
View Full Version : I got some problem with spyware and adware



iluvyoukai
13.05.2008, 05:29
Errm, hi, thanks for your time reading this.

I scanned my PC and found some suspicious things, so I think I should get some advice from you experts. Well, actually it doesn't have any symptoms of a virus or problems, except there is some unwanted stuff in my start-up list ~ ... I can't find a name because every time I delete it, it creates another one with another *random* name, for example *crbnnlgne* or similar. I don't know what it is, and I don't know how to kill it; I just don't want to see it anymore. It appears in procexp as "rundll32.exe".

Check my log and tell me what's wrong please, thanks in advance.

I do appreciate this.

Rene-gad
13.05.2008, 10:49
Please fix with HijackThis:

O2 - BHO: (no name) - {40086575-99AF-4361-B0DD-D42127DF0298} - C:\WINDOWS\system32\urstq.dll (file missing)
O2 - BHO: (no name) - {70AB0A8B-8A8A-496F-A339-4CD2F3352991} - C:\WINDOWS\system32\rqrqnkh.dll (file missing)
O20 - Winlogon Notify: rqrqnkh - rqrqnkh.dll (file missing)
Run this script:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
StopService('Fms30');
DeleteService('Fms30');
QuarantineFile('C:\WINDOWS\System32\Drivers\Fms30.sys','');
QuarantineFile('C:\WINDOWS\userinit.exe','');
QuarantineFile('rqrqnkh.dll','');
QuarantineFile('C:\WINDOWS\system32\urstq.dll','');
QuarantineFile('C:\WINDOWS\system32\rqrqnkh.dll','');
DelBHO('{70AB0A8B-8A8A-496F-A339-4CD2F3352991}');
DelBHO('{40086575-99AF-4361-B0DD-D42127DF0298}');
DeleteFile('C:\WINDOWS\system32\rqrqnkh.dll');
DeleteFile('C:\WINDOWS\system32\urstq.dll');
DeleteFile('rqrqnkh.dll');
DeleteFile('C:\WINDOWS\System32\Drivers\Fms30.sys');
BC_ImportDeletedList;
ExecuteSysClean;
ExecuteRepair(13);
BC_Activate;
RebootWindows(true);
end.
After rebooting upload the quarantine (http://virusinfo.info/upload_virus_eng.php?tid=22787) and make the new logs.
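As an added example (not code from this thread or from HijackThis), a small Python triage helper for O2/O20 lines like the three quoted above: it flags nameless BHOs, entries whose file is missing, the same module registered as both a BHO and a Winlogon Notify package, and random-looking module names. The fourth sample line, its name, CLSID and path, is made up for contrast.

```python
import re

# Constructed sample: the three lines quoted above plus one benign-looking BHO line (made-up name, CLSID, path).
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {40086575-99AF-4361-B0DD-D42127DF0298} - C:\WINDOWS\system32\urstq.dll (file missing)
O2 - BHO: (no name) - {70AB0A8B-8A8A-496F-A339-4CD2F3352991} - C:\WINDOWS\system32\rqrqnkh.dll (file missing)
O20 - Winlogon Notify: rqrqnkh - rqrqnkh.dll (file missing)
O2 - BHO: Example Toolbar Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\exhelper.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$")

def parse_hjt(text):
    """Parse O2 (BHO) and O20 (Winlogon Notify) lines; other HijackThis sections are skipped."""
    entries = []
    for line in text.splitlines():
        for kind, rx in (("O2", O2_RE), ("O20", O20_RE)):
            m = rx.match(line.strip())
            if m:
                entries.append({"kind": kind, "name": m["name"], "path": m["path"],
                                "module": m["path"].rsplit("\\", 1)[-1].lower(),
                                "missing": m["missing"] is not None})
    return entries

def looks_random(module):
    """Weak heuristic for generated names such as rqrqnkh: a run of four or more consonants."""
    longest = run = 0
    for ch in module.rsplit(".", 1)[0]:
        run = run + 1 if ch.isalpha() and ch not in "aeiouy" else 0
        longest = max(longest, run)
    return longest >= 4

def assess(entries):
    """Return {module: sorted reasons} for entries that deserve a closer look."""
    reasons = {}
    for e in entries:
        mod = e["module"]
        # One DLL holding two load points (BHO and Winlogon Notify) is the pattern in the log above.
        dual = any(o["module"] == mod and o["kind"] != e["kind"] for o in entries)
        checks = [
            (e["kind"] == "O2" and e["name"] == "(no name)", "BHO registered without a name"),
            (e["missing"], "entry points to a missing file"),
            (dual, "same module as both BHO (O2) and Winlogon Notify (O20)"),
            (looks_random(mod), "random-looking module name"),
        ]
        reasons.setdefault(mod, set()).update(r for hit, r in checks if hit)
    return {mod: sorted(r) for mod, r in reasons.items() if r}
```

The consonant-run check is only a hint: short legitimate names can trip it, so treat it as a reason to look, not a verdict.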

iluvyoukai
14.05.2008, 04:29
Best regards.

Well, I tried to do as you guided, but HijackThis works fine while AVZ doesn't really catch anything in the quarantine folder; is that normal? This is the log from running the script. I ran it once and restarted, but it didn't catch anything, so I deleted the "restart" line and took the log; please take a look.



>>>> Probable masking of executable file's name 1164 yahoom~1.exe, real name - YahooMessenger.exe
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=0846E0)
Kernel ntkrnlpa.exe found in memory at address 804D7000
SDT = 8055B6E0
KiST = 80503734 (284)
Function NtCreateKey (29) intercepted (80622048->F729D0D0), hook C:\WINDOWS\system32\Drivers\sptd.sys
>>> Function restored successfully !
>>> Hook code blocked
Function NtEnumerateKey (47) intercepted (80622888->F72A2FB2), hook C:\WINDOWS\system32\Drivers\sptd.sys
>>> Function restored successfully !
>>> Hook code blocked
Function NtEnumerateValueKey (49) intercepted (80622AF2->F72A3340), hook C:\WINDOWS\system32\Drivers\sptd.sys
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenKey (77) intercepted (806233DE->F729D0B0), hook C:\WINDOWS\system32\Drivers\sptd.sys
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueryKey (A0) intercepted (80623702->F72A3418), hook C:\WINDOWS\system32\Drivers\sptd.sys
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueryValueKey (B1) intercepted (80620102->F72A3298), hook C:\WINDOWS\system32\Drivers\sptd.sys
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetValueKey (F7) intercepted (80620708->F72A34AA), hook C:\WINDOWS\system32\Drivers\sptd.sys
>>> Function restored successfully !
>>> Hook code blocked
Functions checked: 284, intercepted: 7, restored: 7
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Analysis for CPU 2
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking of IRP handlers
\FileSystem\ntfs[IRP_MJ_CREATE] = 86FD51E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_CLOSE] = 86FD51E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_WRITE] = 86FD51E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 86FD51E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 86FD51E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_EA] = 86FD51E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_EA] = 86FD51E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 86FD51E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 86FD51E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 86FD51E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 86FD51E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 86FD51E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 86FD51E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 86FD51E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 86FD51E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_PNP] = 86FD51E8 -> hook not defined
Checking - complete
Deleting service/driver: Fms30
Quarantine file: failed (error), attempt of direct disk reading (C:\WINDOWS\System32\Drivers\Fms30.sys)
Quarantine file (direct disk reading) "%S" - failed (error)
Quarantine file: failed (error), attempt of direct disk reading (C:\WINDOWS\System32\Drivers\Fms30.sys)
Quarantine file (direct disk reading) "%S" - failed (error)
Quarantine file: failed (error), attempt of direct disk reading (C:\WINDOWS\userinit.exe)
Quarantine file (direct disk reading) "%S" - failed (error)
Quarantine file: failed (error), attempt of direct disk reading (C:\WINDOWS\userinit.exe)
Quarantine file (direct disk reading) "%S" - failed (error)
Quarantine file: failed (error), attempt of direct disk reading (rqrqnkh.dll)
Quarantine file (direct disk reading) "%S" - failed (error)
Quarantine file: failed (error), attempt of direct disk reading (rqrqnkh.dll)
Quarantine file (direct disk reading) "%S" - failed (error)
Quarantine file: failed (error), attempt of direct disk reading (C:\WINDOWS\system32\urstq.dll)
Quarantine file (direct disk reading) "%S" - failed (error)
Quarantine file: failed (error), attempt of direct disk reading (C:\WINDOWS\system32\urstq.dll)
Quarantine file (direct disk reading) "%S" - failed (error)
Quarantine file: failed (error), attempt of direct disk reading (C:\WINDOWS\system32\rqrqnkh.dll)
Quarantine file (direct disk reading) "%S" - failed (error)
Quarantine file: failed (error), attempt of direct disk reading (C:\WINDOWS\system32\rqrqnkh.dll)
Quarantine file (direct disk reading) "%S" - failed (error)
Delete file:C:\WINDOWS\system32\rqrqnkh.dll
>>>To delete the file C:\WINDOWS\system32\rqrqnkh.dll reboot is required
Delete file:C:\WINDOWS\system32\urstq.dll
>>>To delete the file C:\WINDOWS\system32\urstq.dll reboot is required
Delete file:rqrqnkh.dll
>>>To delete the file rqrqnkh.dll reboot is required
Delete file:C:\WINDOWS\System32\Drivers\Fms30.sys
>>>To delete the file C:\WINDOWS\System32\Drivers\Fms30.sys reboot is required
Removing traces of deleted files...
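An added example, not part of the original thread or of AVZ: a Python summariser for log lines in the format shown above. It groups intercepted kernel functions by the driver that hooked them and cross-checks which files were scheduled for deletion without ever reaching quarantine, which is exactly the situation this log records. The sample lines are copied from this log; the regexes assume the exact line format seen here.

```python
import re

# Constructed sample: a handful of lines copied from the AVZ log above.
AVZ_SAMPLE = r"""
Function NtCreateKey (29) intercepted (80622048->F729D0D0), hook C:\WINDOWS\system32\Drivers\sptd.sys
>>> Function restored successfully !
Function NtOpenKey (77) intercepted (806233DE->F729D0B0), hook C:\WINDOWS\system32\Drivers\sptd.sys
Functions checked: 284, intercepted: 2, restored: 2
Quarantine file: failed (error), attempt of direct disk reading (C:\WINDOWS\System32\Drivers\Fms30.sys)
Quarantine file (direct disk reading) "%S" - failed (error)
Quarantine file: failed (error), attempt of direct disk reading (C:\WINDOWS\system32\rqrqnkh.dll)
Delete file:C:\WINDOWS\system32\rqrqnkh.dll
>>>To delete the file C:\WINDOWS\system32\rqrqnkh.dll reboot is required
"""

HOOK_RE = re.compile(r"^Function (?P<fn>\w+) \((?P<idx>[0-9A-F]+)\) intercepted "
                     r"\((?P<orig>[0-9A-F]+)->(?P<new>[0-9A-F]+)\), hook (?P<driver>.+)$")
QFAIL_RE = re.compile(r"^Quarantine file: failed \(error\), attempt of direct disk reading \((?P<path>.+)\)$")
REBOOT_RE = re.compile(r"^>>>To delete the file (?P<path>.+) reboot is required$")

def summarize_avz(text):
    """Group SSDT hooks by hooking driver and collect quarantine failures and pending deletions."""
    hooks = {}
    quarantine_failed = []
    pending_delete = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOOK_RE.match(line):
            hooks.setdefault(m["driver"], []).append(m["fn"])
        elif m := QFAIL_RE.match(line):
            if m["path"] not in quarantine_failed:  # AVZ logs each failed attempt twice
                quarantine_failed.append(m["path"])
        elif m := REBOOT_RE.match(line):
            pending_delete.append(m["path"])
    return {"hooks": hooks, "quarantine_failed": quarantine_failed, "pending_delete": pending_delete}

def files_lost_before_analysis(summary):
    """Files queued for deletion that never reached quarantine: after the reboot there is no sample left."""
    return [p for p in summary["pending_delete"] if p in summary["quarantine_failed"]]
```

Which driver owns the hooks matters more than the count: sptd.sys belongs to a disc-emulation package (Daemon Tools/Alcohol) that is known to hook the registry APIs, so a hooked SSDT entry is not by itself a verdict.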

AndreyKa
14.05.2008, 10:52
Run the script in AVZ:


begin
SetAVZGuardStatus(True);
QuarantineFile('C:\WINDOWS\system32\kgctsevd.dll','');
DeleteFile('C:\WINDOWS\system32\kgctsevd.dll');
BC_DeleteFile('C:\WINDOWS\system32\kgctsevd.dll');
BC_Activate;
ExecuteSysClean;
RebootWindows(false);
end.

After rebooting upload the AVZ quarantine by the link:
http://virusinfo.info/upload_virus_eng.php?tid=22787
Make the new HijackThis log.

iluvyoukai
17.05.2008, 07:13
Thanks a lot Andrey, I've uploaded it ~

AndreyKa
17.05.2008, 09:39
C:\WINDOWS\system32\kgctsevd.dll = not-a-virus:AdWare.Win32.Virtumonde.msm
If you have any problem make the new log files and attach to the topic.

Rene-gad
17.05.2008, 10:44
"Well, I tried to do as you guided, but HijackThis works fine while AVZ doesn't really catch anything in the quarantine folder; is that normal?"
If we had written the script on Monday and you ran it on Friday, then it's OK: after the next reboot all malware files change their names.