m11m By PoH(irc-bot) mi pravi probleme po mrezi

[ tunma @ 05.05.2011. 06:31 ] @

Pozdrav,

da li je itko imao priliku pozabaviti se ovim cudom u naslovu? Radi se o WinXP masinama i po mrezi mi se rapidno siri. U Task Manageru mi se pojavljuju procesi imena "chrom.com" - dakle ne Google Chromeovi procesi nego bas ovako kako pise.

Ovaj m11m se pojavljuje na desktopu cim korisnik upali masinu i simptomi koji se dogadjaju su da se shareanom printeru ne moze pristupiti i koristiti ga. Isto tako povremeno mi korisnici ne mogu pristupiti mapiranim diskovima i sve skupa je poprilicno frustrirajuce.

Ovako to izgleda na korisnickim desktopima: http://pictap.pl/image-776E_4D6E48D7.jpg i taj prozor se jednostavno ne moze ubiti osim ako ne killnem cijeli process tree sa prije spomenutog chrom.com-a preko Task Managera.

Vecina masina su WinXP SP3.

Kaspersky, Malwarebytes i slicni nista ne prepoznaju.

Any ideas?

[ kristi1 @ 05.05.2011. 07:55 ] @

Koliko imas umrezenih masina?

Pokreni na jednoj ovu dijagnostiku

Preuzmi program DDS na desktop http://download.bleepingcomputer.com/sUBs/dds.scr
Dvoklikom pokreni DDS
Sacekaj malo, izbacice ti dva loga
Kopiraj mi log DDS.txt

[ tunma @ 05.05.2011. 09:31 ] @

Citat:

kristi1: Koliko imas umrezenih masina?

60ak

Citat:

Kopiraj mi log DDS.txt

Evo loga:

Code:
DDS (Ver_11-03-05.01) - NTFSx86
Run by XYZ at 10:20:16,01 on źet 05.05.2011
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional  5.1.2600.2.1250.385.1033.18.989.669 [GMT 2:00]
.
AV: Kaspersky Anti-Virus *Disabled/Outdated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\Xerox\PanelMgr\SSMMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NetSupport\NetSupport School\client32.exe
C:\Program Files\NetSupport\NetSupport School\runplugin.exe
C:\Program Files\NetSupport\NetSupport School\runplugin.exe
D:\Audacity 1.3 Beta (Unicode)\audacity.exe
C:\WINDOWS\system32\rundll32.exe
F:\dds.scr
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\ievkbd.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Google Update] "c:\documents and settings\xyz\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Xerox PanelMgr] c:\windows\xerox\panelmgr\SSMMgr.exe /autorun
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2011\avp.exe"
IE: I&zvoz u Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
LSP: c:\program files\common files\nsl\nslsp.dll
TCP: {3F29049F-2387-4840-86AA-019DB0120440} = 213.147.96.3,213.147.96.4
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
Notify: PCANotify - PCANotify.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
.
============= SERVICES / DRIVERS ===============
.
R0 KL1;kl1;c:\windows\system32\drivers\kl1.sys [2010-6-9 132184]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2007-3-30 18232]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2007-3-30 17848]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-6-9 11352]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2011-4-7 475736]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2010-5-7 32856]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19472]
R3 nsafltr;nsafltr;c:\windows\system32\drivers\nsafltr.sys [2010-10-26 30080]
S2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky anti-virus 2011\avp.exe [2010-11-2 365336]
S2 SRVStarter_GooGleV3;Service Starter: GooGleV3;c:\windows\system32\BNLODm.exe [2011-1-10 56552]
S2 SRVStarter_Lode;Service Starter: Lode;c:\windows\system32\drivers\BNLOD.exe [2010-11-3 56552]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-10-22 1691480]
S3 awhost32;Symantec pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2008-9-5 136568]
.
=============== Created Last 30 ================
.
2011-05-03 05:33:15    --------    d-----w-    c:\program files\Lame For Audacity
2011-04-22 07:20:20    --------    d-----w-    c:\windows\pss
2011-04-22 06:42:25    21504    -c--a-w-    c:\windows\system32\dllcache\hidserv.dll
2011-04-22 06:42:25    21504    ----a-w-    c:\windows\system32\hidserv.dll
2011-04-22 06:42:11    31616    -c--a-w-    c:\windows\system32\dllcache\usbccgp.sys
2011-04-22 06:42:11    31616    ----a-w-    c:\windows\system32\drivers\usbccgp.sys
2011-04-07 08:31:18    97859    ----a-w-    c:\windows\system32\drivers\klick.dat
2011-04-07 08:31:18    115267    ----a-w-    c:\windows\system32\drivers\klin.dat
2011-04-07 08:30:44    --------    d-----w-    c:\program files\Kaspersky Lab
2011-04-07 08:30:44    --------    d-----w-    c:\docume~1\alluse~1\applic~1\Kaspersky Lab
.
==================== Find3M  ====================
.
[red]2009-12-17 17:22:54    634368    --sha-w-    c:\windows\system32\chrom.com[/red]
2011-01-03 22:52:48    136704    --sha-w-    c:\windows\system32\edih132.dll
2011-01-04 14:07:42    123392    --sha-w-    c:\windows\system32\plurpp.exe
2007-03-23 15:52:12    56552    --sha-w-    c:\windows\system32\drivers\BNLOD.exe
[red]2009-12-17 17:22:54    634368    --sha-w-    c:\windows\system32\drivers\chrom.com[/red]
.
============= FINISH: 10:20:33,37 ===============

