Szczepi
(Szczepi0804)
4 Czerwiec 2007 14:42
#1
Mam chmurke z informacją o zainfekowaniu przez ostatnią versje w/w trojanu oraz tradycyjną chmurke System Alert informującą ogólnie o zainfekowaniu.
Użyłem narzędzia SmitFraudFix, nie pomogło.
W Program Files powstał mi folder xerox, który jest podobno związany z PSW.
HJT:
Logfile of HijackThis v1.99.1 Scan saved at 16:07:06, on 2007-06-04 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Video ActiveX Access\iesmn.exe C:\Program Files\Video ActiveX Access\imsmain.exe C:\Programy\Winamp\winampa.exe C:\Program Files\Video ActiveX Access\imsmn.exe C:\Programy\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Video ActiveX Access\iesmin.exe C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe C:\WINDOWS\System32\brsvc01a.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\brss01a.exe C:\Programy\Gadu-Gadu\gg.exe C:\WINDOWS\System32\wuauclt.exe C:\Programy\Opera\Opera.exe C:\Programy\Xfire\Xfire.exe C:\WINDOWS\system32\NOTEPAD.EXE E:\Instalki\hijackthis\HijackThis.exe O2 - BHO: (no name) - {B8C5186E-EC37-4889-9C2E-F73649FFB7BB} - C:\Program Files\Video ActiveX Access\iesplg.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [WinampAgent] C:\Programy\Winamp\winampa.exe O4 - HKLM…\Run: [ZoneAlarm Client] “C:\Programy\Zone Labs\ZoneAlarm\zlclient.exe” O4 - HKLM…\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O17 - HKLM\System\CCS\Services\Tcpip…{9D89F113-5619-405F-8AB0-CD402A659EB8}: NameServer = 85.255.114.66,85.255.112.130 O17 - HKLM\System\CCS\Services\Tcpip…{A50D9470-4411-4F37-B29A-8CFFCF04F2F2}: NameServer = 85.255.114.66,85.255.112.130 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.66 85.255.112.130 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.66 85.255.112.130 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.66 85.255.112.130 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Silent Runners
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++} “user32.dll” = “C:\Program Files\Video ActiveX Access\iesmn.exe” [null data] “rare” = “C:\Program Files\Video ActiveX Access\imsmain.exe” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “WinampAgent” = “C:\Programy\Winamp\winampa.exe” [null data] “ZoneAlarm Client” = ““C:\Programy\Zone Labs\ZoneAlarm\zlclient.exe”” [“Zone Labs, LLC”] “PaperPort PTD” = “C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe” [“ScanSoft, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {B8C5186E-EC37-4889-9C2E-F73649FFB7BB}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Video ActiveX Access\iesplg.dll” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programy\WinRAR\rarext.dll” [null data] “{D9872D13-7651-4471-9EEE-F0A00218BEBB}” = “Multiscan” -> {HKLM…CLSID} = “ZLAVShExt Class” \InProcServer32(Default) = “C:\Programy\Zone Labs\ZoneAlarm\zlavscan.dll” [“Zone Labs, LLC”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\ <> “{44e670f2-d57b-4815-a576-955d17dbbf2d}” = “auditioned” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\System32\eeuydc.dll” [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programy\WinRAR\rarext.dll” [null data] ZLAVShExt(Default) = “{D9872D13-7651-4471-9EEE-F0A00218BEBB}” -> {HKLM…CLSID} = “ZLAVShExt Class” \InProcServer32(Default) = “C:\Programy\Zone Labs\ZoneAlarm\zlavscan.dll” [“Zone Labs, LLC”] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programy\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programy\WinRAR\rarext.dll” [null data] ZLAVShExt(Default) = “{D9872D13-7651-4471-9EEE-F0A00218BEBB}” -> {HKLM…CLSID} = “ZLAVShExt Class” \InProcServer32(Default) = “C:\Programy\Zone Labs\ZoneAlarm\zlavscan.dll” [“Zone Labs, LLC”] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\Documents and Settings\Szczepan\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Szczepan\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{31615D5C-5126-448A-818A-A7CDFEE85A9B}” -> {HKLM…CLSID} = “Protection Bar” \InProcServer32(Default) = “C:\Program Files\Video ActiveX Access\iesbpl.dll” [null data] Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{31615D5C-5126-448A-818A-A7CDFEE85A9B}(Default) = “Protection Bar” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\Program Files\Video ActiveX Access\iesbpl.dll” [null data] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\System32\Ati2evxx.exe” [“ATI Technologies Inc.”] BrSplService, Brother XP spl Service, “C:\WINDOWS\System32\brsvc01a.exe” [“brother Industries Ltd”] TrueVector Internet Monitor, vsmon, “C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service” [“Zone Labs, LLC”] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 1064 seconds, including 5 seconds for message boxes)
Pomóżcie!
