Log po infekcji trojanem.killwin.bl

SzymSzejdi · 16 Czerwiec 2006 17:32

Siemka

Bardzo proszę o sprawdzenie logów po infekcji trojanem kill.win.bl, z góry dziękuję. Czy ktoś mógłby mi powiedzieć co robi ten trojan? Nie mogę znaleźć nic na googlach

Logfile of HijackThis v1.99.1 Scan saved at 19:23:24, on 2006-06-16 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\RTHDCPL.EXE C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\PROGRA~1\INTERN~2\MEDIAKEY.EXE C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\PROGRA~1\INTERN~2\KBOSDCtl.EXE C:\PROGRA~1\INTERN~2\KCodeMsg.EXE C:\Program Files\WIDCOMM\Oprogramowanie interfejsu Bluetooth\BTTray.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe C:\PROGRA~1\WIDCOMM\OPROGR~1\BTSTAC~1.EXE C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\WIDCOMM\Oprogramowanie interfejsu Bluetooth\bin\btwdins.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\Program Files\Raxco\PerfectDisk\PDSched.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Mozilla Firefox\firefox.exe E:\Instalki\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.asus.com/products1.aspx?l1=2 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM…\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM…\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [MediaKey] C:\PROGRA~1\INTERN~2\MEDIAKEY.EXE O4 - HKLM…\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe O4 - HKLM…\Run: [DAEMON Tools] “C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033 -noicon O4 - HKLM…\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s O4 - Global Startup: BTTray.lnk = ? O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm O8 - Extra context menu item: Wyślij do interfejsu &Bluetooth - C:\Program Files\WIDCOMM\Oprogramowanie interfejsu Bluetooth\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Oprogramowanie interfejsu Bluetooth\btsendto_ie.htm O9 - Extra ‘Tools’ menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Oprogramowanie interfejsu Bluetooth\btsendto_ie.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O17 - HKLM\System\CCS\Services\Tcpip…{DE4742FD-48F2-4284-9664-FBADE6AA8557}: NameServer = 194.204.152.34,194.204.159.1 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Oprogramowanie interfejsu Bluetooth\bin\btwdins.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I z Silentrunners

