pro Motji - Win srv 2003 a rootkit

[motji]

POčkejte, ten soubor tam je nebo není?
Já seomlouvám, ale k pc se dostanu zase až večer..

[dopa]

soubor tam je. S nulovou velikostí

JAsně, to je v pohodě..

[motji]

tohle znáte?
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = smedjorgensen.local





tento soubor znáte? Pokud ne, otestujte ho na www.virustotal.com
C:\msizap.exe

[dopa]

msizap.exe je čistý, ale nic mi to neříká..

klíč v registru. to si myslím, že je nějaká definice ohledně domény resp. active directory...

[motji]

Fajn, můžete si prosím ten soubor někde zazálohovat (do rar souboru, na flešku?ú. Já ho smažu.
Až budete moct restartovat počítač, proveďte tento skript



Spustte OTL
-do bílého okna dole skopírujte tento skript:

Kód: Vybrat vše

:OTL
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
DRV - File not found [File_System | Unknown | Running] -- -- (setup_9.0.0.722_13.12.2010_10-22drv)
DRV - File not found [Kernel | Unknown | Running] -- -- (80856892)
DRV - File not found [Kernel | Disabled | Running] -- C:\WINDOWS\System32\DRIVERS\80856891.sys -- (80856891)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - Startup: C:\Documents and Settings\Administrator\Nabídka Start\Programy\Po spuštění\GuildFTPd FTP Deamon.lnk = C:\Program Files\GuildFTPd\GuildFTPd.exe File not found
O4 - Startup: C:\Documents and Settings\Administrator\Nabídka Start\Programy\Po spuštění\setup_9.0.0.722_13.12.2010_10-22.lnk = F:\Virus Removal Tool1\setup_9.0.0.722_13.12.2010_10-22\startup.exe ()

:files
C:\WINDOWS\system32\*.tmp.dll /s
C:\WINDOWS\system32\SET*.tmp /s
C:\WINDOWS\*.tmp /s
C:\msizap.exe
 C:\WINDOWS\System32\-1

:commands
[emptytemp]
[EMPTYFLASH]
[Reboot]

-klikněte na tlačítko opravit.
-Následně se pc restartuje.
- Log vložte zde


Můžete nějak odzkoušet, zda ještě spamuje?

[dopa]

níže přikládám log. Přemýšlím, jak to vyzkoušet... ja meziím zakázal některé porty a open relay SMTP. nicméně server běžel i dosti pomalu. Ted, co tak namátkově "klikám", tak běží docela líp...


