Trojan poszywający się pod rundll32

Jairute · 26 Sierpień 2008 13:19

Tak dokładnie to nie wiem czy to trojan ale na pewno jakiś wirus.

Jakiś czas temu zaczęły się pojawiać dwa procesy pod nazwą Rundll32. Na początku pomyślałem ok to nic takiego ale na następny dzień wywnioskowałem że nie powinno być takich procesów pod tą nazwą, więc zacząłem węszyć. Zauważyłem takie coś…

Rundll32 które uruchamiają się podczas startu systemu:

A Rundll32 które są z Hijackthis’a:

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 15:15:11, on 2008-08-26 Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 SP1 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\system32\DRIVERS\WtSrv.exe C:\WINDOWS\system32\WService.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\PnkBstrB.exe C:\WINDOWS\explorer.exe C:\Program Files\MoorHunt\2\MoorHunt.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\foobar2000\foobar2000.exe C:\Program Files\Mozilla Thunderbird\thunderbird.exe C:\Program Files\Fic_Products\DoctorTweak XP\DrTweakXP.exe C:\WINDOWS\regedit.exe C:\WINDOWS\system32\mspaint.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - (no file) O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe/Adobe Contribute CS3/contributeieplugin.dll O4 - HKLM…\Run: [DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1033 O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM…\Run: [egui] “C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe” /hide /waitservice O4 - HKLM…\Run: [WService] WService.EXE O4 - HKLM…\Run: [bM4f3b6a9b] Rundll32.exe “C:\WINDOWS\system32\ekbcjnad.dll”,s O4 - HKLM…\Run: [4c085907] rundll32.exe “C:\WINDOWS\system32\dorokthm.dll”,b O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’) O8 - Extra context menu item: Ściągnij przy pomocy FlashGet’a - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet’a - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing) O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra ‘Tools’ menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/sezam/components/SignActivX.cab O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\system32\DRIVERS\WtSrv.exe – End of file - 7249 bytes

Mianowicie proces BM4f3b6a9b bo tak się raczej nazywa naprawdę ma dwa inne pliki docelowe. Niby proste do naprawienia ale jak raz usunąłem już te pliki to po kilku dniach znowu zaczęło się od nowa, tutaj proszę was o pomoc. Jedyne co zauważyłem że te procesy blokują dostęp do najczęściej odwiedzanych stron, to tylko to co zauważyłem jak na razie.

Pomocy

pozdrawiam Jairute

PS. Jak temat był to przepraszam ale wśród 1000 stron przy wyszukiwarce zajęłoby mi to z 3 dni ^^

djarta · 26 Sierpień 2008 13:23

Te w/w wpisy sfiksuj w Hijacku:

>>Hijack>>scan(Do a system scan only)>>zaznacz je >> Fix checked

Daj log z -----> ComboFix (niżej na stronie linku).

===============

K.

Leon1 · 26 Sierpień 2008 13:26

wpisy

usuń HijackThisem >> Fix checked

Pobierz program SDFix

Jairute · 26 Sierpień 2008 14:27

Raport z SDFix:

