Prosim o kontrolu logu, udajne muj ntb zatezuje sit.

[vyosek]

Stahnete SPTD http://www.duplexsecure.com/en/downloads

• Vyberte z uvedene stranky verzi dle sveho operacniho systemu (32(x86)bit ci 64(x64)bit)
• Ulozte na plochu a spustte
• Zvolte moznost Uninstall a restartujte PC - pokud nepujde kliknout (tlacitko bude sede), krok preskocte

Stahnete Defogger http://www.jpshortstuff.247fixes.com/Defogger.exe

• Ulozte na plochu a spustte
• Kliknete na Disable a restartujte PC - pokud nepujde kliknout (tlacitko bude sede), krok preskocte

Stahnete MBR na plochu http://www2.gmer.net/mbr/mbr.exe ale nespoustejte

Kliknete na Start a pote Spustit, pripadne pouzijte klavesou zkratku Win+R

• Vyskoci na Vas okenko, do ktereho zkopirujte text nize

• Kód: Vybrat vše

  "%userprofile%\Desktop\mbr" -t -s

• Kliknete na OK
• Na plose se Vam vytvori log s nazvem mbr.txt, jeho obsah mi sem vlozte

Dejte logy z Gmeru - viz muj podpis

[martybx]

sptd = unistal
deffoger = disable
log:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 20:23 on 19/04/2011 (marty)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...

mbr=log:
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601 Disk: WDC_WD5000BEVT-60ZAT1 rev.02.01A02 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys halmacpi.dll ataport.SYS PCIIDEX.SYS msahci.sys
C:\Windows\system32\DRIVERS\hpdskflt.sys Hewlett-Packard Mobile Data Protection System
1 ntkrnlpa!IofCallDriver[0x82E7F52F] -> \Device\Harddisk0\DR0[0x855928F0]
3 CLASSPNP[0x8B7A559E] -> ntkrnlpa!IofCallDriver[0x82E7F52F] -> [0x863E5870]
5 hpdskflt[0x8B757090] -> ntkrnlpa!IofCallDriver[0x82E7F52F] -> \Device\Ide\IdeDeviceP0T0L0-0[0x86303908]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
user & kernel MBR OK

gmer:log
GMER 1.0.15.15570 - http://www.gmer.net
Rootkit quick scan 2011-04-19 20:32:15
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000BEVT-60ZAT1 rev.02.01A02
Running: gmer.exe; Driver: C:\Users\marty\AppData\Local\Temp\kxtdikow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


preventivne delam v gmer i hlavni sken (pisou ze to muze trvat az dve hodky)

[vyosek]

Ten hlavni sken z gmeru je pro me nejdulezitejsi - muze trvat i pul hodky, ale mam zkusenost (a prozatim rekord) ze trval i sest hodin Je to nejdukladnejsi sken na rootkity, ktere mohou zpusobovat problem co mate...

[martybx]

prave skoncil:
GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-19 21:03:06
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000BEVT-60ZAT1 rev.02.01A02
Running: gmer.exe; Driver: C:\Users\marty\AppData\Local\Temp\kxtdikow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13C1 82E86339 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EBFD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x91835000, 0x2D5378, 0xE8000020]
.text peauth.sys 9EA23C9D 28 Bytes CALL D4267232
.text peauth.sys 9EA23CC1 28 Bytes CALL D4267256
PAGE peauth.sys 9EA29B9B 57 Bytes JMP 404F15C7
? C:\Users\marty\AppData\Local\Temp\mbr.sys Systém nemůže nalézt uvedený soubor. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1920] kernel32.dll!SetUnhandledExceptionFilter 76B43D01 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[4988] ntdll.dll!LdrLoadDll 773622B8 5 Bytes JMP 011F13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5152] USER32.dll!TrackPopupMenu 75972228 5 Bytes JMP 65DD2024 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000052 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:5632] 9EBB9F2E

