Suspected rootkit

  • Joined: 17 Apr 2008
  • Posts: 770
  • Location: Taurunum

How the fault shows itself: in any program, say Word, I start typing some text, e.g. "polivati", and the computer writes "po", then on the letter l it locks the computer; it behaves similarly with some other keys, but not with all of them.

I scanned it with MBAM, which removed one trojan; after that I ran ComboFix, but since I access that computer remotely I did not have 100% control over what it found and deleted. The Sophos rootkit scanner did not find anything special, although it too found some txt files inside the My Documents directory.

The other logs follow.




DDS (Ver_10-11-27.01) - NTFSx86
Run by Elizabeta Novak at 0:29:46,46 on ned 28.11.2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1250.381.1033.18.511.160 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\TeamViewer\Version5\TeamViewer.exe
C:\Program Files\Total Commander\TotalCommanderPortable.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
c:\program files\teamviewer\version5\TeamViewer_Desktop.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\ELIZAB~1\LOCALS~1\Temp\_tc\gmer.exe
c:\Documents and Settings\Elizabeta Novak\My Documents\Downloads\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [IncrediMail] c:\program files\incredimail\bin\IncMail.exe /c
mRun: [C-Media Mixer] Mixer.exe /startup
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_06-win.cab
DPF: {CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_06-win.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: ms-its51 - {F6F1E82D-DE4D-11D2-875C-0000F8105754} - c:\program files\common files\microsoft shared\information retrieval\itss51.dll
Handler: msref - {74D92DF3-6D9D-11D1-8B38-006097DBED7A} - c:\progra~1\common~1\micros~1\refere~1\msref.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\elizab~1\applic~1\mozilla\firefox\profiles\ofk9hydp.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

============= SERVICES / DRIVERS ===============

R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-11-4 2011944]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [2006-3-22 826752]
R3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5.tmp --> c:\windows\system32\5.tmp [?]
S3 huadio;huadio;\??\c:\huadio.tmp --> c:\huadio.tmp [?]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys --> c:\windows\system32\drivers\ewusbdev.sys [?]
S4 RCService;RCService;c:\program files\gigabyte\rcservice\RCService.exe [2006-4-26 538624]

=============== Created Last 30 ================

2010-11-27 21:34:43 98816 ----a-w- c:\windows\sed.exe
2010-11-27 21:34:43 89088 ----a-w- c:\windows\MBR.exe
2010-11-27 21:34:43 256512 ----a-w- c:\windows\PEV.exe
2010-11-27 21:34:43 161792 ----a-w- c:\windows\SWREG.exe
2010-11-27 19:05:05 -------- d-----w- c:\docume~1\elizab~1\applic~1\Malwarebytes
2010-11-27 19:04:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-27 19:04:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-27 19:04:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-27 19:04:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-06 23:29:17 -------- d-----w- c:\docume~1\elizab~1\locals~1\applic~1\IM
2010-11-06 23:28:49 -------- d-----w- c:\docume~1\alluse~1\applic~1\IncrediMail
2010-11-06 23:28:48 -------- d-----w- c:\program files\IncrediMail
2010-11-06 23:28:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\IM
2010-11-04 20:23:59 18384 ----a-w- c:\windows\system\DCISVGA.DRV
2010-11-04 19:30:43 25048 ----a-w- c:\program files\mozilla firefox\components\browserdirprovider.dll
2010-11-04 19:30:43 140248 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2010-11-04 19:26:25 -------- d-----w- c:\docume~1\elizab~1\applic~1\TeamViewer
2010-11-04 19:26:20 -------- d-----w- c:\program files\TeamViewer
2010-11-04 19:07:21 -------- d-----w- c:\docume~1\elizab~1\locals~1\applic~1\GHISLER
2010-10-29 20:31:38 -------- d-----w- c:\windows\NKCCDViewerSetting
2010-10-29 20:10:18 192272 ----a-w- c:\windows\system32\MCI32.OCX
2010-10-29 20:10:17 -------- d-----w- c:\program files\Hilandar
2010-10-29 12:27:11 160256 ----a-w- c:\windows\system32\findext.dll
2010-10-29 12:27:11 111616 ----a-w- c:\windows\stpsup.exe
2010-10-29 12:27:10 200192 ----a-w- c:\program files\common files\microsoft shared\reference titles\msreftl.dll
2010-10-29 12:27:00 -------- d-----w- c:\program files\Microsoft Reference
2010-10-29 12:24:15 77824 ------w- c:\program files\common files\microsoft shared\reference titles\SfcSvr10.exe
2010-10-29 12:24:14 295744 ------w- c:\program files\common files\microsoft shared\information retrieval\itss51.dll
2010-10-29 12:24:13 197312 ------w- c:\program files\common files\microsoft shared\information retrieval\itircl51.dll
2010-10-29 12:24:11 184320 ------w- c:\program files\common files\microsoft shared\reference titles\RefMenu.dll
2010-10-29 12:24:11 122880 ------w- c:\program files\common files\microsoft shared\reference titles\RefJIC.dll
2010-10-29 12:24:11 102400 ------w- c:\program files\common files\microsoft shared\reference titles\msref.dll
2010-10-29 12:24:05 454732 ------w- c:\program files\common files\microsoft shared\reference titles\MapObj43.dll
2010-10-29 12:23:57 100864 ------w- c:\program files\common files\microsoft shared\reference titles\xtras\buddy\budapi32.dll
2010-10-29 12:23:56 100864 ------w- c:\program files\common files\microsoft shared\reference titles\budapi32.dll
2010-10-29 12:23:54 630853 ------w- c:\program files\common files\microsoft shared\reference titles\SHRL30.dll
2010-10-29 12:23:54 61440 ------w- c:\program files\common files\microsoft shared\reference titles\SHRPNL10.dll
2010-10-29 12:23:54 16384 ------w- c:\program files\common files\microsoft shared\reference titles\a\sfcr10.dll
2010-10-29 12:23:52 452096 ------w- c:\program files\common files\microsoft shared\msinforf\MSInfo32.exe
2010-10-29 12:23:52 18432 ------w- c:\program files\common files\microsoft shared\msinforf\ImgWalk.dll
2010-10-29 12:23:52 16304 ------w- c:\program files\common files\microsoft shared\msinforf\Msinf16h.exe
2010-10-29 12:23:45 188928 ------w- c:\windows\system32\swflash.ocx
2010-10-29 12:23:45 13824 ------w- c:\windows\system32\dslite.dll
2010-10-29 12:23:44 97792 ------w- c:\windows\system32\am21e.dll
2010-10-29 12:23:44 137728 ------w- c:\windows\system32\amn21e.dll
2010-10-29 12:18:08 73728 ------w- c:\program files\common files\microsoft shared\reference titles\RefReg.exe
2010-10-29 12:17:47 -------- d-----w- c:\program files\Microsoft Encarta
2010-10-29 12:15:25 -------- d-----w- C:\MSDANGER
2010-10-29 12:10:22 -------- d-----w- c:\program files\Visual
2010-10-29 12:04:16 11264 ----a-w- c:\windows\CATSTUB.EXE
2010-10-29 12:04:15 398416 ----a-w- c:\windows\system\VBRUN300.DLL
2010-10-29 12:04:15 21315 ----a-w- c:\windows\system\MCIMMP.DRV
2010-10-29 12:04:14 356992 ----a-w- c:\windows\system\VBRUN200.DLL
2010-10-29 12:04:14 105072 ----a-w- c:\windows\system\MMP.DLL
2010-10-29 12:04:12 -------- d-----w- C:\MSLANDS
2010-10-29 12:00:58 33280 ----a-w- c:\windows\system32\otoon32.dll
2010-10-29 11:58:34 756736 ----a-w- c:\windows\system32\IR41_32.DLL
2010-10-29 11:58:19 -------- d-----w- c:\program files\DK Multimedia
2010-10-29 11:42:11 -------- d-----w- c:\program files\Microsoft Multimedia
2010-10-29 11:12:50 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-10-29 11:11:46 5504 ------w- c:\windows\system32\drivers\imagedrv.sys
2010-10-29 11:11:46 125184 ------w- c:\windows\system32\drivers\imagesrv.sys
2010-10-29 11:11:30 476320 ------w- c:\windows\system32\ImagXpr7.dll
2010-10-29 11:11:30 471040 ------w- c:\windows\system32\ImagXRA7.dll
2010-10-29 11:11:30 262144 ------w- c:\windows\system32\ImagXR7.dll
2010-10-29 11:11:30 1568768 ------w- c:\windows\system32\ImagX7.dll
2010-10-29 11:11:30 106496 ----a-w- c:\windows\system32\TwnLib20.dll
2010-10-29 11:11:29 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2010-10-29 11:10:13 -------- d-----w- c:\docume~1\elizab~1\locals~1\applic~1\ACD Systems
2010-10-29 11:10:12 -------- d-----w- c:\docume~1\elizab~1\applic~1\ACD Systems
2010-10-29 11:09:23 -------- d-----w- c:\docume~1\alluse~1\applic~1\ACD Systems
2010-10-29 11:09:16 -------- d-----w- c:\program files\common files\ACD Systems
2010-10-29 11:09:16 -------- d-----w- c:\program files\ACD Systems
2010-10-29 11:08:31 -------- d-----w- c:\docume~1\elizab~1\locals~1\applic~1\Downloaded Installations
2010-10-29 11:06:48 -------- d-----w- c:\docume~1\elizab~1\applic~1\Foxit Software
2010-10-29 11:06:47 -------- d-----w- c:\docume~1\elizab~1\applic~1\Foxit
2010-10-29 11:06:45 75208 ----a-w- c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
2010-10-29 11:06:45 -------- d-----w- c:\program files\Foxit Software
2010-10-29 11:01:50 -------- d-----w- c:\program files\The KMPlayer
2010-10-29 11:00:37 232448 ----a-w- c:\windows\system32\mp3fhg.acm
2010-10-29 11:00:37 151552 ----a-w- c:\windows\system32\ac3acm.acm
2010-10-29 11:00:36 790528 ----a-w- c:\windows\system32\xvidcore.dll
2010-10-29 11:00:36 217088 ----a-w- c:\windows\system32\yv12vfw.dll
2010-10-29 11:00:36 134144 ----a-w- c:\windows\system32\xvidvfw.dll
2010-10-29 11:00:36 108032 ----a-w- c:\windows\system32\ff_vfw.dll
2010-10-29 11:00:32 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-10-29 10:59:51 -------- d-----r- c:\program files\Skype
2010-10-29 10:57:42 -------- d-----w- c:\program files\Total Commander
2010-10-29 10:46:12 -------- d-----w- c:\windows\pss

==================== Find3M ====================

2010-10-23 15:07:28 1409 ----a-w- c:\windows\system32\tmpDED6E.FOT
2010-10-23 15:07:28 1409 ----a-w- c:\windows\system32\tmpC4D6E.FOT
2010-10-23 15:07:28 1409 ----a-w- c:\windows\system32\tmp9DD6E.FOT
2010-10-23 15:07:28 1409 ----a-w- c:\windows\system32\tmp92E6E.FOT
2010-10-23 15:07:28 1409 ----a-w- c:\windows\system32\tmp88D6E.FOT
2010-10-23 15:07:28 1409 ----a-w- c:\windows\system32\tmp51E6E.FOT

============= FINISH: 0:30:20,17 ===============
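A helper reading a DDS log like the one above usually goes through the SERVICES / DRIVERS section first, because a service whose binary DDS could not verify (the trailing `[?]`) or whose binary lives in a temporary file deserves a manual look. The script below is an added example written for this page, not a tool from the thread or from the DDS author: it parses that section and lists such entries with the reason they were flagged. The sample text is copied from the log above; the section and field layout it assumes (`state name;display;path [date size]`, with `registered --> resolved` when DDS had to resolve the path itself) is inferred from those lines. A flag is only a prompt for review, not a verdict: the MEMSWEEP2 entry, for instance, is the driver that Sophos Anti-Rootkit loads from a temp file for the duration of its scan, which fits the Sophos scan the poster mentions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the SERVICES / DRIVERS section copied from the DDS log
# above, followed by the next section header so the parser sees where it ends.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-11-4 2011944]
R3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5.tmp --> c:\windows\system32\5.tmp [?]
S3 huadio;huadio;\??\c:\huadio.tmp --> c:\huadio.tmp [?]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys --> c:\windows\system32\drivers\ewusbdev.sys [?]
S4 RCService;RCService;c:\program files\gigabyte\rcservice\RCService.exe [2006-4-26 538624]

=============== Created Last 30 ================
"""

# "=========== Title ===========" section headers, as DDS prints them.
SECTION_RE = re.compile(r"^=+\s*(?P<title>.+?)\s*=+$")
# "R2 name;display name;image path [...]" service lines (layout assumed from the log).
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$"
)


@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    image_path: str
    verified: bool                      # False when DDS printed "[?]"
    reasons: list = field(default_factory=list)


def parse_sections(text):
    """Split a DDS log into {SECTION TITLE: [non-empty lines]}."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group("title").upper()
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def parse_service_line(line):
    """Turn one SERVICES / DRIVERS line into a ServiceEntry, or None."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest").strip()
    verified = not rest.endswith("[?]")
    # DDS prints "<registered path> --> <resolved path> [...]" when it had to
    # resolve the ImagePath itself; keep the resolved (right-hand) path.
    if " --> " in rest:
        rest = rest.split(" --> ", 1)[1]
    image_path = re.sub(r"\s*\[[^\]]*\]\s*$", "", rest)   # drop "[date size]" / "[?]"
    return ServiceEntry(m.group("state"), m.group("name"), m.group("display"),
                        image_path, verified)


def triage_services(text):
    """Return the service entries that merit a manual look, with reasons."""
    sections = parse_sections(text)
    lines = sections.get("SERVICES / DRIVERS", [])
    entries = [e for e in (parse_service_line(l) for l in lines) if e]
    flagged = []
    for e in entries:
        low = e.image_path.lower()
        if not e.verified:
            e.reasons.append("binary not verified by DDS ([?])")
        if low.endswith(".tmp") or "\\temp\\" in low:
            e.reasons.append("service binary is a temp file")
        if e.reasons:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage_services(SAMPLE_DDS):
        print(f"{e.state} {e.name:<12} {e.image_path}")
        for r in e.reasons:
            print(f"    - {r}")
```

Run against the sample, the script flags MEMSWEEP2 and huadio twice (unverified and temp-file binary) and hwusbdev once (unverified, a leftover Huawei modem driver whose file is missing); TeamViewer5 and RCService pass. Each hit still needs checking against what is known to be installed on the machine.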






  • Joined: 02 Feb 2008
  • Posts: 14018
  • Location: Nish

Hello cerveni!





Why did you use ComboFix? What did you want to achieve with it, if you don't know how to "handle" it? CF is not, nor will it ever be, a replacement for an antivirus, which this computer DOES NOT HAVE. Its use is permitted only when one of the helpers tells you to run it, in the way they describe. Using CF "on your own" can sometimes lead to serious consequences for the system.

To begin with, install an AV on that computer, and then we can continue solving your problem.




You did not follow the instructions for opening a topic to the end. You need to post the Gmer2 and Gmer3 logs.
Instructions: http://www.mycity.rs/Ambulanta/Kako-otvoriti-temu-u-Ambulanti.html






goran9888 (AMF Tim)

  • Joined: 17 Apr 2008
  • Posts: 770
  • Location: Taurunum


  • Joined: 02 Feb 2008
  • Posts: 14018
  • Location: Nish


Open Notepad and copy the following text into it:

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"


Save the file from Notepad to the Desktop as "CFScript"




Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post the log that is produced at the end of the cleaning/scan in your next message.







As for your problem, bear in mind that Win key + L = lock computer.







goran9888 (AMF Tim)

  • Joined: 17 Apr 2008
  • Posts: 770
  • Location: Taurunum

Where do I find the log file?

After starting ComboFix I can only briefly see what is happening; after that I can't access the computer remotely until ComboFix finishes scanning. When I got back in, there was no log file on the screen.

  • Joined: 02 Feb 2008
  • Posts: 14018
  • Location: Nish

The log is usually saved on the system partition under the name ComboFix.txt (location: C:\ComboFix.txt).
Post the contents of that log in your next message.











goran9888 (AMF Tim)

  • Joined: 17 Apr 2008
  • Posts: 770
  • Location: Taurunum

Posted: 29 Nov 2010 0:29

I searched with the search function in TC; there is no new log at all.

Which leads me to conclude that the computer was reset before it finished; I will have to go and pick up the computer.

Update: 29 Nov 2010 18:43

Virus removed with mrt.exe

  • Joined: 02 Feb 2008
  • Posts: 14018
  • Location: Nish

I don't understand why you searched for the log via Total Commander?!

If this log exists: C:\ComboFix.txt , send me its contents.

If it does not exist, repeat the previous step, but make sure you are at that computer and follow the instructions I gave you in detail.








goran9888 (AMF Tim)

  • Joined: 17 Apr 2008
  • Posts: 770
  • Location: Taurunum

Posted: 29 Nov 2010 19:30

There is no combofix.log in the root of the C drive at all.

Update: 29 Nov 2010 19:37

  • Joined: 02 Feb 2008
  • Posts: 14018
  • Location: Nish

Step 1

Copy the contents of the following log file for me:

C:\Windows\Debug\Mrt.log




Step 2

ComboFix did not finish its work (this can be seen in the posted screenshot).

Follow in detail the previous step I gave you for running the script in ComboFix, and post the log that comes out.
(if no log appears, look for it at: C:\ComboFix.txt)






goran9888 (AMF Tim)
