Vundo/Virtumonde - any leftovers?

Hello,

For the last few days I have been fighting intensively with trojans/viruses that resembled Virtumonde. To make sure it hasn't left any junk in the registry and that nothing else is lurking, I'd like to ask you to check the logs from HJT, ComboFix and SDFix.

HJT

Logfile of HijackThis v1.99.1

Scan saved at 16:22:18, on 2007-11-17

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Software\Narzędzia\CDBurnerXP\NMSAccessU.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Software\SPRZT~1\A4Tech\Keyboard\Ikeymain.exe

C:\Software\SPRZT~1\A4Tech\Mouse\Amoumain.exe

C:\WINDOWS\explorer.exe

I:\Programy\Narzędzia\Hijack\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Software\INTERN~1\BEZPIE~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Software\Internetowe\P2P\Free Download Manager\iefdmcks.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [iKeyWorks] c:\Software\SPRZT~1\A4Tech\Keyboard\Ikeymain.exe

O4 - HKLM\..\Run: [WheelMouse] c:\Software\SPRZT~1\A4Tech\Mouse\Amoumain.exe

O8 - Extra context menu item: Pobierz w Free Download Manager - file://C:\Software\Internetowe\P2P\Free Download Manager\dllink.htm

O11 - Options group: [INTERNATIONAL] International*

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195168806953

O17 - HKLM\System\CCS\Services\Tcpip\..\{C04FAF82-0821-4CE3-9FC2-88B7B94FFDD9}: NameServer = 192.168.0.1

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: NMSAccessU - Unknown owner - C:\Software\Narzędzia\CDBurnerXP\NMSAccessU.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

ComboFix

ComboFix 07-11-08.1 - Administrator 2007-11-17 16:16:36.3 - NTFSx86 

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.703 [GMT 1:00]

Running from: I:\Programy\Narzędzia\ComboFix\ComboFix.exe

.


((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 )))))))))))))))))))))))))))))))

.


2007-11-17 16:03	




SDFix

[code]
SDFix: Version 1.114
Run by Administrator on 2007-11-17 at 16:03

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\eventmgr.exe - Deleted

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-17 16:06:48
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Software\Narzędzia\DAEMON Tools"
"h0"=dword:00000000
"khjeh"=hex:84,be,41,f3,86,57,63,88,87,f8,4c,4d,2f,a9,1a,e8,12,13,9a,dc,04,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,ee,be,57,d7,87,9b,84,0b,9a,cc,c3,41,ce,3d,d8,c5,00,...
"khjeh"=hex:36,62,59,dc,f9,29,72,5e,70,5e,98,b4,e1,24,18,45,a1,6f,2e,7f,25,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:e1,69,7d,21,f4,13,f9,e5,97,9a,7a,54,88,7c,13,30,a1,46,a5,51,6d,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Software\Narzędzia\DAEMON Tools"
"h0"=dword:00000000
"khjeh"=hex:84,be,41,f3,86,57,63,88,87,f8,4c,4d,2f,a9,1a,e8,12,13,9a,dc,04,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,ee,be,57,d7,87,9b,84,0b,9a,cc,c3,41,ce,3d,d8,c5,00,...
"khjeh"=hex:36,62,59,dc,f9,29,72,5e,70,5e,98,b4,e1,24,18,45,a1,6f,2e,7f,25,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:e1,69,7d,21,f4,13,f9,e5,97,9a,7a,54,88,7c,13,30,a1,46,a5,51,6d,...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed 14 Nov 2007         6,470 ..SH. --- "C:\WINDOWS\system32\stvwa.bak1"
Fri 29 Jun 2007         4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 16 Nov 2007             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Wed 25 Jul 2007     5,388,088 A..H. --- "C:\Software\Graficzne\Picasa\Picasa2\setup.exe"
Mon 19 Sep 2005        48,640 A..H. --- "C:\Documents and Settings\Administrator\Dokumenty\Tata\Praca ( inne )~WRL0001.tmp"

Finished!
[/code]

Thanks and regards

It's OK now; you can also delete the file C:\WINDOWS\system32\stvwa.bak1