All processes killed
========== OTL ==========
No active process named explorer.exe was found!
Error: Unable to stop service setup_9.0.0.722_13.12.2010_10-22drv!
Service\Driver key setup_9.0.0.722_13.12.2010_10-22drv not found.
Error: Unable to stop service 80856892!
Service\Driver key 80856892 not found.
Error: Unable to stop service 80856891!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\80856891 deleted successfully.
File C:\WINDOWS\System32\DRIVERS\80856891.sys not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\UserFaultCheck not found.
C:\Documents and Settings\Administrator\Nabídka Start\Programy\Po spuštění\GuildFTPd FTP Deamon.lnk moved successfully.
C:\Documents and Settings\Administrator\Nabídka Start\Programy\Po spuštění\setup_9.0.0.722_13.12.2010_10-22.lnk moved successfully.
F:\Virus Removal Tool1\setup_9.0.0.722_13.12.2010_10-22\startup.exe moved successfully.
========== FILES ==========
File\Folder C:\WINDOWS\system32\*.tmp.dll not found.
File\Folder C:\WINDOWS\system32\SET*.tmp not found.
C:\WINDOWS\LMI14.tmp folder moved successfully.
C:\WINDOWS\SET11.tmp moved successfully.
C:\WINDOWS\SET12.tmp moved successfully.
C:\WINDOWS\SET13.tmp moved successfully.
C:\WINDOWS\SET27.tmp moved successfully.
C:\WINDOWS\SET3.tmp moved successfully.
C:\WINDOWS\SET4.tmp moved successfully.
C:\WINDOWS\SET7.tmp moved successfully.
C:\WINDOWS\SET8.tmp moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP17B.tmp folder moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1CD.tmp folder moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP27A.tmp folder moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP29C.tmp folder moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2AB.tmp folder moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP384.tmp folder moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3D3.tmp folder moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5B3.tmp folder moved successfully.
C:\WINDOWS\inf\005\MSExchangeOMA\tmpF79.tmp moved successfully.
C:\WINDOWS\inf\009\MSExchangeOMA\tmpF79.tmp moved successfully.
C:\WINDOWS\inf\inc\MSExchangeOMA\tmpF7A.tmp moved successfully.
C:\WINDOWS\Installer\MSI30.tmp moved successfully.
C:\WINDOWS\Installer\MSI42.tmp moved successfully.
C:\WINDOWS\Installer\MSI4A.tmp moved successfully.
C:\WINDOWS\Installer\MSI99B.tmp moved successfully.
C:\WINDOWS\system32\CONFIG.TMP moved successfully.
C:\WINDOWS\system32\inetsrv\ASP Compiled Templates\PID10740.TMP folder moved successfully.
C:\WINDOWS\Temp\bba100C.tmp moved successfully.
C:\WINDOWS\Temp\bba1051.tmp moved successfully.
C:\WINDOWS\Temp\bba1106.tmp moved successfully.
C:\WINDOWS\Temp\bba12E7.tmp moved successfully.
C:\WINDOWS\Temp\bba1634.tmp moved successfully.
C:\WINDOWS\Temp\bba1638.tmp moved successfully.
C:\WINDOWS\Temp\bba1CD8.tmp moved successfully.
C:\WINDOWS\Temp\bba1D4F.tmp moved successfully.
C:\WINDOWS\Temp\bba1FC7.tmp moved successfully.
C:\WINDOWS\Temp\bba2050.tmp moved successfully.
C:\WINDOWS\Temp\bba2086.tmp moved successfully.
C:\WINDOWS\Temp\bba20CB.tmp moved successfully.
C:\WINDOWS\Temp\bba2254.tmp moved successfully.
C:\WINDOWS\Temp\bba230B.tmp moved successfully.
C:\WINDOWS\Temp\bba2943.tmp moved successfully.
C:\WINDOWS\Temp\bba29A0.tmp moved successfully.
C:\WINDOWS\Temp\bba2C42.tmp moved successfully.
C:\WINDOWS\Temp\bba2C43.tmp moved successfully.
C:\WINDOWS\Temp\bba3073.tmp moved successfully.
C:\WINDOWS\Temp\bba307D.tmp moved successfully.
C:\WINDOWS\Temp\bba3107.tmp moved successfully.
C:\WINDOWS\Temp\bba3116.tmp moved successfully.
C:\WINDOWS\Temp\bba311A.tmp moved successfully.
C:\WINDOWS\Temp\bba312D.tmp moved successfully.
C:\WINDOWS\Temp\bba3152.tmp moved successfully.
C:\WINDOWS\Temp\bba316A.tmp moved successfully.
C:\WINDOWS\Temp\bba3190.tmp moved successfully.
C:\WINDOWS\Temp\bba336.tmp moved successfully.
C:\WINDOWS\Temp\bba358A.tmp moved successfully.
C:\WINDOWS\Temp\bba35AA.tmp moved successfully.
C:\WINDOWS\Temp\bba37DA.tmp moved successfully.
C:\WINDOWS\Temp\bba38B.tmp moved successfully.
C:\WINDOWS\Temp\bba3E13.tmp moved successfully.
C:\WINDOWS\Temp\bba435E.tmp moved successfully.
C:\WINDOWS\Temp\bba4BE5.tmp moved successfully.
C:\WINDOWS\Temp\bba4D71.tmp moved successfully.
C:\WINDOWS\Temp\bba4EE8.tmp moved successfully.
C:\WINDOWS\Temp\bba523A.tmp moved successfully.
C:\WINDOWS\Temp\bba526D.tmp moved successfully.
C:\WINDOWS\Temp\bba5288.tmp moved successfully.
C:\WINDOWS\Temp\bba54D9.tmp moved successfully.
C:\WINDOWS\Temp\bba54E4.tmp moved successfully.
C:\WINDOWS\Temp\bba54EB.tmp moved successfully.
C:\WINDOWS\Temp\bba54FD.tmp moved successfully.
C:\WINDOWS\Temp\bba5622.tmp moved successfully.
C:\WINDOWS\Temp\bba562A.tmp moved successfully.
C:\WINDOWS\Temp\bba57DC.tmp moved successfully.
C:\WINDOWS\Temp\bba5A69.tmp moved successfully.
C:\WINDOWS\Temp\bba5A71.tmp moved successfully.
C:\WINDOWS\Temp\bba5A81.tmp moved successfully.
C:\WINDOWS\Temp\bba5F6C.tmp moved successfully.
C:\WINDOWS\Temp\bba5F77.tmp moved successfully.
C:\WINDOWS\Temp\bba67AD.tmp moved successfully.
C:\WINDOWS\Temp\bba69D3.tmp moved successfully.
C:\WINDOWS\Temp\bba69EF.tmp moved successfully.
C:\WINDOWS\Temp\bba6A5B.tmp moved successfully.
C:\WINDOWS\Temp\bba6BA2.tmp moved successfully.
C:\WINDOWS\Temp\bba6D17.tmp moved successfully.
C:\WINDOWS\Temp\bba6D1F.tmp moved successfully.
C:\WINDOWS\Temp\bba6EF.tmp moved successfully.
C:\WINDOWS\Temp\bba745C.tmp moved successfully.
C:\WINDOWS\Temp\bba7460.tmp moved successfully.
C:\WINDOWS\Temp\bba749C.tmp moved successfully.
C:\WINDOWS\Temp\bba76CA.tmp moved successfully.
C:\WINDOWS\Temp\bba79CF.tmp moved successfully.
C:\WINDOWS\Temp\bba81EF.tmp moved successfully.
C:\WINDOWS\Temp\bba86D2.tmp moved successfully.
C:\WINDOWS\Temp\bba86DC.tmp moved successfully.
C:\WINDOWS\Temp\bba89AD.tmp moved successfully.
C:\WINDOWS\Temp\bba8C86.tmp moved successfully.
C:\WINDOWS\Temp\bba8CF1.tmp moved successfully.
C:\WINDOWS\Temp\bba8CFA.tmp moved successfully.
C:\WINDOWS\Temp\bba8CFE.tmp moved successfully.
C:\WINDOWS\Temp\bba8FDB.tmp moved successfully.
C:\WINDOWS\Temp\bba9BE1.tmp moved successfully.
C:\WINDOWS\Temp\bbaA53E.tmp moved successfully.
C:\WINDOWS\Temp\bbaA554.tmp moved successfully.
C:\WINDOWS\Temp\bbaAD5.tmp moved successfully.
C:\WINDOWS\Temp\bbaC84.tmp moved successfully.
C:\WINDOWS\Temp\bbaEE63.tmp moved successfully.
C:\WINDOWS\Temp\bbaF7F3.tmp moved successfully.
C:\WINDOWS\Temp\UPD34.tmp moved successfully.
C:\msizap.exe moved successfully.
C:\WINDOWS\System32\-1 moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 2010262 bytes
->Temporary Internet Files folder emptied: 949277 bytes
->Java cache emptied: 63104043 bytes
->FireFox cache emptied: 56726339 bytes
->Flash cache emptied: 759 bytes

