sud sep.exe, nejde naištalovať nod4

[herodesominv]

je tu SUD, adresár v roote so súborom sep.exe. Zvykol mi pomôcť nod4 (nod3 som odinštaloval), ten sa nedá doinštalovať, nezapíše nejaké hodnoty do registrov, na mašine som ako admin. Na PC mám nainštalovaný remote admin,takže o ňom viem. Skúšal som combofix ktorý mi tiež pomohol vačšinou ale tiež neprebehne a nedá ani log.


Logfile of random's system information tool 1.08 (written by random/random)
Run by toth at 2011-05-31 08:44:24
Systém Microsoft Windows XP Professional Service Pack 3
System drive C: has 28 GB (74%) free of 38 GB
Total RAM: 503 MB (61% free)

HijackThis download failed

======Scheduled tasks folder======

C:\WINDOWS\tasks\User_Feed_Synchronization-{36E62522-80E9-42D2-81A3-A2FBEDFB0F5A}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-09-22 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC0D62C2-9640-4AEB-A5D5-CF25DF11FA8C}]
OfferBox - C:\Program Files\OfferBox\OfferBoxBHO.dll [2011-01-21 135000]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2009-07-14 155648]
"LanguageMonitor"=C:\WINDOWS\system32\Oplmsb01.exe [2004-01-09 94208]
"NPSStartup"= []
"DivXUpdate"=C:\Program Files\DivX\DivX Update\DivXUpdate.exe [2010-09-16 1164584]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2011-01-31 35760]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-09-20 932288]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2009-07-14 155648]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"H/PC Connection Agent"=C:\Program Files\Microsoft ActiveSync\wcescomm.exe [2006-11-13 1289000]
"AutoStartNPSAgent"=C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe [2009-12-10 116056]
"mongosee EGGS"=C:\SUD\SSOW\sep.exe [2009-11-12 91136]

SymmTime.lnk - C:\Program Files\Symmetricom\SymmTime\SymmTime.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
igfxsrvc.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=1
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Samsung\Samsung New PC Studio\npsasvr.exe"="C:\Program Files\Samsung\Samsung New PC Studio\npsasvr.exe:*:Enabled:KTF MUSIC AoD Server"
"C:\Program Files\Samsung\Samsung New PC Studio\npsvsvr.exe"="C:\Program Files\Samsung\Samsung New PC Studio\npsvsvr.exe:*:Enabled:KTF MUSIC VoD Server"
"C:\WINDOWS\system32\ftp.exe"="C:\WINDOWS\system32\ftp.exe:*:Enabled:File Transfer Program"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\Program Files\Opera\opera.exe"="C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

======List of files/folders created in the last 1 months======

2016-04-12 02:01:47 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2016-04-12 02:01:11 ----D---- C:\WINDOWS\Zuma's Revenge!
2016-04-12 02:01:11 ----D---- C:\Program Files\Zuma's Revenge!
2016-04-12 02:00:52 ----A---- C:\WINDOWS\Zuma's Revenge! Setup Log.txt
2011-05-31 08:44:24 ----D---- C:\rsit
2011-05-31 08:44:24 ----D---- C:\Program Files\trend micro
2011-05-30 14:04:41 ----SD---- C:\ComboFix
2011-05-30 13:50:05 ----D---- C:\Program Files\Common Files\Adobe
2011-05-30 12:49:40 ----D---- C:\WINDOWS\Minidump
2011-05-30 12:41:28 ----A---- C:\WINDOWS\zip.exe
2011-05-30 12:41:28 ----A---- C:\WINDOWS\SWXCACLS.exe
2011-05-30 12:41:28 ----A---- C:\WINDOWS\SWSC.exe
2011-05-30 12:41:28 ----A---- C:\WINDOWS\SWREG.exe
2011-05-30 12:41:28 ----A---- C:\WINDOWS\sed.exe
2011-05-30 12:41:28 ----A---- C:\WINDOWS\PEV.exe
2011-05-30 12:41:28 ----A---- C:\WINDOWS\NIRCMD.exe
2011-05-30 12:41:28 ----A---- C:\WINDOWS\MBR.exe
2011-05-30 12:41:28 ----A---- C:\WINDOWS\grep.exe
2011-05-30 12:41:18 ----D---- C:\WINDOWS\ERDNT
2011-05-30 12:41:11 ----D---- C:\Qoobox
2011-05-30 11:55:29 ----D---- C:\Program Files\ives

