  1. #1
    Registered User lisi4ko's Avatar
    Join Date: Nov:2008
    Location: Varna
    Posts: 91

    Win32/PSW.OnLineGames.NMY

    ,

    - Win32/PSW.OnLineGames.NMY autorun.inf - . .

    ? http://www.scanforfree.com/08/win32_...y-removal.html . ?


  2. #2
    Registered User
    Join Date: Dec:2005
    Location: yvr
    Posts: 5,167
    \windows\system32 spoolsv.exe, .
    \windows\system32\dllcache\spoolsv.exe

  3. #3
    Registered User lisi4ko's Avatar
    Join Date: Nov:2008
    Location: Varna
    Posts: 91
    \windows\system32 - 56,5 KB (57 856 bytes)
    \windows\system32\dllcache\spoolsv.exe - 56,5 KB (57 856 bytes)

    hijackthis i combofix
    .
    :
    Code:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:02:06, on 18.11.2008 .
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Globe Software\StatBar\StatBar.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\Datecs\Flex2K.exe
    C:\Program Files\RBTray\RBTray.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\ESET\nod32kui.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
    O4 - HKLM\..\Run: [D_V_T] C:\\dvt.exe /S \C:\\d_v_t.reg\
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKCU\..\Run: [StatBar] C:\Program Files\Globe Software\StatBar\StatBar.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: RBTray.lnk = C:\Program Files\RBTray\RBTray.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: FlexType 2K.lnk = C:\WINDOWS\Datecs\Flex2K.exe
    O8 - Extra context menu item: Add to &Teleport - C:\PROGRA~1\TELEPO~1\teleport.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button:  - {60237576-b24c-4ba9-9740-c9f3ec9db557} - C:\PROGRA~1\SkyCode\WEBTRA~1\wt2ie.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F5DF859B-68D0-4380-9DBA-230377CFEA59}: NameServer = 212.39.90.42,212.39.90.43
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: Windows Smrss Service - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
    O24 - Desktop Component 1:  -  - http://mail03.abv.bg/app/servlet/bg....et=Cp1251&ac=s
    
    --
    End of file - 5682 bytes

    Combofix

    Code:
    ComboFix 08-11-17.06 - Vanio 2008-11-18 20:15:10.1 - NTFSx86
    Microsoft Windows XP Professional  5.1.2600.2.1251.1.1033.18.550 [GMT 2:00]
    Running from: c:\documents and settings\Vanio\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Vanio\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
     * Created a new restore point
     * Resident AV is active
    
    .
    
    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    
    C:\test.txt
    
     c:\windows\system32\winlogon.exe . . . is infected!!
    
    .
    (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    
    -------\Legacy_WINDOWS_SMRSS_SERVICE
    -------\Service_Windows Smrss Service
    
    
    (((((((((((((((((((((((((   Files Created from 2008-10-18 to 2008-11-18  )))))))))))))))))))))))))))))))
    .
    
    2008-11-18 20:01 . 2008-11-18 20:01	<DIR>	d--------	c:\program files\Trend Micro
    2008-11-18 19:15 . 2008-11-18 19:15	<DIR>	d--------	c:\documents and settings\Vanio\Application Data\True Sword
    2008-11-18 19:14 . 2008-11-18 19:22	<DIR>	d--------	c:\program files\True Sword 5
    2008-11-16 00:14 . 2008-05-30 14:11	3,850,760	--a------	c:\windows\system32\D3DX9_38.dll
    2008-11-16 00:13 . 2008-11-16 00:13	<DIR>	d--------	c:\windows\Logs
    2008-11-16 00:07 . 2008-11-16 00:07	682,280	--a------	c:\windows\system32\pbsvc.exe
    2008-11-10 23:30 . 2008-11-10 23:30	<DIR>	d--------	c:\program files\Common Files\Skype
    2008-11-10 23:30 . 2008-11-18 19:03	<DIR>	d--------	c:\documents and settings\Vanio\Application Data\skypePM
    2008-11-10 23:30 . 2008-11-10 23:30	56	--ah-----	c:\windows\system32\ezsidmv.dat
    
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-18 18:18	---------	d-----w	c:\documents and settings\Vanio\Application Data\Skype
    2008-11-18 17:49	---------	d-----w	c:\program files\ESET
    2008-11-17 21:52	138,376	----a-w	c:\windows\system32\drivers\PnkBstrK.sys
    2008-11-17 21:51	182,928	----a-w	c:\windows\system32\PnkBstrB.exe
    2008-11-17 21:06	---------	d-----w	c:\documents and settings\Vanio\Application Data\uTorrent
    2008-11-15 22:07	22,328	----a-w	c:\documents and settings\Vanio\Application Data\PnkBstrK.sys
    2008-11-15 22:07	---------	d--h--w	c:\program files\InstallShield Installation Information
    2008-10-02 18:11	---------	d-----w	c:\program files\TVAnts
    2008-09-21 16:28	---------	d-----w	c:\program files\mIRC
    .
    
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown 
    REGEDIT4
    
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "StatBar"="c:\program files\Globe Software\StatBar\StatBar.exe" [2003-07-25 335872]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
    "DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-09 128920]
    "D_V_T"="c:\\dvt.exe" [2008-08-07 3584]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-01-20 282624]
    "nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-08-07 949376]
    "Resume copy"="copyfstq.exe" [2002-03-24 c:\windows\COPYFSTQ.EXE]
    "AtiPTA"="atiptaxx.exe" [2005-11-23 c:\windows\system32\atiptaxx.exe]
    
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
    
    c:\documents and settings\Vanio\Start Menu\Programs\Startup\
    RBTray.lnk - c:\program files\RBTray\RBTray.exe [2006-07-14 53248]
    
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
    FlexType 2K.lnk - c:\windows\Datecs\Flex2K.exe [2006-11-16 130048]
    
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\mIRC\\mirc.exe"=
    "c:\\Program Files\\ICQLite\\ICQLite.exe"=
    "c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
    "d:\\GAMES\\Call of Duty 2\\CoD2MP_s.exe"=
    "d:\\GAMES\\Counter-Strike\\cstrike.exe"=
    "c:\\Program Files\\PPMate\\ppmate.exe"=
    "c:\\Program Files\\PPMate\\ppmnet.exe"=
    "c:\\Program Files\\uTorrent\\utorrent.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\DC++\\DCPlusPlus.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "h:\\downloads\\uTorrent\\utorrent-1.8-beta-9704.upx.exe"=
    "d:\\GAMES\\Call of Duty - World at War\\CoDWaWmp.exe"=
    "d:\\GAMES\\Call of Duty - World at War\\CoDWaW.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    
    R1 atitray;atitray;\??\c:\program files\Radeon Omega Drivers\v3.8.205\ATI Tray Tools\atitray.sys [2005-11-14 10496]
    R2 SVKP;SVKP;\??\c:\windows\system32\SVKP.sys [2007-01-23 2368]
    
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1bf33c29-75c1-11db-85ef-806d6172696f}]
    \Shell\AutoRun\command - F:\ASUSACPI.exe
    .
    Contents of the 'Scheduled Tasks' folder
    
    2008-11-17 c:\windows\Tasks\At1.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-10-05 c:\windows\Tasks\At10.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-15 c:\windows\Tasks\At11.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-15 c:\windows\Tasks\At12.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-15 c:\windows\Tasks\At13.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-16 c:\windows\Tasks\At14.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-16 c:\windows\Tasks\At15.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-16 c:\windows\Tasks\At16.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-16 c:\windows\Tasks\At17.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-16 c:\windows\Tasks\At18.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-16 c:\windows\Tasks\At19.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-15 c:\windows\Tasks\At2.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-16 c:\windows\Tasks\At20.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-18 c:\windows\Tasks\At21.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-17 c:\windows\Tasks\At22.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-17 c:\windows\Tasks\At23.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-17 c:\windows\Tasks\At24.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-01 c:\windows\Tasks\At3.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-01 c:\windows\Tasks\At4.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-01 c:\windows\Tasks\At5.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-10-05 c:\windows\Tasks\At6.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-10-05 c:\windows\Tasks\At7.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-10-05 c:\windows\Tasks\At8.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-10-05 c:\windows\Tasks\At9.job
    - c:\windows\system32\fGJ5mMa7.exe []
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - c:\documents and settings\Vanio\Application Data\Mozilla\Firefox\Profiles\cmi6eeu2.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - 
    .
    
    **************************************************************************
    
    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-18 20:17:29
    Windows 5.1.2600 Service Pack 2 NTFS
    
    scanning hidden processes ... 
    
    scanning hidden autostart entries ...
    
    scanning hidden files ... 
    
    scan completed successfully
    hidden files: 0
    
    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ati2evxx.exe
    c:\windows\system32\ati2evxx.exe
    c:\windows\ehome\ehRecvr.exe
    c:\windows\ehome\ehSched.exe
    c:\program files\ESET\nod32krn.exe
    c:\windows\system32\PnkBstrA.exe
    c:\windows\system32\dllhost.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\Skype\Plugin Manager\skypePM.exe
    .
    **************************************************************************
    .
    Completion time: 2008-11-18 20:19:12 - machine was rebooted
    ComboFix-quarantined-files.txt  2008-11-18 18:18:59
    
    Pre-Run: 11 281 354 752 bytes free
    Post-Run: 11,500,244,992 bytes free
    
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
    
    183



    . USB autorun.inf-a

    Spy bot search and destroy ... cookies .
    Last edited by lisi4ko; 22nd November 2008 at 12:17.
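The two logs in the post above were read by the helpers for a handful of specific signs: a service whose binary is "(file missing)" or sits in C:\WINDOWS instead of system32 ("Windows Smrss Service"), core Windows binaries started from a directory other than system32, a block of At*.job scheduled tasks all pointing at one randomly named executable in system32 (fGJ5mMa7.exe), the Windows Firewall switched off (EnableFirewall = 0), and an AutoRun command registered for a mounted volume. The Python script below, added here as an example and not code from the thread, HijackThis or ComboFix, applies those checks mechanically to a pasted log. The excerpt it runs on is assembled from lines in the logs above; the list of "core" binaries and the wording of the findings are the example author's choices.

```python
"""Triage of HijackThis / ComboFix log excerpts for the indicators the
thread's helpers keyed on.  Added example for this page; it is not the
forum's, Trend Micro's or ComboFix's code."""
import re
from collections import Counter

# Windows binaries that, on XP, are only legitimately started from
# %SystemRoot%\system32 (the dllcache copy is a backup and never runs).
CORE_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe",
}

# One running-process line (HijackThis "Running processes", ComboFix
# "Other Running Processes"): a bare path ending in .exe.
PROCESS_RE = re.compile(r"^[a-z]:\\.*\.exe$", re.I)
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# ComboFix lists at.exe-created jobs as a two-line pair: job file, then target.
JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(?P<job>\S+\\At\d+\.job)$", re.I)
JOB_TARGET_RE = re.compile(r"^- (?P<target>.+?) \[.*\]$")
AUTORUN_RE = re.compile(r"\\Shell\\AutoRun\\command - (?P<target>.+)$", re.I)


def _outside_system32(path: str) -> bool:
    """True when a core binary's directory is anything but ...\\system32."""
    parent, _, base = path.lower().rpartition("\\")
    return base in CORE_SYSTEM_BINARIES and not parent.endswith("\\system32")


def triage(log_text: str) -> list[str]:
    """Return human-readable findings for a HijackThis/ComboFix excerpt."""
    findings = []
    at_job_targets = Counter()
    pending_job = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PROCESS_RE.match(line) and " - " not in line:
            if _outside_system32(line):
                findings.append(f"core binary running outside system32: {line}")
            continue
        m = SERVICE_RE.match(line)
        if m:
            reasons = []
            if m["missing"]:
                reasons.append("binary missing")
            if _outside_system32(m["path"]):
                reasons.append("binary outside system32")
            if reasons:
                findings.append(
                    f"service '{m['name']}' -> {m['path']} ({', '.join(reasons)})"
                )
            continue
        m = JOB_RE.match(line)
        if m:
            pending_job = m["job"]
            continue
        m = JOB_TARGET_RE.match(line)
        if m and pending_job:
            at_job_targets[m["target"]] += 1
            pending_job = None
            continue
        if '"EnableFirewall"=' in line and re.search(r"=\s*0\b", line):
            findings.append("Windows Firewall disabled (EnableFirewall=0)")
            continue
        m = AUTORUN_RE.search(line)
        if m:
            findings.append(
                f"AutoRun command registered for a mounted volume: {m['target']}"
            )
    # Many At*.job entries pointing at one binary is the at.exe persistence
    # pattern seen in the thread; report it once per target.
    for target, count in at_job_targets.items():
        findings.append(f"{count} At*.job scheduled tasks run {target}")
    return findings


# Constructed excerpt: lines taken from the HijackThis and ComboFix logs above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Windows Smrss Service - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

\Shell\AutoRun\command - F:\ASUSACPI.exe

2008-11-17 c:\windows\Tasks\At1.job
- c:\windows\system32\fGJ5mMa7.exe []

2008-10-05 c:\windows\Tasks\At10.job
- c:\windows\system32\fGJ5mMa7.exe []
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The process rule is deliberately narrow: it only flags the short list of binaries that Windows itself starts from system32, so legitimate programs under Program Files produce no noise, while a winlogon.exe or svchost.exe anywhere else is always worth a look.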

  4. #4
    Registered User
    Join Date: Dec:2005
    Location: yvr
    Posts: 5,167
    , , - , .

  5. #5
    Registered User lisi4ko's Avatar
    Join Date: Nov:2008
    Location: Varna
    Posts: 91
Quote Originally Posted by ilko:
    , , - , .
    ... windows-a . .
    , winlogon , - .

    ,
    Last edited by lisi4ko; 19th November 2008 at 10:39.

  6. #6
    Registered User
    Join Date: Dec:2005
    Location: yvr
    Posts: 5,167
    1. winlogon.exe, - CD- XP:
    Start-->Run
    cmd

    Code:
    expand h:\xp_sp3\i386\winlogon.ex_ c:\windows\system32\winlogonori.exe
    h:\xp_sp3\ I386 .

    !!! , c:\windows\system32\winlogonori.exe !!!
    , , .

    2. ave.txt:

    Code:
    Files to move:
    c:\windows\system32\winlogon.exe | c:\virs\winlogon.vir
    c:\windows\system32\winlogonori.exe | c:\windows\system32\winlogon.exe
    c:\windows\system32\ezsidmv.dat | c:\virs\ezsidmv.dat
    
    Files to delete:
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\At9.job
    c:\windows\system32\fGJ5mMa7.exe
    C:\WINDOWS\svchost.exe
    
    Drivers to delete:
    Windows Smrss Service
    3. Avenger, avenger.exe, aven.exe . Load Script-->From File ave.txt.
    Scan for rootkits Execute, .

    4. C:\avenger.txt copy-paste , HiJackThis.

    , QUOTE CODE ( " "--> #)

  7. #7
    Registered User lisi4ko's Avatar
    Join Date: Nov:2008
    Location: Varna
    Posts: 91
    XP SP2 MEdia Center SP3 winlogon-a SP2? .. winlogon-? ...

  8. #8
    Registered User
    Join Date: Dec:2005
    Location: yvr
    Posts: 5,167
    . - \system32\dllcache WINDOWS\SoftwareDistribution\Download\XX XXXXXXXXXXXXXXXXXXXXX\ . , www.virustotal.com system32 winlogonori.exe. .
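Posts #2, #6 and #8 all come down to comparing copies of the same system file: the one in system32, the backup in system32\dllcache and the one expanded from the CD's winlogon.ex_. Besides uploading them to www.virustotal.com, a quick offline way to tell whether two copies are the same build is to hash them and read a few PE header fields; the linker timestamp and SizeOfImage change between builds, which is exactly the SP2-versus-SP3 question raised later in the thread. The Python below is an added example, not the thread's procedure or any Microsoft tool. Its build_toy_pe constructs a headers-only PE32 image so the comparison can be exercised without real Windows binaries; compare_files is the function you would point at the three real paths.

```python
"""Compare candidate copies of a Windows system binary by hash and by PE
header fields.  Added example for this page, not the thread's own procedure
or any vendor tool."""
import hashlib
import struct


def pe_summary(data: bytes) -> dict:
    """Hash plus the PE header fields that differ between builds of one file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _nsect, timestamp, _symtab, _nsyms, _optsize, _chars = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                   # optional header start
    (magic,) = struct.unpack_from("<H", data, opt)    # 0x10B PE32, 0x20B PE32+
    (size_of_image,) = struct.unpack_from("<I", data, opt + 56)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "machine": machine,
        "link_timestamp": timestamp,   # written by the linker; differs per build
        "pe32plus": magic == 0x20B,
        "size_of_image": size_of_image,
        "subsystem": subsystem,
    }


def compare_copies(copies: dict) -> dict:
    """copies maps a label ('system32', 'dllcache', 'expanded', ...) to bytes.

    Returns which labels share a hash and which header fields disagree."""
    summaries = {name: pe_summary(blob) for name, blob in copies.items()}
    groups = {}
    for name, s in summaries.items():
        groups.setdefault(s["sha256"], []).append(name)
    fields = [k for k in next(iter(summaries.values())) if k != "sha256"]
    differing = [f for f in fields if len({s[f] for s in summaries.values()}) > 1]
    return {
        "identical": len(groups) == 1,
        "groups": groups,
        "differing_fields": differing,
        "summaries": summaries,
    }


def compare_files(paths: dict) -> dict:
    """Same as compare_copies but reads each label's file from disk."""
    blobs = {}
    for name, path in paths.items():
        with open(path, "rb") as fh:
            blobs[name] = fh.read()
    return compare_copies(blobs)


def build_toy_pe(link_timestamp: int, size_of_image: int) -> bytes:
    """Constructed headers-only PE32 image for offline testing; not a real binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, link_timestamp, 0, 0, 96, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 56, size_of_image)
    struct.pack_into("<H", opt, 68, 2)                # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    same = build_toy_pe(0x48000000, 0x80000)
    other_build = build_toy_pe(0x48100000, 0x80000)
    result = compare_copies({"system32": same, "dllcache": same,
                             "expanded": other_build})
    print("identical:", result["identical"])
    print("groups:", result["groups"])
    print("differing fields:", result["differing_fields"])
```

Two copies with equal hashes are the same file and need only one VirusTotal lookup; copies whose hashes differ but whose link_timestamp and size_of_image also differ are simply different builds (for instance SP2 against SP3), whereas a hash mismatch with every header field equal is the case that deserves suspicion.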

  9. #9
    Registered User lisi4ko's Avatar
    Join Date: Nov:2008
    Location: Varna
    Posts: 91
Quote Originally Posted by ilko:
    . - \system32\dllcache WINDOWS\SoftwareDistribution\Download\XX XXXXXXXXXXXXXXXXXXXXX\ . , www.virustotal.com system32 winlogonori.exe. .


    winlogon.exe .

    www.virustotal.com . Combofix .
    Last edited by lisi4ko; 20th November 2008 at 20:53.

  10. #10
    Registered User lisi4ko's Avatar
    Join Date: Nov:2008
    Location: Varna
    Posts: 91
    , SP2 , WINDOWS\SoftwareDistribution\Download , \system32\dllcache . . MEDIA CENTER .

  11. #11
    Nostrum IvO's Avatar
    Join Date: Jun:2008
    Location: HOME.WAD
    Posts: 1,334
Quote Originally Posted by lisi4ko:
    ... \system32\dllcache . . MEDIA CENTER .

    DLLcache . , Windows Explorer -> Tools -> Folder Options -> View -> [ , "Hide protected operating system files (Recommended)"].

  12. #12
    Registered User lisi4ko's Avatar
    Join Date: Nov:2008
    Location: Varna
    Posts: 91
Quote Originally Posted by IvO:
    DLLcache . , Windows Explorer -> Tools -> Folder Options -> View -> [ , "Hide protected operating system files (Recommended)"].
    . . -

  13. #13
    Registered User lisi4ko's Avatar
    Join Date: Nov:2008
    Location: Varna
    Posts: 91
    highjack:
    Code:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 00:13:25, on 21.11.2008 .
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Globe Software\StatBar\StatBar.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINDOWS\Datecs\Flex2K.exe
    C:\Program Files\RBTray\RBTray.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Skype\Plugin Manager\SkypePM.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wpabaln.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
    O4 - HKLM\..\Run: [D_V_T] C:\\dvt.exe /S \C:\\d_v_t.reg\
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKCU\..\Run: [StatBar] C:\Program Files\Globe Software\StatBar\StatBar.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: RBTray.lnk = C:\Program Files\RBTray\RBTray.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: FlexType 2K.lnk = C:\WINDOWS\Datecs\Flex2K.exe
    O8 - Extra context menu item: Add to &Teleport - C:\PROGRA~1\TELEPO~1\teleport.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button:  - {60237576-b24c-4ba9-9740-c9f3ec9db557} - C:\PROGRA~1\SkyCode\WEBTRA~1\wt2ie.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F5DF859B-68D0-4380-9DBA-230377CFEA59}: NameServer = 212.39.90.42,212.39.90.43
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O24 - Desktop Component 1:  -  - http://mail03.abv.bg/app/servlet/bg.abv.mail.GetData;jsessionid=aTsvVfadCpZ7?fid=10&mid=1408363779&nid=0&eid=3&charset=Cp1251&ac=s
    
    --
    End of file - 5821 bytes
    avenger:
    Code:
    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com
    
    Platform:  Windows XP
    
    *******************
    
    Script file opened successfully.
    Script file read successfully.
    
    Backups directory opened successfully at C:\Avenger
    
    *******************
    
    Beginning to process script file:
    
    File move operation "c:\windows\system32\winlogon.exe|c:\virs\winlogon.vir" completed successfully.
    
    Error:  file "c:\windows\system32\winlogon.exe" is whitelisted
    File move operation "c:\windows\system32\winlogonori.exe|c:\windows\system32\winlogon.exe" failed!
    Status: 0xc0000022 (STATUS_ACCESS_DENIED)
    
    File move operation "c:\windows\system32\ezsidmv.dat|c:\virs\ezsidmv.dat" completed successfully.
    
    Error:  file "c:\windows\Tasks\At1.job" not found!
    Deletion of file "c:\windows\Tasks\At1.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At10.job" not found!
    Deletion of file "c:\windows\Tasks\At10.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At11.job" not found!
    Deletion of file "c:\windows\Tasks\At11.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At12.job" not found!
    Deletion of file "c:\windows\Tasks\At12.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At13.job" not found!
    Deletion of file "c:\windows\Tasks\At13.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At14.job" not found!
    Deletion of file "c:\windows\Tasks\At14.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At15.job" not found!
    Deletion of file "c:\windows\Tasks\At15.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At16.job" not found!
    Deletion of file "c:\windows\Tasks\At16.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At17.job" not found!
    Deletion of file "c:\windows\Tasks\At17.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At18.job" not found!
    Deletion of file "c:\windows\Tasks\At18.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At19.job" not found!
    Deletion of file "c:\windows\Tasks\At19.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At2.job" not found!
    Deletion of file "c:\windows\Tasks\At2.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At20.job" not found!
    Deletion of file "c:\windows\Tasks\At20.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At21.job" not found!
    Deletion of file "c:\windows\Tasks\At21.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At22.job" not found!
    Deletion of file "c:\windows\Tasks\At22.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At23.job" not found!
    Deletion of file "c:\windows\Tasks\At23.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At24.job" not found!
    Deletion of file "c:\windows\Tasks\At24.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At3.job" not found!
    Deletion of file "c:\windows\Tasks\At3.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At4.job" not found!
    Deletion of file "c:\windows\Tasks\At4.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At5.job" not found!
    Deletion of file "c:\windows\Tasks\At5.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At6.job" not found!
    Deletion of file "c:\windows\Tasks\At6.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At7.job" not found!
    Deletion of file "c:\windows\Tasks\At7.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At8.job" not found!
    Deletion of file "c:\windows\Tasks\At8.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At9.job" not found!
    Deletion of file "c:\windows\Tasks\At9.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\system32\fGJ5mMa7.exe" not found!
    Deletion of file "c:\windows\system32\fGJ5mMa7.exe" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "C:\WINDOWS\svchost.exe" not found!
    Deletion of file "C:\WINDOWS\svchost.exe" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\Windows Smrss Service" not found!
    Deletion of driver "Windows Smrss Service" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Completed script processing.
    
    *******************
    
    Finished!  Terminate.
    winlogon.ex_ ( winlogon.ex SP3 - , ...) . - . , , , c:\virs\ ... , . ( VIRS) . . DOS ( XP-) , winlogonori.exe winlogon.exe . command com-a . - , "ERROR: Can't open C:\WINDOWS\system32\winlogon.exe for read access."
    winlogon.exe . . run c:\crack ... c:\crack .

    - , .


    -
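Two of the indicators in the Avenger log above are worth automating rather than eyeballing: a core system binary name sitting outside its legitimate directory (C:\WINDOWS\svchost.exe instead of C:\WINDOWS\system32\svchost.exe), and random-looking executable names in system32 (fGJ5mMa7.exe). The same applies to the repeated suggestion in this thread to compare a system32 binary with its dllcache copy: equal size, which is what a properties dialog shows, is necessary but not sufficient. The following is an added example and not code from the thread or from Avenger; SAMPLE_PATHS is constructed from paths quoted on this page, the per-binary location table and the random-name heuristic are assumptions made for the example, and the two files used by demo_dllcache_check() are constructed stand-ins rather than real binaries.

```python
"""Added example, not code from the original thread: triage file paths for
a system binary name outside its legitimate directory, at.exe-created
scheduled tasks and random-looking names in system32, then compare a
system32 binary with its dllcache copy by size AND hash."""
import hashlib
import ntpath
import os
import re
import tempfile

SYSTEM32 = r"c:\windows\system32"
DLLCACHE = r"c:\windows\system32\dllcache"
TASKS_DIR = r"c:\windows\tasks"

# Where each core binary legitimately lives on a default XP install
# (assumption for the example; the dllcache copy is accepted for every name).
LEGIT_LOCATIONS = {
    "smss.exe": {SYSTEM32}, "winlogon.exe": {SYSTEM32}, "services.exe": {SYSTEM32},
    "lsass.exe": {SYSTEM32}, "svchost.exe": {SYSTEM32}, "spoolsv.exe": {SYSTEM32},
    "explorer.exe": {r"c:\windows"},
}
AT_JOB = re.compile(r"^at\d+\.job$")   # tasks created with at.exe are named AtN.job


def looks_random(stem):
    """Heuristic (assumption): at least one digit plus three or more lower/upper
    case flips between consecutive letters, as in fGJ5mMa7 but not Ati2evxx."""
    letters = [c for c in stem if c.isalpha()]
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.islower() != b.islower())
    return any(c.isdigit() for c in stem) and flips >= 3


def triage(paths):
    """Return (path, reason) pairs for paths that deserve a closer look."""
    findings = []
    for path in paths:
        directory, name = ntpath.split(path)
        directory, lname = directory.lower(), name.lower()
        stem, ext = ntpath.splitext(name)
        legit = LEGIT_LOCATIONS.get(lname)
        if legit is not None and directory not in legit and directory != DLLCACHE:
            findings.append((path, f"{lname} outside its legitimate directory"))
        elif directory == TASKS_DIR and AT_JOB.match(lname):
            findings.append((path, "at.exe-created task; check the command it runs"))
        elif directory == SYSTEM32 and ext.lower() == ".exe" and looks_random(stem):
            findings.append((path, "random-looking executable name in system32"))
    return findings


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def matches_dllcache(system32_path, dllcache_path):
    """Equal size is necessary but not sufficient: a patched binary can keep
    its exact size, so require an equal SHA-256 as well."""
    if os.path.getsize(system32_path) != os.path.getsize(dllcache_path):
        return False
    return sha256_file(system32_path) == sha256_file(dllcache_path)


def demo_dllcache_check():
    """Two constructed stand-in files: same size, one byte different."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "spoolsv.exe")
        cached = os.path.join(tmp, "spoolsv.exe.dllcache")
        with open(live, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 100)
        with open(cached, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 99 + b"\x90")
        return matches_dllcache(live, cached)


# Constructed from paths quoted in this thread's logs.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\svchost.exe",
    r"c:\windows\system32\fGJ5mMa7.exe",
    r"c:\windows\Tasks\At21.job",
    r"C:\WINDOWS\system32\Ati2evxx.exe",
    r"C:\WINDOWS\Explorer.EXE",
    r"C:\Program Files\Eset\nod32krn.exe",
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_PATHS):
        print(f"{path}: {reason}")
    print("same-size stand-ins pass size+hash check:", demo_dllcache_check())
```

The location table is deliberately small; on a real host, feed `triage()` the process list from HijackThis or the deletion targets from an Avenger script and extend the table from a known-clean installation of the same service pack, since build-specific paths (and the dllcache copy itself, which a capable infection can also replace) are what the comparison silently trusts.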

  14. #14
    Registered User
    Join Date: Dec:2005
    Location: yvr
    Posts: 5,167


    , .

    - ComboFix .

  15. #15
    Registered User lisi4ko's Avatar
    Join Date: Nov:2008
    Location: Varna
    Posts: 91
    ,

    , , , , . 3 . OK , Cancel ... 3- . . combofix-a .

  16. #16
    Registered User
    Join Date: Dec:2005
    Location: yvr
    Posts: 5,167
    - winlogon.exe.
    , start->run :
    sfc /scannow

    sfc = SystemFileChecker

  17. #17
    Registered User lisi4ko's Avatar
    Join Date: Nov:2008
    Location: Varna
    Posts: 91
    , , winlogon.ex_ Media Center SP2 ... SP3 . . . .. winlogon- SP2 i SP3 .
    dos ,
    , system32 winlogon.bat , . . , .
    c:\virs ?

  18. #18
    Registered User
    Join Date: Dec:2005
    Location: yvr
    Posts: 5,167
    Virs .
    Winlogon.bat- Notepad .

    edit: , , winlogon.bat.txt.
    Last edited by ilko; 21st November 2008 at 19:51.

  19. #19
    Registered User lisi4ko's Avatar
    Join Date: Nov:2008
    Location: Varna
    Posts: 91
    Quote Originally Posted by ilko View Post
    Virs .
    Winlogon.bat- Notepad .

    edit: , , winlogon.bat.txt.
    sorry ... bat , BAK .

  20. #20
    Registered User lisi4ko's Avatar
    Join Date: Nov:2008
    Location: Varna
    Posts: 91
    Code:
    ComboFix 08-11-21.02 - Vanio 2008-11-21 21:16:51.3 - NTFSx86
    Microsoft Windows XP Professional  5.1.2600.2.1251.1.1033.18.586 [GMT 2:00]
    Running from: c:\documents and settings\Vanio\Desktop\ComboFix.exe
     * Created a new restore point
     * Resident AV is active
    
    .
    
    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    
    Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
    Restored copy from - c:\system volume information\_restore{ECFAF43C-1E3D-4CBA-8F9D-97F3938EC463}\RP3\A0000184.exe
    
    .
    (((((((((((((((((((((((((   Files Created from 2008-10-21 to 2008-11-21  )))))))))))))))))))))))))))))))
    .
    
    2008-11-21 21:03 . 2004-08-04 04:56	261,115	--a------	C:\WINLOGON.EX_
    2008-11-21 19:03 . 2008-11-21 19:03	<DIR>	d--------	c:\documents and settings\Administrator
    2008-11-21 00:12 . 2004-10-09 01:05	32,574	--a------	C:\CRACK.EXE
    2008-11-21 00:09 . 2008-11-21 00:09	56	--ah-----	c:\windows\system32\ezsidmv.dat
    2008-11-20 23:42 . 2008-11-20 23:44	<DIR>	d--------	C:\virs
    2008-11-20 23:34 . 2008-11-20 23:43	135,168	--a------	C:\zip.exe
    2008-11-20 23:34 . 2008-11-20 23:43	19,286	--a------	C:\cleanup.exe
    2008-11-20 23:34 . 2008-11-20 23:43	574	--a------	C:\cleanup.bat
    2008-11-20 23:34 . 2008-11-20 23:43	457	--a------	C:\backup.reg
    2008-11-20 22:21 . 2008-05-30 23:09	731,136	--a------	C:\aven.exe
    2008-11-18 23:57 . 2008-11-20 19:53	<DIR>	d--------	c:\program files\Spybot - Search & Destroy
    2008-11-18 23:57 . 2008-11-20 19:53	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-11-18 20:01 . 2008-11-18 20:01	<DIR>	d--------	c:\program files\Trend Micro
    2008-11-18 19:15 . 2008-11-18 19:15	<DIR>	d--------	c:\documents and settings\Vanio\Application Data\True Sword
    2008-11-18 19:14 . 2008-11-18 19:22	<DIR>	d--------	c:\program files\True Sword 5
    2008-11-16 00:13 . 2008-11-16 00:13	<DIR>	d--------	c:\windows\Logs
    2008-11-16 00:07 . 2008-11-16 00:07	682,280	--a------	c:\windows\system32\pbsvc.exe
    2008-11-10 23:30 . 2008-11-10 23:30	<DIR>	d--------	c:\program files\Common Files\Skype
    2008-11-10 23:30 . 2008-11-21 21:13	<DIR>	d--------	c:\documents and settings\Vanio\Application Data\skypePM
    
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-21 19:14	---------	d-----w	c:\documents and settings\Vanio\Application Data\Skype
    2008-11-20 21:31	---------	d-----w	c:\documents and settings\Vanio\Application Data\uTorrent
    2008-11-18 17:49	---------	d-----w	c:\program files\ESET
    2008-11-17 21:52	138,376	----a-w	c:\windows\system32\drivers\PnkBstrK.sys
    2008-11-15 22:07	22,328	----a-w	c:\documents and settings\Vanio\Application Data\PnkBstrK.sys
    2008-11-15 22:07	---------	d--h--w	c:\program files\InstallShield Installation Information
    2008-10-02 18:11	---------	d-----w	c:\program files\TVAnts
    2008-09-21 16:28	---------	d-----w	c:\program files\mIRC
    .
    
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown 
    REGEDIT4
    
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "StatBar"="c:\program files\Globe Software\StatBar\StatBar.exe" [2003-07-25 335872]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
    "DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-09 128920]
    "D_V_T"="c:\\dvt.exe" [2008-08-07 3584]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-01-20 282624]
    "nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-08-07 949376]
    "Resume copy"="copyfstq.exe" [2002-03-24 c:\windows\COPYFSTQ.EXE]
    "AtiPTA"="atiptaxx.exe" [2005-11-23 c:\windows\system32\atiptaxx.exe]
    
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
    
    c:\documents and settings\Vanio\Start Menu\Programs\Startup\
    RBTray.lnk - c:\program files\RBTray\RBTray.exe [2006-07-14 53248]
    
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
    FlexType 2K.lnk - c:\windows\Datecs\Flex2K.exe [2006-11-16 130048]
    
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\mIRC\\mirc.exe"=
    "c:\\Program Files\\ICQLite\\ICQLite.exe"=
    "c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
    "d:\\GAMES\\Call of Duty 2\\CoD2MP_s.exe"=
    "d:\\GAMES\\Counter-Strike\\cstrike.exe"=
    "c:\\Program Files\\PPMate\\ppmate.exe"=
    "c:\\Program Files\\PPMate\\ppmnet.exe"=
    "c:\\Program Files\\uTorrent\\utorrent.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\DC++\\DCPlusPlus.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "h:\\downloads\\uTorrent\\utorrent-1.8-beta-9704.upx.exe"=
    "d:\\GAMES\\Call of Duty - World at War\\CoDWaWmp.exe"=
    "d:\\GAMES\\Call of Duty - World at War\\CoDWaW.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    
    S1 atitray;atitray;\??\c:\program files\Radeon Omega Drivers\v3.8.205\ATI Tray Tools\atitray.sys [2005-11-14 10496]
    S2 SVKP;SVKP;\??\c:\windows\system32\SVKP.sys [2007-01-23 2368]
    
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1bf33c29-75c1-11db-85ef-806d6172696f}]
    \Shell\AutoRun\command - F:\ASUSACPI.exe
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - c:\documents and settings\Vanio\Application Data\Mozilla\Firefox\Profiles\cmi6eeu2.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - 
    .
    
    **************************************************************************
    
    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-21 21:24:10
    Windows 5.1.2600 Service Pack 2 NTFS
    
    scanning hidden processes ... 
    
    scanning hidden autostart entries ...
    
    scanning hidden files ... 
    
    scan completed successfully
    hidden files: 0
    
    **************************************************************************
    .
    Completion time: 2008-11-21 21:25:39 - machine was rebooted
    ComboFix-quarantined-files.txt  2008-11-21 19:25:12
    
    Pre-Run: 11 584 221 184 bytes free
    Post-Run: 11,573,157,888 bytes free
    
    114
    .



  21. #21
    Registered User
    Join Date: Dec:2005
    Location: yvr
    Posts: 5,167
    , combofix winlogon.exe System Restore.
    \windows\system32\winlogon.exe www.virustotal.com .

    Regedit :
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1bf33c29-75c1-11db-85ef-806d6172696f}

    , F: autorun.inf F:\ASUSACPI.exe, .

    . , :
    http://download.bleepingcomputer.com...isinfector.exe

  22. #22
    Registered User lisi4ko's Avatar
    Join Date: Nov:2008
    Location: Varna
    Posts: 91
    - - , documents and settings/local users/ .. ... 'AV-*.txt' .
    . . .

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
    5 ( ) --> {1bf33c29-75c1-11db-85ef-806d6172696f} , 2 ... autorun shell .

    5 '{1bf33c29-75c1-11db-85ef-806d6172696f}' ?

    , 5 :
    HKEY_USERS\S-1-5-21-117609710-2111687655-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

    HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices . -.

    btw F: . , .

    autorun.inf
    . ?
    , . .
    flash disinfector .

    autorun.inf , ASUSACPI.exe ?



    windows 3 RECOVERY CONSOLE , WINDOWS MEDIA CENTER (by DEFAULT) , WINDOWS XP Professional ( )... ... Media Center-a . .
    ( ), - :
    Code:
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
    , c:\cmdcons\BOOTSECT.DAT XP Professional... . . .
    Last edited by lisi4ko; 22nd November 2008 at 13:44.
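The MountPoints2 key discussed in the last two posts is Explorer's per-user cache of what it read from a volume's autorun.inf, stored under the volume's GUID; HKEY_CURRENT_USER is a link to HKEY_USERS\<SID of the logged-on user>, so the five subkeys seen in both hives are the same five keys. Deleting autorun.inf from the drive does not clear the cached `\Shell\AutoRun\command`, and the cached command alone proves only that the volume once carried an autorun.inf pointing at that file. The following added example, not code from the thread, ComboFix or Flash Disinfector, pulls the cached command out of a ComboFix "Reg Loading Points" dump, parses an autorun.inf and checks whether the two agree. COMBOFIX_SNIPPET repeats the two registry lines quoted above; SAMPLE_AUTORUN_INF is constructed for the example and is not the autorun.inf from the poster's F: drive.

```python
"""Added example, not code from the original thread: correlate the AutoRun
command Explorer cached under ...\\Explorer\\MountPoints2 with the
autorun.inf actually present on the drive it points at."""
import configparser
import ntpath
import re

# The two lines quoted from the ComboFix log above.
COMBOFIX_SNIPPET = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1bf33c29-75c1-11db-85ef-806d6172696f}]
\Shell\AutoRun\command - F:\ASUSACPI.exe
"""

# Constructed autorun.inf (not the real one from F:): the verbs malware
# typically hijacks (open, shellexecute, shell\<verb>\command) all point at
# the same executable; icon is harmless and must be ignored.
SAMPLE_AUTORUN_INF = r"""
[AutoRun]
open=ASUSACPI.exe
shell\open\Command=ASUSACPI.exe
shell\explore\command=ASUSACPI.exe
shellexecute=ASUSACPI.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

# HKEY_CURRENT_USER is a link to HKEY_USERS\<SID>, so accept either spelling.
MP2_KEY = re.compile(
    r"^\[(?:HKEY_CURRENT_USER|HKEY_USERS\\S-1-5-[\d-]+)\\software\\microsoft\\windows"
    r"\\currentversion\\explorer\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
MP2_CMD = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+)$", re.I)


def parse_mountpoints2(dump):
    """{volume GUID: {verb: command}} for every MountPoints2 key in the dump."""
    entries, guid = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        key = MP2_KEY.match(line)
        if key:
            guid = key.group(1).lower()
            continue
        cmd = MP2_CMD.match(line)
        if cmd and guid:
            entries.setdefault(guid, {})[cmd.group(1).lower()] = cmd.group(2).strip()
        elif line.startswith("["):
            guid = None          # some other registry key follows; stop attributing lines
    return entries


def autorun_targets(inf_text):
    """Map each launch-relevant key of [autorun] to its command string."""
    parser = configparser.RawConfigParser(strict=False, allow_no_value=True,
                                          delimiters=("=",), comment_prefixes=(";",))
    try:
        parser.read_string(inf_text)
    except configparser.Error:
        return {}                 # deliberately malformed files are common
    section = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    targets = {}
    for key, value in parser.items(section):
        if value is None:
            continue
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if launches:
            targets[key] = value.strip()
    return targets


def correlate(mp2_entries, drive_infs):
    """For each cached AutoRun command: which drive it targets, whether we have that
    drive's autorun.inf, and whether the inf launches the same file.
    drive_infs maps a drive letter such as 'F:' to autorun.inf text."""
    report = []
    for guid, verbs in mp2_entries.items():
        command = verbs.get("autorun")
        if not command:
            continue
        drive = command[:2].upper() if re.match(r"^[A-Za-z]:", command) else None
        inf_text = drive_infs.get(drive)
        inf_names = set()
        if inf_text is not None:
            inf_names = {ntpath.basename(v.split()[0]).lower()
                         for v in autorun_targets(inf_text).values() if v}
        report.append({
            "guid": guid,
            "command": command,
            "drive": drive,
            "inf_present": inf_text is not None,
            "matches_inf": ntpath.basename(command).lower() in inf_names,
        })
    return report


if __name__ == "__main__":
    entries = parse_mountpoints2(COMBOFIX_SNIPPET)
    for row in correlate(entries, {"F:": SAMPLE_AUTORUN_INF}):
        print(row)
```

A row with `inf_present` False and `matches_inf` False is the situation in this thread after the drive was cleaned: a stale cache entry, not live persistence, and safe to delete from both MountPoints2 keys. Windows' own autorun.inf reader is more tolerant than configparser, so an empty result from `autorun_targets()` means "unparsed", not "clean"; inspect such a file by hand.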

  23. #23
    Registered User
    Join Date: Dec:2005
    Location: yvr
    Posts: 5,167
    F , , .

    - Notepad c:\boot.ini . read-only. properties read-only .

  24. #24
    Registered User lisi4ko's Avatar
    Join Date: Nov:2008
    Location: Varna
    Posts: 91
    ... . .
    -, .

    highjack combofix avenger . ... .

    ...


  25. #25
    Registered User
    Join Date: Dec:2005
    Location: yvr
    Posts: 5,167

Copyright © 1999-2011