SafeGroup
[split] Page with a trojan - Printable version




[split] Page with a trojan - p!otr@$ - 23.01.2009

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:17:14, on 2009-01-23
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\cFosSpeed\spd.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\A4Tech\Mouse\Amoumain.exe
C:\Program Files\RivaTuner v2.20\Tools\RivaTunerStatisticsServer\RivaTunerStatisticsServer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\skype\Phone\Skype.exe
D:\Gadu-Gadu\gg.exe
D:\Xfire\Xfire.exe
D:\skype\Plugin Manager\skypePM.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://o2.pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - D:\skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.20\RivaTuner.exe" /T
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.20\RivaTuner.exe" /S
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [RivaTunerStatisticsServer] "C:\Program Files\RivaTuner v2.20\Tools\RivaTunerStatisticsServer\RivaTunerStatisticsServer.exe" /s
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\piotras\USTAWI~1\Temp\IXP000.TMP\"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "D:\skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Gadu-Gadu\gg.exe" /tray
O4 - Startup: Xfire.lnk = D:\Xfire\Xfire.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Pobierz plik wideo we Free Download Manager - file://D:\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Pobierz w Free Download Manager - file://D:\Free Download Manager\dllink.htm
O8 - Extra context menu item: Pobierz wszystkie pliki w Free Download Manager - file://D:\Free Download Manager\dlall.htm
O8 - Extra context menu item: Pobierz zaznaczone w Free Download Manager - file://D:\Free Download Manager\dlselected.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - D:\skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\OFFICE~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232362268015
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232616251484
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 7109 bytes

Sorry, but I downloaded that exe and Avira didn't react; there's a strange entry in the log, I don't know whether it was left over after the XP update?
The O4 entry with the temp file at the end cannot be removed.
I deleted the file from the disk right away, I didn't even run it.


Re: [split] Page with a trojan - adam_993 - 23.01.2009

Code:
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\piotras\USTAWI~1\Temp\IXP000.TMP\"

This one? Download ComboFix and make a log. Disable the antivirus for that time and don't click anything.
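As an added example (not from the thread or any of its posters), a small Python triage helper for HijackThis O4 lines of the kind quoted above: it parses the hive, key, entry name and command, and flags entries that are RunOnce, that reference a temporary directory, or that match the wextract_cleanup / DelNodeRunDLL32 shape the IExpress self-extractor leaves behind. The sample log lines are constructed, modelled on the entries in the first post.

```python
import re

# Constructed sample, modelled on O4 lines from the HijackThis log above.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [avgnt] "C:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\avgnt.exe" /min
O4 - HKLM\\..\\RunOnce: [wextract_cleanup0] rundll32.exe C:\\WINDOWS\\system32\\advpack.dll,DelNodeRunDLL32 "C:\\DOCUME~1\\piotras\\USTAWI~1\\Temp\\IXP000.TMP\\"
O4 - HKCU\\..\\Run: [Skype] "D:\\skype\\Phone\\Skype.exe" /nosplash /minimized
O4 - Startup: Xfire.lnk = D:\\Xfire\\Xfire.exe
"""

# Registry-based O4 entries: "O4 - <hive>\..\<key>: [<name>] <command>"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)
# Anything that points into a Temp folder or an IExpress IXPnnn.TMP extraction dir.
TEMP_RE = re.compile(r'\\Temp\\|\\IXP\d{3}\.TMP', re.IGNORECASE)


def parse_o4(line):
    """Return a dict with hive/key/name/cmd, or None for non-registry O4 lines."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def assess(entry):
    """List the reasons an analyst should look twice at this autorun entry."""
    reasons = []
    if entry['key'].lower() == 'runonce':
        reasons.append('RunOnce: executes once at next logon, then the value is deleted')
    if TEMP_RE.search(entry['cmd']):
        reasons.append('command references a temporary directory')
    if (entry['name'].lower().startswith('wextract_cleanup')
            and 'DelNodeRunDLL32' in entry['cmd']):
        reasons.append('IExpress self-extractor cleanup pattern '
                       '(usually benign; confirm which package created it)')
    return reasons


def triage(log_text):
    """Parse every registry O4 line and pair its name with its review reasons."""
    results = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry:
            results.append((entry['name'], assess(entry)))
    return results


if __name__ == '__main__':
    for name, reasons in triage(SAMPLE_LOG):
        print(name, '->', reasons or 'nothing notable')
```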


Re: [split] Page with a trojan - polak900 - 13.11.2011

The analysis by the Avira lab that I promised in another post:

Dear Sir or Madam,

Thank you for your email to Avira's virus lab.
Tracking number: INC00251465.


A listing of files alongside their results can be found below:

File ID     Filename     Size (Byte)   Result
25240488    install.exe  62.53 KB      MALWARE

Please find a detailed report concerning each individual sample below:

Filename     Result
install.exe  MALWARE

The file 'install.exe' has been determined to be 'MALWARE'. Our analysts discovered that the file is a Trojan. In general this kind of program contains harmful functionality called a payload. Detection will be added to our virus definition file (VDF) with one of the next updates.