

[b]SDFix: Version 1.240 [/b]
Run by hubron on 2009-01-03 at 16:47
Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix
[b]Checking Services [/b]:
[b]Name [/b]:
{DEF85C80-216A-43ab-AF70-1665EDBE2780}
[b]Path [/b]:
\??\C:\WINDOWS\TEMP\4.tmp
{DEF85C80-216A-43ab-AF70-1665EDBE2780} - Deleted
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
[b]Checking Files [/b]:
No Trojan Files Found
[color=red]Note - Files associated with the MBR Rootkit have been found on this system, to check the PC use the [url=http://www2.gmer.net/mbr/]MBR Rootkit Detector[/url] by Gmer[/color]
Removing Temp Files
[b]ADS Check [/b]:
[b]Final Check [/b]:
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-03 16:53:14
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:7f039801
"s2"=dword:93058995
"h0"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:02,1c,3c,00,be,61,65,3c,20,1c,64,b1,c0,f7,33,8e,0d,5d,73,75,61,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000001
"khjeh"=hex:4c,20,8d,be,ea,2d,23,51,4f,9b,23,ba,87,15,4d,7f,38,91,87,02,27,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,4c,56,c1,14,3c,94,bc,11,24,3e,49,71,50,3b,b5,20,42,..
"khjeh"=hex:2e,76,f6,2c,00,63,c9,08,ff,f1,6f,61,80,b3,51,70,fe,cc,23,9b,55,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:19,d1,b1,82,04,56,f8,b4,00,2b,c4,fb,f2,b2,a3,e4,62,64,3f,01,77,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:60,52,a2,d7,0d,7e,a5,cd,29,82,25,68,b0,77,7a,20,a4,b1,eb,79,63,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:02,1c,3c,00,be,61,65,3c,20,1c,64,b1,c0,f7,33,8e,0d,5d,73,75,61,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000001
"khjeh"=hex:4c,20,8d,be,ea,2d,23,51,4f,9b,23,ba,87,15,4d,7f,38,91,87,02,27,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,4c,56,c1,14,3c,94,bc,11,24,3e,49,71,50,3b,b5,20,42,..
"khjeh"=hex:2e,76,f6,2c,00,63,c9,08,ff,f1,6f,61,80,b3,51,70,fe,cc,23,9b,55,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:19,d1,b1,82,04,56,f8,b4,00,2b,c4,fb,f2,b2,a3,e4,62,64,3f,01,77,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:60,52,a2,d7,0d,7e,a5,cd,29,82,25,68,b0,77,7a,20,a4,b1,eb,79,63,..
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120% (Trial Version)"
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
[b]Remaining Services [/b]:
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\WinFast\\WFDTV\\DVBTAP.exe"="C:\\Program Files\\WinFast\\WFDTV\\DVBTAP.exe:*:Disabled:WinFast DTV Application"
"D:\\PROGRAMY\\Programs\\RM.exe"="D:\\PROGRAMY\\Programs\\RM.exe:*:Enabled:Render Manager"
"D:\\PROGRAMY\\Programs\\Studio.exe"="D:\\PROGRAMY\\Programs\\Studio.exe:*:Enabled:Studio"
"D:\\PROGRAMY\\Programs\\umi.exe"="D:\\PROGRAMY\\Programs\\umi.exe:*:Enabled:umi"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[b]Remaining Files [/b]:
File Backups: - C:\SDFix\backups\backups.zip
[b]Files with Hidden Attributes [/b]:
Mon 22 Dec 2008 23 A.SH. --- "C:\WINDOWS\system32\addbaed_z.dll"
Sun 3 Feb 2008 824,832 A..H. --- "C:\Documents and Settings\All Users\Dane aplikacji\Data\LicenseManager2007.dll"
Sat 23 Aug 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
[b]Finished![/b]
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:55:39, on 2009-01-03
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Documents and Settings\hubron\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\hubron\Pulpit\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.allegro.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\PROGRAMY\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - D:\PROGRAMY\ghgggg\MegaIEMn.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [CTCheck] C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
O4 - HKLM\..\Run: [WinGuard Pro] C:\WINDOWS\system32\setup_vf.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\hubron\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\PROGRAMY\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\PROGRAMY\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\PROGRAMY\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download Video - http://www.viloader.net/addon.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRAMY\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Pobierz z &BitSpirit - D:\HAHA\BitSpirit\bsurl.htm
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRAMY\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\PROGRAMY\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 6283 bytes
ComboFix 09-01-01.02 - hubron 2009-01-03 17:09:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.511.194 [GMT 1:00]
Uruchomiony z: d:\program files\ComboFix.exe
* Resident AV is active
[COLOR=RED][B]UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !![/B][/COLOR]
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\addbaed_z.dll
c:\windows\system32\Dvbpws.dll
.
