Proszę o sprawdzenie loga - trojan.drooper


(Milcia80) #1

Witam.

Od niedawna monitor antywirusowy pokazuje mi komunikat o tym że mam trojana.dropper.delf.of.

Próbowałam już różnymi sposobami tu opisanymi usunąc ten syf, ściągnełam spyremover, ad-awara i nic. Ad-awar i panda wieszały mi się w połowie, strasznie wolno komputer chodzi, otwiera internet i ogólnie tragedia.

MKS znalazł i skasował jakieś 300 zakażonych plików.

trojan znajduje sie gdzieś tu: C:/WINDOWS/system32

A oto log:

Logfile of HijackThis v1.99.1

Scan saved at 21:44:00, on 2006-02-17

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\MKS\Bin\NetMonSV.exe

C:\Program Files\MKS\Bin\mksmonsv.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\MKS\Bin\mks_scan.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\MKS\Bin\mks_menu.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Milcia\Pulpit\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://fwalerts.zonelabs.com/fwalerts/fwanalyze.jsp?V103=AdXuYe3V7mhQQwcAAIsAAAABAAAAAQAAAAIAAAABAAAAooYBADAxMDIVBAMAAQANAQL0AgAAAAAAAAACQAAA//8Q+ZLN37973092671751-1023,,,,Windows+XP-5.1.2600-Dodatek+Service+Pack+2-SP,6.0.667.000,ExtBlockAll2,j5hvqhisiu3s4he7bhx644bu4g0,1,,&CL=en&LICFLAG=1&OEM=1023&SKU=0&Mode=1&Product=ZoneAlarm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O4 - HKLM\..\Run: [MKS_MENU] C:\Program Files\MKS\Bin\mks_menu.exe

O4 - HKLM\..\Run: [ABREGMON] C:\Program Files\MKS\Bin\ABregmon.exe

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe

O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe

O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O4 - HKCU\..\Run: [Gadu-Gadu] C:\Program Files\Gadu-Gadu\powergg.exe /tray

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{5323D15B-B8F4-4418-9E10-A679D54BBF52}: NameServer = 195.114.161.55 195.114.181.130

O23 - Service: ArcaBit NetMonitor (ABNetMon) - ArcaBit sp. z o.o. - C:\Program Files\MKS\Bin\NetMonSV.exe

O23 - Service: MkSUpdateInt - MkS Sp. z o. o. - C:\Program Files\MKS\bin\MkSUpdateInt.exe

O23 - Service: MkS_Vir Monitor (MksVirMonSvc) - Unknown owner - C:\Program Files\MKS\Bin\mksmonsv.exe

O23 - Service: MkS_Scan - Unknown owner - C:\Program Files\MKS\Bin\mks_scan.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Będę wdzięczna za pomoc, bo prawde mówiąc jest to juz strasznie uciążliwe.

Pozdrawiam


(Kuz5) #2

Log masz ok

Podaj jego pełna lokalizacje

Pobierz program Ewido zrób update i przeskanuj

Wklej loga SilentRunners


(Gutek) #3

EWIDO pobierz - STĄD :wink:


(Milcia80) #4

Witam ponownie.

Dziekuje serdecznie za pomoc. Zrobiłam tak jak napisaliście i chyba jest czysto. Skanowałam Ewido, znalazł jedynie kilka “ciasteczek”. Po trojanie ani śladu, skanowałam mksem, i innymi programami, które gdzieś na tym forum znalałam. I chyba sie udało go usunąc. Nie ukazuje mi się już zaden komunikat o trojanie.

A oto log z Silent Runners (chyba dobrze zrobiłam? nie znam angielskiego :/)

Oby było wszystko ok.

Pozdrawiam


(Gblade) #5

Log obcięty, poczekaj aż dostaniesz info o zakończeniu generowania :wink:


(Milcia80) #6

Teraz powinno byc dobrze :slight_smile:

"Silent Runners.vbs", revision 43, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\PowerGG.exe"" [null data]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"MKS_MENU" = "C:\Program Files\MKS\Bin\mks_menu.exe" ["MKS Sp. z o.o."]

"ABREGMON" = "C:\Program Files\MKS\Bin\ABregmon.exe" ["ArcaBit"]

"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]

"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: "]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]

MkS_Vir\(Default) = "{CC4245C0-D511-11D0-8918-444553540000}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MKS\Bin\MkSShell.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

MkS_Vir\(Default) = "{CC4245C0-D511-11D0-8918-444553540000}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MKS\Bin\MkSShell.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Milcia\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper2.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]



Enabled Scheduled Tasks:

------------------------


"MkSUpdate" -> launches: "C:\Program Files\MKS\bin\mks_upd.exe Task" ["MkS Sp. z o. o."]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


ArcaBit NetMonitor, ABNetMon, "C:\Program Files\MKS\Bin\NetMonSV.exe" ["ArcaBit sp. z o.o."]

ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]

ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido anti-malware\ewidoguard.exe" ["ewido networks"]

MkS_Scan, MkS_Scan, "C:\Program Files\MKS\Bin\mks_scan.exe" [empty string]

MkS_Vir Monitor, MksVirMonSvc, "C:\Program Files\MKS\Bin\mksmonsv.exe" [empty string]

TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,

  use the -supp parameter or answer "No" at the first message box.

---------- (total run time: 302 seconds, including 17 seconds for message boxes)

(Kuz5) #7

Log masz ok