SDFix: Version 1.219 Run by Kamaker on 2008-08-26 at 15:46 Microsoft Windows XP [Wersja 5.1.2600] Running From: C:\SDFix\SDFix Checking Services : Restoring Default Security Values Restoring Default Hosts File Rebooting Checking Files : Trojan Files Found: C:\WINDOWS\system32\wvUnMfec.dll - Deleted C:\DOCUME~1\Kamaker\USTAWI~1\Temp\tmp3D.tmp - Deleted Folder C:\Documents and Settings\Kamaker\Dane aplikacji\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys#w*w.redtube.com - Removed Removing Temp Files ADS Check : Final Check : catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-08-26 16:04:25 Windows 5.1.2600 Dodatek Service Pack 3 NTFS scanning hidden processes … scanning hidden services & system hive … [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40] “khjeh”=hex:20,02,00,00,df,83,a0,6a,0c,a9,dc,6a,c3,5e,5a,a0,f0,c4,14,8f,2f,… “hj34z0”=hex:94,b1,fa,c0,6c,03,4c,d4,da,89,03,fb,bb,6e,cc,cf,89,46,8f,f8,ad,… “hj34z1”=hex:5d,b1,fa,c0,14,03,4c,d4,db,89,02,fb,ba,6e,cc,cf,89,46,8f,f8,d0,… “hj34z2”=hex:5d,b1,fa,c0,14,03,4c,d4,db,89,02,fb,ba,6e,cc,cf,89,46,8f,f8,d0,… “hj34z3”=hex:5d,b1,fa,c0,14,03,4c,d4,db,89,02,fb,ba,6e,cc,cf,89,46,8f,f8,d0,… “hj34z4”=hex:5d,b1,fa,c0,14,03,4c,d4,db,89,02,fb,ba,6e,cc,cf,89,46,8f,f8,d0,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41] “khjeh”=hex:20,02,00,00,df,83,a0,6a,ed,68,49,48,c3,5e,5a,a0,0d,9a,14,8f,2f,… “hj34z0”=hex:c5,b1,fa,c0,6c,03,4c,d4,da,89,03,fb,bb,6e,cc,cf,89,46,8f,f8,40,… “hj34z1”=hex:0c,f2,fc,c0,a4,48,4a,d4,d6,dd,04,fb,d0,32,ca,cf,4e,22,89,f8,f4,… “hj34z2”=hex:66,75,f7,c0,33,cf,41,d4,c9,5d,0f,fb,46,b5,c1,cf,6e,a5,82,f8,01,… “hj34z3”=hex:36,52,ee,c0,e1,e9,58,d4,a5,7b,16,fb,bd,94,d8,cf,19,47,9a,f8,c8,… “hj34z4”=hex:32,1f,e1,c0,b0,b6,57,d4,03,35,19,fb,b1,aa,d7,cf,b6,8d,94,f8,a3,… “hj34z5”=hex:ab,9e,d8,c0,f4,35,6e,d4,12,b4,20,fb,09,2a,ee,cf,15,0d,ad,f8,55,… “hj34z6”=hex:ca,c1,d2,c0,2b,74,64,d4,3d,f4,2a,fb,37,ea,e4,cf,bd,cd,a7,f8,0b,… “hj34z7”=hex:03,c6,d4,c0,df,7e,62,d4,ed,0d,2c,fb,18,e4,e2,cf,87,d7,a1,f8,a9,… “hj34z8”=hex:7b,fb,ce,c0,49,53,78,d4,48,df,36,fb,73,32,f8,cf,76,24,bb,f8,e5,… “hj34z9”=hex:81,5c,c3,c0,f7,f0,75,d4,33,70,3b,fb,54,91,f5,cf,7a,43,b5,f8,29,… “hj34z10”=hex:ef,d7,c5,c0,98,6f,73,d4,be,fb,3d,fb,84,16,f3,cf,9e,38,b0,f8,20,… “hj34z11”=hex:19,09,be,c0,e1,be,08,d4,7e,4a,46,fb,ec,a7,88,cf,8f,89,cb,f8,66,… “hj34z12”=hex:ee,54,b3,c0,2a,e8,05,d4,12,79,4b,fb,ee,98,85,cf,56,bd,c6,f8,b9,… “hj34z13”=hex:e4,40,b4,c0,35,f4,02,d4,52,75,4c,fb,4b,6f,83,cf,d0,41,c0,f8,11,… “hj34z14”=hex:9d,6f,a9,c0,1c,e7,1f,d4,94,60,51,fb,2c,80,9f,cf,57,b5,dc,f8,f5,… “hj34z15”=hex:bb,1f,a2,c0,1b,b7,14,d4,e2,30,5a,fb,d8,d0,94,cf,02,85,d7,f8,64,… “hj34z16”=hex:49,d5,a7,c0,36,6a,11,d4,f4,e7,5f,fb,86,1d,91,cf,c0,3e,d2,f8,85,… “hj34z17”=hex:5d,b1,fa,c0,14,03,4c,d4,db,89,02,fb,ba,6e,cc,cf,89,46,8f,f8,d0,… “hj34z18”=hex:5d,b1,fa,c0,14,03,4c,d4,db,89,02,fb,ba,6e,cc,cf,89,46,8f,f8,d0,… “hj34z19”=hex:5d,b1,fa,c0,14,03,4c,d4,db,89,02,fb,ba,6e,cc,cf,89,46,8f,f8,d0,… “hj34z20”=hex:5d,b1,fa,c0,14,03,4c,d4,db,89,02,fb,ba,6e,cc,cf,89,46,8f,f8,d0,… “hj34z21”=hex:5d,b1,fa,c0,14,03,4c,d4,db,89,02,fb,ba,6e,cc,cf,89,46,8f,f8,d0,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42] “khjeh”=hex:20,02,00,00,df,83,a0,6a,f7,f2,55,49,c3,5e,5a,a0,c4,d5,14,8f,2f,… “hj34z0”=hex:94,b0,fa,c0,7c,02,4c,d4,da,89,03,fb,bb,6e,cc,cf,89,46,8f,f8,37,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf43] “khjeh”=hex:20,02,00,00,df,83,a0,6a,5d,41,2d,50,c3,5e,5a,a0,cb,d5,14,8f,2f,… “hj34z0”=hex:9b,b0,fa,c0,7c,02,4c,d4,da,89,03,fb,bb,6e,cc,cf,89,46,8f,f8,0a,… scanning hidden registry entries … scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services : Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] “%windir%\system32\sessmgr.exe”="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" “C:\Program Files\FlashGet\flashget.exe”=“C:\Program