Trojan.vb.aqt-nie mogę sie go pozbyć.Log HijackThis

Monolito · 26 Grudzień 2007 12:32

Od dłuższego czasu mój komputer okupowany jest przez irytującego trojana-Trojan.vb.aqt.Widziałem kilka tematów użytkowników z tym samym problemem.Próbowałem wykorzystać rady w tamtych tematach,ale to nic nie dało.Udało mi sie wywalić ctfmon.exe z autostartu.W folderze system32 gdy wywalam ctfmon.exe to on po jakichś 15sekundach sam sie odtwarza.Niebardzo wiem co mam robić.Trojan usuwany był wiele razy za pomocą MacAfee,a2suqare,SpywareTerminatora,Delete Doctora itd.Nic nie pomaga.

Poniżej zamieszczam log z Hijack This

Logfile of HijackThis v1.99.1 Scan saved at 13:19:30, on 2007-12-26 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\system32\spoolsv.exe e:\all-in-one anty trojan\a-squared free\a2service.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe c:\program files\mcafee.com\agent\mcdetect.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe c:\PROGRA~1\mcafee.com\agent\mctskshd.exe c:\PROGRA~1\mcafee.com\vso\OasClnt.exe c:\program files\mcafee.com\vso\mcvsshld.exe c:\progra~1\mcafee.com\vso\mcvsescn.exe C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe C:\PROGRA~1\Wanadoo\TaskbarIcon.exe C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe c:\progra~1\mcafee.com\vso\mcvsftsn.exe C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Wanadoo\EspaceWanadoo.exe C:\Program Files\Wanadoo\ComComp.exe C:\Program Files\Wanadoo\Watch.exe E:\Winamp\winamp.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Jarzy\Pulpit\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wp.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza F2 - REG:system.ini: UserInit=userinit.exe,EXPLORER.EXE O1 - Hosts: 61.110.88.200 nprotect.co.kr O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - (no file) O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - F:\Badziewie\GetRight\xx2gr.dll O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - (no file) O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file) O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe O4 - HKLM…\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe O4 - HKLM…\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM…\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe O4 - HKLM…\Run: [VSOCheckTask] “C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe” /checktask O4 - HKLM…\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe O4 - HKLM…\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: Download with GetRight - F:\Badziewie\GetRight\GRdownload.htm O8 - Extra context menu item: Open with GetRight Browser - F:\Badziewie\GetRight\GRbrowse.htm O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll O9 - Extra ‘Tools’ menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://bezpieczenstwo.onet.pl/skaner/ArcaOnline.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share … insctl.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 7759017250 O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup … 5854432528 O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab O17 - HKLM\System\CCS\Services\Tcpip…{089F2224-16BA-4064-A297-F41DAE76EB72}: NameServer = 194.204.159.1 217.98.63.164 O17 - HKLM\System\CCS\Services\Tcpip…{DDA8A250-2E03-4DB8-9928-71B4367E6D6C}: NameServer = 85.255.115.38,85.255.112.9 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.38 85.255.112.9 O17 - HKLM\System\CS2\Services\Tcpip…{089F2224-16BA-4064-A297-F41DAE76EB72}: NameServer = 194.204.159.1 217.98.63.164 O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.115.38 85.255.112.9 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.38 85.255.112.9 O20 - Winlogon Notify: !SASWinLogon - E:\ALL-IN-ONE ANTY TROJAN\superanitspyware\SASWINLO.DLL O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\ O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - e:\all-in-one anty trojan\a-squared free\a2service.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

Ciuci · 26 Grudzień 2007 14:23

Pobierz program SDFix

* Dwuklik na SDFix.exe następnie program wypakuje się na dysk systemowy (standardowo C:\SDFix)

* Zrestartuj komputer i wejdź do trybu awaryjnego (klawisz F8 przed bootem Windowsa)

* Wejdź do folderu z SDFix kliknij dwa razy na plik RunThis.bat

* Wciśnij Y nastąpi proces usuwania.

* Kiedy usuwanie się ukończy wciśnij dowolny klawisz (Any Key). Nastąpi restart komputera.

* Po restarcie SDFix uruchomi się ponownie, żeby dokończyć proces usuwania kiedy pojawi się w oknie programu Finished, wciśnij dowolny klawisz do zakończenia scryptu i załadowania ikon na pulpicie.