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@Broadcom 802.11g \x2013 síťový adaptér 1?
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00247e8c5125
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00247e8c5125@444e1ad544f4 0xC0 0x4F 0x23 0x3C ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00247e8c5125@a00798314b6f 0x89 0xE0 0x3E 0xD8 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00247e8c5125@00124792d85b 0xC8 0x0C 0xE7 0xC5 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3E 0xFA 0x6F 0x49 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x43 0x57 0x2D 0x95 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x86 0x02 0x3D 0x52 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x8A 0x58 0xB5 0xE8 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42@ujdew 0x86 0x02 0x3D 0x52 ...
Reg HKLM\SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@Broadcom 802.11g \x2013 síťový adaptér 1?
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00247e8c5125 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00247e8c5125@444e1ad544f4 0xC0 0x4F 0x23 0x3C ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00247e8c5125@a00798314b6f 0x89 0xE0 0x3E 0xD8 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00247e8c5125@00124792d85b 0xC8 0x0C 0xE7 0xC5 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3E 0xFA 0x6F 0x49 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x43 0x57 0x2D 0x95 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x86 0x02 0x3D 0x52 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x8A 0x58 0xB5 0xE8 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42@ujdew 0x86 0x02 0x3D 0x52 ...

---- EOF - GMER 1.0.15 ----

[vyosek]

Gmer je taktez cisty...

Co presne Vam provider rikal, jak Vas ntb zahlcuje jeho sit

[martybx]

Notebook udajne blokuje porty 445 a 139. Udajne se tyto porty pouzivaji pro sdileni souboru a tiskaren. Kdyz se divam na okno: bezdratove pripojeni k siti - stav kde mi blikaji obrazovky v ikonce dvou pc , tak co chvili mi v odeslanych poctech bajtu poskoci o 1000 az 2000. zatimco prichozi se ani nepohne.
DODATEK: ted vecer jsem doma a tady je to OK :-O odchozi aktivita je nulova. Zvlastni. Uvidim rano v praci. Bud jsme to ted vecer vylecili, nebo v praci kde jsem na siti s ostatnimi pc se muj ntb probudi a zacne odesilat. Mozna fantaziruji ale vazne netusim co se deje.

[vyosek]

Kontaktujte firemniho IT technika, ten je na to placen a mel by se tim zabyvat...

[martybx]

bohuzel IT si dela sef (ma cca 5 pc + server) .
Jelikoz odstrihnuti netu znamenalo pad netu pro celou jeho firmu, tak mam zakaz se svym ntb se pripojovat do site.
Kdyz sem cely den byl odpojen od site, tak net sel.
Kdyz sem se podvecer pripojil, tak po pulhodine net byl odpojen providerem za zahlceni vyse uvedenych portu.
Zcela evidentne to dela muj ntb, (resil sem to telefonicky providerem, ktery mi potrvdil ze kdyz se pripojim na net zacno od nas odchazet data) a sef mi rekl, ze si to mam vyresit sam, nebot je to muj soukromy ntb.
Tak se o to snazim nebot chci byt online.
ted je zatim vse ok a zitra dam vedet. (preventivne si take pujcim i CDMA pro pripadne testovani) diky a dobrou noc

[vyosek]

Ok, tak zitra napiste

[martybx]

bohuzel v praci mi to dela neustale.
Tj. odesilaji se data ackoliv nemam nic spustene. cca 3000 bajtu za minutu a prichozi se ani nepohne.
Pockam este na CMDA a uvidim..

[martybx]

Takze to vypada ze jiz je problem odstranen.
Jak jiz to byva, tak chyba byla trivialni.
pomohl mi programek NETINFO ( http://netinfo.tsarfin.com/ )
Nyni popis:
V praci mam nastavenou automatickou IP adresu, a pro domacnost mam nastavenou alternativni pevnou IP adresu.
Toto je v poradku, avsak Netinfo mi ukazal ze i kdyz jsem v praci na firemnim netu , tak i presto mi wifi v ntb vola moji domaci IP adresu 192.168.11.5:445 , coz byl ten kamen urazu. Timto jsem zahltil port 445. Altzernativni IP jsem smazal, a pri nesledne tel. konzultaci s providerem, mi potvrdil ze mnou odesilane data ustaly i kdyz sem byl online na jejich netu.
Vyosek dekuji jeste jednou za pomoc a snad jiz to pojede v poradku.

[vyosek]

Nemate zac, na problem jste si prisel sam