system
(system)
7 April 2006 16:41
#1
I ran RootkitRevealer and this is what it shows:
HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6\ProductName 2005-10-18 15:59 58 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}\DisplayName 2005-10-21 15:44 58 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\PSGuard.com \PSGuard\P.S.Guard\License* 2005-12-21 21:52 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\a347scsi\Config\jdgg40 2006-03-30 13:15 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\a347scsi\Config\jdgg41 2006-04-07 08:59 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\d347prt\Cfg\0Jf40 2006-04-07 08:59 0 bytes Hidden from Windows API.
C:\Documents and Settings\user\Ustawienia lokalne\Temp\~DFD4A6.tmp 2006-04-07 18:15 16.00 KB Hidden from Windows API.
C:\Documents and Settings\user\Ustawienia lokalne\Temp\~DFD4C3.tmp 2006-04-07 18:15 512 bytes Hidden from Windows API.
C:\Documents and Settings\user\Ustawienia lokalne\Temporary Internet Files\Content.IE5\E9W7OV0N\CAGMCGES.HTM 2006-04-07 18:15 1.15 KB Hidden from Windows API.
C:\Program Files\Opera\profile\cache4\opr05KIG.html 2006-04-07 18:15 576 bytes Hidden from Windows API.
C:\Program Files\Opera\profile\cache4\opr05KIH.html 2006-04-07 18:15 576 bytes Hidden from Windows API.
C:\Program Files\Opera\profile\cache4\opr05KII.ico 2006-04-07 18:15 766 bytes Hidden from Windows API.
What should I do about this?
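A small triage helper for RootkitRevealer output of the kind pasted above, added here as an example and not part of the thread. It parses the line layout (path, date, time, size, description) and ranks each discrepancy from a responder's point of view: an embedded-null key name is a hiding trick Regedit cannot display, while the rules that treat a347*/d347* service keys as virtual CD-ROM driver noise and temp/cache files stamped with the scan's own time as transient are my assumptions, not anything the thread states.

```python
import re

# Constructed sample lines in the RootkitRevealer layout used in the post:
# <path> <YYYY-MM-DD> <HH:MM> <size> <description>
SAMPLE = r"""
HKLM\SOFTWARE\PSGuard.com \PSGuard\P.S.Guard\License* 2005-12-21 21:52 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\a347scsi\Config\jdgg40 2006-03-30 13:15 0 bytes Hidden from Windows API.
C:\Program Files\Opera\profile\cache4\opr05KIG.html 2006-04-07 18:15 576 bytes Hidden from Windows API.
HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6\ProductName 2005-10-18 15:59 58 bytes Data mismatch between Windows API and raw hive data.
"""

LINE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d.]+ (?:bytes|KB|MB)) (?P<desc>.+)$")

# Assumption: a347*/d347* are virtual CD-ROM drivers that hide their config keys.
VIRTUAL_DRIVE = re.compile(r"\\Services\\[ad]347[a-z]+\\", re.I)
# Assumption: hidden temp/cache files carrying the scan's own time were created mid-scan.
TRANSIENT = re.compile(r"\\(Temp|Temporary Internet Files|cache\d*)\\", re.I)

def parse(text):
    """Yield one dict per line that matches the RootkitRevealer layout."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groupdict()

def triage(entry, scan_time=None):
    """Return (severity, reason) for one discrepancy line."""
    path, desc, when = entry["path"], entry["desc"], entry["time"]
    if "embedded nulls" in desc:
        return "high", "key name hidden from Regedit; rogue-software trick"
    if desc.startswith("Hidden from Windows API"):
        if VIRTUAL_DRIVE.search(path):
            return "info", "hidden by virtual CD-ROM driver (assumed benign)"
        if TRANSIENT.search(path) and when == scan_time:
            return "low", "temp/cache file created during scan; rescan"
        return "high", "object hidden from API; inspect from offline boot"
    if "Data mismatch" in desc:
        return "medium", "compare API value against raw hive value"
    return "medium", "unclassified discrepancy"

def report(text, scan_time=None):
    """Triage every line and return rows sorted from most to least severe."""
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    rows = [(*triage(e, scan_time), e["path"]) for e in parse(text)]
    return sorted(rows, key=lambda r: order[r[0]])

if __name__ == "__main__":
    for sev, why, path in report(SAMPLE, scan_time="18:15"):
        print(f"{sev:6} {why:52} {path}")
```

Pass the time at which the scan ran as scan_time; with a rescan, anything rated "low" that does not reappear can be dropped from the list.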
Black_rat
(Jem Mirabelki)
7 April 2006 18:10
#2
"C:\Program Files\Opera\profile\cache4\opr05KIG.html 2006-04-07 18:15 576 bytes Hidden from Windows API.
C:\Program Files\Opera\profile\cache4\opr05KIH.html 2006-04-07 18:15 576 bytes Hidden from Windows API.
C:\Program Files\Opera\profile\cache4\opr05KII.ico 2006-04-07 18:15 766 bytes Hidden from Windows API." Which sites have you been visiting? :mrgreen:
First of all, empty (don't delete!) the folder C:\Program Files\Opera\profile\cache4; that's where all the images you viewed in the Opera browser are. Unfortunately I can't help you any further.
Images can carry viruses.
Supposedly you should also empty the TEMP folder (but ask someone to confirm that).
It looks to me like you have/had dealings with the fake program PSGuard.
Open Notepad and paste this into it:
File >>> Save As >>> change the file type from .txt to All Files >> save it under the name FIX.REG
Boot into Safe Mode and run the fix.
Post a log from Silent Runners.
And forget about RR; for now the best program for detecting rootkits is Gmer 8)
system
(system)
8 April 2006 10:54
#4
Silent Runners scan:
"Silent Runners.vbs", revision 44, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]
"Fraps" = "C:\PROGRAM FILES\FRAPS 2.5.5\FRAPS.EXE" [empty string]
"wrzw" = "C:\Program Files\Common Files\wrzw\wrzwm.exe" [file not found]
"PayTime" = "C:\WINDOWS\system32\paytime.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"avast!" = "C:\PROGRA~1\Avast\ashDisp.exe" [null data]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"C-Media Mixer" = "Mixer.exe /startup" ["C-Media Electronic Inc. (http://www.cmedia.com.tw )"]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"Microsoft tool" = "C:\WINDOWS\system32\mstool.exe" [file not found]
"Microsoft Office" = "C:\WINDOWS\system32\msvcp.exe" [file not found]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32\(Default) = "C:\Program Files\Acrobat reader 7.01\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "IeCatch2 Class"
                   \InProcServer32\(Default) = "C:\PROGRA~1\FlashGet\jccatch.dll" ["Amaze Soft"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Avast\ashShell.dll" ["ALWIL Software"]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
  -> {HKLM...CLSID} = "AlcoholShellEx"
                   \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1.2\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Office\Office10\msohev.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {HKLM...CLSID} = "Portable Media Devices"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
  -> {HKLM...CLSID} = "Shell Search Band"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! WgaLogon\DLLName = "WgaLogon.dll" [file not found]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Acrobat reader 7.01\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Avast\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Avast\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Startup items in "user" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\user\Menu Start\Programy\Autostart
"Azureus" -> shortcut to: "C:\Program Files\Azureus 2.3.0.4\Azureus.exe" ["Aelitis"]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Microsoft Office" -> shortcut to: "C:\Program Files\Office\Office10\OSA.EXE -b -l" [MS]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]

{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
"ButtonText" = "FlashGet"
"MenuText" = "&FlashGet"
"Exec" = "C:\PROGRA~1\FlashGet\flashget.exe" ["Amaze Soft"]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Avast\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Avast\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Avast\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Avast\ashWebSv.exe" /service" ["ALWIL Software"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 57 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
  took 17 seconds.
---------- (total run time: 108 seconds)
I don't know what that fix was for, but if it was meant to delete the entry, then mission failed.
I already tried deleting it with RegCleaner, but it keeps coming back.
btw, why couldn't I increase the screen resolution in Safe Mode on the admin account?
Download Gmer,
go to the CMD tab, select regedit.exe >> paste this:
Go to the Processes tab and choose Kill all >>> back to CMD - regedit.exe and click Run.
Then, after rebooting the computer, open Gmer, go to the Rootkit tab >>> Scan >>> wait until the program finishes >>> Copy >> Ctrl+V and paste it into a post.
Post a new log from Silent Runners + HijackThis + Gmer.
If you have PSGuard installed on the computer, get rid of it.
Run a scan with Gmer and delete that key above via right-click.
Search your disk for these files:
Remove them if they are there.
system
(system)
8 April 2006 14:49
#8
I didn't find those files.
I have one more question: how do I delete those hidden files from the first post in the thread? Kaspersky found malware in one of them.