* Pokaż Report.txt znajdujący się w folderze SDFix.

Potem daj loga z ComboFix.

arekmalek · 26 Grudzień 2007 18:11

A druga infekcja ?

ZAfixuj.

Użyj FixWareOut w trybie awaryjnym i wklej raport

Kaka2 · 26 Grudzień 2007 18:17

Ciuci , na przyszłość proszę dokładniej sprawdzać logi. W przypadku jakichkolwiek przeoczeń zostaną wyciągnięte surowe konsekwencje.

Monolito · 26 Grudzień 2007 22:30

Oto i raport z FixwareOut.Mam dziwne wrażenie,że to nic nie dało,bo nadal mam odmowe dostępu do wszystkich,prócz systemowej,partycji jeśli dwukrotnie na nie klikne i ctfmon siedzi sobie w system32.Mam spróbować metody z SDfixe’em?

Username “Jarzy” - 2007-12-26 23:24:18 [Fixwareout edited 9/01/2007] ~Prerun check HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters “nameserver”=“85.255.115.38 85.255.112.9” HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces{DDA8A250-2E03-4DB8-9928-71B4367E6D6C} “nameserver”=“85.255.115.38,85.255.112.9” HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces{9F2FA65B-4F53-4931-A84A-651720464FF4} “DhcpNameServer”=“85.255.115.38,85.255.112.9” HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces{DDA8A250-2E03-4DB8-9928-71B4367E6D6C} “DhcpNameServer”=“85.255.115.38,85.255.112.9” System was rebooted successfully.~ Postrun check HKLM\SOFTWARE~\Winlogon\ “System”="" … … ~~~Misc files. …~~~ Checking for older varients. … ~Current runs (hklm hkcu “run” Keys Only) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “WOOWATCH”=“C:\PROGRA~1\Wanadoo\Watch.exe” “WOOTASKBARICON”=“C:\PROGRA~1\Wanadoo\TaskbarIcon.exe” “MSKAGENTEXE”=“C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe” “MCAgentExe”=“c:\PROGRA~1\mcafee.com\agent\mcagent.exe” “MCUpdateExe”=“c:\PROGRA~1\mcafee.com\agent\McUpdate.exe” “VSOCheckTask”="“C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe” /checktask" “VirusScan Online”=“C:\Program Files\McAfee.com\VSO\mcvsshld.exe” “OASClnt”=“C:\Program Files\McAfee.com\VSO\oasclnt.exe” “StormCodec_Helper”="“C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe” /S /opti" [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “MSMSGS”="“C:\Program Files\Messenger\msmsgs.exe” /background" “SpybotSD TeaTimer”=“C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe” … Hosts file was reset, If you use a custom hosts file please replace it…~ End report ~~~~~

Monolito · 28 Grudzień 2007 11:09

Użyłem SDfix’a.Nadal nic-ctfmon siedzi w system32.Do ochorny kompa używam SpywareBlastera i Spybota S&D.Czy mam zainstalować jakiegoś firewalla czy co?

Pierwszy raport pod nazwą report:

SDFix: Version 1.119 Run by Jarzy on 2007-12-28 at 11:52 Microsoft Windows XP [Wersja 5.1.2600] Running From: C:\SDFix Safe Mode: Checking Services: Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting… Normal Mode: Checking Files: Trojan Files Found: C:\autorun.inf - Deleted Removing Temp Files… ADS Check: C:\WINDOWS No streams found. C:\WINDOWS\system32 No streams found. C:\WINDOWS\system32\svchost.exe No streams found. C:\WINDOWS\system32\ntoskrnl.exe No streams found. Final Check: catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-28 11:56:30 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden services & system hive … [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “p0”=“C:\Program Files\DAEMON Tools” “h0”=dword:00000000 “khjeh”=hex:2c,40,b0,63,3e,81,0f,02,6c,5f,a5,fa,d5,ee,15,40,0d,2b,c5,86,75,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “a0”=hex:20,01,00,00,ea,60,a6,b0,33,2b,b2,f7,3e,27,a0,45,1a,b5,29,bf,cc,… “khjeh”=hex:1b,e1,f3,dd,17,d8,79,b2,22,29,a5,91,f3,84,d0,6b,9a,7b,8e,6c,a6,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:0c,04,0e,3c,38,63,4c,b3,34,7c,13,3f,3d,86,80,ef,16,8d,6c,76,8b,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg] “s1”=dword:22459102 “s2”=dword:5840982d “h0”=dword:00000002 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04] “p0”=“C:\Program Files\Alcohol Soft\Alcohol 120” “h0”=dword:00000001 “ujdew”=hex:53,19,71,16,ba,b4,95,4c,49,f6,b0,8c,39,97,f6,c3,35,8d,c2,86,a4,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “p0”=“C:\Program Files\DAEMON Tools” “h0”=dword:00000000 “khjeh”=hex:7f,58,6f,25,10,f5,0b,7d,a3,97,9f,8c,ae,ef,be,b5,1d,69,ff,91,68,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “a0”=hex:20,01,00,00,ea,60,a6,b0,33,2b,b2,f7,3e,27,a0,45,1a,b5,29,bf,cc,… “khjeh”=hex:87,64,cc,dc,5f,15,5f,fe,b4,9a,a7,40,c5,77,0d,03,6b,87,5b,6b,ca,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:0a,4e,92,d7,f9,7f,0d,f2,c3,56,c1,f5,e1,9f,94,0c,7e,3d,a0,db,c3,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “p0”=“C:\Program Files\DAEMON Tools” “h0”=dword:00000000 “khjeh”=hex:2c,40,b0,63,3e,81,0f,02,6c,5f,a5,fa,d5,ee,15,40,0d,2b,c5,86,75,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “a0”=hex:20,01,00,00,ea,60,a6,b0,33,2b,b2,f7,3e,27,a0,45,1a,b5,29,bf,cc,… “khjeh”=hex:1b,e1,f3,dd,17,d8,79,b2,22,29,a5,91,f3,84,d0,6b,9a,7b,8e,6c,a6,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:0c,04,0e,3c,38,63,4c,b3,34,7c,13,3f,3d,86,80,ef,16,8d,6c,76,8b,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04] “p0”=“C:\Program Files\Alcohol Soft\Alcohol 120” “h0”=dword:00000001 “ujdew”=hex:53,19,71,16,ba,b4,95,4c,49,f6,b0,8c,39,97,f6,c3,35,8d,c2,86,a4,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “p0”=“C:\Program Files\DAEMON Tools” “h0”=dword:00000000 “khjeh”=hex:7f,58,6f,25,10,f5,0b,7d,a3,97,9f,8c,ae,ef,be,b5,1d,69,ff,91,68,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “a0”=hex:20,01,00,00,ea,60,a6,b0,33,2b,b2,f7,3e,27,a0,45,1a,b5,29,bf,cc,… “khjeh”=hex:87,64,cc,dc,5f,15,5f,fe,b4,9a,a7,40,c5,77,0d,03,6b,87,5b,6b,ca,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:0a,4e,92,d7,f9,7f,0d,f2,c3,56,c1,f5,e1,9f,94,0c,7e,3d,a0,db,c3,… scanning hidden registry entries … [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c] “Order”=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,… scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services: ------------------ Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] “%windir%\system32\sessmgr.exe”="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" “E:\Gg\gg.exe”=“E:\Gg\gg.exe:*:Enabled:Gadu-Gadu - program glowny” [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] “%windir%\system32\sessmgr.exe”="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" Remaining Files: --------------- File Backups: - C:\SDFix\backups\backups.zip Files with Hidden Attributes: Mon 22 Aug 2005 79,872 A…H. — “C:\Swsetup\Monitors\SP31193\hpinsx64.exe” Wed 11 Jul 2007 0 A…H. — “C:\WINDOWS\SoftwareDistribution\Download\6565a92aeeef176188ae2c9a8920fd79\BIT4.tmp” Finished!

Drugi nazywa się “catchme”.Nie za bardzo orientuje sie co to jest,ale pojawiło mi sie na pulpicie,więc zamieszczam.