======List of files/folders modified in the last 1 months======

2011-05-31 08:44:24 ----RD---- C:\Program Files
2011-05-31 08:43:33 ----D---- C:\install
2011-05-31 08:42:37 ----A---- C:\WINDOWS\wincmd.ini
2011-05-31 08:11:12 ----D---- C:\WINDOWS\Prefetch
2011-05-30 15:33:30 ----A---- C:\WINDOWS\SchedLgU.Txt
2011-05-30 15:33:15 ----A---- C:\WINDOWS\SymmTime.ini
2011-05-30 14:12:53 ----D---- C:\WINDOWS
2011-05-30 14:12:33 ----D---- C:\WINDOWS\Temp
2011-05-30 14:10:13 ----D---- C:\WINDOWS\system32\drivers
2011-05-30 14:10:13 ----D---- C:\WINDOWS\system32
2011-05-30 14:10:13 ----D---- C:\WINDOWS\AppPatch
2011-05-30 14:10:09 ----D---- C:\Program Files\Common Files
2011-05-30 14:05:39 ----D---- C:\WINDOWS\system32\CatRoot2
2011-05-30 14:04:34 ----A---- C:\WINDOWS\ZoneLib-DisplayNames.ini
2011-05-30 13:58:52 ----SHD---- C:\WINDOWS\Installer
2011-05-30 13:58:52 ----SHD---- C:\Config.Msi
2011-05-30 13:57:29 ----HD---- C:\WINDOWS\inf
2011-05-30 13:50:19 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2011-05-30 13:50:05 ----D---- C:\Program Files\Adobe
2011-05-30 12:49:05 ----D---- C:\Documents and Settings\user\Application Data\OfferBox
2011-05-30 10:42:11 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2011-05-16 07:31:11 ----A---- C:\WINDOWS\system32\MRT.exe
2011-05-13 07:27:38 ----D---- C:\Program Files\Microsoft Silverlight
2011-05-10 06:17:26 ----D---- C:\Pom2

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 PxHelp20;PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [2010-07-12 45648]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 StarOpen;StarOpen; C:\WINDOWS\system32\drivers\StarOpen.sys [2006-07-24 5632]
R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys [2008-04-13 88320]
R2 NwlnkNb;NWLink NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnknb.sys [2001-08-23 63232]
R2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys [2001-08-23 55936]
R2 OkiPar;OkiPar; C:\WINDOWS\System32\DRIVERS\OKIPAR.SYS [2003-06-23 36928]
R3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel(R) Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-08-03 120094]
R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel(R) Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-08-03 96858]
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 E100B;Intel(R) PRO Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2006-01-12 163328]
R3 FsUsbExDisk;FsUsbExDisk; \??\C:\WINDOWS\system32\FsUsbExDisk.SYS []
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2003-08-03 91419]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NWRDR;NetWare Rdr; C:\WINDOWS\system32\DRIVERS\nwrdr.sys [2008-04-13 163584]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-09-20 21248]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-08-29 578304]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S1 ehdrv;ehdrv; C:\WINDOWS\system32\DRIVERS\ehdrv.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\user\LOCALS~1\Temp\catchme.sys []
S3 NAL;Nal Service ; \??\C:\WINDOWS\system32\Drivers\iqvw32.sys []
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM); C:\WINDOWS\system32\DRIVERS\sscdbus.sys [2009-09-08 80552]
S3 sscdmdfl;SAMSUNG Mobile Modem Filter; C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys [2009-09-08 11944]
S3 sscdmdm;SAMSUNG Mobile Modem Drivers; C:\WINDOWS\system32\DRIVERS\sscdmdm.sys [2009-09-08 106792]
S3 ssm_bus;SAMSUNG Mobile USB Device II 1.0 driver (WDM); C:\WINDOWS\system32\DRIVERS\ssm_bus.sys [2009-09-08 83592]
S3 ssm_mdfl;SAMSUNG Mobile USB Modem II 1.0 Filter; C:\WINDOWS\system32\DRIVERS\ssm_mdfl.sys [2009-09-08 15112]
S3 ssm_mdm;SAMSUNG Mobile USB Port II 1.0 Drivers; C:\WINDOWS\system32\DRIVERS\ssm_mdm.sys [2009-09-08 109704]
S3 usb_rndisx;USB RNDIS Adapter; C:\WINDOWS\system32\DRIVERS\usb8023x.sys [2008-04-13 12800]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 wceusbsh;Windows CE USB Serial Host Driver; C:\WINDOWS\system32\DRIVERS\wceusbsh.sys [2006-11-06 28672]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 FsUsbExService;FsUsbExService; C:\WINDOWS\system32\FsUsbExService.Exe [2009-12-10 238952]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 NWCWorkstation;Client Service for NetWare; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 r_server;Remote Administrator Service; C:\WINDOWS\system32\r_server.exe [2004-06-17 708608]
S2 ekrn;ESET Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