((((((((((((((((((((((((( Pliki utworzone od 2008-12-03 do 2009-01-03 )))))))))))))))))))))))))))))))
.
2009-01-03 17:05 . 2009-01-03 17:06 2,888,937 -ra------ d:\program files\ComboFix.exe
2009-01-03 16:45 . 2009-01-03 16:45 <DIR> d-------- c:\windows\ERUNT
2009-01-03 16:39 . 2009-01-03 16:54 <DIR> d----c--- C:\SDFix
2009-01-03 16:38 . 2009-01-03 16:38 1,529,241 --a------ d:\program files\SDFix.exe
2009-01-03 14:05 . 2009-01-03 14:05 <DIR> d-------- d:\program files\ESET
2009-01-03 14:05 . 2009-01-03 14:05 <DIR> d----c--- c:\documents and settings\All Users\Dane aplikacji\ESET
2009-01-02 11:13 . 2009-01-02 11:13 <DIR> d-------- d:\program files\x2
2009-01-01 20:57 . 2009-01-01 20:57 <DIR> d--h----- d:\program files\InstallShield Installation Information
2009-01-01 20:56 . 2009-01-01 20:56 <DIR> d-------- c:\documents and settings\NetworkService\Dane aplikacji\Xfire
2009-01-01 20:56 . 2009-01-01 20:56 <DIR> d----c--- c:\documents and settings\hubron\Dane aplikacji\InstallShield
2008-12-31 11:58 . 2008-12-31 11:58 43,520 --a------ c:\windows\system32\CmdLineExt03.dll
2008-12-31 08:03 . 2008-12-31 08:03 <DIR> d-------- d:\program files\PocketRAR
2008-12-30 21:39 . 2008-12-30 21:43 <DIR> d-------- d:\program files\Xfire
2008-12-30 21:39 . 2009-01-02 15:30 <DIR> d----c--- c:\documents and settings\hubron\Dane aplikacji\Xfire
2008-12-27 07:33 . 2008-12-27 07:33 <DIR> d----c--- C:\Downloads
2008-12-23 18:40 . 2008-12-23 18:40 <DIR> d-------- d:\program files\Ahead
2008-12-23 18:38 . 2008-12-23 18:38 <DIR> d----c--- c:\documents and settings\All Users\Dane aplikacji\QuickTime
2008-12-23 18:20 . 2008-12-23 18:20 <DIR> d----c--- c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files
2008-12-23 18:19 . 2008-12-23 18:19 <DIR> d----c--- c:\documents and settings\hubron\Dane aplikacji\Kaspersky_Key_Finder_(KKF
2008-12-22 20:08 . 2008-12-22 20:08 69 --a------ c:\windows\NeroDigital.ini
2008-12-22 18:43 . 2008-12-22 18:43 <DIR> d-------- d:\program files\microsoft frontpage
2008-12-22 10:29 . 2008-12-23 13:58 <DIR> d-------- c:\program files\Common Files\Nero
2008-12-22 09:47 . 2008-12-22 09:47 23 --a------ c:\windows\system32\adbeaedfaba8_z.ocx
2008-12-11 21:38 . 2008-12-11 21:38 42,320 --a------ c:\windows\system32\xfcodec.dll
2008-12-09 16:47 . 2008-12-12 20:53 <DIR> d----c--- c:\documents and settings\hubron\Dane aplikacji\U3
2008-12-09 16:16 . 2008-12-09 16:16 <DIR> d-------- C:\Drivers
2008-12-09 16:16 . 2008-07-01 11:04 1,155,072 --a------ c:\windows\system32\ChilkatCrypt2.dll
2008-12-09 16:16 . 2006-02-13 02:22 933,888 --a------ c:\windows\system32\SmartTabs29.ocx
2008-12-09 16:16 . 2004-11-14 05:27 212,992 --a------ c:\windows\system32\wodShellMenu.dll
2008-12-09 16:16 . 2008-07-29 22:53 45,056 --a------ c:\windows\system32\regexprt.exe
2008-12-09 16:16 . 2008-07-30 08:59 24,264 --a------ c:\windows\system32\winguard.chm
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-23 13:13 --------- dc----w c:\documents and settings\hubron\Dane aplikacji\Hamachi
2008-12-15 14:45 --------- d-----w c:\program files\Common Files\Panda Software
2008-12-12 16:26 --------- d-----w c:\program files\Common Files\Ahead
2008-12-11 16:14 --------- dc----w c:\documents and settings\hubron\Dane aplikacji\Nero
2008-11-28 18:11 --------- dc----w c:\documents and settings\hubron\Dane aplikacji\BitSpirit
2008-11-05 14:30 --------- dc----w c:\documents and settings\hubron\Dane aplikacji\Megaupload
2008-11-05 14:30 --------- dc----w c:\documents and settings\hubron\Dane aplikacji\EmailNotifier
2008-11-05 14:30 --------- dc----w c:\documents and settings\All Users\Dane aplikacji\Megaupload
2008-11-05 14:30 --------- dc----w c:\documents and settings\All Users\Dane aplikacji\EmailNotifier
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-04 486856]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]
"Google Update"="c:\documents and settings\hubron\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-25 335872]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