Files\FlashGet\flashget.exe:*:Enabled:FlashGet” “C:\GRY\Battlefield 2\BF2.exe”=“C:\GRY\Battlefield 2\BF2.exe:*:Enabled:Battlefield 2” “%windir%\Network Diagnostic\xpnetdiag.exe”="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" “C:\Program Files\Bonjour\mDNSResponder.exe”=“C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour” “C:\Program Files\FlashFXP\FlashFXP.exe”=“C:\Program Files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3” “C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe”=“C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:*:Enabled:Adobe Version Cue CS3 Server” “C:\GRY\Battlefield 2142 Deluxe Edition\BF2142.exe”=“C:\GRY\Battlefield 2142 Deluxe Edition\BF2142.exe:*:Enabled:Battlefield 2142” “C:\Program Files\Konnekt\konnekt.exe”=“C:\Program Files\Konnekt\konnekt.exe:*:Enabled:Konnekt - Core” “C:\Program Files\VertrigoServ\Mysql\bin\v_mysqld.exe”=“C:\Program Files\VertrigoServ\Mysql\bin\v_mysqld.exe:*:Enabled:v_mysqld” “C:\Program Files\VertrigoServ\Apache\bin\v_apache.exe”=“C:\Program Files\VertrigoServ\Apache\bin\v_apache.exe:*:Enabled:Apache HTTP Server” “C:\GRY\Battlefield 2 Deluxe Edition\BF2.exe”=“C:\GRY\Battlefield 2 Deluxe Edition\BF2.exe:*:Enabled:BF2” “C:\WINDOWS\system32\dplaysvr.exe”=“C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper” “C:\SYFY\Heroes\Heroes\Heroes\Heroes 3 Full\h3blade.exe”=“C:\SYFY\Heroes\Heroes\Heroes\Heroes 3 Full\h3blade.exe:*:Enabled:Heroes of Might and Magic III” “C:\SYFY\Heroes\Heroes\Heroes\Heroes 3 Full\Heroes3.exe”=“C:\SYFY\Heroes\Heroes\Heroes\Heroes 3 Full\Heroes3.exe:*:Enabled:Heroes of Might and MagicR III” “C:\SYFY\Heroes\Heroes\Heroes\Heroes 3 Full\Heroes 3 Full\Heroes3.exe”=“C:\SYFY\Heroes\Heroes\Heroes\Heroes 3 Full\Heroes 3 Full\Heroes3.exe:*:Enabled:Heroes of Might and MagicR III” “C:\GRY\Heroes of Might and Magic III - Zlota Edycja\Heroes3.exe”=“C:\GRY\Heroes of Might and Magic III - Zlota Edycja\Heroes3.exe:*:Enabled:Heroes of Might and MagicR III” “C:\Program Files\Electronic Arts\EADM\Core.exe”=“C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager” “C:\GRY\teeworlds-0.4.2-win32\teeworlds_srv.exe”=“C:\GRY\teeworlds-0.4.2-win32\teeworlds_srv.exe:*:Enabled:teeworlds_srv” “C:\Program Files\Opera\opera.exe”=“C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser” “C:\GRY\Warcraft III\Warcraft III.exe”=“C:\GRY\Warcraft III\Warcraft III.exe:*:Enabled:Warcraft III” “C:\Program Files\Xfire\xfire.exe”=“C:\Program Files\Xfire\xfire.exe:*:Enabled:Xfire” “C:\Program Files\Paltalk Messenger\paltalk.exe”=“C:\Program Files\Paltalk Messenger\paltalk.exe:*:Disabled:PaltalkScene” [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] “%windir%\system32\sessmgr.exe”="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" “%windir%\Network Diagnostic\xpnetdiag.exe”="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" “C:\Program Files\FlashFXP\FlashFXP.exe”=“C:\Program Files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3” Remaining Files : File Backups: - C:\SDFix\SDFix\backups\backups.zip Files with Hidden Attributes : Mon 22 Jul 2002 418,816 …HR — “C:\WINDOWS\system32\Tools\All.exe” Fri 19 Jul 2002 390,144 …HR — “C:\WINDOWS\system32\Tools\Change.exe” Fri 19 Jul 2002 574,464 …HR — “C:\WINDOWS\system32\Tools\CheckPath.exe” Tue 20 Aug 2002 430,592 …HR — “C:\WINDOWS\system32\Tools\Counter.exe” Tue 23 Jul 2002 390,656 …HR — “C:\WINDOWS\system32\Tools\DelFolders.exe” Fri 22 Nov 2002 399,872 …HR — “C:\WINDOWS\system32\Tools\DirectSetup.exe” Fri 19 Jul 2002 388,096 …HR — “C:\WINDOWS\system32\Tools\RegClean.exe” Fri 19 Jul 2002 388,608 …HR — “C:\WINDOWS\system32\Tools\Regexe.exe” Mon 2 Dec 2002 431,616 …HR — “C:\WINDOWS\system32\Tools\Restart.exe” Fri 19 Jul 2002 388,096 …HR — “C:\WINDOWS\system32\Tools\RunRegexe.exe” Finished!

