Trojan Vundo

ComboFix 08-05-26.2 - Piotrek 2008-05-28 9:05:15.1 - NTFSx86 NETWORK

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.620 [GMT 2:00]

Running from: C:\Documents and Settings\Piotrek\Moje dokumenty\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\system32\khfEWQkh.dll

.

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-28 )))))))))))))))))))))))))))))))

.

2008-05-28 08:42 . 2008-05-28 08:44

2008-05-24 23:00 . 2008-05-25 13:53 23 --a------ C:\WINDOWS\BlendSettings.ini

2008-05-24 11:04 . 2008-05-24 11:04

2008-05-24 10:47 . 2008-05-27 08:57

2008-05-23 22:30 . 2008-05-23 22:30

2008-05-23 22:30 . 2007-05-23 16:58 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys

2008-05-23 22:30 . 2007-05-23 16:58 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys

2008-05-23 22:30 . 2007-05-23 16:58 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys

2008-05-23 22:30 . 2007-05-23 16:58 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys

2008-05-23 22:30 . 2007-05-23 16:58 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys

2008-05-23 22:29 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll

2008-05-22 23:24 . 2008-03-15 17:57 199,445 --a------ C:\Documents and Settings\Piotrek\Dane aplikacji\toolbar.dll

2008-05-22 23:24 . 2008-05-22 23:24 57,344 --a------ C:\WINDOWS\system32\tuvTNeDT.dll.vir

2008-05-21 15:58 . 2008-05-27 23:17

2008-05-20 12:14 . 2008-05-20 12:14

2008-05-14 08:41 . 2008-05-14 08:41

2008-05-14 08:40 . 2008-05-14 08:40

2008-05-13 14:36 . 2008-05-13 14:36

2008-05-13 14:36 . 2008-05-13 14:36

2008-05-12 20:22 . 2008-05-12 20:22

2008-05-12 20:22 . 1996-11-05 16:13 299,008 --a------ C:\WINDOWS\uninst.exe

2008-05-11 20:38 . 2008-05-11 20:38

2008-05-11 20:10 . 2008-05-11 20:10

2008-05-10 09:02 . 2008-03-05 15:56 3,786,760 --a------ C:\WINDOWS\system32\D3DX9_37.dll

2008-05-10 09:02 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll

2008-05-10 09:02 . 2008-03-05 15:56 1,420,824 --a------ C:\WINDOWS\system32\D3DCompiler_37.dll

2008-05-10 09:02 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll

2008-05-10 09:02 . 2008-03-05 16:03 479,752 --a------ C:\WINDOWS\system32\XAudio2_0.dll

2008-05-10 09:02 . 2008-02-05 23:07 462,864 --a------ C:\WINDOWS\system32\d3dx10_37.dll

2008-05-10 09:02 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll

2008-05-10 09:02 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll

2008-05-10 09:02 . 2008-03-05 16:03 238,088 --a------ C:\WINDOWS\system32\xactengine3_0.dll

2008-05-10 09:02 . 2008-03-05 16:00 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_3.dll

2008-05-09 10:01 . 2008-05-09 10:01

2008-05-09 10:01 . 2008-05-09 10:01

2008-05-04 18:31 . 2008-05-04 18:31

2008-05-03 16:27 . 2008-05-03 16:27

2008-04-30 16:01 . 2008-04-30 20:20

2008-04-30 15:55 . 2008-04-30 15:55 192 --a------ C:\WINDOWS\disneysy.ini

2008-04-30 15:55 . 2008-05-04 16:09 108 --a------ C:\WINDOWS\disney.ini

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-24 20:38 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-05-10 08:27 --------- d-----w C:\Program Files\Common Files\InstallShield

2008-05-10 06:26 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

2008-04-21 09:46 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Microsoft Help

2008-04-20 18:15 --------- d-----w C:\Documents and Settings\Piotrek\Dane aplikacji\Leadertech

2008-04-19 21:25 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

2008-04-19 21:22 --------- d-----w C:\Documents and Settings\Piotrek\Dane aplikacji\Corel

2008-04-18 14:24 --------- d-----w C:\Documents and Settings\Piotrek\Dane aplikacji\CyberLink

2008-04-18 14:24 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\CyberLink

2008-04-12 10:26 278,984 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys

2008-04-12 10:26 25,416 ----a-w C:\WINDOWS\system32\drivers\lirsgt.sys

2008-04-11 21:32 --------- d-----w C:\Program Files\Real Alternative

2008-04-11 21:32 --------- d-----w C:\Program Files\Media Player Classic

2008-04-11 21:32 --------- d-----w C:\Documents and Settings\Piotrek\Dane aplikacji\Media Player Classic

2008-04-11 20:03 --------- d-----w C:\Program Files\Common Files\Adobe

2008-04-11 15:18 --------- d-----w C:\Program Files\Common Files\LightScribe

2008-04-11 15:16 --------- d-----w C:\Program Files\Common Files\Ahead

2008-04-11 15:16 --------- d-----w C:\Program Files\Ahead

2008-04-11 15:14 --------- d-----w C:\Program Files\CyberLink

2008-04-11 11:23 2,560 ----a-w C:\WINDOWS\system32\bitcometres.dll

2008-04-11 10:55 --------- d-----w C:\Documents and Settings\Piotrek\Dane aplikacji\HP