“Silent Runners.vbs”, revision 41, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “Steam” = (empty string) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “RTHDCPL” = “RTHDCPL.EXE” [“Realtek Semiconductor Corp.”] “Alcmtr” = “ALCMTR.EXE” [“Realtek Semiconductor Corp.”] “avast!” = “C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data] “NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “MediaKey” = “C:\PROGRA~1\INTERN~2\MEDIAKEY.EXE” [“Dritek System Inc.”] “Zone Labs Client” = “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe” [“Zone Labs, LLC”] “DAEMON Tools” = ““C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033 -noicon” [“DT Soft Ltd.”] “NetLimiter” = “C:\Program Files\NetLimiter\NetLimiter.exe /s” [“LockTime”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = “AcroIEHlprObj Class” [from CLSID] -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx” [empty string] {31FF080D-12A3-439A-A2EF-4BA95A3148E8}(Default) = “*_*_**đ*” (unwritable string) -> {CLSID}\InProcServer32(Default) = “C:\Program Files\GetRight\xx2gr.dll” [“Headlight Software, Inc.”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = “SSVHelper Class” [from CLSID] -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll” [“Sun Microsystems, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {CLSID}\InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] “{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}” = “UnlockerShellExtension” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Unlocker\UnlockerCOM.dll” [null data] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{B8323370-FF27-11D2-97B6-204C4F4F5020}” = “SmartFTP Shell Extension DLL” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\SmartFTP Client 2.0\smarthook.dll” [“SmartFTP”] “{5E2121EE-0300-11D4-8D3B-444553540000}” = “Catalyst Context Menu extension” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll” [empty string] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\msohev.dll” [MS] “{6af09ec9-b429-11d4-a1fb-0090960218cb}” = “My Bluetooth Places” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\btneighborhood.dll” [“Broadcom Corporation.”] “{640167b4-59b0-47a6-b335-a6b3c0695aea}” = “Portable Media Devices” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] HKLM\System\CurrentControlSet\Control\Session Manager\ INFECTION WARNING! “BootExecute” = “pdboot.exe autocheck autochk *” [file not found], [file not found], [MS], [file not found] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] FineReader(Default) = “{AC0DD14A-8F29-4F88-BE1D-0F0ED1B06C9F}” -> {CLSID}\InProcServer32(Default) = “c:\program files\abbyy finereader 7.0 professional edition\fecmenu.dll” [“ABBYY (BIT Software)”] UnlockerShellExtension(Default) = “{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Unlocker\UnlockerCOM.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\qw\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\system32\AURORA~2.SCR” (aurora_5xxx.scr) [“Axialis Software”] Startup items in “qw” & “All Users” startup folders: ---------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “BTTray” -> shortcut to: “C:\Program Files\WIDCOMM\Oprogramowanie interfejsu Bluetooth\BTTray.exe” [“Broadcom Corporation.”] “DSLMON” -> shortcut to: “C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe” [empty string] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000004\LibraryPath = “%SystemRoot%\system32\wshbth.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\Program Files\NetLimiter\nl_lsp.dll [null data], 01 - 05, 28 %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 27 %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll” [“Sun Microsystems, Inc.”] {CCA281CA-C863-46EF-9331-5C8D4460577F}\ “ButtonText” = “@btrez.dll,-4015” “MenuText” = “@btrez.dll,-4017” “Script” = “C:\Program Files\WIDCOMM\Oprogramowanie interfejsu Bluetooth\btsendto_ie.htm” [null data] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [file not found] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”] avast! Antivirus, avast! Antivirus, ““C:\Program Files\Alwil Software\Avast4\ashServ.exe”” [null data] avast! iAVS4 Control Service, aswUpdSv, ““C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [null data] avast! Web Scanner, avast! Web Scanner, ““C:\Program Files\Alwil Software\Avast4\ashWebSv.exe” /service” [“ALWIL Software”] Bluetooth Service, btwdins, “C:\Program Files\WIDCOMM\Oprogramowanie interfejsu Bluetooth\bin\btwdins.exe” [“Broadcom Corporation.”] Bluetooth Support Service, BthServ, “C:\WINDOWS\system32\svchost.exe -k bthsvcs” {“C:\WINDOWS\System32\bthserv.dll” [MS]} LightScribeService Direct Disc Labeling Service, LightScribeService, ““C:\Program Files\Common Files\LightScribe\LSSrvc.exe”” [“Hewlett-Packard Company”] PDScheduler, PDSched, ““C:\Program Files\Raxco\PerfectDisk\PDSched.exe”” [“Raxco Software, Inc.”] TrueVector Internet Monitor, vsmon, “C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service” [“Zone Labs, LLC”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Port drukarki interfejsu Bluetooth\Driver = “bthcrp.dll” [“Broadcom Corporation.”] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 14 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 8 seconds. ---------- (total run time: 48 seconds)

Bieniol · 16 Czerwiec 2006 17:38

W trybie awaryjnym z wyłączonym przywracaniem systemu usuwasz (wpisy Hijackiem, pliki/foldery na czerwono ręcznie z dysku (w razie problemów z usuwaniem plików użyj narzędzia KillBox ):

Dodatkowo usuń resztki po Messengerze:

Skan EWIDO po update

Monczkin · 16 Czerwiec 2006 17:51

Prawdopodobnie chodzi o to - nowa wersja syfu

http://www.m2smi.com/m2net/web_index_sm … t_20040922

Więcej na stronach obcojęzycznych

SzymSzejdi · 16 Czerwiec 2006 17:54

ALCMTR.EXE to jakiś program od mojej karty muzycznej realtek, napewno go usunąc?

Bieniol · 16 Czerwiec 2006 17:56

To jest Spyware od Realteka - spokojnie możesz usunąć

kuz5 · 16 Czerwiec 2006 18:01

No nie tak spokojnie, były przypadki ze userzy skarżyli się na brak dzwięku, lepiej zostaw to, nic groźnego (no chyba że chcesz skosić, to już twoja decyzja)

SzymSzejdi · 16 Czerwiec 2006 18:20

no i posprzątane Dziękuję wszystkim za pomoc