Trojan.Win32.Rootkit.l


(Dyluj) #1

Hello, I have Win W2K and unfortunately a trojan (Trojan.Win32.Rootkit.l) ... I already tried removing it with KillBox from Safe Mode and nothing :frowning: ...

Logfile of HijackThis v1.99.1

Scan saved at 14:34:52, on 2005-09-09

Platform: Windows 2000 SP3 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\AVPersonal\AVGUARD.EXE

C:\Program Files\AVPersonal\AVWUPSRV.EXE

C:\WINNT\System32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINNT\System32\nvsvc32.exe

C:\Program Files\Kerio\Personal Firewall\persfw.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe

C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe

C:\WINNT\System32\CTHELPER.EXE

C:\WINNT\PowerS.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\AVPersonal\AVSched32.EXE

C:\Program Files\AVPersonal\AVGNT.EXE

C:\WINNT\System32\ctfmon.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Czysciciele\iISystem Wiper\SystemWiper.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

C:\Program Files\WinCMD\WINCMD32.EXE

C:\WINNT\system32\NOTEPAD.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Czysciciele\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\CZYSCI~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe

O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe

O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE

O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE

O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run

O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [PowerS] C:\WINNT\PowerS.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [AVSCHED32] C:\Program Files\AVPersonal\AVSched32.EXE /min

O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [iIWiper] C:\Czysciciele\iISystem Wiper\SystemWiper.exe m

O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://C:osuch.mht!http://85.255.113.4/dl/adv611/x.chm::/load.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_22.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{18537808-4BFC-44D4-98E2-B972B816A19E}: NameServer = 194.204.152.34 217.98.63.164

O17 - HKLM\System\CS2\Services\Tcpip\..\{18537808-4BFC-44D4-98E2-B972B816A19E}: NameServer = 194.204.152.34 217.98.63.164

O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE

O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE

O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe

O23 - Service: Windows Task Manager Service (tskman) - Unknown owner - C:\WINNT\task.exe

I'd be grateful for help ... Dyluj
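An added example, not part of the original post and not code from HijackThis itself: a small Python triage script that applies to the log above the two checks a responder does by eye. It flags O16 DPF entries whose URL goes through the ms-its:/mhtml: protocol handlers to a remote .chm (the entry pointing at 85.255.113.4 has exactly that shape, and it ends in load.exe), DPF entries fetched from a bare-IP host, and O23 services with "Unknown owner" whose binary sits directly in C:\WINNT (task.exe). The sample lines are a constructed subset copied from the log above; the severity labels, regexes and function names are this example's own conventions, not HijackThis output.

```python
import re

# Constructed sample: a subset of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://C:osuch.mht!http://85.255.113.4/dl/adv611/x.chm::/load.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_22.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: Windows Task Manager Service (tskman) - Unknown owner - C:\WINNT\task.exe
"""

# "O16 - DPF: ..." -> section code and the rest of the line
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# URL whose host is a bare IPv4 address instead of a domain name
RAW_IP_RE = re.compile(r"^https?://(?:\d{1,3}\.){3}\d{1,3}(?:[:/]|$)", re.I)
# Executable sitting directly in the Windows directory (not in System32)
WINROOT_EXE_RE = re.compile(r"^[A-Z]:\\(?:WINNT|WINDOWS)\\[^\\]+\.exe$", re.I)
# Protocol handlers that let a DPF entry run content out of a .chm instead of a .cab
CHM_PROTOCOLS = ("ms-its:", "its:", "mk:@msitstore:", "mhtml:")


def check_dpf(body):
    """O16 body: 'DPF: {CLSID} (Name) - URL'. Flag ITS/MHTML chaining and raw-IP hosts."""
    url = body.rsplit(" - ", 1)[-1].strip()
    low = url.lower()
    if low.startswith(CHM_PROTOCOLS) or "!http" in low:
        return ("CRITICAL", "DPF entry loads a remote .chm through the ITS/MHTML protocol "
                            "handlers and runs a file from inside it: " + url)
    if RAW_IP_RE.match(url):
        return ("REVIEW", "DPF entry downloaded from a bare-IP host with no domain: " + url)
    return None


def check_service(body):
    """O23 body: 'Service: Display (name) - Owner - Path'. Flag unknown owners and odd paths."""
    try:
        _, owner, path = body.rsplit(" - ", 2)
    except ValueError:
        return None
    path = path.strip().strip('"')
    reasons = []
    if owner.strip().lower() == "unknown owner":
        reasons.append("service has no publisher string")
    if WINROOT_EXE_RE.match(path):
        reasons.append("binary sits directly in the Windows directory, "
                       "where a service binary is out of place")
    if reasons:
        return ("HIGH", "; ".join(reasons) + ": " + path)
    return None


CHECKS = {"O16": check_dpf, "O23": check_service}


def triage(log):
    """Return (severity, section, reason, original_line) for every suspicious entry."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        check = CHECKS.get(section)
        if check is None:
            continue
        hit = check(body)
        if hit:
            findings.append((hit[0], section, hit[1], line))
    return findings


if __name__ == "__main__":
    for sev, sec, why, _line in triage(SAMPLE_LOG):
        print(f"[{sev}] {sec}: {why}")
```

Run against the full log, the script reports three entries: the ms-its entry as CRITICAL, the tskman service as HIGH (both because of "Unknown owner" and because task.exe lives in C:\WINNT), and the GameDesire .cab as REVIEW only because it is served from a bare IP; the AntiVir, Kerio and NVIDIA services and the Trend Micro HouseCall control are not touched. The O17 NameServer lines are left alone on purpose: a raw-IP DNS server is normal, and the decision there needs the ISP's published resolver addresses, which a script cannot know.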


(Gutek) #2

O23 - Start >>> Run >>> services.msc >>> stop and disable Windows Task Manager Service, and delete the file manually in Safe Mode :stuck_out_tongue:


(fiesta) #3

Split off from another thread.


(Dyluj) #4

… everything and so far nothing :frowning: … task removed … the RootKit comes back … it keeps being detected the whole time :frowning: … unfortunately it stays :frowning: … I'm slowly starting to give up … the PC supposedly works without problems, but knowing that I have a trojan is already getting on my nerves … … I heard that MicrosoftAntiSpyware might help, but I know that after such "help" you often have to reinstall the system … help me! please …


(Bizmarkie) #5

post a log from Silent Runners

http://www.silentrunners.org/

maybe Gutek will check it for you, because I don't know this stuff :?


(Dyluj) #6

… as soon as I get home I'll make the log and send it to you (thanks), for now I have to work at work … regards …

Merged post: 19.09.2005 (Mon) 1:58

…and I'm taking the liberty of attaching the log

“Silent Runners.vbs”, revision 40.1, http://www.silentrunners.org/

Operating System: Windows 2000

Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

“ctfmon.exe” = “ctfmon.exe” [MS]

“Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“sms-express.com”]

“iIWiper” = “C:\Czysciciele\iISystem Wiper\SystemWiper.exe m” [“iISoftware”]

“Skype” = ““C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized” [“Skype Technologies S.A.”]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

“Synchronization Manager” = “mobsync.exe /logon” [MS]

“NvCplDaemon” = “RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup” [MS]

“nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”]

“iKeyWorks” = “C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe” [“A4Tech Co.,Ltd.”]

“WheelMouse” = “C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe” [“A4Tech Co.,Ltd.”]

“WINDVDPatch” = “CTHELPER.EXE” [“Creative Technology Ltd”]

“UpdReg” = “C:\WINNT\UpdReg.EXE” [“Creative Technology Ltd.”]

“Jet Detection” = ““C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe”” [empty string]

“CTStartup” = “C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run” [“Creative Technology Ltd.”]

“NeroCheck” = “C:\WINNT\System32\NeroCheck.exe” [“Ahead Software Gmbh”]

“PowerS” = “C:\WINNT\PowerS.exe” [“prolink”]

“WinampAgent” = “C:\Program Files\Winamp\winampa.exe” [null data]

“RealTray” = “C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER” [“RealNetworks, Inc.”]

“SunJavaUpdateSched” = “C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe” [null data]

“AVSCHED32” = “C:\Program Files\AVPersonal\AVSched32.EXE /min” [“H+BEDV Datentechnik GmbH”]

“AVGCtrl” = ““C:\Program Files\AVPersonal\AVGNT.EXE” /min” [“H+BEDV Datentechnik GmbH”]

“TrojanScanner” = “C:\Program Files\Trojan Remover\Trjscan.exe” [“Simply Super Software”]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\CTStartup {++}

“CTStartup” = ““C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE” /play” [“Creative Technology Ltd.”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = “AcroIEHlprObj Class” [from CLSID]

-> {CLSID}\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx” [empty string]

{53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided)

-> {CLSID}\InProcServer32(Default) = “C:\CZYSCI~1\SPYBOT~1\SDHelper.dll” [null data]

{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}(Default) = “PCTools Site Guard” [from CLSID]

-> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll” [“PC Tools”]

{B56A7D7D-6927-48C8-A975-17DF180C71AC}(Default) = “PCTools Browser Monitor” [from CLSID]

-> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll” [“GuideWorks Pty. Ltd.”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”

-> {CLSID}\InProcServer32(Default) = “C:\WINNT\System32\hticons.dll” [“Hilgraeve, Inc.”]

“{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Eksplorator pulpitów”

-> {CLSID}\InProcServer32(Default) = “C:\WINNT\System32\nvshell.dll” [“NVIDIA Corporation”]

“{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu”

-> {CLSID}\InProcServer32(Default) = “C:\WINNT\System32\nvshell.dll” [“NVIDIA Corporation”]

“{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler”

-> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\OFFICE11\MLSHEXT.DLL” [MS]

“{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler”

-> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\OFFICE11\OLKFSTUB.DLL” [MS]

“{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler”

-> {CLSID}\InProcServer32(Default) = “C:\Program Files\OFFICE11\msohev.dll” [MS]

HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}”

-> {CLSID}\InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\

AntiVir/Win(Default) = “{a7cda720-84ee-11d0-b5c0-00001b3ca278}”

-> {CLSID}\InProcServer32(Default) = “C:\Program Files\AVPersonal\AVShlExt.DLL” [“H+BEDV Datentechnik GmbH”]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

AntiVir/Win(Default) = “{a7cda720-84ee-11d0-b5c0-00001b3ca278}”

-> {CLSID}\InProcServer32(Default) = “C:\Program Files\AVPersonal\AVShlExt.DLL” [“H+BEDV Datentechnik GmbH”]

Active Desktop and Wallpaper:


Active Desktop is enabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

“Wallpaper” = “C:\WINNT\Web\Wallpaper\Raj.jpg”

Startup items in “Jacek” & “All Users” startup folders:


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

“Adobe Gamma Loader.exe” -> shortcut to: “C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe” [“Adobe Systems, Inc.”]

“DSLMON” -> shortcut to: “C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe” [empty string]

Winsock2 Service Provider DLLs:


Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = “%SystemRoot%\System32\rnr20.dll” [MS]

000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 15

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:


Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = “Real.com” [from CLSID]

-> {CLSID}\InProcServer32(Default) = “C:\WINNT\System32\Shdocvw.dll” [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

“MenuText” = “Sun Java Console”

“CLSIDExtension” = “{08B0E5C0-4FCB-11CF-AAA5-00401C608501}”

-> {CLSID}\InProcServer32(Default) = “C:\WINNT\System32\msjava.dll” [MS]

{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\

“ButtonText” = “Spyware Doctor”

“CLSIDExtension” = “{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}”

-> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll” [“GuideWorks Pty. Ltd.”]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

“ButtonText” = “Badanie”

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\

“ButtonText” = “Real.com

Miscellaneous IE Hijack Points


C:\WINNT\INF\IERESET.INF (used to “Reset Web Settings”)

Added lines (compared with English-language version):

Missing lines (compared with English-language version):

strings: 1 line

Running Services (Display Name, Service Name, Path {Service DLL}):


AntiVir Service, AntiVirService, ““C:\Program Files\AVPersonal\AVGUARD.EXE”” [“H+BEDV Datentechnik GmbH”]

AntiVir Update, AVWUpSrv, ““C:\Program Files\AVPersonal\AVWUPSRV.EXE”” [“H+BEDV Datentechnik GmbH, Germany”]

Kerio Personal Firewall, PersFw, ““C:\Program Files\Kerio\Personal Firewall\persfw.exe”” [“Kerio Technologies”]

Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE”” [MS]

NVIDIA Driver Helper Service, NVSvc, “C:\WINNT\System32\nvsvc32.exe” [“NVIDIA Corporation”]

System zdarzeń COM+, EventSystem, “C:\WINNT\System32\svchost.exe -k netsvcs” {“C:\WINNT\System32\es.dll” [null data]}

Windows Task Manager Service, tskman, ““C:\WINNT\task.exe”” [null data]


  • This report excludes default entries except where indicated.

  • To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

  • To search all directories of local fixed drives for DESKTOP.INI

DLL launch points and all Registry CLSIDs for dormant Explorer Bars,

use the -supp parameter or answer “No” at the first message box.

---------- (total run time: 47 seconds, including 6 seconds for message boxes)

I found a removal tool at G Data, but it didn't help, I see I still have this "nasty thing" … will you help? regards :slight_smile: Dyluj

Merged post: 19.09.2005 (Mon) 10:43

… thanks for the willingness to help … I somehow managed :slight_smile: … in Safe Mode I threw out Task.exe, plus two more strange *.sys files, searched through the registry and cut them out by hand … for now I've lost the trojan and it isn't bothering me … I do have a question though - what do you suggest "just in case", should I really give up browsing pages in IE? - regards and thanks :slight_smile: Dyluj