Wykryty backdoor.wi32.agent.arb

Dla specjalistów Bezpieczeństwo
#1

pomózcie kasperski wykrył backdoor.win32.agent.arb

o to logi do sprawdzenia i raport kasperskiego

“Silent Runners.vbs”, revision R51, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}” = ““C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe”” [“Nero AG”]

“ctfmon.exe” = “C:\WINDOWS\system32\ctfmon.exe” [MS]

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++}

“SpybotDeletingB7983” = “command /c del “C:\Program Files\Internet Explorer\Setup\svchost.exe”” [null data]

“SpybotDeletingD2046” = “cmd /c del “C:\Program Files\Internet Explorer\Setup\svchost.exe”” [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“SoundMAXPnP” = “C:\Program Files\Analog Devices\Core\smax4pnp.exe” [“Analog Devices, Inc.”]

“SoundMAX” = ““C:\Program Files\Analog Devices\SoundMAX\Smax4.exe” /tray” [“Analog Devices, Inc.”]

“NeroFilterCheck” = “C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe” [“Nero AG”]

“LogitechVideoRepair” = “E:\Program Files\Logitech\Video\ISStart.exe” [“Labtec Inc.”]

“LogitechVideoTray” = “E:\Program Files\Logitech\Video\LogiTray.exe” [“Labtec Inc.”]

“LXCCCATS” = “rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16” [MS]

“lxccmon.exe” = ““C:\Program Files\Lexmark 3300 Series\lxccmon.exe”” [“Lexmark International, Inc.”]

“FaxCenterServer” = ““C:\Program Files\Lexmark Fax Solutions\fm3032.exe” /s” [null data]

“CnxDslTaskBar” = "“C:\Program Files\ZTE Corporation\ZXDSL852\CnxDslTb.exe” “ZTE Corporation\ZXDSL852"” [“Conexant Systems, Inc.”]

“SunJavaUpdateSched” = “rem “C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe”” [file not found]

“nod32kui” = ““C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE” ["Eset "]

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++}

“SpybotDeletingA1847” = “command /c del “C:\Program Files\Internet Explorer\Setup\svchost.exe”” [null data]

“SpybotDeletingC6568” = “cmd /c del “C:\Program Files\Internet Explorer\Setup\svchost.exe”” [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)

-> {HKLM…CLSID} = “AcroIEHlprObj Class”

\InProcServer32(Default) = “E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”]

{22BF413B-C6D2-4d91-82A9-A0F997BA588C}(Default) = “Skype add-on (mastermind)”

-> {HKLM…CLSID} = “Skype add-on (mastermind)”

\InProcServer32(Default) = “C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll” [“Skype Technologies S.A.”]

{53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided)

-> {HKLM…CLSID} = “Spybot-S&D IE Protection”

\InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)

-> {HKLM…CLSID} = “SSVHelper Class”

\InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll” [“Sun Microsystems, Inc.”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”

-> {HKLM…CLSID} = “HyperTerminal Icon Ext”

\InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”]

“{EFA24E62-B078-11d0-89E4-00C04FC9E26E}” = “History Band”

-> {HKLM…CLSID} = “History Band”

\InProcServer32(Default) = “C:\WINDOWS\system32\shdocvw.dll” [MS]

“{5E2121EE-0300-11D4-8D3B-444553540000}” = “Catalyst Context Menu extension”

-> {HKLM…CLSID} = “SimpleShlExt Class”

\InProcServer32(Default) = “C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll” [empty string]

“{A155339D-CCCD-4714-85EB-3754B804C9DF}” = “a-squared Free Shell Extension”

-> {HKLM…CLSID} = “a-squared Free Shell Extension”

\InProcServer32(Default) = “C:\Program Files\a-squared Free\a2freecontmenu.dll” [“Emsi Software GmbH”]

“{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}” = “My Labtec Pictures”

-> {HKLM…CLSID} = “My Labtec Pictures”

\InProcServer32(Default) = “E:\Program Files\Logitech\Video\Namespc2.dll” [“Labtec Inc.”]

“{B089FE88-FB52-11D3-BDF1-0050DA34150D}” = “NOD32 Context Menu Shell Extension”

-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data]

“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “E:\Program Files\rarext.dll” [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info”

-> {HKLM…CLSID} = “PDF Shell Extension”

\InProcServer32(Default) = “E:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\

NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}”

-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “E:\Program Files\rarext.dll” [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “E:\Program Files\rarext.dll” [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

a-squared Free Shell Extension(Default) = “{A155339D-CCCD-4714-85EB-3754B804C9DF}”

-> {HKLM…CLSID} = “a-squared Free Shell Extension”

\InProcServer32(Default) = “C:\Program Files\a-squared Free\a2freecontmenu.dll” [“Emsi Software GmbH”]

NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}”

-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “E:\Program Files\rarext.dll” [null data]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

a-squared Free Shell Extension(Default) = “{A155339D-CCCD-4714-85EB-3754B804C9DF}”

-> {HKLM…CLSID} = “a-squared Free Shell Extension”

\InProcServer32(Default) = “C:\Program Files\a-squared Free\a2freecontmenu.dll” [“Emsi Software GmbH”]

Group Policies {policy setting}:

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

“NoResolveTrack” = (REG_DWORD) hex:0x00000001

{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

“NoResolveTrack” = (REG_DWORD) hex:0x00000001

{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

“shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001

{Shutdown: Allow system to be shut down without having to log on}

“undockwithoutlogon” = (REG_DWORD) hex:0x00000001

{Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

“Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp”

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

“Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp”

Enabled Screen Saver:

HKCU\Control Panel\Desktop\

“SCRNSAVE.EXE” = “C:\WINDOWS\system32\logon.scr” [MS]

