I caught Virtumonde; a lot of people say it's best to format, but I'd rather remove it first and then format.
Luckily this trojan doesn't seem to have such bad effects… apart from Spybot stopping halfway through a scan because it asks for a restart, but even after five such restarts it is still there… here is my log
ComboFix 08-09-05.14 - user 2008-09-10 12:51:22.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.1506 [GMT 2:00]
Running from: C:\Documents and Settings\user\Pulpit\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\PCHealthCenter
.
((((((((((((((((((((((((( Files Created from 2008-08-10 to 2008-09-10 )))))))))))))))))))))))))))))))
.
2008-09-10 11:32 . 2008-09-10 11:32
2008-09-10 08:47 . 2008-09-10 10:35 199 --a------ C:\WINDOWS\wininit.ini
2008-09-09 22:33 . 2008-09-09 22:34
2008-09-09 22:32 . 2008-09-09 22:32
2008-09-09 22:29 . 2008-09-10 10:06
2008-09-09 20:57 . 2008-09-09 20:57 33,664 --a------ C:\WINDOWS\system32\mlJdBtTm.dll.vir
2008-09-09 20:57 . 2008-09-08 17:32 3,262 --a------ C:\WINDOWS\system32\2.ico
2008-09-09 20:53 . 2008-09-10 10:25
2008-09-09 20:53 . 2008-09-08 16:50 165,888 --a------ C:\WINDOWS\system32\MSa.cpl
2008-09-09 20:53 . 2008-09-08 17:32 106,496 --a------ C:\x
2008-09-09 20:53 . 2008-09-08 17:32 3,262 --a------ C:\WINDOWS\system32\1.ico
2008-09-01 20:25 . 2008-09-01 20:42
2008-08-30 21:52 . 2008-08-30 23:58 13,030 --a------ C:\PDOXUSRS.NET
2008-08-30 21:50 . 2008-08-30 21:50
2008-08-30 21:50 . 2008-08-30 21:50
2008-08-18 11:17 . 2008-08-18 11:17
2008-08-16 20:56 . 2008-08-16 20:56
2008-08-15 20:48 . 2008-08-15 20:48
2008-08-15 20:48 . 2008-08-15 20:48 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-08-14 21:17 . 2004-08-18 10:34 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2008-08-14 21:15 . 2008-07-28 17:19 116,736 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-08-13 09:55 . 2008-05-01 16:37 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-13 09:49 . 2008-04-11 21:06 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-10 10:51 --------- d-----w C:\Program Files\Tlen.pl
2008-09-10 10:36 --------- d-----w C:\Documents and Settings\user\Dane aplikacji\Skype
2008-09-10 10:35 --------- d-----w C:\Documents and Settings\user\Dane aplikacji\skypePM
2008-09-09 15:49 --------- d-----w C:\Documents and Settings\user\Dane aplikacji\uTorrent
2008-08-28 14:26 --------- d-----w C:\Program Files\ICQ6
2008-08-22 11:37 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-20 13:25 --------- d--a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-08-13 09:26 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Microsoft Help
2008-08-09 19:48 --------- d-----w C:\Documents and Settings\user\Dane aplikacji\Tlen.pl
2008-08-06 09:47 --------- d-----w C:\Program Files\Winamp
2008-07-29 21:39 258,352 ----a-w C:\WINDOWS\system32\unicows.dll
2008-07-29 21:33 --------- d-----w C:\Program Files\uTorrent
2008-07-25 10:04 --------- d-----w C:\Program Files\Outsim
2008-07-25 10:04 --------- d-----w C:\Program Files\Image-Line
2008-07-25 09:22 --------- d-----w C:\Program Files\Java
2008-07-25 08:36 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-07-24 19:14 --------- d-----w C:\Documents and Settings\user\Dane aplikacji\Ahead
2008-07-23 16:50 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-07-23 16:48 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-07-23 16:48 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-07-23 16:46 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-07-23 09:40 --------- d-----w C:\Program Files\Apple Software Update
2008-07-23 09:40 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Apple Computer
2008-07-23 09:40 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Apple
