Worm.win32.autorun.cex

offline
  • Joined: 28 Jan 2008
  • Posts: 17

Kaspersky AV 7 detects it under that name.
My antivirus was not updated (on any of the computers) and I picked this virus up from a colleague and carried it over to another computer. I noticed it by accident: I plugged in a USB stick and saw autorun.inf, thought it was a leftover of the famous "Adobe_R.exe", and since I was in a hurry I told myself I would delete it later. The next time I opened the USB stick it looked as if there were fewer files than before, and I realised that system and hidden files were not being shown. I tried to turn on showing them, and the computer just reverts to the default settings (not shown).

It immediately copied its files (autorun.inf and xo8wr9.exe) into the root of every disk (partition).

I managed to delete those files from the command prompt, and after that I scanned the computer with Kaspersky, which deleted a few more files from system32, so Kaspersky now finds nothing suspicious, but the problem with hidden files remains (when I set "show hidden files and folders" and untick "hide protected operating system files..." it puts it back the way it was).

SpyBot S&D found only some cookies; after that AdAware 2007 found nothing.

The files Kaspersky detected (and deleted) were infected with the virus "worm.win32.autorun.XXX" (the XXX mostly differs from file to file: .cex, .bvz).
On viruslist I see this virus was added a few days ago and has no description.

What should I do? (primarily so that I can turn the hidden files option back on)

HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:00:19 PM, on 1/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Free Download Manager\FUM\fumoei.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\CCP Server 5\ccpsrv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Reaktor\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.live.com/results.aspx?FORM=DNSAS&q=flu.bg.ac.rs
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://workgroup/
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Free Uploader Oe Integration] C:\Program Files\Free Download Manager\FUM\fumoei.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: CyberCaféPro Main Control Station 5.lnk = C:\Program Files\CCP Server 5\ccpsrv.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\Program Files\Free Download Manager\FUM\fumiebtn.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{950CC0E6-1928-4189-9EEF-CDBD952011BA}: NameServer = 217.23.192.9,217.23.192.14
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 8333 bytes
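A triage script for the symptoms described in the post above, added here as an example; it is not part of the original thread and not code from Kaspersky, HijackThis or any other tool mentioned. It lists every autorun.inf found in a drive root together with the executable its open=, shellexecute= or shell\...\command= key points at (xo8wr9.exe in the post), and reads the Explorer registry values behind "Show hidden files and folders" and "Hide protected operating system files". Many autorun worms keep resetting those values, commonly by rewriting SHOWALL\CheckedValue as 0 or as a string instead of a DWORD; whether this particular variant does that is not stated on the page, so the repair function is generic. It assumes Windows PowerShell run as administrator after the worm's process has been stopped, because a worm that is still running will simply reset the values again.

```powershell
# Added example, not code from the thread or from Kaspersky/HijackThis.
# Assumptions: Windows PowerShell, run as administrator, worm process already stopped.

function Get-AutorunTargets {
    # Parse <root>\autorun.inf and return one record per key that launches something.
    param([string]$Root)   # e.g. 'D:\'
    $inf = Join-Path $Root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf -PathType Leaf)) { return @() }
    $found = @()
    # Explorer's INI parser ignores junk lines and autorun worms pad the file with them,
    # so look for the launch keys on any line instead of requiring a clean [autorun] section.
    foreach ($line in (Get-Content -LiteralPath $inf -Force -ErrorAction SilentlyContinue)) {
        if ($line -match '^\s*(open|shellexecute|shell\\[^=\\]+\\command)\s*=\s*(.+?)\s*$') {
            $key   = $Matches[1]
            $value = $Matches[2]
            # First token of the value, quotes removed, is the program; the rest are arguments.
            $exe   = (($value -replace '"', '') -split '\s+')[0]
            $full  = Join-Path $Root $exe
            # -Force is needed because the worm sets Hidden+System on its dropper.
            $item  = Get-Item -LiteralPath $full -Force -ErrorAction SilentlyContinue
            $attrs = 'missing'; $size = 0
            if ($item) { $attrs = $item.Attributes.ToString(); $size = $item.Length }
            $found += [pscustomobject]@{
                Drive = $Root; Key = $key; Target = $full
                Exists = [bool]$item; Attributes = $attrs; SizeBytes = $size
            }
        }
    }
    return $found
}

$AdvancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$ShowAllKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'

function Get-HiddenFileSettings {
    # Hidden: 1 = show hidden files, 2 = do not show. ShowSuperHidden: 1 = show protected OS files.
    # SHOWALL\CheckedValue is what the "Show hidden files" radio button writes into Hidden;
    # the dialog expects a DWORD 1 there, so a 0 or a REG_SZ value makes the setting fall back.
    $adv  = Get-ItemProperty -Path $AdvancedKey -ErrorAction SilentlyContinue
    $key  = Get-Item -Path $ShowAllKey -ErrorAction SilentlyContinue
    $checked = $null; $kind = 'missing'
    if ($key -and ($key.GetValueNames() -contains 'CheckedValue')) {
        $checked = $key.GetValue('CheckedValue')
        $kind    = $key.GetValueKind('CheckedValue').ToString()
    }
    [pscustomobject]@{
        Hidden = $adv.Hidden; ShowSuperHidden = $adv.ShowSuperHidden
        CheckedValue = $checked; CheckedValueKind = $kind
    }
}

function Repair-HiddenFileSettings {
    # Recreate CheckedValue as a DWORD, then set the per-user values to "show".
    # If TeaTimer is still resident it will prompt on every one of these writes.
    Remove-ItemProperty -Path $ShowAllKey -Name CheckedValue -ErrorAction SilentlyContinue
    New-ItemProperty -Path $ShowAllKey -Name CheckedValue -PropertyType DWord -Value 1 | Out-Null
    Set-ItemProperty -Path $AdvancedKey -Name Hidden          -Type DWord -Value 1
    Set-ItemProperty -Path $AdvancedKey -Name ShowSuperHidden -Type DWord -Value 1
    Set-ItemProperty -Path $AdvancedKey -Name HideFileExt     -Type DWord -Value 0   # keep "x.jpg.exe" visible
}

# Usage: walk every drive root that has a letter, then show the current settings.
Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' } |
    ForEach-Object { Get-AutorunTargets -Root $_.Root } | Format-Table -AutoSize
Get-HiddenFileSettings
# Repair-HiddenFileSettings   # run once the dropper is gone and TeaTimer is off
```

Read the table before deleting anything: a Target that Exists with Hidden and System attributes in a drive root, referenced from an autorun.inf in that same root, is exactly the layout the post describes, and the same file name on several drives tells you which partitions still need cleaning.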

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Disable TeaTimer while you change the file visibility settings.

If that doesn't help, then we move on to the following:
Download the program Flash_Disinfector.

the program is started by double-clicking Flash_Disinfector.exe
when the notification message appears, plug in the infected USB flash drives (hold the Shift key down while doing so, to avoid autoplay)
click OK and wait for the process to finish
when the message Done !! appears, click OK.


Update: 28 Jan 2008 20:15

Here is how to disable TeaTimer:


Start Spybot S&D
Click the Mode item in the menu
Choose Advanced Mode
In the bar on the left click Tools
Click Resident
Untick Resident "TeaTimer"
Close Spybot S&D
Restart the computer.

Don't forget to turn these options back on when we finish the cleanup.


If you are going to use Flash Disinfector, make sure you disable TeaTimer.

offline
  • Joined: 28 Jan 2008
  • Posts: 17

Done as described (the USB flash drive was already clean). Everything works OK. Just one more scan of the computer and that's it.

Thank you.
Regards

Update: 29 Jan 2008 15:39

I have now noticed that on the USB stick and on the disks it created a file (more precisely a folder with the extension inf) autorun.inf which cannot be deleted (it reports an error: this folder was created by flash desinfector) and which Kaspersky cannot scan either (locked). Inside it there is some file "lpt3.This folder was created by Flash_Disinfector".

I assume this was done as a precaution (so that any future viruses could not plant their own autorun.inf). Am I right?

In any case, is there a way, and which, to delete this file anyway (just so I know)?

Thanks

Update: 29 Jan 2008 16:06

I managed to delete it from the command prompt as well (I'm just curious, if it's not OT, why it can't be deleted from Windows; what is the trick there, so if anyone knows please answer, otherwise the topic can go to the archive).

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

lpt3 is a name reserved for a system device, i.e. parallel port no. 3.
In earlier times, to make it easier to access a printer connected to the parallel port, it was made accessible as a file. Writing to the file actually sent something to the printer to be printed.
In the Windows era this was kept for compatibility with DOS programs.
Because of that compatibility, Windows now does not allow deleting files that have LPT (parallel port), PRN (Centronics port), AUX and NULL in their name. I may have left some out, but I think that's all of them.

As for that folder, you're right, it was a precaution so that the autorun.inf file can no longer be created.
Namely, if you have a file with some name, you cannot create a folder with the same name, and the other way round: if you have a folder with some name, you cannot create a file with the same name.
There are also a couple of commercial anti-spyware programs that do this.
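The reserved-name trick explained in the reply above, as an added example that is neither the thread's nor Flash_Disinfector's own code. The names Win32 treats as devices regardless of extension are CON, PRN, AUX, NUL, COM1 to COM9 and LPT1 to LPT9 (the reply's "NULL" is NUL): the normal Win32 path parser checks the part of the last component before the first dot, so "lpt3.This folder was created by Flash_Disinfector" is rewritten to the LPT3 device and Explorer can neither open nor delete it. The \\?\ prefix hands the path to the kernel without that normalisation, which is how such an entry gets created and how it gets removed again. The script assumes drive E: is a scratch USB stick, and it runs the \\?\ operations through cmd.exe because the Windows PowerShell file-system provider does not accept that prefix reliably.

```powershell
# Added example, not the thread's or Flash_Disinfector's code.
# Assumptions: drive E: is a scratch USB stick; \\?\ paths are passed to cmd.exe.

$Reserved = @('CON','PRN','AUX','NUL') + @(1..9 | ForEach-Object { "COM$_"; "LPT$_" })

function Test-ReservedName {
    # Win32 looks at the text before the first dot, case-insensitively, trailing
    # spaces ignored, so "lpt3.anything" is LPT3 as far as Explorer is concerned.
    param([string]$Name)
    $base = ($Name -split '\.', 2)[0].TrimEnd(' ')
    return ($Reserved -contains $base.ToUpperInvariant())
}

function Protect-DriveRoot {
    # Replace any autorun.inf *file* with a folder of that name that holds a
    # reserved-name entry; a worm can then neither create nor overwrite autorun.inf.
    param([string]$Drive)            # e.g. 'E:'
    $folder = "$Drive\autorun.inf"
    $guard  = 'lpt3.This folder was created by Flash_Disinfector'
    if (Test-Path -LiteralPath $folder -PathType Leaf) {
        # an existing autorun.inf file is the worm's: clear Hidden/System/ReadOnly, delete it
        cmd /c "attrib -r -s -h `"$folder`"" | Out-Null
        Remove-Item -LiteralPath $folder -Force
    }
    New-Item -Path $folder -ItemType Directory -Force | Out-Null
    # mkdir with the \\?\ prefix skips the device-name rewrite and creates the entry
    # that normal Win32 callers (Explorer, most scanners) cannot touch
    cmd /c "mkdir `"\\?\$folder\$guard`"" | Out-Null
    cmd /c "attrib +r +s +h `"$folder`"" | Out-Null
    return (Test-Path -LiteralPath $folder -PathType Container)
}

function Unprotect-DriveRoot {
    # The same prefix removes it: rd /s walks into the reserved-name entry as well.
    # This is the "from the command prompt" deletion described in the thread.
    param([string]$Drive)
    $folder = "$Drive\autorun.inf"
    cmd /c "attrib -r -s -h `"$folder`"" | Out-Null
    cmd /c "rd /s /q `"\\?\$folder`"" | Out-Null
    return (-not (Test-Path -LiteralPath $folder))
}

Test-ReservedName 'lpt3.This folder was created by Flash_Disinfector'
Test-ReservedName 'autorun.inf'
Protect-DriveRoot   -Drive 'E:'
Unprotect-DriveRoot -Drive 'E:'
```

The protection only covers the autorun.inf vector: an attacker who can already run code on the machine can remove the folder the same way Unprotect-DriveRoot does, and on Windows versions where AutoRun from removable media is disabled the folder is redundant. It is a cheap guard for a stick that travels between unpatched XP machines, nothing more.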
