Kerio blocked an intrusion (Code injection, winlogon.exe)

Discussion in 'Viruses and malware - HijackThis logs' started by tkumpula, Aug 12, 2007.

  1. tkumpula

    tkumpula Member

    I suspect my machine has picked up something, since Kerio started complaining with messages like this:

    Teknistä tietoa tunketumisen yrityksestä:

    Injector-sovellus: \??\C:\WINDOWS\system32\winlogon.exe
    Kuvaus: winlogon
    Tiedostoversio:
    Tuotteen nimi:
    Tuotenimi:
    Luotu: N/A
    Muutettu: N/A
    Käytetty: N/A

    Kohdesovellus: C:\Program Files\Internet Explorer\iexplore.exe
    Kuvaus: Internet Explorer
    Tiedostoversio: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    Tuotteen nimi: Microsoft® Windows® Operating System
    Tuotenimi: 6.00.2900.2180
    Luotu: 2007/7/19, 23:11:13
    Muutettu: 2004/8/3, 21:56:52
    Käytetty: 2007/8/12, 14:46:24

    Address of injection: 0x7FFA0000


    A similar message also appeared with Thunderbird.

    I ran HijackThis and got the following log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:24:35, on 13.8.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    C:\Program Files\ATI Technologies\ATI-ohjauspaneeli\atiptaxx.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Common Files\TerraTec\Remote\TTTvRc.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\VIA\RAID\raid_tool.exe
    G:\win32\Pienet ohjelmat\putty.exe
    C:\Program Files\Opera\Opera.exe
    g:\win32\Spybot - Search & Destroy\SpybotSD.exe
    H:\apps\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.grisoft.com/doc/Programs/lng/en/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - g:\win32\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [TerraTec Remote Control] "C:\Program Files\Common Files\TerraTec\Remote\TTTvRc.exe"
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1184918488140
    O20 - Winlogon Notify: winhoq32 - C:\WINDOWS\SYSTEM32\winhoq32.dll
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

    --
    End of file - 4518 bytes

    Spybot S&D also reported finding an infection called Virtumondo, and I removed it with that program. The alert I pasted first still appeared after Spybot's cleanup, however. AVG's antivirus doesn't find any infections.

    -Tuomas

    -------------------------------------------------
    This morning's result with ComboFix

    ComboFix 07-08-09.3 - "Tuomas" 2007-08-14 11:32:23.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.242 [GMT 3:00]


    ((((((((((((((((((((((((( Files Created from 2007-07-14 to 2007-08-14 )))))))))))))))))))))))))))))))


    2007-08-13 23:06 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-08-13 20:31 dir d-------- C:\DOCUME~1\Tuomas\APPLIC~1\uTorrent
    2007-08-13 10:08 dir d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-08-12 08:32 dir d-------- C:\DOCUME~1\Hanna\APPLIC~1\TerraTec
    2007-08-11 18:47 65,536 -ra------ C:\WINDOWS\system32\MFC71DEU.DLL
    2007-08-11 18:47 61,440 -ra------ C:\WINDOWS\system32\MFC71ITA.DLL
    2007-08-11 18:47 61,440 -ra------ C:\WINDOWS\system32\MFC71FRA.DLL
    2007-08-11 18:47 61,440 -ra------ C:\WINDOWS\system32\MFC71ESP.DLL
    2007-08-11 18:47 57,344 -ra------ C:\WINDOWS\system32\MFC71ENU.DLL
    2007-08-11 18:47 49,152 -ra------ C:\WINDOWS\system32\MFC71KOR.DLL
    2007-08-11 18:47 49,152 -ra------ C:\WINDOWS\system32\MFC71JPN.DLL
    2007-08-11 18:47 45,056 -ra------ C:\WINDOWS\system32\MFC71CHT.DLL
    2007-08-11 18:47 44,544 -ra------ C:\WINDOWS\system32\msxml4a.dll
    2007-08-11 18:47 40,960 -ra------ C:\WINDOWS\system32\MFC71CHS.DLL
    2007-08-11 18:47 dir d-------- C:\DOCUME~1\Tuomas\APPLIC~1\TerraTec
    2007-08-11 18:47 dir d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TerraTec
    2007-08-11 18:46 dir d-------- C:\Program Files\TerraTec
    2007-08-11 18:46 dir d-------- C:\Program Files\Common Files\TerraTec
    2007-08-11 18:45 53,760 --a------ C:\WINDOWS\system32\drivers\vfwwdm32.dll
    2007-08-11 18:45 22,528 -ra------ C:\WINDOWS\system32\drivers\TTCinergyT2BDA.sys
    2007-08-11 16:03 dir d-------- C:\WINDOWS\SxsCaPendDel
    2007-08-11 15:04 dir d-------- C:\DOCUME~1\Tuomas\APPLIC~1\AVSMedia
    2007-08-11 14:34 dir d-------- C:\DOCUME~1\Hanna\APPLIC~1\AVSMedia
    2007-08-11 14:34 dir d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AVS4YOU
    2007-08-11 14:33 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
    2007-08-11 14:33 638,976 --a------ C:\WINDOWS\system32\divx.dll
    2007-08-11 14:33 536,576 --a------ C:\WINDOWS\system32\msvcr70d.dll
    2007-08-11 14:33 524,288 --a------ C:\WINDOWS\system32\xvidcore.dll
    2007-08-11 14:33 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
    2007-08-11 14:33 413,760 --a------ C:\WINDOWS\system32\mpg4c32.dll
    2007-08-11 14:33 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
    2007-08-11 14:33 261,632 --a------ C:\WINDOWS\system32\mcdvd_32.dll
    2007-08-11 14:33 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
    2007-08-11 14:33 139,264 --a------ C:\WINDOWS\system32\xvidvfw.dll
    2007-08-11 14:33 1,700,352 --a------ C:\WINDOWS\system32\GdiPlus.dll
    2007-08-11 14:33 dir d-------- C:\Program Files\Common Files\AVSMedia
    2007-08-11 12:35 dir d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\NCH Software
    2007-08-11 12:07 dir d-------- C:\WINDOWS\system32\appmgmt
    2007-08-11 11:41 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
    2007-08-11 11:41 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll
    2007-08-04 10:04 dir d-------- C:\Program Files\MSXML 4.0
    2007-08-01 18:30 dir d-------- C:\DOCUME~1\Tuomas\APPLIC~1\DeepBurner
    2007-07-28 21:24 dir d-------- C:\Program Files\DAEMON Tools
    2007-07-28 21:21 682,232 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2007-07-26 11:16 dir d-------- C:\Program Files\7-Zip
    2007-07-21 23:53 dir d-------- C:\Program Files\MPlayer
    2007-07-21 15:56 dir d-------- C:\Program Files\uTorrent
    2007-07-21 15:56 dir d-------- C:\DOCUME~1\Hanna\APPLIC~1\uTorrent
    2007-07-21 12:25 dir d-------- C:\DOCUME~1\Tuomas\APPLIC~1\CyberLink
    2007-07-21 12:25 dir d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
    2007-07-21 12:24 dir d-------- C:\Program Files\CyberLink
    2007-07-21 08:58 12,290,511 --------- C:\AVG7QT.DAT
    2007-07-20 17:33 63,488 --a------ C:\WINDOWS\system32\unam4ie.exe
    2007-07-20 17:33 4,608 --a------ C:\WINDOWS\system32\w95inf32.dll
    2007-07-20 17:33 38,160 --a------ C:\WINDOWS\system32\LMRTREND.dll
    2007-07-20 17:33 2,272 --a------ C:\WINDOWS\system32\w95inf16.dll
    2007-07-20 17:33 194,320 --a------ C:\WINDOWS\system32\qcut.dll
    2007-07-20 17:33 182,032 --a------ C:\WINDOWS\system32\dxtmsft3.dll
    2007-07-20 17:33 10,240 --a------ C:\WINDOWS\system32\vidx16.dll
    2007-07-20 17:31 dir d-------- C:\Program Files\Sierra On-Line
    2007-07-20 14:45 dir d-------- C:\DOCUME~1\Tuomas\APPLIC~1\OpenOffice.org2
    2007-07-20 14:43 dir d-------- C:\DOCUME~1\Tuomas\APPLIC~1\Opera
    2007-07-20 14:34 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
    2007-07-20 14:33 6,550 --a------ C:\WINDOWS\jautoexp.dat
    2007-07-20 14:33 46,352 --a------ C:\WINDOWS\setdebug.exe
    2007-07-20 14:33 139,536 --a------ C:\WINDOWS\system32\javaee.dll
    2007-07-20 14:33 113 --a------ C:\WINDOWS\system32\zonedon.reg
    2007-07-20 14:33 113 --a------ C:\WINDOWS\system32\zonedoff.reg
    2007-07-20 14:32 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
    2007-07-20 14:32 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
    2007-07-20 14:32 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
    2007-07-20 14:03 dir d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
    2007-07-20 12:16 dir d-------- C:\DOCUME~1\Hanna\APPLIC~1\OpenOffice.org2
    2007-07-20 12:03 dir d-------- C:\Program Files\OpenOffice.org 2.2
    2007-07-20 11:57 dir d-------- C:\DOCUME~1\Hanna\APPLIC~1\Thunderbird
    2007-07-20 11:36 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
    2007-07-20 10:52 dir d---s---- C:\DOCUME~1\Hanna\UserData
    2007-07-20 10:37 dir d-------- C:\DOCUME~1\Hanna\APPLIC~1\Opera
    2007-07-20 05:06 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
    2007-07-20 05:06 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
    2007-07-20 05:05 10,624 --a------ C:\WINDOWS\system32\drivers\gameenum.sys
    2007-07-20 05:04 9,008 --a--c--- C:\WINDOWS\system32\dllcache\ver.dll
    2007-07-20 05:04 9,008 --a------ C:\WINDOWS\system\VER.DLL
    2007-07-20 05:04 85,020 --a--c--- C:\WINDOWS\system32\dllcache\dgsetup.dll
    2007-07-20 05:04 85,020 --a------ C:\WINDOWS\system32\dgsetup.dll
    2007-07-20 05:04 82,944 --a--c--- C:\WINDOWS\system32\dllcache\olecli.dll
    2007-07-20 05:04 82,944 --a------ C:\WINDOWS\system\OLECLI.DLL
    2007-07-20 05:04 8,192 -ra------ C:\WINDOWS\system32\kbdhept.dll
    2007-07-20 05:04 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdhept.dll
    2007-07-20 05:04 774,144 --a--c--- C:\WINDOWS\system32\dllcache\spttseng.dll
    2007-07-20 05:04 77,824 --a--c--- C:\WINDOWS\system32\dllcache\spcommon.dll
    2007-07-20 05:04 7,168 -ra------ C:\WINDOWS\system32\kbdcz.dll
    2007-07-20 05:04 7,168 --a--c--- C:\WINDOWS\system32\dllcache\kbdcz.dll
    2007-07-20 05:04 68,768 --a------ C:\WINDOWS\system\mmsystem.dll
    2007-07-20 05:04 61,440 --a--c--- C:\WINDOWS\system32\dllcache\spcplui.dll
    2007-07-20 05:04 6,656 -ra------ C:\WINDOWS\system32\kbdycl.dll
    2007-07-20 05:04 6,656 -ra------ C:\WINDOWS\system32\kbdsl1.dll
    2007-07-20 05:04 6,656 -ra------ C:\WINDOWS\system32\kbdsl.dll
    2007-07-20 05:04 6,656 -ra------ C:\WINDOWS\system32\kbdpl.dll
    2007-07-20 05:04 6,656 -ra------ C:\WINDOWS\system32\kbdhu.dll


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-22 23:24 29392 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
    2007-05-16 18:12 86528 -----c--- C:\WINDOWS\system32\dllcache\directdb.dll
    2007-05-16 18:12 85504 -----c--- C:\WINDOWS\system32\dllcache\wabimp.dll
    2007-05-16 18:12 683520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
    2007-05-16 18:12 510976 -----c--- C:\WINDOWS\system32\dllcache\wab32.dll
    2007-05-16 18:12 1314816 -----c--- C:\WINDOWS\system32\dllcache\msoe.dll
    2003-07-31 12:53 147456 --a------ C:\WINDOWS\inf\EL2K_XP.sys
    2003-07-31 12:50 448768 --a------ C:\WINDOWS\inf\EL2K_N64.sys
    2003-07-31 12:43 147456 --a------ C:\WINDOWS\inf\EL2K_2K.sys


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="atiptaxx.exe" []
    "Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 08:57]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-07-20 02:58]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
    "TerraTec Remote Control"="C:\Program Files\Common Files\TerraTec\Remote\TTTvRc.exe" [2006-08-25 07:53]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-04 01:29]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    VIA RAID TOOL.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [2007-07-20 02:32:44]

    R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys
    R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys
    R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys
    R2 SoundMAX Agent Service (default);SoundMAX Agent Service;C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    R2 SPF4;Sunbelt Personal Firewall 4;C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    R3 EL2000;3Com 3C2000x EtherLink XL Adapter;C:\WINDOWS\system32\DRIVERS\EL2K_XP.sys
    R3 TTCinergyT2;TerraTec Cinergy T² (BDA);C:\WINDOWS\system32\DRIVERS\TTCinergyT2BDA.sys
    S3 DSDrv4;DSDrv4;\??\G:\win32\KTV\Plugins\S_Bt8x8\DSDrv4.sys
    S3 Hauppauge WinTV-HVR;Hauppauge WinTV-HVR 713X PCI Card;C:\WINDOWS\system32\DRIVERS\HCW713x.sys
    S3 MPE;BDA MPE Filter;C:\WINDOWS\system32\DRIVERS\MPE.sys


    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-14 11:34:54
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    C:\WINDOWS\system32\cmd.exe [4004] 0x8219C5B0


    scanning hidden registry entries ...

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\\27:\xf5wjY\1]
    "DisplayName"="\t"
    "DeviceDesc"="\t"
    "ProviderName"=""
    "MFG"="\xfa0"
    "ReinstallString"="2002, 6.13.10.6102"
    "DeviceInstanceIds"=str(7):""

    scanning hidden files ...

    scan completed successfully
    hidden files: 0


    ---

    VirusTotal results for winlogon.exe:

    Result: 0/32 (0%)
    Antivirus Version Last Update Result
    AhnLab-V3 2007.8.9.2 2007.08.13 -
    AntiVir 7.4.0.60 2007.08.13 -
    Authentium 4.93.8 2007.08.13 -
    Avast 4.7.1029.0 2007.08.13 -
    AVG 7.5.0.476 2007.08.13 -
    BitDefender 7.2 2007.08.13 -
    CAT-QuickHeal 9.00 2007.08.13 -
    ClamAV 0.91 2007.08.13 -
    DrWeb 4.33 2007.08.13 -
    eSafe 7.0.15.0 2007.08.10 -
    eTrust-Vet 31.1.5055 2007.08.13 -
    Ewido 4.0 2007.08.13 -
    FileAdvisor 1 2007.08.13 -
    Fortinet 2.91.0.0 2007.08.13 -
    F-Prot 4.3.2.48 2007.08.13 -
    F-Secure 6.70.13030.0 2007.08.13 -
    Ikarus T3.1.1.12 2007.08.13 -
    Kaspersky 4.0.2.24 2007.08.13 -
    McAfee 5096 2007.08.13 -
    Microsoft 1.2704 2007.08.13 -
    NOD32v2 2457 2007.08.13 -
    Norman 5.80.02 2007.08.13 -
    Panda 9.0.0.4 2007.08.12 -
    Prevx1 V2 2007.08.13 -
    Rising 19.36.02.00 2007.08.13 -
    Sophos 4.20.0 2007.08.12 -
    Sunbelt 2.2.907.0 2007.08.11 -
    Symantec 10 2007.08.13 -
    TheHacker 6.1.8.168 2007.08.13 -
    VBA32 3.12.2.2 2007.08.13 -
    VirusBuster 4.3.26:9 2007.08.13 -
    Webwasher-Gateway 6.0.1 2007.08.13 -
    Additional information
    File size: 502272 bytes
    MD5: 01c3346c241652f43aed8e2149881bfe
    SHA1: a5396141cab8b22d9d88b28a814089537dce366a
     
    Last edited: Aug 14, 2007
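As an added example (not part of the thread, and not code from HijackThis, Kerio or any tool mentioned above), a small Python triage script for HijackThis-format log lines, run on constructed lines modelled on the log in the post. It flags the O20 Winlogon Notify entry, which is a DLL that winlogon.exe loads at logon and so is one common reason a HIPS reports winlogon.exe itself as the process injecting code into others, along with a nameless O2 BHO and an O23 service with no owner; it also handles paths that contain " - " (like the Spybot one), which a naive split gets wrong.

```python
import re

# Constructed sample in HijackThis v2 log format, modelled on the entries above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - g:\win32\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: winhoq32 - C:\WINDOWS\SYSTEM32\winhoq32.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# Every HijackThis entry line starts with a section code such as R1, O2, O20, O23.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
# For O2 entries the path follows the CLSID; anchor on that rather than on " - ",
# because file paths themselves may contain " - " (e.g. "Spybot - Search & Destroy").
CLSID_PATH_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\} - (?P<path>.+)$")


def parse_hjt(text):
    """Return (code, body) pairs for every entry line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(entries):
    """Flag entry kinds that deserve a manual look, as (code, reason, path) tuples."""
    findings = []
    for code, body in entries:
        if code == "O20" and body.startswith("Winlogon Notify:"):
            # A Winlogon Notify package is loaded into winlogon.exe at logon, so any
            # foreign DLL listed here runs inside winlogon.exe itself.
            path = body.partition(": ")[2].partition(" - ")[2]
            findings.append((code, "DLL loaded into winlogon.exe at logon", path))
        elif code == "O2" and "(no name)" in body:
            # A BHO runs inside every Internet Explorer instance; a nameless one should
            # be matched by CLSID against the product you expect to own it.
            m = CLSID_PATH_RE.search(body)
            findings.append((code, "BHO without a name", m.group("path") if m else body))
        elif code == "O23" and " - Unknown owner - " in body:
            # Services with no vendor string need their binary checked.
            path = body.split(" - Unknown owner - ", 1)[1]
            findings.append((code, "service with unknown owner", path))
    return findings


if __name__ == "__main__":
    for code, reason, path in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{code}: {reason}: {path}")
```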
  2. Auttaja

    Auttaja Guest

    1. Download combofix.exe to your desktop from either of these links:
    http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    2. Double-click the combofix.exe file and follow the instructions.
    3. When the tool is finished, it produces a log (C:\ComboFix.txt). Post this log in your thread.
    Note! Don't click around in the ComboFix window while it is running. This may cause the program to hang.

    ========

    C:\WINDOWS\system32\winlogon.exe

    Make hidden files visible, and hide them again after the check.

    http://www.virustotal.com/

    Go to that page and upload the file using the "Browse" function.

    If the service is congested, use http://virusscan.jotti.org/

    Put the result in your next reply along with the ComboFix log.
     
    Last edited by a moderator: Aug 13, 2007
  3. Hujo

    Hujo Guest

    edit:
     
    Last edited by a moderator: Aug 13, 2007