
PC disinfection, speeding up your computer, remote assistance via the neslape.cz service
ROOTKIT again
Moderator: Moderators
Forum rules
If you want help, post a log from FRST [guide here] or RSIT [guide here]
Individual threads will be locked once resolved, as will those that have been inactive for more than 14 days. See the rule on locking topics. Thank you for your understanding.
!NEWS!
A remote assistance service is now available: a specialist connects to your computer and gets further details about the problem from you by phone. More at www.neslape.cz
Re: ROOTKIT again
Use OTM, guide here - http://www.viry.cz/forum/viewtopic.php?f=15&t=72743
with this script:
Code:
:processes
explorer.exe
game.exe
:files
C:\Program Files\game.exe
:commands
[emptytemp]
[start explorer]
[reboot]
Then describe the state of the PC.
Autoruns + HitmanPro + UPM + Avenger + GMER + OTM + AVPTool + RSIT + RootRepeal
________________________________________________________________________________________
AN UPDATED ANTIVIRUS AND A PERSONAL FIREWALL ARE TWO ESSENTIAL PROTECTIVE COMPONENTS OF EVERY PC CONNECTED TO THE INTERNET!!!
BY BACKING UP YOUR PERSONAL DATA YOU WON'T LOSE IT IN CASE OF FATAL SOFTWARE OR HARDWARE PROBLEMS!!
DO NOT USE COMBOFIX ON YOUR OWN, ONLY WHEN YOU ARE ASKED TO. INCORRECT HANDLING CAN RENDER THE SYSTEM UNUSABLE!
___________________________________________________________
----------------------earl@forum.viry.cz-----------------------
Re: ROOTKIT again
All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
No active process named game.exe was found!
========== FILES ==========
C:\Program Files\game.exe moved successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Opera cache emptied: 0 bytes
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
User: user
->Temp folder emptied: 123403 bytes
->Temporary Internet Files folder emptied: 72194 bytes
->Java cache emptied: 13690431 bytes
->Opera cache emptied: 0 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16384 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 446882096 bytes
Total Files Cleaned = 440,00 mb
OTM by OldTimer - Version 3.1.6.0 log created on 01202010_093434
Files moved on Reboot...
Registry entries deleted on Reboot...
Re: ROOTKIT again
How is the PC behaving now?
Re: ROOTKIT again
Hi, the PC is OK for now. I don't want to keep bothering you, we'll see later. Thanks for everything so far.

Re: ROOTKIT again
Finish cleaning the PC following the procedure I gave in earlier posts (Run - Combofix /Uninstall - Enter, CCleaner).
You're welcome, we're here if you need us.

Re: ROOTKIT again
Hi, I just want to ask: my son bought a game and during installation he got the message
the InstallShield engine Ikernel.exe could not be launched
Provádění serveru selhalo (server execution failed)
Can anything be done about it? I tried installing other things and the message is the same.
Re: ROOTKIT again
What game is it?
With which other software did this happen during installation?
What firewall and antispyware do you have? (if any)
Re: ROOTKIT again
star wars GAME
firewall COMODO BUT DURING THE INSTALLATION EVERYTHING WAS TURNED OFF
Re: ROOTKIT again
programs can be installed, but no game can
Re: ROOTKIT again
For this it will be best to turn to a specialised gaming forum, e.g.
http://www.level.cz/default.asp?page=ar ... ah&LID=191
http://bonusweb.idnes.cz/
Re: ROOTKIT again
so I'm back again, comodo found Virut in NET FRAMEWORK 1.1 CONFIG WIZARDS EXE
THE COMPUTER STARTED FREEZING EVERY 10 SECONDS

Re: ROOTKIT again
Find the file in question using the Search function and test it on VirusTotal. Paste the link here.
Do a complete scan with AVPTool,
follow the guide exactly; when choosing the action, leave "disinfect"; paste the contents of the log here.
Download DDS and save it to the desktop.
Close all open windows and run the program, accept the licence terms and follow the instructions. The scan will begin.
When it finishes, it should create 2 logs, so Notepad will open twice. One log will be named DDS.txt and the other attach.txt.
Copy only DDS.txt here.
If anything is unclear, guide here
Re: ROOTKIT again
here is the dds log
DDS (Ver_09-12-01.01) - NTFSx86
Run by user at 21:39:50,82 on st 03.02.2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1250.420.1029.18.511.273 [GMT 1:00]
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
AV: AVG *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\USB TV\EM28XX\BDARemote.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\opera.exe
C:\Documents and Settings\user\Dokumenty\kikikikikikikikikikikiiá\dds.scr
============== Pseudo HJT Report ===============
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com
uStart Page = about:blank
mDefault_Search_URL = hxxp://www.google.com
mSearch Page = hxxp://www.google.com
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://www.google.com/ie
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
StartupFolder: c:\docume~1\alluse~1\nabdka~1\programy\posput~1\bdarem~1.lnk - c:\program files\usb tv\em28xx\BDARemote.exe
uPolicies-explorer: NoResolveTrack = 1 (0x1)
mPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
TCP: {7E1B775D-FB9F-4945-8B6B-60D8BA4F52C7} = 10.1.1.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-27 64160]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-4-21 134344]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-4-21 723632]
R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [2010-2-3 45696]
R3 PSched;Plánovač paketů technologie QoS;c:\windows\system32\drivers\psched.sys [2008-4-14 69120]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
=============== Created Last 30 ================
2010-02-03 19:50:45 56960 ----a-w- c:\windows\system32\drivers\ousb2hub.sys
2010-02-03 19:50:45 45696 ----a-w- c:\windows\system32\drivers\ousbehci.sys
2010-02-03 19:50:44 0 d-----w- c:\windows\Drivers
2010-02-03 10:35:17 5635494 ----a-w- c:\windows\REGBK08.ZIP
2010-02-03 10:35:14 0 d---a-w- c:\windows\system32\runouce.exe
2010-02-03 10:31:42 28 ----a-w- c:\windows\Lic.xxx
2010-02-03 10:31:25 626688 ----a-w- c:\windows\system32\msvcr80.dll
2010-02-03 10:31:23 548864 ----a-w- c:\windows\system32\msvcp80.dll
2010-02-03 10:31:19 147968 ----a-w- c:\windows\REGEDIT.COM
2010-02-03 10:31:19 147968 ----a-w- c:\windows\R.COM
2010-02-03 10:31:19 137216 ----a-w- c:\windows\system32\TASKMGR.COM
2010-02-03 10:31:19 137216 ----a-w- c:\windows\system32\T.COM
2010-02-03 10:31:18 0 d-----w- c:\program files\common files\MicroWorld
2010-02-03 10:31:15 0 d-----w- c:\docume~1\alluse~1\dataap~1\MicroWorld
2010-02-02 12:17:41 0 d-----w- c:\program files\MultiRes
2010-02-02 12:16:30 451072 ----a-w- c:\windows\Radeon Omega Drivers v2.6.87 Uninstall.exe
2010-02-02 12:16:30 0 d-----w- c:\program files\Radeon Omega Drivers
2010-02-02 09:38:45 520192 ------w- c:\windows\system32\ati2sgag.exe
2010-02-02 09:24:00 0 d-----w- c:\program files\USB TV
2010-02-01 19:38:41 0 d-----w- c:\docume~1\alluse~1\dataap~1\KONAMI
2010-02-01 19:25:25 0 d-----w- c:\program files\KONAMI
2010-01-30 18:26:00 0 d--h--w- c:\windows\msdownld.tmp
2010-01-30 18:16:37 0 d-----w- C:\04e20b3a18f427c1f989a64a53
2010-01-29 09:38:57 262144 ----a-w- c:\windows\system32\wrap_oal.dll
2010-01-29 09:38:56 86016 ----a-w- c:\windows\system32\OpenAL32.dll
2010-01-29 09:34:41 6173 ----a-w- c:\windows\system32\drivers\Entech.vxd
2010-01-29 09:34:41 5632 ----a-w- c:\windows\system32\drivers\Entech64.sys
2010-01-29 09:34:41 21664 ----a-w- c:\windows\system32\drivers\Entech.sys
2010-01-29 09:34:39 0 d-----w- c:\windows\system32\Futuremark
2010-01-25 09:19:16 0 d-----w- c:\program files\Ares
2010-01-24 15:37:52 693 ----a-w- c:\windows\eReg.dat
2010-01-24 15:34:13 0 d-----w- c:\program files\GameSpy Arcade
2010-01-24 14:15:20 0 d-----w- c:\program files\LucasArts
2010-01-24 11:55:07 0 d-----w- c:\program files\EA GAMES
2010-01-24 09:35:57 7069696 ----a-w- c:\documents and settings\user\ntuser.dat.rctemp
2010-01-24 07:45:25 620 ----a-w- c:\windows\RegGenie.ini
2010-01-24 06:28:02 0 d-----w- c:\program files\Yamicsoft
2010-01-23 12:41:47 0 d-----w- c:\docume~1\user\dataap~1\Uniblue
2010-01-23 08:45:43 5394529 ----a-w- c:\windows\REGBK07.ZIP
2010-01-22 14:44:29 0 d--h--w- c:\windows\$hf_mig$
2010-01-17 15:52:48 835584 ----a-w- c:\windows\system32\NCTAudioCDGrabber2.dll
2010-01-17 15:52:48 348160 ----a-w- c:\windows\system32\NCTWMAFile2.dll
2010-01-17 15:52:48 1986560 ----a-w- c:\windows\system32\NCTAudioFile2.dll
2010-01-17 15:52:48 113486 ----a-w- c:\windows\system32\NCTWMAProfiles.prx
2010-01-17 15:52:47 344064 ----a-w- c:\windows\system32\msvcr70.dll
2010-01-17 15:52:47 1212416 ----a-w- c:\windows\system32\NCTAudioInformation2.dll
2010-01-17 15:52:45 237568 ----a-w- c:\windows\system32\lame_enc.dll
2010-01-17 15:52:42 0 d-----w- c:\program files\Free Mp3WmaOgg Converter
2010-01-17 14:26:36 0 d-----w- c:\program files\Euro Truck Simulator
2010-01-14 11:49:59 77312 ----a-w- c:\windows\MBR.exe
2010-01-06 12:46:01 0 d-----w- c:\program files\unite
2010-01-06 12:46:01 0 d-----w- c:\program files\ui
2010-01-06 12:46:01 0 d-----w- c:\program files\styles
2010-01-06 12:46:01 0 d-----w- c:\program files\skin
2010-01-06 12:46:01 0 d-----w- c:\program files\program
2010-01-06 12:46:01 0 d-----w- c:\program files\extra
2010-01-06 12:46:01 0 d-----w- c:\program files\defaults
2010-01-06 12:23:40 0 d-----w- c:\program files\locale
==================== Find3M ====================
2010-02-02 11:42:47 171552 ----a-w- c:\windows\system32\guard32.dll
2010-02-02 11:42:46 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-02-02 11:42:46 134344 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2010-01-30 18:16:07 91866 ----a-w- c:\windows\system32\perfc005.dat
2010-01-30 18:16:07 469558 ----a-w- c:\windows\system32\perfh005.dat
2010-01-07 15:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 15:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 12:46:09 209 ----a-w- c:\program files\operaprefs_default.ini
2009-12-27 12:53:50 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-12-21 19:08:42 916480 ------w- c:\windows\system32\wininet.dll
2009-12-11 19:11:59 5466642 ----a-w- c:\windows\REGBK06.ZIP
2009-11-20 18:11:28 15828 ----a-w- c:\program files\license.rtf
2009-11-20 18:01:18 832296 ----a-w- c:\program files\opera.exe
2009-11-20 18:01:16 4450088 ----a-w- c:\program files\opera.dll
2009-11-20 18:00:24 653419 ----a-w- c:\program files\encoding.bin
2009-11-13 08:51:34 29512 ----a-w- c:\windows\system32\TURegOpt.exe
2009-06-17 13:41:58 3870 ----a-w- c:\program files\lngcode.txt
2008-06-09 09:17:20 301 ----a-w- c:\program files\c3nform.vxml
2004-06-10 12:13:53 40960 ----a-w- c:\program files\owcsetup.dll
2004-04-29 12:36:58 40960 ----a-w- c:\program files\owsetup1.dll
2004-02-26 12:35:04 7904 ----a-w- c:\program files\html40_entities.dtd
============= FINISH: 21:41:21,20 ===============
Re: ROOTKIT again
The PC freezes because you have two antiviruses installed.
Uninstall AVG; COMODO IS already includes an antivirus.
:arrow: Test on VIRUSTOTAL and JOTTISCAN:
c:\windows\RegGenie.ini
(simple guide: after the page loads, click the Browse button, find the path to the file mentioned above and click Send file; give the scanners about ten minutes; paste the results here)
If the scanner says the file has already been tested, have it tested again.
:arrow: And the log from AVPTool?
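An added example, not code from the thread, from DDS or from its author: a small Python triage script that reads a DDS log the way the helper does in the post above. It pulls the `AV:` header lines and reports the checks that drive the diagnosis (more than one antivirus registered, which is the freeze cause given above; on-access scanning disabled; signatures outdated), lists running processes outside the usual Windows/Program Files trees, and collects executables created under the Windows tree in the last 30 days as candidates for a multi-engine scan. The DDS excerpt inside it is constructed from the log in this thread; every function name is this example's own.

```python
"""Triage a DDS log the way the helper in this thread reads it.
Added example, not code from the forum, DDS or its author. SAMPLE_DDS is a
constructed excerpt of the thread's log; all function names are this example's own."""
import re

# Constructed DDS excerpt: header AV lines plus two trimmed sections.
SAMPLE_DDS = """\
DDS (Ver_09-12-01.01) - NTFSx86
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
AV: AVG *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\\WINDOWS\\system32\\svchost.exe -k netsvcs
C:\\Program Files\\COMODO\\COMODO Internet Security\\cfp.exe
C:\\Program Files\\opera.exe
C:\\Documents and Settings\\user\\Dokumenty\\dds.scr
=============== Created Last 30 ================
2010-02-03 10:35:14 0 d---a-w- c:\\windows\\system32\\runouce.exe
2010-02-03 10:31:19 147968 ----a-w- c:\\windows\\REGEDIT.COM
2010-01-24 07:45:25 620 ----a-w- c:\\windows\\RegGenie.ini
2010-01-17 15:52:45 237568 ----a-w- c:\\windows\\system32\\lame_enc.dll
==================== Find3M ====================
"""

AV_RE = re.compile(r"^AV:\s+(?P<name>.+?)\s+\*(?P<onaccess>[^*]+)\*\s+\((?P<state>Updated|Outdated)\)")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (\d+) (\S{8}) (.+)$")
WINDOWS, PROGRAM_FILES = "c:\\windows\\", "c:\\program files\\"
BINARY_EXT = (".exe", ".com", ".dll", ".sys", ".scr")


def parse_av_lines(log):
    """Each registered antivirus as (name, on_access_enabled, updated)."""
    products = []
    for m in filter(None, map(AV_RE.match, log.splitlines())):
        products.append((m.group("name"),
                         "disabled" not in m.group("onaccess").lower(),
                         m.group("state") == "Updated"))
    return products


def av_findings(products):
    """Two resident scanners side by side is the freeze cause given in this thread."""
    findings = []
    if len(products) > 1:
        findings.append("multiple antivirus products registered (%s); keep only one"
                        % ", ".join(name for name, _, _ in products))
    for name, on_access, updated in products:
        if not on_access:
            findings.append(f"{name}: on-access scanning disabled")
        if not updated:
            findings.append(f"{name}: signatures outdated")
    return findings


def section(log, header):
    """Lines between the '=== header ===' banner and the next banner."""
    out, inside = [], False
    for line in log.splitlines():
        if line.startswith("="):
            inside = header.lower() in line.lower()
        elif inside:
            out.append(line)
    return out


def unusual_process_paths(log):
    """Processes outside the Windows/Program Files trees or sitting directly in
    the Program Files root; entries without a path (bare svchost.exe) are skipped."""
    flagged = []
    for line in section(log, "Running Processes"):
        path = line.split(" -k ")[0].strip().lower()   # drop svchost service-group args
        if "\\" not in path:
            continue
        in_expected = path.startswith((WINDOWS, PROGRAM_FILES))
        in_pf_root = path.startswith(PROGRAM_FILES) and path.count("\\") == 2
        if not in_expected or in_pf_root:
            flagged.append(line.strip())
    return flagged


def recent_system_binaries(log):
    """Executables created under the Windows tree in the last 30 days: the
    candidates a helper sends to a multi-engine scanner, as this thread does."""
    hits = []
    for m in filter(None, map(CREATED_RE.match, section(log, "Created Last 30"))):
        date, size, attrs, path = m.groups()
        if attrs.startswith("d"):   # directory entry, not a file
            continue
        if path.lower().startswith(WINDOWS) and path.lower().endswith(BINARY_EXT):
            hits.append((date, int(size), path))
    return hits


def triage(log):
    return {"av": av_findings(parse_av_lines(log)),
            "processes": unusual_process_paths(log),
            "recent_binaries": recent_system_binaries(log)}


if __name__ == "__main__":
    for key, items in triage(SAMPLE_DDS).items():
        print(f"[{key}]", *items, sep="\n  ")
```

Run it as a script to see the three finding groups for the embedded excerpt; point `triage()` at the text of a real DDS.txt to use it on a posted log. A process in the Program Files root or a recently created binary is only a candidate for a closer look (a hash lookup or a multi-engine scan), not a verdict; the AV findings are the part that maps directly onto the helper's diagnosis.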