backdoor

[Alucard]

Niedawno przez przypadek nieświadomie uruchomiłem prawdopodobnie zainfekowany plik. Nie mam jednak co do tego pewności, ponieważ po przeskanowaniu na virusscan.jotti takie antywirusy jak Kasperksy czy Nod32 nic nie wykryły za to inne (m.in panda) wychwyciły backdoora.
Wolę się jednak upewnić czy nie ma, aby na kompie żadnego syfku, więc dla pewności zamieszczam log z HiJacka.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:32:00, on 2008-04-19
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
D:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

Mało tego, bo komputer świeżo po formacie.

[wojtas]

w jakim pliku panda znalazła backdoora?


Wykonaj to co jest podane w tym temacie

Zastosuj SDFix . Po pobraniu uruchom go a rozpakuje się do C:\SDFix. Uruchom komputer w trybie awaryjnym (F8 przy stracie systemu). Będąc w awaryjnym uruchom plik RunThis.bat z folderu SDFixa. Zatwierdź czyszczenie przez Y. Poczekaj aż ukończy i komputer zresetuje

Potem wejdz do folderu C:\SDFix wrzuc zawartość pliku Report.txt + log z combofixa

[Alucard]

log z ComboFix:

ComboFix 08-04-18.3 - Administrator 2008-04-19 13:58:21.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.48.1045.18.496 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Moje dokumenty\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.

