slawek_36
(Slawek Im)
28 June 2007 17:06
#1
Hello everyone
For some time now Spybot Search & Destroy has been detecting something strange when the Admin account starts up. After a scan with that program I know that this THING is called Dropper.ragger, and in the HijackThis log there is an entry about wextract_cleanup0 that looks strange to me, and it is this entry that S&D refers to.
And here is the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 18:49:28, on 2007-06-28
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WLAN\WConfig\WConfig.exe
D:\programy bez instalacji\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15FAC292-47E3-43DC-B097-C479F9D32DC3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM…\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM…\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\FOTOAD~1\USTAWI~1\Temp\IXP000.TMP"
O4 - HKCU…\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: WConfig.lnk = ?
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O15 - Trusted Zone: http://wirusy.interia.pl
O15 - Trusted Zone: http://bezpieczenstwo.onet.pl
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://bezpieczenstwo.onet.pl/skaner/ArcaOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip…{18E123A1-9330-44DA-8DC1-0F22689D1FA9}: NameServer = 192.168.1.97
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: fccbbxx - C:\WINDOWS\
O20 - Winlogon Notify: winubg32 - winubg32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
Can anything be done about this?
Thanks to everyone who spends a moment on this text.
qrczak13
(qrczak13)
28 June 2007 21:22
#2
For the duration of the manual work, disable TeaTimer from Spybot - Search & Destroy.
Use ATF Cleaner.
Delete the file marked in red in Safe Mode, and the entries in HJT.
After doing the above, post a ComboFix log.
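An added example, not part of the thread and not code from any of the tools named in it: a small Python triage pass over lines in the HijackThis "O" format shown above, encoding the checks a helper applies by hand when deciding which entries to fix in HJT. The sample lines are constructed (placeholder paths and URL); the wextract_cleanup entry is the benign IExpress self-extractor cleanup the original poster asked about, and the Winlogon Notify checks are what make entries like fccbbxx and winubg32 stand out.

```python
import re

# Constructed sample in the HijackThis v1.99 "O" line format. Entry names mirror
# the kinds of entries in the thread's log; paths and the URL are placeholders.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {15FAC292-47E3-43DC-B097-C479F9D32DC3} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\USER~1\USTAWI~1\Temp\IXP000.TMP"
O15 - Trusted Zone: http://scanner.example.invalid
O20 - Winlogon Notify: fccbbxx - C:\WINDOWS\
O20 - Winlogon Notify: winubg32 - winubg32.dll (file missing)
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")

def classify(line):
    """Return (severity, reason) for one HJT 'O' line, or None if nothing to flag."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.groups()
    if kind == "O2" and body.endswith("(no file)"):
        return ("low", "orphaned BHO registration, DLL already gone; remove the CLSID")
    if kind == "O4" and "RunOnce" in body and "advpack.dll,DelNodeRunDLL32" in body:
        # wextract_cleanup<n> is how IExpress/wextract self-extractors delete their
        # temp folder at next logon; benign in itself, but it proves a package ran
        # from that Temp folder, so the folder is worth a look before it is deleted.
        folder = body.rsplit(" ", 1)[-1].strip('"')
        return ("info", f"IExpress cleanup entry; a package extracted into {folder}")
    if kind == "O15":
        return ("medium", "site in IE Trusted Zone gets relaxed security; keep only sites you added")
    if kind == "O20":
        name, _, target = body.partition(": ")[2].partition(" - ")
        if "(file missing)" in target or not target.lower().endswith(".dll"):
            return ("high", f"Winlogon Notify '{name}' targets a missing or non-DLL path; "
                            "Notify DLLs load into winlogon.exe at every logon")
        return ("review", f"Winlogon Notify '{name}': confirm the publisher of {target}")
    return None

def triage(log_text):
    """Run classify() over a whole log; returns [(severity, kind, reason), ...]."""
    findings = []
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            findings.append((result[0], line.split(" - ")[0], result[1]))
    return findings
```

Call `triage(SAMPLE_LOG)` to get the findings; the O4 Run and O23 lines produce nothing because a known-publisher path in those sections is the normal case.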
slawek_36
(Slawek Im)
29 June 2007 05:53
#3
Thanks, I'll get to work right after noon.
Merged post: 30.06.2007 (Sat) 8:54
Thanks qrczak13,
the links led me to the site http://www.cybertrash.pl and I also downloaded SUPERAntiSpy. I did everything as you advised, and on top of that SUPERAntiSpy detected 15 different nasties.
ComboFix log:
((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-30 )))))))))))))))))))))))))))))))

2007-06-30 09:30 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-30 07:17
2007-06-30 07:16
2007-06-30 07:16
2007-06-30 06:57 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-30 06:57
2007-06-30 06:57
2007-06-30 06:57
2007-06-30 06:57
2007-06-30 06:57
2007-06-30 06:57
2007-06-30 06:57
2007-06-30 06:34
2007-06-24 21:59
2007-06-24 21:55
2007-06-24 21:55
2007-06-20 19:44
2007-06-20 19:20 22 --a------ C:\WINDOWS\wyczysc.cmd
2007-06-20 19:14 403 --a------ C:\WINDOWS\wyczysc.reg
2007-06-12 06:38
2007-06-12 06:38
2007-06-04 15:18 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6,272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-03 12:22
2007-05-21 19:09
2007-05-20 11:23 7,680 --a------ C:\WINDOWS\system32\drivers\RKL3FE.tmp.sys
2007-05-14 20:38 7,680 --a------ C:\WINDOWS\system32\drivers\RKL13.tmp.sys
2007-05-14 20:36 23,552 --a------ C:\WINDOWS\system32\MSMPIDE.DLL
2007-05-14 20:36 116,224 --a------ C:\WINDOWS\system32\pdfcmnnt.dll
2007-05-14 20:36
2007-05-06 21:09
2007-05-05 11:49
2007-05-05 11:16
2007-05-05 09:59 108,544 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-05-01 15:39 9,600 -ra------ C:\WINDOWS\system32\drivers\vmnetadapter.sys
2007-05-01 15:39 5,120 -ra------ C:\WINDOWS\system32\vnetinst.dll
2007-05-01 15:38 364,631 --a------ C:\WINDOWS\system32\vnetlib.dll
2007-05-01 15:38 15,616 --a------ C:\WINDOWS\system32\drivers\vmnetuserif.sys
2007-05-01 15:38 135,168 --a------ C:\WINDOWS\system32\vmnat.exe
2007-05-01 15:38 106,496 --a------ C:\WINDOWS\system32\vmnetdhcp.exe
2007-05-01 15:38 10,240 -ra------ C:\WINDOWS\system32\drivers\vmnet.sys
2007-05-01 15:35 7,077,888 --a------ C:\DOCUME~1\Foto\ntuser.dat

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-30 07:39:10 91,052 ----a-w C:\WINDOWS\system32\perfc015.dat
2007-06-30 07:39:10 503,696 ----a-w C:\WINDOWS\system32\perfh015.dat
2007-06-27 17:40:13 25,992 ----a-w C:\WINDOWS\system32\pgdfgsvc.exe
2007-05-21 17:08:57 -------- d-----w C:\DOCUME~1\FOTOAD~1\DANEAP~1\Lavasoft
2007-05-20 09:25:11 -------- d-----w C:\Program Files\Winamp
2007-05-05 11:36:40 2,560 ----a-w C:\WINDOWS\system32\BitCometRes.dll
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-13 13:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 02:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-02-06 21:40]
{CC59E0F9-7E43-44FA-9FAA-8377850BF205}=C:\Program Files\Free Download Manager\iefdmcks.dll [2006-08-20 20:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-07-22 09:00 C:\WINDOWS\SOUNDMAN.EXE]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 17:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-09-07 16:51]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:44]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=1 (0x1)
"NoSimpleStartMenu"=1 (0x1)
"NoRecentDocsNetHood"=1 (0x1)
"NoLowDiskSpaceChecks"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccbbxx]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winubg32]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsHive]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{9c8e44a9-6ab9-11db-928e-806d6172696f}]
AutoRun\command- E:\Setup.exe

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-30 09:39:40
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...
? [3260]

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-30 9:41:08
C:\ComboFix-quarantined-files.txt ... 2007-06-30 09:41

- E O F -
Is everything OK now?
Joan
(Joan Sunshine)
1 July 2007 18:10
#4
Scan this file at http://virusscan.jotti.org/ and report the result.
Open Notepad and paste this into it:
File -> Save As -> change the file type to All Files -> save it under the name FIX.REG
Run FIX.REG, confirm adding it to the registry, and reboot the computer.
New ComboFix log, please.
Thank you,
I had been living in ignorance for a while.