Problem z wirusem (Sinowal)

Dariusz_J · 8 Wrzesień 2008 17:39

Witam,

Proszę o pomoc w usunięciu wirusa, którego wykrył mi Kaspersky:

C:\System Volume Information_restore{0342FA35-476A-490E-9559-EAEDD2DED134}\RP11\A0013515.exe Zainfekowanych: Backdoor.Win32.Sinowal.rh

Co dziwne, NOD32 2008 nie wykrywa go.

Dziękuję z góry za pomoc i pozdrawiam.

bartisz · 8 Wrzesień 2008 17:46

Wyłącz przywracanie systemu na wszystkich dyskach, a następnie, po kilku minutach, włącz

2. Wykonaj log z programów Combofix i Hijackthis i wrzuć je na forum (Zasady wklejania logów).

Igoor · 8 Wrzesień 2008 17:59

Używasz jednoczesnie NODa i KIS?

Zmień nazwę tematu na zgodną z regulaminem.

Dariusz_J · 8 Wrzesień 2008 18:59

Oto logi:

ComboFix 08-09-05.09 - Daruś 2008-09-08 20:50:28.8 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.0.1250.1.1045.18.122 [GMT 2:00] Running from: C:\Documents and Settings\Daruś\Pulpit\ComboFix.exe * Created a new restore point * Resident AV is active WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\Downloaded Program Files\setup.inf C:\WINDOWS\system32\mdm.exe C:\WINDOWS\system32\ybeeg.ini . ((((((((((((((((((((((((( Files Created from 2008-08-08 to 2008-09-08 ))))))))))))))))))))))))))))))) . 2008-09-08 20:42 . 2008-09-08 20:42 2008-09-08 13:13 . 2008-09-08 13:13 2008-09-08 13:13 . 2008-09-08 13:13 2008-09-08 13:13 . 2008-09-08 13:13 2008-08-15 15:04 . 2008-08-15 15:04 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-09-08 07:58 --------- d-----w C:\Program Files\INTERIAPL 2008-09-08 07:38 --------- d-----w C:\Program Files\Neostrada TP 2008-09-04 16:56 --------- d-----w C:\Program Files\Yahoo! 2008-08-24 21:56 --------- d-----w C:\Program Files\HP 2008-08-15 13:05 --------- d-----w C:\Program Files\Lavasoft 2008-08-15 13:01 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft 2008-08-04 22:33 --------- d-----w C:\Program Files\Ganymede 2008-07-29 21:08 --------- d-----w C:\Program Files\Windows Media Components 2008-07-29 21:08 --------- d-----w C:\Program Files\V1 Home 2.0 2008-07-27 19:05 --------- d-----w C:\Program Files\Java 2008-07-08 14:27 --------- d-----w C:\Program Files\ESET 2008-07-08 14:25 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\ESET 2008-04-21 10:40 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat 2007-04-16 22:21 463 ----a-w C:\Documents and Settings\Daruś\Dane aplikacji\hvsvyngfto[6].dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “WOOWATCH”=“C:\PROGRA~1\NEOSTR~1\Watch.exe” [2004-08-23 20480] “WOOTASKBARICON”=“C:\PROGRA~1\NEOSTR~1\GestMaj.exe” [2004-10-14 32768] “LWBMOUSE”=“C:\Program Files\NASDAK\OmniMouse Driver\2.1.23\MOUSE32A.EXE” [2001-11-09 356352] “Adobe Photo Downloader”=“C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe” [2007-03-09 63712] “QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [2007-09-17 286720] “HP Software Update”=“C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” [2007-05-08 54840] “Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2008-01-11 39792] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe” [2008-06-10 144784] “egui”=“C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe” [2008-06-10 1447168] “VTTimer”=“VTTimer.exe” [2005-03-07 C:\WINDOWS\system32\VTTimer.exe] “VTTrayp”=“VTtrayp.exe” [2005-01-11 C:\WINDOWS\system32\VTTrayp.exe] “SoundMan”=“SOUNDMAN.EXE” [2004-12-22 C:\WINDOWS\SOUNDMAN.EXE] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” [2001-10-26 13312] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472] HP Photosmart Premier - Szybkie uruchomienie.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 73728] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588] VIA RAID TOOL.