Gutek
(Gutek)
4 Czerwiec 2007 14:51
#2
Użyj SmitFraudFix wybierz opcji nr 2 , oczywiście w trybie awaryjnym oraz użyj FixWareOut - http://downloads.subratam.org/Fixwareout.exe
Po tym daj log z Combofix
Szczepi
(Szczepi0804)
4 Czerwiec 2007 17:11
#3
Wykonałem obie czynności, chmurka nadal się pojawia
Combofix:
ComboFix 07-06-3 - Running from: “C:\Documents and Settings\Szczepan\Pulpit” ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\Program Files\video activex access C:\Program Files\video activex access\iesbpl.dll C:\Program Files\video activex access\iesbunst.exe C:\Program Files\video activex access\iesmin.exe C:\Program Files\video activex access\iesmn.exe C:\Program Files\video activex access\iesplg.dll C:\Program Files\video activex access\iesunst.exe C:\Program Files\video activex access\imsmain.exe C:\Program Files\video activex access\imsmn.exe C:\Program Files\video activex access\imsunst.exe C:\Program Files\video activex access\ot.ico C:\Program Files\video activex access\ts.ico C:\Program Files\video activex access\uninst.exe ((((((((((((((((((((((((( Files Created from 2007-05-04 to 2007-06-04 ))))))))))))))))))))))))))))))) 2007-06-04 11:22 2007-06-04 11:22 2007-05-18 18:38 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS 2007-05-13 18:01 2007-05-13 17:50 57,344 --a------ C:\WINDOWS\system32\brsvc01a.exe 2007-05-13 17:50 45,056 --a------ C:\WINDOWS\system32\brss01a.exe 2007-05-13 17:50 258,048 --a------ C:\WINDOWS\system32\bsplmf01.dll 2007-05-13 17:50 131,072 --a------ C:\WINDOWS\system32\bsplmf01.exe 2007-05-13 17:42 2007-05-13 17:39 50 --a------ C:\WINDOWS\system32\bridf05a.dat 2007-05-13 17:38 52,224 --------- C:\WINDOWS\system32\brinsstr.dll 2007-05-13 17:38 147,456 --------- C:\WINDOWS\brunin03.dll 2007-05-13 17:38 2007-05-13 17:36 2007-05-13 17:35 2007-05-13 17:35 2007-05-13 17:35 2007-05-13 17:34 2007-05-12 18:46 2007-05-12 14:52 62,592 --a------ C:\WINDOWS\system32\drivers\moufiltr.sys (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-06-04 17:09:57 -------- d-----w C:\DOCUME~1\Szczepan\DANEAP~1\Xfire 2007-06-04 17:02:29 610 ----a-w C:\WINDOWS\system32\tmp.reg 2007-06-03 18:02:01 -------- d-----w C:\DOCUME~1\Szczepan\DANEAP~1\teamspeak2 2007-05-23 10:49:18 7,168 --s-a-w C:\WINDOWS\system32\eeuydc.dll 2007-05-13 16:01:12 -------- d-----w C:\Program Files\Common Files\InstallShield 2007-05-13 16:01:01 -------- d–h--w C:\Program Files\InstallShield Installation Information 2007-05-11 19:28:37 -------- d–h--w C:\Program Files\WindowsUpdate 2007-05-01 13:13:13 -------- d-----w C:\DOCUME~1\Szczepan\DANEAP~1\MSN6 2007-04-28 16:34:55 -------- d-----w C:\Program Files\Media Player Classic 2007-04-28 16:34:55 -------- d-----w C:\DOCUME~1\Szczepan\DANEAP~1\Real 2007-04-28 16:23:46 -------- d-----w C:\DOCUME~1\Szczepan\DANEAP~1\Media Player Classic 2007-04-28 15:33:14 