Trojan.Virtumonde

Mazurpl · 28 Marzec 2008 14:55

Wstyd się przyznawać ale ściągnąłem coś z internetu i była tam niespodzianka w postaci Trojana :? .

Mój log z HijackThis:

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 22:18:08, on 27/03/2008 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16608) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE C:\WINDOWS\system32\CTHELPER.EXE C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe C:\Program Files\Gateway\EzTune\DTHtml.exe C:\WINDOWS\system32\taskswitch.exe C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe D:\INTERNET\AVG\avgcc.exe C:\Program Files\Netropa\Onscreen Display\OSD.exe C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe C:\Program Files\Portrait Displays\Pivot Software\floater.exe D:\INTERNET\Spyware Doctor\pctsTray.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe D:\INTERNET\Gadu-Gadu\gg.exe D:\INTERNET\xampp\apache\bin\apache.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe D:\INTERNET\AVG\avgamsvr.exe D:\INTERNET\AVG\avgupsvc.exe D:\INTERNET\AVG\avgemc.exe C:\WINDOWS\system32\CTsvcCDA.exe C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe D:\INTERNET\xampp\mysql\bin\mysqld-nt.exe C:\WINDOWS\system32\nvsvc32.exe D:\INTERNET\Spyware Doctor\pctsAuxs.exe D:\INTERNET\Spyware Doctor\pctsSvc.exe D:\INTERNET\SYGATE\smc.exe C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE C:\WINDOWS\system32\wbem\wmiprvse.exe D:\INTERNET\xampp\apache\bin\apache.exe C:\WINDOWS\System32\alg.exe C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe C:\Program Files\Mozilla Firefox\firefox.exe D:\INTERNET\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://D:\INTERNET\IEPro\IEProRs.dll/easyhome.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L1cza O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - D:\INTERNET\IEPro\iepro.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r O4 - HKLM…\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE O4 - HKLM…\Run: [CTHelper] CTHELPER.EXE O4 - HKLM…\Run: [sBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r O4 - HKLM…\Run: [updReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM…\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe O4 - HKLM…\Run: [PivotSoftware] “C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe” O4 - HKLM…\Run: [DT GWY] C:\Program Files\Gateway\EzTune\DTHtml.exe -startup_folder O4 - HKLM…\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe” O4 - HKLM…\Run: [AVG7_CC] D:\INTERNET\AVG\avgcc.exe /STARTUP O4 - HKLM…\Run: [smcService] D:\INTERNET\SYGATE\smc.exe -startgui O4 - HKLM…\Run: [PCSuiteTrayApplication] D:\TELEFON\NOKIAP~1\NOKIAP~1\LAUNCH~1.EXE -startup O4 - HKLM…\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM…\Run: [iSTray] “D:\INTERNET\Spyware Doctor\pctsTray.exe” O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “D:\INTERNET\Gadu-Gadu\gg.exe” /tray O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-19…\Run: [AVG7_Run] D:\INTERNET\AVG\avgw.exe /RUNONCE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’) O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - D:\INTERNET\IEPro\iepro.dll O9 - Extra ‘Tools’ menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - D:\INTERNET\IEPro\iepro.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows … 6200885727 O20 - Winlogon Notify: pmnopom - pmnopom.dll (file missing) O23 - Service: Apache2.2 - Apache Software Foundation - D:\INTERNET\xampp\apache\bin\apache.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\INTERNET\AVG\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\INTERNET\AVG\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\INTERNET\AVG\avgemc.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe O23 - Service: mysql - Unknown owner - D:\INTERNET\xampp\mysql\bin\mysqld-nt.exe O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\INTERNET\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\INTERNET\Spyware Doctor\pctsSvc.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - D:\INTERNET\SYGATE\smc.exe – End of file - 7520 bytes

Przerażająca to wygląda! Spyware Doctor mi go wykrył ale usunąć już nie może. AVG Free nonstop coś z nim robi ale i tak to gó*** daje :P.

Proszę o pomoc i mówcie w języku normalnym dla ludzi :P!

Leon1 · 28 Marzec 2008 15:10

Wyłącz przywracanie systemu na wszystkich dyskach.http://support.microsoft.com/kb/310405/pl

wpis

usuń HijackThisem >> Fix checked

Pobierz Combofix http://www.searchengines.pl/index.php?showtopic=86306&st=0&p=395642entry395642 przeskanuj daj log

Mazurpl · 28 Marzec 2008 15:28

http://phpfi.com/305863

Leon1 · 28 Marzec 2008 15:52

start >> uruchom >> cmd

sc stop Apache2.2

sc delete Apache2.2

usuń HijackThisem >> Fix checked

zrób optymalizacje uruchamiania http://cybertrash.netarteria.pl/cyber/index.php/topic,378.0.html

