robo21
(Robert)
9 June 2007 15:36
#1
Hello everyone,
For a few days now my server running Windows 2000 Server has been sending out spam. I tried to clean it using my own methods. I partly succeeded, but after 24 hours it starts sending spam again. I have logs from HijackThis and Silent Runners. Please advise and look through the logs.
Logfile of HijackThis v1.99.1
Scan saved at 12:09:21, on 2007-06-09
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\Program Files\CoSine Communications\IPSec Dial Client\IreIKE.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\aspimgr.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\CoSine Communications\IPSec Dial Client\IPSecMon.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\system32\logon.scr
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\CMD.EXE
C:\DOCUME~1\grzes'm3\LOCALS~1\Temp\1\wnset.exe
C:\Documents and Settings\grzes'm3\Desktop\HijackThis.exe
C:\ComboFix\nircmd.cfexe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 193.22.169.3:8080
O2 - BHO: C:\WINNT\system32\jseufr73hb.dll - {8D5849C4-93F3-429D-FF34-260A2068897C} - C:\WINNT\system32\jseufr73hb.dll
O4 - HKLM\..\Run: [FMStart] "C:\Program Files\GFI\FAXmaker Client\FMSTART.EXE"
O4 - HKLM\..\Run: [combofix] C:\WINNT\system32\cmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: IPSec Dial Client.lnk = C:\Program Files\CoSine Communications\IPSec Dial Client\SafeCfg.exe.vir
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://hd.zibi.pl/serwerekranu/msrdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = zibi.pl
O17 - HKLM\System\CCS\Services\Tcpip\..\{62F74129-3715-4F00-A91E-E47768F51372}: Domain = zibi.pl
O17 - HKLM\System\CCS\Services\Tcpip\..\{62F74129-3715-4F00-A91E-E47768F51372}: NameServer = 192.168.1.10,192.168.2.4
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = zibi.pl
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = zibi.pl,zibi.biz
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = zibi.pl
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = zibi.pl,zibi.biz
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = zibi.pl,zibi.biz
O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINNT\system32\aspimgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\CoSine Communications\IPSec Dial Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\CoSine Communications\IPSec Dial Client\IreIKE.exe
O23 - Service: Password - Unknown owner - C:\WINNT\System32\PwdServ.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)


"grzes'm3" - 2007-06-09 8:52:10 Service Pack 4 NTFS
ComboFix 07-06-3B - Running from: "C:\Documents and Settings\grzes'm3\Desktop\pytonfix"

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINNT\g32.txt
C:\WINNT\s32.txt
C:\WINNT\ws386.ini

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_LDRSVC
-------\LEGACY_NM
-------\LEGACY_NTIO256
-------\nm
-------\ntio256

((((((((((((((((((((((((( Files Created from 2007-05-09 to 2007-06-09 )))))))))))))))))))))))))))))))

