
I would kindly ask for help. On my system drive I have an application that cannot be deleted; it is called ravia, and underneath it says "ex-it! self extractor". In addition, a Qoobox folder has appeared (but that is probably some ComboFix folder). Also, a system folder opens when I start up. I am posting the logs from ComboFix and HijackThis:
Code:
Logfile of HijackThis v1.99.1
Scan saved at 17:02:48, on 2008-09-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\windows\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\SbPFLnch.exe
C:\windows\System32\snmp.exe
C:\Program Files\Sunbelt Software\SbPFSvc.exe
C:\windows\system32\svchost.exe
C:\windows\RTHDCPL.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Sunbelt Software\SbPFCl.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\windows\system32\wscntfy.exe
C:\windows\system32\wuauclt.exe
C:\windows\explorer.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [WinSmsFi] System
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O17 - HKLM\System\CS2\Services\Tcpip\..\{3FDDFB11-11C5-4A67-911E-DE8E5A64A440}: NameServer = 217.30.129.149 217.30.137.200
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: L Ile Noyee Drivers Auto Removal (pr2ajbeb) (pr2ajbeb) - Micro Application - C:\windows\system32\pr2ajbeb.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\SbPFLnch.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\SbPFSvc.exe
Code:
ComboFix 08-09-11.02 - Administrator 2008-09-12 16:51:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.1582 [GMT 2:00]
Running from: E:\Downloady\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MICROSOFT_WINDOWS_TCP_PROTOCOL
-------\Service_Microsoft Windows TCP Protocol
((((((((((((((((((((((((( Files Created from 2008-08-12 to 2008-09-12 )))))))))))))))))))))))))))))))
.
2008-09-12 15:38 . 2008-09-12 15:38 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-27 10:24 . 2008-08-27 10:28 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-08-27 10:24 . 2008-07-16 09:57 269,736 -ra------ C:\WINDOWS\system32\drivers\SbFw.sys
2008-08-27 10:24 . 2008-06-21 04:54 65,576 --a------ C:\WINDOWS\system32\drivers\SbFwIm.sys
2008-08-27 05:43 . 2008-08-27 05:43 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-27 05:43 . 2008-08-27 05:43 1,120,255 --a------ C:\ravia.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-12 14:31 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-12 14:31 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-09-12 13:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-11 18:03 --------- d-----w C:\Program Files\BitComet
2008-08-29 17:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-08-29 12:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-26 21:50 --------- d-----w C:\Program Files\Soulseek
2008-05-02 12:17 94,080 ----a-w C:\Documents and Settings\Administrator\Application Data\ezplay.sys
2008-05-02 12:17 87,608 ----a-w C:\Documents and Settings\Administrator\Application Data\ezpinst.exe
2008-05-02 12:17 47,360 ----a-w C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
2007-06-29 16:37 23 --sha-w C:\windows\system32\baeaaadb1_r.dll
.
------- Sigcheck -------
2006-01-13 04:03 360448 2a4818aea80acd2c95d7d92d2f3155f8 C:\windows\system32\drivers\tcpip.sys
2006-01-13 03:46 1075200 2deaca71a7fd77205f59d48d76b2f565 C:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="C:\Program Files\CCleaner\CCleaner.exe" [2008-08-22 1234160]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinSmsFi"="System" [X]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"NvCplDaemon"="C:\windows\system32\NvCpl.dll" [2007-04-13 8429568]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 C:\WINDOWS\SkyTel.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnsc"="C:\WINDOWS\system32\msnsc.exe" [2006-01-13 62054]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="C:\windows\system32\tscupgrd.exe" [2006-01-13 44544]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.iac2"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\iac25_32.ax
"msacm.l3codecp"= l3codecp.acm
"msacm.sl_anet"= C:\PROGRA~1\ACEMEG~1\SystemS\sl_anet.acm
"vidc.yv12"= C:\PROGRA~1\ACEMEG~1\SystemS\ATI\atiyuv12.DLL
"vidc.divx"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivX520.dll
"vidc.iyuv"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\iyuv_32.dll
"vidc.yvu9"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\Iyvu9_32.dll
"vidc.uyvy"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.yuy2"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.yvyu"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"msacm.msaudio1"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msaud32.acm
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ageofconan.exe]
"Debugger"="E:\Program Files\Age of Conan Quick Start\aoclaunch.exe"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GBB36X Configure]
-r------- 2006-07-12 11:58 356352 C:\WINDOWS\system32\JMRaidTool.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-04-13 00:44 8429568 C:\WINDOWS\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WireLessKeyboard ]
--a------ 2005-08-03 00:43 217088 C:\Program Files\Multimedia Keyboard\PS2USBKbdDrv.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Soulseek-Test\\slsk.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Tlen.pl\\tlen.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16985:TCP"= 16985:TCP:BitComet 16985 TCP
"16985:UDP"= 16985:UDP:BitComet 16985 UDP
"9225:TCP"= 9225:TCP:BitComet 9225 TCP
"9225:UDP"= 9225:UDP:BitComet 9225 UDP
"19005:TCP"= 19005:TCP:BitComet 19005 TCP
"19005:UDP"= 19005:UDP:BitComet 19005 UDP
"8485:TCP"= 8485:TCP:BitComet 8485 TCP
"8485:UDP"= 8485:UDP:BitComet 8485 UDP
R0 pe3ajbeb;L Ile Noyee Environment Driver (pe3ajbeb);C:\windows\system32\drivers\pe3ajbeb.sys [2007-08-22 64632]
R0 ps7ajbeb;L Ile Noyee Synchronization Driver (ps7ajbeb);C:\windows\system32\drivers\ps7ajbeb.sys [2007-08-22 68736]
R1 aswSP;avast! Self Protection;C:\windows\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 SbFw;SbFw;C:\windows\system32\drivers\SbFw.sys [2008-07-16 269736]
R1 sbhips;Sunbelt HIPS Driver;C:\windows\system32\drivers\sbhips.sys [2008-06-21 66600]
R2 aswFsBlk;aswFsBlk;C:\windows\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 NwSapAgent;SAP Agent;C:\windows\system32\svchost.exe [2006-01-13 14336]
R2 SbPF.Launcher;SbPF.Launcher;C:\Program Files\Sunbelt Software\SbPFLnch.exe [2008-07-30 95528]
R2 SPF4;Sunbelt Personal Firewall 4;C:\Program Files\Sunbelt Software\SbPFSvc.exe [2008-07-30 1361192]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;C:\windows\system32\DRIVERS\sbfwim.sys [2008-06-21 65576]
S2 pr2ajbeb;L Ile Noyee Drivers Auto Removal (pr2ajbeb);C:\windows\system32\pr2ajbeb.exe svc [ ]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eeb5fa59-9eb9-11dc-bafa-0060520b00b9}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eeb5fa5a-9eb9-11dc-bafa-0060520b00b9}]
\Shell\AutoRun\command - fooool.exe
\Shell\explore\Command - fooool.exe
\Shell\open\Command - fooool.exe
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\f8c8jg9u.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npdsplay.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npwmsdrm.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-12 16:59:45
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\snmp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Sunbelt Software\SbPFCl.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-09-12 17:02:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-12 15:02:12
Pre-Run: 3,641,970,688 bytes free
Post-Run: 3,577,044,992 bytes free
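Added triage script for this thread (my own example, not code from the poster, HijackThis or ComboFix). It parses the three line shapes that carry the interesting autostart information in the logs above (HijackThis O4 lines, the ComboFix REGEDIT4 Run/RunOnce blocks, and the mountpoints2 drive handlers) and flags the entries a helper would normally ask the poster about: a Run value that is not a program path, a target ComboFix marked [X] (which I read as "file not found"), an autostart placed in the HKEY_USERS\.DEFAULT hive, and a removable-drive AutoRun/open/explore handler that runs a bare filename. The excerpt embedded in the script is copied from the logs above; the rules and severities are my assumptions, and a flag is a prompt to look closer, not a verdict.

```python
"""Triage helper for HijackThis / ComboFix logs.

Added example for this thread, not code from HijackThis, ComboFix or the poster.
It flags autostart entries that a malware-removal helper would normally ask
about; every flag is a prompt for manual review, not a verdict.
"""
import re
from dataclasses import dataclass

# Excerpt assembled from the logs pasted above (HijackThis O4 lines, the
# ComboFix REGEDIT4 Run/RunOnce blocks and the mountpoints2 block).  Known-good
# entries are kept so the filter has lines to pass as well as lines to flag.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [WinSmsFi] System
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnsc"="C:\WINDOWS\system32\msnsc.exe" [2006-01-13 62054]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="C:\windows\system32\tscupgrd.exe" [2006-01-13 44544]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eeb5fa59-9eb9-11dc-bafa-0060520b00b9}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eeb5fa5a-9eb9-11dc-bafa-0060520b00b9}]
\Shell\AutoRun\command - fooool.exe
\Shell\explore\Command - fooool.exe
\Shell\open\Command - fooool.exe
"""

# The three line shapes handled below.
HJT_O4 = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
REG_KEY = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"(?P<rest>.*)$')
MP2_CMD = re.compile(r'^\\Shell\\(?P<verb>AutoRun|open|explore)\\command - (?P<cmd>.+)$', re.I)
EXE_EXT = re.compile(r'\.(exe|dll|scr|com|cmd|bat|vbs|pif)\b', re.I)


@dataclass
class Finding:
    line: str
    severity: str   # "high": ask the poster about it; "review": unusual location only
    reason: str


def looks_like_path(cmd: str) -> bool:
    """A normal autostart value is a path, or at least a filename with an executable extension."""
    return '\\' in cmd or bool(EXE_EXT.search(cmd))


def is_bare_name(cmd: str) -> bool:
    """No directory and no drive letter: the file is expected next to the drive's autorun.inf."""
    return '\\' not in cmd and ':' not in cmd


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    current_key = ''          # registry key of the REGEDIT4 block being read
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := REG_KEY.match(line):
            current_key = m['key'].lower()
        elif m := HJT_O4.match(line):
            if not looks_like_path(m['cmd']):
                findings.append(Finding(line, 'high',
                    f"Run value '{m['name']}' is not a program path: {m['cmd']!r}"))
        elif m := REG_VALUE.match(line):
            if '[X]' in m['rest']:      # assumption: ComboFix's [X] means the file was not found
                findings.append(Finding(line, 'high',
                    f"'{m['name']}': ComboFix marked the target [X] (file not found)"))
            elif not looks_like_path(m['cmd']):
                findings.append(Finding(line, 'high',
                    f"'{m['name']}' is not a program path: {m['cmd']!r}"))
            elif '\\.default\\' in current_key:
                findings.append(Finding(line, 'review',
                    'autostart under HKEY_USERS\\.DEFAULT, a hive ordinary installers rarely touch'))
        elif 'mountpoints2' in current_key and (m := MP2_CMD.match(line)):
            # A bare filename in a drive's AutoRun/open/explore handler is the
            # classic autorun.inf pattern used by removable-media worms.
            sev = 'high' if is_bare_name(m['cmd']) else 'review'
            note = ' (bare filename: classic autorun.inf worm pattern)' if sev == 'high' else ''
            findings.append(Finding(line, sev, f"drive {m['verb']} handler runs {m['cmd']!r}{note}"))
    return findings


def report(findings: list[Finding]) -> str:
    return '\n'.join(f'[{f.severity:6}] {f.reason}\n         {f.line}' for f in findings)


if __name__ == '__main__':
    print(report(triage(SAMPLE_LOG)))
```

On the excerpt above the script reports WinSmsFi (value "System" is not a file), nlsf (RunOnce value "move", marked [X]) and the three fooool.exe drive handlers as "high", and the .DEFAULT Run/RunOnce entries and the I:\LaunchU3.exe handler as "review". To run it over a full log, replace SAMPLE_LOG with the file contents; lines the parser does not recognise are simply skipped.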