Próba nawiazania połączenia wychodzacego pod staly adres IP

fatezzz · 10 Marzec 2007 11:38

Witam!

Świeżo po instalacji systemu WinXP, Avast’a i Kerio. Ten ostatni w trybie zaawansowanym.

Była jedna sytuacja, gdy coś się mogło przebić. I właśnie po tej sytuacji Kerio wyrzucił mi informacje:

Process c:\winfs16.exe injected dangerous code into c:\windows\explorer.exe (code address: 0x012130A3)

Długo nie myśląc podmieniłem explorer.exe z poprzedniej instalacji Windy (z drugiego dysku uruchamiając z niego system).

Ten problem zniknął, jednak Kerio systematycznie informuje mnie o próbie wychodzącego połączenia pod adres

ip: 89.188.16.18 i to każdym możliwym programem (WinZIP, TotalCMD, iTouch, CreativeHQ, whatever…)

To mój log:

Logfile of HijackThis v1.99.1 Scan saved at 12:07:17, on 2007-03-10 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Creative\SBLive\AudioHQ\AHQTBU.EXE C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Logitech\iTouch\iTouch.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe C:\Program Files\Logitech\MouseWare\system\em_exec.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\SSH Client Putty\putty.exe E:\install\network\Hijack This v1.99.1\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://adtest.gadu-gadu.pl/clickmsg.asp … d%3D392663 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: (no name) - {D7A76D80-1086-458A-8C2C-026BF9F4B823} - C:\WINDOWS\system32\hggddbx.dll O4 - HKLM…\Run: [AudioHQU] C:\Program Files\Creative\SBLive\AudioHQ\AHQTBU.EXE O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe O4 - HKLM…\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: hggddbx - C:\WINDOWS\SYSTEM32\hggddbx.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Pierwszy raz używam Hijack This, więc zupełnie nie wiem jak się do tego zabrać. Pomóżcie…

btw. zastanawia mnie ten:

O2 - BHO: (no name) - {D7A76D80-1086-458A-8C2C-026BF9F4B823} - C:\WINDOWS\system32\hggddbx.dll

JNJN · 10 Marzec 2007 11:54

Przeczytaj tematy przyklejone w tym dziale i popraw posta.JNJN

adam9870 · 10 Marzec 2007 12:12

Masz trojana Vundo:

Ściągasz program KillBox, zaznaczasz Delete on reboot , w polu full path of file wklej ścieżkę:

C:\WINDOWS\SYSTEM32\hggddbx.dll

Klikasz X czerwony i restart kompa.

Użyj VundoFix + FixVundo + VirtumundoBeGone. Wszystkie narzędzia należy uruchomić będąc w trybie awaryjnym.

Po wykonaniu pokaż nowy log z hjt, SilentRunners, Comboscan oraz zawartość pliku c:\vundofix.txt

fatezzz · 10 Marzec 2007 14:09

Zrobiłem tak i chyba wyleczyłem, a w zasadzie Ty wyleczyłeś

Logi po zadaniu

Logfile of HijackThis v1.99.1 Scan saved at 15:03:57, on 2007-03-10 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Creative\SBLive\AudioHQ\AHQTBU.EXE C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Logitech\iTouch\iTouch.exe C:\Program Files\Logitech\MouseWare\system\em_exec.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe C:\WINDOWS\system32\wuauclt.exe E:\install\network\Hijack This v1.99.1\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://adtest.gadu-gadu.pl/clickmsg.asp … d%3D392663 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O4 - HKLM…\Run: [AudioHQU] C:\Program Files\Creative\SBLive\AudioHQ\AHQTBU.EXE O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe O4 - HKLM…\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

[03/10/2007, 15:00:37] - VirtumundoBeGone v1.5 ( “E:\install\antivir\vundo\VirtumundoBeGone.exe” ) [03/10/2007, 15:00:40] - Detected System Information: [03/10/2007, 15:00:40] - Windows Version: 5.1.2600, Dodatek Service Pack 2 [03/10/2007, 15:00:40] - Current Username: Administrator (Admin) [03/10/2007, 15:00:40] - Windows is in SAFE mode with Networking. [03/10/2007, 15:00:40] - Searching for Browser Helper Objects: [03/10/2007, 15:00:40] - BHO 1: {D7A76D80-1086-458A-8C2C-026BF9F4B823} () [03/10/2007, 15:00:40] - WARNING: BHO has no default name. Checking for Winlogon reference. [03/10/2007, 15:00:40] - Checking for HKLM…\Winlogon\Notify\hggddbx [03/10/2007, 15:00:40] - Found: HKLM…\Winlogon\Notify\hggddbx - This is probably Virtumundo. [03/10/2007, 15:00:40] - Assigning {D7A76D80-1086-458A-8C2C-026BF9F4B823} MSEvents Object [03/10/2007, 15:00:40] - BHO list has been changed! Starting over… [03/10/2007, 15:00:40] - BHO 1: {D7A76D80-1086-458A-8C2C-026BF9F4B823} (MSEvents Object) [03/10/2007, 15:00:40] - ALERT: Found MSEvents Object! [03/10/2007, 15:00:40] - Finished Searching Browser Helper Objects [03/10/2007, 15:00:41] - *** Detected MSEvents Object [03/10/2007, 15:00:41] - Trying to remove MSEvents Object… [03/10/2007, 15:00:42] - Terminating Process: IEXPLORE.EXE [03/10/2007, 15:00:42] - Terminating Process: RUNDLL32.EXE [03/10/2007, 15:00:42] - Disabling Automatic Shell Restart [03/10/2007, 15:00:42] - Terminating Process: EXPLORER.EXE [03/10/2007, 15:00:42] - Suspending the NT Session Manager System Service [03/10/2007, 15:00:42] - Terminating Windows NT Logon/Logoff Manager [03/10/2007, 15:00:42] - Re-enabling Automatic Shell Restart [03/10/2007, 15:00:42] - File to disable: C:\WINDOWS\system32\hggddbx.dll [03/10/2007, 15:00:42] - Renaming C:\WINDOWS\system32\hggddbx.dll -> C:\WINDOWS\system32\hggddbx.dll.vir [03/10/2007, 15:00:43] - File successfully renamed! [03/10/2007, 15:00:43] - Removing HKLM…\Browser Helper Objects{D7A76D80-1086-458A-8C2C-026BF9F4B823} [03/10/2007, 15:00:43] - Removing HKCR\CLSID{D7A76D80-1086-458A-8C2C-026BF9F4B823} [03/10/2007, 15:00:43] - Adding Kill Bit for ActiveX for GUID: {D7A76D80-1086-458A-8C2C-026BF9F4B823} [03/10/2007, 15:00:43] - Deleting ATLEvents/MSEvents Registry entries [03/10/2007, 15:00:43] - Removing HKLM…\Winlogon\Notify\hggddbx [03/10/2007, 15:00:43] - Searching for Browser Helper Objects: [03/10/2007, 15:00:43] - Finished Searching Browser Helper Objects [03/10/2007, 15:00:43] - Finishing up… [03/10/2007, 15:00:43] - A restart is needed. [03/10/2007, 15:00:53] - Attempting to Restart via STOP error (Blue Screen!)