2007-06-08 18:57 16˙384 --a----t- C:\WINNT\system32\Perflib_Perfdata_3fc.dat
2007-06-08 18:34
2007-06-08 17:34
2007-06-08 12:25 48˙912 --a------ C:\WINNT\system32\Ntrights.exe
2007-06-08 12:25 28˙672 --a------ C:\WINNT\system32\restart.exe
2007-06-08 12:25 185˙344 --a------ C:\WINNT\system32\strings.exe
2007-06-08 12:25 139˙264 --a------ C:\WINNT\system32\zip.exe
2007-06-08 12:25 11˙254 --a------ C:\WINNT\system32\locate.com
2007-06-08 10:52 58˙880 --a------ C:\WINNT\nircmd.exe
2007-06-08 10:34 65˙536 --a------ C:\WINNT\system32\Process.exe
2007-06-08 10:34 60˙928 --a------ C:\WINNT\system32\dumphive.exe
2007-06-08 10:34 288˙417 --a------ C:\WINNT\system32\SrchSTS.exe
2007-06-06 17:28 40˙448 --a------ C:\WINNT\system32\ipmon.exe
2007-06-06 01:05 73˙728 --a------ C:\WINNT\system32\aspimgr.exe
2007-06-05 22:17 737˙280 --a------ C:\WINNT\system32\r_server.exe
2007-06-05 22:16
2007-06-05 21:32 253˙200 -ra------ C:\WINNT\explorer.exe
2007-06-05 20:07 954˙368 --a------ C:\temp\abmaster.dll
2007-06-05 20:07 194˙560 --a------ C:\temp\avfix.exe
2007-06-05 19:59
2007-06-01 18:47 15˙376 --a------ C:\DOCUME~1\przyda'g\nspmcvt.exe
2007-06-01 18:47 135˙168 --ah----- C:\DOCUME~1\przyda'g\NTUSER.DAT
2007-06-01 18:47
2007-06-01 18:47
2007-06-01 18:13 53˙248 --------- C:\WINNT\system32\PwdServ.exe
2007-06-01 13:58 15˙376 --a------ C:\DOCUME~1\komend'r\nspmcvt.exe
2007-06-01 13:58 126˙976 --ah----- C:\DOCUME~1\komend'r\NTUSER.DAT
2007-06-01 13:58
2007-06-01 13:58
2007-06-01 12:08
2007-06-01 12:06
2007-06-01 11:40
2007-06-01 11:26
2007-06-01 08:16
2007-05-31 17:24 8˙192 --a------ C:\DOCUME~1\ALLUSE~1\ntuser.dat
2007-05-31 17:24
2007-05-31 17:11
2007-05-31 17:11
2007-05-31 16:51 66˙832 --a------ C:\WINNT\system32\w32tm.exe
2007-05-31 16:51 57˙104 --a------ C:\WINNT\system32\wlnotify.dll
2007-05-31 16:51 48˙400 --a------ C:\WINNT\system32\w32time.dll
2007-05-31 16:51 399˙120 --a------ C:\WINNT\system32\USERENV.DLL
2007-05-31 16:51 29˙456 --a------ C:\WINNT\system32\VDMDBG.DLL
2007-05-31 16:51 239˙888 --a------ C:\WINNT\system32\wow32.dll
2007-05-31 16:51 167˙184 --a------ C:\WINNT\system32\WINTRUST.DLL
2007-05-31 16:51 146˙192 --a------ C:\WINNT\system32\WLDAP32.DLL
2007-05-31 16:50 973˙072 --a------ C:\WINNT\system32\sfcfiles.dll
2007-05-31 16:50 94˙992 --a------ C:\WINNT\system32\LLSSRV.EXE
2007-05-31 16:50 938˙768 --a------ C:\WINNT\system32\ntdsa.dll
2007-05-31 16:50 78˙096 --a------ C:\WINNT\system32\cryptsvc.dll
2007-05-31 16:50 71˙440 --a------ C:\WINNT\system32\browser.dll
2007-05-31 16:50 63˙760 --a------ C:\WINNT\system32\CRYPTNET.DLL
2007-05-31 16:50 63˙760 --a------ C:\WINNT\system32\adsmsext.dll
2007-05-31 16:50 563˙984 --a------ C:\WINNT\system32\CRYPT32.DLL
2007-05-31 16:50 56˙080 --a------ C:\WINNT\system32\cabinet.dll
2007-05-31 16:50 549˙136 --a------ C:\WINNT\system32\netcfgx.dll
2007-05-31 16:50 49˙424 --a------ C:\WINNT\system32\EVENTLOG.DLL
2007-05-31 16:50 46˙352 --a------ C:\WINNT\system32\BASESRV.DLL
2007-05-31 16:50 443˙664 --a------ C:\WINNT\system32\CRYPTUI.DLL
2007-05-31 16:50 366˙864 --a------ C:\WINNT\system32\NETLOGON.DLL
2007-05-31 16:50 338˙704 --a------ C:\WINNT\system32\MSGINA.DLL
2007-05-31 16:50 32˙528 --------- C:\WINNT\system32\fltmc.exe
2007-05-31 16:50 299˙792 --a------ C:\WINNT\system32\dsprop.dll
2007-05-31 16:50 29˙968 --a------ C:\WINNT\system32\profmap.dll
2007-05-31 16:50 261˙904 --a------ C:\WINNT\system32\scesrv.dll
2007-05-31 16:50 246˙544 --a------ C:\WINNT\system32\CMD.EXE
2007-05-31 16:50 241˙936 --a------ C:\WINNT\system32\msjtes40.dll
2007-05-31 16:50 18˙192 --------- C:\WINNT\system32\fltlib.dll
2007-05-31 16:50 17˙680 --a------ C:\WINNT\system32\seclogon.dll
2007-05-31 16:50 151˙312 --a------ C:\WINNT\system32\SCHANNEL.DLL
2007-05-31 16:50 136˙912 --------- C:\WINNT\system32\drivers\fltmgr.sys
2007-05-31 16:50 134˙928 --a------ C:\WINNT\system32\adsldpc.dll
2007-05-31 16:50 131˙856 --a------ C:\WINNT\system32\mstask.exe
2007-05-31 16:50 130˙832 --a------ C:\WINNT\system32\adsldp.dll
2007-05-31 16:50 117˙520 --a------ C:\WINNT\system32\PSBASE.DLL
2007-05-31 16:50 114˙448 --a------ C:\WINNT\system32\scecli.dll
2007-05-31 16:50 114˙448 --a------ C:\WINNT\system32\newdev.dll
2007-05-31 16:50 1˙507˙600 --a------ C:\WINNT\system32\msjet40.dll
2007-05-31 16:32
2007-05-31 16:31
2007-05-31 11:30
2007-05-31 11:21 41˙240 --a------ C:\WINNT\system32\wups.dll
2007-05-31 11:21 194˙328 --a------ C:\WINNT\system32\wuaueng1.dll
2007-05-31 11:21 18˙200 --a------ C:\WINNT\system32\wups2.dll
2007-05-31 11:21 127˙256 --a------ C:\WINNT\system32\wucltui.dll
2007-05-31 11:20 465˙176 --a------ C:\WINNT\system32\wuapi.dll
2007-05-31 11:20 172˙312 --a------ C:\WINNT\system32\wuauclt1.exe
2007-05-31 11:20
2007-05-31 11:14
2007-05-31 10:49
2007-05-30 17:35 11˙824 --a------ C:\WINNT\sxfkql.exe
2007-05-29 01:26 10˙000 --a------ C:\WINNT\system32\jseufr73hb.dll

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-08 16:26:51 -------- d-----w C:\Program Files\Hyena
2007-05-31 08:11:52 -------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-04-05 07:17:39 2,854,400 ----a-w C:\WINNT\system32\msi.dll
2007-03-15 10:00:36 466,432 ----a-w C:\WINNT\system32\SkanerOnline.dll
2007-03-13 09:44:49 245,520 ----a-w C:\WINNT\system32\WINSRV.DLL

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{8D5849C4-93F3-429D-FF34-260A2068897C}=C:\WINNT\system32\jseufr73hb.dll [07-05-29 01:26]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FMStart"="C:\Program Files\GFI\FAXmaker Client\FMSTART.EXE" []
"combofix"="C:\WINNT\system32\cmd.exe" [04-11-03 00:48]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Restore Operation"=C:\WINNT\TEMP\svchots.exe
"xp_sys"="C:\WINNT\servicepackfiles\mmwnd.exe" updated