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-28 11:56:30 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden services & system hive … [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “p0”=“C:\Program Files\DAEMON Tools” “h0”=dword:00000000 “khjeh”=hex:2c,40,b0,63,3e,81,0f,02,6c,5f,a5,fa,d5,ee,15,40,0d,2b,c5,86,75,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “a0”=hex:20,01,00,00,ea,60,a6,b0,33,2b,b2,f7,3e,27,a0,45,1a,b5,29,bf,cc,… “khjeh”=hex:1b,e1,f3,dd,17,d8,79,b2,22,29,a5,91,f3,84,d0,6b,9a,7b,8e,6c,a6,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:0c,04,0e,3c,38,63,4c,b3,34,7c,13,3f,3d,86,80,ef,16,8d,6c,76,8b,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg] “s1”=dword:22459102 “s2”=dword:5840982d “h0”=dword:00000002 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04] “p0”=“C:\Program Files\Alcohol Soft\Alcohol 120” “h0”=dword:00000001 “ujdew”=hex:53,19,71,16,ba,b4,95,4c,49,f6,b0,8c,39,97,f6,c3,35,8d,c2,86,a4,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “p0”=“C:\Program Files\DAEMON Tools” “h0”=dword:00000000 “khjeh”=hex:7f,58,6f,25,10,f5,0b,7d,a3,97,9f,8c,ae,ef,be,b5,1d,69,ff,91,68,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “a0”=hex:20,01,00,00,ea,60,a6,b0,33,2b,b2,f7,3e,27,a0,45,1a,b5,29,bf,cc,… “khjeh”=hex:87,64,cc,dc,5f,15,5f,fe,b4,9a,a7,40,c5,77,0d,03,6b,87,5b,6b,ca,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:0a,4e,92,d7,f9,7f,0d,f2,c3,56,c1,f5,e1,9f,94,0c,7e,3d,a0,db,c3,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “p0”=“C:\Program Files\DAEMON Tools” “h0”=dword:00000000 “khjeh”=hex:2c,40,b0,63,3e,81,0f,02,6c,5f,a5,fa,d5,ee,15,40,0d,2b,c5,86,75,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “a0”=hex:20,01,00,00,ea,60,a6,b0,33,2b,b2,f7,3e,27,a0,45,1a,b5,29,bf,cc,… “khjeh”=hex:1b,e1,f3,dd,17,d8,79,b2,22,29,a5,91,f3,84,d0,6b,9a,7b,8e,6c,a6,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:0c,04,0e,3c,38,63,4c,b3,34,7c,13,3f,3d,86,80,ef,16,8d,6c,76,8b,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04] “p0”=“C:\Program Files\Alcohol Soft\Alcohol 120” “h0”=dword:00000001 “ujdew”=hex:53,19,71,16,ba,b4,95,4c,49,f6,b0,8c,39,97,f6,c3,35,8d,c2,86,a4,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “p0”=“C:\Program Files\DAEMON Tools” “h0”=dword:00000000 “khjeh”=hex:7f,58,6f,25,10,f5,0b,7d,a3,97,9f,8c,ae,ef,be,b5,1d,69,ff,91,68,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “a0”=hex:20,01,00,00,ea,60,a6,b0,33,2b,b2,f7,3e,27,a0,45,1a,b5,29,bf,cc,… “khjeh”=hex:87,64,cc,dc,5f,15,5f,fe,b4,9a,a7,40,c5,77,0d,03,6b,87,5b,6b,ca,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:0a,4e,92,d7,f9,7f,0d,f2,c3,56,c1,f5,e1,9f,94,0c,7e,3d,a0,db,c3,… scanning hidden registry entries … [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c] “Order”=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,… scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0

arekmalek · 28 Grudzień 2007 11:42

Użyj WWDC (ustaw znaczki na zielono, netbios może być na żółto)

Daj log z Combofix

Monolito · 28 Grudzień 2007 19:21

Dobra.Zrobiłem jak nakazano.Zamknąłem wszystko co było na czerwono w WWDC.

Potem skanik z ComboFix i reset kompa.Oto log a ComboFix’a:

