Virus Necunoscut De Bitdefender

Buna ziua,


am pc-ul infectat de un virus care BD nu la recunoscut. va postez unele screenshot-uri. Daca aveti nevoie de mai multe detalii, spunetimi.


1.gif


2.gif


3.gif


4.gif


8.gif


5.gif


6.gif


7.gif


astept indicatii pentru al elimina.

Comentarii

  • adaug si log-ul de hijackthis


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11.48.33, on 02/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\File comuni\Acronis\Schedule2\schedul2.exe
    C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\ATKKBService.exe
    C:\Programmi\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Programmi\Raxco\PerfectDisk\PDAgent.exe
    C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
    C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\Programmi\RealVNC\VNC4\WinVNC4.exe
    C:\Programmi\File comuni\BitDefender\BitDefender Communicator\xcommsvr.exe
    C:\Programmi\File comuni\BitDefender\BitDefender Update Service\livesrv.exe
    C:\Programmi\BitDefender\BitDefender 2008\vsserv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\Raxco\PerfectDisk\PDEngine.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
    C:\Programmi\BitDefender\BitDefender 2008\bdagent.exe
    C:\Programmi\Acronis\TrueImageHome\TrueImageMonitor.exe
    C:\Programmi\Acronis\TrueImageHome\TimounterMonitor.exe
    C:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe
    C:\Programmi\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\Logitech\SetPoint\SetPoint.exe
    C:\Programmi\File comuni\Logitech\KhalShared\KHALMNPR.EXE
    C:\Programmi\iPod\bin\iPodService.exe
    C:\Programmi\iTunes\iTunes.exe
    C:\WINDOWS\system32\ujmuvahd.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\msdtc.exe
    C:\WINDOWS\system32\lpislldp.exe
    C:\Programmi\Mozilla Firefox\firefox.exe
    C:\Programmi\Winamp\winamp.exe
    C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Programmi\BitDefender\BitDefender 2008\IEToolbar.dll
    O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\hmaoxnis.dll
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [EPSON Stylus Photo R240 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE /F "C:\WINDOWS\TEMP\E_S6A.tmp" /EF "HKLM"
    O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Programmi\BitDefender\BitDefender 2008\IEShow.exe"
    O4 - HKLM\..\Run: [BDAgent] "C:\Programmi\BitDefender\BitDefender 2008\bdagent.exe"
    O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Programmi\Acronis\TrueImageHome\TrueImageMonitor.exe
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Programmi\Acronis\TrueImageHome\TimounterMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [slide.exe] C:\Programmi\Slide\Slide.exe
    O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Programmi\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmi\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: &Scarica con FlashGet - C:\Programmi\FlashGet\jc_link.htm
    O8 - Extra context menu item: &Scarica tutto con FlashGet - C:\Programmi\FlashGet\jc_all.htm
    O8 - Extra context menu item: Converti destinazione link in Adobe PDF - res://C:\Programmi\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Converti destinazione link in file PDF esistente - res://C:\Programmi\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Converti i link selezionati in Adobe PDF - res://C:\Programmi\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Converti i link selezionati in file PDF esistente - res://C:\Programmi\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Converti in Adobe PDF - res://C:\Programmi\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Converti nel file PDF esistente - res://C:\Programmi\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Converti selezione in Adobe PDF - res://C:\Programmi\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Converti selezione in file PDF esistente - res://C:\Programmi\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programmi\FlashGet\FlashGet.exe
    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programmi\FlashGet\FlashGet.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187202703187
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187538333296
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5A3B2F23-875A-496A-860C-303919A41D6C}: NameServer = 62.94.0.1,212.216.112.222
    O17 - HKLM\System\CS1\Services\Tcpip\..\{5A3B2F23-875A-496A-860C-303919A41D6C}: NameServer = 62.94.0.1,212.216.112.222
    O17 - HKLM\System\CS2\Services\Tcpip\..\{5A3B2F23-875A-496A-860C-303919A41D6C}: NameServer = 62.94.0.1,212.216.112.222
    O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00DE5EB.dat
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programmi\File comuni\Acronis\Schedule2\schedul2.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
    O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Programmi\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
    O23 - Service: DomainService -   - C:\WINDOWS\system32\ujmuvahd.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Programmi\File comuni\BitDefender\BitDefender Update Service\livesrv.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Programmi\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Programmi\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: PDExchange - Raxco Software, Inc. - C:\Programmi\Raxco\PerfectDisk\PDExchange.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Programmi\BitDefender\BitDefender 2008\vsserv.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Programmi\RealVNC\VNC4\WinVNC4.exe
    O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Programmi\File comuni\BitDefender\BitDefender Communicator\xcommsvr.exe

    --
    End of file - 12265 bytes

  • Cesar
    editat decembrie 2007

    o scansionare cu bitdefender (nu imi permite ca sa sterg sau sa mut virusul in carantina):


    9.gif

  • Salut Cesar,


    Intr-adevar, sunt cateva obiecte suspecte in log-ul HijackThis!. Din pacate, nu am timp chiar acum sa ma uit foarte atent pe log-ul tau (o sa ma uit putin mai tarziu, si o sa-ti spun exact ce sa faci).


    Poti sa te uiti in log-ul de scanare al BD si sa postezi calea catre fisierele infectate (eventual si din ce cauza nu se poate lua nicio masura impotriva lor)?


    Cris.

  • a mai iesit si asta... -_-


    13.gif

  • alexcrist
    editat decembrie 2007

    In HijackThis, da fix la urmatoarele (opreste BitDefender, pentru ca s-ar putea sa blocheze accesul la fisiere):


    O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4 832-A2BF-45AF82825583} - C:\WINDOWS\system32\hmaoxnis.dll
    O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00DE5E B.dat
    O23 - Service: DomainService - - C:\WINDOWS\system32\ujmuvahd.exe


    Apoi da un restart la PC si mai fa o Scanare Profunda (Deep Scan, in engleza...nu stiu cum e in italiana) si mai posteaza un log HijackThis!


    Daca BD mai detecteaza ceva, scrie unde anume (nu atasa log-uri de scanare, pentru ca nu am acces la ele...doar BD Virus Analysts au acces la atasamente pe aria asta).


    Cris.


    P.s.: Inainte de a da fix in HJ, verifica daca fisierul C:\WINDOWS\system32\ujmuvahd.exe este detectat de BD. Daca nu, pune-l intr-o arhiva ZIP cu parola infected si atasaz-o la urmatorul tau post, pentru a putea fi analizat si sa i se adauge detectie :)

  • se pare ca nu mai da probleme... :mellow:

  • Cesar
    editat decembrie 2007

    din pacate, se pare ca mai am inca probleme...


    din cand in cand se deschid ferestre de internet explorer cu url diferite.


    une exemplu: ~ Link sters ~


    :(

  • Salut!


    Data viitoarea, te rog scrie linkul intr-un fisier text pe care sa-l atasezi aici; linkurile directe pot fi accesate de oricine, si daca contin malware, pot deveni noi surse de infectie. La fisierele atasate pe aceasta arie avem acces doar noi moderatorii si analistii de virusi.


    In ceea ce priveste problema ta este posibil ca sa mai ai ceva librarie incarcata sub ceva proces, care cauzeaza aceste rele. Ti-am pus pe PM un program care va crea un fisier text, c:\log.txt unde vor fi listate toate procesele care se executa si toate librariile incarcate. Sa imi trimiti acel fisier si ma voi uita peste el, sa incerc gasesc ce nu e in regula.


    Toate cele bune!

    /applications/core/interface/file/attachment.php?id=1127" data-fileid="1127" rel="">link.txt