Hello
My Avira antivirus detected the Rootkit.gen virus. I scanned the computer with ComboFix and Avira, but Avira detects the rootkit in the system every time. Please help me read the ComboFix logs from before and after the antivirus scan.
=====================ComboFix log before I scanned with Avira================
ComboFix 09-04-04.01 - Administrator 2009-04-10 23:55:50.11 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.511.374 [GMT 2:00]
Uruchomiony z: c:\documents and settings\Banner\Pulpit\Comb.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated)
FW: Online Armor Firewall *enabled*
UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !!
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Poprzednie uruchomienie -------
.
c:\windows\system32\drivers\UACpbwylteh.sys
c:\windows\system32\UACdhornsve.dll
c:\windows\system32\UACetsoesii.log
c:\windows\system32\uacinit.dll
c:\windows\system32\UACksntmpqj.dll
c:\windows\system32\UACsqtoiyvv.dat
c:\windows\system32\UACtdxhorgk.log
c:\windows\system32\UACvrtqpxev.dll
c:\windows\system32\UACwiqhxtts.log
c:\windows\system32\UACwwulvrnl.dll
c:\windows\system32\UACypicxdlm.dll
.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_UACd.sys
((((((((((((((((((((((((( Pliki utworzone od 2009-03-10 do 2009-04-10 )))))))))))))))))))))))))))))))
.
2009-04-10 21:56 . 2009-04-10 21:56
2009-04-10 21:56 . 2009-04-10 21:56
2009-04-10 21:56 . 2009-02-13 11:31 55,640 --a------ c:\windows\system32\drivers\avgntflt.sys
2009-04-10 21:08 . 2008-07-28 11:29 160,792 --a------ c:\windows\system32\drivers\pctfw2.sys
2009-04-10 21:04 . 2009-04-10 21:24
2009-04-10 20:57 . 2009-04-10 21:01
2009-04-05 17:15 . 2009-04-05 17:15 491 --a------ c:\windows\my.ini
2009-04-05 17:06 . 2009-04-05 17:08
2009-03-30 23:11 . 2009-04-05 19:55
2009-03-29 14:49 . 2009-03-29 14:49
2009-03-29 14:49 . 2009-03-29 14:49
2009-03-29 13:42 . 2009-03-30 22:52
2009-03-29 13:17 . 2009-03-29 13:17
2009-03-28 19:19 . 2009-03-28 19:20
2009-03-25 18:55 . 2009-03-25 18:55
2009-03-25 18:53 . 2009-03-30 22:50
2009-03-25 18:51 . 2009-03-30 22:50
2009-03-24 16:04 . 2009-03-24 16:04
2009-03-24 15:24 . 2009-03-24 15:24
2009-03-24 15:24 . 2009-04-10 23:53
2009-03-24 15:24 . 2009-03-24 15:24
2009-03-24 15:24 . 2008-10-07 01:09 178,376 --a------ c:\windows\system32\drivers\OADriver.sys
2009-03-24 15:24 . 2008-10-07 01:09 30,920 --a------ c:\windows\system32\drivers\OAmon.sys
2009-03-24 15:24 . 2008-10-07 01:09 28,872 --a------ c:\windows\system32\drivers\OAnet.sys
2009-03-24 14:38 . 2009-03-24 14:38
2009-03-24 10:14 . 2009-03-24 10:15
2009-03-24 10:14 . 2001-10-28 17:42 116,224 --a------ c:\windows\system32\pdfcmnnt.dll
2009-03-24 10:14 . 1998-07-06 01:00 23,552 --a------ c:\windows\system32\MSMPIDE.DLL
2009-03-23 13:54 . 2009-03-23 13:54
2009-03-23 11:11 . 2009-03-23 11:11
2009-03-23 11:11 . 2009-03-23 11:11 286,720 --------- c:\windows\Setup1.exe
2009-03-23 11:11 . 2009-03-23 11:11 73,216 --a------ c:\windows\ST6UNST.EXE
2009-03-18 14:50 . 2009-03-30 23:17
2009-03-18 14:50 . 1999-09-10 13:06 45,056 --a------ c:\windows\system32\Wnaspi32.dll
2009-03-18 14:50 . 1999-09-10 13:06 25,244 --a------ c:\windows\system32\drivers\Aspi32.sys
2009-03-18 14:50 . 1999-09-10 13:06 5,600 --a------ c:\windows\system32\Winaspi.dll
2009-03-18 14:50 . 1999-09-10 13:06 4,672 --a------ c:\windows\system32\Wowpost.exe
2009-03-17 15:12 . 2009-03-17 15:12
2009-03-17 15:12 . 2009-03-17 15:12
2009-03-16 19:26 . 2009-03-16 19:43
2009-03-16 19:11 . 2009-03-16 19:11
2009-03-16 19:11 . 2009-03-23 11:03
