I caught an anti-antivirus trojan


(Ja27) #1

I have the trojan described here: http://www.pcworld.pl/news/54410.html

I was running without an antivirus for a while because the licence had expired.

Output from Windows Debugger:

Microsoft (R) Windows Debugger Version 6.9.0003.113 X86

Copyright (c) Microsoft Corporation. All rights reserved.



Loading Dump File [C]

Mini Kernel Dump File: Only registers and stack trace are available


Symbol search path is: ***Invalid***

****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************

Executable search path is: 

*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y argument when starting the debugger.               *
*   using .sympath and .sympath+                                    *
*********************************************************************

Unable to load image ntoskrnl.exe, Win32 error 0n2

*** WARNING: Unable to verify timestamp for ntoskrnl.exe

*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe

Windows Vista Kernel Version 6000 MP (2 procs) Free x86 compatible

Product: WinNt, suite: TerminalServer SingleUserTS Personal

Kernel base = 0x81c00000 PsLoadedModuleList = 0x81d11e10

Debug session time: Mon Jul 28 22:25:19.426 2008 (GMT+2)

System Uptime: 0 days 0:00:30.082

*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y argument when starting the debugger.               *
*   using .sympath and .sympath+                                    *
*********************************************************************

Unable to load image ntoskrnl.exe, Win32 error 0n2

*** WARNING: Unable to verify timestamp for ntoskrnl.exe

*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe

Loading Kernel Symbols

.................................................................................................................................................

Loading User Symbols

Loading unloaded module list

.....

Unable to load image ndisuio.sys, Win32 error 0n2

*** WARNING: Unable to verify timestamp for ndisuio.sys

*** ERROR: Module load completed but symbols could not be loaded for ndisuio.sys

Unable to load image ndis.sys, Win32 error 0n2

*** WARNING: Unable to verify timestamp for ndis.sys

*** ERROR: Module load completed but symbols could not be loaded for ndis.sys

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************


Use !analyze -v to get detailed debugging information.


BugCheck 100000D1, {14, 2, 0, 88fa6f7c}


*** WARNING: Unable to verify timestamp for Epfwndis.sys

*** ERROR: Module load completed but symbols could not be loaded for Epfwndis.sys

*** WARNING: Unable to verify timestamp for RT61.sys

*** ERROR: Module load completed but symbols could not be loaded for RT61.sys

***** Kernel symbols are WRONG. Please fix symbols to do analysis.


*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information. Contact the group that       ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************

[the box above is printed eight times in the original output: six times with "Type referenced: nt!_KPRCB" and twice with "Type referenced: nt!KPRCB"]

*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y argument when starting the debugger.               *
*   using .sympath and .sympath+                                    *
*********************************************************************

[the box above is printed twice in the original output]

Probably caused by : ndisuio.sys ( ndisuio+2f7c )


Followup: MachineOwner

Does anyone know how to get rid of it?
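Added note and example, not part of the thread: the line "BugCheck 100000D1, {14, 2, 0, 88fa6f7c}" is readable even without symbols. The code stored in a minidump carries an extra 0x10000000 bit, so the bug check is 0xD1, DRIVER_IRQL_NOT_LESS_OR_EQUAL: kernel code at 0x88fa6f7c read address 0x14 (most likely a structure field reached through a NULL pointer) while running at IRQL 2, DISPATCH_LEVEL. The debugger maps 0x88fa6f7c into ndisuio.sys, but since the same output says "Kernel symbols are WRONG", that "Probably caused by" attribution is not trustworthy; the debugger's own hint applies: run `.symfix`, then `.reload`, then `!analyze -v` before blaming any module, malware included. The Python below was written for this page; it parses those summary lines and decodes the 0xD1 parameters. The sample text is copied from the post above; the regular expressions, the small name tables and the `BugCheck` class are my own and are not a WinDbg API.

```python
"""Decode the bugcheck summary that WinDbg prints for a kernel minidump.

Added example; not part of the forum thread. It parses the summary lines the
debugger prints even when symbols are missing and explains the four
parameters of bug check 0xD1 (DRIVER_IRQL_NOT_LESS_OR_EQUAL).
"""
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: the relevant lines copied from the dump output posted above.
SAMPLE = """\
BugCheck 100000D1, {14, 2, 0, 88fa6f7c}
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
Probably caused by : ndisuio.sys ( ndisuio+2f7c )
"""

# The 0x10000000 bit marks the variant recorded in a minidump header
# (e.g. 0x100000D1 for 0xD1); it is masked off before the name lookup.
MINIDUMP_FLAG_MASK = 0x0FFFFFFF
BUGCHECK_NAMES = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}
# Low IRQLs on x86 Windows; 2 is DISPATCH_LEVEL, where paging is forbidden.
IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}
# A referenced address below one page is a dereference through a NULL pointer.
PAGE_SIZE = 0x1000

BUGCHECK_RE = re.compile(r"^BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", re.M)
CULPRIT_RE = re.compile(
    r"^Probably caused by\s*:\s*(\S+)\s*\(\s*([^)]*?)\s*\)", re.M)


@dataclass
class BugCheck:
    raw_code: int                  # code as printed, e.g. 0x100000D1
    args: tuple                    # the four bugcheck parameters
    symbols_ok: bool               # False if WinDbg said symbols are wrong
    culprit: Optional[str]         # module named by "Probably caused by"
    culprit_offset: Optional[str]  # e.g. "ndisuio+2f7c"

    @property
    def code(self) -> int:
        return self.raw_code & MINIDUMP_FLAG_MASK

    @property
    def name(self) -> str:
        return BUGCHECK_NAMES.get(self.code, "UNKNOWN")


def parse_bugcheck(text: str) -> BugCheck:
    """Pull the BugCheck line and the culprit line out of WinDbg output."""
    m = BUGCHECK_RE.search(text)
    if not m:
        raise ValueError("no BugCheck line found")
    args = tuple(int(a.strip(), 16) for a in m.group(2).split(","))
    c = CULPRIT_RE.search(text)
    return BugCheck(
        raw_code=int(m.group(1), 16),
        args=args,
        symbols_ok="Kernel symbols are WRONG" not in text,
        culprit=c.group(1) if c else None,
        culprit_offset=c.group(2) if c else None,
    )


def explain_d1(bc: BugCheck) -> dict:
    """Interpret the parameters of 0xD1: address, IRQL, access type, PC."""
    if bc.code != 0xD1:
        raise ValueError(f"not a 0xD1 bug check: {bc.code:#x}")
    addr, irql, op, pc = bc.args
    return {
        "referenced_address": addr,
        "null_page_deref": addr < PAGE_SIZE,
        "irql": IRQL_NAMES.get(irql, f"IRQL {irql}"),
        "operation": {0: "read", 1: "write"}.get(op, f"op {op}"),
        "faulting_instruction": pc,
        # Without symbols the module attribution is a guess, not a finding.
        "attribution_reliable": bc.symbols_ok,
    }


if __name__ == "__main__":
    bc = parse_bugcheck(SAMPLE)
    print(f"{bc.name} ({bc.code:#x}) in {bc.culprit} at {bc.culprit_offset}")
    for k, v in explain_d1(bc).items():
        print(f"  {k}: {v:#x}" if isinstance(v, int) and not isinstance(v, bool) else f"  {k}: {v}")
```

For the dump in this post the decoder reports a read of address 0x14 at DISPATCH_LEVEL from 0x88fa6f7c and flags the attribution to ndisuio.sys as unreliable, which is exactly why the thread's later replies ask for a different kind of log instead of acting on this one.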


(adam749) #2

That's not the log you need to paste.

Paste the HijackThis and ComboFix logs on www.wklejto.pl and only post the link here on the forum.


(Ja27) #3

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:27:07, on 2008-07-28

Platform: Windows Vista (WinNT 6.00.1904)

MSIE: Internet Explorer v7.00 (7.00.6000.16575)

Boot mode: Normal


Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Windows\System32\s3trayp.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\RALINK\Common\RaUI.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\Program Files\Opera\Opera.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wuauclt.exe

C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 

O1 - Hosts: ::1 localhost

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe

O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.24\AsRunHelp.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'USŁUGA SIECIOWA')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O13 - Gopher Prefix: 

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe

O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - Unknown owner - C:\Users\Administrator\Desktop\SiSoftware Sandra Lite 2007 XI.SP1\RpcSandraSrv.exe (file missing)


--

End of file - 5141 bytes

(Ja27) #4

Ah, sorry.


(Ja27) #5

And the second one:

http://www.wklejto.pl/6838


(huber2t) #6

Download ComboFix, but don't run it yet.

Open Notepad and paste the following into it:

File::

C:\Windows\System32\~.tmp


Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7a606fe-c7dc-11db-a2b1-806e6f6e6963}]

File -> Save As -> CFScript.txt.

Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, as shown in the attached image (02f8f1e3c410a4cc.gif).

Removal will start and a log will be produced, which you then post on the forum.

Post logs on http://wklejto.pl or http://wklej.org and put only the link in your post.


(Ja27) #7

http://wklejto.pl/6850


(huber2t) #8

The log looks clean.

Manually delete the folder C:\Qoobox and delete the ComboFix installer from the disk.

Clean the computer with CCleaner.

Optimise the startup entries.

Turn System Restore off and back on for all drives. Instructions

Scan the "My Computer" area with http://www.kaspersky.pl/virusscanner.html (run it in IE) and post its report on the forum

or

Dr.WEB CureIt!


(Ja27) #9

Kaspersky report:

http://www.wklejto.pl/6861


(huber2t) #10

Delete this:


(Ja27) #11

I did everything, but it still throws a BlueScreen.


(huber2t) #12

Post the log from this on the forum: http://www.forumpc.pl/index.php?showtopic=16074


(Ja27) #13

It's at the very top.