Samovolné posílání spamu přes facebook chat

[rada85]

Prosím o pomoc, facebook mě samovolně odesílám přátelům přes chat zprávy ve tvaru (Foto http://apps.facebook.com/valentinsc/pho ... 0084297259)

Díky za pomoc

[Rudy]

Dejte log z RSIT: http://www.viry.cz/forum/viewtopic.php?f=13&t=105895 .

[rada85]

Logfile of random's system information tool 1.08 (written by random/random)
Run by User at 2011-03-25 19:27:27
Systém Microsoft Windows XP Professional Service Pack 3
System drive C: has 89 GB (89%) free of 100 GB
Total RAM: 2046 MB (74% free)

HijackThis download failed

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-09-22 75200]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2010-07-06 98304]
"ATICustomerCare"=C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe [2010-03-04 311296]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2009-12-08 18789920]
"nod32kui"=C:\Program Files\Eset\nod32kui.exe [2011-01-05 949376]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2005-12-07 30208]
"LanguageShortcut"=C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2006-04-13 49152]
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe [2007-03-01 153136]
"NBKeyScan"=C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe [2007-09-20 1836328]
"UpdateReminder"=C:\Program Files\Eset\UpdateReminder.exe [2011-01-05 434176]
"NVIDIA driver monitor"=c:\windows\nvsvc32.exe [2011-03-18 80896]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2011-01-31 35760]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-09-20 932288]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe [2007-09-20 202024]
"NVIDIA driver monitor"=c:\windows\nvsvc32.exe [2011-03-18 80896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2010-07-07 159744]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\96T8XG42\facebook-pic00320123561[1].exe"="c:\windows\nvsvc32.exe:*:Enabled:NVIDIA driver monitor"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2011-03-25 19:27:27 ----D---- C:\rsit
2011-03-25 19:27:27 ----D---- C:\Program Files\trend micro
2011-03-23 07:28:35 ----D---- C:\Program Files\Adobe
2011-03-23 07:28:18 ----SHD---- C:\Config.Msi
2011-03-18 17:25:04 ----RSH---- C:\WINDOWS\nvsvc32.exe

======List of files/folders modified in the last 1 months======

2011-03-25 19:27:27 ----RD---- C:\Program Files
2011-03-25 19:27:13 ----D---- C:\WINDOWS\Prefetch
2011-03-25 18:48:29 ----D---- C:\WINDOWS\system32\CatRoot2
2011-03-25 18:47:58 ----D---- C:\WINDOWS\Temp
2011-03-25 18:47:44 ----D---- C:\WINDOWS\system32\config
2011-03-25 18:32:47 ----A---- C:\WINDOWS\SchedLgU.Txt
2011-03-25 18:32:35 ----D---- C:\Program Files\ESET
2011-03-23 16:00:55 ----A---- C:\WINDOWS\NeroDigital.ini
2011-03-23 07:29:36 ----SHD---- C:\WINDOWS\Installer
2011-03-23 07:29:02 ----D---- C:\WINDOWS\system32
2011-03-23 07:28:44 ----D---- C:\Program Files\Common Files\Adobe
2011-03-23 07:28:42 ----D---- C:\Documents and Settings\All Users\Data aplikací\Adobe
2011-03-20 19:28:42 ----D---- C:\WINDOWS\Network Diagnostic
2011-03-18 17:25:38 ----D---- C:\WINDOWS
2011-03-16 14:05:40 ----SD---- C:\Documents and Settings\User\Data aplikací\Microsoft
2011-03-12 12:32:44 ----HD---- C:\WINDOWS\inf
2011-03-09 13:25:18 ----HD---- C:\WINDOWS\$hf_mig$

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Řadič procesoru Intel; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 40192]
R1 nod32drv;nod32drv; C:\WINDOWS\system32\drivers\nod32drv.sys [2011-01-05 15424]
R1 WS2IFSL;Podpůrné prostředí zprostředkovatele služeb Windows Socket 2.0 bez podpory IFS; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-18 12032]
R2 AMON;AMON; C:\WINDOWS\system32\drivers\amon.sys [2011-01-05 512096]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2010-07-07 5069312]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service; C:\WINDOWS\system32\drivers\AtihdXP3.sys [2010-11-17 101904]
R3 HDAudBus;Ovladač Microsoft UAA pro sběrnici High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2009-12-08 6017568]
R3 ip100xp;ASUS NX1001 Network Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\ipfnd51.sys [2006-03-27 26752]
R3 usbstor;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Ovladač Microsoft univerzálního hostitelského řadiče USB od společnosti Microsoft; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 Ambfilt;Ambfilt; C:\WINDOWS\system32\drivers\Ambfilt.sys [2009-11-18 1691480]
S3 HidUsb;Ovladač třídy standardu HID; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 Monfilt;Monfilt; C:\WINDOWS\system32\drivers\Monfilt.sys [2009-11-18 1395800]
S3 mouhid;Ovladač myši standardu HID; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-10-24 12160]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2010-07-07 602112]
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3; C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe [2007-09-20 853288]
R2 NOD32krn;NOD32 Kernel Service; C:\Program Files\Eset\nod32krn.exe [2011-01-05 552064]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared files\RichVideo.exe [2006-10-31 167936]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
R3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe [2007-09-20 382248]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]

