...trojans on my head...

  • This topic is locked
31 replies to this topic

#1
Nicanor

    S t a l k e r

  • Group: Senior Members
  • Posts: 3,326
  • Joined: 13.03.2003
Infected Exploit.ADODB.Stream.C
Infected VBS.Trojan.Psyme.W
Infected Trojan.Downloader.Small.KR

...that's roughly what BitDefender tells me, without doing anything about them. I also ran Ad-Aware and Spybot. As for the noticeable effects: on the internet it automatically sends me to a site, and opening Explorer takes me 1 minute.

I managed to put the last one in quarantine and delete it (or did I?)...


here is the log too
C:IBMTOOLSAPPSNORTONAVSUPPORTNAVTOOLSREPAIRKILL_CIH.EXE Suspect Win95.FileInfector
C:IBMTOOLSAPPSNORTONAVSUPPORTNAVTOOLSREPAIRKILL_CIH.EXE Disinfection failed
C:IBMTOOLSAPPSNORTONAVSUPPORTNAVTOOLSREPAIRKILL_CIH.EXE Moved
C:WINNTmsxmidi.exe Infected Trojan.Downloader.Small.KR
C:WINNTmsxmidi.exe Disinfection failed
C:WINNTmsxmidi.exe Moved
C:Documents and SettingsciprianLocal SettingsTemporary Internet FilesContent.IE5I98JM1I5exploit[1].chm=>/exploit.htm Infected VBS.Trojan.Psyme.W
C:Documents and SettingsciprianLocal SettingsTemporary Internet FilesContent.IE5I98JM1I5exploit[1].chm=>/exploit.htm Disinfection failed
C:Documents and SettingsciprianLocal SettingsTemporary Internet FilesContent.IE5I98JM1I5exploit[1].chm=>/exploit.htm Move failed
C:Documents and SettingsciprianLocal SettingsTemporary Internet FilesContent.IE5WPER0D6Fonline[1].chm=>/1.htm Infected Exploit.ADODB.Stream.C
C:Documents and SettingsciprianLocal SettingsTemporary Internet FilesContent.IE5WPER0D6Fonline[1].chm=>/1.htm Disinfection failed
C:Documents and SettingsciprianLocal SettingsTemporary Internet FilesContent.IE5WPER0D6Fonline[1].chm=>/1.htm Move failed
Scanned files

#2
Daisuke

    Moderator

  • Group: Senior Members
  • Posts: 2,173
  • Joined: 19.01.2004
MsxMidi (Hijacker & Dropper) is to blame for Internet Explorer's slowness.

Close Internet Explorer.
Empty the temporary files in MSIE:
In "Start" => "Run" type "cleanmgr" (without the quotes). Press OK and in the window that appears tick these two:
- Temporary Internet Files
- Temporary Files

Run an online disinfection at TrendMicro: http://housecall.trendmicro.com/
If you still have problems, let us know.

#3
Anakyn13

    Junior Member

  • Group: Members
  • Posts: 87
  • Joined: 04.05.2002
Have you tried deleting Temporary Internet Files? That is exactly where it finds them. If some files can't be deleted, try from Safe Mode.

And try scanning with CWShredder too.

#4
Daisuke

    Moderator

  • Group: Senior Members
  • Posts: 2,173
  • Joined: 19.01.2004
Anakyn13, CWShredder is used only for the CoolWebSearch parasite.

#5
Nicanor

    S t a l k e r

  • Group: Senior Members
  • Posts: 3,326
  • Joined: 13.03.2003
I had already cleared the temporary files, the cookies and even the history from Internet Explorer/Tools. I deleted them in Safe Mode too.
I have now also done it from Run, and I'm trying that site as well, although I don't think the proxy will let me. I'll be back...

#6
Daisuke

    Moderator

  • Group: Senior Members
  • Posts: 2,173
  • Joined: 19.01.2004
For the ADODB exploit there is a patch and a workaround.

Critical Patch Available for ADODB Vulnerability

How to disable the ADODB.Stream object from Internet Explorer

#7
Nicanor

    S t a l k e r

  • Group: Senior Members
  • Posts: 3,326
  • Joined: 13.03.2003
...I re-scanned with BitDefender. It found nothing!!??
Same problem on the internet though: it opens slowly and automatically on the same page, no matter what I set.
I have no idea why Psyme or ADODB no longer showed up; yesterday the system engineer struggled with it and didn't manage to do anything. I'll give it another scan ...

#8
Daisuke

    Moderator

  • Group: Senior Members
  • Posts: 2,173
  • Joined: 19.01.2004
Maybe post an HJT log if you can't get to the bottom of it.

HijackThis! Download

#9
Nicanor

    S t a l k e r

  • Group: Senior Members
  • Posts: 3,326
  • Joined: 13.03.2003
...that's about it, BitDefender says everything is clean.
But the effects remain, i.e. Explorer and Internet Explorer open slowly, and Internet Explorer opens on the same page regardless of the settings (the irony: the page tells you that your PC is infected and that you have to download from them...)


Logfile of HiJackThis v1.98.2
Scan saved at 08:26:08, on 26.08.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:WINNTSystem32smss.exe
C:WINNTsystem32winlogon.exe
C:WINNTsystem32services.exe
C:WINNTsystem32lsass.exe
C:WINNTsystem32svchost.exe
C:WINNTsystem32spoolsv.exe
C:WINNTsystem32crypserv.exe
C:WINNTSystem32svchost.exe
C:WINNTrunservice.exe
C:WINNTSystem32NMSSvc.exe
C:WINNTSystem32nvsvc32.exe
C:WINNTsystem32regsvc.exe
C:WINNTsystem32MSTask.exe
C:WINNTsystem32stisvc.exe
C:WINNTSystem32WBEMWinMgmt.exe
C:WINNTSystem32mspmspsv.exe
C:WINNTsystem32svchost.exe
C:Program FilesCommon FilesSoftwinBitDefender Communicatorxcommsvr.exe
C:Program FilesCommon FilesSoftwinBitDefender Local Managerbdlm.exe
C:Program FilesCommon FilesSoftwinBitDefender Scan Serverbdss.exe
C:Program FilesSoftwinBitDefender Standard Editionvsserv.exe
C:WINNTExplorer.EXE
C:WINNTsystem32Smtray.exe
C:WINNTsystem32internat.exe
C:Program FilesMicrosoft OfficeOfficeOSA.EXE
C:PROGRAM FILESIBMCLIENT ACCESSEMULATORpcsws.exe
C:PROGRAM FILESIBMCLIENT ACCESSEMULATORPCSCM.EXE
C:PROGRA~1IBMCLIENT~1cwblmsrv.exe
C:PROGRAM FILESIBMCLIENT ACCESSEMULATORpcsws.exe
C:PROGRAM FILESIBMCLIENT ACCESSEMULATORpcsws.exe
C:Program FilesInternet ExplorerIEXPLORE.EXE
C:Program FilesSoftwinBitDefender Standard Editionbdmcon.exe
C:Documents and SettingsciprianDesktophijackthisHijackThis.exe

R1 - HKCUSoftwareMicrosoftInternet Explorer,Search = http://bigbr.cc (obfuscated)
R1 - HKCUSoftwareMicrosoftInternet Explorer,SearchURL = http://bigbr.cc (obfuscated)
R1 - HKLMSoftwareMicrosoftInternet Explorer,Search = http://bigbr.cc (obfuscated)
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://bigbr.cc (obfuscated)
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://bigbr.cc (obfuscated)
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = file://C:DOCUME~1ciprianLOCALS~1Tempsp.html
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = file://C:DOCUME~1ciprianLOCALS~1Tempsp.html
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://lookfor.cc?pin=29126
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://bigbr.cc (obfuscated)
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Bar = file://C:DOCUME~1ciprianLOCALS~1Tempsp.html
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = file://C:DOCUME~1ciprianLOCALS~1Tempsp.html
R1 - HKCUSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = file://C:DOCUME~1ciprianLOCALS~1Tempsp.html
R1 - HKCUSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch = http://bigbr.cc (obfuscated)
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = file://C:DOCUME~1ciprianLOCALS~1Tempsp.html
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch = http://bigbr.cc (obfuscated)
R1 - HKCUSoftwareMicrosoftInternet ExplorerSearchURL,(Default) = about:blank
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,HomeOldSP = about:blank
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,HomeOldSP = about:blank
R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings
F3 - REG:win.ini: run=C:WINNTsystem32serviceswmplayer.exe
O1 - Hosts: xxx.xxx.xxx.xxx PROD
O1 - Hosts: xxx.xxx.xxx.xxx BACKUP
O1 - Hosts: xxx.xxx.xxx.xxx BRASOV
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesAdobeAcrobat 5.0ReaderActiveXAcroIEHelper.ocx
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:PROGRA~1SPYBOT~1SDHelper.dll
O2 - BHO: (no name) - {A66A3E46-E099-4E8A-AF8D-8C7E8003DC55} - C:WINNTsystem32bemjp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:WINNTSystem32msdxm.ocx
O4 - HKLM..Run: [NvCplDaemon] RUNDLL32.EXE C:WINNTSystem32NvCpl.dll,NvStartup
O4 - HKLM..Run: [tourpath] regedit /s c:winnttour.reg
O4 - HKLM..Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM..Run: [Client Access Service] "C:Program FilesIBMClient AccessCwbSvStr.Exe"
O4 - HKLM..Run: [Client Access Help Update] "C:Program FilesIBMClient Accesscwbinhlp.exe"
O4 - HKLM..Run: [Client Access Check Version] "C:Program FilesIBMClient Accesscwbckver.exe" LOGIN
O4 - HKLM..Run: [nwiz] nwiz.exe /install
O4 - HKLM..Run: [Smapp] Smtray.exe
O4 - HKLM..Run: [timerecorder.exe] C:Program Files2UTimeRecordertimerecorder.exe
O4 - HKLM..Run: [SpeedyPDF] C:Program FilesSpeedyPDFspdfload.exe
O4 - HKLM..Run: [xpsystem] C:WINNTsystem32serviceswmplayer.exe
O4 - HKLM..Run: [BDSwitchAgent] C:Program FilesSoftwinBitDefender Standard Editionbdswitch.exe
O4 - HKCU..Run: [internat.exe] internat.exe
O4 - HKCU..Run: [xpsystem] C:WINNTsystem32serviceswmplayer.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Office Startup.lnk = C:Program FilesMicrosoft OfficeOfficeOSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:Program FilesMicrosoft OfficeOfficeFINDFAST.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:Program FilesCommon FilesAdobeCalibrationAdobe Gamma Loader.exe
O8 - Extra context menu item: Save Flash - res://C:Program FilesUnH SolutionsFlash Saving PluginFlashSButton.dll/210
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - (no file) (HKCU)
O12 - Plugin for .mov: C:Program FilesInternet ExplorerPLUGINSnpqtplugin.dll
O12 - Plugin for .spop: C:Program FilesInternet ExplorerPluginsNPDocBox.dll
O13 - Home Prefix: http://%62%69%67%62%72%2E%63%63?error=
O13 - Mosaic Prefix: http://%62%69%67%62%72%2E%63%63?error=
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: {10000030-1000-0000-1000-000000000000} - its:mhtml:file://c:MAIN.MHT!http://zloeboogle.bi...id=3301::/x.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:RecycledQ330995.exe
O16 - DPF: {11311111-1111-1111-1111-11111121115F} - file://C:RecycledQ383301.exe
O16 - DPF: {93B52CD5-EDFF-4405-8975-754100710FD5} (GameLauncher Control) - http://www.linkmania...amelauncher.cab
O18 - Filter: text/html - {2C67D7A0-EB0E-4635-839C-98CAB9438541} - C:WINNTsystem32bemjp.dll
O18 - Filter: text/plain - {2C67D7A0-EB0E-4635-839C-98CAB9438541} - C:WINNTsystem32bemjp.dll

#10
Daisuke

    Moderator

  • Group: Senior Members
  • Posts: 2,173
  • Joined: 19.01.2004
Anakyn13 had a premonition ;).
Still, I don't recommend CWShredder unless the parasite has been identified correctly. CWShredder can also do harm.

Download CWShredder
Run it and press Fix (not Scan). Reboot and post a new log so we can see whether it manages to remove it and whether anything is left.
BitDefender can't remove this; I don't even know whether it identifies it.

If CWShredder doesn't seem to work, download the CoolWebSearch.Smartkiller (v1/v2) Miniremoval Tool, run that first, and CWShredder should work normally after that.

#11
Nicanor

    S t a l k e r

  • Group: Senior Members
  • Posts: 3,326
  • Joined: 13.03.2003
...here's what Shredder says:

Attached Files

  • Attached File qq.jpg 10.25K 28 downloads


#12
Daisuke

    Moderator

  • Group: Senior Members
  • Posts: 2,173
  • Joined: 19.01.2004
Is this from today? If it is from today, please post a new HJT log. I get to work around 9.30 and will pick it up from there.

#13
Nicanor

    S t a l k e r

  • Group: Senior Members
  • Posts: 3,326
  • Joined: 13.03.2003
...and it says I should reinstall Media Player. I'm afraid Media Player's trouble comes from the latest acemegacodec (without which I couldn't open Troy).

#14
Daisuke

    Moderator

  • Group: Senior Members
  • Posts: 2,173
  • Joined: 19.01.2004
Don't reinstall anything yet, until the HJT log is clean. Try not to browse the net if possible. If you have used CWShredder now, please post a new HJT log.

#15
Nicanor

    S t a l k e r

  • Group: Senior Members
  • Posts: 3,326
  • Joined: 13.03.2003
...I rebooted. It says I no longer have Media Player; something was deleted in the registry. Same effects, and here is the log:

Logfile of HiJackThis v1.98.2
Scan saved at 09:03:42, on 26.08.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:WINNTSystem32smss.exe
C:WINNTsystem32winlogon.exe
C:WINNTsystem32services.exe
C:WINNTsystem32lsass.exe
C:WINNTsystem32svchost.exe
C:WINNTsystem32spoolsv.exe
C:WINNTsystem32crypserv.exe
C:WINNTSystem32svchost.exe
C:WINNTrunservice.exe
C:WINNTSystem32NMSSvc.exe
C:WINNTSystem32nvsvc32.exe
C:WINNTsystem32regsvc.exe
C:WINNTsystem32MSTask.exe
C:WINNTsystem32stisvc.exe
C:WINNTSystem32WBEMWinMgmt.exe
C:WINNTSystem32mspmspsv.exe
C:WINNTsystem32svchost.exe
C:Program FilesCommon FilesSoftwinBitDefender Communicatorxcommsvr.exe
C:Program FilesCommon FilesSoftwinBitDefender Local Managerbdlm.exe
C:Program FilesCommon FilesSoftwinBitDefender Scan Serverbdss.exe
C:Program FilesSoftwinBitDefender Standard Editionvsserv.exe
C:WINNTExplorer.EXE
C:WINNTsystem32Smtray.exe
C:WINNTsystem32internat.exe
C:Program FilesMicrosoft OfficeOfficeOSA.EXE
C:WINNTsystem32taskmgr.exe
C:Program FilesInternet ExplorerIEXPLORE.EXE
C:Documents and SettingsciprianDesktophijackthisHijackThis.exe

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = file://C:DOCUME~1ciprianLOCALS~1Tempsp.html
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = file://C:DOCUME~1ciprianLOCALS~1Tempsp.html
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Bar = file://C:DOCUME~1ciprianLOCALS~1Tempsp.html
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = file://C:DOCUME~1ciprianLOCALS~1Tempsp.html
R1 - HKCUSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = file://C:DOCUME~1ciprianLOCALS~1Tempsp.html
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = file://C:DOCUME~1ciprianLOCALS~1Tempsp.html
R1 - HKCUSoftwareMicrosoftInternet ExplorerSearchURL,(Default) = about:blank
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,HomeOldSP = about:blank
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,HomeOldSP = about:blank
R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,F3 - REG:win.ini: run=C:WINNTsystem32serviceswmplayer.exe
O1 - Hosts: xxx.xxx.xxx.xxx PROD
O1 - Hosts: xxx.xxx.xxx.xxx BACKUP
O1 - Hosts: xxx.xxx.xxx.xxx BRASOV
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesAdobeAcrobat 5.0ReaderActiveXAcroIEHelper.ocx
O2 - BHO: (no name) - {1D209094-9986-4267-8BD2-B7BEDADFDE59} - C:WINNTsystem32bemjp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:PROGRA~1SPYBOT~1SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:WINNTSystem32msdxm.ocx
O4 - HKLM..Run: [NvCplDaemon] RUNDLL32.EXE C:WINNTSystem32NvCpl.dll,NvStartup
O4 - HKLM..Run: [tourpath] regedit /s c:winnttour.reg
O4 - HKLM..Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM..Run: [Client Access Service] "C:Program FilesIBMClient AccessCwbSvStr.Exe"
O4 - HKLM..Run: [Client Access Help Update] "C:Program FilesIBMClient Accesscwbinhlp.exe"
O4 - HKLM..Run: [Client Access Check Version] "C:Program FilesIBMClient Accesscwbckver.exe" LOGIN
O4 - HKLM..Run: [nwiz] nwiz.exe /install
O4 - HKLM..Run: [Smapp] Smtray.exe
O4 - HKLM..Run: [timerecorder.exe] C:Program Files2UTimeRecordertimerecorder.exe
O4 - HKLM..Run: [SpeedyPDF] C:Program FilesSpeedyPDFspdfload.exe
O4 - HKLM..Run: [BDSwitchAgent] C:Program FilesSoftwinBitDefender Standard Editionbdswitch.exe
O4 - HKCU..Run: [internat.exe] internat.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Office Startup.lnk = C:Program FilesMicrosoft OfficeOfficeOSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:Program FilesMicrosoft OfficeOfficeFINDFAST.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:Program FilesCommon FilesAdobeCalibrationAdobe Gamma Loader.exe
O8 - Extra context menu item: Save Flash - res://C:Program FilesUnH SolutionsFlash Saving PluginFlashSButton.dll/210
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - (no file) (HKCU)
O12 - Plugin for .mov: C:Program FilesInternet ExplorerPLUGINSnpqtplugin.dll
O12 - Plugin for .spop: C:Program FilesInternet ExplorerPluginsNPDocBox.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: {10000030-1000-0000-1000-000000000000} - its:mhtml:file://c:MAIN.MHT!http://zloeboogle.bi...id=3301::/x.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:RecycledQ330995.exe
O16 - DPF: {11311111-1111-1111-1111-11111121115F} - file://C:RecycledQ383301.exe
O16 - DPF: {93B52CD5-EDFF-4405-8975-754100710FD5} (GameLauncher Control) - http://www.linkmania...amelauncher.cab
O18 - Filter: text/html - {D920B216-40E0-4E90-A698-6AE0A9D9519C} - C:WINNTsystem32bemjp.dll
O18 - Filter: text/plain - {D920B216-40E0-4E90-A698-6AE0A9D9519C} - C:WINNTsystem32bemjp.dll

#16
Daisuke

    Moderator

  • Group: Senior Members
  • Posts: 2,173
  • Joined: 19.01.2004
OK, now it has become clearer what this is. Does your admin know what you are doing? Do you have administrator rights on the workstation? Can you get into Safe Mode?

#17
Nicanor

    S t a l k e r

  • Group: Senior Members
  • Posts: 3,326
  • Joined: 13.03.2003
...I have admin rights.

#18
Daisuke

    Moderator

  • Group: Senior Members
  • Posts: 2,173
  • Joined: 19.01.2004
OK, let's first remove W32.Agabot. Please tell your admin that you had this worm. It may be on other workstations too.

Print these instructions.

A. Enter Safe Mode (F8 method)
1. Close all open programs.
2. Click Restart, and then click OK.
3. Watch the screen while it is still black. When you see the black-and-white Starting Windows bar at the bottom of the screen, start tapping the F8 key on your keyboard. The Windows 2000 Advanced Options Menu appears.
4. Ensure that the Safe mode option is selected. In most cases, it is the first item in the list and is selected by default. (If it is not selected, use the arrow keys on your keyboard to select it.)
5. Press Enter. The computer will start in Safe mode. This can take a few minutes.

B. Open HijackThis and tick this:
F3 - REG:win.ini: run=C:\WINNT\system32\services\wmplayer.exe
Press FIX. Close HJT.

C. Make sure hidden files are visible:
# Double-click My Computer.
# Click the Tools menu, and then click Folder Options.
# Click the View tab.
# Clear "Hide file extensions for known file types."
# Under the "Hidden files" folder, select "Show hidden files and folders."
# Clear "Hide protected operating system files."
# Click Apply, and then click OK.

D. Press CTRL-ALT-DEL and stop the wmplayer.exe process if you find it in Task Manager.

E. Find and delete this file:
C:\WINNT\system32\services\wmplayer.exe <-- this file

6. Start --> Run --> type REGEDIT, press OK
Look for:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Media Player = wmplayer.exe
and
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Windows Media Player = wmplayer.exe

In the right-hand pane, delete the keys: Windows Media Player = wmplayer.exe

F. REBOOT normally and post a new HJT log.
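
Added example (not part of the original thread): a small Python script that compares two HijackThis logs the way the helper does by eye between posts #9 and #15, and again when a new log is requested after the manual removal. It decodes percent-encoded URLs such as the O13 prefix and ignores the CLSID when matching entries, because the bemjp.dll entries carry different CLSIDs in the two logs above. The function names and the shortened sample logs are constructed for illustration; paths are copied as printed in those logs.

```python
import re
from urllib.parse import unquote

# Constructed sample: a few entries copied from the logs in posts #9 and #15
# (paths as printed there), not the complete logs.
LOG_POST_9 = """\
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://bigbr.cc (obfuscated)
F3 - REG:win.ini: run=C:WINNTsystem32serviceswmplayer.exe
O2 - BHO: (no name) - {A66A3E46-E099-4E8A-AF8D-8C7E8003DC55} - C:WINNTsystem32bemjp.dll
O4 - HKLM..Run: [xpsystem] C:WINNTsystem32serviceswmplayer.exe
O13 - Home Prefix: http://%62%69%67%62%72%2E%63%63?error=
O15 - Trusted Zone: *.searchmiracle.com
O18 - Filter: text/html - {2C67D7A0-EB0E-4635-839C-98CAB9438541} - C:WINNTsystem32bemjp.dll
"""
LOG_POST_15 = """\
F3 - REG:win.ini: run=C:WINNTsystem32serviceswmplayer.exe
O2 - BHO: (no name) - {1D209094-9986-4267-8BD2-B7BEDADFDE59} - C:WINNTsystem32bemjp.dll
O15 - Trusted Zone: *.searchmiracle.com
O18 - Filter: text/html - {D920B216-40E0-4E90-A698-6AE0A9D9519C} - C:WINNTsystem32bemjp.dll
"""

# An entry line starts with a section code (R0, F3, O18, ...) and " - ".
ENTRY = re.compile(r"^([RFO]\d+) - (.*)$")
GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse(log):
    """Return (section, detail) for every entry line; other lines are skipped."""
    entries = []
    for line in log.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            # unquote() turns %62%69%67... into readable text so an encoded
            # URL compares equal to its plain form.
            entries.append((match.group(1), unquote(match.group(2))))
    return entries


def stable_key(entry):
    """Key that ignores the CLSID, so the same DLL under a new CLSID matches."""
    section, detail = entry
    return section, GUID.sub("{*}", detail)


def compare(before, after):
    """Split entries into removed, persisting and new between two logs."""
    old = {stable_key(e) for e in parse(before)}
    new = {stable_key(e) for e in parse(after)}
    return {
        "removed": sorted(old - new),
        "persisting": sorted(old & new),
        "new": sorted(new - old),
    }


if __name__ == "__main__":
    for status, items in compare(LOG_POST_9, LOG_POST_15).items():
        for section, detail in items:
            print(f"{status:10} {section:4} {detail}")
```

A plain line-by-line diff would report the bemjp.dll BHO and filter as removed and re-added; matching on section and file shows they were still present after the CWShredder run.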
