system
(system)
27 March 2007 16:39
#1
During the last check of my computer the antivirus detected the trojan Trojan-PSW.Win32.QQPass, so I would rather make sure I don't have any other junk on it. Please check the log.
Logfile of HijackThis v1.99.1 Scan saved at 18:05:26, on 2007-03-27 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2
adam9870
(adam9870)
27 March 2007 18:14
#2
Both logs are clean.
But where exactly did it detect it? If the notification about this trojan being detected appears again, please give the exact location of the infected file that was found. For now you can scan the system with http://www.ewido.net/en/
system
(system)
27 March 2007 18:59
#3
Thanks for the help. The trojan was in:
C:\PROGRAMY\MOZILLA FIREFOX\XPICLEANUP.EXE i
D:\Nowy folder (2)\Programy 2\Firefox Setup 2.0.0.2.exe