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [2007-08-14 585728] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] “vidc.iv31”= C:\WINDOWS\System32\ir32_32.dll “vidc.iv32”= C:\WINDOWS\System32\ir32_32.dll “vidc.mjpg”= mcmjpg32.dll “vidc.ffds”= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader] --a------ 2007-03-09 11:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] --a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] “UpdatesDisableNotify”=dword:00000001 “AntiVirusDisableNotify”=dword:00000001 “AntiVirusOverride”=dword:00000001 “FirewallOverride”=dword:00000001 R1 epfwtdir;epfwtdir;C:\WINDOWS\System32\DRIVERS\epfwtdir.sys [2008-06-10 34312] R3 e4usbaw;USB ADSL2 WAN Adapter;C:\WINDOWS\System32\DRIVERS\e4usbaw.sys [2006-09-19 116992] S2 IKANLOADER2;General Purpose USB Driver (e4ldr.sys);C:\WINDOWS\System32\Drivers\e4ldr.sys [2006-09-15 64000] . - - - - ORPHANS REMOVED - - - - Toolbar-ID - (no file) WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file) . ------- Supplementary Scan ------- . FireFox -: Profile - C:\Documents and Settings\Daruś\Dane aplikacji\Mozilla\Firefox\Profiles\8kx602nt.default\ FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.wp.pl/ . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-09-08 20:52:13 Windows 5.1.2600 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-09-08 20:53:51 ComboFix-quarantined-files.txt 2008-09-08 18:53:38 Pre-Run: 21,259,583,488 bajtów wolnych Post-Run: 21,299,429,376 bajtów wolnych 105 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 20:58:21, on 2008-09-08 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe C:\WINDOWS\System32\FTRTSVC.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\VTTimer.exe C:\WINDOWS\System32\VTtrayp.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\NASDAK\OmniMouse Driver\2.1.23\MOUSE32A.EXE C:\Program Files\Canon\CAL\CALMAIN.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\VIA\RAID\raid_tool.exe C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\Neostrada TP\neostradatp.exe C:\Program Files\Neostrada TP\ComComp.exe C:\PROGRA~1\NEOSTR~1\Toaster.exe C:\PROGRA~1\NEOSTR~1\Inactivity.exe C:\PROGRA~1\NEOSTR~1\PollingModule.exe C:\Program Files\Neostrada TP\Watch.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\explorer.exe C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [VTTimer] VTTimer.exe O4 - HKLM…\Run: [VTTrayp] VTtrayp.exe O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\GestMaj.exe TaskBarIcon.exe O4 - HKLM…\Run: [LWBMOUSE] C:\Program Files\NASDAK\OmniMouse Driver\2.1.23\MOUSE32A.EXE O4 - HKLM…\Run: [Adobe Photo Downloader] “C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe” O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime O4 - HKLM…\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM…\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe” O4 - HKLM…\Run: [egui] “C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe” /hide /waitservice O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’) O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: HP Photosmart Premier - Szybkie uruchomienie.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.33/g_bin/pl/cards_2_0_0_77.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://download.gamedesire.com/g_bin/pl … 0_0_35.cab O16 - DPF: {4B4513E2-4E57-43DF-9496-FCD37E9DFA64} (GameDesire Sea Battle) - http://download.gamedesire.com/g_bin/pl … 0_0_29.cab O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/programs/ … canner.cab O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab O16 - DPF: {70B410C0-BADA-11D4-8308-0080C8D7ED4A} - http://67.15.101.33/g_bin/pl/bridge_2_0_0_24.cab O16 - DPF: {BFA1F11D-3121-AFE1-4112-894323212DAC} (GameDesire Word Games) - http://67.15.101.33/g_bin/pl/words_2_0_0_51.cab O17 - HKLM\System\CCS\Services\Tcpip…{A90F0EFB-1BF7-4C39-A361-DC5064A68205}: NameServer = 194.204.152.34 217.98.63.164 O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe – End of file - 6502 bytes Dziękuję z góry za analizę logów. P.S. Igoor, używam NOD32, Kaspersky’ego on-line scannera używam tylko co jakiś czas dla sprawdzenia.

huber2t · 8 Wrzesień 2008 19:02

fix w hiajckthis

Poza tym ok

usuń ręcznie folder C: \Qoobox , usuń instalkę Combofix z dysku.

Przeczyść komputer Ccleanerem

Wykonaj optymalizację autostartu

Wyłącz i włącz przywracanie systemu na wszystkich dyskach. Instrukcja

Przeskanuj obszar mojego komputera http://www.kaspersky.pl/virusscanner.html (uruchom przez IE) Daj raport z niego na forum

lub

Dr.WEB CureIt!