Raport z Combofix:

ComboFix 08-08-25.01 - Kamaker 2008-08-26 16:12:11.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.569 [GMT 2:00] Running from: C:\Documents and Settings\Kamaker\Pulpit\ComboFix.exe Command switches used :: C:\Documents and Settings\Kamaker\Pulpit\CFScript.txt * Created a new restore point * Resident AV is active WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED FILE :: C:\WINDOWS\system32\dorokthm.dll C:\WINDOWS\system32\ekbcjnad.dll . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\Kamaker\Cookies\kamaker@www.9pen[2].txt C:\WINDOWS\BM4f3b6a9b.txt C:\WINDOWS\BM4f3b6a9b.xml C:\WINDOWS\pskt.ini C:\WINDOWS\system32\adhcumlp.ini C:\WINDOWS\system32\ajgrjmiy.ini C:\WINDOWS\system32\akjmgsvv.ini C:\WINDOWS\system32\akssopmy.ini C:\WINDOWS\system32\ankeuuke.dll C:\WINDOWS\system32\axlqlybh.dll C:\WINDOWS\system32\bdlidqrg.dll C:\WINDOWS\system32\cfdenokg.ini C:\WINDOWS\system32\csdencxl.ini C:\WINDOWS\system32\dataulov.ini C:\WINDOWS\system32\dbqeuaed.dll C:\WINDOWS\system32\derfvjqj.dll C:\WINDOWS\system32\dorokthm.dll C:\WINDOWS\system32\dpgrhtfu.dll C:\WINDOWS\system32\dtcuonvt.dll C:\WINDOWS\system32\dycmrjfy.dll C:\WINDOWS\system32\ehsxregs.dll C:\WINDOWS\system32\ekbcjnad.dll C:\WINDOWS\system32\eqwwdsvt.dll C:\WINDOWS\system32\fccbYOfF.dll C:\WINDOWS\system32\fdlnatmd.dll C:\WINDOWS\system32\FfOYbccf.ini C:\WINDOWS\system32\FfOYbccf.ini2 C:\WINDOWS\system32\fjmppvaj.dll C:\WINDOWS\system32\fpbjydxl.dll C:\WINDOWS\system32\hbugxhoh.ini C:\WINDOWS\system32\hbylqlxa.ini C:\WINDOWS\system32\hohxgubh.dll C:\WINDOWS\system32\huikirgt.ini C:\WINDOWS\system32\hyhraewu.dll C:\WINDOWS\system32\icstfmjn.dll C:\WINDOWS\system32\iodiofvp.dll C:\WINDOWS\system32\ixrrhaqm.dll C:\WINDOWS\system32\javppmjf.ini C:\WINDOWS\system32\jcgmbhws.ini C:\WINDOWS\system32\jcqflbho.dll C:\WINDOWS\system32\jocyfvug.dll C:\WINDOWS\system32\jtigfrkt.ini C:\WINDOWS\system32\jxcaxljh.dll C:\WINDOWS\system32\kabwsmpv.dll C:\WINDOWS\system32\kudvlvwi.dll C:\WINDOWS\system32\kvhlrtus.dll C:\WINDOWS\system32\kwjrqcxq.ini C:\WINDOWS\system32\lbistium.dll C:\WINDOWS\system32\lcpebkdp.ini C:\WINDOWS\system32\lkekxwpp.dll C:\WINDOWS\system32\lndibbks.ini C:\WINDOWS\system32\ltncplqj.dll C:\WINDOWS\system32\lwoujpmr.dll C:\WINDOWS\system32\lxcnedsc.dll C:\WINDOWS\system32\lxdyjbpf.ini C:\WINDOWS\system32\mcrh.tmp C:\WINDOWS\system32\mhtkorod.ini C:\WINDOWS\system32\mkxamliw.dll C:\WINDOWS\system32\mldlcqph.dll C:\WINDOWS\system32\mqahrrxi.ini C:\WINDOWS\system32\mqvfngya.dll C:\WINDOWS\system32\msuxysev.dll C:\WINDOWS\system32\oaggulyb.ini C:\WINDOWS\system32\ofpdlidj.dll C:\WINDOWS\system32\ohblfqcj.ini C:\WINDOWS\system32\ontgjupx.dll C:\WINDOWS\system32\osjhawmp.dll C:\WINDOWS\system32\pavtygrv.dll C:\WINDOWS\system32\pdkbepcl.dll C:\WINDOWS\system32\pdwjpefb.ini C:\WINDOWS\system32\plmuchda.dll C:\WINDOWS\system32\ptfffgxk.ini C:\WINDOWS\system32\qbkyrrto.dll C:\WINDOWS\system32\qdpsvbdp.ini C:\WINDOWS\system32\qevigvpu.ini C:\WINDOWS\system32\qfufvvpt.dll