JS/TrojanDownloader.Agent.NRL

[pitimir]

S tym casom je to u mna podobne, takze budem tu v najblizsej dobe len vecer.

K veci: Log zo SL podal info, ktore som potreboval. Mozem poprosit o novy log z DDS? Este raz skusime vytvorit log do CF a ak sa to nepodari, budeme mazat inak

[Grysom]

[pitimir]

Dobre. Postup s ComboFixom a CFScriptom zostava rovnaky, ako v predchadzajucom pokuse. Tentokrat ale bude v tomto zneni:

Kód: Vybrat vše

KillAll::
DDS::
uURLSearchHooks: QIPBHO Class: {95289393-33ea-4f8d-b952-483415b9c955} - c:\documents and settings\malechovi\data aplikací\microsoft\internet explorer\qipsearchbar.dll
BHO: QIPBHO Class: {95289393-33ea-4f8d-b952-483415b9c955} - c:\documents and settings\malechovi\data aplikací\microsoft\internet explorer\qipsearchbar.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
TB: {855F3B16-6D32-4FE6-8A56-BBB695989046} - No File
TB: {FE063DB9-4EC0-403E-8DD8-394C54984B2C} - No File
TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
IE: &ICQ Toolbar Search - c:\program files\icqtoolbar\toolbaru.dll/SEARCH.HTML
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shoc ... wflash.cab

Folder::
c:\program files\icqtoolbar
C:\FOUND.001
C:\FOUND.000

FireFox::
FF - ProfilePath - c:\docume~1\malech~1\dataap~1\mozilla\firefox\profiles\nfr3vpvw.default\
FF - prefs.js: browser.search.selectedEngine - QIP Search
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=

Driver::
oreans32

Rootkit::
c:\windows\system32\drivers\oreans32.sys

StepDel::

[Grysom]

[pitimir]

Vymenime pracovny nastroj...

1) Stiahni si Win32kDiag, najlepsie na plochu. Spust dvojklikom, po skonceni scanu by sa ti mal zobrazit textovy subor. Jeho obsah sem vloz.


2) Stiahni a uloz Junction, najlepsie na plochu. Extrahuj a subor Junction.exe presun ho do "%SystemRoot%" (vacsinou "C:\Windows"). Potom spravis nasledovne:

Start -> Spustit -> (napis) cmd /c junction -s c:\ >log.txt&log.txt& del log.txt
Enter.

Zacne scan, po jeho skonceni sa ti zobrazi textovy dokument. Jeho obsah sem skopiruj.


3) Stiahni Avenger. Spust ho a suhlas s podmienkami atd.
Do bieleho pola v strede programu vloz skript:

Kód: Vybrat vše

Files to delete:
c:\windows\system32\drivers\oreans32.sys

Drivers to delete:
oreans32

Stlac "Execute" -> "Yes". Restart a vloz log.

[Grysom]

[Grysom]

[pitimir]

OK, jeden rootkit odstraneny a teraz skusime rozchodit dalsi nastroj:

Stiahni OTL. Uloz na plochu a spust dvojklikom subor "OTL.exe". Otvori sa okno programu, v nom zaskrtni "Scan All Users", "Lop" aj "Purity Check" a "File Scan" zmen na 7 dni miesto 30. Do policka pod nazvom "Custom Scans/Fixes" skopiruj:

Kód: Vybrat vše

netsvcs
%SYSTEMDRIVE%\*.exe
%SYSTEMDRIVE%\eventlog.dll /s /md5
%SYSTEMDRIVE%\scecli.dll /s /md5
%SYSTEMDRIVE%\netlogon.dll /s /md5
%SYSTEMDRIVE%\cngaudit.dll /s /md5
%SYSTEMDRIVE%\sceclt.dll /s /md5
%SYSTEMDRIVE%\ntelogon.dll /s /md5
%SYSTEMDRIVE%\logevent.dll /s /md5
%SYSTEMDRIVE%\iaStor.sys /s /md5
%SYSTEMDRIVE%\nvstor.sys /s /md5
%SYSTEMDRIVE%\atapi.sys /s /md5
%SYSTEMDRIVE%\IdeChnDr.sys /s /md5
%SYSTEMDRIVE%\viasraid.sys /s /md5
%SYSTEMDRIVE%\AGP440.sys /s /md5
%SYSTEMDRIVE%\vaxscsi.sys /s /md5
%SYSTEMDRIVE%\nvatabus.sys /s /md5
%SYSTEMDRIVE%\viamraid.sys /s /md5
%SYSTEMDRIVE%\nvata.sys /s /md5
%SYSTEMROOT%\*. /mp /s
CREATERESTOREPOINT
%SYSTEMROOT%\system32\*.dll /lockedfiles
%SYSTEMROOT%\Tasks\*.job /lockedfiles

Potom klikni na "Run Scan". Zacne scan pocitaca, po jeho ukonceni sa otvoria dva reporty - obsah oboch potrebujem vidiet.

