Prosím o kontrolu logu+hláška CTF Loader

[Baron Prášil]

tak se podíváme co nám poví combofix
Stáhni si ComboFix (by sUBs) a ulož si ho na plochu.
Ukonči všechna aktivní okna a spusť ho.
- Po spuštění se zobrazí podmínky užití, potvrď je stiskem klávesy 1
- Dále postupuj dle pokynů, během aplikování ComboFixu neklikej do zobrazujícího se okna
- Po dokončení skenování by měl program vytvořit log, který se ti zobrazí, jinak ho najdeš zde: C:\ComboFix.txt - zkopíruj sem prosím celý jeho obsah

[Reklama]

[JANíčOK]

Pozriem sa na to hneď ako prídem domov a zašlem log. Zatiaľ veľmi pekne ďakujem!

[JANíčOK]

Posielam log z ComboFixu. Keď som ho spustil PC nejako čudne pípol, neviete čo to bolo?

ComboFix 08-02.05.3 - Ján Beňo 2008-02-08 15:59:01.3 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.527 [GMT 1:00]
Running from: C:\Documents and Settings\Ján Beňo\Plocha\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Data aplikací\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Data aplikací\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\pPTS41.dll

----- BITS: Possible infected sites -----

hxxp://www.download.windowsupdate.com
.
((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
.