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8D5849C4-93F3-429D-FF34-260A2068897C}"="C:\WINNT\system32\jseufr73hb.dll" [07-05-29 01:26]
"{8D5849A2-93F3-429D-FF34-260A2068897C}"="C:\WINNT\system32\lfhs76ghf.dll" []

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages FPNWCLNT RASSFM KDCSVC scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrv Tapisrv

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
WmdmPmSN

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-09 12:08:14
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...
? [1880]

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-09 12:09:09 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-06-09 12:09
C:\ComboFix2.txt ... 07-06-08 10:52

--- E O F ---


"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"internat.exe" = "internat.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"FMStart" = ""C:\Program Files\GFI\FAXmaker Client\FMSTART.EXE"" [file not found]
"combofix" = "C:\WINNT\system32\cmd.exe /c C:\ComboFix\Combobatch.bat" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{8D5849C4-93F3-429D-FF34-260A2068897C}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "C:\WINNT\system32\jseufr73hb.dll"
                   \InProcServer32\(Default) = "C:\WINNT\system32\jseufr73hb.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {HKLM...CLSID} = "Display Panning CPL Extension"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
<<!>> "{8D5849C4-93F3-429D-FF34-260A2068897C}" = "Hex port setting"
  -> {HKLM...CLSID} = "C:\WINNT\system32\jseufr73hb.dll"
                   \InProcServer32\(Default) = "C:\WINNT\system32\jseufr73hb.dll" [null data]
<<!>> "{8D5849A2-93F3-429D-FF34-260A2068897C}" = "Fdjskie8 jf8e"
  -> {HKLM...CLSID} = "C:\WINNT\system32\lfhs76ghf.dll"
                   \InProcServer32\(Default) = "C:\WINNT\system32\lfhs76ghf.dll" [file not found]

HKLM\System\CurrentControlSet\Control\SecurityProviders\
<<!>> ("pwdssp.dll" [MS]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll"

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"DfsInit" [MS]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
UltraEdit-32\(Default) = "{b5eedee0-c06e-11cf-8c56-444553540000}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\UltraEdit\ue32ctmn.dll" [empty string]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"disablecad" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Active Desktop web content (hidden if disabled):

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"FriendlyName" = "My Current Home Page"
"Source" = "About:Home"
"SubscribedURL" = "About:Home"


Startup items in "grzes'm3" & "All Users" startup folders:
----------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"IPSec Dial Client" -> shortcut to: "C:\Program Files\CoSine Communications\IPSec Dial Client\SafeCfg.exe.vir" ["SafeNet"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Distributed Link Tracking Server, TrkSvr, "C:\WINNT\system32\services.exe" [MS]
Kerberos Key Distribution Center, kdc, "C:\WINNT\System32\lsass.exe" [MS]
Microsoft ASPI Manager, aspimgr, "C:\WINNT\system32\aspimgr.exe" [null data]
NtmlSvc, NtmlSvc, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll" [file not found]}
SafeNet IKE Service, IREIKE, ""C:\Program Files\CoSine Communications\IPSec Dial Client\IreIKE.exe"" ["SafeNet"]
SafeNet Monitor Service, IPSECMON, ""C:\Program Files\CoSine Communications\IPSec Dial Client\IPSecMon.exe"" ["SafeNet"]
Simple TCP/IP Services, SimpTcp, "C:\WINNT\System32\tcpsvcs.exe" [MS]
SNMP Service, SNMP, "C:\WINNT\System32\snmp.exe" [MS]
Terminal Services, TermService, "C:\WINNT\System32\termsrv.exe" [MS]
VNC Server Version 4, WinVNC4, ""C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service" ["RealVNC Ltd."]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 58 seconds)
Regards
Robo21
Gutek
(Gutek)
10 June 2007 00:29
#2
Finish off with online scanners - Scanners to choose from
Post the ComboFix log again.
robo21
(Robert)
11 June 2007 06:14
#3
Hello,
It is sending again; it was quiet for 24 hours and then it started all over. I'll post the logs from HT, SR and Combo once more.
Robert
Posts merged: 11.06.2007 (Mon) 8:55
Here are today's scan results.
Logfile of HijackThis v1.99.1
Scan saved at 08:30:55, on 2007-06-11
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\Program Files\CoSine Communications\IPSec Dial Client\IreIKE.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\aspimgr.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\CoSine Communications\IPSec Dial Client\IPSecMon.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Program Files\UltraEdit\uedit32.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\Explorer.EXE
C:\Program Files\UltraEdit\uedit32.exe
C:\Documents and Settings\grzes'm3\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 193.22.169.3:8080
O2 - BHO: C:\WINNT\system32\jseufr73hb.dll - {8D5849C4-93F3-429D-FF34-260A2068897C} - C:\WINNT\system32\jseufr73hb.dll
O4 - HKLM\..\Run: [FMStart] "C:\Program Files\GFI\FAXmaker Client\FMSTART.EXE"
O4 - HKLM\..\Run: [combofix] C:\WINNT\system32\cmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: IPSec Dial Client.lnk = C:\Program Files\CoSine Communications\IPSec Dial Client\SafeCfg.exe.vir
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://hd.zibi.pl/serwerekranu/msrdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = zibi.pl
O17 - HKLM\System\CCS\Services\Tcpip\..\{62F74129-3715-4F00-A91E-E47768F51372}: Domain = zibi.pl
O17 - HKLM\System\CCS\Services\Tcpip\..\{62F74129-3715-4F00-A91E-E47768F51372}: NameServer = 192.168.1.10,192.168.2.4
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = zibi.pl
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = zibi.pl,zibi.biz
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = zibi.pl
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = zibi.pl,zibi.biz
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = zibi.pl,zibi.biz
O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINNT\system32\aspimgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\CoSine Communications\IPSec Dial Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\CoSine Communications\IPSec Dial Client\IreIKE.exe
O23 - Service: Password - Unknown owner - C:\WINNT\System32\PwdServ.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)