ComboFix 07-12-21.4 - Jarzy 2007-12-28 20:13:48.1 - NTFSx86 Running from: C:\Documents and Settings\Jarzy\Pulpit\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 ))))))))))))))))))))))))))))))) . 2007-12-28 12:50 . 2007-12-28 12:50 2007-12-28 11:51 . 2007-12-28 11:51 2007-12-27 22:02 . 1999-12-17 10:13 86,016 --a------ C:\WINDOWS\unvise32.exe 2007-12-26 20:56 . 2007-12-26 20:56 2007-12-22 19:09 . 2007-12-22 19:09 2007-12-22 11:12 . 2007-12-22 11:13 2007-12-21 17:00 . 2007-12-21 17:00 2007-12-21 17:00 . 2007-12-21 17:00 2007-12-21 17:00 . 2007-12-21 17:00 2007-12-21 16:37 . 2007-12-26 00:24 2007-12-21 15:37 . 2007-12-21 15:39 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-12-28 11:42 --------- d-----w C:\Program Files\Wanadoo 2007-12-27 21:04 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-12-25 10:59 --------- d-----w C:\Program Files\SpywareBlaster 2007-12-22 15:47 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Spyware Terminator 2007-12-22 12:26 --------- d-----w C:\Program Files\Spyware Terminator 2007-12-21 16:00 --------- d-----w C:\Documents and Settings\Jarzy\Dane aplikacji\Apple Computer 2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys 2007-10-29 22:44 1,291,264 ----a-w C:\WINDOWS\system32\quartz.dll 2007-10-20 05:01 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll 2007-04-11 15:52 108,576 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat 2007-04-11 15:52 7,712 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2004-10-13 17:24] “SpybotSD TeaTimer”=“C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe” [2004-05-12 00:03] “ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-03 23:44] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “WOOWATCH”=“C:\PROGRA~1\Wanadoo\Watch.exe” [2002-12-09 17:24] “WOOTASKBARICON”=“C:\PROGRA~1\Wanadoo\TaskbarIcon.exe” [2002-12-09 17:24] “MSKAGENTEXE”=“C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe” [2005-09-26 09:26] “MCAgentExe”=“c:\PROGRA~1\mcafee.com\agent\mcagent.exe” [2005-09-22 17:29] “MCUpdateExe”=“c:\PROGRA~1\mcafee.com\agent\mcupdate.exe” [2006-01-11 11:05] “VSOCheckTask”=“C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe” [2005-07-08 17:18] “VirusScan Online”=“C:\Program Files\McAfee.com\VSO\mcvsshld.exe” [2005-08-10 11:49] “OASClnt”=“C:\Program Files\McAfee.com\VSO\oasclnt.exe” [2005-08-11 21:02] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” [2004-08-03 23:44] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-04-06 01:18:17] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 19:05:56] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] “NoResolveSearch”= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon] E:\ALL-IN-ONE ANTY TROJAN\superanitspyware\SASWINLO.DLL 2007-04-30 12:12 294912 E:\ALL-IN-ONE ANTY TROJAN\superanitspyware\SASWINLO.DLL R0 m5289;m5289;C:\WINDOWS\system32\DRIVERS\m5289.sys [2004-12-01 09:49] R0 uliagpkx;ULi AGP Bus Filter Driver;C:\WINDOWS\system32\DRIVERS\agpkx.sys [2005-05-03 10:31] S1 sp_rsdrv2;Spyware Terminator Driver 2;C:\Documents and Settings\All Users\Dane aplikacji\Spyware Terminator\sp_rsdrv2.sys [] S2 ALIEHCD;ULi PCI to USB Enhanced Host Controller;C:\WINDOWS\system32\Drivers\ALIEHCI.sys [2005-06-02 18:59] S3 aliroothub;USB 2.0 Root Hub;C:\WINDOWS\system32\DRIVERS\AliRtHub.sys [2005-06-02 17:27] S3 SIS163u;SiS163 usb Wireless LAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\sis163u.sys [2006-07-23 20:32] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe \Shell\Open(&0)\command - Recycled\ctfmon.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe \Shell\Open(&0)\command - Recycled\ctfmon.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe \Shell\Open(&0)\command - Recycled\ctfmon.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe \Shell\Open(&0)\command - Recycled\ctfmon.exe *Newly Created Service* - PROCEXP90 . ************************************************************************** catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-28 20:15:34 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-12-28 20:16:00 . 2007-12-28 11:38:20 — E O F —

Gutek · 28 Grudzień 2007 20:12

Otwórz Notatnik i wklej w nim to:

Windows Registry Editor Version 5.00 


[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG >>> kliknij dwa razy na utworzony plik FIX.REG i potwierdź dodanie do rejestru >>> restart.

Monolito · 29 Grudzień 2007 23:46

No dobra.Zrobiłem jak mówisz.I co dalej?Co ma mi dać ten cały motyw z fix.reg?

Gutek · 30 Grudzień 2007 00:32

Miałes infekcję na pendrive

Monolito · 2 Styczeń 2008 12:56

Czy ctfmon.exe jest normalnym plikiem w systemie czy zawsze muszę podejrzewać infekcję jeśli zobaczę go w systemie?