Problem z Virtumonde

klucznik · 23 Marzec 2008 12:13

Witam

Od około miesiąca zmagam sie z szkodnikiem Virtumonde. Jest on strasznie uciążliwy, gdyż za każdym razem jak uruchamiam komputer, nod mi pokazuje

Prosze o pomoc i o szczegółowe jej opisanie. Dziękuje.

Combofix

ComboFix 08-03-22.3 - Admin 2008-03-23 9:50:25.1 - FAT32x86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.275 [GMT 1:00] Running from: C:\Documents and Settings\Admin\Pulpit\ComboFix.exe * Created a new restore point * Resident AV is active WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\BMa71fe1b4.xml C:\WINDOWS\cookies.ini C:\WINDOWS\pskt.ini C:\WINDOWS\system32\cmds.txt C:\WINDOWS\system32\gxfhqvgl.dll C:\WINDOWS\system32\hmctdwqt.dll C:\WINDOWS\system32\imomidaa.dll C:\WINDOWS\system32\looknlge.dll C:\WINDOWS\system32\mcrh.tmp C:\WINDOWS\system32\mmpldxaf.dll C:\WINDOWS\system32\oolglvgt.dll C:\WINDOWS\system32\pisdpvmg.ini C:\WINDOWS\system32\sdeenmhq.dll C:\WINDOWS\system32\seidllma.dll C:\WINDOWS\system32\slmodypr.dll C:\WINDOWS\system32\tcnmhyoi.dll C:\WINDOWS\system32\tkcom32.dll C:\WINDOWS\system32\tqwdtcmh.ini C:\WINDOWS\system32\tuvtrqp.dll C:\WINDOWS\system32\tyuncwmh.dll C:\WINDOWS\system32\wbpufdvs.dll C:\WINDOWS\system32\xqjapmsy.dll C:\WINDOWS\system32\xyyxx.ini C:\WINDOWS\system32\xyyxx.ini2 C:\WINDOWS\system32\ysmpajqx.ini . ((((((((((((((((((((((((( Files Created from 2008-02-23 to 2008-03-23 ))))))))))))))))))))))))))))))) . 2008-03-23 09:40 . 2008-03-23 09:40 2008-03-21 12:19 . 2008-03-21 21:52 1,367,352 —hs---- C:\WINDOWS\system32\cxjpirem.ini2 2008-03-21 12:17 . 2008-03-21 12:17 2008-03-18 17:43 . 2008-03-18 17:43 1 --a------ C:\WINDOWS\system32\rc.dat 2008-03-18 17:43 . 2008-03-18 17:43 1 --a------ C:\WINDOWS\system32\ps1.dat 2008-03-18 17:40 . 2008-03-18 17:40 3,705 --a------ C:\WINDOWS\system32\hi.sfc 2008-03-16 11:32 . 2006-05-03 22:53 174,592 --a------ C:\WINDOWS\system32\framedyn.dll 2008-03-16 11:31 . 2005-12-22 12:24 137,884 --a------ C:\WINDOWS\system32\drivers\sscdmdm.sys 2008-03-16 11:31 . 2005-12-22 12:24 80,272 --a------ C:\WINDOWS\system32\drivers\sscdbus.sys 2008-03-16 11:31 . 2005-12-22 12:24 11,877 --a------ C:\WINDOWS\system32\drivers\sscdcmnt.sys 2008-03-16 11:31 . 2005-12-22 12:24 11,877 --a------ C:\WINDOWS\system32\drivers\sscdcm.sys 2008-03-16 11:31 . 2005-12-22 12:24 11,188 --a------ C:\WINDOWS\system32\drivers\sscdwhnt.sys 2008-03-16 11:31 . 2005-12-22 12:24 11,188 --a------ C:\WINDOWS\system32\drivers\sscdwh.sys 2008-03-16 11:31 . 2005-12-22 12:24 10,864 --a------ C:\WINDOWS\system32\drivers\sscdmdfl.sys 2008-03-16 11:30 . 2008-03-16 11:30 2008-03-16 11:30 . 2005-08-28 20:51 766 --a------ C:\WINDOWS\system32\Uninstall.ico 2008-03-16 11:29 . 2008-03-16 11:29 2008-03-16 11:29 . 2006-07-24 16:05 5,632 --a------ C:\WINDOWS\system32\drivers\StarOpen.sys 2008-03-16 10:19 . 2008-03-16 10:18 1,367,292 --ahs---- C:\WINDOWS\system32\cxjpirem.ini 2008-03-16 10:13 . 2008-03-16 10:13 1,367,292 —hs---- C:\WINDOWS\system32\cxjpirem.tmp 2008-03-16 10:06 . 2008-03-16 10:06 2008-03-15 08:26 . 2008-03-15 08:26 2008-03-12 16:13 . 2008-03-13 16:20 1,318,488 —hs---- C:\WINDOWS\system32\gvisfrqh.ini 2008-03-10 15:03 . 2008-03-11 15:21 1,317,454 —hs---- C:\WINDOWS\system32\mgishreh.ini 2008-03-09 15:00 . 2008-03-10 15:02 1,318,943 —hs---- C:\WINDOWS\system32\muumcdqu.ini 2008-03-07 18:41 . 2008-03-08 13:57 1,308,401 —hs---- C:\WINDOWS\system32\xvbdgpbi.ini 2008-03-06 12:59 . 2008-03-07 18:42 1,308,161 —hs---- C:\WINDOWS\system32\xljotcrs.ini 2008-03-04 21:13 . 2008-03-06 13:00 1,307,571 —hs---- C:\WINDOWS\system32\bthviqhm.ini 2008-03-04 14:56 . 2008-03-04 14:56 2008-03-03 21:16 . 2008-03-04 21:16 1,303,378 —hs---- C:\WINDOWS\system32\ivjklsra.ini 2008-03-01 15:04 . 2008-03-01 15:04 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys 2008-03-01 15:04 . 2008-03-01 15:04 298,104 --a------ C:\WINDOWS\system32\imon.dll 2008-03-01 15:04 . 2008-03-01 15:04 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys 2008-02-28 21:27 . 2008-02-28 21:27 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-02-18 20:28 323,072 ------w C:\WINDOWS\system32\xxyyx.dll 2008-02-15 14:56 --------- d-----w C:\Program Files\Microsoft.NET 2008-02-14 12:55 --------- d-----w C:\Program Files\Common Files\Adobe 2008-02-12 13:29 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment 2008-02-11 19:04 --------- d-----w C:\Program Files\Java 2008-02-11 19:03 --------- d-----w C:\Program Files\Common Files\Java 2008-02-11 18:53 21,840 ----a-w C:\WINDOWS\system32\SIntfNT.dll 2008-02-11 18:53 17,212 ----a-w C:\WINDOWS\system32\SIntf32.dll 2008-02-11 18:53 12,067 ----a-w C:\WINDOWS\system32\SIntf16.dll 2008-02-11 16:24 --------- d-----w C:\Program Files\Norton AntiVirus 2008-02-11 16:23 --------- d-----w C:\Program Files\Symantec 2008-02-11 16:23 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-02-11 16:23 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Symantec 2008-02-09 18:51 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-02-09 12:55 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\TEMP 2008-02-09 08:36 --------- d-----w C:\Documents and Settings\Admin\Dane aplikacji\Gadu-Gadu 2008-02-09 07:54 --------- d-----w