2008-04-19 13:32 . 2008-04-19 13:32 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-19 13:31 . 2008-04-19 13:59 <DIR> d--h----- C:\Documents and Settings\Administrator\Ustawienia lokalne
2008-04-19 13:31 . 2008-04-17 02:02 <DIR> d-------- C:\Documents and Settings\Administrator\Ulubione
2008-04-19 13:31 . 2008-04-17 00:13 <DIR> d--h----- C:\Documents and Settings\Administrator\Szablony
2008-04-19 13:31 . 2008-04-19 13:59 <DIR> d-------- C:\Documents and Settings\Administrator\Pulpit
2008-04-19 13:31 . 2008-04-17 02:02 <DIR> d-------- C:\Documents and Settings\Administrator\Moje dokumenty
2008-04-19 13:31 . 2008-04-17 02:02 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
2008-04-19 13:31 . 2008-04-17 02:02 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dane aplikacji
2008-04-19 13:31 . 2008-04-19 13:31 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-19 13:31 . 2008-04-19 13:58 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-19 13:27 . 2008-04-19 13:47 <DIR> d-------- C:\SDFix
2008-04-19 00:33 . 2008-04-19 00:33 31 --a------ C:\WINDOWS\idc.ini
2008-04-19 00:33 . 2008-04-19 00:33 18 --a------ C:\WINDOWS\usdthank.ini
2008-04-17 21:45 . 2008-04-17 23:17 754 --a------ C:\WINDOWS\WORDPAD.INI
2008-04-17 20:56 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-04-17 20:56 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-04-17 20:55 . 2008-04-17 20:55 223 --a------ C:\WINDOWS\HP Precisionscan Pro.INI
2008-04-17 20:50 . 2008-04-17 20:50 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-04-17 20:48 . 2008-04-17 20:48 <DIR> d-------- C:\Hewlett-Packard
2008-04-17 20:45 . 2008-04-17 20:45 <DIR> d-------- C:\sj659
2008-04-17 15:48 . 2006-03-02 14:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-04-17 15:35 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-17 15:32 . 2008-04-17 15:35 <DIR> d-------- C:\Program Files\Java
2008-04-17 15:29 . 2008-04-17 15:29 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-17 12:16 . 2008-04-17 12:16 <DIR> d-------- C:\Python25
2008-04-17 12:09 . 2006-06-26 02:49 1,867,776 --a------ C:\WINDOWS\system32\python24.dll
2008-04-17 12:08 . 2006-06-26 02:49 1,867,776 --a------ C:\WINDOWS\python24.dll
2008-04-17 11:08 . 2008-04-17 11:08 <DIR> d-------- C:\WINDOWS\Sun
2008-04-17 02:14 . 2008-04-17 02:17 <DIR> d-------- C:\Documents and Settings\Administrator\Gadu-Gadu
2008-04-17 02:14 . 2008-04-17 02:14 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Gadu-Gadu
2008-04-17 02:06 . 2004-08-04 02:35 58,624 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-04-17 02:06 . 2004-08-04 01:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-17 02:05 . 2004-08-04 01:15 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2008-04-17 02:05 . 2004-08-04 02:44 130,048 --a------ C:\WINDOWS\system32\ksproxy.ax
2008-04-17 02:05 . 2001-08-17 22:20 96,256 --a------ C:\WINDOWS\system32\drivers\ac97intc.sys
2008-04-17 02:05 . 2004-08-04 02:44 77,312 --a------ C:\WINDOWS\system32\usbui.dll
2008-04-17 02:05 . 2004-08-04 01:08 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2008-04-17 02:05 . 2004-08-04 01:07 42,368 --a------ C:\WINDOWS\system32\drivers\AGP440.SYS
2008-04-17 02:05 . 2004-08-04 02:44 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2008-04-17 02:02 . 2008-04-17 20:46 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2008-04-17 02:02 . 2008-04-17 02:02 <DIR> dr-h----- C:\Documents and Settings\Default User\Ustawienia lokalne
2008-04-17 02:02 . 2008-04-17 02:02 <DIR> d-------- C:\Documents and Settings\Default User\Ulubione
2008-04-17 02:02 . 2008-04-17 00:13 <DIR> d--h----- C:\Documents and Settings\Default User\Szablony
2008-04-17 02:02 . 2008-04-17 02:02 <DIR> d-------- C:\Documents and Settings\Default User\Pulpit
2008-04-17 02:02 . 2008-04-17 02:02 <DIR> d-------- C:\Documents and Settings\Default User\Moje dokumenty
2008-04-17 02:02 . 2008-04-17 02:02 <DIR> dr------- C:\Documents and Settings\Default User\Menu Start
2008-04-17 02:02 . 2008-04-17 02:02 <DIR> dr-h----- C:\Documents and Settings\Default User\Dane aplikacji
2008-04-17 02:02 . 2008-04-17 02:02 <DIR> d-------- C:\Documents and Settings\All Users\Ulubione
2008-04-17 02:02 . 2008-04-17 02:02 <DIR> d--h----- C:\Documents and Settings\All Users\Szablony
2008-04-17 02:02 . 2008-04-19 00:53 <DIR> d-------- C:\Documents and Settings\All Users\Pulpit
2008-04-17 02:02 . 2008-04-17 00:46 <DIR> dr------- C:\Documents and Settings\All Users\Menu Start
2008-04-17 02:02 . 2008-04-17 00:15 <DIR> dr------- C:\Documents and Settings\All Users\Dokumenty
2008-04-17 02:02 . 2008-04-17 00:56 <DIR> dr-h----- C:\Documents and Settings\All Users\Dane aplikacji
2008-04-17 02:01 . 2008-04-17 00:20 <DIR> d--h----- C:\Documents and Settings\Default User
2008-04-17 02:01 . 2008-04-17 00:18 <DIR> d-------- C:\Documents and Settings\All Users
2008-04-17 02:01 . 2008-04-19 13:31 <DIR> d-------- C:\Documents and Settings
2008-04-17 02:00 . 2008-04-17 00:24 261 --a------ C:\WINDOWS\system32\$winnt$.inf
2008-03-29 08:21 . 2008-03-29 08:21 2,873,856 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-03-29 08:21 . 2008-03-29 08:21 2,873,856 --a--c--- C:\WINDOWS\system32\dllcache\ati2mtag.sys
2008-03-29 07:19 . 2008-03-29 07:19 9,801,728 --a------ C:\WINDOWS\system32\atioglx2.dll
2008-03-29 06:40 . 2008-03-29 06:40 167,936 --a------ C:\WINDOWS\system32\atiok3x2.dll
2008-03-29 06:05 . 2008-03-29 06:05 372,736 --a------ C:\WINDOWS\system32\ATIDEMGX.dll
2008-03-29 06:04 . 2008-03-29 06:04 299,008 --a--c--- C:\WINDOWS\system32\dllcache\ati2dvag.dll
2008-03-29 06:04 . 2008-03-29 06:04 299,008 --a------ C:\WINDOWS\system32\ati2dvag.dll
2008-03-29 05:56 . 2008-03-29 05:56 172,032 --a------ C:\WINDOWS\system32\atipdlxx.dll
2008-03-29 05:56 . 2008-03-29 05:56 126,976 --a------ C:\WINDOWS\system32\Oemdspif.dll
2008-03-29 05:55 . 2008-03-29 05:55 126,976 --a------ C:\WINDOWS\system32\ati2evxx.dll
2008-03-29 05:55 . 2008-03-29 05:55 43,520 --a------ C:\WINDOWS\system32\ati2edxx.dll
2008-03-29 05:55 . 2008-03-29 05:55 26,112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe
2008-03-29 05:54 . 2008-03-29 05:54 536,576 --a------ C:\WINDOWS\system32\ati2evxx.exe
2008-03-29 05:52 . 2008-03-29 05:52 53,248 --a------ C:\WINDOWS\system32\ATIDDC.DLL
2008-03-29 05:43 . 2008-03-29 05:43 3,176,480 --a--c--- C:\WINDOWS\system32\dllcache\ati3duag.dll
2008-03-29 05:43 . 2008-03-29 05:43 3,176,480 --a------ C:\WINDOWS\system32\ati3duag.dll
2008-03-29 05:39 . 2008-03-29 05:39 307,200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2008-03-29 05:36 . 2008-03-29 05:36 3,107,788 --a------ C:\WINDOWS\system32\ativvaxx.dat
2008-03-29 05:36 . 2008-03-29 05:36 3,107,788 --a------ C:\WINDOWS\system32\ativva5x.dat
2008-03-29 05:36 . 2008-03-29 05:36 1,765,120 --a--c--- C:\WINDOWS\system32\dllcache\ativvaxx.dll
2008-03-29 05:36 . 2008-03-29 05:36 1,765,120 --a------ C:\WINDOWS\system32\ativvaxx.dll
2008-03-29 05:36 . 2008-03-29 05:36 887,724 --a------ C:\WINDOWS\system32\ativva6x.dat
2008-03-29 05:24 . 2008-03-29 05:24 46,080 --a------ C:\WINDOWS\system32\amdpcom32.dll
2008-03-29 05:23 . 2008-03-29 05:23 5,439,488 --a------ C:\WINDOWS\system32\atioglxx.dll
2008-03-29 05:21 . 2008-03-29 05:21 393,216 --a------ C:\WINDOWS\system32\atikvmag.dll
2008-03-29 05:19 . 2008-03-29 05:19 17,408 --a------ C:\WINDOWS\system32\atitvo32.dll
2008-03-29 05:18 . 2008-03-29 05:18 49,152 --a------ C:\WINDOWS\system32\drivers\ati2erec.dll
2008-03-29 05:12 . 2008-03-29 05:12 520,192 --a--c--- C:\WINDOWS\system32\dllcache\ati2cqag.dll
2008-03-29 05:12 . 2008-03-29 05:12 520,192 --a------ C:\WINDOWS\system32\ati2cqag.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-19 08:18 --------- d---a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-04-16 22:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-16 22:30 --------- d-----w C:\Program Files\SAGEM
2008-04-16 22:30 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-16 22:20 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-16 22:17 --------- d-----w C:\Program Files\Usługi online
2008-03-28 19:05 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe
2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-21 11:11 2,117,632 ----a-w C:\WINDOWS\system32\python25.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:38 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 09:05 662,016 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=


