So now it went "like in the good old days":
ComboFix 12-01-31.01 - palo talpas . 02. 2012 15:04:10.1.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.420.1029.18.502.202 [GMT 1:00]
Running from: c:\documents and settings\palo talpas\Plocha\beruska.com.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\palo talpas\WINDOWS
c:\program files\UNWISE.EXE
c:\windows\iun6002.exe
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\GetDiskSerial.dll
c:\windows\system32\PCLECoInst.dll
c:\windows\system32\system32
c:\windows\system32\system32\getdiskserial.dll
c:\windows\system32\system32\msmapi32.ocx
c:\windows\system32\system32\msvcr70.dll
c:\windows\system32\system32\msvcrt20.dll
D:\Autorun.inf
c:\windows\WindowsUpdate.log . . . . could not be deleted
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected.
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe
.
c:\windows\system32\proquota.exe was missing.
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_RKHIT
-------\Service_RkHit
.
.
((((((((((((((((((((((((( Files Created From 2012-01-01 to 2012-02-01 )))))))))))))))))))))))))))))))
.
.
2012-02-01 14:26 . 2008-04-14 04:22 50176 ----a-w- c:\windows\system32\proquota.exe
2012-02-01 09:58 . 2012-02-01 11:48 133208 ----a-w- c:\windows\system32\drivers\08825654.sys
2012-02-01 09:26 . 2012-02-01 09:49 117563736 ----a-w- C:\setup_11.0.0.1245.x01_2012_02_01_12_48.exe
2012-01-31 18:57 . 2012-01-31 18:57 -------- d-----w- c:\documents and settings\palo talpas\Data aplikací\Malwarebytes
2012-01-31 18:56 . 2012-01-31 18:56 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Malwarebytes
2012-01-31 18:56 . 2012-01-31 18:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-31 18:56 . 2011-12-10 14:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-31 18:51 . 2012-01-31 18:55 9502424 ----a-w- C:\mbam--setup-1.60.1.1000.exe
2012-01-31 18:30 . 2012-01-31 18:30 -------- d-----w- C:\FOUND.001
2012-01-31 16:48 . 2012-01-31 16:48 -------- d-----w- C:\ComboFix
2012-01-31 16:06 . 2012-01-31 16:06 -------- d-----w- c:\documents and settings\Administrator
2012-01-31 16:04 . 2012-01-31 16:04 -------- d-----w- C:\FOUND.000
2012-01-31 13:12 . 2012-01-31 13:12 2059056 ----a-w- C:\tdsskiller.exe
2012-01-31 08:47 . 2012-01-31 08:47 -------- d-----w- c:\program files\ESET
2012-01-31 08:47 . 2012-01-31 08:47 2322184 ----a-w- C:\esetsmartinstaller_sky.exe
2012-01-24 18:44 . 2012-01-24 18:44 -------- d-----w- C:\rsit
2012-01-13 16:10 . 2012-01-13 16:10 -------- d-----w- c:\program files\trend micro
2012-01-06 18:39 . 2012-01-06 18:39 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-06 18:39 . 2012-01-06 18:39 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-06 18:39 . 2012-01-06 18:39 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-06 18:39 . 2012-01-06 18:39 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-25 21:57 . 2004-08-18 19:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 14:40 . 2004-08-18 19:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-20 06:12 . 2004-08-18 19:00 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-18 09:39 . 2011-11-18 09:39 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-16 14:21 . 2004-08-18 19:00 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2004-08-18 19:00 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-04 19:13 . 2006-01-09 19:08 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:13 . 2004-08-18 19:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:13 . 2004-08-18 19:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:24 . 2004-08-18 19:00 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 15:29 . 2004-08-18 19:00 386560 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:29 . 2004-08-18 19:00 1294848 ----a-w- c:\windows\system32\quartz.dll
2012-01-06 18:39 . 2011-09-30 12:13 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((( Registry Loading Points )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-02-01 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 88204]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-19 16248320]
"SkyTel"="SkyTel.EXE" [2006-07-19 2879488]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-07-19 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-29 766041]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2006-05-15 45056]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-18 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-18 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-18 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-18 455168]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 345088]
"Acer ePresentation HPD"="c:\acer\Empowering Technology\ePresentation\ePresentation.exe" [2006-06-07 208896]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-06-13 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-06-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-06-13 118784]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-07-12 438272]
"Boot"="c:\acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 579584]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2006-07-14 471040]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-29 1259376]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\palo talpas\Nabídka Start\Programy\Po spuštění\
_uninst_08825654.lnk - c:\documents and settings\palo talpas\Local Settings\Temp\_uninst_08825654.bat [N/A]
.
c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-6-29 45056]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-1-17 618557]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [N/A]
Rychlý začátek s aplikací HP Photosmart Premier.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqdirec.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqthb08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Product Assistant\\BIN\\hprbui.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\HPQDocViewer.exe"=
"c:\\Program Files\\Common Files\\NewTech Infosystems\\LiveUpdate\\LiveUpdate.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Acer\\Empowering Technology\\Acer.Empowering.Framework.Launcher.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
.
R0 08825654;08825654;c:\windows\system32\drivers\08825654.sys [1. 2. 2012 10:58 133208]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [31. 1. 2012 19:56 652360]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [31. 1. 2012 19:56 20464]
S2 gupdate;Služba Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1. 2. 2011 18:21 136176]
S3 gupdatem;Služba Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1. 2. 2011 18:21 136176]
S3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys [19. 6. 2006 12:20 1097728]
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-01 17:21]
.
2012-02-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-01 17:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.mywebsearch.com/index.jhtml?n=77DE8857&ptnrS=GRxdm035YYSK&ptb=7syorNJL8Hs1tCufovq0Qw
uInternet Connection Wizard,ShellNext = iexplore
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\palo talpas\Data aplikací\Mozilla\Firefox\Profiles\v57ioe40.default\
FF - prefs.js: browser.search.selectedEngine - Zoznam
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=GRxdm035YYSK&ptb=7syorNJL8Hs1tCufovq0Qw&ind=2011092909&ptnrS=GRxdm035YYSK&si=7668583&n=77ded7ad&psa=&st=kwd&searchfor=
.
- - - - INVALID ENTRIES REMOVED FROM THE REGISTRY - - - -
.
HKCU-Run-SpyEmergency - c:\program files\NETGATE\Spy Emergency\SpyEmergency.exe
HKLM-Run-USB2Check - c:\windows\system32\PCLECoInst.dll
HKLM-Run-PCLEUSBTip - c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
HKLM-Run-USBToolTip - c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2012-02-01 15:40
Windows 5.1.2600 Service Pack 3 FAT NTAPI
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3592)
c:\windows\system32\MSNCHATHOOK.DLL
c:\windows\system32\sysenv.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\MFC71U.DLL
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\acer\Empowering Technology\ePerformance\MemCheck.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\AGRSMMSG.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxext.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\docume~1\PALOTA~1\LOCALS~1\Temp\RtkBtMnt.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2012-02-01 15:57:11 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-01 14:57
.
Pre-Run: 30 153 474 048 bytes free
Post-Run: 35 682 091 008 bytes free
.
- - End Of File - - 55E3C3634EA6679309BCDE2AD0D7F12B
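A log like the one above is normally triaged by eye. As an added example (not part of the original post and not ComboFix's own code), the Python below reads a ComboFix-style log, parses the driver/service lines, the Run-key entries and the Startup-folder shortcuts, and flags the items a responder would check first: a driver whose image name is a bare number (08825654.sys), a Startup shortcut or process launched from a Temp directory, a Run entry whose target no longer exists ([X]), the firewall policy with EnableFirewall set to 0, the mywebsearch start page, and the look-alike c:\windows\system32\system32 directory. SAMPLE_LOG is a constructed excerpt modelled on lines from the log above; the rules are my own heuristics, and a hit is a lead to confirm rather than a verdict. For instance, a numeric-named driver together with an _uninst_08825654 batch file in the Startup folder is consistent with what TDSSKiller (run on this machine the day before, per the file list) leaves behind, so it should be verified before being treated as malicious.

```python
"""Triage helper for a ComboFix-style log.

Added example: not part of the original post and not ComboFix's own code.
SAMPLE_LOG is a constructed excerpt modelled on the log above; the rules are
the author's heuristics and every hit is a lead to verify, not a verdict.
"""
import re

SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-06-13 94208]
.
c:\documents and settings\palo talpas\Nabídka Start\Programy\Po spuštění\
_uninst_08825654.lnk - c:\documents and settings\palo talpas\Local Settings\Temp\_uninst_08825654.bat [N/A]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
R0 08825654;08825654;c:\windows\system32\drivers\08825654.sys [1. 2. 2012 10:58 133208]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [31. 1. 2012 19:56 652360]
S3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys [19. 6. 2006 12:20 1097728]
.
uStart Page = hxxp://home.mywebsearch.com/index.jhtml?n=77DE8857
c:\windows\system32\system32\getdiskserial.dll
c:\docume~1\PALOTA~1\LOCALS~1\Temp\RtkBtMnt.exe
"""

# ComboFix line shapes: "R0 name;display;image [date size]" for drivers/services,
# '"Name"="target" [date size]' for Run keys (the bracket holds X when the file
# is missing), and "shortcut.lnk - target [date size]" for Startup-folder entries.
SERVICE_RE = re.compile(r'^([RS])(\d)\s+([^;]+);([^;]*);(.+?)\s+\[(.*)\]\s*$')
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s+\[(.*)\]\s*$')
LNK_RE = re.compile(r'^(.+?\.lnk)\s+-\s+(.+?)\s+\[(.*)\]\s*$')

TEMP_RE = re.compile(r'\\(temp|locals~1)\\', re.I)                  # ...\Temp\ or ...\LOCALS~1\
NUMERIC_NAME_RE = re.compile(r'\\(\d{6,})\.(sys|exe|dll)\s*$', re.I)  # e.g. \08825654.sys
NESTED_SYSTEM32_RE = re.compile(r'\\system32\\system32\\', re.I)
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b')
BROWSER_RE = re.compile(r'^(uStart Page|mStart Page|FF - prefs\.js: keyword\.URL)')


def triage(text):
    """Return a list of (rule, line) pairs for the log lines worth a closer look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '.':
            continue
        m = SERVICE_RE.match(line)
        if m:
            image = m.group(5)
            if NUMERIC_NAME_RE.search(image):
                findings.append(('numeric-named driver/service image', line))
            if TEMP_RE.search(image):
                findings.append(('service image in a temp directory', line))
            continue
        m = RUN_RE.match(line)
        if m:
            target, info = m.group(2), m.group(3)
            if info == 'X':
                findings.append(('Run entry whose target file is missing', line))
            if TEMP_RE.search(target):
                findings.append(('Run entry launching from a temp directory', line))
            continue
        m = LNK_RE.match(line)
        if m:
            if TEMP_RE.search(m.group(2)):
                findings.append(('Startup shortcut launching from a temp directory', line))
            continue
        if FIREWALL_OFF_RE.match(line):
            findings.append(('Windows Firewall disabled in the standard profile', line))
        elif BROWSER_RE.match(line) and 'mywebsearch' in line.lower():
            findings.append(('browser start page / search hijack (mywebsearch)', line))
        elif NESTED_SYSTEM32_RE.search(line):
            findings.append(('nested system32\\system32 path (look-alike system directory)', line))
        elif TEMP_RE.search(line) and line.lower().endswith('.exe'):
            findings.append(('process or file running from a temp directory', line))
    return findings


if __name__ == '__main__':
    for rule, line in triage(SAMPLE_LOG):
        print(f'[{rule}]\n    {line}')
```

Run against the sample it reports seven leads and stays silent on the Malwarebytes service, the Logitech driver and the Intel graphics Run entry. Point it at a full log by passing the file contents to triage(); each rule is deliberately narrow so that a hit tells you which section of the log to read next rather than trying to decide for you.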