C:\Program Files\Creative 2008-02-09 07:53 --------- d-----w C:\Program Files\Eset 2008-02-08 21:25 --------- d-----w C:\Program Files\Common Files\InstallShield 2008-02-08 20:58 --------- d-----w C:\Documents and Settings\Admin\Dane aplikacji\ESET 2008-02-08 20:54 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\ESET 2008-02-08 20:25 --------- d-----w C:\Program Files\microsoft frontpage 2008-02-08 20:21 --------- d-----w C:\Program Files\Usługi online 2007-10-22 02:49 867,848 ----a-w C:\Program Files\NOV2007_d3dx10_36_x64.cab 2007-10-22 02:49 807,132 ----a-w C:\Program Files\NOV2007_d3dx10_36_x86.cab 2007-10-22 02:49 49,392 ----a-w C:\Program Files\NOV2007_X3DAudio_x64.cab 2007-10-22 02:49 44,850 ----a-w C:\Program Files\dxdllreg_x86.cab 2007-10-22 02:49 21,744 ----a-w C:\Program Files\NOV2007_X3DAudio_x86.cab 2007-10-22 02:49 200,010 ----a-w C:\Program Files\NOV2007_XACT_x64.cab 2007-10-22 02:49 151,512 ----a-w C:\Program Files\NOV2007_XACT_x86.cab 2007-10-22 02:49 1,805,306 ----a-w C:\Program Files\NOV2007_d3dx9_36_x64.cab 2007-10-22 02:49 1,712,608 ----a-w C:\Program Files\NOV2007_d3dx9_36_x86.cab . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE~\Browser Helper Objects{07C7156E-D651-4ACC-9AD3-498C916E9651}] C:\WINDOWS\system32\tuvtrqp.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{4D801C6C-400B-48B9-B337-6FDD6B82B4C8}] 2008-02-18 21:28 323072 --------- C:\WINDOWS\system32\xxyyx.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{FFFFFFFF-8F0D-4322-B01F-B42439E0B71C}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-03 22:44 15360] “MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2004-08-04 00:55 1667584] “AdobeUpdater”=“C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe” [2007-03-01 10:37 2321600] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2005-12-10 03:06 7311360] “nwiz”=“nwiz.exe” [2005-12-10 03:06 1519616 C:\WINDOWS\system32\nwiz.exe] “NvMediaCenter”=“C:\WINDOWS\system32\NvMcTray.dll” [2005-12-10 03:06 86016] “CreativeMixer”=“C:\Program Files\Creative\Audio2K\PROGRAM\CTMIX32.exe” [1999-11-18 06:01 20480] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.5.0\bin\jusched.exe” [2008-02-11 20:04 36972] “Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2007-10-10 19:51 39792] “nod32kui”=“C:\Program Files\Eset\nod32kui.exe” [2008-03-01 15:04 949376] “a42cd228”=“C:\WINDOWS\system32\meripjxc.dll” [] “combofix”=“C:\WINDOWS\system32\CF4766.exe” [2004-08-03 22:44 395776] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2004-08-03 22:44 15360] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] “{07C7156E-D651-4ACC-9AD3-498C916E9651}”= C:\WINDOWS\system32\tuvtrqp.dll [] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvtrqp] tuvtrqp.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\xxyyx.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center] “AntiVirusDisableNotify”=dword:00000001 [HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile] “EnableFirewall”= 0 (0x0) [HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] “%windir%\system32\sessmgr.exe”= “D:\programy\Gadu-Gadu\gg.exe”= . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-03-23 09:59:17 Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\system32\lsass.exe - C:\WINDOWS\system32\xxyyx.dll - C:\Program Files\Eset\pr_imon.dll . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Eset\nod32krn.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Java\jre1.5.0\bin\jucheck.exe C:\WINDOWS\system32\wscntfy.exe . ************************************************************************** . Completion time: 2008-03-23 10:01:31 - machine was rebooted ComboFix-quarantined-files.txt 2008-03-23 09:01:24 . 2008-03-03 09:08:10 — E O F — Hijackthis Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:05:24, on 2008-03-23 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Eset\nod32krn.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Creative\Audio2K\PROGRAM\CTMIX32.EXE C:\Program Files\Java\jre1.5.0\bin\jusched.exe C:\Program Files\Eset\nod32kui.exe C:\Program Files\Java\jre1.5.0\bin\jucheck.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE D:\programy\Gadu-Gadu\gg.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: SrchHook Class - {F4F10C1D-87C7-404A-B4B3-000000000000} - D:\programy\DAP\SBSearch.dll (file missing) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {4D801C6C-400B-48B9-B337-6FDD6B82B4C8} - C:\WINDOWS\system32\xxyyx.dll O2 - BHO: (no name) - {FFFFFFFF-8F0D-4322-B01F-B42439E0B71C} - (no file) O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [CreativeMixer] C:\Program Files\Creative\Audio2K\PROGRAM\CTMIX32.EXE /t O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe O4 - HKLM…\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE O4 - HKLM…\Run: [a42cd228] rundll32.exe “C:\WINDOWS\system32\meripjxc.dll”,b O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’) O8 - Extra context menu item: Eksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O20 - Winlogon Notify: tuvtrqp - tuvtrqp.dll (file missing) O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\programy\Ares\chatServer.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe – End of file - 4491 bytes