2009-03-16 19:11 . 2002-01-05 15:37 344,064 --a------ c:\windows\system32\msvcr70.dll
2009-03-15 20:07 . 2009-03-15 20:07 14,437 --a------ c:\windows\FontData.fdb
2009-03-15 20:07 . 2009-03-16 19:08 56 -r-hs---- c:\windows\system32\F5874EDA42.sys
2009-03-15 20:05 . 2009-03-15 20:05
2009-03-15 20:04 . 2009-03-15 20:04
2009-03-15 20:00 . 2009-03-16 19:08 3,350 --ahs---- c:\windows\system32\KGyGaAvL.sys
2009-03-15 19:59 . 2009-03-30 22:51
2009-03-15 16:36 . 2009-03-15 16:36
2009-03-15 16:36 . 2009-03-15 16:36
2009-03-15 00:44 . 2009-03-15 20:05
2009-03-15 00:43 . 2009-03-15 00:43
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-10 18:53 --------- d-----w c:\documents and settings\Banner\Dane aplikacji\skypePM
2009-04-10 18:53 --------- d-----w c:\documents and settings\Banner\Dane aplikacji\Skype
2009-04-08 20:43 --------- d-----w c:\documents and settings\Banner\Dane aplikacji\uTorrent
2009-03-30 20:51 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-30 20:47 --------- d-----w c:\documents and settings\Banner\Dane aplikacji\Nowe Gadu-Gadu
2009-03-17 13:13 --------- d-----w c:\program files\Common Files\Adobe
2009-03-15 18:04 --------- d-----w c:\program files\Common Files\InstallShield
2009-03-15 15:50 --------- d-----w c:\program files\COMODO
2009-03-15 15:15 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\comodo
2009-03-15 15:01 --------- d-----w c:\documents and settings\Banner\Dane aplikacji\Cream Software
2009-03-15 14:59 --------- d-----w c:\program files\ezHTML
2009-03-07 17:11 --------- d-----w c:\program files\Pity 2008
2009-03-04 06:33 --------- d-----w c:\program files\Aptana
2009-02-28 12:55 --------- d-----w c:\program files\Eusing Free Registry Cleaner
2009-02-27 14:48 --------- d-----w c:\program files\SubEdit-Player
2009-02-25 20:52 --------- d-----w c:\documents and settings\Banner\Dane aplikacji\LimeWire
2009-02-25 20:48 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-02-25 20:48 --------- d-----w c:\program files\Java
2009-02-22 14:14 --------- d-----w c:\program files\B2BPOKER
2009-02-20 08:41 --------- d-----w c:\program files\Common Files\ChaosGroup
2009-02-20 08:36 --------- d-----w c:\documents and settings\All Users\Dane aplikacji_comodo_
2009-02-17 14:52 --------- d-----w c:\program files\WYSIWYG Web Builder 5
2009-02-17 14:17 737,280 ----a-w c:\windows\iun6002.exe
2009-02-06 16:13 119,583 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_02_06_17_08_21_small.dmp.zip
2009-01-13 11:29 5,858 --sh--w c:\documents and settings\Banner\Setup_ver1.1751.0.exe
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXBUCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll" [2004-11-02 69632]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-17 7630848]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-17 86016]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2008-10-07 6223048]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"nForce Tray Options"="sstray.exe" [2003-08-13 c:\windows\system32\sstray.exe]
"nwiz"="nwiz.exe" [2006-08-17 c:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2008-10-07 886984]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=
[HKLM~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM~\startupfolder\C:^Documents and Settings^Banner^Menu Start^Programy^Autostart^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
--a------ 2004-09-17 19:24 61440 c:\program files\Lexmark 6200 Series\ezprint.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-06-16 07:03 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-06-16 07:03 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