"NeroCheck"="c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648]
"egui"="d:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i263_32.drv
"VIDC.XFR1"= xfcodec.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:D *
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"22720:TCP"= 22720:TCP:BitComet 22720 TCP
"22720:UDP"= 22720:UDP:BitComet 22720 UDP
"13186:TCP"= 13186:TCP:BitComet 13186 TCP
"13186:UDP"= 13186:UDP:BitComet 13186 UDP
R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-07-01 34312]
R2 ekrn;Eset Service;"d:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe" [2008-07-01 468224]
R3 bbcap;bbcap;c:\windows\system32\DRIVERS\bbcap.sys [2008-08-29 4096]
R3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\Drivers\LCcFltr.Sys [2008-02-20 14156]
S3 DtvAudio;DtvAudio;c:\windows\system32\DRIVERS\DtvAudio.sys [2008-03-25 10330]
S3 DtvVideo;DtvVideo;c:\windows\system32\DRIVERS\DtvVideo.sys [2008-03-25 25600]
S3 WFIOCTL;WFIOCTL;\??\c:\program files\WinFast\WFDTV\WFIOCTL.SYS []
S3 WFLR6654;WinFast TV2000 XP Global/Global TV (Video);c:\windows\system32\drivers\wfeaglxt.sys [2008-02-19 405632]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{333d44a8-c47c-11dd-a1d9-000ea64330c9}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
*Newly Created Service* - PROCEXP90
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Zawartość folderu 'Zaplanowane zadania'
2009-01-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-796845957-1078145449-682003330-1003.job
- c:\documents and settings\hubron\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe [2008-09-03 15:46]
.
- - - - USUNIĘTO PUSTE WPISY - - - -
WebBrowser-{A057A204-BACC-4D26-C39E-35F1D2A32EC8} - (no file)
HKLM-Run-WinGuard Pro - c:\windows\system32\setup_vf.exe
HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
HKLM-Run-NWEReboot - (no file)
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.allegro.pl/
uInternet Connection Wizard,ShellNext = iexplore
IE: &D&ownload &with BitComet - d:\programy\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - d:\programy\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - d:\programy\BitComet\BitComet.exe/AddAllLink.htm
IE: Download Video - http://www.viloader.net/addon.htm
IE: E&ksport do programu Microsoft Excel - d:\programy\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Pobierz z &BitSpirit - d:\haha\BitSpirit\bsurl.htm
IE: { - c:\program files\Messenger\msmsgs.exe
FF - ProfilePath - c:\documents and settings\hubron\Dane aplikacji\Mozilla\Firefox\Profiles\yy3765bb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.plemiona.pl/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\documents and settings\hubron\Dane aplikacji\Mozilla\Firefox\Profiles\yy3765bb.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
FF - component: c:\program files\DAEMON Tools Toolbar\FirefoxDTT\components\DTToolbarFF.dll
FF - plugin: c:\documents and settings\hubron\Ustawienia lokalne\Dane aplikacji\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Adobe\Acrobat 5.0 CE\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJPI140_03.dll
FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Windows Media Player\npdrmv2.dll
FF - plugin: c:\program files\Windows Media Player\npdsplay.dll
FF - plugin: c:\program files\Windows Media Player\npwmsdrm.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-03 17:10:18
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
- - - - - - - > 'winlogon.exe'(552)
c:\windows\SYSTEM32\Ati2evxx.dll
.
Czas ukończenia: 2009-01-03 17:11:05
ComboFix-quarantined-files.txt 2009-01-03 16:10:45
Przed: 3,116,843,008 bajtów wolnych
Po: 3,111,829,504 bajtów wolnych
164
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x950a600 size 0x1a8 !
copy of MBR has been found in sector 62 !
c:\windows\system32\ChilkatCrypt2.dll
c:\windows\system32\SmartTabs29.ocx
c:\windows\system32\wodShellMenu.dll
c:\windows\system32\regexprt.exe
c:\windows\system32\winguard.chm