.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 13:59:53
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-04-19 14:02:25
ComboFix-quarantined-files.txt 2008-04-19 12:01:22

Pre-Run: 16,086,446,080 bajtów wolnych
Post-Run: 16,145,154,048 bajtów wolnych

Report z SDFix:

SDFix: Version 1.172
Run by Administrator on 2008-04-19 at 13:34

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 13:40:24
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 65536 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :


Finished!

Jeszcze coś: większość antywirusów wykrywała coś o nazwie PcCilent.GV lub Win32.HLLM.Paps .

[wojtas]

w jakim pliku??

[Alucard]

Ale o co chodzi? Jeśli o rozszerzenie to exe.

[wojtas]

o nazwe pliku w jakim wykrywa Ci wirusa

Autor postu otrzymał pochwałę

[Alucard]

Był to program Gameboost - Setup (jeśli chodzi ci o to, że antywiry ześwirowały to wątpię, bo pobrałem z innego źródła i nic nie wykryły).

[wojtas]

1. Ściągnij OTMoveIt i go włacz i odpal go z opcji CleanUp
2. wykonaj optymalizację windowsa
3.sciagnij ATF_Cleaner
zaznacz
Windows Temp
All users Temp
Temporary internet files
Recycle Bin
i wcisnij EMPTY SELECTED
4.Wyłącz przywracanie systemu ( właściwości mój komputer-zakładka przywracanie - wyłącz przywracanie na wszystkich dyskach). Po chwili włącz je powrotem

i bedzie ok

[Alucard]

Czyli mam rozumieć, że logi są czyste? Wielkie dzięki .