2,560 ----a-w C:\WINDOWS\system32\bitcometres.dll 2007-04-28 08:22:04 -------- d-----w C:\Program Files\Common Files\Ahead 2007-04-27 20:52:09 -------- d-----w C:\DOCUME~1\Szczepan\DANEAP~1\Opera 2007-04-27 18:46:38 4,212 —h–w C:\WINDOWS\system32\zllictbl.dat 2007-04-27 18:31:00 -------- d-----w C:\Program Files\Common Files\ODBC 2007-04-27 18:30:57 -------- d-----w C:\Program Files\Common Files\SpeechEngines 2007-04-27 18:18:11 49,492 ----a-w C:\WINDOWS\system32\perfc015.dat 2007-04-27 18:18:11 355,486 ----a-w C:\WINDOWS\system32\perfh015.dat 2007-04-27 17:50:38 -------- d-----w C:\Program Files\Messenger 2007-04-27 17:45:10 -------- d-----w C:\Program Files\microsoft frontpage 2007-04-27 17:44:29 0 --sha-r C:\MSDOS.SYS 2007-04-27 17:44:29 0 --sha-r C:\IO.SYS 2007-04-27 17:44:29 0 ----a-w C:\CONFIG.SYS 2007-04-27 17:44:29 0 ----a-w C:\AUTOEXEC.BAT 2007-04-27 17:42:40 -------- d-----w C:\Program Files\Usługi online 2007-04-27 17:42:08 -------- d-----w C:\Program Files\Movie Maker 2007-04-27 17:41:30 -------- d-----w C:\Program Files\Common Files\MSSoap 2007-04-27 17:40:54 21,856 ----a-w C:\WINDOWS\system32\emptyregdb.dat 2007-04-27 17:40:03 -------- d-----w C:\Program Files\Windows NT 2007-04-27 17:40:03 -------- d-----w C:\Program Files\MSN Gaming Zone 2007-03-08 22:02:00 75,512 ----a-w C:\WINDOWS\zllsputility.exe 2007-03-08 22:01:42 1,087,216 ----a-w C:\WINDOWS\system32\zpeng24.dll ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “WinampAgent”=“C:\Programy\Winamp\winampa.exe” [2006-10-25 07:37] “ZoneAlarm Client”=“C:\Programy\Zone Labs\ZoneAlarm\zlclient.exe” [2007-03-09 00:02] “PaperPort PTD”=“C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe” [2005-03-17 14:25] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2001-08-02 07:14] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] “{44e670f2-d57b-4815-a576-955d17dbbf2d}”=“C:\WINDOWS\System32\eeuydc.dll” [2007-05-23 12:49] HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs* ************************************************************************** catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-06-04 19:10:06 Windows 5.1.2600 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-06-04 19:10:48 C:\ComboFix-quarantined-files.txt … 2007-06-04 19:10 — E O F —
Gutek
(Gutek)
4 Czerwiec 2007 17:47
#4
Pobierz The Avenger . Wypakuj => uruchom => zaznacz opcję Input script manually => kliknij w taką lupkę => w okienku, które się otworzy wklej:
kliknij klawisz Done => teraz kliknij na zielone światełko => powinna pojawić się pewna informacja i kliknij OK (teraz restart).
Po tym nowy log z Combo
Gutek
(Gutek)
4 Czerwiec 2007 19:26
#6
Otwórz Notatnik i wklej w nim to:
Plik >>> Zapisz jako >>> Ustaw rozszerzenie z TXT na Wszystkie pliki >>> zapisz pod nazwą FIX.REG >>> kliknij podwójnie zrobiony plik i potwierdź >>> reset kompa