Pobierz program SDFix

Mazurpl · 28 Marzec 2008 16:13

SDFix: Version 1.163 Run by Damian on 28/03/2008 at 16:07 Microsoft Windows XP [Wersja 5.1.2600] Running From: C:\SDFix Checking Services : Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting Checking Files : No Trojan Files Found Removing Temp Files ADS Check : Final Check : catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-03-28 16:11:34 Windows 5.1.2600 Dodatek Service Pack 2 NTFS detected NTDLL code modification: ZwClose scanning hidden processes … scanning hidden services & system hive … [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg] “s1”=dword:2df9c43f “s2”=dword:110480d0 “h0”=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “p0”=“D:\NARZEDZIA\DAEMON Tools Lite” “h0”=dword:00000000 “khjeh”=hex:64,9e,0e,80,60,59,89,18,c6,75,a4,23,89,bf,c2,b2,59,17,d2,a7,3f,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “a0”=hex:20,01,00,00,f6,3b,77,4b,de,27,7c,a2,6a,97,46,13,a6,54,41,90,f8,… “khjeh”=hex:42,27,6d,1e,5e,de,01,52,3c,65,2b,e5,b7,0d,c3,19,68,13,ed,58,be,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:d7,9b,53,6f,cf,c0,a9,8d,12,b5,e1,4e,b4,f5,1b,56,93,9b,99,1f,f6,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41] “khjeh”=hex:ff,9a,65,70,75,76,2c,1f,79,b5,e3,8d,53,fa,72,ea,c9,09,43,de,cc,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42] “khjeh”=hex:d8,0a,d7,90,c3,c8,7b,2f,19,49,f0,bb,75,ae,5b,d5,b2,8e,70,19,d4,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43] “khjeh”=hex:d2,56,66,57,24,63,0e,3f,8f,87,a0,77,95,ec,3e,e8,40,5b,a3,38,86,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “p0”=“D:\NARZEDZIA\DAEMON Tools Lite” “h0”=dword:00000000 “khjeh”=hex:64,9e,0e,80,60,59,89,18,c6,75,a4,23,89,bf,c2,b2,59,17,d2,a7,3f,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “a0”=hex:20,01,00,00,f6,3b,77,4b,de,27,7c,a2,6a,97,46,13,a6,54,41,90,f8,… “khjeh”=hex:42,27,6d,1e,5e,de,01,52,3c,65,2b,e5,b7,0d,c3,19,68,13,ed,58,be,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:d7,9b,53,6f,cf,c0,a9,8d,12,b5,e1,4e,b4,f5,1b,56,93,9b,99,1f,f6,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41] “khjeh”=hex:ff,9a,65,70,75,76,2c,1f,79,b5,e3,8d,53,fa,72,ea,c9,09,43,de,cc,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42] “khjeh”=hex:d8,0a,d7,90,c3,c8,7b,2f,19,49,f0,bb,75,ae,5b,d5,b2,8e,70,19,d4,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43] “khjeh”=hex:d2,56,66,57,24,63,0e,3f,8f,87,a0,77,95,ec,3e,e8,40,5b,a3,38,86,… scanning hidden registry entries … [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c] “Order”=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,… scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services : Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] “%windir%\system32\sessmgr.exe”="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" “%windir%\Network Diagnostic\xpnetdiag.exe”="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" “D:\INTERNET\AVG\avginet.exe”=“D:\INTERNET\AVG\avginet.exe:*:Enabled:avginet.exe” “D:\INTERNET\AVG\avgamsvr.exe”=“D:\INTERNET\AVG\avgamsvr.exe:*:Enabled:avgamsvr.exe” “D:\INTERNET\AVG\avgcc.exe”=“D:\INTERNET\AVG\avgcc.exe:*:Enabled:avgcc.exe” “D:\INTERNET\AVG\avgemc.exe”=“D:\INTERNET\AVG\avgemc.exe:*:Enabled:avgemc.exe” “D:\INTERNET\Gadu-Gadu\gg.exe”=“D:\INTERNET\Gadu-Gadu\gg.exe:*:Enabled:Gadu-Gadu - program g3˘wny” “D:\INTERNET\IEPro\MiniDM.exe”=“D:\INTERNET\IEPro\MiniDM.exe:*:Enabled:MiniDM” “D:\INTERNET\xampp\apache\bin\apache.exe”=“D:\INTERNET\xampp\apache\bin\apache.exe:*:Enabled:Apache HTTP Server” “X:\DAMIAN\Ots\TFS\Mystic Spirit\TheForgottenServer.exe”=“X:\DAMIAN\Ots\TFS\Mystic Spirit\TheForgottenServer.exe:*:Enabled:Mystic Spirit (0.2.10)” [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] “%windir%\system32\sessmgr.exe”="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" “%windir%\Network Diagnostic\xpnetdiag.exe”="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" Remaining Files : File Backups: - C:\SDFix\backups\backups.zip Files with Hidden Attributes : Finished!