2008-07-21 16:30 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-07-21 09:28 --------- d-----w C:\Documents and Settings\user\Dane aplikacji\DivX
2008-07-21 08:49 --------- d-----w C:\Program Files\NCH Software
2008-07-21 08:41 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\NCH Software
2008-07-21 08:40 --------- d-----w C:\Documents and Settings\user\Dane aplikacji\NCH Software
2008-07-21 07:42 --------- d-----w C:\Documents and Settings\user\Dane aplikacji\Publish Providers
2008-07-21 07:41 --------- d-----w C:\Documents and Settings\user\Dane aplikacji\Sony
2008-07-20 14:24 --------- d-----w C:\Program Files\Common Files\xing shared
2008-07-20 14:24 --------- d-----w C:\Program Files\Common Files\Real
2008-07-20 12:45 --------- d-----w C:\Program Files\MSBuild
2008-07-20 12:41 --------- d-----w C:\Program Files\Reference Assemblies
2008-07-20 12:31 --------- d-----w C:\Documents and Settings\user\Dane aplikacji\Sony Setup
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 20:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 20:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-18 12:21 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-18 11:22 --------- d-----w C:\Program Files\Microsoft Works
2008-07-18 11:21 --------- d-----w C:\Program Files\Microsoft.NET
2008-07-18 00:39 --------- d-----w C:\Program Files\Skype
2008-07-18 00:39 --------- d-----w C:\Program Files\Common Files\Skype
2008-07-18 00:39 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Skype
2008-07-17 08:15 --------- d-----w C:\Program Files\MSXML 4.0
2008-07-17 08:14 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-07-17 07:49 --------- d-----w C:\Program Files\Tablet
2008-07-16 18:36 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-16 18:36 --------- d-----w C:\Program Files\Windows Live
2008-07-16 18:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-16 18:30 --------- d-----w C:\Documents and Settings\user\Dane aplikacji\ICQ
2008-07-16 18:30 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\WLInstaller
2008-07-16 18:03 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\FLEXnet
2008-07-16 17:23 --------- d-----w C:\Program Files\Bonjour
2008-07-16 17:14 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-07-16 14:57 --------- d-----w C:\Program Files\Miranda IM
2008-07-16 13:10 --------- d-----w C:\Documents and Settings\user\Dane aplikacji\Winamp
2008-07-16 12:08 --------- d-----w C:\Documents and Settings\user\Dane aplikacji\Nero
2008-07-16 12:07 --------- d-----w C:\Program Files\Common Files\Nero
2008-07-16 12:06 --------- d-----w C:\Program Files\Nero
2008-07-16 12:06 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Nero
2008-07-15 11:16 --------- d-----w C:\Program Files\Alwil Software
2008-07-07 20:29 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-03 13:38 315,392 -c--a-w C:\WINDOWS\HideWin.exe
2008-06-27 09:23 16,875,008 ----a-w C:\WINDOWS\RTHDCPL.exe
2008-06-24 16:46 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 14:06 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2008-06-23 16:42 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:48 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-19 14:42 2,808,832 -c--a-w C:\WINDOWS\alcwzrd.exe
2008-06-19 14:27 9,715,200 -c--a-w C:\WINDOWS\RTLCPL.exe
2008-06-19 14:20 57,344 ----a-w C:\WINDOWS\Alcmtr.exe
2008-06-18 16:01 77,824 -c--a-w C:\WINDOWS\SoundMan.exe
2008-06-17 13:17 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-06-17 13:14 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-06-11 00:07 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2008-06-11 00:07 120,056 -c----w C:\WINDOWS\system32\pxcpyi64.exe
2008-06-11 00:07 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
.
