
trojan Win32/Olmarik.KW - how to deal with it?

Posted: 11 Oct 2009 14:12
by Zdeni
Hi,
NOD is reporting a trojan: "Trojan horse Win32/Olmarik.KW found in operating memory! This file may be deleted. Before taking any action, make sure you have a backup of your important data. No action can be performed on an infection in memory. Click the Leave button and run a clean-up of all the computer's hard disks. The operating memory was infected from the file \\?\globalroot\systemroot\system32\gasfkyjboybmce.dll."
During the disk scan it then found another trojan, which it deleted and sent to Eset as a new sample, but the problem in operating memory is still the same.
Can anyone please advise how to deal with that pest Olmarik? ;)
ZD

Re: trojan Win32/Olmarik.KW - how to deal with it?

Posted: 11 Oct 2009 14:19
by pitimir
Hi :)

1) Download RootRepeal. Run the program, click "Report" -> "Scan" and tick all the items. Press "OK" and the scan will start. When it finishes, click "Save Report" and copy the resulting log here.

2) Download ComboFix, preferably to the desktop. Close all open applications, as well as the resident antivirus, antispyware and firewall. Run the program from an account with administrator rights and follow the instructions. The whole scan will take about 10 minutes. The PC may be restarted during it. The log that ComboFix creates can be found at "C:\ComboFix.txt".
Paste it here.

Warning: until ComboFix has created the log, don't click anything and don't press anything!!

Re: trojan Win32/Olmarik.KW - how to deal with it?

Posted: 11 Oct 2009 15:10
by Zdeni
Thanks a lot for your help!
I'm having trouble right away with RootRepeal: when I launch it, it reports: Could not read the boot sector. Try adjusting the disk access level in the options dialog. I click that away several times in a row, then the program starts up, but while the file scan is running, at the end of the last disk the system crashes, and after recovery it reports that a serious error occurred. During the analysis it marks several addresses on drive C (NOD reports one of them too). I tried running the scans for the individual items separately, and then they all complete with a result. Should I at least paste those individual results here? I've also just tried ticking everything except files, and this time the system crashed right away ;)
Otherwise the computer is disconnected from the network and I'm on another one now.

Re: trojan Win32/Olmarik.KW - how to deal with it?

Posted: 11 Oct 2009 15:33
by Zdeni
OK, so here are the individual results from RootRepeal:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/11 16:09
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 1
Status: Sector mismatch

Path: Volume C:\, Sector 2
Status: Sector mismatch

Path: Volume C:\, Sector 3
Status: Sector mismatch

Path: Volume C:\, Sector 4
Status: Sector mismatch

Path: Volume C:\, Sector 5
Status: Sector mismatch

Path: Volume C:\, Sector 6
Status: Sector mismatch

Path: Volume C:\, Sector 7
Status: Sector mismatch

Path: Volume C:\, Sector 8
Status: Sector mismatch

Path: Volume C:\, Sector 9
Status: Sector mismatch

Path: Volume C:\, Sector 10
Status: Sector mismatch

Path: Volume C:\, Sector 11
Status: Sector mismatch

Path: Volume C:\, Sector 12
Status: Sector mismatch

Path: Volume C:\, Sector 14
Status: Sector mismatch

Path: Volume C:\, Sector 15
Status: Sector mismatch

Path: Volume C:\, Sector 17
Status: Sector mismatch

Path: Volume C:\, Sector 18
Status: Sector mismatch

Path: Volume C:\, Sector 23
Status: Sector mismatch

Path: Volume C:\, Sector 24
Status: Sector mismatch

Path: Volume C:\, Sector 28
Status: Sector mismatch

Path: Volume C:\, Sector 29
Status: Sector mismatch

Path: Volume C:\, Sector 31
Status: Sector mismatch

Path: Volume C:\, Sector 32
Status: Sector mismatch

Path: Volume C:\, Sector 33
Status: Sector mismatch

Path: Volume C:\, Sector 34
Status: Sector mismatch

Path: Volume C:\, Sector 35
Status: Sector mismatch

Path: Volume C:\, Sector 36
Status: Sector mismatch

Path: Volume C:\, Sector 37
Status: Sector mismatch

Path: Volume C:\, Sector 38
Status: Sector mismatch

Path: Volume C:\, Sector 39
Status: Sector mismatch

Path: Volume C:\, Sector 40
Status: Sector mismatch

Path: Volume C:\, Sector 44
Status: Sector mismatch

Path: Volume C:\, Sector 45
Status: Sector mismatch

Path: Volume C:\, Sector 46
Status: Sector mismatch

Path: Volume C:\, Sector 47
Status: Sector mismatch

Path: Volume C:\, Sector 48
Status: Sector mismatch

Path: Volume C:\, Sector 53
Status: Sector mismatch

Path: Volume C:\, Sector 54
Status: Sector mismatch

Path: Volume C:\, Sector 56
Status: Sector mismatch

Path: Volume C:\, Sector 60
Status: Sector mismatch

Path: Volume C:\, Sector 61
Status: Sector mismatch

Path: Volume C:\, Sector 62
Status: Sector mismatch

Path: C:\WINDOWS\system32\gasfkyprqxodpk.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkydbewulvg.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkyholtokcd.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkyjboybmce.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkyosvpxgfl.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkyrctobcce.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkyyanbaimp.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\gasfkybqwgeett.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Zdenka\Data aplikací\StatSoft\STATISTICA\Automatické uložení: 00000DB0Tabulka2.sta
Status: Visible to the Windows API, but not on disk.

Path: Volume D:\
Status: MBR Rootkit Detected!

Path: Volume D:\, Sector 1
Status: Sector mismatch

Path: Volume D:\, Sector 2
Status: Sector mismatch

Path: Volume D:\, Sector 3
Status: Sector mismatch

Path: Volume D:\, Sector 4
Status: Sector mismatch

Path: Volume D:\, Sector 5
Status: Sector mismatch

Path: Volume D:\, Sector 6
Status: Sector mismatch

Path: Volume D:\, Sector 7
Status: Sector mismatch

Path: Volume D:\, Sector 8
Status: Sector mismatch

Path: Volume D:\, Sector 9
Status: Sector mismatch

Path: Volume D:\, Sector 13
Status: Sector mismatch

Path: Volume D:\, Sector 14
Status: Sector mismatch

Path: Volume D:\, Sector 17
Status: Sector mismatch

Path: Volume D:\, Sector 18
Status: Sector mismatch

Path: Volume D:\, Sector 19
Status: Sector mismatch

Path: Volume D:\, Sector 20
Status: Sector mismatch

Path: Volume D:\, Sector 21
Status: Sector mismatch

Path: Volume D:\, Sector 23
Status: Sector mismatch

Path: Volume D:\, Sector 24
Status: Sector mismatch

Path: Volume D:\, Sector 25
Status: Sector mismatch

Path: Volume D:\, Sector 26
Status: Sector mismatch

Path: Volume D:\, Sector 27
Status: Sector mismatch

Path: Volume D:\, Sector 28
Status: Sector mismatch

Path: Volume D:\, Sector 32
Status: Sector mismatch

Path: Volume D:\, Sector 33
Status: Sector mismatch

Path: Volume D:\, Sector 35
Status: Sector mismatch

Path: Volume D:\, Sector 36
Status: Sector mismatch

Path: Volume D:\, Sector 42
Status: Sector mismatch

Path: Volume D:\, Sector 43
Status: Sector mismatch

Path: Volume D:\, Sector 44
Status: Sector mismatch

Path: Volume D:\, Sector 45
Status: Sector mismatch

Path: Volume D:\, Sector 46
Status: Sector mismatch

Path: Volume D:\, Sector 47
Status: Sector mismatch

Path: Volume D:\, Sector 48
Status: Sector mismatch

Path: Volume D:\, Sector 49
Status: Sector mismatch

Path: Volume D:\, Sector 50
Status: Sector mismatch

Path: Volume D:\, Sector 51
Status: Sector mismatch

Path: Volume D:\, Sector 58
Status: Sector mismatch

Path: Volume D:\, Sector 59
Status: Sector mismatch

Path: Volume D:\, Sector 62
Status: Sector mismatch

==EOF==

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/11 16:18
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF1845000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8ACC000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP1924
Image Path: \Driver\PCI_PNP1924
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF0F95000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sphw.sys
Image Path: sphw.sys
Address: 0xF8414000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

==EOF==

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/11 16:19
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

==EOF==

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/11 16:19
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "sphw.sys" at address 0xf84150e0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sphw.sys" at address 0xf8433ca4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sphw.sys" at address 0xf8434032

#: 119 Function Name: NtOpenKey
Status: Hooked by "sphw.sys" at address 0xf84150c0

#: 160 Function Name: NtQueryKey
Status: Hooked by "sphw.sys" at address 0xf843410a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "sphw.sys" at address 0xf8433f8a

#: 247 Function Name: NtSetValueKey
Status: Hooked by "sphw.sys" at address 0xf843419c

==EOF==

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/11 16:21
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Stealth Objects
-------------------
Object: Hidden Module [Name: gasfkyrctobcce.dll]
Process: svchost.exe (PID: 864) Address: 0x00770000 Size: 24576

Object: Hidden Module [Name: gasfkyprqxodpk.dll]
Process: svchost.exe (PID: 864) Address: 0x10000000 Size: 57344

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x82158500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x82158500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x82158500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x82158500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x82158500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82158500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x82158500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x82158500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82158500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82158500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x82158500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x82158500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x82158500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82158500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82158500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x82158500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x82158500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x82158500 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_CREATE]
Process: System Address: 0x816c21f8 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_CLOSE]
Process: System Address: 0x816c21f8 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x816c21f8 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x816c21f8 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_POWER]
Process: System Address: 0x816c21f8 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x816c21f8 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_PNP]
Process: System Address: 0x816c21f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x822081f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x822081f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x822081f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x822081f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x822081f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x822081f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x822081f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x822081f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x822081f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x822081f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x822081f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x817cb1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x817cb1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x817cb1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x817cb1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x817cb1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x817cb1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x817cb1f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]
Process: System Address: 0x82157500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]
Process: System Address: 0x82157500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]
Process: System Address: 0x82157500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]
Process: System Address: 0x82157500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82157500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82157500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]
Process: System Address: 0x82157500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82157500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]
Process: System Address: 0x82157500 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x823df1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x823df1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x823df1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x823df1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x823df1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x823df1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x823df1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x823df1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x823df1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x823df1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x823df1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x816db368 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x816db368 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x816db368 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x816db368 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x816db368 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x816db368 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x816ce500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x816ce500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x816ce500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x816ce500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x816ce500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x816ce500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x816ce500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x816ce500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x816ce500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x816ce500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x816ce500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x816ce500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x816ce500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x816ce500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x816ce500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x816ce500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x816ce500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x816ce500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x816ce500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x816ce500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x816ce500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x816ce500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x816ce500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x816ce500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x816ce500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x816ce500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x816ce500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x816ce500 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_CREATE]
Process: System Address: 0x81786500 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_CLOSE]
Process: System Address: 0x81786500 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_READ]
Process: System Address: 0x81786500 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x81786500 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x81786500 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x81786500 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x81786500 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x81786500 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x81786500 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_SHUTDOWN]
Process: System Address: 0x81786500 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x81786500 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_CLEANUP]
Process: System Address: 0x81786500 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_PNP]
Process: System Address: 0x81786500 Size: 121

==EOF==

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/11 16:21
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Hidden Services
-------------------
Service Name: gasfkyvmqsklvd
Image Path: C:\WINDOWS\system32\drivers\gasfkybqwgeett.sys

==EOF==
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/11 16:21
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

==EOF==
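
The reports above are long, and the findings that matter (the MBR check, files hidden from the Windows API, the hidden service pointing at a hidden driver) are scattered across several of them. The following parser is an added example, not code from the forum or from RootRepeal; it reads the report layout posted above and reduces it to the indicators a responder would act on, with a constructed, trimmed excerpt of the thread's own reports as sample input.

```python
"""Triage a RootRepeal report into the findings that point at a rootkit. Added example,
not the forum's or RootRepeal's own code; it parses the report layout posted above."""
import re
from collections import defaultdict

def parse_reports(text):
    """Return [(section_name, [record, ...]), ...]; a record is a dict of Key: Value."""
    sections, records, record, section = [], [], {}, None
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        if line.startswith("==EOF=="):                 # end of one report
            if record:
                records.append(record)
            if section is not None:
                sections.append((section, records))
            section, records, record = None, [], {}
        elif i + 1 < len(lines) and re.fullmatch(r"-{5,}", lines[i + 1].strip()):
            section = line                             # title sits above the underline
        elif section is None or re.fullmatch(r"-{5,}", line):
            pass                                       # banner and header lines
        elif not line:                                 # blank line closes a record
            if record:
                records.append(record)
            record = {}
        else:
            m = re.match(r"([^:]+):\s*(.*)", line)
            if m:
                record[m.group(1).strip()] = m.group(2).strip()
    return sections

def triage(text):
    """Reduce the parsed reports to the indicators a responder acts on."""
    f = {"mbr_volumes": [], "sector_mismatches": defaultdict(int),
         "hidden_files": [], "hidden_services": []}
    for section, records in parse_reports(text):
        for rec in records:
            status, path = rec.get("Status", ""), rec.get("Path", "")
            vol = re.match(r"Volume (\w:)", path)
            if section == "Hidden/Locked Files" and vol and "MBR Rootkit" in status:
                f["mbr_volumes"].append(vol.group(1))
            elif section == "Hidden/Locked Files" and vol and status == "Sector mismatch":
                f["sector_mismatches"][vol.group(1)] += 1
            elif section == "Hidden/Locked Files" and "Invisible to the Windows API" in status:
                f["hidden_files"].append(path)         # on disk, hidden from user mode
            elif section == "Hidden Services":
                f["hidden_services"].append((rec.get("Service Name"), rec.get("Image Path")))
    f["sector_mismatches"] = dict(f["sector_mismatches"])
    return f

def common_prefix(names):
    """Longest common prefix of the strings in names ('' for an empty list)."""
    if not names:
        return ""
    lo, hi, n = min(names), max(names), 0
    while n < min(len(lo), len(hi)) and lo[n] == hi[n]:
        n += 1
    return lo[:n]

def verdict(f):
    """Correlate the indicators into short conclusions for the responder."""
    notes = []
    if f["mbr_volumes"]:
        notes.append("MBR rootkit flagged on " + ", ".join(f["mbr_volumes"]))
    names = [p.rsplit("\\", 1)[-1] for p in f["hidden_files"]]
    prefix = common_prefix(names)
    if len(names) > 1 and len(prefix) >= 4:            # one family, one name generator
        notes.append(f"{len(names)} hidden files share the prefix '{prefix}'")
    hidden = {p.lower() for p in f["hidden_files"]}
    for svc, image in f["hidden_services"]:
        if image and image.lower() in hidden:          # service whose binary is itself hidden
            notes.append(f"hidden service {svc} loads hidden driver {image}")
    return notes

# Constructed sample: a trimmed excerpt of the reports posted above.
SAMPLE = r"""Scan Start Time: 2009/10/11 16:09

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 1
Status: Sector mismatch

Path: C:\WINDOWS\system32\gasfkyjboybmce.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\gasfkybqwgeett.sys
Status: Invisible to the Windows API!

==EOF==

Hidden Services
-------------------
Service Name: gasfkyvmqsklvd
Image Path: C:\WINDOWS\system32\drivers\gasfkybqwgeett.sys

==EOF==
"""
```

Running `verdict(triage(SAMPLE))` yields three notes: the MBR flag on C:, the shared `gasfky` prefix of the hidden files, and the hidden service whose image is itself a hidden driver. SSDT hooks such as the `sphw.sys` ones in the thread are deliberately not scored, since legitimate kernel software hooks the same registry calls and the module has to be identified first.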

Re: trojan Win32/Olmarik.KW - how to deal with it?

Posted: 11 Oct 2009 15:35
by Zdeni
ComboFix tells me I don't have the Recovery Console installed and offers to download and install it - should I say yes or no? ;)

Re: trojan Win32/Olmarik.KW - how to deal with it?

Posted: 11 Oct 2009 15:38
by pitimir
Say yes, things are pretty lively in there... we may well need it.

Re: trojan Win32/Olmarik.KW - how to deal with it?

Posted: 11 Oct 2009 16:15
by Zdeni
Result from ComboFix

ComboFix 09-10-10.02 - Zdenka 11.10.2009 16:52.1.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.511.297 [GMT 2:00]
Spuštěný z: c:\documents and settings\Zdenka\Plocha\ComboFix.exe
AV: Eset NOD32 Antivirus 2.50 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Vytvořen nový Bod Obnovení
* Rezidentní štít AV je zapnutý

.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Zdenka\Dokumenty\cc_20090419_141102.reg
c:\windows\system32\drivers\gasfkybqwgeett.sys
c:\windows\system32\gasfkydbewulvg.dll
c:\windows\system32\gasfkyholtokcd.dat
c:\windows\system32\gasfkyjboybmce.dll
c:\windows\system32\gasfkyosvpxgfl.dat
c:\windows\system32\gasfkyprqxodpk.dll
c:\windows\system32\gasfkyrctobcce.dll
c:\windows\system32\gasfkyyanbaimp.dll
c:\windows\system32\ieuinit.inf

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gasfkyvmqsklvd
-------\Legacy_gasfkyvmqsklvd


((((((((((((((((((((((((( Soubory vytvořené od 2009-09-11 do 2009-10-11 )))))))))))))))))))))))))))))))
.

2009-10-11 09:45 . 2009-10-11 09:45 -------- d-----w- c:\program files\Crawler
2009-10-11 09:45 . 2009-10-11 09:45 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-10-10 10:45 . 2007-03-30 07:14 32256 ----a-w- c:\windows\system32\drivers\maplom.sys
2009-10-10 10:45 . 2009-10-10 11:01 -------- d-----w- c:\program files\Game Jackal
2009-10-06 17:06 . 2009-10-06 17:06 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-10-06 17:06 . 2009-10-06 17:06 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-10-06 16:40 . 2009-10-10 10:50 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-10-06 16:39 . 2009-10-06 16:40 -------- d-----w- c:\program files\Boardmaker with SD Pro
2009-09-19 19:14 . 2009-09-19 19:14 -------- d-----w- C:\install

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-11 14:52 . 2008-10-29 13:50 -------- d-----w- c:\program files\Eset
2009-10-11 09:49 . 2009-04-19 11:39 -------- d-----w- c:\program files\Spyware Terminator
2009-10-06 17:03 . 2008-11-27 16:19 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-22 11:42 . 2001-10-25 14:00 68736 ----a-w- c:\windows\system32\perfc005.dat
2009-08-22 11:42 . 2001-10-25 14:00 389664 ----a-w- c:\windows\system32\perfh005.dat
2006-12-12 20:15 . 2008-10-29 19:33 2725376 ----a-w- c:\program files\Past.exe
2005-09-14 09:25 . 2008-10-29 16:58 2588672 ----a-w- c:\program files\Foxit Reader.exe
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Zdenka\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe" [2009-08-21 133104]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"SpywareTerminatorUpdate"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe" [2009-10-11 3055616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-10-29 917504]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-02-13 35328]
"CloneCDTray"="c:\program files\CloneCD\CloneCDTray.exe" [2004-12-09 57344]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 172032]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 40960]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-C740-7760-100000000002}\SC_Acrobat.exe [2009-1-2 25214]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\QIP\\qip.exe"=
"c:\\Program Files\\Miranda IM\\miranda32.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [11.10.2009 11:45 142592]
S3 MaplomL;MaplomL; [x]
.
Obsah adresáře 'Naplánované úlohy'
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://seznam.cz/
uDefault_Search_URL = hxxp://search.qip.ru
uSearchURL,(Default) = hxxp://search.qip.ru/search?query=%s&from=IE
IE: Crawler Search - tbr:iemenu
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Převést cíl vazby do Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Převést cíl vazby do existujícího PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Převést do Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Převést do existujícího PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Převést vybrané vazby do Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Převést vybrané vazby do existujícího PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Převést výběr do Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Převést výběr do existujícího PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748450} - {CC963627-B1DC-40E0-B52A-CF21EE748450} - c:\progra~1\TRANSL~1\WEBIE.DLL
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748451} - {CC963627-B1DC-40E0-B52A-CF21EE748451} - c:\progra~1\TRANSL~1\WEBIE.DLL
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748452} - {CC963627-B1DC-40E0-B52A-CF21EE748452} - c:\progra~1\TRANSL~1\WEBIE.DLL
LSP: imon.dll
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\Toolbar\ctbr.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-11 17:00
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'lsass.exe'(708)
c:\windows\system32\imon.dll
c:\program files\Eset\pr_imon.dll
.
Celkový čas: 2009-10-11 17:02
ComboFix-quarantined-files.txt 2009-10-11 15:02

Před spuštěním: 3 285 291 008
Po spuštění: 4 175 097 856

WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=signature(e97fdc2b)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
signature(e97fdc2b)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

147 --- E O F --- 2008-11-11 21:07

Re: trojan Win32/Olmarik.KW - how to deal with it?

Posted: 11 Oct 2009 16:22
by pitimir
1) Move the CF icon to the desktop, close all open applications as well as the resident antivirus, antispyware and firewall, and open Notepad. Copy the following into it:

Code:

KillAll::
Folder::
c:\program files\DAEMON Tools Toolbar

FileLook::
c:\program files\Past.exe

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001

DDS::
uDefault_Search_URL = hxxp://search.qip.ru
uSearchURL,(Default) = hxxp://search.qip.ru/search?query=%s&from=IE

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
Save it to the desktop as CFScript.txt and drag it with the mouse onto the CF icon.


The program will process the script and create a new log.


Warning: if Windows does not boot after the script is applied, restart the PC, press F8 and choose Last Known Good Configuration.


2) Download MBR. Save it to drive C:\ and run it by double-clicking. A log (mbr.log) will be created; paste it here in full.

Re: trojan Win32/Olmarik.KW - how to deal with it?

Posted: 11 Oct 2009 16:47
by Zdeni
Done, the system booted and here is the log from mbr:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

Re: trojan Win32/Olmarik.KW - how to deal with it?

Posted: 11 Oct 2009 16:50
by pitimir
OK... could I ask for a new log from RootRepeal? The same way it was done before :)

Re: trojan Win32/Olmarik.KW - how to deal with it?

Posted: 11 Oct 2009 17:06
by Zdeni
This time RootRepeal started and the scan ran smoothly; log:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/11 17:54
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\ComboFix\catchme.sys
Address: 0xF88E6000 Size: 31744 File Visible: No Signed: -
Status: -

Name: Combo-Fix.sys
Image Path: Combo-Fix.sys
Address: 0xF8596000 Size: 60416 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF1855000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A60000 Size: 8192 File Visible: No Signed: -
Status: -

Name: mbr.sys
Image Path: C:\DOCUME~1\Zdenka\LOCALS~1\Temp\mbr.sys
Address: 0xF0E61000 Size: 11776 File Visible: No Signed: -
Status: -

Name: PCI_PNP4372
Image Path: \Driver\PCI_PNP4372
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: PROCEXP90.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Address: 0xF8ABC000 Size: 6464 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF85F6000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spfc.sys
Image Path: spfc.sys
Address: 0xF8414000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Zdenka\Data aplikací\StatSoft\STATISTICA\Automatické uložení: 00000DB0Tabulka2.sta
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "spfc.sys" at address 0xf84150e0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spfc.sys" at address 0xf8433ca4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spfc.sys" at address 0xf8434032

#: 119 Function Name: NtOpenKey
Status: Hooked by "spfc.sys" at address 0xf84150c0

#: 160 Function Name: NtQueryKey
Status: Hooked by "spfc.sys" at address 0xf843410a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spfc.sys" at address 0xf8433f8a

#: 247 Function Name: NtSetValueKey
Status: Hooked by "spfc.sys" at address 0xf843419c

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0xfe31d500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0xfe31d500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0xfe31d500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0xfe31d500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0xfe31d500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0xfe31d500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0xfe31d500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0xfe31d500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0xfe31d500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0xfe31d500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0xfe31d500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0xfe31d500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0xfe31d500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xfe31d500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0xfe31d500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0xfe31d500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0xfe31d500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0xfe31d500 Size: 121

Object: Hidden Code [Driver: a62p3mjzЅఉ瑎捦܉@考, IRP_MJ_CREATE]
Process: System Address: 0x81786500 Size: 121

Object: Hidden Code [Driver: a62p3mjzЅఉ瑎捦܉@考, IRP_MJ_CLOSE]
Process: System Address: 0x81786500 Size: 121

Object: Hidden Code [Driver: a62p3mjzЅఉ瑎捦܉@考, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x81786500 Size: 121

Object: Hidden Code [Driver: a62p3mjzЅఉ瑎捦܉@考, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x81786500 Size: 121

Object: Hidden Code [Driver: a62p3mjzЅఉ瑎捦܉@考, IRP_MJ_POWER]
Process: System Address: 0x81786500 Size: 121

Object: Hidden Code [Driver: a62p3mjzЅఉ瑎捦܉@考, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x81786500 Size: 121

Object: Hidden Code [Driver: a62p3mjzЅఉ瑎捦܉@考, IRP_MJ_PNP]
Process: System Address: 0x81786500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x820ee1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x820ee1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x820ee1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x820ee1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x820ee1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x820ee1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x820ee1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x820ee1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x820ee1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x820ee1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x820ee1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x817c31f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x817c31f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x817c31f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x817c31f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x817c31f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x817c31f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x817c31f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x823df1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x823df1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x823df1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x823df1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x823df1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x823df1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x823df1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x823df1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x823df1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x823df1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x823df1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x8216f368 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x8216f368 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8216f368 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8216f368 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x8216f368 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x8216f368 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x8219a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8219a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x8219a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8219a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x8219a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8219a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8219a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x8219a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x8219a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8219a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8219a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8219a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8219a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8219a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8219a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8219a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8219a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8219a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x8219a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8219a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8219a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8219a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x8219a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8219a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8219a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8219a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8219a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x8219a1f8 Size: 121

Object: Hidden Code [Driver: Documents a, IRP_MJ_CREATE]
Process: System Address: 0x8177d500 Size: 121

Object: Hidden Code [Driver: Documents a, IRP_MJ_CLOSE]
Process: System Address: 0x8177d500 Size: 121

Object: Hidden Code [Driver: Documents a, IRP_MJ_READ]
Process: System Address: 0x8177d500 Size: 121

Object: Hidden Code [Driver: Documents a, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8177d500 Size: 121

Object: Hidden Code [Driver: Documents a, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8177d500 Size: 121

Object: Hidden Code [Driver: Documents a, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8177d500 Size: 121

Object: Hidden Code [Driver: Documents a, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8177d500 Size: 121

Object: Hidden Code [Driver: Documents a, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8177d500 Size: 121

Object: Hidden Code [Driver: Documents a, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8177d500 Size: 121

Object: Hidden Code [Driver: Documents a, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8177d500 Size: 121

Object: Hidden Code [Driver: Documents a, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8177d500 Size: 121

Object: Hidden Code [Driver: Documents a, IRP_MJ_CLEANUP]
Process: System Address: 0x8177d500 Size: 121

Object: Hidden Code [Driver: Documents a, IRP_MJ_PNP]
Process: System Address: 0x8177d500 Size: 121

==EOF==
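
The RootRepeal report above is read by hand in this thread. As an added example (not the thread's or RootRepeal's own code), the Python helper below parses the report's "Title / -----" section format and summarises the three sections a responder checks first: loaded drivers with no visible file, SSDT hooks grouped by the hooking module, and drivers whose IRP_MJ dispatch handlers point into hidden code. The sample log is constructed in the posted format; the atapi.sys entry is made up only to exercise the File Visible filter.

```python
"""Triage helper for a RootRepeal report (added example, not the thread's code).
Summarises drivers with no visible file, SSDT hooks by hooking module, and
drivers whose IRP_MJ handlers were redirected into hidden code."""
import re
from collections import defaultdict

# Constructed sample in RootRepeal's 'Title / -----' section format; the
# atapi.sys entry is made up so that the File Visible filter has a negative.
SAMPLE_LOG = """\
Drivers
-------------------
Name: spfc.sys
Image Path: spfc.sys
Address: 0xF8414000 Size: 1052672 File Visible: No Signed: -

Name: atapi.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\atapi.sys
Address: 0xF8560000 Size: 96512 File Visible: Yes Signed: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "spfc.sys" at address 0xf84150e0

#: 119 Function Name: NtOpenKey
Status: Hooked by "spfc.sys" at address 0xf84150c0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x823711f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x820ee1f8 Size: 121

==EOF==
"""

def records(text, section):
    """Blank-line separated records of one 'Title / -----' section ([] if absent)."""
    m = re.search(rf"^{re.escape(section)}\n-+\n(.*?)(?=^[A-Za-z/ ]+\n-+\n|\Z)", text, re.M | re.S)
    body = m.group(1) if m else ""
    return [r.strip() for r in re.split(r"\n[ \t]*\n", body) if r.strip()]

def invisible_drivers(text):
    """Names of loaded drivers that RootRepeal could not see as a file on disk."""
    return [re.search(r"^Name: (.+)$", r, re.M).group(1).strip()
            for r in records(text, "Drivers") if "File Visible: No" in r]

def ssdt_hooks(text):
    """Hooking module -> sorted list of the Nt* services it hooks."""
    hooks = defaultdict(list)
    for r in records(text, "SSDT"):
        fn = re.search(r"Function Name: (\S+)", r)
        by = re.search(r'Hooked by "([^"]+)"', r)
        if fn and by:
            hooks[by.group(1)].append(fn.group(1))
    return {mod: sorted(fns) for mod, fns in hooks.items()}

def patched_irp_tables(text):
    """Driver -> (hidden-code address, count of IRP_MJ handlers redirected there)."""
    seen = defaultdict(set)
    for r in records(text, "Stealth Objects"):
        m = re.search(r"\[Driver: (.+), (IRP_MJ_\w+)\].*?Address: (0x[0-9a-fA-F]+)", r, re.S)
        if m:
            seen[(m.group(1), m.group(3))].add(m.group(2))
    return {drv: (addr, len(irps)) for (drv, addr), irps in seen.items()}
```

Diffing the three summaries between a scan taken before a cleanup step and one taken after shows which hooks and patched dispatch tables actually went away.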

Re: trojan Win32/Olmarik.KW - how to deal with it?

Posted: 11 Oct 2009 17:10
by pitimir
How does the PC look?

Re: trojan Win32/Olmarik.KW - how to deal with it?

Posted: 11 Oct 2009 17:13
by Zdeni
The PC and the desktop look the same as always ;)

Re: trojan Win32/Olmarik.KW - how to deal with it?

Posted: 11 Oct 2009 17:16
by pitimir
= everything is as it should be and the junk is no longer being reported? :)

To be safe, go here and have a scan done - here is a guide (by sundavis):

Re: trojan Win32/Olmarik.KW - how to deal with it?

Posted: 11 Oct 2009 17:22
by Zdeni
So is that it? NOD reports the memory is fine :) I'll still try that online scanner....