C:\WINDOWS\system32\qofsffwm.ini C:\WINDOWS\system32\qrwjuhir.dll C:\WINDOWS\system32\qvcuyexy.dll C:\WINDOWS\system32\qxcqrjwk.dll C:\WINDOWS\system32\raivcsil.dll C:\WINDOWS\system32\rhkpsbru.ini C:\WINDOWS\system32\rirexjei.ini C:\WINDOWS\system32\riylokhe.ini C:\WINDOWS\system32\rmpjuowl.ini C:\WINDOWS\system32\rrkxqviq.ini C:\WINDOWS\system32\rsmbmlay.ini C:\WINDOWS\system32\sdsbvvbw.dll C:\WINDOWS\system32\sjndbtwa.ini C:\WINDOWS\system32\skbbidnl.dll C:\WINDOWS\system32\SkypeComm.dll C:\WINDOWS\system32\sslfvwlc.dll C:\WINDOWS\system32\swhbmgcj.dll C:\WINDOWS\system32\swpocebo.dll C:\WINDOWS\system32\tgrikiuh.dll C:\WINDOWS\system32\tkrfgitj.dll C:\WINDOWS\system32\tnnwhuqp.ini C:\WINDOWS\system32\tpvvfufq.ini C:\WINDOWS\system32\tvnouctd.ini C:\WINDOWS\system32\tvsdwwqe.ini C:\WINDOWS\system32\ugjefrfx.ini C:\WINDOWS\system32\uvitalkx.dll C:\WINDOWS\system32\uwearhyh.ini C:\WINDOWS\system32\uwkemvmk.dll C:\WINDOWS\system32\vfnfhfll.ini C:\WINDOWS\system32\visbxikv.dll C:\WINDOWS\system32\vmaxcpap.ini C:\WINDOWS\system32\voluatad.dll C:\WINDOWS\system32\vrgytvap.ini C:\WINDOWS\system32\vvsgmjka.dll C:\WINDOWS\system32\wdobjnlj.ini C:\WINDOWS\system32\wilmaxkm.ini C:\WINDOWS\system32\wodrooon.dll C:\WINDOWS\system32\wpcjvllj.dll C:\WINDOWS\system32\wreclbmt.dll C:\WINDOWS\system32\wxidukss.ini C:\WINDOWS\system32\xnpukiqt.ini C:\WINDOWS\system32\yayxvSJd.dll C:\WINDOWS\system32\yimjrgja.dll C:\WINDOWS\system32\yjiyhxmc.dll C:\WINDOWS\system32\ytvrjufi.dll C:\WINDOWS\system32\yxeyucvq.ini C:\WINDOWS\WINDOWS . ((((((((((((((((((((((((( Files Created from 2008-07-26 to 2008-08-26 ))))))))))))))))))))))))))))))) . 2008-08-26 15:44 . 2008-08-26 15:44 580,096 --a–c— C:\WINDOWS\system32\dllcache\user32.dll 2008-08-26 15:38 . 2008-08-26 15:39 2008-08-26 15:34 . 2008-08-26 15:34 2008-08-24 23:38 . 2008-08-24 23:38 2008-08-24 23:38 . 2008-08-24 23:38 2008-08-24 10:23 . 2008-08-24 10:23 2008-08-16 19:31 . 2008-08-16 19:31 2008-08-13 00:08 . 2008-08-13 00:08 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll 2008-08-11 10:44 . 2008-08-11 10:44 2008-08-10 13:34 . 2008-08-12 18:41 2008-07-31 13:42 . 2008-07-31 13:42 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-08-26 13:34 --------- d-----w C:\Documents and Settings\Kamaker\Dane aplikacji\foobar2000 2008-08-26 12:52 --------- d-----w C:\Program Files\Mozilla Thunderbird 2008-08-26 10:38 137,312 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys 2008-08-26 10:37 111,928 ----a-w C:\WINDOWS\system32\PnkBstrB.exe 2008-08-26 10:33 --------- d-----w C:\Documents and Settings\Kamaker\Dane aplikacji\teamspeak2 2008-08-25 23:33 --------- d-----w C:\Program Files\FlashGet 2008-08-25 19:05 --------- d-----w C:\Program Files\NAPI-PROJEKT 2008-08-25 11:02 --------- d-----w C:\Program Files\Xfire 2008-08-25 09:33 --------- d-----w C:\Documents and Settings\Kamaker\Dane aplikacji\Xfire 2008-07-31 11:54 --------- d—a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP 2008-07-29 11:27 --------- d-----w C:\Program Files\G-PEN SERIES 2008-07-26 09:47 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\TrackMania 2008-07-25 14:37 528,345,264 ----a-w C:\tmnationsforever_setup.exe 2008-07-24 11:52 --------- d-----w C:\Program Files\Mozilla Firefox3 2008-07-23 10:00 --------- d-----w C:\Program Files\America’s Army Server Manager 2008-07-18 17:14 143,360 ----a-w C:\WINDOWS\system32\neqrmkej.exe 2008-07-15 22:47 86,034 ----a-w C:\foo_audioscrobbler-1.3.15.zip 2008-07-15 22:47 182,818 ----a-w C:\up169.zip 2008-07-13 20:37 --------- d-----w C:\Program Files\Game Cam V2 2008-07-12 22:52 --------- d–h--w C:\Program Files\InstallShield Installation Information 2008-07-12 22:52 --------- d-----w C:\Program Files\SSH Communications Security 2008-07-12 22:36 454,656 ----a-w C:\putty.exe 2008-07-12 22:30 --------- d-----w C:\Program Files\FlashFXP 2008-07-12 20:35 --------- d-----w C:\Program Files\AskPBar 2008-07-12 20:34 --------- d-----w C:\Program Files\Unlocker 2008-07-12 18:44 33,952 ----a-w C:\WINDOWS\system32\drivers\oreans32.sys 2008-07-12 09:43 --------- d-----w C:\Program Files\Paltalk Messenger 2008-07-12 09:43 --------- d-----w C:\Documents and Settings\Kamaker\Dane aplikacji\Paltalk 2008-07-11 15:36 --------- d-----w C:\Documents and Settings\Kamaker\Dane aplikacji\Touchstone 2008-07-10 19:40 --------- d-----w C:\Documents and Settings\Kamaker\Dane aplikacji\Ventrilo 2008-07-10 19:39 --------- d-----w C:\Program Files\Ventrilo 2008-07-10 19:39 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-07-03 20:53 --------- d-----w C:\Program Files\The KMPlayer 2008-07-03 00:01 --------- d-----w C:\Documents and Settings\Kamaker\Dane aplikacji\Hamachi 2008-07-02 16:31 --------- d-----w C:\Program Files\Hamachi 2008-07-02 16:30 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys 2008-07-01 11:09 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE 2008-07-01 11:09 249,856 ------w C:\WINDOWS\Setup1.exe 2008-07-01 11:09 --------- d-----w C:\Program Files\ColorLab 2008-07-01 10:54 --------- d-----w C:\Documents and Settings\Kamaker\Dane aplikacji\Desktopicon 2008-06-23 21:48 8,190 ----a-w C:\WINDOWS\system32\ealregsnapshot1.reg 2008-06-15 17:29 98 --sh–w C:\Program Files\desktop.ini 2008-05-30 14:07 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll 2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2008-04-14 22:51 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “DAEMON Tools-1033”=“C:\Program Files\D-Tools\daemon.exe” [2004-08-22 17:05 81920] “egui”=“C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe” [2007-11-23 21:51 1410304] “WService”=“WService.EXE” [2005-11-23 10:06 40960 C:\WINDOWS\system32\WService.exe] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” [2008-04-14 22:51 15360] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] “DisableStatusMessages”= 1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] “NoStartMenuMFUprogramsList”= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] “VIDC.FFDS”= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll “VIDC.ACDV”= ACDV.dll “VIDC.XFR1”= xfcodec.dll [HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile] “EnableFirewall”= 0 (0x0) [HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] “%windir%\system32\sessmgr.exe”= “C:\Program Files\FlashGet\flashget.exe”= “%windir%\Network Diagnostic\xpnetdiag.exe”= “C:\Program Files\Bonjour\mDNSResponder.exe”= “C:\Program Files\FlashFXP\FlashFXP.exe”= “C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe”= “C:\GRY\Battlefield 2142 Deluxe Edition\BF2142.exe”= “C:\Program Files\Konnekt\konnekt.exe”= “C:\Program Files\VertrigoServ\Mysql\bin\v_mysqld.exe”= “C:\Program Files\VertrigoServ\Apache\bin\v_apache.exe”= “C:\GRY\Battlefield 2 Deluxe Edition\BF2.exe”= “C:\WINDOWS\system32\dplaysvr.exe”= “C:\GRY\Heroes of Might and Magic III - Zlota Edycja\Heroes3.exe”= “C:\Program Files\Electronic Arts\EADM\Core.exe”= “C:\GRY\teeworlds-0.4.2-win32\teeworlds_srv.exe”= “C:\Program Files\Opera\opera.exe”= “C:\GRY\Warcraft III\Warcraft III.exe”= “C:\Program Files\Xfire\xfire.exe”= [HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] “3703:TCP”= 3703:TCP:Adobe Version Cue CS3 Server “3704:TCP”= 3704:TCP:Adobe Version Cue CS3 Server “50900:TCP”= 50900:TCP:Adobe Version Cue CS3 Server “50901:TCP”= 50901:TCP:Adobe Version Cue CS3 Server “8461:TCP”= 8461:TCP:GoD High Port “8462:TCP”= 8462:TCP:GoD Low Port R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-11-23 21:52] R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2008-07-12 20:44] S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 14:18] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{5a55b86a-2b5f-11dd-9d9e-00304f299322}] \Shell\AutoRun\command - wscript.exe …vbs \Shell\open\command - wscript.exe …vbs [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{d44fe1d2-1f9e-11dd-9d82-00304f299322}] \Shell\AutoRun\command - F:\autorun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{d44fe1d4-1f9e-11dd-9d82-00304f299322}] \Shell\AutoRun\command - H:_AUTORUN\AUTORUN.EXE [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{d44fe1d5-1f9e-11dd-9d82-00304f299322}] \Shell\AutoRun\command - I:\Autorun.exe . - - - - ORPHANS REMOVED - - - - WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file) HKLM-Run-Cmaudio - cmicnfg.cpl Notify-WgaLogon - (no file) ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-08-26 16:21:35 Windows 5.1.2600 Dodatek Service Pack 3 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\WINDOWS\system32\ati2evxx.exe C:\WINDOWS\system32\ati2evxx.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\system32\drivers\WTSrv.exe C:\WINDOWS\system32\wscntfy.exe . ************************************************************************** . Completion time: 2008-08-26 16:29:19 - machine was rebooted [Kamaker] ComboFix-quarantined-files.txt 2008-08-26 14:28:33 Pre-Run: 5,199,208,448 bajtów wolnych Post-Run: 5,105,520,640 bajt˘w wolnych 291 — E O F — 2008-05-28 13:52:46