User: All Users

User: blackberry
->Temp folder emptied: 66688 bytes
->Temporary Internet Files folder emptied: 388176 bytes
->Java cache emptied: 49674868 bytes
->FireFox cache emptied: 46332898 bytes
->Flash cache emptied: 446 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 104843 bytes
->Temporary Internet Files folder emptied: 402 bytes

User: SBS Backup User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1967134 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 211,00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: blackberry
->Flash cache emptied: 0 bytes

User: Default User

User: LocalService

User: NetworkService

User: SBS Backup User

Total Flash Files Cleaned = 0,00 mb


OTL by OldTimer - Version 3.2.17.3 log created on 12142010_203006

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\blackberry\Local Settings\Temp\hsperfdata_blackberry\9056 not found!

Registry entries deleted on Reboot...

[motji]

Víte kdy ten spam odcházel? Většinou odchází denně ve stejnou dobu.
Vyzkoušejte to, jinak na to nepřijdeme

[dopa]

Dobrá dobrá.. zkusím to nějak vyzkoušet...

[dopa]

tak jsem to nemusel ani zkoušet a IP adresa je znova na blacklistu.

[JaRon]

citat: ja meziím zakázal některé porty a open relay SMTP
nuz mat na serveri povolene open relay je hruba nezodpovednost ,,, aj kvoli tomu si sa mohol dostat na BL, vymazanie niektorych zaznamov BL trva dlhsie zvacsa 7 dni,,,

[dopa]

To samozřejmě souhlasím. Open relay jsem zakázal ještě dřív, než se dostal na blacklist. Trvá to většinou pár hodin.
nicméně toto je vada Win serverů. Defaultně při instalaci mají open relay a povolené skoro všechny porty, jak dovnitř, tak ven..Tento server jsem začal spravovat až poté, co se dostal jednou na blacklist a správa se přesunula pode mě. takže toto bylo první, co mě dostalo na kolena..
i přes open relay, zakázané porty, odesílání přes SSL, stejně počítač SPAMuje.

[JaRon]

skus teda pohladaj rootkit http://www.antirootkit.com/software/index.htm
doporucujem produkty od AVG, Avira, Sophos >> pre zaciatok ,,,

[dopa]

tak jediný, co šel spustit, byl spohos, ale hned při startu hodil chyby -

Warning: Failed to read the complete raw process list. Process scan may not be supported on this version of Windows.
Nepřípustný přístup k paměťovému místu.

Warning: Failed to read kernel process handle list. Process scan may not be supported on this version of Windows.

Error: Failed to read raw process list by any method. Process scan may not be supported on this version of Windows.

[JaRon]

Sophos by mal fungovat ,,,
no tam bude treba iba skusat napr. http://www.antirootkit.com/software/F-S ... t-Beta.htm
+
http://www.techmixer.com/mcafee-rootkit ... t-remover/
dost malo utilit bezi na serveroch ,,,