Startup items in “admin” & “All Users” startup folders:

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

“Adobe Reader Speed Launch” -> shortcut to: “E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”]

Winsock2 Service Provider DLLs:

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]

000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 31

%SYSTEMROOT%\system32\nvappfilter.dll [“NVIDIA”], 06 - 08, 14

%SystemRoot%\system32\mswsock.dll [MS], 09 - 11, 15 - 30

%SystemRoot%\system32\rsvpsp.dll [MS], 12 - 13

Toolbars, Explorer Bars, Extensions:

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{77BF5300-1474-4EC7-9980-D32B190E9B07}\

“ButtonText” = “Skype”

“CLSIDExtension” = “{77BF5300-1474-4EC7-9980-D32B190E9B07}”

-> {HKLM…CLSID} = “Skype add-on (button)”

\InProcServer32(Default) = “C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll” [“Skype Technologies S.A.”]

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\

“MenuText” = “Spybot - Search & Destroy Configuration”

“CLSIDExtension” = “{53707962-6F74-2D53-2644-206D7942484F}”

-> {HKLM…CLSID} = “Spybot-S&D IE Protection”

\InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\

“MenuText” = “@xpsp3res.dll,-20001”

“Exec” = “%windir%\Network Diagnostic\xpnetdiag.exe” [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):

a-squared Free Service, a2free, ““C:\Program Files\a-squared Free\a2service.exe”” [“Emsi Software GmbH”]

Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”]

ATK Keyboard Service, ATKKeyboardService, “C:\WINDOWS\ATKKBService.exe” [“ASUSTeK COMPUTER INC.”]

ForceWare Intelligent Application Manager (IAM), ForceWare Intelligent Application Manager (IAM), “C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe” [empty string]

ForceWare IP service, nSvcIp, “C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe” [“NVIDIA Corporation”]

ForceWare user log service, nSvcLog, “C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe” [“NVIDIA Corporation”]

Forceware Web Interface, ForcewareWebInterface, ““C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe” -k runservice” [“Apache Software Foundation”]

LightScribeService Direct Disc Labeling Service, LightScribeService, ““C:\Program Files\Common Files\LightScribe\LSSrvc.exe”” [“Hewlett-Packard Company”]

lxcc_device, lxcc_device, “C:\WINDOWS\system32\lxcccoms.exe -service” [“Lexmark International, Inc.”]

NMIndexingService, NMIndexingService, ““C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe”” [“Nero AG”]

NOD32 Kernel Service, NOD32krn, ““C:\Program Files\Eset\nod32krn.exe”” ["Eset "]

Registry Management Service, RegManServ, “E:\Advanced Registry Doctor\RegManServ.exe” [null data]

Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS]

Print Monitors:

HKLM\System\CurrentControlSet\Control\Print\Monitors\

3300 Series Port\Driver = “lxcclmpm.DLL” [“Lexmark International, Inc.”]

Lexmark Print-2-Fax Port\Driver = “LXPRMON.DLL” [null data]

---------- (launch time: 2007-08-31 20:01:25)

<>: Suspicious data at a malware launch point.

  • This report excludes default entries except where indicated.

  • To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

  • The search for DESKTOP.INI DLL launch points on all local fixed drives

took 14 seconds.

---------- (total run time: 40 seconds)

#2

Te w/w wpisy sfiksuj w Hijacku:

>>Hijack>>scan(Do a system scan only)>>zaznacz je >> Fix checked.

Jeśli nie masz jakiegoś narzędzia usuwającego, to ściągnij OTMoveIt

Do pola Paste List of Files/Folders to be Moved wklej poniższe ścieżki:

Następnie wciśnij przycisk MoveIt!

Pojawi się komunikat, że jest potrzebny restart do usunięcia podanych plików/folderów- wciśnij Yes.

Po restarcie usuń ręcznie folder C:** _OTMoveIt** (Prawoklik >>> Usuń >>> Opróżnij Kosz).

Opróżnij foldery “TEMP”, “Temporary Internet Files” oraz “System Volume Information”

Potem daj log z Hijacka oraz log z ComboFix (na dole tej strony z linku) -

Log wklej na http://wklej.org/, a w poście daj tylko link.

jessi

#3

sory ale nie widzę w hijacku tych wpisów które mam usunąć

oto logi

#4

Log wygląda na czysty.

Te sfiksowania podałam na wszelki wypadek, gdyby te wpisy były.

One teoretycznie powinny same zniknąć po restarcie, bo oznaczone były jako “RunOnce”. I rzeczywiście - same zniknęły.

jessi

#5

dzięki za wyjasnienie

czy ktos moze mi powiedzieć jak otworzyć porty zmknięte przez windows woorms doors cleaner obawiam sie że zamknąłem nie te porty co trzeba i przez to ares zrywa mi połaczenia podczas ściągania wwdc nie chce sie uruchomic wyskakuje błąd explorer exe

czy jest jakis sposub lub program na otworzenie ręcznie zamkniętych portów

prosze pomózcie i przepraszam jak piszę nie w tym miejscu

#6

Te porty możesz praktycznie otworzyć tylko przy pomocy WWDC, inny sposób wymaga zaniesienia komputera do serwisu naprawczego.

Jeśli WWDC nie chce działać, to go usuń i jeszcze raz ściągnij.

A tak poza tym, to nie sądzę, by te robaczywe porty miały jakiś związek z Aresem.

jessi

#7

dzięki za radę to będzie kiszka jak nie moge tych portow sam otworzyć a czy format odblokuje mi te porty

i może mi ktoś powie dlaczego ares po paru minutach zrywa połączenie