Leon1 · 26 Sierpień 2008 18:16

Otwórz notatnik i wklej

zapisz jako plik.reg >> wszystkie pliki >> scal z rejestrem >> restart

powstanie plik o takiej ikonie

w który dwa razy klikniesz potwierdzisz chęć dodania do rejestru potem restart

Pobierz CCleaner http://www.filehippo.com/download_ccleaner/

przeskanuj nim i wyczyść rejestr.

zrób optymalizacje uruchamiania

http://cybertrash.netarteria.pl/cyber/i … 378.0.html

usuń ręcznie folder C: \Qoobox usuń instalkę Combofix z dysku.

Wyłącz I włącz przywracanie systemu na wszystkich dyskach.http://support.microsoft.com/kb/310405/pl

przeskanuj obszar Mój komputer http://www.kaspersky.pl/virusscanner.html pokaż raport stronę uruchomić przez IE

lub

Dr.WEB CureIt! http://dobreprogramy.pl/index.php?dz=2 … It!+4.44.5

Jairute · 26 Sierpień 2008 21:14

Wszystko zrobiłem oprócz tego skanowanie przez neta Kasperskim bo IE się nie włącza.

A do tego “lub” to po skanowaniu znalazło się tylko to:

http://b.imagehost.org/0863/swd.jpg

Leon1 · 26 Sierpień 2008 21:30

trzeba było go usunąć wyczyść kwarantannę

powinno być OK

Jairute · 27 Sierpień 2008 16:40

To może przy okazji spytam czy wiecie czemu jak wchodzę na stronę do pomiaru prędkości to jest taka jaką oczekuje a gdy wchodzę do gry Battlefield2142 to pingi skaczą od 150 do 200 a przy tym łączu powinny być do 60?

Jairute · 31 Sierpień 2008 10:34

Sorry że post pod postem ale mam problem z wyłączaniem komputera, jak klikam w start i wyłącz komputer to sie zacina komp i nic się nie da zrobić.