Suspected TR/Crypt.ULPM.Gen - USB flash drive

Hello.

I found this thread online:

http://www.hwupgrade.it/forum/showthread.php?t=1599371

Unfortunately, the USB flash drive contained a file UFO.exe and a file Autorun.inf. Avast did not detect anything (from what I peeked at, the autorun launched that ufo.exe and did something else as well). Until now I had autoplay disabled on CD-ROM drives; some time ago I disabled autoplay on all drives. However, I cannot determine when the flash drive was connected to the computer (it wasn't me who did it), so I don't know whether it happened before or after I disabled autoplay on all drives.

I would ask you to check the logs:

HijackThis

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:36:24, on 2007-11-17

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

D:\Programy\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\ctfmon.exe

D:\Programy\SeaMonkey\seamonkey.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

D:\Programy\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programy\AdobeReader\ActiveX\AcroIEHelper.dll

O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\Programy\GetRight\xx2gr.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Programy\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: Download with GetRight - D:\Programy\GetRight\GRdownload.htm

O8 - Extra context menu item: Open with GetRight Browser - D:\Programy\GetRight\GRbrowse.htm

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1184690854718

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D983A1AD-4608-48C5-BA4A-E7727800EB59}: NameServer = 194.204.159.1 217.98.63.164

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: !SASWinLogon - D:\Programy\SuperAntiSpyware\SASWINLO.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Programy\Avast\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - D:\Programy\Avast\ashServ.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


--

End of file - 2936 bytes

From Silent Runners

"Silent Runners.vbs", revision 52, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

"ZoneAlarm Client" = ""D:\Programy\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]


HKLM\Software\Microsoft\Active Setup\Installed Components\

{8b15971b-5355-4c82-8c07-7e181ea07608}\(Default) = "Fax"

                                       \StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser" [MS]

{94de52c8-2d59-4f1b-883e-79663d2d9a8c}\(Default) = "Fax Provider"

                                       \StubPath = "rundll32.exe C:\WINDOWS\system32\Setup\FxsOcm.dll,XP_UninstallProvider" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "D:\Programy\AdobeReader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{31FF080D-12A3-439A-A2EF-4BA95A3148E8}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "bho2gr Class"

                   \InProcServer32\(Default) = "D:\Programy\GetRight\xx2gr.dll" ["Headlight Software, Inc."]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "SSVHelper Class"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "D:\Programy\Avast\ashShell.dll" ["ALWIL Software"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\Programy\WinRAR\rarext.dll" [null data]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Eksplorator pulpitów"

  -> {HKLM...CLSID} = "Eksplorator pulpitów"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"

  -> {HKLM...CLSID} = "ZLAVShExt Class"

                   \InProcServer32\(Default) = "D:\Programy\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)

  -> {HKLM...CLSID} = "SABShellExecuteHook Class"

                   \InProcServer32\(Default) = "D:\Programy\SuperAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> !SASWinLogon\DLLName = "D:\Programy\SuperAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "D:\Programy\AdobeReader\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "D:\Programy\Avast\ashShell.dll" ["ALWIL Software"]

HexWorkshopContextMenu\(Default) = "{7bc80fe0-4b41-11cf-8fba-444553540000}"

  -> {HKLM...CLSID} = "Hex Workshop Shell Extension"

                   \InProcServer32\(Default) = "d:\programy\HexWorkshop\hwext.dll" ["BreakPoint Software, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\Programy\WinRAR\rarext.dll" [null data]

ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"

  -> {HKLM...CLSID} = "ZLAVShExt Class"

                   \InProcServer32\(Default) = "D:\Programy\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\Programy\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "D:\Programy\Avast\ashShell.dll" ["ALWIL Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\Programy\WinRAR\rarext.dll" [null data]

ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"

  -> {HKLM...CLSID} = "ZLAVShExt Class"

                   \InProcServer32\(Default) = "D:\Programy\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Pawel\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

CutePDF Writer Monitor\Driver = "cpwmon2k.dll" [null data]

hpzsnt08\Driver = "hpzsnt08.dll" ["HP"]



---------- (launch time: 2007-11-17 19:28:04)

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 190 seconds.

---------- (total run time: 268 seconds)

Will any other logs be necessary?

Oh, and... I deleted the autorun file from the flash drive; I left that ufo.exe alone for now (the flash drive isn't mine, and the owner doesn't know what it is either).
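The first post describes an Autorun.inf that pointed at UFO.exe on the flash drive. The following is an added example, not code from this thread or from any of the tools mentioned in it: a small parser that reads an autorun.inf and reports which entries would cause a program to run on insertion. The autorun.inf contents are constructed for illustration; only the filename UFO.exe comes from the thread.

```python
"""Parse an autorun.inf and report which entries would launch a program.

Added example, not the poster's own code. The sample autorun.inf below is
constructed for illustration; the filename UFO.exe comes from the thread,
everything else is made up.
"""
import re

# Constructed sample: the default shell action and the "open" action both
# point at a program sitting in the root of the drive.
SAMPLE_AUTORUN_INF = """\
[autorun]
open=UFO.exe
icon=UFO.exe,0
shellexecute=UFO.exe
shell\\open\\command=UFO.exe
shell=open
label=Photos
"""

# Keys that, under classic AutoRun/AutoPlay, cause something to be executed.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command=... registers a verb whose command is run from the drive.
LAUNCH_COMMAND_RE = re.compile(r"^shell\\([^\\]+)\\command$")


def parse_autorun_inf(text):
    """Return {section: {key: value}} with lowercase section and key names.

    Tolerant of surrounding whitespace, blank lines, ';' comments and
    repeated keys (the last occurrence wins).
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_entries(text):
    """List (key, command) pairs from [autorun] that would run a program."""
    autorun = parse_autorun_inf(text).get("autorun", {})
    found = []
    for key, value in autorun.items():
        if key in LAUNCH_KEYS or LAUNCH_COMMAND_RE.match(key):
            found.append((key, value))
    return found


def is_suspicious(text):
    """True if any launch entry points at an executable or script on the drive.

    A legitimate vendor autorun.inf also uses open=, so this is a heuristic
    for "this removable drive would run code on insertion", not a verdict.
    """
    exts = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")
    for _, cmd in launch_entries(text):
        parts = cmd.split()
        target = parts[0].lower() if parts else ""
        if target.endswith(exts):
            return True
    return False


if __name__ == "__main__":
    for key, cmd in launch_entries(SAMPLE_AUTORUN_INF):
        print(f"{key} -> {cmd}")
    print("suspicious:", is_suspicious(SAMPLE_AUTORUN_INF))
```

Whether the entries actually fire depends on the host, which is the poster's uncertainty: on Windows XP the `NoDriveTypeAutoRun` value under `HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer` (0xFF disables AutoRun for every drive type) decides that, so a script like this tells you what the drive would do, and the registry value tells you whether the machine would have let it.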

The HijackThis log is clean

Download ComboFix, scan the computer with it and post the log

:)

OK, I'll post the ComboFix log in a moment, but what is this about in the Silent Runners log:

<>: Suspicious data at a malware launch point.

?

Posts merged: 17.11.2007 (Sat) 20:29

ComboFix log:

The log looks clean

you can remove that file this way

open Notepad and paste

File:: 

C:\WINDOWS\system\SysSD.dll

save it as CFScript (save it so that the CFScript.txt icon sits next to the ComboFix.exe icon) >> Drag and drop the CFScript.txt icon onto the ComboFix.exe icon

http://img.wklej.org/images/88953CFScri … iemoes.gif

when asked “1 or 2”, type 1 and press ENTER

Removal should begin

After the reboot, manually delete the folder C:\Qoobox

:)

Thanks. Or would it be enough to delete that SysSD.dll manually? (with System Restore disabled). Fine, if that doesn't work, I'll remove it the way you advised. As for the file from the flash drive - I opened it in a text editor under Linux, and this string caught my attention:

F i l e D e s c r i p t i o n S e r v i c e s a n d C o n t r o l l e r a p p ` L e g a l C o p y r i g h t ( C ) M i c r o s o f t C o r p o r a t i o n . A l l r i g h t s r e s e r v e d . t R P r o d u c t N a m e M i c r o s o f t ( R ) W i n d o w s ( R ) O p e r a t i n g S y s t e m 4 F i l e V e r s i o n 5 . 0 1 . 2 1 9 6 8 P r o d u c t V e r s i o n 5 . 0 1 . 2 1 9 6 0 I n t e r n a l N a m e s e c p o l @ O r i g i n a l F i l e n a m e s e c p o l . e x e

I put secpol.exe into Google and the results are not encouraging.

Download the program SDFix

SDFix log:
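The spaced-out text in the post above is a VERSIONINFO resource stored as UTF-16LE: every Latin character is followed by a 0x00 byte, which a plain text editor shows as a gap, so "FileDescription" reads as "F i l e D e s c r i p t i o n". The following is an added example, not code from this thread: it extracts such wide strings from a byte blob the way `strings -el` does, pairs the known version-info field names with their values, and flags a file whose embedded OriginalFilename does not match its name on disk. The blob is constructed inline to mimic the strings quoted in the post; the field values are taken from that quote and the junk bytes around them are made up.

```python
"""Extract UTF-16LE ("wide") strings from a binary and read version fields.

Added example, not the poster's own code. The sample blob is constructed to
resemble the VERSIONINFO strings quoted in the thread; the surrounding
bytes are arbitrary filler.
"""
import re

# Field names found in the StringFileInfo block of a VERSIONINFO resource.
VERSION_FIELDS = {
    "FileDescription", "LegalCopyright", "ProductName", "FileVersion",
    "ProductVersion", "InternalName", "OriginalFilename", "CompanyName",
}


def build_sample_blob():
    """Constructed sample: name/value pairs as UTF-16LE with filler between."""
    pairs = [
        ("FileDescription", "Services and Controller app"),
        ("LegalCopyright", "(C) Microsoft Corporation. All rights reserved."),
        ("ProductName", "Microsoft(R) Windows(R) Operating System"),
        ("FileVersion", "5.01.2196"),
        ("InternalName", "secpol"),
        ("OriginalFilename", "secpol.exe"),
    ]
    blob = b"MZ\x90\x00\x03\x00\x00\x00"  # arbitrary leading bytes
    for name, value in pairs:
        blob += name.encode("utf-16-le") + b"\x00\x00"   # NUL-terminated key
        blob += b"\x01\x02\x03"                           # filler, like length/padding words
        blob += value.encode("utf-16-le") + b"\x00\x00"  # NUL-terminated value
    return blob + b"\xff" * 16


def find_wide_strings(data, min_len=4):
    """Return printable UTF-16LE runs of at least min_len characters.

    A run is a printable ASCII byte followed by 0x00, repeated; this is the
    same heuristic `strings -el` uses.
    """
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def version_fields(strings):
    """Pair each known VERSIONINFO field name with the string following it."""
    fields = {}
    for i, s in enumerate(strings):
        if s in VERSION_FIELDS and i + 1 < len(strings):
            fields[s] = strings[i + 1]
    return fields


def mismatched_original_filename(path_on_disk, fields):
    """True when the embedded OriginalFilename differs from the on-disk name.

    A copied Microsoft version block makes a file look benign to a casual
    look; a file called UFO.exe that claims to be secpol.exe deserves a
    closer look regardless of what the scanner says.
    """
    original = fields.get("OriginalFilename", "")
    on_disk = path_on_disk.replace("\\", "/").rsplit("/", 1)[-1]
    return bool(original) and original.lower() != on_disk.lower()


if __name__ == "__main__":
    found = find_wide_strings(build_sample_blob())
    for s in found:
        print(repr(s))
    info = version_fields(found)
    print("mismatch:", mismatched_original_filename("/media/usb/UFO.exe", info))
```

Run against a real file, `find_wide_strings(open(path, "rb").read())` gives the same list, and the same check applies to any executable whose name on disk does not match what its own version block claims.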

SDFix: Version 1.115


Run by Pawel on 2007-11-19 at 17:44


Microsoft Windows XP [Wersja 5.1.2600]


Running From: C:\SDFix


Safe Mode:

Checking Services: 



Restoring Windows Registry Values

Restoring Windows Default Hosts File


Rebooting...



Normal Mode:

Checking Files: 


No Trojan Files Found






Removing Temp Files...


ADS Check:


C:\WINDOWS

No streams found. 


C:\WINDOWS\system32

No streams found. 


C:\WINDOWS\system32\svchost.exe

No streams found.


C:\WINDOWS\system32\ntoskrnl.exe

No streams found.




                                 Final Check:


catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-11-19 17:48:25

Windows 5.1.2600 Dodatek Service Pack 2 NTFS


scanning hidden processes ...


scanning hidden services & system hive ...


scanning hidden registry entries ...


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]

"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,..


scanning hidden files ...


scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0



Remaining Services:

------------------




Authorized Application Key Export:


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"D:\\Programy\\AQQ\\AQQ.exe"="D:\\Programy\\AQQ\\AQQ.exe:*:Enabled:P2P AQQ"


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]


Remaining Files:

---------------



Files with Hidden Attributes:


Sun 28 Oct 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Sun 29 Jul 2007 25,802,312 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\510fd197909dd722575ec6e361c56938\BIT38.tmp"


Finished!

I have one more question - I noticed that after SDFix finished, the startup type of some services changed (including Automatic Updates). The name of the service "Zasilacz awaryjny UPS" (Uninterruptible Power Supply) also changed to English. How do I get the Polish name back? I have a Polish Windows. This problem occurs with several services. I have the appropriate restore points, but can it be done in another way? The same with ComboFix.