 . 2008-01-08 16:48 <DIR> d-------- C:\WINDOWS\Sun
2008-01-08 16:46 . 2008-01-08 16:46 <DIR> d-------- C:\Program Files\Java
2008-01-08 16:46 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-08 16:45 . 2008-01-08 16:45 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-08 16:45 . 2008-01-08 16:49 671 --a------ C:\WINDOWS\mozver.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-22 15:10 --------- d-----w C:\Program Files\mIRC
2008-01-21 15:26 --------- d-----w C:\Program Files\ICQ6
2008-01-15 16:09 --------- d-----w C:\Program Files\sdc203
2008-01-14 15:41 --------- d-----w C:\Program Files\Mozilla Thunderbird
2007-02-13 09:24 76 ---ha-w C:\Program Files\Desktop.ini
2003-11-03 19:56 30,208 ----a-w C:\Program Files\GameMinimizer.exe
.

((((((((((((((((((((((((((((( snapshot@2008-01-22_17.03.32,12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-22 16:01:13 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-24 10:17:44 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-22 16:01:13 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-24 10:17:44 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-22 16:01:13 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-24 10:17:45 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-22 16:01:13 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-24 10:17:45 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-22 16:01:13 5,042,176 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-24 10:17:45 5,087,232 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-22 16:01:14 159,744 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-24 10:17:45 159,744 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-11 13:47 7311360]
"nwiz"="nwiz.exe" [2005-11-11 13:47 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-11-11 13:47 86016]
"CTHelper"="CTHELPER.EXE" [2003-08-28 09:45 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 01:00 28672]
"razer"="C:\Program Files\Razer\razerhid.exe" [2005-05-17 18:21 147456]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-12-12 18:55 53248]
"Home Theater SchSvr"="C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2004-09-29 03:01 106496]
"WINCINEMAMGR"="C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe" [2004-09-29 03:26 192512]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 22:29 579072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-17 15:49 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-21 22:16 219136]

R3 axsaki;axsaki;C:\WINDOWS\system32\DRIVERS\axsaki.sys [2003-03-30 21:38]
R3 axskbus;axskbus;C:\WINDOWS\system32\DRIVERS\axskbus.sys [2003-03-28 11:58]
R3 Cap713x;Cap713x Video Capture;C:\WINDOWS\system32\DRIVERS\Cap713x.sys [2004-10-14 08:19]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]
R3 usbccgp;Obecný nadřazený ovladač Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 23:08]
R3 usbohci;Ovladač Miniport otevřeného hostitelského řadiče Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-03 23:08]
S3 Razerlow;Razerlow USB Filter Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys [2005-04-24 22:43]
S3 usbstor;Ovladač velkokapacitního paměťového zařízení USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]
S3 w550bus;Sony Ericsson W550 driver (WDM);C:\WINDOWS\system32\DRIVERS\w550bus.sys [2005-07-15 14:47]
S3 w550mdfl;Sony Ericsson W550 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w550mdfl.sys [2005-07-15 14:48]
S3 w550mdm;Sony Ericsson W550 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\w550mdm.sys [2005-07-15 14:48]
S3 w550mgmt;Sony Ericsson W550 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\w550mgmt.sys [2005-07-15 14:49]
S3 w550obex;Sony Ericsson W550 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\w550obex.sys [2005-07-15 14:50]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 11:19:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-24 11:20:31
ComboFix-quarantined-files.txt 2008-01-24 10:20:16
ComboFix2.txt 2008-01-22 21:26:25
ComboFix3.txt 2008-01-22 17:58:38
ComboFix4.txt 2008-01-22 17:21:29
ComboFix5.txt 2008-01-22 16:04:04

Post by ewash » 24 Jan 2008 13:43

Well, I'd at least like to know what I'm actually doing :), otherwise I'll gladly delete the bad things by hand if you tell me which ones they are, thanks a lot

Post by fredik » 24 Jan 2008 15:58

Go to Start -> Run... and type into the window this command, marked in blue: ComboFix /u (there must be a space between ComboFix and /u) and click OK.

Then post a new HJT log here and say whether the problems still persist.

Post by paul27 » 25 Jan 2008 20:50

Well, fredik solved it. Unfortunately I forgot how the deletion script is written (I kept stuffing the quotes in there, so it simply couldn't be deleted), so I apologize to ewash and thank fredik for writing the correct script.

Post by ewash » 26 Jan 2008 01:30

Thanks a lot, the messages no longer appear, everything looks OK.

LOCK PLS :)

Thanks

Post by fredik » 26 Jan 2008 09:11

Also post the HijackThis log here, as I wrote, so that any minor things that may be there can be fixed.

Post by ewash » 27 Jan 2008 13:02

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:02:37, on 27.1.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Razer\razerhid.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Razer\razerofa.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\ICQ6\ICQ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.atlas.cz/?from=icqhp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINCINEMAMGR] "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Stáhnout Free Download Managerem - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Stáhnout vybrané Free Download Managerem - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Stáhnout vše Free Download Managerem - file://C:\Program Files\Free Download Manager\dlall.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\Ctsvccda.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 5923 bytes