"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"internat.exe" = "internat.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"FMStart" = ""C:\Program Files\GFI\FAXmaker Client\FMSTART.EXE"" [file not found]
"combofix" = "C:\WINNT\system32\cmd.exe /c C:\ComboFix\Combobatch.bat" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{8D5849C4-93F3-429D-FF34-260A2068897C}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "C:\WINNT\system32\jseufr73hb.dll"
                   \InProcServer32\(Default) = "C:\WINNT\system32\jseufr73hb.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {HKLM...CLSID} = "Display Panning CPL Extension"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
<<!>> "{8D5849C4-93F3-429D-FF34-260A2068897C}" = "Hex port setting"
  -> {HKLM...CLSID} = "C:\WINNT\system32\jseufr73hb.dll"
                   \InProcServer32\(Default) = "C:\WINNT\system32\jseufr73hb.dll" [null data]
<<!>> "{8D5849A2-93F3-429D-FF34-260A2068897C}" = "Fdjskie8 jf8e"
  -> {HKLM...CLSID} = "C:\WINNT\system32\lfhs76ghf.dll"
                   \InProcServer32\(Default) = "C:\WINNT\system32\lfhs76ghf.dll" [file not found]

HKLM\System\CurrentControlSet\Control\SecurityProviders\
<<!>> ("pwdssp.dll" [MS]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll"

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"DfsInit" [MS]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
UltraEdit-32\(Default) = "{b5eedee0-c06e-11cf-8c56-444553540000}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\UltraEdit\ue32ctmn.dll" [empty string]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"disablecad" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Active Desktop web content (hidden if disabled):

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"FriendlyName" = "My Current Home Page"
"Source" = "About:Home"
"SubscribedURL" = "About:Home"


Startup items in "grzes'm3" & "All Users" startup folders:
----------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"IPSec Dial Client" -> shortcut to: "C:\Program Files\CoSine Communications\IPSec Dial Client\SafeCfg.exe.vir" ["SafeNet"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Distributed Link Tracking Server, TrkSvr, "C:\WINNT\system32\services.exe" [MS]
Kerberos Key Distribution Center, kdc, "C:\WINNT\System32\lsass.exe" [MS]
Microsoft ASPI Manager, aspimgr, "C:\WINNT\system32\aspimgr.exe" [null data]
NtmlSvc, NtmlSvc, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll" [file not found]}
SafeNet IKE Service, IREIKE, ""C:\Program Files\CoSine Communications\IPSec Dial Client\IreIKE.exe"" ["SafeNet"]
SafeNet Monitor Service, IPSECMON, ""C:\Program Files\CoSine Communications\IPSec Dial Client\IPSecMon.exe"" ["SafeNet"]
Simple TCP/IP Services, SimpTcp, "C:\WINNT\System32\tcpsvcs.exe" [MS]
SNMP Service, SNMP, "C:\WINNT\System32\snmp.exe" [MS]
Terminal Services, TermService, "C:\WINNT\System32\termsrv.exe" [MS]
VNC Server Version 4, WinVNC4, ""C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service" ["RealVNC Ltd."]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 58 seconds)


"grzes'm3" - 2007-06-11 8:31:46 Service Pack 4 NTFS
ComboFix 07-06-3B - Running from: "C:\Documents and Settings\grzes'm3\Desktop\pytonfix"

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINNT\g32.txt
C:\WINNT\gs32.txt
C:\WINNT\s32.txt
C:\WINNT\ws386.ini

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_LDRSVC
-------\LEGACY_NM
-------\LEGACY_NTIO256
-------\nm
-------\ntio256

((((((((((((((((((((((((( Files Created from 2007-05-11 to 2007-06-11 )))))))))))))))))))))))))))))))

