Trojan Vundo.H (HijackThis / Malwarebytes)

#1
June 3, 2009, 01:39
New Member

Trojan Vundo.H (HijackThis / Malwarebytes)

I ran Malwarebytes Anti-Malware but it did not get rid of all the viruses / memory modules / registry keys.
I also ran HijackThis and removed some of the .dll files found by Malwarebytes, but not all of them go.


Malwarebytes' Anti-Malware 1.37
Database version: 2216
Windows 5.1.2600 Service Pack 2

02/06/2009 22:04:31
mbam-log-2009-06-02 (22-04-31).txt

Scan type: Quick Scan
Objects scanned: 89,008
Time elapsed: 3 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 13
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\dwkljtof.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\becbn.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\xanyzwy.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{936182df-5f7a-4d1e-a86f-a6d0f061e70a} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\feuyhaok (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{936182df-5f7a-4d1e-a86f-a6d0f061e70a} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0e8459fd-af07-48F1-8cd1-3884d15eaf47} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0e8459fd-af07-48F1-8cd1-3884d15eaf47} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0e8459fd-af07-48F1-8cd1-3884d15eaf47} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bmbgzbpm (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\bmbgzbpm (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bmbgzbpm (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{936182df-5f7a-4d1e-a86f-a6d0f061e70a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{10c0b0c0-fc01-473b-8ebb-4376353f96e4} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{10c0b0c0-fc01-473b-8ebb-4376353f96e4} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10c0b0c0-fc01-473b-8ebb-4376353f96e4} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\append.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xlib254.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\xanyzwy.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\dwkljtof.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\becbn.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\zfmhjbu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\bekbn.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\jcnfgawt.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\sjbxdggg.sys (Rootkit.Agent) -> Delete on reboot.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:52:36, on 02/06/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe
C:\WINDOWS\system32\carpserv.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
C:\WINDOWS\System32\astsrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\oodag.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Common Files\Mozilla Shared\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiny.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {936182df-5f7a-4d1e-a86f-a6d0f061e70a} - C:\WINDOWS\system32\xanyzwy.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\bin\regist~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\ie_bar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11D2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11D2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tiny.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\System32\avgrsstx.dll
O20 - Winlogon Notify: feuyhaok - C:\WINDOWS\System32\xanyzwy.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (file missing)
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: Asta Service (astcc) - Nalpeiron Ltd - C:\WINDOWS\System32\astsrv.exe
O23 - Service: ATI HotKey Poller - ATI Technologies Inc - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Licensing Service Network - Autodesk, Inc - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PC Tools Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire (threatfire) - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 7951 bytes


Any help please, the computer is going mad: Task Manager is locked, browsing is a pain with constant pop-ups, and some programs are disabled. I'm thinking about a complete reinstall, but I just want the system stable enough to back up my files first.

#2
June 3, 2009, 10:31
Moderator Group

Trojan Vundo.H (HijackThis / Malwarebytes)

Download DDS by sUBs and save it to your Desktop. Alternate DDS download link

Vista users: right-click dds and select Run as administrator (you will get a UAC prompt; allow it).

* XP users: double-click dds to run it.
* If your antivirus or firewall tries to block DDS, allow it to run.
* When it finishes, DDS will open two (2) logs:

1) DDS.txt
2) Attach.txt

* Save both logs to your Desktop.
* Copy and paste the entire contents of both into your next reply.

Note: DDS will instruct you to post Attach.txt as an attachment.
Please post it just like any other log, by copying and pasting it into your reply.
Copyright © 2006 - 2009 Kompiuterių Sultys.