--a------ 2007-05-17 23:45 279912 c:\program files\Microsoft LifeCam\LifeExp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxbumon.exe]
--a------ 2005-01-18 16:39 196608 c:\program files\Lexmark 6200 Series\lxbumon.exE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 01:55 1667584 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 12:50 155648 c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-11-07 15:31 21633320 c:\program files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-02-25 22:48 148888 c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayServer]
--a------ 2006-10-04 16:41 86016 c:\program files\MAGIX\Movie_Edit_Pro_12_e-version\Trayserver.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX1000]
--a------ 2007-04-10 23:46 709992 c:\windows\vVX1000.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\Autodesk\3ds Max 9\3dsmax.exe"=
"c:\Program Files\uTorrent\uTorrent.exe"=
"d:\KURS\TESTOUT\Cmi\Navigator.exe"=
"c:\Program Files\Microsoft LifeCam\LifeCam.exe"=
"c:\Program Files\Microsoft LifeCam\LifeExp.exe"=
"c:\Program Files\Gadu-Gadu\gg.exe"=
"c:\Program Files\B2BPOKER\i4poker\jre\bin\javaw.exe"=
"c:\Program Files\Aptana\Aptana Studio 1.2\jre\bin\javaw.exe"=
"c:\Program Files\Mozilla Firefox\firefox.exe"=
"c:\Program Files\Opera\opera.exe"=
"c:\Program Files\Soldier of Fortune II - Double Helix MP TEST\SoF2MP-Test.exe"=
"c:\xampp\apache\bin\apache.exe"=
"c:\xampp\mysql\bin\mysqld.exe"=
"c:\totalcmd\Totalcmd_.exe"=
"c:\Program Files\Skype\Phone\Skype.exe"=
R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\si3112r.sys [2005-03-11 89749]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2005-03-11 9600]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-03-24 30920]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-03-24 28872]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-04-10 160792]
S1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-03-24 178376]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-10 108289]
S2 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [2008-12-10 24636]
S2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [2009-03-24 1402568]
S2 PHPGeekUtil;PHPGeekUtil; [x]
S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [2009-03-24 3321032]
S3 RT2400;ASUS Wireless Driver;c:\windows\system32\drivers\RT2400.sys [2009-02-21 51584]
.
- - - - USUNIĘTO PUSTE WPISY - - - -
MSConfigStartUp-sysav - c:\documents and settings\Banner\Dane aplikacji\pcdefender.exe
.
------- Skan uzupełniający -------
.
DPF: {EA53AFD2-297C-4452-A8F2-3C1763E86D14} - hxxp://www.bespin.dgsm.pl/filesbank/setup20020.cab
FF - ProfilePath - c:\documents and settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\42rxkkxf.default\
FF - component: c:\program files\Mozilla Firefox\extensions{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-10 23:57:23
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
skanowanie ukrytych procesów …
skanowanie ukrytych wpisów autostartu …
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXBUCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16???
skanowanie ukrytych plików …
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
.
Czas ukończenia: 2009-04-10 23:58:10
ComboFix-quarantined-files.txt 2009-04-10 21:58:08
Przed: 5,063,008,256 bajtów wolnych
Po: 5,050,683,392 bajtów wolnych
=============================================Avira log ==============================
Avira AntiVir Personal
Report file date: 11 kwietnia 2009 15:28
Scanning for 1346528 virus strains and unwanted programs.
Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Dodatek Service Pack 2) [5.1.2600]
Boot mode : Save mode with network
Username : Administrator
Computer name : BANNER-6F53C4FE
Version information:
BUILD.DAT : 9.0.0.387 17962 Bytes 2009-03-24 11:04:00
AVSCAN.EXE : 9.0.3.3 464641 Bytes 2009-02-24 10:13:26
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2009-02-27 08:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2009-02-20 09:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2009-02-27 08:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 2008-10-27 10:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2009-02-11 18:33:26
ANTIVIR2.VDF : 7.1.3.0 1330176 Bytes 2009-04-01 19:58:40
ANTIVIR3.VDF : 7.1.3.41 162304 Bytes 2009-04-10 19:58:41
Engineversion : 8.2.0.138
AEVDF.DLL : 8.1.1.0 106868 Bytes 2009-01-27 15:36:42
AESCRIPT.DLL : 8.1.1.73 373114 Bytes 2009-04-10 19:58:45
AESCN.DLL : 8.1.1.10 127348 Bytes 2009-04-10 19:58:44
AERDL.DLL : 8.1.1.3 438645 Bytes 2008-10-29 16:24:41
AEPACK.DLL : 8.1.3.12 397687 Bytes 2009-04-10 19:58:44
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2009-02-26 18:01:56
AEHEUR.DLL : 8.1.0.114 1700214 Bytes 2009-04-10 19:58:44
AEHELP.DLL : 8.1.2.2 119158 Bytes 2009-02-26 18:01:56
AEGEN.DLL : 8.1.1.33 340340 Bytes 2009-04-10 19:58:42
AEEMU.DLL : 8.1.0.9 393588 Bytes 2008-10-09 12:32:40
AECORE.DLL : 8.1.6.7 176502 Bytes 2009-04-10 19:58:41
AEBB.DLL : 8.1.0.3 53618 Bytes 2008-10-09 12:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 2008-12-12 06:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 2008-12-05 08:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 2009-01-20 12:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 2008-12-05 08:32:09
AVARKT.DLL : 9.0.0.1 292609 Bytes 2009-02-09 05:52:24
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 2009-01-30 08:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 2009-01-28 13:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2009-02-02 06:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 2008-12-05 08:32:10
RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2009-02-09 09:45:45
RCTEXT.DLL : 9.0.35.0 87297 Bytes 2009-03-11 13:55:12
Configuration settings for the scan:
Jobname…: Complete system scan
Configuration file…: c:\program files\avira\antivir desktop\sysscan.avp
Logging…: low
Primary action…: interactive
Secondary action…: ignore
Scan master boot sector…: on
Scan boot sector…: on
Boot sectors…: C:, D:,
Process scan…: on
Scan registry…: on
Search for rootkits…: on
Integrity checking of system files…: off
Scan all files…: All files
Scan archives…: on
Recursion depth…: 20
Smart extensions…: on
Macro heuristic…: on
File heuristic…: medium
Start of the scan: 11 kwietnia 2009 15:28
Starting search for hidden objects.
The driver could not be initialized.
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
13 processes with 13 modules were scanned
Starting master boot sector scan:
Start scanning boot sectors:
Starting to scan executable files (registry).
The registry was scanned ( '48' files ).
Starting the file scan:
Begin scan in 'C:'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACdhornsve.dll.vir
[DETECTION] Is the TR/PCK.Tdss.F.2062 Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACksntmpqj.dll.vir
[DETECTION] Is the TR/PCK.Tdss.F.2061 Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACvrtqpxev.dll.vir
[DETECTION] Is the TR/Alureon.BF Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACwwulvrnl.dll.vir
[DETECTION] Is the TR/PCK.Tdss.F.2060 Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACpbwylteh.sys.vir
[DETECTION] Is the TR/Rootkit.Gen Trojan
Begin scan in 'D:'
Beginning disinfection:
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACdhornsve.dll.vir
[DETECTION] Is the TR/PCK.Tdss.F.2062 Trojan
[NOTE] The file was moved to '4a23a9dd.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACksntmpqj.dll.vir
[DETECTION] Is the TR/PCK.Tdss.F.2061 Trojan
[NOTE] The file was moved to '4bbb2c56.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACvrtqpxev.dll.vir
[DETECTION] Is the TR/Alureon.BF Trojan
[NOTE] The file was moved to '4bb93cc6.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACwwulvrnl.dll.vir
[DETECTION] Is the TR/PCK.Tdss.F.2060 Trojan
[NOTE] The file was moved to '4bb8353e.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACpbwylteh.sys.vir
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '4bbe07d6.qua'!
End of the scan: 11 kwietnia 2009 16:30
Used time: 1:01:34 Hour(s)
The scan has been done completely.
10135 Scanned directories
541677 Files were scanned
5 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
5 Files were moved to quarantine
0 Files were renamed
1 Files cannot be scanned
541671 Files not concerned
8461 Archives were scanned
1 Warnings
6 Notes