2007-06-11 08:42 16˙384 --a----t- C:\WINNT\system32\Perflib_Perfdata_3f4.dat
2007-06-08 18:34
2007-06-08 17:34
2007-06-08 12:25 48˙912 --a------ C:\WINNT\system32\Ntrights.exe
2007-06-08 12:25 28˙672 --a------ C:\WINNT\system32\restart.exe
2007-06-08 12:25 185˙344 --a------ C:\WINNT\system32\strings.exe
2007-06-08 12:25 139˙264 --a------ C:\WINNT\system32\zip.exe
2007-06-08 12:25 11˙254 --a------ C:\WINNT\system32\locate.com
2007-06-08 10:52 58˙880 --a------ C:\WINNT\nircmd.exe
2007-06-08 10:34 65˙536 --a------ C:\WINNT\system32\Process.exe
2007-06-08 10:34 60˙928 --a------ C:\WINNT\system32\dumphive.exe
2007-06-08 10:34 288˙417 --a------ C:\WINNT\system32\SrchSTS.exe
2007-06-06 17:28 40˙448 --a------ C:\WINNT\system32\ipmon.exe
2007-06-06 01:05 73˙728 --a------ C:\WINNT\system32\aspimgr.exe
2007-06-05 22:17 737˙280 --a------ C:\WINNT\system32\r_server.exe
2007-06-05 22:16
2007-06-05 21:32 253˙200 -ra------ C:\WINNT\explorer.exe
2007-06-05 20:07 954˙368 --a------ C:\temp\abmaster.dll
2007-06-05 20:07 194˙560 --a------ C:\temp\avfix.exe
2007-06-05 19:59
2007-06-01 18:47 15˙376 --a------ C:\DOCUME~1\przyda'g\nspmcvt.exe
2007-06-01 18:47 135˙168 --ah----- C:\DOCUME~1\przyda'g\NTUSER.DAT
2007-06-01 18:47
2007-06-01 18:47
2007-06-01 18:13 53˙248 --------- C:\WINNT\system32\PwdServ.exe
2007-06-01 13:58 15˙376 --a------ C:\DOCUME~1\komend'r\nspmcvt.exe
2007-06-01 13:58 126˙976 --ah----- C:\DOCUME~1\komend'r\NTUSER.DAT
2007-06-01 13:58
2007-06-01 13:58
2007-06-01 12:08
2007-06-01 12:06
2007-06-01 11:40
2007-06-01 11:26
2007-06-01 08:16
2007-05-31 17:24 8˙192 --a------ C:\DOCUME~1\ALLUSE~1\ntuser.dat
2007-05-31 17:24
2007-05-31 17:11
2007-05-31 17:11
2007-05-31 16:51 66˙832 --a------ C:\WINNT\system32\w32tm.exe
2007-05-31 16:51 57˙104 --a------ C:\WINNT\system32\wlnotify.dll
2007-05-31 16:51 48˙400 --a------ C:\WINNT\system32\w32time.dll
2007-05-31 16:51 399˙120 --a------ C:\WINNT\system32\USERENV.DLL
2007-05-31 16:51 29˙456 --a------ C:\WINNT\system32\VDMDBG.DLL
2007-05-31 16:51 239˙888 --a------ C:\WINNT\system32\wow32.dll
2007-05-31 16:51 167˙184 --a------ C:\WINNT\system32\WINTRUST.DLL
2007-05-31 16:51 146˙192 --a------ C:\WINNT\system32\WLDAP32.DLL
2007-05-31 16:50 973˙072 --a------ C:\WINNT\system32\sfcfiles.dll
2007-05-31 16:50 94˙992 --a------ C:\WINNT\system32\LLSSRV.EXE
2007-05-31 16:50 938˙768 --a------ C:\WINNT\system32\ntdsa.dll
2007-05-31 16:50 78˙096 --a------ C:\WINNT\system32\cryptsvc.dll
2007-05-31 16:50 71˙440 --a------ C:\WINNT\system32\browser.dll
2007-05-31 16:50 63˙760 --a------ C:\WINNT\system32\CRYPTNET.DLL
2007-05-31 16:50 63˙760 --a------ C:\WINNT\system32\adsmsext.dll
2007-05-31 16:50 563˙984 --a------ C:\WINNT\system32\CRYPT32.DLL
2007-05-31 16:50 56˙080 --a------ C:\WINNT\system32\cabinet.dll
2007-05-31 16:50 549˙136 --a------ C:\WINNT\system32\netcfgx.dll
2007-05-31 16:50 49˙424 --a------ C:\WINNT\system32\EVENTLOG.DLL
2007-05-31 16:50 46˙352 --a------ C:\WINNT\system32\BASESRV.DLL
2007-05-31 16:50 443˙664 --a------ C:\WINNT\system32\CRYPTUI.DLL
2007-05-31 16:50 366˙864 --a------ C:\WINNT\system32\NETLOGON.DLL
2007-05-31 16:50 338˙704 --a------ C:\WINNT\system32\MSGINA.DLL
2007-05-31 16:50 32˙528 --------- C:\WINNT\system32\fltmc.exe
2007-05-31 16:50 299˙792 --a------ C:\WINNT\system32\dsprop.dll
2007-05-31 16:50 29˙968 --a------ C:\WINNT\system32\profmap.dll
2007-05-31 16:50 261˙904 --a------ C:\WINNT\system32\scesrv.dll
2007-05-31 16:50 246˙544 --a------ C:\WINNT\system32\CMD.EXE
2007-05-31 16:50 241˙936 --a------ C:\WINNT\system32\msjtes40.dll
2007-05-31 16:50 18˙192 --------- C:\WINNT\system32\fltlib.dll
2007-05-31 16:50 17˙680 --a------ C:\WINNT\system32\seclogon.dll
2007-05-31 16:50 151˙312 --a------ C:\WINNT\system32\SCHANNEL.DLL
2007-05-31 16:50 136˙912 --------- C:\WINNT\system32\drivers\fltmgr.sys
2007-05-31 16:50 134˙928 --a------ C:\WINNT\system32\adsldpc.dll
2007-05-31 16:50 131˙856 --a------ C:\WINNT\system32\mstask.exe
2007-05-31 16:50 130˙832 --a------ C:\WINNT\system32\adsldp.dll
2007-05-31 16:50 117˙520 --a------ C:\WINNT\system32\PSBASE.DLL
2007-05-31 16:50 114˙448 --a------ C:\WINNT\system32\scecli.dll
2007-05-31 16:50 114˙448 --a------ C:\WINNT\system32\newdev.dll
2007-05-31 16:50 1˙507˙600 --a------ C:\WINNT\system32\msjet40.dll
2007-05-31 16:32
2007-05-31 16:31
2007-05-31 11:30
2007-05-31 11:21 41˙240 --a------ C:\WINNT\system32\wups.dll
2007-05-31 11:21 194˙328 --a------ C:\WINNT\system32\wuaueng1.dll
2007-05-31 11:21 18˙200 --a------ C:\WINNT\system32\wups2.dll
2007-05-31 11:21 127˙256 --a------ C:\WINNT\system32\wucltui.dll
2007-05-31 11:20 465˙176 --a------ C:\WINNT\system32\wuapi.dll
2007-05-31 11:20 172˙312 --a------ C:\WINNT\system32\wuauclt1.exe
2007-05-31 11:20
2007-05-31 11:14
2007-05-31 10:49
2007-05-30 17:35 11˙824 --a------ C:\WINNT\sxfkql.exe
2007-05-29 01:26 10˙000 --a------ C:\WINNT\system32\jseufr73hb.dll