-----------------EOF-----------------

[Rudy]

Vidím min. 1 trojáka. Dejte log z ComboFix.

Stahnete a ulozte nejlepe na plochu ComboFix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

pote spustte aplikaci pod uctem s administratorskym opravnenim

hned po startu se zobrazi obrazovka s licencnimi podminkami, pokracujte kliknutim na tlacitko Ano.

v klidu si postavte na kafe (cela akce trva cca. 5-10 minut, nekdy i dele - dle toho, o jak rychly stroj se jedna a kolika soubory se skener bude muset prodirat), behem skenu se nepokousejte spoustet zadne jine aplikace ani nic jineho

behem skenovani nepropadejte panice, vas stroj muze byt restartovan (predevsim pri prvni aplikaci skeneru)

upozorneni: pokud pouzivate antispyware s rezidentnim stitem, prepnete jeho rezidentni stit do Install Mode, pripadne jej po dobu skenu uplne deaktivujte, protoze dochazi pri skenu a vymazu pripadneho malware k nezadoucim kolizim s rezidentem antispyware

[rada85]

ComboFix 11-03-24.06 - User 25.03.2011 20:41:46.1.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.2046.1491 [GMT 1:00]
Spuštěný z: c:\documents and settings\User\Plocha\ComboFix.exe
* Rezidentní štít AV je zapnutý
.
.
VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\ntdll.dl
c:\windows\nvsvc32.exe
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2011-02-25 do 2011-03-25 )))))))))))))))))))))))))))))))
.
.
2011-03-25 18:27 . 2011-03-25 18:27 -------- d-----w- C:\rsit
2011-03-25 18:27 . 2011-03-25 18:27 -------- d-----w- c:\program files\trend micro
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-10 16:56 . 2011-01-10 16:56 737280 ----a-w- c:\windows\iun6002.exe
2011-01-05 07:17 . 2011-01-05 07:17 512096 ----a-w- c:\windows\system32\drivers\amon.sys
2011-01-05 07:17 . 2011-01-05 07:17 298104 ----a-w- c:\windows\system32\imon.dll
2011-01-05 07:17 . 2011-01-05 07:17 15424 ----a-w- c:\windows\system32\drivers\nod32drv.sys
.
.
------- Sigcheck -------
.
[-] 2008-06-15 . FA8C867F90782BAFA2CA39CC9BA36FDD . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 202024]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-07-06 98304]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-03-04 311296]
"RTHDCPL"="RTHDCPL.EXE" [2009-12-08 18789920]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2011-01-05 949376]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 30208]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 49152]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"UpdateReminder"="c:\program files\Eset\UpdateReminder.exe" [2011-01-05 434176]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2009-03-08 128512]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [5.1.2011 8:17 15424]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [5.1.2011 8:09 101904]
R3 ip100xp;ASUS NX1001 Network Adapter NT Driver;c:\windows\system32\drivers\ipfnd51.sys [4.1.2011 16:15 26752]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [4.1.2011 16:27 1691480]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-25 20:43
Windows 5.1.2600 Service Pack 3 NTFS
.
skenování skrytých procesů ...
.
skenování skrytých položek 'Po spuštění' ...
.
skenování skrytých souborů ...
.
sken byl úspešně dokončen
skryté soubory: 0
.
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Knihovny navázané na běžící procesy ---------------------
.
- - - - - - - > 'winlogon.exe'(572)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'lsass.exe'(628)
c:\windows\system32\imon.dll
c:\program files\Eset\pr_imon.dll
.
Celkový čas: 2011-03-25 20:44:08
ComboFix-quarantined-files.txt 2011-03-25 19:44
.
Před spuštěním: Volných bajtů: 92 899 528 704
Po spuštění: Volných bajtů: 93 667 303 424
.
- - End Of File - - E055E3EB551A7B1797BA0E3CF2D92C7B

[Rudy]

2 infikované položky CF smazal. Zbytek logu vypadá čistý. Nastala nějaká změna?