Trojan Horse, W32.Silly FDC

Hello.

I would be very grateful for help. I have these viruses, Trojan Horse and W32.Silly FDC, and I can't manage to decipher the ComboFix log, and what do I do afterwards? Many thanks for the help.

log:

ComboFix 09-02-08.02 - user 2009-02-09 10:29:18.11 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.511.285 [GMT 1:00]

Running from: C:\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\kmd.exe

c:\windows\system32\UTSCSI.EXE

.

((((((((((((((((((((((((( Files Created from 2009-01-09 to 2009-02-09 )))))))))))))))))))))))))))))))

.

2009-02-09 10:27 . 2009-02-09 10:28

2009-02-09 10:27 . 2009-02-09 10:24 2,919,117 -ra------ C:\ComboFix.exe

2009-02-09 10:23 . 2009-02-09 10:23 62,464 --a------ c:\windows\system32\mcenspc.dll

2009-02-09 10:16 . 2008-08-08 07:04 545 --a------ c:\windows\UC.PIF

2009-02-09 10:16 . 2008-08-08 07:04 545 --a------ c:\windows\RAR.PIF

2009-02-09 10:16 . 2008-08-08 07:04 545 --a------ c:\windows\PKZIP.PIF

2009-02-09 10:16 . 2008-08-08 07:04 545 --a------ c:\windows\PKUNZIP.PIF

2009-02-09 10:16 . 2008-08-08 07:04 545 --a------ c:\windows\NOCLOSE.PIF

2009-02-09 10:16 . 2008-08-08 07:04 545 --a------ c:\windows\LHA.PIF

2009-02-09 10:16 . 2008-08-08 07:04 545 --a------ c:\windows\ARJ.PIF

2009-01-16 10:39 . 2009-01-16 10:39

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-09 09:16 --------- d-----w c:\program files\TC UP

2009-02-09 08:10 --------- d-----w c:\program files\Symantec AntiVirus

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-09-04 09:33 32,768 --sha-w c:\windows\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\MSHist012008090420080905\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-20 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-06-01 86016]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]

"StatusClient 2.6"="c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 61440]

"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 188416]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-01-07 49152]

"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-10-12 102400]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-04-21 125072]

"RTHDCPL"="RTHDCPL.EXE" [2006-05-27 c:\windows\RTHDCPL.exe]

"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

"nwiz"="nwiz.exe" [2006-06-01 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe"=

"%windir%\Network Diagnostic\xpnetdiag.exe"=

"%windir%\system32\sessmgr.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-03 99376]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-04-21 119952]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5592080f-e115-11dc-91d2-0016e61e80eb}]

\Shell\AutoRun\command - F:\USBNB.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a125f34-f71c-11dc-91f7-0016e61e80eb}]

\Shell\AutoRun\command - 3o.exe

\Shell\explore\Command - 3o.exe

\Shell\open\Command - 3o.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a125f35-f71c-11dc-91f7-0016e61e80eb}]

\Shell\AutoRun\command - 3o.exe

\Shell\explore\Command - 3o.exe

\Shell\open\Command - 3o.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5cc006c-d85f-11db-90a0-0016e61e80eb}]

\Shell\AutoRun\command - F:\USBNB.exe

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.uni.opole.pl/shownews.php?lang=pl

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride =

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

TCP: {5B22AF3E-606E-4F95-8EA5-43721C78CD33} = 195.205.69.250,217.173.193.3

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-09 10:31:42

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2009-02-09 10:32:39

ComboFix-quarantined-files.txt 2009-02-09 09:32:36

Pre-Run: 32 815 214 592 bytes free

Post-Run: 33,596,866,560 bytes free

108 — E O F — 2009-01-15 08:01:40

Paste into Notepad:

File::

c:\windows\system32\mcenspc.dll


Registry::

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a125f34-f71c-11dc-91f7-0016e61e80eb}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a125f35-f71c-11dc-91f7-0016e61e80eb}]

>>File>>Save as... >>> CFScript

Drag and drop the CFScript.txt file onto ComboFix.exe

- just like in this picture -> cfscript10gm1.gif

Removal should start (and a log will be produced). Post that log.

Paste the log at http://wklej.org/ and post only the link here.

jessi
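The two things the CFScript above goes after are worth recognising in any ComboFix log, so here is an added example (not part of the original post and not a ComboFix component) that parses log lines of the kind shown in this thread and renders the same File::/Registry:: script. The first indicator is the extra DLL in the SecurityProviders value: every DLL listed there is loaded into lsass.exe at boot as a security support provider, and the log shows mcenspc.dll created on 2009-02-09 10:23, minutes before ComboFix ran, and appended behind the four stock XP providers. The second is the MountPoints2 entries, where Explorer caches the autorun.inf commands of volumes it has seen. The sample log is constructed from the first log in the thread; the list of stock providers, the heuristic for which MountPoints2 keys to delete (hijacked open/explore verbs or a bare filename without a drive), and the clearing of the Security Center override values are this example's own assumptions, not something the thread states.

```python
"""Triage a ComboFix log for the persistence points acted on in this thread and
emit a CFScript in the File::/Registry:: syntax used above.

Added example for this page; it is not part of the original post and not a
ComboFix component. SAMPLE_LOG is constructed from the first log in the
thread. KNOWN_PROVIDERS and the MountPoints2 heuristic are assumptions."""
import re
from typing import Dict, List

# Stock Windows XP SSP/AP DLLs in SecurityProviders (assumption: unmodified XP).
# Anything else listed there is loaded into lsass.exe at boot.
KNOWN_PROVIDERS = ["msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"]

# Constructed from the first log in the thread (not a real capture).
SAMPLE_LOG = r"""
2009-02-09 10:23 . 2009-02-09 10:23 62,464 --a------ c:\windows\system32\mcenspc.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5592080f-e115-11dc-91d2-0016e61e80eb}]
\Shell\AutoRun\command - F:\USBNB.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a125f34-f71c-11dc-91f7-0016e61e80eb}]
\Shell\AutoRun\command - 3o.exe
\Shell\explore\Command - 3o.exe
\Shell\open\Command - 3o.exe
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
SHELL_RE = re.compile(r"^\\Shell\\(?P<verb>\w+)\\command\s+-\s+(?P<cmd>.+)$", re.IGNORECASE)
DWORD_ONE_RE = re.compile(r'^"(?P<name>\w+)"=dword:0*1$')
DRIVE_PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)


def parse_findings(log_text: str) -> Dict:
    """Walk the 'Reg Loading Points' lines and collect three indicator classes."""
    findings = {
        "provider_order": [],   # SecurityProviders value as listed, in order
        "rogue_providers": [],  # entries not in KNOWN_PROVIDERS
        "mountpoints": {},      # MountPoints2 key -> [(verb, command), ...]
        "av_overrides": [],     # (key, value name) pairs set to 1 under Security Center
    }
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")   # remember which registry key the following lines belong to
            continue
        if key.lower().endswith(r"control\securityproviders") and line.lower().startswith("securityproviders"):
            providers = [p.strip() for p in line.split(None, 1)[1].split(",")]
            findings["provider_order"] = providers
            findings["rogue_providers"] = [p for p in providers if p.lower() not in KNOWN_PROVIDERS]
            continue
        m = SHELL_RE.match(line)
        if m and "mountpoints2" in key.lower():
            findings["mountpoints"].setdefault(key, []).append((m.group("verb").lower(), m.group("cmd")))
            continue
        m = DWORD_ONE_RE.match(line)
        if m and "security center" in key.lower():
            findings["av_overrides"].append((key, m.group("name")))
    return findings


def suspicious_mountpoints(findings: Dict) -> List[str]:
    """Flag a cached-volume key when the autorun hijacks the open/explore verbs
    or points at a bare filename with no drive letter (a file expected in the
    volume root). Heuristic only: it reproduces the selection made in the
    thread (the 3o.exe keys are flagged, the USBNB.exe keys are not)."""
    flagged = []
    for key, entries in findings["mountpoints"].items():
        hijacked_verbs = any(verb in ("open", "explore") for verb, _ in entries)
        bare_filename = any(not DRIVE_PATH_RE.match(cmd) for _, cmd in entries)
        if hijacked_verbs or bare_filename:
            flagged.append(key)
    return flagged


def build_cfscript(findings: Dict, system32: str = r"c:\windows\system32") -> str:
    """Render the CFScript: File:: for rogue SSP DLLs; Registry:: to restore the
    stock provider list, clear the Security Center overrides (this example's
    addition; the thread's script left them) and delete flagged MountPoints2 keys."""
    lines: List[str] = []
    if findings["rogue_providers"]:
        lines.append("File::")
        lines += [f"{system32}\\{dll}" for dll in findings["rogue_providers"]]
        lines.append("")
    lines.append("Registry::")
    if findings["rogue_providers"]:
        clean = [p for p in findings["provider_order"] if p.lower() in KNOWN_PROVIDERS]
        lines.append(r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]")
        lines.append('"SecurityProviders"="' + ", ".join(clean) + '"')
    for key, name in findings["av_overrides"]:
        lines.append(f"[{key}]")
        lines.append(f'"{name}"=dword:00000000')
    for key in suspicious_mountpoints(findings):
        lines.append(f"[-{key}]")   # leading '-' deletes the whole key
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(parse_findings(SAMPLE_LOG)), end="")
```

Run stand-alone it prints a script equivalent to the one posted above, plus the two extra Security Center lines. The provider list is rebuilt from the order in the log rather than from a fixed string, so a DLL inserted in the middle of the list is removed without reordering the legitimate entries; a missing stock provider, on the other hand, is left missing rather than silently re-added.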

ComboFix 09-02-21.01 - user 2009-02-24 8:33:43.12 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.511.144 [GMT 1:00]

Running from: c:\documents and settings\user\Pulpit\ComboFix.exe

Command switches used :: c:\documents and settings\user\Pulpit\CFScript.txt

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

* Created a new restore point

FILE ::

c:\windows\system32\mcenspc.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\mcenspc.dll

.

((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))

.

2009-02-09 10:16 . 2008-08-08 07:04 545 --a------ c:\windows\UC.PIF

2009-02-09 10:16 . 2008-08-08 07:04 545 --a------ c:\windows\RAR.PIF

2009-02-09 10:16 . 2008-08-08 07:04 545 --a------ c:\windows\PKZIP.PIF

2009-02-09 10:16 . 2008-08-08 07:04 545 --a------ c:\windows\PKUNZIP.PIF

2009-02-09 10:16 . 2008-08-08 07:04 545 --a------ c:\windows\NOCLOSE.PIF

2009-02-09 10:16 . 2008-08-08 07:04 545 --a------ c:\windows\LHA.PIF

2009-02-09 10:16 . 2008-08-08 07:04 545 --a------ c:\windows\ARJ.PIF

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-24 07:31 --------- d-----w c:\program files\Symantec AntiVirus

2009-02-09 09:16 --------- d-----w c:\program files\TC UP

2008-12-20 23:03 826,368 ----a-w c:\windows\system32\wininet.dll

2008-09-04 09:33 32,768 --sha-w c:\windows\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\MSHist012008090420080905\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-20 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-06-01 86016]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]

"StatusClient 2.6"="c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 61440]

"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 188416]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-01-07 49152]

"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-10-12 102400]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-04-21 125072]

"RTHDCPL"="RTHDCPL.EXE" [2006-05-27 c:\windows\RTHDCPL.exe]

"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

"nwiz"="nwiz.exe" [2006-06-01 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe"=

"%windir%\Network Diagnostic\xpnetdiag.exe"=

"%windir%\system32\sessmgr.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-03 99376]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-04-21 119952]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5592080f-e115-11dc-91d2-0016e61e80eb}]

\Shell\AutoRun\command - F:\USBNB.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5cc006c-d85f-11db-90a0-0016e61e80eb}]

\Shell\AutoRun\command - F:\USBNB.exe

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.uni.opole.pl/shownews.php?lang=pl

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride =

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

TCP: {5B22AF3E-606E-4F95-8EA5-43721C78CD33} = 195.205.69.250,217.173.193.3

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-24 08:34:58

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2009-02-24 8:36:09

ComboFix-quarantined-files.txt 2009-02-24 07:36:03

ComboFix2.txt 2009-02-09 09:32:41

Pre-Run: 33 009 721 344 bytes free

Post-Run: 33,207,676,928 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

104 — E O F — 2009-02-11 08:02:06

Added 24.02.2009 (Tue) 8:40

I happened to be on holiday, so it took me a while. Regards

Clean.

  1. Manually delete the folder C:\Qoobox.

  2. Delete the copies of the malware from the "System Volume Information" folder by temporarily disabling "System Restore":

jessi

Many thanks.