golytm
(Golytm)
24 October 2007 15:56
#1
Hello.
I have the following problem: every time the computer starts, Avast "throws up" a message that the parasite Win32:Agent-KDC[Trj] has been found in the file DefLib.sys. Taking any action such as quarantine or "delete" has no effect... the same goes for deleting the file "by hand"...
Hence my request to analyse the log and suggest what to do with all this, because I am a newbie and won't work it out on my own.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:54:45, on 2007-10-24
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Installed Programs\Avast 4\aswUpdSv.exe
C:\Installed Programs\Avast 4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Installed Programs\Krasnal\MYSQL\bin\mysqld.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Installed Programs\Avast 4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Installed Programs\Avast 4\ashWebSv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Installed Programs\DAEMON Tools\daemon.exe
C:\Installed Programs\Gmail Notifier\gnotify.exe
C:\Installed Programs\iTunes\iTunesHelper.exe
C:\INSTAL~1\AVAST4~1\ashDisp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Installed Programs\Gadu-Gadu\gg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\DOCUME~1\GoLY\USTAWI~1\Temp\winlogon.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Installed Programs\Mozilla Firefox\firefox.exe
C:\Installed Programs\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mystart.incredimail.com/english/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\hhupd.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Installed Programs\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Installed Programs\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Installed Programs\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Installed Programs\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tguard] C:\Installed Programs\Beniamin\tguard.exe
O4 - HKLM\..\Run: [avast!] C:\INSTAL~1\AVAST4~1\ashDisp.exe
O4 - HKLM\..\Run: [bpk] C:\Installed Programs\bpk\bpk.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Installed Programs\Acrobat Reader\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\PL\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=110307 serial=DR12CUT-1205362-WCN lang=PL
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [internetCalls] "C:\Program Files\InternetCalls.com \InternetCalls\InternetCalls.exe" -nosplash -minimized
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Installed Programs\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [incrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Twoje TVN24] "C:\Installed Programs\Pasek TVN24\PasekTVN24.exe"
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\GoLY\USTAWI~1\Temp\winlogon.exe
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\GoLY\Dane aplikacji\Mozilla\Firefox\Profiles\e16r2dou.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\GoLY\Dane aplikacji\Mozilla\Firefox\Profiles/e16r2dou.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\INSTAL~1\Office\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\INSTAL~1\Office\OFFICE11\REFIEBAR.DLL
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Installed Programs\Avast 4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Installed Programs\Avast 4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Installed Programs\Avast 4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Installed Programs\Avast 4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Installed Programs\Sony\plugins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: MySql - Unknown owner - C:\Installed Programs\Krasnal/MYSQL/bin/mysqld.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Installed Programs\Sony\plugins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)

--
End of file - 8142 bytes
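As an added illustration (not part of the original post or of the helpers' replies), the Python script below applies the kind of checks a log reader makes on a HijackThis log like the one above: an autorun or running process launched from a Temp directory, a well-known system binary name (winlogon.exe) living outside system32, and a UserInit value that chains a second executable after userinit.exe. The sample lines are copied from the log above with one benign system32 line added; the classification rules are my own assumptions, not HijackThis logic.

```python
import re

# System binaries that malware commonly impersonates; a genuine copy lives only under system32.
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "smss.exe", "services.exe", "csrss.exe"}

# Constructed sample: lines copied from the HijackThis log in the post above,
# plus a genuine system32 winlogon.exe so the benign case is exercised too.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\hhupd.exe,
O4 - HKLM\..\Run: [avast!] C:\INSTAL~1\AVAST4~1\ashDisp.exe
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\GoLY\USTAWI~1\Temp\winlogon.exe
C:\DOCUME~1\GoLY\USTAWI~1\Temp\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
"""

def in_temp(path):
    """True when the executable lives under a Temp directory."""
    return re.search(r"\\temp\\", path, re.IGNORECASE) is not None

def masquerading(path):
    """True when a well-known system binary name is used outside the system32 directory."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name in SYSTEM_NAMES and re.match(r"(?i)c:\\windows\\system32\\", path) is None

def triage(log):
    """Return (reason, line) pairs for entries that deserve a closer look (assumed heuristics)."""
    findings = []
    for line in (l.strip() for l in log.splitlines()):
        if line.startswith("F2 - REG:system.ini: UserInit="):
            exes = [p for p in line.split("=", 1)[1].split(",") if p]
            extra = [p for p in exes if not p.lower().endswith("\\userinit.exe")]
            if extra:
                findings.append(("UserInit chains an extra executable: " + ", ".join(extra), line))
        elif line.startswith("O4 - "):
            m = re.search(r"\] \"?([A-Za-z]:\\[^\"]*?\.exe)", line, re.IGNORECASE)
            if m and in_temp(m.group(1)):
                findings.append(("autorun launches from a Temp directory", line))
            if m and masquerading(m.group(1)):
                findings.append(("system binary name outside system32", line))
        elif re.match(r"[A-Za-z]:\\", line):  # a line from the 'Running processes' block
            if in_temp(line) or masquerading(line):
                findings.append(("running process from Temp or with a spoofed system name", line))
    return findings

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

Run against the full log it reports the hhupd.exe UserInit hook and the Temp\winlogon.exe autorun and process, while the Avast and system32 lines pass silently.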
Kaka2
(Kaka_117827603)
24 October 2007 16:14
#2
Krzychuu, please check the logs more carefully (I was informed that you did not give the complete removal procedure and skipped one entry).
adam9870
(adam9870)
24 October 2007 16:18
#3
Remove the entries listed above using HijackThis.
Use ATF-Cleaner to empty the TEMP folders.
Run SDFix, then paste a log from ComboFix.
golytm
(Golytm)
25 October 2007 07:50
#4
Hello again.
It seems everything is fine now. I did as you wrote and so far there is no problem. adam9870, many thanks for the response. Best regards. Here is the ComboFix log:
ComboFix 07-10-23.1 - GoLY 2007-10-25 2:00:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.122 [GMT 2:00]
Running from: C:\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\autorun.inf
.
((((((((((((((((((((((((( Files Created from 2007-09-25 to 2007-10-25 )))))))))))))))))))))))))))))))
.
2007-10-25 02:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-25 01:48
2007-10-25 01:23 1,205,321 --a------ C:\SDFix.exe
2007-10-25 01:22 1,392,911 --a------ C:\ComboFix.exe
2007-10-25 01:19 50,688 --a------ C:\ATF-Cleaner.exe
2007-10-24 14:37
2007-10-03 21:06
2007-10-03 19:24
2007-10-02 14:15
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-24 23:59 --------- d-----w C:\Documents and Settings\GoLY\Dane aplikacji\Skype
2007-10-24 16:02 --------- d-----w C:\Program Files\Picasa2
2007-09-26 16:55 --------- d-----w C:\Documents and Settings\GoLY\Dane aplikacji\OpenOffice.org2
2007-09-24 19:09 --------- d-----w C:\Program Files\HP
2007-09-24 19:09 --------- d-----w C:\Program Files\Common Files\HP
2007-09-24 19:08 --------- d-----w C:\Program Files\Hewlett-Packard
2007-09-23 07:43 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2007-09-23 07:42 --------- d-----w C:\Program Files\Java
2007-09-17 20:31 --------- d-----w C:\Documents and Settings\GoLY\Dane aplikacji\Gadu-Gadu
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05 92,848 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-09-06 10:00 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-04 21:15 --------- d-----w C:\Documents and Settings\GoLY\Dane aplikacji\Corel
2007-09-04 21:13 --------- d-----w C:\Program Files\Common Files\Corel
2007-09-04 21:12 --------- d-----w C:\Program Files\Corel
2007-09-04 21:12 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-08-08 13:29 319 ----a-w C:\drmHeader.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-07 21:33 C:\WINDOWS\system32\VTTimer.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 16:21 C:\WINDOWS\system32\HdAShCut.exe]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 03:11]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2005-09-07 16:35]
"DAEMON Tools"="C:\Installed Programs\DAEMON Tools\daemon.exe" [2005-12-10 16:57]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Installed Programs\Gmail Notifier\gnotify.exe" [2005-07-15 23:48]
"iTunesHelper"="C:\Installed Programs\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"QuickTime Task"="C:\Installed Programs\QuickTime\qttask.exe" [2006-09-01 16:57]
"tguard"="C:\Installed Programs\Beniamin\tguard.exe" []
"avast!"="C:\INSTAL~1\AVAST4~1\ashDisp.exe" [2007-09-06 12:06]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-06-14 18:32]
"Adobe Reader Speed Launcher"="C:\Installed Programs\Acrobat Reader\Reader\Reader_sl.exe" [2007-05-11 03:06]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 06:03]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 06:03]
"CorelDRAW Graphics Suite 11b"="C:\Program Files\Corel\Corel Graphics 12\Languages\PL\Programs\Registration.exe" [2004-06-23 00:20]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]
"InternetCalls"="C:\Program Files\InternetCalls.com \InternetCalls\InternetCalls.exe" []
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-03-30 13:34]
"Gadu-Gadu"="C:\Installed Programs\Gadu-Gadu\gg.exe" [2007-07-09 09:39]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2007-09-20 15:17]
"Twoje TVN24"="C:\Installed Programs\Pasek TVN24\PasekTVN24.exe" [2007-04-10 12:03]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
R3 AEAudioService;AEAudio Service;C:\WINDOWS\system32\drivers\AEAudio.sys
R3 Pcatip;Pcatip;C:\WINDOWS\system32\DRIVERS\Pcatip.sys
R3 S3G700;S3G700;C:\WINDOWS\system32\DRIVERS\S3G700m.sys
S3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command - G:\INTRO.EXE

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-10-24 22:00:03 C:\WINDOWS\Tasks\HPpromotions journeysoftware.job"
.
**************************************************************************
catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-25 02:01:51
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-25 2:02:35
.
-- E O F --