-
18th November 2008 13:30 #1
Win32/PSW.OnLineGames.NMY trojan
Hello,
For some time now NOD has been detecting the following virus, Win32/PSW.OnLineGames.NMY, on my external hard drive and on the flash drives I plug in; it tells me that autorun.inf on the respective peripheral device is infected and offers to delete it. I delete it, but after a while it shows up again.
Does anyone have an idea how to get rid of this trojan? I'm looking around the net now, and on the page http://www.scanforfree.com/08/win32_...y-removal.html there is some little program for removing this virus. Do you know any other way to clean it, or should I trust that program?
Thanks in advance
-
18th November 2008 21:00 #2 Registered User
Join Date: Dec:2005
Location: yvr
Posts: 5,167
Go to \windows\system32, find spoolsv.exe and tell me its size.
Also the size of \windows\system32\dllcache\spoolsv.exe.
-
18th November 2008 21:52 #3
\windows\system32 - 56,5 KB (57 856 bytes)
\windows\system32\dllcache\spoolsv.exe - 56,5 KB (57 856 bytes)
I looked at some foreign sites and ran diagnostics with some programs, hijackthis and combofix, and
only posted logs.
Here are the logs:
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:02:06, on 18.11.2008 г.
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Globe Software\StatBar\StatBar.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\Datecs\Flex2K.exe
C:\Program Files\RBTray\RBTray.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ESET\nod32kui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [D_V_T] C:\\dvt.exe /S \C:\\d_v_t.reg\
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [StatBar] C:\Program Files\Globe Software\StatBar\StatBar.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: RBTray.lnk = C:\Program Files\RBTray\RBTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FlexType 2K.lnk = C:\WINDOWS\Datecs\Flex2K.exe
O8 - Extra context menu item: Add to &Teleport - C:\PROGRA~1\TELEPO~1\teleport.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Преведи - {60237576-b24c-4ba9-9740-c9f3ec9db557} - C:\PROGRA~1\SkyCode\WEBTRA~1\wt2ie.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F5DF859B-68D0-4380-9DBA-230377CFEA59}: NameServer = 212.39.90.42,212.39.90.43
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Windows Smrss Service - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O24 - Desktop Component 1: АБВ - ПОЩА - http://mail03.abv.bg/app/servlet/bg....et=Cp1251&ac=s

--
End of file - 5682 bytes
and the other one, from Combofix:
Code:
ComboFix 08-11-17.06 - Vanio 2008-11-18 20:15:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.550 [GMT 2:00]
Running from: c:\documents and settings\Vanio\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Vanio\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
 * Created a new restore point
 * Resident AV is active
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\test.txt
c:\windows\system32\winlogon.exe . . . is infected!!
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_WINDOWS_SMRSS_SERVICE
-------\Service_Windows Smrss Service

(((((((((((((((((((((((((   Files Created from 2008-10-18 to 2008-11-18   )))))))))))))))))))))))))))))))
.
2008-11-18 20:01 . 2008-11-18 20:01   <DIR>       d--------   c:\program files\Trend Micro
2008-11-18 19:15 . 2008-11-18 19:15   <DIR>       d--------   c:\documents and settings\Vanio\Application Data\True Sword
2008-11-18 19:14 . 2008-11-18 19:22   <DIR>       d--------   c:\program files\True Sword 5
2008-11-16 00:14 . 2008-05-30 14:11   3,850,760   --a------   c:\windows\system32\D3DX9_38.dll
2008-11-16 00:13 . 2008-11-16 00:13   <DIR>       d--------   c:\windows\Logs
2008-11-16 00:07 . 2008-11-16 00:07   682,280     --a------   c:\windows\system32\pbsvc.exe
2008-11-10 23:30 . 2008-11-10 23:30   <DIR>       d--------   c:\program files\Common Files\Skype
2008-11-10 23:30 . 2008-11-18 19:03   <DIR>       d--------   c:\documents and settings\Vanio\Application Data\skypePM
2008-11-10 23:30 . 2008-11-10 23:30   56          --ah-----   c:\windows\system32\ezsidmv.dat
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-18 18:18   ---------   d-----w   c:\documents and settings\Vanio\Application Data\Skype
2008-11-18 17:49   ---------   d-----w   c:\program files\ESET
2008-11-17 21:52   138,376     ----a-w   c:\windows\system32\drivers\PnkBstrK.sys
2008-11-17 21:51   182,928     ----a-w   c:\windows\system32\PnkBstrB.exe
2008-11-17 21:06   ---------   d-----w   c:\documents and settings\Vanio\Application Data\uTorrent
2008-11-15 22:07   22,328      ----a-w   c:\documents and settings\Vanio\Application Data\PnkBstrK.sys
2008-11-15 22:07   ---------   d--h--w   c:\program files\InstallShield Installation Information
2008-10-02 18:11   ---------   d-----w   c:\program files\TVAnts
2008-09-21 16:28   ---------   d-----w   c:\program files\mIRC
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StatBar"="c:\program files\Globe Software\StatBar\StatBar.exe" [2003-07-25 335872]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-09 128920]
"D_V_T"="c:\\dvt.exe" [2008-08-07 3584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-01-20 282624]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-08-07 949376]
"Resume copy"="copyfstq.exe" [2002-03-24 c:\windows\COPYFSTQ.EXE]
"AtiPTA"="atiptaxx.exe" [2005-11-23 c:\windows\system32\atiptaxx.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Vanio\Start Menu\Programs\Startup\
RBTray.lnk - c:\program files\RBTray\RBTray.exe [2006-07-14 53248]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
FlexType 2K.lnk - c:\windows\Datecs\Flex2K.exe [2006-11-16 130048]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\ICQLite\\ICQLite.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"d:\\GAMES\\Call of Duty 2\\CoD2MP_s.exe"=
"d:\\GAMES\\Counter-Strike\\cstrike.exe"=
"c:\\Program Files\\PPMate\\ppmate.exe"=
"c:\\Program Files\\PPMate\\ppmnet.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"h:\\downloads\\uTorrent\\utorrent-1.8-beta-9704.upx.exe"=
"d:\\GAMES\\Call of Duty - World at War\\CoDWaWmp.exe"=
"d:\\GAMES\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 atitray;atitray;\??\c:\program files\Radeon Omega Drivers\v3.8.205\ATI Tray Tools\atitray.sys [2005-11-14 10496]
R2 SVKP;SVKP;\??\c:\windows\system32\SVKP.sys [2007-01-23 2368]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1bf33c29-75c1-11db-85ef-806d6172696f}]
\Shell\AutoRun\command - F:\ASUSACPI.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-17 c:\windows\Tasks\At1.job - c:\windows\system32\fGJ5mMa7.exe []
2008-10-05 c:\windows\Tasks\At10.job - c:\windows\system32\fGJ5mMa7.exe []
2008-11-15 c:\windows\Tasks\At11.job - c:\windows\system32\fGJ5mMa7.exe []
2008-11-15 c:\windows\Tasks\At12.job - c:\windows\system32\fGJ5mMa7.exe []
2008-11-15 c:\windows\Tasks\At13.job - c:\windows\system32\fGJ5mMa7.exe []
2008-11-16 c:\windows\Tasks\At14.job - c:\windows\system32\fGJ5mMa7.exe []
2008-11-16 c:\windows\Tasks\At15.job - c:\windows\system32\fGJ5mMa7.exe []
2008-11-16 c:\windows\Tasks\At16.job - c:\windows\system32\fGJ5mMa7.exe []
2008-11-16 c:\windows\Tasks\At17.job - c:\windows\system32\fGJ5mMa7.exe []
2008-11-16 c:\windows\Tasks\At18.job - c:\windows\system32\fGJ5mMa7.exe []
2008-11-16 c:\windows\Tasks\At19.job - c:\windows\system32\fGJ5mMa7.exe []
2008-11-15 c:\windows\Tasks\At2.job - c:\windows\system32\fGJ5mMa7.exe []
2008-11-16 c:\windows\Tasks\At20.job - c:\windows\system32\fGJ5mMa7.exe []
2008-11-18 c:\windows\Tasks\At21.job - c:\windows\system32\fGJ5mMa7.exe []
2008-11-17 c:\windows\Tasks\At22.job - c:\windows\system32\fGJ5mMa7.exe []
2008-11-17 c:\windows\Tasks\At23.job - c:\windows\system32\fGJ5mMa7.exe []
2008-11-17 c:\windows\Tasks\At24.job - c:\windows\system32\fGJ5mMa7.exe []
2008-11-01 c:\windows\Tasks\At3.job - c:\windows\system32\fGJ5mMa7.exe []
2008-11-01 c:\windows\Tasks\At4.job - c:\windows\system32\fGJ5mMa7.exe []
2008-11-01 c:\windows\Tasks\At5.job - c:\windows\system32\fGJ5mMa7.exe []
2008-10-05 c:\windows\Tasks\At6.job - c:\windows\system32\fGJ5mMa7.exe []
2008-10-05 c:\windows\Tasks\At7.job - c:\windows\system32\fGJ5mMa7.exe []
2008-10-05 c:\windows\Tasks\At8.job - c:\windows\system32\fGJ5mMa7.exe []
2008-10-05 c:\windows\Tasks\At9.job - c:\windows\system32\fGJ5mMa7.exe []
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Vanio\Application Data\Mozilla\Firefox\Profiles\cmi6eeu2.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE -
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-18 20:17:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\ESET\nod32krn.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-11-18 20:19:12 - machine was rebooted
ComboFix-quarantined-files.txt  2008-11-18 18:18:59

Pre-Run: 11 281 354 752 bytes free
Post-Run: 11,500,244,992 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

183
The virus hasn't been detected for about two days. It only shows up on USB peripherals and on the external hard drive, saying that autorun.inf is infected.
A little while ago I ran Spybot Search & Destroy ... it only found cookies and I deleted them all. I doubt that's the virus.
Last edited by lisi4ko; 22nd November 2008 at 12:17.
-
19th November 2008 07:19 #4 Registered User
Join Date: Dec:2005
Location: yvr
Posts: 5,167
There's going to be a lot of cleaning here. If you're up for cleaning rather than reinstalling, say so and we'll help.
-
19th November 2008 10:01 #5
I'll clean ... I haven't touched Windows in ages. I don't feel like reinstalling.
I see there's an infected winlogon, but since these logs mean nothing to me I don't even know where to start.
Besides, I want to learn. If something gets messed up I'll reinstall.
Right now I'm at work, but in the evening I'll be at the computer.
Last edited by lisi4ko; 19th November 2008 at 10:39.
-
19th November 2008 21:58 #6 Registered User
Join Date: Dec:2005
Location: yvr
Posts: 5,167
1. Find a clean copy of winlogon.exe, best from the XP CD:
Press Start-->Run and type
cmd
In the black window type
Code:
expand h:\xp_sp3\i386\winlogon.ex_ c:\windows\system32\winlogonori.exe
replacing h:\xp_sp3\ with the path to the I386 folder on your machine.
!!!After that, make absolutely sure that c:\windows\system32\winlogonori.exe exists!!!
If it isn't there, post here and do NOT carry out the following steps.
2. Save the following on the desktop as ave.txt:
Code:
Files to move:
c:\windows\system32\winlogon.exe | c:\virs\winlogon.vir
c:\windows\system32\winlogonori.exe | c:\windows\system32\winlogon.exe
c:\windows\system32\ezsidmv.dat | c:\virs\ezsidmv.dat

Files to delete:
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\system32\fGJ5mMa7.exe
C:\WINDOWS\svchost.exe

Drivers to delete:
Windows Smrss Service
3. Download Avenger, unpack avenger.exe somewhere, rename it to aven.exe and run it. Press Load Script-->From File and point it to ave.txt.
Uncheck Scan for rootkits and press Execute; allow it when it asks to restart.
4. After the restart, open C:\avenger.txt and copy-paste its contents here, together with a new HiJackThis log.
When you post logs here, wrap them in QUOTE or CODE (the "more options" button --> #).
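The script in this post targets exactly what stands out in the two logs from post #3: twenty-four At*.job tasks all launching one oddly named executable in system32, a service whose binary is an svchost.exe outside system32 and is missing, ComboFix's own "is infected" verdict on winlogon.exe, a firewall policy set to 0, and an AutoRun handler on a mount point. As an added example (editor's code, not from this thread, from HijackThis or from ComboFix), here is a small Python triage that reads lines of both log formats and flags those patterns. The expected-directory table, the rule names and the random-name heuristic are assumptions of this example; the sample lines are a constructed subset copied from the logs above, and the same rules flag any other core process name (winlogon.exe, smss.exe, ...) that runs from a folder other than the one it belongs in.

```python
import re
from collections import defaultdict

# Core Windows XP binaries and the directory each is expected to run from.
# A file with one of these names anywhere else is a classic masquerade.
# (Assumption of this example; HijackThis itself carries no such table.)
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# "<drive>:\dir\...\<core name>" anywhere in a line; group 1 is the directory.
SYS_RE = re.compile(
    r"([a-z]:(?:\\[^\\\"\[\]|]+)*)\\("
    + "|".join(re.escape(n) for n in EXPECTED_DIR)
    + r")\b",
    re.IGNORECASE,
)
# A ComboFix "Scheduled Tasks" entry as rendered above (one entry per line).
TASK_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}\s+(?P<job>\S+\.job)\s+-\s+(?P<target>\S+)\s+\[\]$",
    re.IGNORECASE,
)


def looks_random(stem):
    """Heuristic for generated names such as fGJ5mMa7: short, mixes digits
    with upper- and lower-case letters, and flips case repeatedly."""
    flips = sum(
        1 for a, b in zip(stem, stem[1:])
        if a.isalpha() and b.isalpha() and a.isupper() != b.isupper()
    )
    return (
        len(stem) <= 12
        and any(c.isdigit() for c in stem)
        and any(c.islower() for c in stem)
        and any(c.isupper() for c in stem)
        and flips >= 2
    )


def triage(lines):
    """Return (rule, evidence) pairs for the lines that deserve a second look."""
    findings = []
    task_targets = defaultdict(list)  # executable -> job files that launch it
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        if "is infected!!" in low:                      # ComboFix's own verdict
            findings.append(("av-verdict", line))
        if low.startswith("o23 - service:") and "(file missing)" in low:
            findings.append(("service-binary-missing", line))
        if '"enablefirewall"= 0' in low:                # firewall policy off
            findings.append(("firewall-disabled", line))
        if r"\shell\autorun\command" in low:            # AutoRun on a mount point
            findings.append(("autorun-handler", line))
        for m in SYS_RE.finditer(line):                 # core name, wrong folder
            if m.group(1).lower() != EXPECTED_DIR[m.group(2).lower()]:
                findings.append(("masquerading-system-name", line))
        m = TASK_RE.match(line)
        if m:
            task_targets[m.group("target")].append(m.group("job"))
    # Many At*.job tasks fanning in on one target, or a generated-looking
    # target name, is the scheduler-based persistence seen in this thread.
    for target, jobs in task_targets.items():
        stem = target.rpartition("\\")[2].rsplit(".", 1)[0]
        if len(jobs) >= 3 or looks_random(stem):
            findings.append(("at-job-fanout", f"{len(jobs)} tasks -> {target}"))
    return findings


# Constructed subset of lines copied from the HijackThis and ComboFix logs
# posted earlier in this thread.
SAMPLE_LINES = r"""
C:\WINDOWS\system32\winlogon.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Windows Smrss Service - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
c:\windows\system32\winlogon.exe . . . is infected!!
"EnableFirewall"= 0 (0x0)
\Shell\AutoRun\command - F:\ASUSACPI.exe
2008-11-17 c:\windows\Tasks\At1.job - c:\windows\system32\fGJ5mMa7.exe []
2008-10-05 c:\windows\Tasks\At10.job - c:\windows\system32\fGJ5mMa7.exe []
2008-11-15 c:\windows\Tasks\At11.job - c:\windows\system32\fGJ5mMa7.exe []
""".strip().splitlines()

if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_LINES):
        print(f"{rule:26} {evidence}")
```

Run on the sample it reports six findings, in this order: the missing service binary, the svchost.exe living in C:\WINDOWS instead of system32, ComboFix's verdict, the disabled firewall, the AutoRun handler, and the three At*.job tasks fanning in on fGJ5mMa7.exe. The legitimate entries (winlogon.exe in system32, the ESET service and Run key) produce nothing.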
-
20th November 2008 09:24 #7
Since I'm on XP SP2 Media Center, will it be a problem if I use an SP3 installation disc to replace winlogon, or do I absolutely need the SP2 installation disc? I.e., are the winlogons different? ...
-
20th November 2008 10:29 #8 Registered User
Join Date: Dec:2005
Location: yvr
Posts: 5,167
I don't think it's a good idea to swap them. Rather, check in \system32\dllcache or WINDOWS\SoftwareDistribution\Download\XXXXXXXXXXXXXXXXXXXXXXX\ whether you have a copy. If there is one, check it first at www.virustotal.com and copy it into system32 as winlogonori.exe. In that case you skip the first step, as you've surely guessed.
-
20th November 2008 20:14 #9
Sooo,
I got home a little while ago and searched for winlogon.exe on the PC. There's no copy of it anywhere.
I'll wait until tomorrow.
I checked it at www.virustotal.com anyway, but it didn't report it as infected. After that Combofix again tells me it's infected.
Last edited by lisi4ko; 20th November 2008 at 20:53.
-
20th November 2008 10:55 #10
Right now on the work computer, which is on SP2, I saw that there is a copy in WINDOWS\SoftwareDistribution\Download, and there's no \system32\dllcache directory at all. When I get home tonight I'll look. If I don't find it there I'll get the MEDIA CENTER installation disc for tomorrow evening, because they can't bring it to me today.
-
20th November 2008 12:25 #11
DLLcache is a hidden system folder and under normal circumstances you shouldn't see it. Check whether it's there by going to Windows Explorer -> Tools -> Folder Options -> View -> [for the folder to be visible, "Hide protected operating system files (Recommended)" must be unchecked].
-
20th November 2008 13:11 #12
-
21st November 2008 00:41 #13
highjack:
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:13:25, on 21.11.2008 г.
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Globe Software\StatBar\StatBar.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\Datecs\Flex2K.exe
C:\Program Files\RBTray\RBTray.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [D_V_T] C:\\dvt.exe /S \C:\\d_v_t.reg\
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [StatBar] C:\Program Files\Globe Software\StatBar\StatBar.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: RBTray.lnk = C:\Program Files\RBTray\RBTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FlexType 2K.lnk = C:\WINDOWS\Datecs\Flex2K.exe
O8 - Extra context menu item: Add to &Teleport - C:\PROGRA~1\TELEPO~1\teleport.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Преведи - {60237576-b24c-4ba9-9740-c9f3ec9db557} - C:\PROGRA~1\SkyCode\WEBTRA~1\wt2ie.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F5DF859B-68D0-4380-9DBA-230377CFEA59}: NameServer = 212.39.90.42,212.39.90.43
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O24 - Desktop Component 1: АБВ - ПОЩА - http://mail03.abv.bg/app/servlet/bg.abv.mail.GetData;jsessionid=aTsvVfadCpZ7?fid=10&mid=1408363779&nid=0&eid=3&charset=Cp1251&ac=s

--
End of file - 5821 bytes
avenger:
Code:
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File move operation "c:\windows\system32\winlogon.exe|c:\virs\winlogon.vir" completed successfully.

Error: file "c:\windows\system32\winlogon.exe" is whitelisted
File move operation "c:\windows\system32\winlogonori.exe|c:\windows\system32\winlogon.exe" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)

File move operation "c:\windows\system32\ezsidmv.dat|c:\virs\ezsidmv.dat" completed successfully.

Error: file "c:\windows\Tasks\At1.job" not found!
Deletion of file "c:\windows\Tasks\At1.job" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist

Error: file "c:\windows\Tasks\At10.job" not found!
Deletion of file "c:\windows\Tasks\At10.job" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist

Error: file "c:\windows\Tasks\At11.job" not found!
Deletion of file "c:\windows\Tasks\At11.job" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist

Error: file "c:\windows\Tasks\At12.job" not found!
Deletion of file "c:\windows\Tasks\At12.job" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist

Error: file "c:\windows\Tasks\At13.job" not found!
Deletion of file "c:\windows\Tasks\At13.job" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist

Error: file "c:\windows\Tasks\At14.job" not found!
Deletion of file "c:\windows\Tasks\At14.job" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist

Error: file "c:\windows\Tasks\At15.job" not found!
Deletion of file "c:\windows\Tasks\At15.job" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist

Error: file "c:\windows\Tasks\At16.job" not found!
Deletion of file "c:\windows\Tasks\At16.job" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist

Error: file "c:\windows\Tasks\At17.job" not found!
Deletion of file "c:\windows\Tasks\At17.job" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist

Error: file "c:\windows\Tasks\At18.job" not found!
Deletion of file "c:\windows\Tasks\At18.job" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist

Error: file "c:\windows\Tasks\At19.job" not found!
Deletion of file "c:\windows\Tasks\At19.job" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist

Error: file "c:\windows\Tasks\At2.job" not found!
Deletion of file "c:\windows\Tasks\At2.job" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist

Error: file "c:\windows\Tasks\At20.job" not found!
Deletion of file "c:\windows\Tasks\At20.job" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist

Error: file "c:\windows\Tasks\At21.job" not found!
Deletion of file "c:\windows\Tasks\At21.job" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist

Error: file "c:\windows\Tasks\At22.job" not found!
Deletion of file "c:\windows\Tasks\At22.job" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist

Error: file "c:\windows\Tasks\At23.job" not found!
Deletion of file "c:\windows\Tasks\At23.job" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist

Error: file "c:\windows\Tasks\At24.job" not found!
Deletion of file "c:\windows\Tasks\At24.job" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist

Error: file "c:\windows\Tasks\At3.job" not found!
Deletion of file "c:\windows\Tasks\At3.job" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist

Error: file "c:\windows\Tasks\At4.job" not found!
Deletion of file "c:\windows\Tasks\At4.job" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist

Error: file "c:\windows\Tasks\At5.job" not found!
Deletion of file "c:\windows\Tasks\At5.job" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist

Error: file "c:\windows\Tasks\At6.job" not found!
Deletion of file "c:\windows\Tasks\At6.job" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist

Error: file "c:\windows\Tasks\At7.job" not found!
Deletion of file "c:\windows\Tasks\At7.job" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist

Error: file "c:\windows\Tasks\At8.job" not found!
Deletion of file "c:\windows\Tasks\At8.job" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist

Error: file "c:\windows\Tasks\At9.job" not found!
Deletion of file "c:\windows\Tasks\At9.job" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist

Error: file "c:\windows\system32\fGJ5mMa7.exe" not found!
Deletion of file "c:\windows\system32\fGJ5mMa7.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist

Error: file "C:\WINDOWS\svchost.exe" not found!
Deletion of file "C:\WINDOWS\svchost.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Windows Smrss Service" not found!
Deletion of driver "Windows Smrss Service" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist

Completed script processing.

*******************

Finished!  Terminate.
I found winlogon.ex_ on my Windows installation disc (by the way, the version of winlogon.exe on my installation disc and on Windows SP3 are one and the same, and the strangest thing is that they differ in version and size from the one already installed on my machine ... strange) and expanded it as required. Then I got Avenger and loaded the script. After the restart I looked at the log, and it said that the files which were supposed to be moved couldn't be moved because the folder c:\virs\ hadn't been created ... the other files that were supposed to be deleted were deleted, but the drivers apparently weren't. Anyway, I created it (the VIRS folder) and ran Avenger again. After that the computer started rebooting continuously. I restarted it in DOS (I don't know what it's called on XP) and saw that the script hadn't renamed winlogonori.exe to winlogon.exe. I changed it manually through command.com, and Windows started. The stupid thing is that I have to apply the crack again, and when I try it says "ERROR: Can't open C:\WINDOWS\system32\winlogon.exe for read access."
I don't know how I can move winlogon.exe. I'll try with the Avenger. I'll just write run c:\crack ... or just c:\crack. Since it can move things, surely it can "move" this one too.
Also, the files that the Avenger log says were not deleted have in fact been deleted, except for the last drivers.
Pff, if only I knew what I was doing, that would be great.
I'm waiting for some recommendations for further steps.
-
21st November 2008 05:12 #14Registered User
Join Date: Dec:2005
Location: yvr
Posts: 5,167
You've handled the mess well.

I can't help you with cracks and the like, nor is it proper for us to discuss that on the forum.
Lastly, run ComboFix again and when it finishes post its log here.
-
21st November 2008 10:11 #15
Yeah, about the cracks you're right.

The only thing that worries me is that after all this work a Windows dialog started appearing, saying something like important Windows system files have been tampered with and asking me to insert the installation disc so it can fix their version. There were 3 options: OK, Cancel and... the 3rd one I forgot.
I intend to get the installation disc today. In the evening when I'm back I'll run ComboFix again and post the log.
-
21st November 2008 10:34 #16Registered User
Join Date: Dec:2005
Location: yvr
Posts: 5,167
It's most likely complaining because of the different version of winlogon.exe.
Once you get the disc, in Start->Run type:
sfc /scannow
sfc = SystemFileChecker
-
21st November 2008 12:28 #17
I just found out that the guy who was supposed to send me winlogon.ex_ from Media Center SP2 sent me a different one... from SP3. I'll tear his ears off. Apparently that's why it's complaining. I.e. the winlogon files from SP2 and SP3 are different.
Tonight I'll replace it the old-fashioned way through DOS, because with the Avenger I might mess up the script.
By the way, I noticed there's a file winlogon.bat in system32, while here on my work PC there isn't one. I don't know whether it is making some kind of mess at startup. I don't remember how big it is, but I'll write in the evening.
That folder c:\virs, do I delete it or wait until I'm completely cleaned up?
-
21st November 2008 19:23 #18Registered User
Join Date: Dec:2005
Location: yvr
Posts: 5,167
virs you can safely remove.
winlogon.bat: open it with Notepad and post here what it says inside.
edit: Make sure you don't run the file; if needed, first rename it to winlogon.bat.txt.
Last edited by ilko; 21st November 2008 at 19:51.
-
21st November 2008 20:55 #19
-
21st November 2008 21:30 #20
This is the ComboFix log. I don't know whether it's OK.
Code:
ComboFix 08-11-21.02 - Vanio 2008-11-21 21:16:51.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.586 [GMT 2:00]
Running from: c:\documents and settings\Vanio\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{ECFAF43C-1E3D-4CBA-8F9D-97F3938EC463}\RP3\A0000184.exe
.
((((((((((((((((((((((((( Files Created from 2008-10-21 to 2008-11-21 )))))))))))))))))))))))))))))))
.
2008-11-21 21:03 . 2004-08-04 04:56 261,115 --a------ C:\WINLOGON.EX_
2008-11-21 19:03 . 2008-11-21 19:03 <DIR> d-------- c:\documents and settings\Administrator
2008-11-21 00:12 . 2004-10-09 01:05 32,574 --a------ C:\CRACK.EXE
2008-11-21 00:09 . 2008-11-21 00:09 56 --ah----- c:\windows\system32\ezsidmv.dat
2008-11-20 23:42 . 2008-11-20 23:44 <DIR> d-------- C:\virs
2008-11-20 23:34 . 2008-11-20 23:43 135,168 --a------ C:\zip.exe
2008-11-20 23:34 . 2008-11-20 23:43 19,286 --a------ C:\cleanup.exe
2008-11-20 23:34 . 2008-11-20 23:43 574 --a------ C:\cleanup.bat
2008-11-20 23:34 . 2008-11-20 23:43 457 --a------ C:\backup.reg
2008-11-20 22:21 . 2008-05-30 23:09 731,136 --a------ C:\aven.exe
2008-11-18 23:57 . 2008-11-20 19:53 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-18 23:57 . 2008-11-20 19:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-18 20:01 . 2008-11-18 20:01 <DIR> d-------- c:\program files\Trend Micro
2008-11-18 19:15 . 2008-11-18 19:15 <DIR> d-------- c:\documents and settings\Vanio\Application Data\True Sword
2008-11-18 19:14 . 2008-11-18 19:22 <DIR> d-------- c:\program files\True Sword 5
2008-11-16 00:13 . 2008-11-16 00:13 <DIR> d-------- c:\windows\Logs
2008-11-16 00:07 . 2008-11-16 00:07 682,280 --a------ c:\windows\system32\pbsvc.exe
2008-11-10 23:30 . 2008-11-10 23:30 <DIR> d-------- c:\program files\Common Files\Skype
2008-11-10 23:30 . 2008-11-21 21:13 <DIR> d-------- c:\documents and settings\Vanio\Application Data\skypePM
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-21 19:14 --------- d-----w c:\documents and settings\Vanio\Application Data\Skype
2008-11-20 21:31 --------- d-----w c:\documents and settings\Vanio\Application Data\uTorrent
2008-11-18 17:49 --------- d-----w c:\program files\ESET
2008-11-17 21:52 138,376 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-11-15 22:07 22,328 ----a-w c:\documents and settings\Vanio\Application Data\PnkBstrK.sys
2008-11-15 22:07 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-02 18:11 --------- d-----w c:\program files\TVAnts
2008-09-21 16:28 --------- d-----w c:\program files\mIRC
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StatBar"="c:\program files\Globe Software\StatBar\StatBar.exe" [2003-07-25 335872]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-09 128920]
"D_V_T"="c:\\dvt.exe" [2008-08-07 3584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-01-20 282624]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-08-07 949376]
"Resume copy"="copyfstq.exe" [2002-03-24 c:\windows\COPYFSTQ.EXE]
"AtiPTA"="atiptaxx.exe" [2005-11-23 c:\windows\system32\atiptaxx.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
c:\documents and settings\Vanio\Start Menu\Programs\Startup\
RBTray.lnk - c:\program files\RBTray\RBTray.exe [2006-07-14 53248]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
FlexType 2K.lnk - c:\windows\Datecs\Flex2K.exe [2006-11-16 130048]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\ICQLite\\ICQLite.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"d:\\GAMES\\Call of Duty 2\\CoD2MP_s.exe"=
"d:\\GAMES\\Counter-Strike\\cstrike.exe"=
"c:\\Program Files\\PPMate\\ppmate.exe"=
"c:\\Program Files\\PPMate\\ppmnet.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"h:\\downloads\\uTorrent\\utorrent-1.8-beta-9704.upx.exe"=
"d:\\GAMES\\Call of Duty - World at War\\CoDWaWmp.exe"=
"d:\\GAMES\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
S1 atitray;atitray;\??\c:\program files\Radeon Omega Drivers\v3.8.205\ATI Tray Tools\atitray.sys [2005-11-14 10496]
S2 SVKP;SVKP;\??\c:\windows\system32\SVKP.sys [2007-01-23 2368]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1bf33c29-75c1-11db-85ef-806d6172696f}]
\Shell\AutoRun\command - F:\ASUSACPI.exe
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Vanio\Application Data\Mozilla\Firefox\Profiles\cmi6eeu2.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE -
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-21 21:24:10
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-11-21 21:25:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-21 19:25:12
Pre-Run: 11 584 221 184 bytes free
Post-Run: 11,573,157,888 bytes free
114
I replaced the winlogon with the one that's supposed to be there.
I had a few problems getting Windows to start.
-
21st November 2008 21:50 #21Registered User
Join Date: Dec:2005
Location: yvr
Posts: 5,167
Looks fine, ComboFix took winlogon.exe from System Restore.
Just in case, scan \windows\system32\winlogon.exe at www.virustotal.com.
Open Regedit and delete the whole key:
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1bf33c29-75c1-11db-85ef-806d6172696f}
The flash drive that had the letter F: also had an autorun.inf set to launch F:\ASUSACPI.exe; it seems everything started from there.
The rest looks fine. Run this little program, so you have at least a bit of protection in future:
http://download.bleepingcomputer.com...isinfector.exe
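The autorun.inf mechanism described above, as an added example that is not part of the original thread or of any tool mentioned in it: a Python parser that reads an autorun.inf and lists the directives that would launch a program from the medium, the way the Shell\AutoRun\command entry in the log pointed at F:\ASUSACPI.exe. The sample autorun.inf inside is constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# [autorun] directives that make Windows run something from the medium: "open" and
# "shellexecute" run on insertion/AutoPlay, "shell\<verb>\command" adds a context-menu
# verb, and "shell=<verb>" makes that verb the default action on double-click.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")

def parse_autorun(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}}; section and key names are lower-cased because
    Windows matches them case-insensitively. ';' comments and malformed lines are skipped."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections

def launch_targets(text: str) -> List[Tuple[str, str]]:
    """(directive, command) pairs from [autorun] that would execute a program."""
    autorun = parse_autorun(text).get("autorun", {})
    return [(k, v) for k, v in autorun.items()
            if k in LAUNCH_KEYS or SHELL_CMD_RE.match(k)]

# Constructed sample (not a real capture): a drive whose autorun.inf launches an
# executable stored on the drive itself, like the F:\ASUSACPI.exe entry in the log.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
; harmless on its own: only sets the drive icon in Explorer
icon=ASUSACPI.exe,0
open=ASUSACPI.exe
shell\\Open\\Command=ASUSACPI.exe
shell=Open
"""

if __name__ == "__main__":
    for directive, command in launch_targets(SAMPLE_AUTORUN_INF):
        print(f"{directive} -> {command}")
```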
-
22nd November 2008 12:58 #22
Last night, when I ran ComboFix and then restarted the computer, NOD32 detected an infected text file in documents and settings/local users/ and so on... something like 'AV-*.txt'. In place of the asterisk there was some three-letter abbreviation. Now when I search for it I can't find it. It may have been used by ComboFix and then deleted itself. Don't know.
In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
there are 5 subfolders (don't know what else they're called) with this name --> {1bf33c29-75c1-11db-85ef-806d6172696f}, one of which has 2 subfolders... autorun and shell.
Do I have to delete all 5 folders with this name '{1bf33c29-75c1-11db-85ef-806d6172696f}' or one specific one?
Just to mention that the exact same 5 folders with the same names are also present in:
HKEY_USERS\S-1-5-21-117609710-2111687655-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
The same key is also in HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices. It looks to me like a record of the peripheral devices that have been plugged in.
btw F: is my DVD writer. Apparently the trouble happened while my girlfriend was putting in some discs, because I haven't used the writer in months.
Since this virus was only detected on the peripheral devices, in autorun.inf, and I kept deleting it, is there any danger that the little beast is hiding somewhere there?
My external hard drive is permanently connected and I just scanned it; there's nothing. I did the same with the flash drives and there's nothing on them either.
Just in case I also ran that Flash Disinfector program on both the external drive and the flash drive. I'll run it every time I plug the flash drive in.
Is there a way to stop autorun.inf from running when I insert a disc, so I can go through the discs, find the culprit ASUSACPI.exe and send it to the bin?
And one more small question that's a bit off topic.
When Windows starts it first gives me 3 choices: RECOVERY CONSOLE, WINDOWS MEDIA CENTER (by DEFAULT), WINDOWS XP Professional (that's my previous Windows)... so I want to delete that third choice... I don't know why it even asks me, since I had formatted the drive before installing Media Center. I don't know how it got kept at all, but I want to remove it.
While looking through the ComboFix log (the first one I posted), at the very end I saw the following:
Code:
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
which led me to think that I just need to open c:\cmdcons\BOOTSECT.DAT and delete the XP Professional option... yeah, but no luck.
With Notepad it shows me gibberish. I don't know whether it should be deleted from there at all. And there ought to be another program for opening these files. My Windows is a complete mess.
Last edited by lisi4ko; 22nd November 2008 at 13:44.
-
22nd November 2008 19:42 #23Registered User
Join Date: Dec:2005
Location: yvr
Posts: 5,167
If F is your DVD writer, then the file in question is probably legitimate; don't touch the registry.
To remove the unnecessary entry from the boot menu, open c:\boot.ini with Notepad and remove the unnecessary lines. The file is hidden and read-only. You have to enable showing hidden and system files to see it, and untick read-only in Properties to edit it.
-
22nd November 2008 21:42 #24
Yeah... done. And I won't touch the registry at all.
I need to install some scanner for trojans and the like besides NOD32, since it obviously does no work at all.
It would be good to open a thread about reading and analysing the logs of HijackThis, ComboFix, Avenger and the like. What to look at... how to remove things, and generally for some help, for example.
Thanks a lot for the help... I wouldn't have managed otherwise.

I'll be more careful in future.
-
22nd November 2008 22:29 #25Registered User
Join Date: Dec:2005
Location: yvr
Posts: 5,167
Umm... there is a thread, at least with some basic things sketched out, from the second post onwards:
http://www.hardwarebg.com/forum/showthread.php?t=91314