2008-02-05 21:46 . 2008-02-05 21:46 <DIR> d-------- C:\Program Files\ptc_custom
2008-02-05 21:18 . 2008-02-05 21:21 <DIR> d-------- C:\zaloha Applic
2008-02-03 17:35 . 2008-02-03 17:34 158,483 --a------ C:\config.pro
2008-02-03 15:59 . 2008-02-07 22:06 43 --a------ C:\WINDOWS\gswin32.ini
2008-02-03 15:50 . 2008-02-03 15:50 <DIR> d-------- C:\Program Files\gs
2008-02-02 22:56 . 2008-02-02 22:56 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-02 22:56 . 2008-02-02 22:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-31 19:10 . 2008-01-31 19:11 <DIR> d-------- C:\CMonitor
2008-01-27 23:48 . 2008-01-27 23:48 <DIR> d-------- C:\Program Files\Microsoft Office 2003
2008-01-27 23:40 . 2008-01-27 23:53 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-01-27 20:29 . 2008-01-27 20:29 <DIR> d-------- C:\Program Files\CCleaner
2008-01-27 17:05 . 2008-01-27 22:46 <DIR> d-------- C:\Program Files\Microsoft Office 2007
2008-01-22 19:25 . 2008-01-27 23:54 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Microsoft Help
2008-01-21 22:42 . 2008-01-27 13:40 <DIR> d-------- C:\Program Files\MSTS Activity Analysis
2008-01-19 20:36 . 2008-01-19 20:36 104,954 --a------ C:\acadminidump.dmp
2008-01-19 17:04 . 2008-01-19 17:04 <DIR> d-------- C:\Program Files\IrfanView
2008-01-16 18:12 . 2003-05-30 08:00 1,189,888 --a--c--- C:\WINDOWS\system32\dx8vb.dll
2008-01-16 18:12 . 2003-05-30 08:00 1,189,888 --a--c--- C:\WINDOWS\system32\dllcache\dx8vb.dll
2008-01-13 20:25 . 2008-01-13 20:25 45 --a------ C:\WINDOWS\system32\initdebug.nfo
2008-01-13 20:23 . 2008-01-13 22:14 <DIR> d-------- C:\Program Files\SpeedFan
2008-01-11 17:01 . 2008-01-11 17:01 <DIR> d-------- C:\Program Files\Common Files\COWON
2008-01-10 22:12 . 2008-01-10 22:12 214,232 --a------ C:\BrowzarWinstyle1500.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-08 14:57 --------- d-----w C:\Documents and Settings\Ján Beňo\Data aplikací\DMCache
2008-02-07 21:29 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-02-06 22:07 --------- d-----w C:\Documents and Settings\Ján Beňo\Data aplikací\Skype
2008-02-03 23:36 814,080 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-01-28 19:04 --------- d-----w C:\Program Files\JetAudio
2008-01-27 22:42 --------- d-----w C:\Program Files\Microsoft.NET
2008-01-27 22:35 --------- d-----w C:\Program Files\7-Zip
2008-01-27 20:56 --------- d-----w C:\Program Files\QIP
2008-01-27 20:15 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2008-01-27 20:03 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd1469.sys
2008-01-26 20:32 --------- d-----w C:\Program Files\AnyReader
2008-01-22 23:59 52,736 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-01-22 23:59 2,145,280 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-01-22 19:01 56,832 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-01-21 22:28 436,736 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-01-21 22:28 2,133,504 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-01-19 15:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-19 15:28 --------- d-----w C:\Program Files\Smarty Uninstaller Pro
2008-01-19 15:28 --------- d-----w C:\Program Files\RegVac Registry Cleaner
2008-01-19 15:28 --------- d-----w C:\Program Files\epson
2008-01-19 15:28 --------- d-----w C:\Documents and Settings\Ján Beňo\Data aplikací\Uniblue
2008-01-19 15:27 --------- d-----w C:\Documents and Settings\Ján Beňo\Data aplikací\Smart PC Solutions
2008-01-19 15:25 --------- d-----w C:\Program Files\Google
2008-01-16 17:28 --------- d-----w C:\Program Files\ConBuilder
2008-01-13 11:46 90,624 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-01-12 14:35 41,984 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-01-12 14:35 2,003,968 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-01-12 00:23 890,368 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-01-12 00:23 2,001,408 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-01-11 16:01 --------- d-----w C:\Documents and Settings\Ján Beňo\Data aplikací\COWON
2008-01-09 14:40 --------- d-----w C:\Documents and Settings\Ján Beňo\Data aplikací\IDM
2008-01-08 21:17 --------- d-----w C:\Program Files\Microsoft Games
2008-01-08 20:28 --------- d-----w C:\Program Files\ICQToolbar
2008-01-05 23:01 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-01-05 23:00 --------- d-----w C:\Program Files\AVSMedia
2008-01-05 22:12 --------- d-----w C:\Program Files\kmp
2008-01-05 11:24 --------- d-----w C:\Program Files\Shape Viewer
2008-01-01 15:23 --------- d-----w C:\Program Files\Java
2008-01-01 15:23 --------- d-----w C:\Program Files\Common Files\Java
2007-12-31 18:08 71,680 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2007-12-31 18:08 1,321,472 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2007-12-31 17:07 --------- d-----w C:\Program Files\Zone Labs
2007-12-31 16:33 --------- d-----w C:\Program Files\CyberLink
2007-12-31 09:12 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\DVD Shrink
2007-12-31 06:44 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\CyberLink
2007-09-06 18:07 7,906 -c--a-w C:\Program Files\irunin.bmp
2007-09-06 18:07 55,719 -c--a-w C:\Program Files\irunin.dat
2007-09-06 18:07 18,226 -c--a-w C:\Program Files\irunin.ini
2007-09-06 18:07 16,152 -c--a-w C:\Program Files\irunin.lng
2007-09-02 13:39 15,792,436 -c--a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_09_02_14_04_53_full.dmp.zip
2007-09-02 06:32 17,827,220 -c--a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_09_01_22_52_05_full.dmp.zip
2007-09-01 20:50 18,144,769 -c--a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_09_01_21_44_17_full.dmp.zip
2007-09-01 20:50 18,098,218 -c--a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_09_01_21_22_43_full.dmp.zip
2007-09-01 18:43 18,114,202 -c--a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_09_01_11_15_52_full.dmp.zip
2007-09-01 07:31 18,935,240 -c--a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_08_31_18_48_01_full.dmp.zip
2007-08-31 15:27 17,965,913 -c--a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_08_31_16_56_17_full.dmp.zip
2007-08-30 19:12 18,073,229 -c--a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_08_30_20_53_52_full.dmp.zip
2007-08-30 19:11 19,038,364 -c--a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_08_30_19_42_54_full.dmp.zip
2007-08-30 17:49 17,903,906 -c--a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_08_30_19_07_18_full.dmp.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 23:49 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-09-13 10:12 139264]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 16:51 57344]
"EPSON Stylus Photo RX620 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HE.exe" [2004-05-19 19:00 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-10-04 13:12 90112 C:\WINDOWS\soundman.exe]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-02-07 10:57 949376]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-23 10:26 77824]
"FineReader7NewsReaderPro"="C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe" [2003-12-10 00:19 278528]
"EPSON Stylus Photo RX620 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HE.exe" [2004-05-19 19:00 98304]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 20:05 344064]
"pdfFactory Pro Dispečér v2"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" [2005-03-29 21:40 483328]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-03-16 11:34 755480]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-17 23:49 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-08-05 20:05 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpeedUpMyPC]
C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe

R2 MSSQL$AUTODESKVAULT;SQL Server (AUTODESKVAULT);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" [2007-02-13 07:08]
R2 pqeauto.database.dbmonitor.GMG;pqeauto.database.dbmonitor.GMG;C:\Program Files\BHPS\Gmg\bin\DBMonService.exe -sn"pqeauto.database.dbmonitor.GMG" []
R2 pqeauto.energy.mappermonitor;pqeauto.energy.mappermonitor;C:\Program Files\BHPS\Pmap1\bin\MapperMonService.exe -sn"pqeauto.energy.mappermonitor" []
R2 pqeauto.engine.tomcatmonitor.GMG;pqeauto.engine.tomcatmonitor.GMG;C:\Program Files\BHPS\Gmg\bin\TomcatMonService.exe [2007-07-31 16:02]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-17 23:49]
R3 dsnpfd;DeskSoft Service;C:\WINDOWS\system32\DRIVERS\dsnpfd.sys [2007-03-15 11:09]
R3 FlarionDTM;Flarion DTM Network Interface;C:\WINDOWS\system32\DRIVERS\FlrnDTM.sys [2005-05-26 13:06]
R3 PAC207;Trust WB-1200p Mini Webcam;C:\WINDOWS\system32\DRIVERS\pfc027.sys [2005-02-24 11:29]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-04 07:04]
S3 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2006-04-14 09:04]
S3 tap0801;TAP-Win32 Adapter V8;C:\WINDOWS\system32\DRIVERS\tap0801.sys [2004-06-24 02:54]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\SETUP.EXE
\Shell\configure\command - G:\SETUP.EXE
\Shell\install\command - G:\SETUP.EXE

.
Contents of the 'Scheduled Tasks' folder
"2008-01-25 16:16:08 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-08 16:02:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
EPSON Stylus Photo RX620 Series = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HE.EXE /P31 "EPSON Stylus Photo RX620 Series" /M "Stylus Photo RX620" /EF "HKCU"??????????????????????????????4??????w|??w ?w?? ?p\O?dl?w?l?w?O?w???w?tf?????9??w?P?w8???????O??????????????????????????wx??w8???????9??w????????????[??w???????????????????????????????|?????????tf?????????????????sJ?wr??w???w8???????????*???????????3???`?%?????B???????4????h?w8???????????????????????????????T????h?w?????????????H??????????????-??w???????????????w????????8???????????`??

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-02-08 16:06:51
ComboFix-quarantined-files.txt 2008-02-08 15:06:42
[/code]

[Baron Prášil]

nic špatnýho nevidím.bude to nějaká systémová chybka.

[JANíčOK]

Neviem prečo, ale od vtedy ako som použil ComboFix sú niektoré názvy súborov písané normálnym čiernym písmom a niektoré modrým... ako sa to dá napraviť? ComboFix som normálne odinštaloval.
Keď tak na to lepšie pozerám zisťujem že to má zrejme niečo s tým ComboFixom, lebo v ComboFix.log je toto: ((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
a súbory vytvorené alebo upravené medzi tými dátumami sú čiernym písmom a ostatné modrým.

[Baron Prášil]

mohli by sme ten log vidět?nebo je tajnej?

[JANíčOK]

Myslím ten log čo je tu na str. 1.

[Baron Prášil]

tenhle tejden byl tochu pernej logy se mi již mírně pletou
modrý soubory jsou komprimovaný-neni to problém.

[JANíčOK]

Ďakujem. A čo mám urobiť so súborom kmd.exe ktorý mi ComboFix vytvoril na C:\ ?

[Baron Prášil]

klíďo smazat.
můžeš použít též T-Cleaner smaže vše po Combu,SDFixu,Avengeru atd.