matio
(matio)
26 December 2007 22:51
#1
I plug a pendrive into my PC and suddenly Kaspersky alerts that there is a file ufo.exe and that it is a trojan. Of course I deleted it, but from what I have read it supposedly copies itself onto every pendrive plugged into the computer… Formatting the pendrive is not really an option, because I have very important data on it :/
hijackthis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:10:06, on 2007-12-26
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Programy\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\nvsvc32.exe
D:\Programy\SolidConverterPDF\SCPDF\SolidPdfService.exe
D:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\rundll32.exe
D:\Programy\CursorXP\CursorXP.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\mspaint.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Programy\BitComet\BitComet.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.o2.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Programy\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - D:\Programy\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Programy\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Programy\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: &Tłumaczenie - {0D704FAD-66E9-4F0A-BFED-4F665770DDB3} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - D:\Programy\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [kis] "D:\Programy\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [CursorXP] D:\Programy\CursorXP\CursorXP.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1390067357-113007714-1708537768-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-21-1390067357-113007714-1708537768-1003 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User '?')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Programy\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Programy\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Programy\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Ochrona WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Programy\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - D:\Programy\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Programy\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Programy\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Programy\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - D:\Programy\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Programy\Diskeeper\DkService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - D:\Programy\SolidConverterPDF\SCPDF\SolidPdfService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O24 - Desktop Component 0: (no name) - http://geocities.yahoo.com.br/fernandes … rsia-2.jpg

--
End of file - 6258 bytes
combofix
ComboFix 07-12-21.4 - Mati 2007-12-26 23:02:47.3 - FAT32x86
Running from: C:\Documents and Settings\Mati\Pulpit\Mati\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-11-26 to 2007-12-26 )))))))))))))))))))))))))))))))
.
2007-12-20 22:52 . 2007-12-20 22:55 234 --a------ C:\WINDOWS\Fakturka.ini
2007-12-20 22:40 . 2007-12-20 22:40
2007-12-20 22:11 . 2003-05-12 04:35 561,179 --a------ C:\WINDOWS\system32\dao360.DLL
2007-12-20 22:11 . 2002-09-20 18:04 180,224 --a------ C:\WINDOWS\system32\msadox.dll
2007-12-06 18:33 . 2007-12-06 18:33
2007-11-29 19:42 . 2007-11-29 19:51 21,684,976 --a------ C:\Nagranie006 promotor.amr.MP3
2007-11-29 19:38 . 2006-01-08 00:53
2007-11-29 19:38 . 2004-02-22 10:11 719,872 --a------ C:\WINDOWS\system32\devil.dll
2007-11-29 19:38 . 2006-10-07 17:43 502,784 --a------ C:\WINDOWS\x2.64.exe
2007-11-29 19:38 . 2007-05-14 15:24 394,240 --a------ C:\WINDOWS\system32\Smab.dll
2007-11-29 19:38 . 2007-05-17 17:30 318,976 --a------ C:\WINDOWS\system32\avisynth.dll
2007-11-29 19:38 . 2005-02-28 13:16 240,128 --a------ C:\WINDOWS\system32\x.264.exe
2007-11-29 19:38 . 2006-04-12 09:47 217,073 --a------ C:\WINDOWS\meta4.exe
2007-11-29 19:38 . 2004-01-25 00:00 70,656 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-11-29 19:38 . 2004-01-25 00:00 70,656 --a------ C:\WINDOWS\system32\i420vfw.dll
2007-11-29 19:38 . 2006-04-05 08:09 66,560 --a------ C:\WINDOWS\MOTA113.exe
2007-11-29 19:38 . 2005-07-14 12:31 27,648 --a------ C:\WINDOWS\system32\AVSredirect.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-26 11:52 88,964 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-26 11:52 6,408,224 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-26 11:52 2,937,140 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-26 11:52 1,376,256 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-11 17:17 45,984 ----a-w C:\Documents and Settings\Mati\Dane aplikacji\GDIPFONTCACHEV1.DAT
2007-12-10 12:09 45,984 ----a-w C:\Documents and Settings\kloc\Dane aplikacji\GDIPFONTCACHEV1.DAT
2007-12-01 19:19 45,984 ----a-w C:\Documents and Settings\Jacek\Dane aplikacji\GDIPFONTCACHEV1.DAT
2007-11-21 17:24 892,928 ----a-w C:\WINDOWS\system32\iconv.dll
2007-11-21 17:24 740,442 ----a-w C:\WINDOWS\system32\DivX.dll
2007-11-21 17:24 1,559,040 ----a-w C:\WINDOWS\system32\xvidcore.dll
2007-11-17 21:52 --------- d-----w C:\Program Files\Common Files\BHPS
2007-11-04 11:30 --------- d--h--w C:\Program Files\Zero G Registry
2007-10-31 22:28 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Grisoft
2006-12-03 14:28 144 ----a-w C:\Documents and Settings\Jagoda\Dane aplikacji\config.dat
2006-10-25 18:47 143 ----a-w C:\Documents and Settings\Jacek\Dane aplikacji\config.dat
2006-10-04 15:23 142 ----a-w C:\Documents and Settings\kloc\Dane aplikacji\config.dat
2007-05-01 21:39 5 --sha-w C:\WINDOWS\system32\bdbddfafb5_s.dll
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-20 17:05]
"CursorXP"="D:\Programy\CursorXP\CursorXP.exe" [2005-01-19 16:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2001-10-26 17:30 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-01-24 13:52 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2001-10-26 17:30 C:\WINDOWS\system32\rundll32.exe]
"kis"="D:\Programy\Kaspersky Internet Security 6.0\avp.exe" [2006-03-24 18:09]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 02:56]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-20 17:05]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 17:15]

C:\Documents and Settings\Mati\Menu Start\Programy\Autostart\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\WINDOWS\System32\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mati^Menu Start^Programy^Autostart^Adobe Gamma.lnk]
path=C:\Documents and Settings\Mati\Menu Start\Programy\Autostart\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kav]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCLEPCI]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-05-03 02:56 36975 --a------ C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe

.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-26 23:05:07
Windows 5.1.2600 Dodatek Service Pack. 1 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-26 23:06:24
And during the scan Kaspersky scans the autorun.inf file, but finds nothing in it.
When the log appeared after the ComboFix scan, this window came up
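An added example, not from the thread or from any of the tools mentioned in it: a Python script that reads a pendrive's autorun.inf, lists the executables it would launch and reports whether each one is present on the drive, without deleting anything, so the user's own files are not at risk. The autorun.inf text and the ufo.exe placeholder are constructed sample data, and demo() builds a temporary directory that stands in for the drive.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample autorun.inf in the shape an autorun-spreading worm leaves on a
# pendrive; "ufo.exe" is the name from the thread, written below as a placeholder.
SAMPLE_AUTORUN = """[AutoRun]
open=ufo.exe
shell\\open\\command=ufo.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""
LAUNCH_KEYS = ("open", "shellexecute")               # run on insertion / Explorer double-click
SHELL_CMD = re.compile(r"^shell\\[^\\=]+\\command$")  # shell\<verb>\command entries

def parse_autorun(text):
    """Return the [autorun] section as lower-cased key -> value; malformed lines are skipped."""
    entries, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#": continue          # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            inside = line[1:-1].strip().lower() == "autorun"
        elif inside and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_targets(entries):
    """Executables the entries would launch (first token of each command), without duplicates."""
    targets = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or SHELL_CMD.match(key):
            exe = value[1:].split('"', 1)[0] if value.startswith('"') else (value.split() or [""])[0]
            if exe and exe not in targets:
                targets.append(exe)
    return targets

def check_drive(root):
    """(target, present-on-drive) for every launch target named in root/autorun.inf."""
    inf = Path(root, "autorun.inf")
    if not inf.is_file(): return []
    targets = launch_targets(parse_autorun(inf.read_text(errors="replace")))
    return [(exe, Path(root, exe.replace("\\", "/")).is_file()) for exe in targets]

def demo():
    """Scan a throw-away 'drive' holding the sample; the user's own file is never touched."""
    with tempfile.TemporaryDirectory() as drive:
        Path(drive, "autorun.inf").write_text(SAMPLE_AUTORUN)
        Path(drive, "ufo.exe").write_bytes(b"placeholder bytes, not a program")
        Path(drive, "praca.doc").write_bytes(b"user data that must survive")
        return check_drive(drive), sorted(p.name for p in Path(drive).iterdir())
```

Run check_drive() against the root of the real pendrive to see which file the autorun.inf points at; only that file and the autorun.inf itself need attention, not the rest of the drive.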
Gutek
(Gutek)
28 December 2007 17:54
#2
matio
(matio)
28 December 2007 18:13
#3
Won't this Flash Disinfector also delete the data from my pendrive in the process?