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-08 16:26:51 -------- d-----w C:\Program Files\Hyena
2007-05-31 08:11:52 -------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-04-05 07:17:39 2,854,400 ----a-w C:\WINNT\system32\msi.dll
2007-03-15 10:00:36 466,432 ----a-w C:\WINNT\system32\SkanerOnline.dll
2007-03-13 09:44:49 245,520 ----a-w C:\WINNT\system32\WINSRV.DLL

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{8D5849C4-93F3-429D-FF34-260A2068897C}=C:\WINNT\system32\jseufr73hb.dll [07-05-29 01:26]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FMStart"="C:\Program Files\GFI\FAXmaker Client\FMSTART.EXE" []
"combofix"="C:\WINNT\system32\cmd.exe" [04-11-03 00:48]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Restore Operation"=C:\WINNT\TEMP\svchots.exe
"xp_sys"="C:\WINNT\servicepackfiles\mmwnd.exe" updated

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8D5849C4-93F3-429D-FF34-260A2068897C}"="C:\WINNT\system32\jseufr73hb.dll" [07-05-29 01:26]
"{8D5849A2-93F3-429D-FF34-260A2068897C}"="C:\WINNT\system32\lfhs76ghf.dll" []

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages FPNWCLNT RASSFM KDCSVC scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrv Tapisrv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs* WmdmPmSN ************************************************************************** catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-06-11 08:49:28 Windows 5.0.2195 Service Pack 4 NTFS detected NTDLL code modification: ZwOpenFile scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-06-11 8:50:06 - machine was rebooted C:\ComboFix-quarantined-files.txt … 07-06-11 08:50 C:\ComboFix2.txt … 07-06-09 12:09 C:\ComboFix3.txt … 07-06-08 10:52 — E O F —
Merged post: 11.06.2007 (Mon) 8:56
Here are today's scan results.
Logfile of HijackThis v1.99.1
Scan saved at 08:30:55, on 2007-06-11
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\Program Files\CoSine Communications\IPSec Dial Client\IreIKE.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\aspimgr.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\CoSine Communications\IPSec Dial Client\IPSecMon.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Program Files\UltraEdit\uedit32.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\Explorer.EXE
C:\Program Files\UltraEdit\uedit32.exe
C:\Documents and Settings\grzes'm3\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 193.22.169.3:8080
O2 - BHO: C:\WINNT\system32\jseufr73hb.dll - {8D5849C4-93F3-429D-FF34-260A2068897C} - C:\WINNT\system32\jseufr73hb.dll
O4 - HKLM\..\Run: [FMStart] "C:\Program Files\GFI\FAXmaker Client\FMSTART.EXE"
O4 - HKLM\..\Run: [combofix] C:\WINNT\system32\cmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: IPSec Dial Client.lnk = C:\Program Files\CoSine Communications\IPSec Dial Client\SafeCfg.exe.vir
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://hd.zibi.pl/serwerekranu/msrdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = zibi.pl
O17 - HKLM\System\CCS\Services\Tcpip\..\{62F74129-3715-4F00-A91E-E47768F51372}: Domain = zibi.pl
O17 - HKLM\System\CCS\Services\Tcpip\..\{62F74129-3715-4F00-A91E-E47768F51372}: NameServer = 192.168.1.10,192.168.2.4
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = zibi.pl
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = zibi.pl,zibi.biz
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = zibi.pl
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = zibi.pl,zibi.biz
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = zibi.pl,zibi.biz
O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINNT\system32\aspimgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\CoSine Communications\IPSec Dial Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\CoSine Communications\IPSec Dial Client\IreIKE.exe
O23 - Service: Password - Unknown owner - C:\WINNT\System32\PwdServ.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"internat.exe" = "internat.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"FMStart" = ""C:\Program Files\GFI\FAXmaker Client\FMSTART.EXE"" [file not found]
"combofix" = "C:\WINNT\system32\cmd.exe /c C:\ComboFix\Combobatch.bat" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{8D5849C4-93F3-429D-FF34-260A2068897C}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "C:\WINNT\system32\jseufr73hb.dll"
                   \InProcServer32\(Default) = "C:\WINNT\system32\jseufr73hb.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {HKLM...CLSID} = "Display Panning CPL Extension"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
<<!>> "{8D5849C4-93F3-429D-FF34-260A2068897C}" = "Hex port setting"
  -> {HKLM...CLSID} = "C:\WINNT\system32\jseufr73hb.dll"
                   \InProcServer32\(Default) = "C:\WINNT\system32\jseufr73hb.dll" [null data]
<<!>> "{8D5849A2-93F3-429D-FF34-260A2068897C}" = "Fdjskie8 jf8e"
  -> {HKLM...CLSID} = "C:\WINNT\system32\lfhs76ghf.dll"
                   \InProcServer32\(Default) = "C:\WINNT\system32\lfhs76ghf.dll" [file not found]

HKLM\System\CurrentControlSet\Control\SecurityProviders\
<<!>> ("pwdssp.dll" [MS]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll"

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"DfsInit" [MS]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
UltraEdit-32\(Default) = "{b5eedee0-c06e-11cf-8c56-444553540000}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\UltraEdit\ue32ctmn.dll" [empty string]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"disablecad" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Active Desktop web content (hidden if disabled):