[Grysom]

[pitimir]

OK, netrpezlivo ocakavam

A dakujem

[Grysom]

[pitimir]

Skus este raz...ak by to neslapalo ani potom, nevkladaj ziaden skript do "Custom Scans/Fixes", len nastav a spust program

[Grysom]

[pitimir]

1) Skopiruj v OTL do policka pod nazvom "Custom Scans/Fixes":

Kód: Vybrat vše

:otl
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKU\S-1-5-21-1409082233-1454471165-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Prev Search Page = http://google.icq.com
IE - HKU\S-1-5-21-1409082233-1454471165-1417001333-1003\..\URLSearchHook: {95289393-33EA-4F8D-B952-483415B9C955} - C:\Documents and Settings\Malechovi\Data aplikací\Microsoft\Internet Explorer\qipsearchbar.dll (qip.ru)
FF - prefs.js..browser.search.defaultenginename: "QIP Search"
FF - prefs.js..browser.search.selectedEngine: "QIP Search"
FF - prefs.js..keyword.URL: "http://search.qip.ru/search?from=FF&query="
[2010.01.23 19:31:48 | 00,000,961 | ---- | M] () -- C:\Documents and Settings\Malechovi\Data aplikací\Mozilla\Firefox\Profiles\nfr3vpvw.default\searchplugins\icqplugin-2.xml
[2009.01.28 16:06:10 | 00,002,061 | ---- | M] () -- C:\Documents and Settings\Malechovi\Data aplikací\Mozilla\Firefox\Profiles\nfr3vpvw.default\searchplugins\qipsearch.xml
[2009.02.19 18:09:48 | 00,000,950 | ---- | M] () -- C:\Documents and Settings\Malechovi\Data aplikací\Mozilla\Firefox\Profiles\nfr3vpvw.default\searchplugins\icqplugin-1.xml
[2009.02.20 17:28:26 | 00,000,950 | ---- | M] () -- C:\Documents and Settings\Malechovi\Data aplikací\Mozilla\Firefox\Profiles\nfr3vpvw.default\searchplugins\icqplugin-4.xml
[2009.02.21 13:30:06 | 00,000,950 | ---- | M] () -- C:\Documents and Settings\Malechovi\Data aplikací\Mozilla\Firefox\Profiles\nfr3vpvw.default\searchplugins\icqplugin-3.xml
[2009.02.21 19:40:34 | 00,000,951 | ---- | M] () -- C:\Documents and Settings\Malechovi\Data aplikací\Mozilla\Firefox\Profiles\nfr3vpvw.default\searchplugins\icqplugin.xml
[2009.02.23 18:28:08 | 00,000,950 | ---- | M] () -- C:\Documents and Settings\Malechovi\Data aplikací\Mozilla\Firefox\Profiles\nfr3vpvw.default\searchplugins\icqplugin-6.xml
[2009.02.24 17:48:18 | 00,000,950 | ---- | M] () -- C:\Documents and Settings\Malechovi\Data aplikací\Mozilla\Firefox\Profiles\nfr3vpvw.default\searchplugins\icqplugin-5.xml
O2 - BHO: (QIPBHO Class) - {95289393-33EA-4F8D-B952-483415B9C955} - C:\Documents and Settings\Malechovi\Data aplikací\Microsoft\Internet Explorer\qipsearchbar.dll (qip.ru)
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
O3 - HKU\S-1-5-21-1409082233-1454471165-1417001333-1003\..\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
O3 - HKU\S-1-5-21-1409082233-1454471165-1417001333-1003\..\Toolbar\WebBrowser: (no name) - {855F3B16-6D32-4FE6-8A56-BBB695989046} - No CLSID value found.
O3 - HKU\S-1-5-21-1409082233-1454471165-1417001333-1003\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
O3 - HKU\S-1-5-21-1409082233-1454471165-1417001333-1003\..\Toolbar\WebBrowser: (no name) - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No CLSID value found.
O3 - HKU\S-1-5-21-1409082233-1454471165-1417001333-1003\..\Toolbar\WebBrowser: (no name) - {FE063DB9-4EC0-403E-8DD8-394C54984B2C} - No CLSID value found.
O4 - HKU\S-1-5-21-1409082233-1454471165-1417001333-1003..\Run: [AdobeBridge] File not found
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shoc ... wflash.cab (Shockwave Flash Object)
O33 - MountPoints2\{97f32c5a-df2b-11dc-9120-0015f21e773b}\Shell\AutoRun\command - "" = I:\kmj.exe -- File not found
O33 - MountPoints2\{97f32c5a-df2b-11dc-9120-0015f21e773b}\Shell\open\Command - "" = I:\kmj.exe -- File not found
[46 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[39 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

:files
C:\Documents and Settings\Malechovi\Data aplikací\ICQ Toolbar
C:\Documents and Settings\Malechovi\Data aplikací\Search Settings

:commands
[reboot]

Klikni na "Run Fix". Program zacne pracovat, mozny je restart PC. Po nom by sa ti mal objavit log, ten by som rad videl.


2) Napichaj do PC vsetky USB, flashky a podobne pouzivane veci...

Stiahni USBFix. Ukonci vsetky spustene veci a spust program. Vyber jazyk - v pripade anglictiny stlac E -> Enter. Dostanes do dalsieho menu. V nom stlac 2 -> Enter. Zacne sa scan, nezasahuj donho. Mozny je restart PC. Vytvoreny log najdes na "C:\UsbFix.txt", vloz ho sem.

[Grysom]