VIRY.CZ

Jeste jsem zkousel Gmer na druhem PC se stejnym problemem. V logu je toho vic. Poznate z toho neco?


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-18 10:25:52
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST380215A rev.3.AAC
Running: gmer.exe; Driver ...

Bud je cisty nebo je trojan dobre zamaskovany. Momentane dnes rano i dopoledne zadne spojeni svchost nenavazal. Zajimave, prece se to samo neodstranilo.

Gmer bohuzel taky nic

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-17 09:36:29
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST380215A rev.3.AAC
Running: gmer.exe; Driver: C:\DOCUME~1\ECUSER\LOCALS~1\Temp\pwlcipow.sys


---- Registry - GMER 1.0.15 ...

No vypada to spise na nejaky botnet. Jiz zminene spojeni se navazuje jen v urcitych casech (spise dopoledne). Den po "utoku" (kdy se na pc pripojil nejaky trojan pres RDP) se cca na 3 hodiny zvysil traffic na SK, dokonce byla v event logu hlaska, ze byl prekrocet pocet soubeznych TCP pripojemi ...

ComboFix bez vysledku

ComboFix 11-08-16.02 - Administrator 16.08.2011 18:19:37.1.1 - x86
Syst\UffffffffMicrosoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.479.222 [GMT 2:00]
Spu\Ufffffffft\Uffffffff z: c:\documents and settings\Administrator\Plocha\ComboFix.exe
AV: Microsoft Security ...

log z kaspersky


Status: Deleted (events: 1)
16.8.2011 16:39:46 Deleted Trojan program Trojan.Win32.Swisyn.bsct C:\Documents and Settings\Administrator\Plocha\OTL.exe High
Status: Detected (events: 2)
16.8.2011 16:46:53 Detected virus Virus.Win32.VB.ab C:\install\Automat.zip/Oinstsrv.exe High ...

Kaspersky antivirem jsem jiz testoval a bohuzel jsem nic nenasel. Za chvilku dodam log, ale nejspis bez nalezu.

extras.txt

OTL Extras logfile created on: 16.8.2011 15:36:31 - Run 1
OTL by OldTimer - Version 3.2.26.4 Folder = C:\Documents and Settings\Administrator\Plocha
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13 ...

olt.txt
OTL logfile created on: 16.8.2011 15:36:31 - Run 1
OTL by OldTimer - Version 3.2.26.4 Folder = C:\Documents and Settings\Administrator\Plocha
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000405 ...

Co konkretne udela program otl.exe po vlozeni skriptu?

Dekuji za pomoc, dole prikladam log

Logfile of random's system information tool 1.09 (written by random/random)
Run by Administrator at 2011-08-16 14:14:08
Syst\UffffffffMicrosoft Windows XP Professional Service Pack 3
System drive C: has 61 GB (80%) free of 76 GB
Total RAM: 479 MB (48% free ...

Dobry den, potreboval bych poradit. Pred dvema dny mi byl napaden PC wxp pomoci RDP. Od te doby mam ve vypisu nestat -ano aktivni odchozi spojeni na ruzne IP na portu 80 (podle whois se jedna i cinske servery). Podle PID procesu jsme zjisti, ze toto spojeni navazuje svchost.exe. Vyzkousel jsem jiz ...