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"FriendlyName" = "My Current Home Page"
"Source" = "About:Home"
"SubscribedURL" = "About:Home"

Startup items in "grzes'm3" & "All Users" startup folders:
----------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"IPSec Dial Client" -> shortcut to: "C:\Program Files\CoSine Communications\IPSec Dial Client\SafeCfg.exe.vir" ["SafeNet"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Distributed Link Tracking Server, TrkSvr, "C:\WINNT\system32\services.exe" [MS]
Kerberos Key Distribution Center, kdc, "C:\WINNT\System32\lsass.exe" [MS]
Microsoft ASPI Manager, aspimgr, "C:\WINNT\system32\aspimgr.exe" [null data]
NtmlSvc, NtmlSvc, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll" [file not found]}
SafeNet IKE Service, IREIKE, ""C:\Program Files\CoSine Communications\IPSec Dial Client\IreIKE.exe"" ["SafeNet"]
SafeNet Monitor Service, IPSECMON, ""C:\Program Files\CoSine Communications\IPSec Dial Client\IPSecMon.exe"" ["SafeNet"]
Simple TCP/IP Services, SimpTcp, "C:\WINNT\System32\tcpsvcs.exe" [MS]
SNMP Service, SNMP, "C:\WINNT\System32\snmp.exe" [MS]
Terminal Services, TermService, "C:\WINNT\System32\termsrv.exe" [MS]
VNC Server Version 4, WinVNC4, ""C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service" ["RealVNC Ltd."]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
----------
(total run time: 58 seconds)

"grzes'm3" - 2007-06-11 8:31:46 Service Pack 4 NTFS
ComboFix 07-06-3B - Running from: "C:\Documents and Settings\grzes'm3\Desktop\pytonfix"

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINNT\g32.txt
C:\WINNT\gs32.txt
C:\WINNT\s32.txt
C:\WINNT\ws386.ini

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_LDRSVC
-------\LEGACY_NM
-------\LEGACY_NTIO256
-------\nm
-------\ntio256