jessica · 23 Marzec 2008 13:01

Wklej do Notatnika :

File::

C:\WINDOWS\system32\cxjpirem.ini2

C:\WINDOWS\system32\rc.dat

C:\WINDOWS\system32\ps1.dat

C:\WINDOWS\system32\hi.sfc

C:\WINDOWS\system32\cxjpirem.ini

C:\WINDOWS\system32\cxjpirem.tmp

C:\WINDOWS\system32\gvisfrqh.ini

C:\WINDOWS\system32\mgishreh.ini

C:\WINDOWS\system32\muumcdqu.ini

C:\WINDOWS\system32\xvbdgpbi.ini

C:\WINDOWS\system32\xljotcrs.ini

C:\WINDOWS\system32\bthviqhm.ini

C:\WINDOWS\system32\ivjklsra.ini

C:\WINDOWS\system32\xxyyx.dll


Folder::

C:\FOUND.002

C:\FOUND.001


Registry::


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07C7156E-D651-4ACC-9AD3-498C916E9651}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D801C6C-400B-48B9-B337-6FDD6B82B4C8}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-8F0D-4322-B01F-B42439E0B71C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"a42cd228"=-

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehook]

"{07C7156E-D651-4ACC-9AD3-498C916E9651}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvtrqp]

>>Plik>>Zapisz jako… >>> CFScript

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe

–>

Ma się rozpocząć usuwanie. (i powstanie log). Daj ten log, który powstanie w trakcie usuwania.

Log wklej na http://wklej.org/, a w poście daj tylko link.(czyli skopiuj adres z paska adresów) .

Jeśli pójdzie dobrze, to: Po restarcie usuń ręcznie folder C:** Qoobox**.

jessi

klucznik · 23 Marzec 2008 13:43

Pomogło ;), nie uruchamia sie juz to okienko z noda. Folder usunąłem i dołączam link

Jestem Ci bardzo wdzięczny i podziwiam, że umiesz wyśledzić to co najważniejsze w tych logach, gdyż ja się na tym nie znam.

jessica · 23 Marzec 2008 14:03

Tak, ten log jest już czysty.

jessi