2008-04-11 10:54 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\HP

2008-04-11 10:52 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Corel

2008-04-11 10:51 --------- d-----w C:\Program Files\Corel

2008-04-11 10:51 --------- d-----w C:\Program Files\Common Files\Corel

2008-04-11 10:50 --------- d-----w C:\Program Files\Common Files\HP

2008-04-11 10:49 --------- d-----w C:\Program Files\Hewlett-Packard

2008-04-11 10:48 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard

2008-04-11 10:47 --------- d-----w C:\Program Files\HP

2008-04-11 10:35 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\WinZip

2008-04-11 10:24 --------- d-----w C:\Program Files\Microsoft Works

2008-04-11 10:23 --------- d-----w C:\Program Files\MSBuild

2008-04-11 10:16 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\DAEMON Tools Pro

2008-04-11 10:15 --------- d-----w C:\Documents and Settings\Piotrek\Dane aplikacji\DAEMON Tools Pro

2008-04-11 10:05 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys

2008-04-10 19:13 --------- d-----w C:\Program Files\ffdshow

2008-04-10 18:05 --------- d-----w C:\Documents and Settings\Piotrek\Dane aplikacji\Winamp

2008-04-10 17:54 --------- d-----w C:\Documents and Settings\Piotrek\Dane aplikacji\Gadu-Gadu

2008-04-10 17:40 --------- d-----w C:\Program Files\Alwil Software

2008-04-10 17:26 55,808 ----a-w C:\WINDOWS\ALCFDRTM.EXE

2008-04-10 17:22 --------- d-----w C:\Program Files\Realtek Sound Manager

2008-04-10 17:22 --------- d-----w C:\Program Files\AvRack

2008-04-10 17:04 --------- d-----w C:\Program Files\microsoft frontpage

2008-04-10 17:02 --------- d-----w C:\Program Files\Usługi online

2004-10-01 13:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]

"BitComet"="E:\Programy\BitComet\BitComet.exe" [2008-02-01 09:20 2194744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-06-15 11:20 6803456]

"nwiz"="nwiz.exe" [2005-06-15 11:20 1519616 C:\WINDOWS\system32\nwiz.exe]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-06-15 11:20 86016]

"SoundMan"="SOUNDMAN.EXE" [2003-03-27 10:34 53248 C:\WINDOWS\SOUNDMAN.EXE]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 01:19 79224]

"HP Software Update"="E:\Programy\All-In one\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

HP Digital Imaging Monitor.lnk - E:\Programy\All-In one\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Synchronizer.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Synchronizer.lnk

backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^WinZip Quick Pick.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\WinZip Quick Pick.lnk

backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM~\startupfolder\C:^Documents and Settings^Piotrek^Menu Start^Programy^Autostart^PowerReg Scheduler V3.exe]

path=C:\Documents and Settings\Piotrek\Menu Start\Programy\Autostart\PowerReg Scheduler V3.exe

backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-01-11 22:16 39792 E:\Programy\Adobe Reader 8 Pl\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]

--a------ 2008-02-01 09:20 2194744 E:\Programy\BitComet\BitComet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]

--a------ 2007-09-06 15:08 136136 E:\Programy\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

--a------ 2004-11-02 20:24 32768 E:\Programy\Nero\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

--a------ 2008-04-01 20:49 36352 e:\Programy\Winamp\winampa.exe

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"=

"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"=

"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"=

"E:\Programy\BitComet\BitComet.exe"=

"E:\Programy\Gadu-Gadu\gg.exe"=

"E:\Programy\eMule\emule.exe"=

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"19662:TCP"= 19662:TCP:BitComet 19662 TCP

"19662:UDP"= 19662:UDP:BitComet 19662 UDP

"26385:TCP"= 26385:TCP:BitComet 26385 TCP

"26385:UDP"= 26385:UDP:BitComet 26385 UDP

S1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]

S2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]

\Shell\AutoRun\command - J:\OblivionLauncher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]

\Shell\AutoRun\command - K:\OblivionLauncher.exe

*Newly Created Service* - CATCHME

.

Contents of the 'Scheduled Tasks' folder

"2008-05-22 21:28:09 C:\WINDOWS\Tasks\At1.job"

  • C:\Documents and Settings\Piotrek\Dane aplikacji\wunauclt.exe

"2008-05-22 21:28:09 C:\WINDOWS\Tasks\At2.job"

  • C:\Documents and Settings\Piotrek\Dane aplikacji\wunauclt.exe

"2008-05-22 21:28:09 C:\WINDOWS\Tasks\At3.job"

  • C:\Documents and Settings\Piotrek\Dane aplikacji\wunauclt.exe

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-28 09:06:24

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-05-28 9:06:44

ComboFix-quarantined-files.txt 2008-05-28 07:06:42

Pre-Run: 24,283,369,472 bajtów wolnych

Post-Run: 24,369,180,672 bajtów wolnych


renegat_8384,

Important

Because of the change that now applies to pasting logs in this section, read and follow the Topic

Download ComboFix, but do not run it

Paste into Notepad:

File::

C:\Documents and Settings\Piotrek\Dane aplikacji\toolbar.dll

C:\WINDOWS\system32\tuvTNeDT.dll.vir


Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]

File -> Save As -> CFScript.txt (it will be most convenient if you save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)

Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, like here ->

[animated image: 02f8f1e3c410a4cc.gif]

The removal will start and a log will be produced; post that log on the forum.

Post your logs on http://www.wklej.org