((((((((((((((((((((((((( Files Created from 2007-05-11 to 2007-06-11 )))))))))))))))))))))))))))))))
2007-06-11 08:42 16 384 --a----t- C:\WINNT\system32\Perflib_Perfdata_3f4.dat
2007-06-08 18:34
2007-06-08 17:34
2007-06-08 12:25 48 912 --a------ C:\WINNT\system32\Ntrights.exe
2007-06-08 12:25 28 672 --a------ C:\WINNT\system32\restart.exe
2007-06-08 12:25 185 344 --a------ C:\WINNT\system32\strings.exe
2007-06-08 12:25 139 264 --a------ C:\WINNT\system32\zip.exe
2007-06-08 12:25 11 254 --a------ C:\WINNT\system32\locate.com
2007-06-08 10:52 58 880 --a------ C:\WINNT\nircmd.exe
2007-06-08 10:34 65 536 --a------ C:\WINNT\system32\Process.exe
2007-06-08 10:34 60 928 --a------ C:\WINNT\system32\dumphive.exe
2007-06-08 10:34 288 417 --a------ C:\WINNT\system32\SrchSTS.exe
2007-06-06 17:28 40 448 --a------ C:\WINNT\system32\ipmon.exe
2007-06-06 01:05 73 728 --a------ C:\WINNT\system32\aspimgr.exe
2007-06-05 22:17 737 280 --a------ C:\WINNT\system32\r_server.exe
2007-06-05 22:16
2007-06-05 21:32 253 200 -ra------ C:\WINNT\explorer.exe
2007-06-05 20:07 954 368 --a------ C:\temp\abmaster.dll
2007-06-05 20:07 194 560 --a------ C:\temp\avfix.exe
2007-06-05 19:59
2007-06-01 18:47 15 376 --a------ C:\DOCUME~1\przyda'g\nspmcvt.exe
2007-06-01 18:47 135 168 --ah----- C:\DOCUME~1\przyda'g\NTUSER.DAT
2007-06-01 18:47
2007-06-01 18:47
2007-06-01 18:13 53 248 --------- C:\WINNT\system32\PwdServ.exe
2007-06-01 13:58 15 376 --a------ C:\DOCUME~1\komend'r\nspmcvt.exe
2007-06-01 13:58 126 976 --ah----- C:\DOCUME~1\komend'r\NTUSER.DAT
2007-06-01 13:58
2007-06-01 13:58
2007-06-01 12:08
2007-06-01 12:06
2007-06-01 11:40
2007-06-01 11:26
2007-06-01 08:16
2007-05-31 17:24 8 192 --a------ C:\DOCUME~1\ALLUSE~1\ntuser.dat
2007-05-31 17:24
2007-05-31 17:11
2007-05-31 17:11
2007-05-31 16:51 66 832 --a------ C:\WINNT\system32\w32tm.exe
2007-05-31 16:51 57 104 --a------ C:\WINNT\system32\wlnotify.dll
2007-05-31 16:51 48 400 --a------ C:\WINNT\system32\w32time.dll
2007-05-31 16:51 399 120 --a------ C:\WINNT\system32\USERENV.DLL
2007-05-31 16:51 29 456 --a------ C:\WINNT\system32\VDMDBG.DLL
2007-05-31 16:51 239 888 --a------ C:\WINNT\system32\wow32.dll
2007-05-31 16:51 167 184 --a------ C:\WINNT\system32\WINTRUST.DLL
2007-05-31 16:51 146 192 --a------ C:\WINNT\system32\WLDAP32.DLL
2007-05-31 16:50 973 072 --a------ C:\WINNT\system32\sfcfiles.dll
2007-05-31 16:50 94 992 --a------ C:\WINNT\system32\LLSSRV.EXE
2007-05-31 16:50 938 768 --a------ C:\WINNT\system32\ntdsa.dll
2007-05-31 16:50 78 096 --a------ C:\WINNT\system32\cryptsvc.dll
2007-05-31 16:50 71 440 --a------ C:\WINNT\system32\browser.dll
2007-05-31 16:50 63 760 --a------ C:\WINNT\system32\CRYPTNET.DLL
2007-05-31 16:50 63 760 --a------ C:\WINNT\system32\adsmsext.dll
2007-05-31 16:50 563 984 --a------ C:\WINNT\system32\CRYPT32.DLL
2007-05-31 16:50 56 080 --a------ C:\WINNT\system32\cabinet.dll
2007-05-31 16:50 549 136 --a------ C:\WINNT\system32\netcfgx.dll
2007-05-31 16:50 49 424 --a------ C:\WINNT\system32\EVENTLOG.DLL
2007-05-31 16:50 46 352 --a------ C:\WINNT\system32\BASESRV.DLL
2007-05-31 16:50 443 664 --a------ C:\WINNT\system32\CRYPTUI.DLL
2007-05-31 16:50 366 864 --a------ C:\WINNT\system32\NETLOGON.DLL
2007-05-31 16:50 338 704 --a------ C:\WINNT\system32\MSGINA.DLL
2007-05-31 16:50 32 528 --------- C:\WINNT\system32\fltmc.exe
2007-05-31 16:50 299 792 --a------ C:\WINNT\system32\dsprop.dll
2007-05-31 16:50 29 968 --a------ C:\WINNT\system32\profmap.dll
2007-05-31 16:50 261 904 --a------ C:\WINNT\system32\scesrv.dll
2007-05-31 16:50 246 544 --a------ C:\WINNT\system32\CMD.EXE
2007-05-31 16:50 241 936 --a------ C:\WINNT\system32\msjtes40.dll
2007-05-31 16:50 18 192 --------- C:\WINNT\system32\fltlib.dll
2007-05-31 16:50 17 680 --a------ C:\WINNT\system32\seclogon.dll
2007-05-31 16:50 151 312 --a------ C:\WINNT\system32\SCHANNEL.DLL
2007-05-31 16:50 136 912 --------- C:\WINNT\system32\drivers\fltmgr.sys
2007-05-31 16:50 134 928 --a------ C:\WINNT\system32\adsldpc.dll
2007-05-31 16:50 131 856 --a------ C:\WINNT\system32\mstask.exe
2007-05-31 16:50 130 832 --a------ C:\WINNT\system32\adsldp.dll
2007-05-31 16:50 117 520 --a------ C:\WINNT\system32\PSBASE.DLL
2007-05-31 16:50 114 448 --a------ C:\WINNT\system32\scecli.dll
2007-05-31 16:50 114 448 --a------ C:\WINNT\system32\newdev.dll
2007-05-31 16:50 1 507 600 --a------ C:\WINNT\system32\msjet40.dll
2007-05-31 16:32
2007-05-31 16:31
2007-05-31 11:30
2007-05-31 11:21 41 240 --a------ C:\WINNT\system32\wups.dll
2007-05-31 11:21 194 328 --a------ C:\WINNT\system32\wuaueng1.dll
2007-05-31 11:21 18 200 --a------ C:\WINNT\system32\wups2.dll
2007-05-31 11:21 127 256 --a------ C:\WINNT\system32\wucltui.dll
2007-05-31 11:20 465 176 --a------ C:\WINNT\system32\wuapi.dll
2007-05-31 11:20 172 312 --a------ C:\WINNT\system32\wuauclt1.exe
2007-05-31 11:20
2007-05-31 11:14
2007-05-31 10:49
2007-05-30 17:35 11 824 --a------ C:\WINNT\sxfkql.exe
2007-05-29 01:26 10 000 --a------ C:\WINNT\system32\jseufr73hb.dll

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-08 16:26:51 -------- d-----w C:\Program Files\Hyena
2007-05-31 08:11:52 -------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-04-05 07:17:39 2,854,400 ----a-w C:\WINNT\system32\msi.dll
2007-03-15 10:00:36 466,432 ----a-w C:\WINNT\system32\SkanerOnline.dll
2007-03-13 09:44:49 245,520 ----a-w C:\WINNT\system32\WINSRV.DLL

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{8D5849C4-93F3-429D-FF34-260A2068897C}=C:\WINNT\system32\jseufr73hb.dll [07-05-29 01:26]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FMStart"="C:\Program Files\GFI\FAXmaker Client\FMSTART.EXE" []
"combofix"="C:\WINNT\system32\cmd.exe" [04-11-03 00:48]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Restore Operation"=C:\WINNT\TEMP\svchots.exe
"xp_sys"="C:\WINNT\servicepackfiles\mmwnd.exe" updated

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8D5849C4-93F3-429D-FF34-260A2068897C}"="C:\WINNT\system32\jseufr73hb.dll" [07-05-29 01:26]
"{8D5849A2-93F3-429D-FF34-260A2068897C}"="C:\WINNT\system32\lfhs76ghf.dll" []

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages FPNWCLNT RASSFM KDCSVC scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrv Tapisrv

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
WmdmPmSN

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-11 08:49:28
Windows 5.0.2195 Service Pack 4 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-11 8:50:06 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-06-11 08:50
C:\ComboFix2.txt ... 07-06-09 12:09
C:\ComboFix3.txt ... 07-06-08 10:52

--- E O F ---
Gutek
(Gutek)
11 June 2007 15:45
#4
Files to delete - delete the files manually in Safe Mode