Ovo crveno mi je sumnjivo...

[ kristi1 @ 05.05.2011. 09:50 ] @

E sad, ja mogu da ti ocistim ovaj racunar, ali ti imas 60 racunara. Pitanje da li se isti procesi ponavljaju na svakom racunaru (cisto sumnjam).
Morao bi da da podelis mrezu, pa racunare koji se ciste da iskljucis sa mreze, recimo po 5-6 racunara. Sve dok ne ocistis sve racunare, ne smes da prikljucis komletnu mrezu.
Znaci morao bi da organizujes rad.

Evo kako bi izgledalo za ovaj racunar. Iskljuci ga sa mreze.

Preuzmi ovaj program na desktop http://swandog46.geekstogo.com/avenger2/download.php
Raspakuj ga u folder
Dvoklikom pokreni avenger.exe
Iskopiraj ovaj tekst u beli prozor programa

Code:
Files to delete:
c:\windows\system32\chrom.com
c:\windows\system32\edih132.dll
c:\windows\system32\plurpp.exe
c:\windows\system32\drivers\BNLOD.exe
c:\windows\system32\drivers\chrom.com

Drivers to delete:
SRVStarter_GooGleV3
SRVStarter_Lode

Zatim klikni Execute pa dva puta Yes.
Kompjuter ce se restartovati, mozda dva puta.
Iskopiraj mi log fajl C:\avenger.txt

Ovo je skripta samo za ovaj racunar, nemoj nikako da je primenjujes na druge racunare.

_{[Ovu poruku je menjao kristi1 dana 05.05.2011. u 11:19 GMT+1]}

[ tunma @ 10.05.2011. 09:17 ] @

Citat:

Iskopiraj mi log fajl C:\avenger.txt

Ovo je skripta samo za ovaj racunar, nemoj nikako da je primenjujes na druge racunare.

Sorry na malom delayu al bio sam na terenu pa nisam prije mogao. Dakle, Avengerov log je sada ovakav:

Code:
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\windows\system32\chrom.com" deleted successfully.
File "c:\windows\system32\edih132.dll" deleted successfully.
File "c:\windows\system32\plurpp.exe" deleted successfully.
File "c:\windows\system32\drivers\BNLOD.exe" deleted successfully.
File "c:\windows\system32\drivers\chrom.com" deleted successfully.

Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\SRVStarter_GooGleV" not found!
Deletion of driver "SRVStarter_GooGleV" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Driver "SRVStarter_Lode" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.

Pri restartu ovog kompa sada se bot vise ne pojavljuje.