MyCity » Ambulanta -> Arhiva Ambulante » Worm.win32.autorun.cex

Worm.win32.autorun.cex

Napisano na dan: 28.1.2008

Worm.win32.autorun.cex
Sledeća strana Pagination

Idi na vrh

Poslao: 28 Jan 2008 20:06
Idi na vrh
offline
  • Pridružio: 28 Jan 2008
  • Poruke: 17

Kaspersky AV 7 ga tako detektuje.
Nije mi antrivirusni bio updateovan (ni na jednom od racunara) i pokupio sam ovaj virus od kolege i preneo na drugi racunar. Primjetio sam ga slucajno - Ubacio USB memoriju i video autorun.inf - pomislih ostatak od cuvenog "Adobe_R.exe", posto sam zurio rekoh obriscau ga kasnije, sledeci put kad sam otvorio USB vidim da kao da ima manje fajlova nego prethodni put i shvatim da se nevide sistemski i skriveni fajlovi, pokusam ukljuciti da se vide, i racunar samo vraca na default postavke (da se ne vide).

Odmah je u rutu svakog diska (particije) presnimio svoj fajlove (autorun.inf i xo8wr9.exe)

Uspio sam iz command prompta izbrisati te fajlove i nakon toga skenirao sam komp sa kasperskim i on je izbrisao jos nekoliko fajlova iz system32, tako da kasperski ne pronalazi nista sumnjivo, ali i dalje ostaje problem sa hidden files (kada podesim show hidden files and folders i iskljucim hide protected system file.... on to vrati kako je bilo)

SpyBot S&D je nasao samo neke cookie, nakon toga AdAware2007 nista.

Fajlovi koje je kasperski detektovao (i obraisao) su bili zarazeni virusom "worm.win32.autorun.XXX" (ovo XXX je uglavnom razlicito od fajla do fajla - .cex .bvz).
Na viruslist vidim da je ovaj virus dodat prije nekoliko dana i nema opisa.

Sta raditi? (prvenstveno da uspijem ukljuciti ovo sa skrivenim fajlovima)

Hijackthis Log je
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:00:19 PM, on 1/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Free Download Manager\FUM\fumoei.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\CCP Server 5\ccpsrv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Reaktor\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.live.com/results.aspx?FORM=DNSAS&q=flu.bg.ac.rs
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://workgroup/
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Free Uploader Oe Integration] C:\Program Files\Free Download Manager\FUM\fumoei.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: CyberCaféPro Main Control Station 5.lnk = C:\Program Files\CCP Server 5\ccpsrv.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\Program Files\Free Download Manager\FUM\fumiebtn.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{950CC0E6-1928-4189-9EEF-CDBD952011BA}: NameServer = 217.23.192.9,217.23.192.14
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 8333 bytes

Poslao: 28 Jan 2008 20:15
Idi na vrh
offline
  • Pridružio: 04 Sep 2003
  • Poruke: 24135
  • Gde živiš: Wien

Iskljuci TeaTimer dok podesavas to o vidljivosti fajlova.

Ukoliko to ne pomogne, onda idemo na sledece:
Preuzmi program Flash_Disinfector.

program se pokreće dvoklikom na Flash_Disinfector.exe
kada se pojavi poruka sa obaveštenjem, potrebno je priključiti inficirane USB flash drive-ove (pri tome držati pritisnut taster Shift kako bi se izbegao autoplay)
kliknuti na OK i sačekati da se proces završi
kada se pojavi poruka Done !!, kliknuti na OK.


Dopuna: 28 Jan 2008 20:15

Evo kako se iskljucuje Tea Timer:


Pokrenite Spybot S&D
Kliknite Mode stavku u meniju
Odaberite Advance Mode
Na traci levo kliknite na Tools
Kliknite na Resident
Destiklirajte Resident Tea-Timer
Zatvorite Spybot S&D
Restartujte kompjuter.
Nemojte zaboraviti da ponovo ukljucite ove opcije kada zavrsimo ciscenje.


Ukoliko budes koristio Flash Disinfector obavezno iskljuci Tea Timer.

Poslao: 29 Jan 2008 16:06
Idi na vrh
offline
  • Pridružio: 28 Jan 2008
  • Poruke: 17

Uradjeno tako (USB flash je bio od ranije cist). Radi sve OK. Samo da jos jednom skeniram komp i to je to.

Hvala ti.
Pozdrav

Dopuna: 29 Jan 2008 15:39

Evo sada sam vidio da mi je na USB-u i na diskovima napravio file (tacnije folder sa ekstenzijom inf) autorun.inf koji nemoze da se obrise (javlja gresku - this folder was created by flash desinfector) niti ga kasperski moze skenirati (locked). Unutar njega se nalazi neki file "lpt3.This folder was created by Flash_Disinfector".

Pretpostavljam da je to uradjeno preventive radi (da eventualni virusi nebi ubacili svoj autorun.inf). Jesam li u pravu?

U svakom slucaju postoji li nacin i koji je da ipak nekako izbrisem ovaj file (cisto da znam)?

Hvala

Dopuna: 29 Jan 2008 16:06

Uspio sam i izbrisati iz command prompta (samo me interesuje, ako nije OT, zbog cega se nemoze izbrisati iz windowsa - kakav je to fazon, pa ako neko zna neka odgovori, inace tema moze u arhivu).

Poslao: 29 Jan 2008 18:55
Idi na vrh
offline
  • Pridružio: 04 Sep 2003
  • Poruke: 24135
  • Gde živiš: Wien

lpt3 je ime rezervisano za sistemski uredjaj, tj. paralelni port br.3
U ranija vremena, da bi se lakse pristupilo stampacu prikljucenom na paralelni port, napravljeno je da moze da mu se pristupi kao fajlu. Upisom u fajl se ustvari slalo na stampac da odstampa nesto.
U vreme Windowsa, to je zadrzano zarad kompatibilnosti sa DOS programima.
Windows sada, zbog te kompatibilnosti, ne dozvoljava brisanje fajlova koji u imenu imaju LPT (paralelni port), PRN (centroniks port), AUX i NULL. Mozda sam neki izostavio, ali mislim da su svi na broju.

Sto se tog foldera tice, u pravu si, to je bila preventiva da se ne moze vise kreirati taj autorun.inf fajl.
Naime, ukoliko imas fajl nekog imena, onda ne mozes kreirati folder istog imena, i suprotno - ukoliko imas folder nekog imena, onda ne mozes kreirati fajl istog imena.
Ima i par komercijalnih anti-spyware programa koji to rade.

MyCity » Ambulanta -> Arhiva Ambulante » Worm.win32.autorun.cex

Ko je trenutno na forumu
 

Ukupno su 895 korisnika na forumu :: 43 registrovanih, 7 sakrivenih i 845 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: ajo baba, Alexandar-1973, Bokiboks, Boris BM, cavatina, dane007, Dannyboy, DonRumataEstorski, Excalibur13, FOX, ikan, Ivica1102, JOntra, Karla, kolle.the.kid, Komentator, Kubovac, kybonacci, libellule_dk, Litostroton, mikrimaus, milenko crazy north, Misirac, Mlav, mnn2, mocnijogurt, naki011, nebojsag, nemkea71, opt1, ozzy, RJ, Romibrat, royst33, Sirius, slonic_tonic, stegonosa, Trpe Grozni, uruk, vathra, vlajkox, W123, |_MeD_|