((((((((((((((((((((((((((((( snapshot@2008-09-10_12.45.06.89 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"SpybotSD TeaTimer"="D:\Program Files\Spybot - Search Destroy\TeaTimer.exe" [2008-08-18 1832272]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 630784]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-06-19 570664]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-08 2221352]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-08-04 36352]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-07-20 185896]
"QuickTime Task"="D:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
"RTHDCPL"="RTHDCPL.EXE" [2008-06-27 C:\WINDOWS\RTHDCPL.exe]
C:\Documents and Settings\user\Menu Start\Programy\Autostart\
MagicDisc.lnk - D:\Program Files\MagicDisc\MagicDisc.exe [2008-08-14 575488]
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2008-07-17 106496]
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"C:\Program Files\Bonjour\mDNSResponder.exe"=
"C:\Program Files\Tlen.pl\tlen.exe"=
"C:\Program Files\ICQ6\ICQ.exe"=
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"=
"C:\Program Files\Windows Live\Messenger\livecall.exe"=
"C:\Program Files\uTorrent\uTorrent.exe"=
"C:\Program Files\Skype\Phone\Skype.exe"=
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
S3 itecir;ITECIR Infrared Receiver;C:\WINDOWS\system32\DRIVERS\itecir.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{2b27f284-6a2d-11dd-a68e-00030d6e71a7}]
\Shell\AutoRun\command - F:\Setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{2b27f290-6a2d-11dd-a68e-00030d6e71a7}]
\Shell\AutoRun\command - G:\RunGame.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{79e2e17e-5afa-11dd-a63c-00030d6e71a7}]
\Shell\AutoRun\command - F:\jdwx.exe
\Shell\explore\Command - F:\jdwx.exe
\Shell\open\Command - F:\jdwx.exe
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-\YUR5.exe - C:\Windows\system32\YUR5.exe
HKCU-Run-\YUR6.exe - C:\Windows\system32\YUR6.exe
HKCU-Run-\YUR7.exe - C:\Windows\system32\YUR7.exe
HKCU-Run-\YURB.exe - C:\Windows\system32\YURB.exe
HKCU-Run-\YUR21.exe - C:\Windows\system32\YUR21.exe
HKCU-Run-\YUR1.exe - C:\Windows\system32\YUR1.exe
HKCU-Run-\YUR2.exe - C:\Windows\system32\YUR2.exe
HKCU-Run-\YUR3.exe - C:\Windows\system32\YUR3.exe
HKCU-Run-\YUR4.exe - C:\Windows\system32\YUR4.exe
HKCU-Run-\YUR12.exe - C:\Windows\system32\YUR12.exe
HKCU-Run-\YUR13D.exe - C:\Windows\system32\YUR13D.exe
HKLM-Run-\YUR5.exe - C:\Windows\system32\YUR5.exe
HKLM-Run-\YUR6.exe - C:\Windows\system32\YUR6.exe
HKLM-Run-\YUR7.exe - C:\Windows\system32\YUR7.exe
HKLM-Run-\YURB.exe - C:\Windows\system32\YURB.exe
HKLM-Run-\YUR21.exe - C:\Windows\system32\YUR21.exe
HKLM-Run-\YUR1.exe - C:\Windows\system32\YUR1.exe
HKLM-Run-\YUR2.exe - C:\Windows\system32\YUR2.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\user\Dane aplikacji\Mozilla\Firefox\Profiles\rhb85lek.default\
FF -: plugin - D:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll
FF -: plugin - D:\Program Files\DivX\DivX Web Player\npdivx32.dll
FF -: plugin - D:\Program Files\Netscape6\nppl3260.dll
FF -: plugin - D:\Program Files\Netscape6\nprjplug.dll
FF -: plugin - D:\Program Files\Netscape6\nprpjplug.dll
FF -: plugin - D:\Program Files\QuickTime\Plugins\npqtplugin.dll
FF -: plugin - D:\Program Files\QuickTime\Plugins\npqtplugin2.dll
FF -: plugin - D:\Program Files\QuickTime\Plugins\npqtplugin3.dll
FF -: plugin - D:\Program Files\QuickTime\Plugins\npqtplugin4.dll
FF -: plugin - D:\Program Files\QuickTime\Plugins\npqtplugin5.dll
FF -: plugin - D:\Program Files\QuickTime\Plugins\npqtplugin6.dll
FF -: plugin - D:\Program Files\QuickTime\Plugins\npqtplugin7.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-10 12:52:25
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-09-10 12:54:04
ComboFix-quarantined-files.txt 2008-09-10 10:53:08
ComboFix2.txt 2008-09-10 10:45:39
Pre-Run: 25,023,533,056 bajtów wolnych
Post-Run: 25,012,207,616 bajtów wolnych
228 --- E O F --- 2008-08-27 08:57:00