-----------------EOF-----------------

[JaRon]

spust regedit - daj najst mongosee EGGS - polozku ZMAZ - restart PC

[herodesominv]

Bolo to v

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

zmazal som

NOD4 stále hlási: Sprievodca predčasne ukončil ESET NOD32 Antivirus....kvôli chybe predčasne ukončená
a adresár sud nezmizol, nedá sa zmazať

[JaRon]

fajn, v druhom kole - stiahni combofix - premenuj ho na bobo.com - a spust v nudzovom rezime PC

[herodesominv]

mno, ten remote admin, ja to robím cez tento program, som v robote a tento PC je doma, nemám šancu sa k nemu teraz dostať a mačknúť F8, a ak by som náhodou spustil v núdzovom režime (tuším že sa do dá nejak zariadiť jedným programom) tak neviem či by mi fungoval remote admin. nedá sa to inak? preventívne som spustil combofix bez núdzového režimu premenovaný na bobo.com ale SUD tam stále je, nedokončil nedal ani log

[JaRon]

zasadna otazka znie:
po zasahu v regedit bol urobeny restart ak nie treba restartovat a potom sa pripoj znovu k PC, alebo pockaj kym prides domov

[herodesominv]

bol urobený restart, ja ho viem dať reštartovať a keď sa PC spustí viem sa naň dostať

cez regedit som našiel čo bolo treba a zmazal, daval som hladať aj ďalej ale už nič nenašlo

ale teraz som dal haldať sep.exe v regedit a našlo ho v
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-01WE-AAX2-5657QCA554112}
HKEY_USERS\S-1-5-21-796845957-813497703-839522115-1004\Software\Microsoft\Windows\ShellNoRoam\MUICache

[JaRon]

pouzi Avenger - jeho script:

Kód: Vybrat vše

Folders to delete:
C:\SUD

[herodesominv]

adresar sud tam už nie je, idem nainštalovať NOD4 (skúsiť)


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Folder "C:\SUD" deleted successfully.

Completed script processing.

*******************

Finished! Terminate





NOD4 stále neviem nainštalovať
skúsim ten combofix

[herodesominv]

takže ani nod, ani combofix

[JaRon]

skus AVPTool
+
toto si dufam zmazal ?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-01WE-AAX2-5657QCA554112}
viac info o pliage >> http://www.sophos.com/en-us/threat-cent ... lysis.aspx

[herodesominv]

nezmazal som to, použil som ten avenger len ako si radil a teraz avp tool, o chvilu bude z neho log

[herodesominv]

nejaký slaby log


Automatická kontrola: dokončeno před 5 min. (události: 2, objekty: 97606, čas: 00:32:26)
31. 5. 2011 12:01:42 Úloha byla spuštěna
31. 5. 2011 12:34:09 Úloha byla dokončena



a dal som hladať všetky sep.exe v registroch a mazať

[JaRon]

cervene oznacenu polozku v registroch ZMAZ
+
odinstaluj ComboFix - skusal si ho spustat uz vcera, asi ostal v nejakom zblbnutom stave
+
taktiez NOD najprv odinstaluj a skus nanovo

[herodesominv]

- z registrov je to zmazané
- combofix odinštalovaný, teraz beží nanovo, ale zas bez výsledku
- nod mám odinštalovaný dávno, inštalácia nanovo nechce zbehnúť, ale po combofixe skúsim zas,ale nič, pri inštalovaní ovládačov sa odrazu objavý, vrátenie akceie späť a potom viď img
[img][IMG]http://www.ulozisko.sk/obrazky/small-408661/bez_nazvu.JPG[/img][/img]